Mt. Gox: Where is your Security? Introducing the New OTP

Jesús Cripto
December 1, 2013

Reddit user /u/sockinabox recently awoke to an email from Mt. Gox informing him that his funds had been withdrawn. About $12,000 of his personal funds are now gone, with absolutely no way for the rightful owner to recover them. As with the many previous times this has happened and been reported on /r/bitcoin, Mt. Gox’s email support is unresponsive, which only adds to the frustration. However, even if Mt. Gox responded to every email they received about stolen funds, could they actually do anything to recover funds that have already been stolen?

Any Bitcoiner will realize that once the coins are sent, Mt. Gox can’t do anything more than the victim can. This is a feature of Bitcoin, not a flaw, and part of being a Bitcoiner is realizing that putting your bitcoins online puts one password between the world and the bitcoins. Obviously, the first step to securing one’s bitcoins, if one plans to store them in an online exchange, is to choose a secure and never-before-cracked password. Such a password would probably be incredibly long and not contain any combination of letters that has ever before been written in Wikipedia. While this is generally good practice, many other online services have started to offer Two-Factor Authentication [2FA] through a separate device or email account for withdrawals and/or logging in. Some view this as a crutch, while others view it as an adequate tool in the arsenal against black-hat actors. Mt. Gox has previously only offered 2FA through Yubikey, a paid solution that cost $30 and frankly was not widely adopted by exchange users.

Days ago, Mt. Gox finally released information on their newest security updates. I hope you’re as excited as I was…

Here is Mt. Gox’s Resource Guide for their new security feature.

Mt. Gox is offering a “one time password card” [OTP] that is lithium battery operated. Honestly, this is somewhat superior to using one’s smartphone (which might be stolen for reasons unrelated to 2FA) or an email account for 2FA, as these two solutions essentially just put another password between the attacker and the victim. This OTP card functions the same way as the Yubikey previously sold by Mt. Gox for the same purpose.

The difference? Mt. Gox’s new OTP costs $10 more than the Yubikey.

Both of which cost infinitely more than setting up 2FA via Google Authenticator or even setting up email confirmations for withdrawals like competitor BTC-e does.

With “updates” like this and long long delays on fiat withdrawals, it is no wonder that BTC China has surpassed Mt. Gox as the number one Bitcoin Exchange in the world.

Have cryptic days, mis amigos.

Last modified (UTC): April 20, 2014 18:25

Jesús Cripto

I am here to preach about Cryptocoins, the benefit of decentralized systems, and love for our crypto-brethren. If you like my writing and would like to donate XPM: Ab3suyYAjL5wZkix6598HEaEHNfxFVbX5h