Edit 13/10/13: Mt. Gox have informed me that the site saying that I am able to withdraw when I in fact cannot is a bug, which will be fixed soon.
Edit 13/10/13: Mt. Gox have stated they will inform their staff that UK users often don't have photo ID, and that they are working on improving services. Hopefully this bodes well for the future.
I had some recent dealings with Mt. Gox that I would describe as very suspicious.
On the 2nd of October, DPR was caught, and this affected the Bitcoin price. I decided my best course of action was to move some money into the exchange, so it was there in case I needed to sell in a hurry. I went to the Mt. Gox website and noticed the big red notification about fiat withdrawals requiring verification. I live in England; national ID cards were phased out in 2011, and I haven't been abroad and don't drive. Thus I have no photo ID. So of course I was very careful to check that none of these messages mentioned bitcoins. They were all quite clear: none of this stuff applied to bitcoin, only fiat currencies. I logged in and went to the deposit page, where it clearly stated that I could "withdraw up to 100.00000000 BTC provided you have enough on your account".
Satisfied that Mt. Gox had quite clearly said my account was fine for withdrawals, I went ahead and deposited my 10 BTC without issue.
A few hours later, the Bitcoin price returned to normal, and I decided there was indeed no need to sell. I went to try and withdraw. I got an error message stating that my account required verification, even though, just above this message, it still said that my account was able to withdraw up to 100 BTC.
I contacted support, asking if it was a bug; it seemed bizarre that everything said I could withdraw bitcoins, even though I couldn't. After asking for my account ID, I was told that my "IP is using more than one account", which, to some degree, is true. Back in April I had a fellow bitcoiner come down from London and visit me for a few days; while here, he accessed his Mt. Gox account using his laptop, on my WiFi. I figured that was what caused the flag.
I explained to the support staff that this was quite ridiculous, and that one IP does not equal one user. I also explained that I'd be OK to do ID verification; however, I didn't have a passport, and in the UK it takes AT LEAST 6 weeks to get one, and costs £72.50 ($115). Quite a lot of time and money, just to do a Mt. Gox withdrawal. I also pointed out that the site stated (and still did state) that my account was able to withdraw up to 100 BTC.
The support rep ignored my statement about my funding options section clearly stating I was able to withdraw, and told me that my account would need to be verified. He moved my ticket to the verification department.
I replied that I'd do my best to comply with the verification department, and asked the following questions:
Why was I not informed that my account was flagged and required verification at the time it was flagged? Why was the status of my account not made clear to me when I logged in and made a deposit? Why does your website clearly state in the funding options section that I am able to withdraw up to 100 BTC, when in fact my account is "flagged" and I am not able to make a withdrawal?
The new support rep from the verification department replied, this time stating that I had used Mt. Gox via Tor, a VPN, or a public network. This seems in direct contradiction to the first support rep; I also didn't use any of those services to connect to Mt. Gox. I've always used my PC, at home, using my normal residential internet connection. He said this was the reason my account was flagged. He ignored my questions, and again demanded photo ID, which I'd previously stated in my ticket I do not have.
I replied again, stating I had never connected via any of those services. I also pointed out that he hadn't answered any of my questions, and re-stated them. I again stated that I have no photo ID to give them, and what the situation is in England regarding ID. I asked him to please provide me with a way to get my funds back. I told him that I could provide him with my birth certificate, along with a gas, electric and phone bill, and also a council tax statement.
He replied to me asking for my name, date of birth, and address, which I promptly provided.
The support rep then replied again, stating that my account was flagged due to the "violation of Mt.Gox rules" and thus there would not be a notification, and I would only get a message when I tried to withdraw. He also stated that the website does indeed say I can withdraw up to 100 BTC, but I can't, because my account is flagged. Basically, another question-dodging non-answer. He again asked for photo ID.
At this point I was rather confused. I searched the Mt. Gox site for any mention of "rules", and couldn't find any. Perhaps he was talking about the terms of service? I don't know. I replied back asking what rule I broke, and asking him to please stop changing what I was being accused of. I pointed out that I had asked why I wasn't notified that my account was flagged, and that he again hadn't answered my questions.
He replied again, changing his story once more. He now said that he doesn't know why my account was flagged, and that it could either be because my IP was using more than one account, or that my account was accessed via Tor, a VPN, or a public network. He then said that Mt. Gox requests additional identification information at any time at the request of any competent authority (?) or by application of any applicable law or regulation. This brings us up to about 4 different possible reasons my account has been frozen. I came to the conclusion that the support staff did in fact not know why my account was frozen, and were just making stuff up at this point.
I figured I'd go and try to find someone on Mt. Gox's IRC channel to escalate the issue. They said I should wait until the start of business hours in Japan, which is about 1am UK time, and that I should talk to Marion about the issue. I waited until 1am, but no sign of Marion. She didn't arrive on IRC until 2:20am. Nonetheless, I gave her a brief explanation of my situation. She asked me for my account number or ticket number; I provided both. I waited for 20 minutes and got no reply, so I asked if she'd had any luck in looking up my issue. 10 minutes after that she just disconnected from IRC. :(
Luckily, she came back a few minutes later, and replied to me with "I am back sorry". She then went and looked up my information, and replied with "And what is the problem ? You must get verified". I pointed out the problems: that I wasn't notified when my account was flagged (or at all), and that I was allowed to make a deposit even when my account was flagged. She just replied that "There is no notification", and that they apparently "can't block" bitcoin deposits.
This to me makes absolutely no sense whatsoever. There are plenty of things you can do, such as actually notifying the user, not providing them with a deposit address, or generally giving them any indication at all that there's an issue.
She said "All users transgressing rules must get verified, this is a fact". I replied that I'm happy to give them what I have, which is my birth certificate and a bunch of bills. I asked if she could perhaps clarify why my account was flagged, because there had been so many different reasons provided by the ticket staff. She told me very clearly that my account had been accessed via Tor, and even gave me the IP of the supposed Tor exit node, 188.8.131.52, and the date that it happened: 8th of April 2013 at 02:07 JST (that's 17:07 GMT).
Now this is where it gets really interesting. I don't use Tor, so I certainly didn't make this connection. This means Mt. Gox is saying somebody gained access to my password in order to log in. How could they have gone about that? Let's go over the possibilities.
1) Keylogger. This is fairly unlikely, as I use Linux at all times; I don't even have a Windows machine in the house. There aren't many Linux keyloggers out in the wild.
2) Phishing. While possible, rather unlikely. I'm fully aware of what a phishing site is, and know how to avoid them. I've never had a phishing incident in my entire life, and it would be very strange to start now.
3) Someone broke into my Linux machine, and gained access to the account that way.
If it was indeed 1 or 3, this would involve someone having access to my machine. If said person had access to my machine, why didn't they clean out my local bitcoin wallet? Why didn't they access any of the other numerous things they could have taken? The bank I was with at the time did not do 2FA, and I had plenty of BTC in my local wallet. None of it was taken. This makes it fairly unlikely that someone broke into my machine and planted a keylogger or other malware.
I use secure, fully randomised, unique passwords for every service I sign up to, so the password was not guessed either. I also don't log in to anything on anyone else's PC. I generally take my security quite seriously.
Given the above information, I can see no way that the login even took place. Nonetheless, I kept discussing it with Marion, trying to figure out what had happened.
I found Marion to be rather aggressive, often shouting at me, and being generally rude. At first I thought perhaps it was confusion to do with dynamic addresses. She responded to this by saying:
(03:11:03) marionxd: This is not possible
(03:11:09) marionxd: THIS IS A TOR address
(03:11:17) marionxd: It is not used by ISP dynamic address
(03:11:23) marionxd: This discussion is done
(03:11:27) marionxd: Please get verified
I again pointed out that I want to be verified, and I just don't have the ID to do it, and that I'd offered all the documentation I had, but it had been refused. This is when things finally started to turn around: she said she was aware of the situation in the UK, asked me a few questions, then agreed that she would accept my birth certificate and a utility bill. Yay! I uploaded my birth certificate and a couple of bills, she verified my account, and I quickly withdrew all of the remaining funds in my account. Phew, I'm free!
She apologised for the issue, and said that it was only to protect my account. I tried to point out some of the inconsistencies with the Tor account access, and she assured me that there wasn't an error, and that they had already checked. Bizarre.
I wanted to research this issue; someone getting any of my passwords is obviously quite serious, and I needed to get to the bottom of this one way or another. The first thing I did was go and check my email, to look at my account history in Mt. Gox. I noticed there's a "Trade(s) executed" email, dated the 13th of April 2013, 5 days after my account was supposedly compromised by an attacker using Tor. I did indeed execute this trade myself, but it of course raises the question: if my account was on lockdown because someone had got my password and logged in via Tor, which is supposedly against the rules, how was I able to execute this trade with no problem? This is contradictory.
I also found another user with a very similar story to mine; he says his account was accessed via Tor when he knows it wasn't. The amusing point here is that he also uses 2FA, so there's just no way it could have happened.
The only conclusions I can come to during this experience are, unfortunately:
1) Mt. Gox support is extremely poor, and will spout misinformation at every turn; the general feeling I got from their staff team was that they wanted me to go away.
2) They are quite happy to hold on to your money, and will make it difficult for you to recover it. They are also quite happy to accept deposits knowing that you may not be able to withdraw your money again.
3) Nobody but me ever gained access to my account, and my system is still as secure as it ever was.
There are a few possibilities on Mt. Gox's side for this:
1) Human error. Perhaps Marion read my account history wrong? That said, this seems unlikely, bearing in mind the long list of varying responses I got from the different staff.
2) There is some kind of bug inside Mt. Gox which caused a Tor IP to be linked with my account; this is worrying.
I'll be avoiding Mt. Gox from now on, anyway. Glad to have managed to get my money out!