
Goldmoney Be Careful With Your Login


53 replies to this topic

#1 id5
Millennium man, Members, 1,890 posts, Gender: Male

Posted 15 November 2008 - 10:33 AM

Someone has just made me aware that there is a possible security risk with the GoldMoney front page. It is not a secure HTTPS page yet asks you to put in your Holding Number and Passphrase. The page could be subject to a man in the middle attack from someone in your company/ISP/etc by them displaying a dummy front page, asking for your credentials and then forwarding you to the real page. They can then change your bank wire details and raid the account. GoldMoney were informed but have done nothing about it yet. It is a small risk but it is your money you are risking.

If you click on the Login button but don’t put in your Holding Number and Passphrase it takes you to a secure HTTPS page where you can put your credentials in safely.

The market can stay irrational longer than you can stay solvent. - John Maynard Keynes

I must remember that investing is a marathon and not a sprint!

#2 Cuthbert Calculus
Tri-Millennium Guru, Members, 3,321 posts, Gender: Male

Posted 15 November 2008 - 10:34 AM

Thank you

#3 Mr P
Millennium man, Members, 1,214 posts

Posted 15 November 2008 - 11:08 AM

There is a way to Lock down linked a/c's with Goldmoney. Once done, no more bank a/c's for transfers out can be added. Pain if you ever do want to link other a/c though!

You can lock down access to an IP range too - if that suits.

Plus, think they will only accept linked a/c's matching your own name.

Guess they'd need a 2 password system to sort the problem mentioned...

#4 G0ldfinger
Tri-Millennium Guru, Members, 11,512 posts, Gender: Male, Location: Fort Knox, Interests: Hoarding gold.

Posted 15 November 2008 - 11:21 AM

I've never sold any of my holding and hence don't exactly know how GoldMoney gives you fiat paper if you want it. But wouldn't they only transfer it on an account where it is clear that it is yours (namewise etc.), or is there no possibility for them to check this? Of course another risk would be that someone makes a gg payment into his own account, but this would leave a paper trail too.

You can't tax deflation.
“Currency Induced Cost-Push Hyperinflation” vs “Demand-Pull (non-hyper) Inflation.”
The "no income --> no inflation"-thesis is as wrong as the "price control --> inflation control"-thesis.
Don't TRADE gold! You might lose your shirt in the biggest bull run ever. That would be embarrassing. © possibly by Swampy
Gold, silver, property, currencies, commodities charts.

#5 id5
Millennium man, Members, 1,890 posts, Gender: Male

Posted 15 November 2008 - 11:37 AM

QUOTE (G0ldfinger @ Nov 15 2008, 11:21 AM)
I've never sold any of my holding and hence don't exactly know how GoldMoney gives you fiat paper if you want it. But wouldn't they only transfer it on an account where it is clear that it is yours (namewise etc.), or is there no possibility for them to check this? Of course another risk would be that someone makes a gg payment into his own account, but this would leave a paper trail too.

Accounts in other names are easily created if you don't follow the rules or use bogus ID, etc., and a paper trail only shows you where the money was sent, not where it is now.

#6 Pixel8r
Tri-Millennium Guru, Members, 4,409 posts, Gender: Male, Location: UK, Interests: Photography, computers, business, precious metals & stocks, motorbikes & running 24knews.com

Posted 15 November 2008 - 11:38 AM

Thanks for this information. I have passed it on to James Turk and will post any response to this thread.

#7 bazzer
Centurion, Members, 181 posts, Gender: Male, Location: BH1

Posted 15 November 2008 - 11:39 AM

bookmark this:

https://secure.goldmoney.com/


#8 id5
Millennium man, Members, 1,890 posts, Gender: Male

Posted 15 November 2008 - 11:44 AM

QUOTE (bazzer @ Nov 15 2008, 11:39 AM)

Don't bookmark it, as there is another scam around that allows hackers in via bookmarks. For those who want to know, have a look at TMF or MSE.

#9 Ziknik
Tri-Millennium Guru, Members, 3,791 posts

Posted 15 November 2008 - 12:02 PM

QUOTE (bazzer @ Nov 15 2008, 11:39 AM)

The linked site is not secure

My address bar changes colour when I visit a secure site, that site is not doing anything

#10 bazzer
Centurion, Members, 181 posts, Gender: Male, Location: BH1

Posted 15 November 2008 - 12:28 PM

Hmm, oh yeah, that is weird... it's https yet not encrypted. Ignore the link, sorry.

https://secure.goldm.../user/login.php seems better

#11 nicejim
Twistin' by the pool, Members, 1,593 posts, Location: Liverpool

Posted 15 November 2008 - 04:02 PM

QUOTE (ziknik @ Nov 15 2008, 12:02 PM)


The linked site is not secure

My address bar changes colour when I visit a secure site, that site is not doing anything

Firefox says it uses 256-bit encryption but does not supply identity information (right-click in the page and select View Page Info).

Uses 168-bit encryption, supplies id info, Firefox address bar turns green on the left hand side:
https://www.paypal.com/us/

Uses 256-bit encryption, supplies no id info, Firefox address bar icon turns blue:
https://login.yahoo....intl=uk&.src=ym
If you're hanging on to a rising balloon, you're presented with a difficult decision - let go before it's too late or hold on and keep getting higher, posing the question: how long can you keep a grip on the rope?
- Danny, Withnail & I

#12 No6
Tri-Millennium Guru, Members, 6,667 posts, Gender: Male, Location: Garden

Posted 15 November 2008 - 06:08 PM

You could also use McAfee SiteAdvisor as an addon to FF and IE, or TrendProtect with IE.

#13 klogger
Centurion, Members, 156 posts

Posted 15 November 2008 - 06:39 PM

In Firefox on the https://secure.goldmoney.com/ if you click on the Padlock icon at the bottom (it has a red exclamation mark on it) then it tells you the page is partially encrypted. Some of the elements are being sent unencrypted but others are not. That is probably why the Firefox bar does not change colour.

On the non-secure http://goldmoney.com and secure https://secure.goldmoney.com/ version the form posts to a secure address (https://secure.goldmoney.com/user/login.php) so I think the data it sends is encrypted but has a small possibility of a man in the middle attack, but I am not an expert in security.

I also just did a packet capture on the form data (not using my real username or password of course) and it is encrypted. I have attached the capture in case anyone is interested in verifying (.txt extension to get around the upload filter but is ASCII bin file).


#14 No6
Tri-Millennium Guru, Members, 6,667 posts, Gender: Male, Location: Garden

Posted 15 November 2008 - 06:51 PM

QUOTE (klogger @ Nov 15 2008, 07:39 PM)
In Firefox on the https://secure.goldmoney.com/ if you click on the Padlock icon at the bottom (it has a red exclamation mark on it) then it tells you the page is partially encrypted. Some of the elements are being sent unencrypted but others are not.

I've spotted that in the FF browser you will occasionally get a red line through the padlock on supposedly secure sites indicating partially encrypted for some reason. The answer I've found is to clear the cache and cookies and then try again, which usually works.

#15 Steve Netwriter
Tri-Millennium Guru, Super Admins, 5,856 posts, Gender: Male, Location: Christchurch, New Zealand

Posted 15 November 2008 - 07:46 PM

Interesting stuff. I noticed right at the start that BV is a very much more secure login system.

I've forgotten now, does GM email you when someone logs into your account?

Fiat: What starts becoming worth less eventually becomes worthless.

Notable Threads Notable Posts

#16 the_duke_of_hazzard
Member, Members, 58 posts

Posted 15 November 2008 - 09:02 PM

QUOTE (klogger @ Nov 15 2008, 06:39 PM)
In Firefox on the https://secure.goldmoney.com/ if you click on the Padlock icon at the bottom (it has a red exclamation mark on it) then it tells you the page is partially encrypted. Some of the elements are being sent unencrypted but others are not. That is probably why the Firefox bar does not change colour.

On the non-secure http://goldmoney.com and secure https://secure.goldmoney.com/ version the form posts to a secure address (https://secure.goldmoney.com/user/login.php) so I think the data it sends is encrypted but has a small possibility of a man in the middle attack, but I am not an expert in security.

I also just did a packet capture on the form data (not using my real username or password of course) and it is encrypted. I have attached the capture in case anyone is interested in verifying (.txt extension to get around the upload filter but is ASCII bin file).


This is correct. It's perfectly safe. This is irresponsible scaremongering.

#17 wren
Millennium man, Members, 1,989 posts, Gender: Male, Location: Finland

Posted 15 November 2008 - 09:15 PM

QUOTE (Steve Netwriter @ Nov 15 2008, 09:46 PM)
Interesting stuff. I noticed right at the start that BV is a very much more secure login system.

I've forgotten now, does GM email you when someone logs into your account?

The default setting is not to, but you can change it.

Go to:

Profile & Settings > Email notices

Gold and financial news: 24knews
Video at guardian.co.uk: Gold for Food in Zimbabwe.
Video at YouTube: Buying groceries with silver in California.
Energy Bulletin A daily news site about oil, natural gas, food, transportation and their economic and social ramifications.

#18 klogger
Centurion, Members, 156 posts

Posted 15 November 2008 - 09:54 PM

QUOTE (the_duke_of_hazzard @ Nov 15 2008, 09:02 PM)
This is correct. It's perfectly safe. This is irresponsible scaremongering.


To be fair, I would say it was bad site implementation. It is not clear to a non-technical user that HTTPS is being used, and I had to check the source code to see what was actually going on, and even then perform the packet capture to prove it to myself.

<preacher>
It is far better to be safe than sorry.
</preacher>

#19 Mercury
Centurion, Members, 105 posts

Posted 15 November 2008 - 11:46 PM

QUOTE (klogger @ Nov 15 2008, 06:39 PM)
In Firefox on the https://secure.goldmoney.com/ if you click on the Padlock icon at the bottom (it has a red exclamation mark on it) then it tells you the page is partially encrypted. Some of the elements are being sent unencrypted but others are not. That is probably why the Firefox bar does not change colour.

On the non-secure http://goldmoney.com and secure https://secure.goldmoney.com/ version the form posts to a secure address (https://secure.goldmoney.com/user/login.php) so I think the data it sends is encrypted but has a small possibility of a man in the middle attack, but I am not an expert in security.

I also just did a packet capture on the form data (not using my real username or password of course) and it is encrypted. I have attached the capture in case anyone is interested in verifying (.txt extension to get around the upload filter but is ASCII bin file).


QUOTE (the_duke_of_hazzard @ Nov 15 2008, 09:02 PM)
This is correct. It's perfectly safe. This is irresponsible scaremongering.


It is not scaremongering - there is a real threat. Anyone who can update your DNS could direct you to a page which is identical to the original, other than that the form does not submit to a secure page, instead capturing your password before displaying the real goldmoney page. Without looking at the page source there would be no visible difference. Your DNS could be changed by your ISP, and you are depending on their security measures to protect it.

Starting on the https://secure.goldmoney.com page is safe. I am not as much concerned with this particular risk, but rather it shows a lack of security planning in general. If the original poster raised the issue and it was ignored I would be particularly concerned. The warning about the page containing insecure items is due to the google tracker on the page. Google supply a secure version which would avoid the warning that could easily be used. I am quite worried that the security issues go beyond the web frontend.
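As an added example (not from this thread and not GoldMoney's code), the following Python script audits a login page for the three conditions klogger's and Mercury's posts describe: a passphrase form served from a plain-HTTP page, a form action that posts over plain HTTP, and plain-HTTP subresources such as a tracker script on an HTTPS page, which is what the "partially encrypted" padlock reports. The sample HTML and the example.test hostnames are constructed for illustration.

```python
"""Audit a login page for what the thread discusses: a password form served from a plain-HTTP
page, a form that posts over plain HTTP, and HTTP subresources on an HTTPS page (mixed content)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _PageScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []          # action of every form that contains a password field
        self.subresources = []   # src/href of scripts, images, frames and stylesheets
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._form and a.get("type") == "password":
            self._form["password"] = True
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.subresources.append(a["src"])
        elif tag == "link" and a.get("rel") == "stylesheet" and a.get("href"):
            self.subresources.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            if self._form["password"]:
                self.forms.append(self._form["action"])
            self._form = None

def audit_login_page(page_url, html):
    """Return findings as strings; an empty list means all three checks passed."""
    scan = _PageScan()
    scan.feed(html)
    findings, page_scheme = [], urlsplit(page_url).scheme
    for action in scan.forms:
        if page_scheme != "https":   # form can be swapped before TLS starts (DNS/ISP MITM)
            findings.append(f"password form served over {page_scheme}: {page_url}")
        target = urljoin(page_url, action)
        if urlsplit(target).scheme != "https":
            findings.append(f"password form posts over plain http: {target}")
    if page_scheme == "https":       # mixed content: what the red padlock was reporting
        for src in scan.subresources:
            if urlsplit(urljoin(page_url, src)).scheme == "http":
                findings.append(f"mixed content on https page: {src}")
    return findings

# Constructed sample pages with hypothetical hostnames, modelled on the thread: an HTTP
# front page whose form posts to HTTPS, and an HTTPS page that loads a tracker over HTTP.
FRONT_PAGE = ('<form action="https://secure.example.test/user/login.php" method="post">'
              '<input name="holding"><input type="password" name="passphrase"></form>')
SECURE_PAGE = '<script src="http://www.example.test/tracker.js"></script>' + FRONT_PAGE
```

Run `audit_login_page(url, html)` against the fetched HTML of the page you actually typed credentials into; the HTTP front page yields the first finding, the HTTPS page with the tracker yields the mixed-content one.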

#20 nicejim
Twistin' by the pool, Members, 1,593 posts, Location: Liverpool

Posted 16 November 2008 - 12:05 AM

QUOTE
Your passphrase has been changed successfully. Please make sure you memorise your new passphrase and/or write it down and keep it in a safe place.
