Monday, June 20, 2011

MtGox Compromise And What It Means To Me

MtGox is a BitCoin Exchange Market for the BitCoin digital currency. I had read about BitCoin last year but waited for it to mature before stepping into the market.

About two weeks ago I invested about $880 USD in MtGox, and 2 days later a Distributed Denial of Service (DDoS) attack was launched at MtGox. I did some reading: it wasn't the first time they had been under attack, and they had everything secured and well planned, so I wasn't worried.

The market volume suddenly increased, with massive quantities flooding the market, followed by a market crash (the price dropped to $13/BTC, where it had previously been $17). MtGox closed the market and halted all transactions. Apparently, they had been compromised.

I panicked at first, as I couldn't access my account on MtGox (they froze all accounts), and they said they were going to do a rollback, which means undoing everything and returning to the state before the crash.
I wasn't happy, because I didn't know the state of my money and coins, and those who bought coins at cheap prices could have withdrawn the coins from the market, which means there is no way to trace the coins or return them.

I still don't know how MtGox will deal with those who bought cheap coins and withdrew them, but if they do a rollback, those people will get their money/coins back to what they had before the crash, in addition to the coins they withdrew! That means extra profit, unless MtGox monitored the withdrawn amounts from each account and balances those out.

Anyway, I searched Google for my username in relation to MtGox, but nothing came up. Maybe Google hadn't had time to index all the pages, maybe they're underground, or maybe my user wasn't affected. Either way, my account will be rolled back, and the password I used was unique to MtGox, so the attackers can't access my email or any other service associated with that email.

Moreover, MtGox has switched its password hashing scheme to SHA-512. That is a general-purpose hash, not a password hash: it is fast by design, so an attacker who steals the database can still test a very large number of guesses per second, and without a per-user salt two users with the same password get the same hash. A dedicated, salted and deliberately slow scheme (bcrypt, PBKDF2, scrypt) is what a practitioner would want to see. MtGox has also contacted GMail with a list of compromised email addresses so GMail could lock them and require a password reset before access (I was one of those affected).
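The difference between a bare fast hash and a proper password store, as an added example that is not MtGox's code or the post's own: the same user/password pairs are stored once with unsalted SHA-512 and once with salted PBKDF2-HMAC-SHA512, and a precomputed-table attack is run against the unsalted store. The user names, passwords, wordlist and iteration count are constructed for the demonstration.

```python
"""Added example: why unsalted SHA-512 is a weak password store, and what a
salted, deliberately slow alternative looks like.  Not MtGox's code; the
sample users, wordlist and iteration count below are assumptions."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed; tune so one check takes ~0.1 s on your hardware


def sha512_store(password):
    """Unsalted SHA-512.  Deterministic: equal passwords give equal hashes,
    so one precomputed table breaks every user who chose the same password."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password, salt=None):
    """Salted PBKDF2-HMAC-SHA512 with the parameters embedded in the record:
    pbkdf2_sha512$<iterations>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha512$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha512":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def crack_with_table(stored_hashes, wordlist):
    """Offline attack on the unsalted store: hash each candidate once and look it
    up against every user's hash at the same time.  Returns user -> password."""
    table = {sha512_store(w): w for w in wordlist}
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


def demo():
    # Constructed sample data, not a real leak.
    users = {
        "alice": "password1",
        "bob": "letmein",
        "carol": "R0undTomatoe$Insid3Triangl3Whalez",
    }
    wordlist = ["123456", "password1", "letmein", "qwerty"]

    unsalted = {u: sha512_store(p) for u, p in users.items()}
    cracked = crack_with_table(unsalted, wordlist)  # alice and bob fall at once

    # With salts, the same password stored twice yields two different records,
    # so an attacker must redo the slow computation per user and per guess.
    salted = {u: pbkdf2_store(p) for u, p in users.items()}
    return cracked, salted


if __name__ == "__main__":
    cracked, salted = demo()
    print("recovered from unsalted SHA-512 store:", cracked)
    for user, record in salted.items():
        print(user, record[:60] + "...")
```

Carol survives the table attack only because her passphrase is not in the wordlist; the salt and iteration count are what make the second store expensive for the attacker regardless of how common the password is.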

MtGox keeps updating its post with news of what they're doing so they've not neglected their customers, even when under such a big stress.

In my opinion, I'm sticking with them, because only in rough times do you see what a good company can do for its customers, and while there were inconveniences, they contained the situation successfully.
Perhaps people would have felt much better had MtGox shared how it manages its systems and what kind of security measures are in place, so that we know they can be trusted. I hope they do that soon.

Away from MtGox, and more generally, those who know me well know that I'm paranoid when it comes to computers and being online. Below are some of my practices for staying safe:

  • A different password for every account.
  • If I forget a password, that's OK; I request a password reset.
  • Passwords are at least 10 characters, mixing camel-cased letters, digits and special characters.
  • My passwords are a mixture of meaningful words forming a non-meaningful sentence: R0undTomatoe$Insid3Triangl3Whalez
  • I always check my email from my own systems and never from someone else's (not even family's or friends').
  • GMail shows you the IPs that last accessed your account and alerts you to suspicious access.
  • When you create an account on a new site, request a password reset; if they send you your exact password in plaintext, close your account. They store passwords in a form they can read back and don't care about your account's security.
    If they send you a link to reset the password, or email you a randomly generated temporary password that you must change on first login, then you're fine.
  • Use different browsers: one for your accounts and another for everything else.
    I use Chrome for GMail and Twitter. All links in emails or tweets are opened in Incognito mode (a separate session with its own cookie store, so the page doesn't get my logged-in GMail session; it is not a stronger sandbox than a normal window) or in Firefox.
  • I use Linux. No Windows or Mac for me, and please don't laugh at Windows if you're a Mac fanboy: Mac OSs are less secure than Windows but aren't targeted as much because you're a minority.
  • If you have to use Windows, use a good antivirus. I put Kaspersky on my family members' machines; I have used it for companies and fully trust it.
  • Do not open emails from strangers.
  • Emails that insist they're from good and honest people most likely aren't.
  • Emails that come from addresses of people you know aren't necessarily from them. The sender address is just a header the sender writes, so it can be forged: I can send you an email that appears to come from your own address without ever accessing your account. Magic.
  • If someone you know asks you for your password or to install something you don't know about, call them and ask them in person.
  • If you read online that a nice service you use isn't secure, don't shrug it off and say you won't be affected. That's how everyone gets slapped in the end.
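The "magic" in the spoofed-address point above, shown in code as an added example (not the post's own): the From: header is text chosen by the sender and is separate from the SMTP envelope sender, which the receiving server records as Return-Path:. The block builds a message that claims to come from the recipient's own address, then applies a simple check that flags a mismatch between the two domains. The addresses, domains and the Return-Path line are constructed for the demonstration; the check is a heuristic, not a substitute for SPF/DKIM/DMARC.

```python
"""Added example: forging the visible From: header, and a heuristic check for it.
Not the post's own code.  Addresses and the simulated Return-Path are assumptions."""
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr


def build_spoofed(victim, envelope_sender):
    """Compose a message whose From: is the victim's own address.  Nothing here
    touches the victim's account; the header is simply written by the sender."""
    msg = EmailMessage()
    msg["From"] = victim  # forged: this is what the mail client displays
    msg["To"] = victim
    msg["Subject"] = "Your account will be closed unless you confirm your password"
    msg.set_content("Reply with your password to keep your account.")  # the lure
    # The receiving server records the SMTP envelope sender (MAIL FROM) as
    # Return-Path.  Simulate that by prepending the header the receiver adds.
    return "Return-Path: <%s>\n" % envelope_sender + msg.as_string()


def domain_of(addr):
    """Domain part of a header value such as 'Alice <alice@Example.COM>', lowercased."""
    _, address = parseaddr(addr)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def looks_spoofed(raw):
    """Flag a message whose visible From: domain differs from the Return-Path domain.
    Mailing lists and forwarders also trip this, so it is a warning, not proof;
    SPF/DKIM/DMARC at the receiver give the authoritative answer."""
    msg = message_from_string(raw)
    header_from = domain_of(msg.get("From", ""))
    return_path = domain_of(msg.get("Return-Path", ""))
    return bool(header_from) and header_from != return_path


if __name__ == "__main__":
    raw = build_spoofed("you@example.com", "attacker@evil.example")
    print(raw)
    print("looks spoofed:", looks_spoofed(raw))
```

The same check run on a message whose envelope sender is on the recipient's own domain is not flagged, which is why a mismatch is only a hint: the real defence is the receiver verifying SPF/DKIM and the sending domain publishing DMARC, not the recipient reading headers by hand.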

I probably have other habits that don't come to mind right now. If you have any suggestions, leave a comment (you can do so anonymously) and I'll be more than happy to add them to the list.

Live paranoid. Live safe.


MCD said...

I suggest using MSE (Microsoft Security Essentials) instead of Kaspersky.

It's fast, unintrusive and, best of all, free.

Can be downloaded here:

Or via Windows Update.

Just my 2 cents.

MBH said...

Thank you for the advice, but I don't trust Microsoft products.

(Yes, I know they bought a company, but they'll mess it up sooner or later.)

Kaspersky's self-protection and sound record are more than enough for me to put my trust in them.

MCD said...

It's alright; my post was directed more at the readers than at you specifically, since you are already more than happy with Kaspersky.

It's just one option among all the free options out there, and you can never go wrong with it.

Yahya said...

DDoS attacks cannot be avoided. The most interesting thing about GMail is "Google Authenticator"; try to download it on your BlackBerry/iPhone or Android mobile. It offers super protection, but you need a Saudi or Egyptian phone number to verify it.

posted via my iPhone