During the Easter Weekend, the Localbitcoins team updated its blog with the results of its investigation into the reported losses from the Bitcoin exchange, as we reported earlier. All but one of the thefts apparently involved accounts that were not using 2-Factor Authentication; the post then explained how the one 2-Factor authenticated account that did suffer a theft was compromised.
The user who had 2-Factor Authentication, “don4of4”, was the same user who had complained on Reddit and the Localbitcoins forum about the theft. In this case, Localbitcoins went into the details of the user’s behaviour pattern.
“In the case of user don4of4, the following is what happened.
- 21. March 2014, the user activates his/her user account
- 21. March 2014, the user conducts a series of trades, using a desktop browser
- 16. April 2014, the user conducts a series of trades, using a desktop browser
- 17. April 2014 03:52, the user activates the two-factor authentication, using a desktop browser
- 17. April 2014 12:40, the user does his/her first two-factor login using an Android device
- 17. April 2014 15:45, the user’s Bitcoins are transferred away using the two-factor codes and the login session the user opened earlier. This request came from a Tor browser, as opposed to the user’s Android device.
- 17. April 2014 ~17:00, the user posts to Reddit claiming that the LocalBitcoins security is compromised
- 17. April 2014 ~17:00, the user opens a support ticket for resolving the incident”
In simple terms, don4of4’s point of vulnerability appears to have been his/her Android phone. While the phone was being used as the physical 2-Factor authentication token, it had also been the last device used to log into Localbitcoins. That negated the benefit of 2-Factor authentication, since the same physical device was providing every factor of authentication.
“The user has admitted storing his two-factor codes on the Android device. In this case, if the user used this particular Android device to access LocalBitcoins and the device was compromised, the attacker gained access to the user’s password, user session id and two-factor codes. Furthermore, it was reported on Reddit that the credentials of this particular user have been found on known compromised user account lists spreading on the Internet.”
This in turn raises a wider question: what was the vulnerability on this user’s Android device, and how might it affect the wider Android user base?
For those who regularly use Localbitcoins on their phone, Localbitcoins issued this advice:
“If one needs to operate the LocalBitcoins site from a mobile phone, LocalBitcoins offers a paper-code based two-factor authentication which is based on printed one-time passwords. Even if the mobile device is compromised the attacker cannot gain access to the physical printed paper.”
Localbitcoins stated on its blog that it monitors IP address behaviour for each user account and queries logins from anomalous locations. However, if the user account does not have 2-Factor authentication and a correct password is provided, Localbitcoins says there is nothing it can do, and therefore urges users to activate 2-Factor Authentication.
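As an added illustration, not code from Localbitcoins or the original article, here is the kind of session-binding check that complements the IP-behaviour monitoring described above: a high-risk action (the withdrawal) arriving on a session from a different IP address and browser than the one that logged in is flagged for step-up authentication. The session id, IP addresses and user-agent strings in the sample timeline are constructed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SessionEvent:
    ts: datetime
    session_id: str
    ip: str
    user_agent: str
    action: str          # "login", "trade" or "withdraw"


# Actions that move value out of the account and deserve a step-up check.
HIGH_RISK_ACTIONS = {"withdraw"}


def detect_session_drift(events):
    """Return (session_id, reason) alerts for high-risk actions issued from a
    client that differs from the one that opened the session."""
    origin = {}      # session_id -> (ip, user_agent) recorded at login
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "login":
            origin[ev.session_id] = (ev.ip, ev.user_agent)
            continue
        if ev.action not in HIGH_RISK_ACTIONS:
            continue
        if ev.session_id not in origin:
            alerts.append((ev.session_id, "high-risk action on a session with no recorded login"))
            continue
        ip0, ua0 = origin[ev.session_id]
        reasons = []
        if ev.ip != ip0:
            reasons.append(f"ip changed {ip0} -> {ev.ip}")
        if ev.user_agent != ua0:
            reasons.append(f"user-agent changed {ua0!r} -> {ev.user_agent!r}")
        if reasons:
            alerts.append((ev.session_id, "; ".join(reasons)))
    return alerts


# Constructed sample mirroring the published timeline: Android login at 12:40,
# withdrawal at 15:45 from a different network and a Firefox-style user-agent.
# IPs are from documentation ranges; session id and user-agents are made up.
SAMPLE_EVENTS = [
    SessionEvent(datetime(2014, 4, 17, 12, 40), "sess-1", "203.0.113.10",
                 "Mozilla/5.0 (Linux; Android 4.4)", "login"),
    SessionEvent(datetime(2014, 4, 17, 13, 5), "sess-1", "203.0.113.10",
                 "Mozilla/5.0 (Linux; Android 4.4)", "trade"),
    SessionEvent(datetime(2014, 4, 17, 15, 45), "sess-1", "198.51.100.77",
                 "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0", "withdraw"),
]

if __name__ == "__main__":
    for sid, why in detect_session_drift(SAMPLE_EVENTS):
        print(f"step-up authentication required for session {sid}: {why}")
```

A real deployment would require a fresh second factor (ideally one not stored on the logged-in device, such as the paper codes mentioned above) before letting the flagged withdrawal proceed.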