My bitcoin was stolen from my Luno account! Luno is not safe.

Lunomoney

Luno Representative
Joined
Jan 11, 2017
Messages
383
My bitcoin was stolen from my Luno account without my permission. They created an API and transferred my bitcoin. I need help to recover my bitcoin. Luno, help!

Thanks.
Hi,

Thank you for getting in touch.

We want to look into your concern. Unfortunately, we cannot do this via this platform. Please contact our support team for further assistance. You can submit a ticket here: https://www.luno.com/help/tickets/new. If you have already submitted a ticket, kindly respond to this message with your ticket number.

Our customers' security is our number one priority. We recommend having a look at our recent blog post on how we keep our customers' cryptocurrency safe:

https://www.luno.com/blog/en/post/safe-customer-bitcoin-storage

Thanks for your understanding.
 

mr_norris

Expert Member
Joined
Jun 12, 2007
Messages
2,230
LUNO! About time you enabled 2FA by default. Just do it!
That doesn't make sense and I don't see how it would work. If you have ever enabled 2FA on any account of yours, you'd know that you'd need to be the one to activate it. You're asking Luno to send a rep to you, pick up your phone, and go through the motions of setting it up for you.
 

John Tempus

Expert Member
Joined
Aug 8, 2017
Messages
2,593
That doesn't make sense and I don't see how it would work. If you have ever enabled 2FA on any account of yours, you'd know that you'd need to be the one to activate it. You're asking Luno to send a rep to you, pick up your phone, and go through the motions of setting it up for you.
I believe he actually meant that Luno should, as a security measure, force a user at signup to enable 2FA on their account before allowing any funding, and take the user through the steps on how to do it.
 

Moh1

Member
Joined
Nov 19, 2018
Messages
13
Huh, what? First learn to write sentences before you come here to ask for help. That is really key.

Secondly, I don't understand your reason behind not enabling 2FA, even after reading it a few times.

The short end of this story: you refused to enable 2FA, so don't cry about losing your coins.
I did not want to make broad assumptions, but it did look like some vague attempt to create deniability for losing family and friends' coins.

My problem with it is that his whole premise, based on his writing ability, looks like some premeditated way of creating a false case of theft amidst a market crash. He might have cashed out crypto he managed for friends and family, or mismanaged it, and now with the crash he is creating a way out.

Yes, I might seem epically cynical, but it won't be the first time I've seen these types of situations unfold.

If this is a legit case of losing coins through access gained due to no 2FA, then I do feel sorry, but I hope he learned his lesson.


I am not frequently online, and definitely not an attention seeker. I have no reason to come on here and give vague information about someone or a corporate entity like Luno. What do I stand to gain?

Now listen, Mr, all I have lost on the platform (Luno) is mine: NO FAMILY, NO FRIENDS OR ASSOCIATES. I wasn't asking the general public or members of this great site to reimburse me. I just felt the need to share my experience in the hope of finding help to prevent a future occurrence, as I still have quite a substantial $$$ tied up in bitcoin due to the current dip, which I seek assistance to protect, nothing more.
 

John Tempus

Expert Member
Joined
Aug 8, 2017
Messages
2,593
I am not frequently online, and definitely not an attention seeker. I have no reason to come on here and give vague information about someone or a corporate entity like Luno. What do I stand to gain?

Now listen, Mr, all I have lost on the platform (Luno) is mine: NO FAMILY, NO FRIENDS OR ASSOCIATES. I wasn't asking the general public or members of this great site to reimburse me. I just felt the need to share my experience in the hope of finding help to prevent a future occurrence, as I still have quite a substantial $$$ tied up in bitcoin due to the current dip, which I seek assistance to protect, nothing more.
Ok, cool.

In the future, first learn about the ins and outs of keeping your finances safe in the crypto world, just as you would know how to keep your bank account safe with your local currency in it.

The fact that you say you don't frequent online but kept x amount of crypto on Luno without enabling 2FA just makes me shake my head even harder.
 

mr_norris

Expert Member
Joined
Jun 12, 2007
Messages
2,230
I believe he actually meant that Luno should, as a security measure, force a user at signup to enable 2FA on their account before allowing any funding, and take the user through the steps on how to do it.
Thanks, that makes sense. It's a tough one. You do that, then you upset the people who don't use 2FA. You can't please everyone I guess.
 

John Tempus

Expert Member
Joined
Aug 8, 2017
Messages
2,593
Well, crypto is a mobile currency, so if you handle crypto at all you should have access to a smartphone.

The 0.00000000001% of users who only want to use it from a desktop are not worth the added security risk of not enforcing it.
 

Daruk

Honorary Master
Joined
Jul 18, 2008
Messages
39,525
Thanks, that makes sense. It's a tough one. You do that, then you upset the people who don't use 2FA. You can't please everyone I guess.
You can always allow people to opt out if they don't want to use it, they can't then argue that it's insecure since they did it.
 

John Tempus

Expert Member
Joined
Aug 8, 2017
Messages
2,593
You can always allow people to opt out if they don't want to use it, they can't then argue that it's insecure since they did it.
I think for something as standardized as 2FA, it should not be an option: if you add any funds to the account, then you need to enable 2FA.

Any client who wants to go out of their way to avoid 2FA will be a potential liability for any crypto exchange/business in probably a very short timespan, and if they do lose the business of this client, I am pretty sure not having them as a client is financially/reputationally better long term.
 

Daruk

Honorary Master
Joined
Jul 18, 2008
Messages
39,525
I think for something as standardized as 2FA, it should not be an option: if you add any funds to the account, then you need to enable 2FA.

Any client who wants to go out of their way to avoid 2FA will be a potential liability for any crypto exchange/business in probably a very short timespan, and if they do lose the business of this client, I am pretty sure not having them as a client is financially/reputationally better long term.
Agree. That's why I'm baffled that not all banks enable 2FA, or even give the option, to access the online portal.
Nedbank is one. There are two passwords, but really, if one can be compromised, two can just as easily be... That said, there are 2FA requirements for some transactions.
 

Dark Agent

Expert Member
Joined
Nov 30, 2008
Messages
2,009
[attachment: cookies.PNG]
Luno security is bad, and so is that of many, many exchanges. Don't store anything in cookies! My friend argued for 3+ hours that it is safe. 20 minutes later I hijacked his account just by having him visit my website (YES, it's simple). He had 2FA enabled, so I was not able to execute anything on his account.

So my friend disabled 2FA, visited my site (note: you need to be logged in to Luno) and I was able to submit an order without him knowing. As you mention, they created an API key. I will provide a little more technical detail below.

There are 12+ possible ways they did it (a browser extension install, an application installed on mobile, or you visited a site that had an exchange JavaScript exploit kit).

One way: I am trading. Let's say you visited an illegal movie site / legal site (an ad on a website) while waiting for a trade; now they will scan whether you have a luno.com cookie set. They cannot access its content, since the ORIGIN check WILL FAIL and the browser will prevent them from hijacking the cookie. But wait for it.
They open an XHR request and execute:
API call: https://www.luno.com/ajax/1/api_keys, setting fields like x-xsrf-token, etc., which get filled from your cookie automatically (a very advanced topic which I will not cover), with the payload below.
Payload: {"policy":{"permissions":32939,"not_valid_after":0,"restrict_ip":false,"allow_ip_ranges":[],"restrict_send_addresses":false,"allow_send_addresses":[]},"label":"test","pin":"2FA AUTH KEY"}

The image shows that the cookie is injected automatically using a specially crafted XHR request.
[attachment: inject_cookie_vunerability.PNG]

SINCE YOU DON'T HAVE A 2FA AUTH KEY
Guess what they got back with the pin empty:
{"api_key_id":"xxxxxxxxxxx","api_key_secret":"xxxxxxxxxxxxxxxxxxxxxxxxxxxx"}. Now this key will be sent to the attacker, and they will then use the key to execute commands later during the day/week/month.

So, game over. The API has all the commands and acts silently, as it was meant to. All this behind the scenes, just by visiting a website with an ad or JavaScript code.

Now, if you had 2FA:
{"error":"Please use the next two-factor authentication code.","error_code":"ErrSamePin","error_action":{}}

I am going to give you some advice that has not already been mentioned.
1. ENABLE 2FA ON ALL WEBSITES.
2. When doing financial transactions, use secure browser mode.
3. If you are using a rooted phone for financial transactions, smack yourself.
4. If you are using 2FA on the same phone you log in with, smack yourself.
5. If you are keeping coins for a long period on an exchange without trading, smack yourself.
6. If you cannot explain how a bitcoin block is mined and the basics of the header etc., smack yourself, since you are investing in something you have very little knowledge of.
7. If you are storing your private key with 0 encryption, there is no hope for you.

So who's at fault, Luno or you? Both.
Unfortunately the API key only has a 2FA check; Luno needs to send an email confirmation that a key has been added, and the key should only be enabled when you confirm via email and call. In defense of Luno, if an API key is in use, it is meant to act silently.
 
Last edited:

John Tempus

Expert Member
Joined
Aug 8, 2017
Messages
2,593
[attachment 581222]
Luno security is bad, and so is that of many, many exchanges. Don't store anything in cookies! My friend argued for 3+ hours that it is safe. 20 minutes later I hijacked his account just by having him visit my website (YES, it's simple). He had 2FA enabled, so I was not able to execute anything on his account.

So my friend disabled 2FA, visited my site (note: you need to be logged in to Luno) and I was able to submit an order without him knowing. As you mention, they created an API key. I will provide a little more technical detail below.

There are 12+ possible ways they did it (a browser extension install, an application installed on mobile, or you visited a site that had an exchange JavaScript exploit kit).

One way: I am trading. Let's say you visited an illegal movie site / legal site (an ad on a website) while waiting for a trade; now they will scan whether you have a luno.com cookie set. They cannot access its content, since the ORIGIN check WILL FAIL and the browser will prevent them from hijacking the cookie. But wait for it.
They open an XHR request and execute:
API call: https://www.luno.com/ajax/1/api_keys, setting fields like x-xsrf-token, etc., which get filled from your cookie automatically (a very advanced topic which I will not cover), with the payload below.
Payload: {"policy":{"permissions":32939,"not_valid_after":0,"restrict_ip":false,"allow_ip_ranges":[],"restrict_send_addresses":false,"allow_send_addresses":[]},"label":"test","pin":"2FA AUTH KEY"}

The image shows that the cookie is injected automatically using a specially crafted XHR request.
[attachment 581232]

SINCE YOU DON'T HAVE A 2FA AUTH KEY
Guess what they got back with the pin empty:
{"api_key_id":"xxxxxxxxxxx","api_key_secret":"xxxxxxxxxxxxxxxxxxxxxxxxxxxx"}. Now this key will be sent to the attacker, and they will then use the key to execute commands later during the day/week/month.

So, game over. The API has all the commands and acts silently, as it was meant to. All this behind the scenes, just by visiting a website with an ad or JavaScript code.

Now, if you had 2FA:
{"error":"Please use the next two-factor authentication code.","error_code":"ErrSamePin","error_action":{}}

I am going to give you some advice that has not already been mentioned.
1. ENABLE 2FA ON ALL WEBSITES.
2. When doing financial transactions, use secure browser mode.
3. If you are using a rooted phone for financial transactions, smack yourself.
4. If you are using 2FA on the same phone you log in with, smack yourself.
5. If you are keeping coins for a long period on an exchange without trading, smack yourself.
6. If you cannot explain how a bitcoin block is mined and the basics of the header etc., smack yourself, since you are investing in something you have very little knowledge of.
7. If you are storing your private key with 0 encryption, there is no hope for you.

So who's at fault, Luno or you? Both.
Unfortunately the API key only has a 2FA check; Luno needs to send an email confirmation that a key has been added, and the key should only be enabled when you confirm via email and call. In defense of Luno, if an API key is in use, it is meant to act silently.

Great write-up, I definitely could not have written such a brief yet detailed explanation even if I tried. :)
 

Swa

Honorary Master
Joined
May 4, 2012
Messages
21,499
First things first. Sure, Luno should send a code when a new device is used. A new device includes a different browser. But this isn't foolproof and it's pretty rudimentary. Not all transactions (BTC or fiat) need confirmation. You can't rely on these as security.

Now, if Luno wasn't compromised, there are only two possibilities.
The password was stolen. As a general rule, if you can easily remember a password, it's probably not secure.
Someone logged in using Google or Facebook. Both of these are attack vectors people forget about. FB will even log in again without a password after you've logged out.

Well, crypto is a mobile currency, so if you handle crypto at all you should have access to a smartphone.

The 0.00000000001% of users who only want to use it from a desktop are not worth the added security risk of not enforcing it.
Crypto is not a mobile currency. Don't know where you got that from.
 

John Tempus

Expert Member
Joined
Aug 8, 2017
Messages
2,593
First things first. Sure, Luno should send a code when a new device is used. A new device includes a different browser. But this isn't foolproof and it's pretty rudimentary. Not all transactions (BTC or fiat) need confirmation. You can't rely on these as security.

Now, if Luno wasn't compromised, there are only two possibilities.
The password was stolen. As a general rule, if you can easily remember a password, it's probably not secure.
Someone logged in using Google or Facebook. Both of these are attack vectors people forget about. FB will even log in again without a password after you've logged out.


Crypto is not a mobile currency. Don't know where you got that from.

It most definitely is a mobile currency. It might be a mobile + stationary (equal combination) _ASSET_ if used in that sense; however, as a currency it is sure as sht a mobile currency.

Everything in its current utility form is designed around point of sale, as in all use cases as a currency. All of these use cases are focused on utility on a mobile device, and that makes 100% sense.

Please explain to me why you would think it is not a mobile currency. In fact, if it were not a mobile currency, its use case as a currency, or even worse its use case as a micro-transaction currency, would be absolutely pointless.

Tell me, how many times do you go to the store and first make the payment to buy groceries at your home PC, and then go to the shop with some sort of proof-of-payment printout? NEVER. You go with your fiat currency, either cash or card, and with mobility make the transaction.

Please think before you argue against something that you seemingly did not think through.

And to follow up on what you wrote about Luno, the easy, practical, smart solution that could be implemented right this minute is to force every user who has any form of funds on their Luno account to enable 2FA. Done. No need to run around trying to play detective as to who is the guilty party; at worst both are, for not enabling 2FA and not enforcing 2FA. When I refer to 2FA, SMS does not qualify as secure 2FA, for obvious reasons by now.
 
Last edited:

Swa

Honorary Master
Joined
May 4, 2012
Messages
21,499
It's platform agnostic. Don't know where you're scratching out that it's a mobile currency. You're the one not thinking.
 

John Tempus

Expert Member
Joined
Aug 8, 2017
Messages
2,593
It's platform agnostic. Don't know where you're scratching out that it's a mobile currency. You're the one not thinking.
It is a mobile currency; platform agnostic or not, the main use case, using it as a cash replacement, is mobile. Not sure how you gathered that me stating it's a mobile currency somehow implied it's only mobile.

I will assume you could not figure it out, so let me use more words this time.

Bitcoin is a mobile currency, but not a mobile-only currency.

Just because today it is seemingly mostly used as an asset class has nothing to do with the original intent for it to be used as a cash replacement. Again, explain to me how you would not use a cash replacement 99/100 times in mobile form.

If you seriously think that Bitcoin was not designed to primarily function in the real world as a mobile currency, you don't seem to think much at all and I should not even be typing these responses.
 