
Goldmoney Be Careful With Your Login


Someone has just made me aware that there is a possible security risk with the GoldMoney front page. It is not a secure HTTPS page, yet it asks you to put in your Holding Number and Passphrase. The page could be subject to a man-in-the-middle attack from someone in your company/ISP/etc. by them displaying a dummy front page, asking for your credentials and then forwarding you to the real page. They can then change your bank wire details and raid the account. GoldMoney were informed but have done nothing about it yet. It is a small risk, but it is your money you are risking.

 

If you click on the Login button but don’t put in your Holding Number and Passphrase it takes you to a secure HTTPS page where you can put your credentials in safely.

 


There is a way to Lock down linked a/c's with Goldmoney. Once done, no more bank a/c's for transfers out can be added. Pain if you ever do want to link other a/c though!

 

You can lock down access to an IP range too - if that suits.

 

Plus, think they will only accept linked a/c's matching your own name.

 

Guess they'd need a two-password system to sort the problem mentioned...


I've never sold any of my holding and hence don't exactly know how GoldMoney gives you fiat paper if you want it. But wouldn't they only transfer it to an account where it is clear that it is yours (name-wise etc.), or is there no possibility for them to check this? Of course another risk would be that someone makes a gg payment into his own account, but this would leave a paper trail too.

I've never sold any of my holding and hence don't exactly know how GoldMoney gives you fiat paper if you want it. But wouldn't they only transfer it to an account where it is clear that it is yours (name-wise etc.), or is there no possibility for them to check this? Of course another risk would be that someone makes a gg payment into his own account, but this would leave a paper trail too.

 

Accounts in other names are easily created if you don't follow the rules or use bogus ID, etc., and a paper trail only shows you where the money was sent, not where it is now :(


Thanks for this information, I have passed it onto James Turk and will post any response to this thread.


 

The linked site is not secure

 

My address bar changes colour when I visit a secure site; that site is not doing anything.

Firefox says it uses 256-bit encryption but does not supply identity information (right-click in the page and select View Page Info).

 

Uses 168-bit encryption, supplies ID info, Firefox address bar turns green on the left-hand side

https://www.paypal.com/us/

 

Uses 256-bit encryption, supplies no ID info, Firefox address bar icon turns blue

https://login.yahoo.com/config/mail?.intl=uk&.src=ym


You could also use McAfee SiteAdvisor as an addon to FF and IE, or TrendProtect with IE.


In Firefox on the https://secure.goldmoney.com/ if you click on the Padlock icon at the bottom (it has a red exclamation mark on it) then it tells you the page is partially encrypted. Some of the elements are being sent unencrypted but others are not. That is probably why the Firefox bar does not change colour.

 

On both the non-secure http://goldmoney.com and the secure https://secure.goldmoney.com/ versions, the form posts to a secure address (https://secure.goldmoney.com/user/login.php), so I think the data it sends is encrypted but has a small possibility of a man-in-the-middle attack; I am not an expert in security, though.

 

I also just did a packet capture on the form data (not using my real username or password, of course) and it is encrypted. I have attached the capture in case anyone is interested in verifying (.txt extension to get around the upload filter, but it is an ASCII bin file).

gold_money_packet_capture.txt

In Firefox on the https://secure.goldmoney.com/ if you click on the Padlock icon at the bottom (it has a red exclamation mark on it) then it tells you the page is partially encrypted. Some of the elements are being sent unencrypted but others are not.

I've spotted that in the FF browser you will occasionally get a red line through the padlock on supposedly secure sites, indicating partially encrypted for some reason. The answer I've found is to clear the cache and cookies and then try again, which usually works.


Interesting stuff. I noticed right at the start that BV is a very much more secure login system.

 

I've forgotten now, does GM email you when someone logs into your account?

 

In Firefox on the https://secure.goldmoney.com/ if you click on the Padlock icon at the bottom (it has a red exclamation mark on it) then it tells you the page is partially encrypted. Some of the elements are being sent unencrypted but others are not. That is probably why the Firefox bar does not change colour.

 

On both the non-secure http://goldmoney.com and the secure https://secure.goldmoney.com/ versions, the form posts to a secure address (https://secure.goldmoney.com/user/login.php), so I think the data it sends is encrypted but has a small possibility of a man-in-the-middle attack; I am not an expert in security, though.

 

I also just did a packet capture on the form data (not using my real username or password, of course) and it is encrypted. I have attached the capture in case anyone is interested in verifying (.txt extension to get around the upload filter, but it is an ASCII bin file).

 

This is correct. It's perfectly safe. This is irresponsible scaremongering.

Interesting stuff. I noticed right at the start that BV is a very much more secure login system.

 

I've forgotten now, does GM email you when someone logs into your account?

The default setting is not to, but you can change it.

 

Go to:

 

Profile & Settings > Email notices

 

This is correct. It's perfectly safe. This is irresponsible scaremongering.

 

To be fair, I would say it was bad site implementation. It is not clear to a non-technical user that HTTPS is being used; I had to check the source code to see what was actually going on, and even then perform the packet capture to prove it to myself.

 

<preacher>

It is far better to be safe than sorry.

</preacher>

In Firefox on the https://secure.goldmoney.com/ if you click on the Padlock icon at the bottom (it has a red exclamation mark on it) then it tells you the page is partially encrypted. Some of the elements are being sent unencrypted but others are not. That is probably why the Firefox bar does not change colour.

 

On both the non-secure http://goldmoney.com and the secure https://secure.goldmoney.com/ versions, the form posts to a secure address (https://secure.goldmoney.com/user/login.php), so I think the data it sends is encrypted but has a small possibility of a man-in-the-middle attack; I am not an expert in security, though.

 

I also just did a packet capture on the form data (not using my real username or password, of course) and it is encrypted. I have attached the capture in case anyone is interested in verifying (.txt extension to get around the upload filter, but it is an ASCII bin file).

 

This is correct. It's perfectly safe. This is irresponsible scaremongering.

 

It is not scaremongering - there is a real threat. Anyone who can update your DNS could direct you to a page which is identical to the original, other than that the form does not submit to a secure page, instead capturing your password before displaying the real goldmoney page. Without looking at the page source there would be no visible difference. Your DNS could be changed by your ISP, and you are depending on their security measures to protect it.

 

Starting on the https://secure.goldmoney.com page is safe. I am not as much concerned with this particular risk, but rather it shows a lack of security planning in general. If the original poster raised the issue and it was ignored I would be particularly concerned. The warning about the page containing insecure items is due to the Google tracker on the page. Google supply a secure version, which could easily be used and would avoid the warning. I am quite worried that the security issues go beyond the web frontend.

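The three things argued over in this thread (a credential form sitting on a plain-HTTP page, a copy of that page whose form action has been rewritten to HTTP by someone in the path, and the "partially encrypted" warning caused by an HTTP tracker on the HTTPS page) can all be checked mechanically from the page source. The following is an added example, not code from GoldMoney or from anyone in the thread. The HTML samples are constructed to resemble what the posts describe; the attacker host and the tracker script URLs are assumptions.

```python
"""Audit a page for the login-form weaknesses discussed in this thread:
a credential form served over plain HTTP (whatever its action), a form
whose action is plain HTTP, and an HTTPS page that pulls HTTP sub-resources
(mixed content). Added example; not GoldMoney's code. The HTML samples are
constructed to mimic the shapes described in the posts above."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

CREDENTIAL_FIELDS = {"password", "passphrase", "pass", "pin", "passcode"}
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data"}
PASSIVE = {"img": "src"}


class _Collector(HTMLParser):
    """Collect forms (with whether they take a credential) and sub-resource URLs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.subresources = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "credential": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            name = (a.get("name") or "").lower()
            if (a.get("type") or "").lower() == "password" or name in CREDENTIAL_FIELDS:
                self._form["credential"] = True
        elif tag in ACTIVE or tag in PASSIVE:
            url = a.get(ACTIVE.get(tag) or PASSIVE.get(tag))
            if url:
                self.subresources.append((tag, url))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit(page_url, html):
    """Return a list of finding strings for the page fetched from page_url."""
    c = _Collector()
    c.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in c.forms:
        if not form["credential"]:
            continue
        action = urljoin(page_url, form["action"])
        if urlsplit(action).scheme != "https":
            findings.append(f"credential form posts over plain HTTP to {action}")
        if not page_https:
            # An HTTPS action does not help: whoever can alter the HTTP page
            # (ISP, rogue DNS, anyone in the path) can also alter the action.
            findings.append("credential form served over plain HTTP; an in-path "
                            f"attacker can rewrite its action (currently {action})")
    if page_https:
        for tag, url in c.subresources:
            full = urljoin(page_url, url)
            if urlsplit(full).scheme == "http":
                kind = "active" if tag in ACTIVE else "passive"
                findings.append(f"mixed content ({kind}): <{tag}> loads {full}")
    return findings


# Constructed samples (not captured from the real site).
LOGIN_FORM = """<form method="post" action="{action}">
<input name="holding" type="text"><input name="passphrase" type="password">
<input type="submit" value="Login"></form>"""
SAMPLES = {
    # The landing page as described in the first post: HTTP page, HTTPS action.
    "landing_http": ("http://goldmoney.com/",
                     LOGIN_FORM.format(action="https://secure.goldmoney.com/user/login.php")),
    # The same page after an in-path attacker rewrote the action (hypothetical host).
    "landing_rewritten": ("http://goldmoney.com/",
                          LOGIN_FORM.format(action="http://attacker.example/login.php")),
    # The HTTPS login page pulling a tracker over HTTP (script URL is an assumption).
    "secure_mixed": ("https://secure.goldmoney.com/",
                     '<script src="http://www.google-analytics.com/ga.js"></script>'
                     + LOGIN_FORM.format(action="/user/login.php")),
    # The HTTPS page with the tracker on HTTPS (assumed host): nothing to report.
    "secure_clean": ("https://secure.goldmoney.com/",
                     '<script src="https://ssl.google-analytics.com/ga.js"></script>'
                     + LOGIN_FORM.format(action="/user/login.php")),
}


def run_samples():
    return {name: audit(url, html) for name, (url, html) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or ["OK"])
```

The first sample is the case the thread is about: the audit flags it even though the form action is HTTPS, because the page that carries the form is the thing an attacker gets to change. The second sample is what that attacker would serve, and the third reproduces the Firefox "partially encrypted" warning from an active sub-resource over HTTP.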
Your passphrase has been changed successfully. Please make sure you memorise your new passphrase and/or write it down and keep it in a safe place.


I got a quick reply from James Turk on this security risk. Here it is:

 

Hi xxxx,

 

Thank you for your email. We are aware of this security issue and will rectify it when we release a new version of our website in the next few weeks.

 

In the meantime, we encourage all of our customers to bookmark the SSL-secured login page when they first open their account. The welcome email that is sent when the account is opened instructs them to do so.

 

In any case, there are other security features in place like the emailed PIN codes before value can be removed from a GoldMoney account and the ability to disable the addition of new bank accounts to a GoldMoney account. These options further protect the customer's funds in the case of a compromised account password.

 

Regards

James


If you're concerned about DNS poisoning, use the IP address instead, but you will get a warning from IE, as you circumvented the name resolution process and the cert only matches the FQDN; it is technically safer, though. Whilst it is technically possible, it is highly improbable; plus, "man in the middle" attacks will be obvious if you verify the certificate(s) over HTTPS.

 

https://213.167.85.20

 

Everyone should be more concerned about what malware is on their PC, than being misdirected by rogue DNS servers.

 

It is not scaremongering - there is a real threat. Anyone who can update your DNS could direct you to a page which is identical to the original, other than that the form does not submit to a secure page, instead capturing your password before displaying the real goldmoney page. Without looking at the page source there would be no visible difference. Your DNS could be changed by your ISP, and you are depending on their security measures to protect it.

 

Starting on the https://secure.goldmoney.com page is safe. I am not as much concerned with this particular risk, but rather it shows a lack of security planning in general. If the original poster raised the issue and it was ignored I would be particularly concerned. The warning about the page containing insecure items is due to the Google tracker on the page. Google supply a secure version, which could easily be used and would avoid the warning. I am quite worried that the security issues go beyond the web frontend.

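The suggestion above to type the IP address, the warning it produces because "the cert only matches the FQDN", and the point that a man-in-the-middle is obvious if you verify the certificate all come down to one decision: does the presented certificate cover the name the user typed? This is an added example, not from the thread or from GoldMoney. `cert_matches` implements that decision on certificate data in the shape Python's `ssl` module returns, and `verified_cert` shows how to pin the IP you dial without giving up hostname verification. The certificate contents are constructed and every name in them is an assumption; only the IP address is the one quoted in the post.

```python
"""Does a server certificate cover the name the user typed? This decides
whether a DNS-poisoned or IP-typed connection is caught by TLS verification.
Added example, not from the thread or from GoldMoney. CONSTRUCTED_CERT is a
hand-written dict in the shape ssl.SSLSocket.getpeercert() returns, not a
real certificate; the names in it are assumptions."""
import ipaddress
import socket
import ssl


def _dns_name_matches(pattern, hostname):
    """RFC 6125 style: case-insensitive; '*' only as the entire left-most label
    and only when at least two labels follow it (so '*.com' never matches)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def cert_matches(cert, name):
    """Return (matched, reason) for the certificate dict and the typed name."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        # Typing https://213.167.85.20 instead of the FQDN: only an explicit
        # IP SAN counts, so an ordinary web-server certificate fails here,
        # which is the warning the post describes.
        if any(ipaddress.ip_address(v) == ip for v in ip_names):
            return True, f"IP {name} listed in subjectAltName"
        return False, f"certificate names {dns_names}, not IP {name}"
    if dns_names:
        for d in dns_names:
            if _dns_name_matches(d, name):
                return True, f"matches subjectAltName DNS:{d}"
        return False, f"{name} not covered by subjectAltName {dns_names}"
    # Legacy fallback: subject CN is consulted only when there is no SAN at all.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for cn in cns:
        if _dns_name_matches(cn, name):
            return True, f"matches subject CN {cn} (no SAN present)"
    return False, f"{name} matches neither SAN nor CN {cns}"


def verified_cert(host, port=443, connect_to=None):
    """Connect with chain and hostname verification and return the peer cert.
    connect_to lets you pin the IP you dial while still verifying `host`
    (SNI and name check), which is the safe form of 'use the IP instead'.
    Raises ssl.SSLCertVerificationError on a bad chain or a name mismatch.
    Not called here: it needs network access."""
    ctx = ssl.create_default_context()  # system roots, check_hostname=True
    with socket.create_connection((connect_to or host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificate data (assumed names; not the real site's certificate).
CONSTRUCTED_CERT = {
    "subject": ((("countryName", "GB"),),
                (("organizationName", "Example Org"),),
                (("commonName", "secure.goldmoney.com"),)),
    "subjectAltName": (("DNS", "secure.goldmoney.com"), ("DNS", "www.goldmoney.com")),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.goldmoney.com"),)}
LEGACY_CN_ONLY = {"subject": ((("commonName", "secure.goldmoney.com"),),)}


if __name__ == "__main__":
    for typed in ("secure.goldmoney.com", "213.167.85.20", "goldmoney.com"):
        print(typed, cert_matches(CONSTRUCTED_CERT, typed))
```

Two things follow from this. Browsing by IP does not remove the protection, it removes the check: the browser can no longer tell a certificate for the real site from one for anything else, which is why the post says a warning appears. Pinning the address while still asking for and verifying the FQDN (the `connect_to` parameter) keeps both. And a DNS poisoner who sends you to the HTTPS page still fails the name check unless they hold a certificate for that name; the HTTP landing page is the only place where no such check exists.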
