53 replies to this topic

[id5]

Someone has just made me aware that there is a possible security risk with the GoldMoney front page. It is not a secure HTTPS page yet asks you to put in your Holding Number and Passphrase. The page could be subject to a man in the middle attack from someone in your company/ISP/etc by them displaying a dummy front page, asking for your credentials and then forwarding you to the real page. They can then change your bank wire details and raid the account. GoldMoney were informed but have done nothing about it yet. It is a small risk but it is your money you are risking.

If you click on the Login button but don’t put in your Holding Number and Passphrase it takes you to a secure HTTPS page where you can put your credentials in safely.

[Cuthbert Calculus]

Thank you

[Mr P]

There is a way to Lock down linked a/c's with Goldmoney. Once done, no more bank a/c's for transfers out can be added. Pain if you ever do want to link other a/c though!

You can lock down access to an IP range too - if that suits.

Plus, think they will only accept linked a/c's matching your own name.

Guess they'd need a 2 password system to sort the problem mentioned...

[G0ldfinger]

I've never sold any of my holding and hence don't exactly know how GoldMoney gives you fiat paper if you want it. But wouldn't they only transfer it on an account where it is clear that it is yours (namewise etc.), or is there no possibility for them to check this? Of course another risk would be that someon makes a gg payment into his own account, but this would leave a paper trail too.

[id5]

I've never sold any of my holding and hence don't exactly know how GoldMoney gives you fiat paper if you want it. But wouldn't they only transfer it on an account where it is clear that it is yours (namewise etc.), or is there no possibility for them to check this? Of course another risk would be that someon makes a gg payment into his own account, but this would leave a paper trail too.

Accounts in other names are easily created if you don't follow the rules or use bogus ID, etc and a paper trail only shows you where the money was sent not where it is now  

[Pixel8r]

Thanks for this information, I have passed it onto James Turk and will post any response to this thread.

[bazzer]

bookmark this:

https://secure.goldmoney.com/

[id5]

bookmark this:

https://secure.goldmoney.com/

Don't book mark it as there is another scam around that allows hackers in via bookmarks, for those who want to know have a look at TMF or MSE

[Ziknik]

bookmark this:

https://secure.goldmoney.com/

The linked site is not secure

My address bar changes colour when I visit a secure site, that site is not doing anything

[bazzer]

hmm oh yeah, that is weird... its https yet not encrypted. ignore the link, sorry

https://secure.goldmoney.com/user/login.php seems better

[nicejim]

The linked site is not secure

My address bar changes colour when I visit a secure site, that site is not doing anything

Firefox says it uses 256-bit encryption but does not supply identity information (right-click in the page and select View Page Info).

Uses 168-bit encryption, supplies id info, Firefox address bar turns green on the left hand side
https://www.paypal.com/us/

Uses 256-bit encryption, supoplied no id info, Firefox address bar icon turns blue
https://login.yahoo.com/config/mail?.intl=uk&.src=ym

[No6]

You could also use McAfee SiteAdvisor as an addon to FF and IE, or TrendProtect with IE.

[klogger]

In Firefox on the https://secure.goldmoney.com/ if you click on the Padlock icon at the bottom (it has a red exclamation mark on it) then it tells you the page is partially encrypted. Some of the elements are being sent unencrypted but others are not. That is probably why the Firefox bar does not change colour.

On the non-secure http://goldmoney.com and secure https://secure.goldmoney.com/ version the form posts to a secure address (https://secure.goldm.../user/login.php) so I think the data it sends is encrypted but has a small possibility of a man in the middle attack, but I am not an expert in security.

I also just did a packet capture on the form data (not using my real username or password of course) and it is encrypted. I have attached the capture in case anyone is interested in verifying (.txt extension to get around the upload filter but is ASCII bin file).

Attached Files

•  gold_money_packet_capture.txt   10.81K   6 downloads

[No6]

In Firefox on the https://secure.goldmoney.com/ if you click on the Padlock icon at the bottom (it has a red exclamation mark on it) then it tells you the page is partially encrypted. Some of the elements are being sent unencrypted but others are not.

I've spotted that in the FF browser you will occasionally get a red line through the padlock on supposedly secure sites indicating partially encrypted for some reason.  The answer I've found is to clear the cache and cookies and then try again, which usually works.

[Steve Netwriter]

Interesting stuff. I noticed right at the start that BV is a very much more secure login system.

I've forgotten now, does GM email you when someone logs into your account ?

[the_duke_of_hazzard]

In Firefox on the https://secure.goldmoney.com/ if you click on the Padlock icon at the bottom (it has a red exclamation mark on it) then it tells you the page is partially encrypted. Some of the elements are being sent unencrypted but others are not. That is probably why the Firefox bar does not change colour.

On the non-secure http://goldmoney.com and secure https://secure.goldmoney.com/ version the form posts to a secure address (https://secure.goldm.../user/login.php) so I think the data it sends is encrypted but has a small possibility of a man in the middle attack, but I am not an expert in security.

I also just did a packet capture on the form data (not using my real username or password of course) and it is encrypted. I have attached the capture in case anyone is interested in verifying (.txt extension to get around the upload filter but is ASCII bin file).

This is correct. It's perfectly safe. This is irresponsible scaremongering.

[wren]

Interesting stuff. I noticed right at the start that BV is a very much more secure login system.

I've forgotten now, does GM email you when someone logs into your account ?

The default setting is not to, but you can change it.

Go to:

Profile & Settings > Email notices

[klogger]

This is correct. It's perfectly safe. This is irresponsible scaremongering.

To be fair I would say it was bad site implementation. It is not clear to a non technical user that HTTPS is being used and I had to check the source code to see what was actually going on and even then perform the packet capture to prove it to myself.

<preacher>
       It is far better to be safe than sorry.
</preacher>

[Mercury]

In Firefox on the https://secure.goldmoney.com/ if you click on the Padlock icon at the bottom (it has a red exclamation mark on it) then it tells you the page is partially encrypted. Some of the elements are being sent unencrypted but others are not. That is probably why the Firefox bar does not change colour.

On the non-secure http://goldmoney.com and secure https://secure.goldmoney.com/ version the form posts to a secure address (https://secure.goldm.../user/login.php) so I think the data it sends is encrypted but has a small possibility of a man in the middle attack, but I am not an expert in security.

I also just did a packet capture on the form data (not using my real username or password of course) and it is encrypted. I have attached the capture in case anyone is interested in verifying (.txt extension to get around the upload filter but is ASCII bin file).

This is correct. It's perfectly safe. This is irresponsible scaremongering.

It is not scaremongering - there is a real threat. Anyone who can update your DNS could direct you to a page which is identical to the original, other than that the form does not submit to a secure page, instead capturing your password before displaying the real goldmoney page. Without looking at the page source there would be no visible difference. Your DNS could be changed by your ISP, and you are depending on their security measures to protect it.

Starting on the https://secure.goldmoney.com page is safe. I am not as much concerned with this particular risk, but rather it shows a lack of security planning in general. If the original poster raised the issue and it was ignored I would be particularly concerned. The warning about the page containing insecure items is due to the google tracker on the page. Google supply a secure version which would avoid the warning that could easily be used. I am quite worried that the security issues go beyond the web frontend.

[nicejim]

Your passphrase has been changed successfully. Please make sure you memorise your new passphrase and/or write it down and keep it in a safe place.