:: Security





OZ-coding.com is a proud member of the Global Digital Currency Association



The internet is full of thieves; it's sad but true.

It is true in general, but especially within the e-currency arena.
On this page I will only be dealing with e-gold security.

So how does EHC security compare to e-gold security?
There are 2 things that make EHC less secure, and 4 things that make it more secure.

EHC is less secure because:
    1. I potentially have the power to empty your account.
    2. You need to have automation access enabled; this is a very small issue.

EHC is more secure because:
    1. Many trojans look for the address line in Internet Explorer and then log the input when it shows the e-gold site. EHC does not have an address line, so these trojans won't bite on EHC.
    2. EHC is only logged in for a few seconds each time you update.
    3. In EHC you have the option to save your password locally, encrypted of course. This prevents keyloggers from fetching the password as you enter it.
    4. A normal keylogger, and lots of common trojans, are able to fetch e-gold info together with almost any other sensitive information. A trojan would have to be written specifically for EHC to be an issue at all.

Please contact me if you have any additions, I'd love to add more. You're also welcome to ask me if you're left with any questions.

More:
    If I turned dishonest tomorrow, and didn't care that I'd be caught before the end of the day, I could empty out your account. I would simply send out an update that would make a huge payment to my account instead of downloading your history.
    Obviously I can tell you that I won't do it, but why would you trust me?
    1. Because I would be caught before the money were even out-exchanged.
    2. Because I've been running OZ-coding, and developing EHC, for more than a year and a half.
    3. OZ-coding is registered with the GDCA; you can verify the status by clicking on the GDCA logo at the top of any page. Scammers are not listed with GDCA for very long.

    The reason I'm telling you to be aware of this before ordering is that it has happened before: one of my users became the victim of a thief, and before even confronting me he went all over the internet claiming I had emptied his account. That is extremely bad for my business, so before you use the software, please make up your mind whether you trust me. If it does happen to you (I can't guarantee that it won't), be kind enough to confront me before bad-mouthing me, EHC or OZ-coding anywhere else.
    And in case you were wondering: the guy I'm talking about found out later on that it was his younger brother who had emptied the account as a practical joke.


    No passwords or account numbers are sent to any server other than https://www.e-gold.com/
    The connection to e-gold is through the same 128-bit encrypted connection that you use when visiting the e-gold site the "old-fashioned" way.

    The only time EHC communicates unsecured is when fetching exchange rates, or obtaining subscription status (this communication does not include account number or passphrase).


E-gold general security
    Let me start by correcting a very common misunderstanding. E-gold accounts are not hacked. E-gold fraud is committed, e-gold scams are common and e-gold passphrases are stolen, but accounts are not hacked.

    The only way I see to actually hack an e-gold account would be a brute-force or dictionary attack.
    A brute-force attack (trying every combination, aaa to zzz) would require several years to complete. Let's say there are just 10 usable characters in e-gold's passphrase system (there are more than a hundred, but never mind): an 8-letter password would then have 100,000,000 (10^8) possible combinations. Let's say a hacker would have to try around half to get it right, so 50,000,000 would need to be tried.
    E-gold shields against brute-force attacks by locking the account for 15 minutes if 5 invalid passphrases are entered, so in one day a hacker can only try 96 combinations (4/hour x 24 hours).
    Now he has a total of 50,000,000 to get through before hitting the right one. In other words it would take 520,833 days (50,000,000 / 96) or 1,427 years to complete!
    Try to do the math yourself if you don't believe me... The 15-minute lock is actually a very efficient way to block hackers. And remember: for ease we only calculated with 10 usable characters; the actual time to brute-force an 8-character passphrase is around 61,425,115,582 years!
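    The arithmetic above and the 15-minute lock it relies on, as an added Python example that is not code from the original page or from OZ-coding's software. brute_force_years reproduces the page's figures (10 characters, 8 letters, 96 guesses a day gives about 1,427 years) and generalises them to any alphabet size, length and guess rate; LoginGuard is an assumed, minimal server-side lockout implementing the policy the page states, with an injected clock so the behaviour can be simulated without waiting. The simulation at the end counts how many guesses the policy actually lets through in a day: the page's 96 corresponds to one guess per lock window, while an attacker who uses all five guesses in every window gets 480, which shortens the estimate fivefold but leaves the conclusion intact.

```python
"""Added worked example (not code from the original page or from OZ-coding):
the brute-force arithmetic the text walks through, generalised, plus a
small server-side lockout of the kind the text describes (5 invalid
passphrases -> 15-minute lock).  LoginGuard, its in-memory tables and the
injected clock are assumptions made for the illustration, not e-gold's
implementation."""
import time

DAYS_PER_YEAR = 365          # the page's own rounding
LOCK_AFTER_FAILURES = 5      # policy stated on the page
LOCK_SECONDS = 15 * 60       # 15-minute lock


def expected_guesses(alphabet_size: int, length: int) -> int:
    """Half the keyspace: the page's 'try around half to get it right'."""
    return alphabet_size ** length // 2


def brute_force_years(alphabet_size: int, length: int, guesses_per_day: int) -> float:
    """Years needed to get through the expected guesses at a fixed daily rate."""
    days = expected_guesses(alphabet_size, length) / guesses_per_day
    return days / DAYS_PER_YEAR


class LoginGuard:
    """Refuses attempts for LOCK_SECONDS once an account has seen
    LOCK_AFTER_FAILURES consecutive bad passphrases.  attempt() returns
    'locked' (refused, passphrase not evaluated), 'ok', 'fail', or
    'fail-lockout' (evaluated, wrong, and the lock is now engaged)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = {}      # account -> consecutive bad attempts
        self._locked_until = {}  # account -> clock value at which the lock expires

    def attempt(self, account: str, passphrase_ok: bool) -> str:
        now = self._clock()
        if now < self._locked_until.get(account, 0):
            return "locked"               # refused before the passphrase is checked
        if passphrase_ok:
            self._failures.pop(account, None)
            return "ok"
        failures = self._failures.get(account, 0) + 1
        if failures >= LOCK_AFTER_FAILURES:
            self._locked_until[account] = now + LOCK_SECONDS
            self._failures.pop(account, None)   # counter restarts after the lock
            return "fail-lockout"
        self._failures[account] = failures
        return "fail"


def guesses_evaluated_per_day(step_seconds: int = 1) -> int:
    """Simulate one day of continuous wrong guesses (one every step_seconds)
    against LoginGuard and count how many the server actually evaluated.
    This is the real throughput the lockout policy permits."""
    clock = [0]
    guard = LoginGuard(clock=lambda: clock[0])
    evaluated = 0
    while clock[0] < 24 * 60 * 60:
        if guard.attempt("victim", False) != "locked":
            evaluated += 1
        clock[0] += step_seconds
    return evaluated


if __name__ == "__main__":
    print("page's figure:", round(brute_force_years(10, 8, 96)), "years")
    print("guesses a day if every window is used:", guesses_evaluated_per_day())
    print("with that rate:", round(brute_force_years(10, 8, 480)), "years")
```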

    A dictionary attack (trying the most common passwords) is of course much more realistic to complete, but it would still take years, and the result... probably nothing, because for this to work your passphrase needs to be in the "dictionary".
    Of course there is a third option, and that is to find some sort of bug in the e-gold system. It is possible, there may be mistakes, but I think this is very, very unlikely.
    So, in conclusion: e-gold accounts are not hacked.

    Every time someone says they've been hacked, they've actually just been careless with their passphrase.
    A lot of people take extreme measures to avoid having their account hacked. I don't believe this is necessary. The problem is that they often forget the simplest things. As with most things: the chain is never stronger than the weakest link!
    - Making up a new random 20-character passphrase every day isn't going to help you if you print it out and leave it in front of your computer with people passing by all the time!
    I've used e-gold for well over 3 years now, and I've never done much about security.

    The most common way to lose a passphrase is someone pretending to be e-gold sending an e-mail to the victim; as soon as the victim sees the e-gold logo they blindly follow the instructions in the mail, sending their passphrase directly to the scammer.

    A less common way is fake payment sites, fake login sites and so on. This is a type of scam that has been going on ever since the first internet credit-card transaction took place: pretend to sell a product, and instead of charging the user's card you log the number and go shopping for yourself.
    This type of scam isn't very common anymore, as people have become more aware of security, and a bit smarter too. I've seen 10-15 sites trying to pull this trick with e-gold, one of which was rather clever: it actually managed to exploit a bug in Internet Explorer to show http://www.e-gold.com/ in the address field.

    The final way to lose your passphrase is trojans, keyloggers and viruses. This can happen to anyone, provided they use their computer for surfing, e-mail or downloading. The only way to prevent this is by having a separate computer used only for e-gold. You can hinder keyloggers by using the SRK feature, or by copy-and-pasting your passphrase, but regardless of what you do it will always be technically possible for a trojan on your computer to log it one way or another.

    With the new security features added it's very unlikely that you'll become a victim, even if you are a bit sloppy with security. You'll have to be unlucky enough to lose your e-mail account to the same hacker as the one you lose your passphrase to. There is of course one exception to this: if the hacker is on the same network as you, he'll have a similar IP, and so will be able to skip the Account Sentinel PIN verification. This also requires him to have the same browser version as you.
    Almost all e-gold theft will be eliminated for a while, until someone writes a worm that steals both your e-mail account and your passphrase.

    Security measures to consider:

    Basic security:
    These are measures you should always take.
    1. Never enter your passphrase anywhere except your browser and automation programs that you trust (e.g. EHC or autopay software).
    2. Always check that the address bar is exactly "https://www.e-gold.com/acct/login.asp" before entering your passphrase.
    3. Keep your software updated to make sure you have the latest security bugs fixed.
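    Item 2 of the basic list, as a programmatic check. This is an added Python example, not code from the page or from EHC: the expected scheme, host and path are taken from the page, everything is compared exactly, and the constructed sample URLs cover the cases an eyeball check of the address bar tends to miss (a lookalike subdomain, user-info in front of an @, a plain-http scheme, a Unicode lookalike letter, the bare domain without www).

```python
"""Added example (not from the original page or from EHC): an exact check of
the login URL that basic security item 2 tells the user to look for.
Expected values come from the page; the sample URLs are constructed."""
from urllib.parse import urlsplit

EXPECTED_SCHEME = "https"
EXPECTED_HOST = "www.e-gold.com"
EXPECTED_PATH = "/acct/login.asp"


def is_genuine_login_url(url: str) -> bool:
    """True only if scheme, host and path match exactly.  Port 443 (the
    https default) is accepted; a query string is ignored; anything the
    parser rejects counts as not genuine."""
    try:
        parts = urlsplit(url)
        host = parts.hostname   # lowercased, with userinfo and port stripped
        port = parts.port       # raises ValueError for a junk port
    except ValueError:
        return False
    if parts.scheme.lower() != EXPECTED_SCHEME:
        return False
    if host is None or host != EXPECTED_HOST:
        return False
    if port not in (None, 443):
        return False
    return parts.path == EXPECTED_PATH


# Constructed sample inputs with the expected verdict and the reason.
SAMPLES = {
    "https://www.e-gold.com/acct/login.asp": True,                 # exact match
    "https://WWW.E-GOLD.COM/acct/login.asp": True,                 # host is case-insensitive
    "https://www.e-gold.com:443/acct/login.asp?from=menu": True,   # default port, query ignored
    "http://www.e-gold.com/acct/login.asp": False,                 # not https
    "https://www.e-gold.com.example.net/acct/login.asp": False,    # lookalike subdomain
    "https://www.e-gold.com@example.net/acct/login.asp": False,    # real host is after the @
    "https://www.e-g\u043eld.com/acct/login.asp": False,           # Cyrillic 'o' lookalike
    "https://e-gold.com/acct/login.asp": False,                    # bare domain, not the page's host
    "https://www.e-gold.com:8443/acct/login.asp": False,           # unexpected port
}


def check_samples() -> dict:
    """Run every constructed sample through the check; returns url -> verdict."""
    return {url: is_genuine_login_url(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print("GENUINE " if verdict else "REJECT  ", url)
```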


    Medium security:
    1. Use a random passphrase generator to make you a passphrase.
    2. Copy and paste your passphrase instead of typing it; this way you prevent keyloggers from recording it. On the other hand you need to save it somewhere to copy from, so you expose it to worms that can steal files.
    3. Use anti-virus software (do not use Norton; e-mail me if you wonder why) and firewall software (e.g. ZoneAlarm), and keep them updated.


    High security:
    1. Split your funds into several separate accounts; this way, even if an account is emptied out, your loss will be rather limited. On the other hand the risk of "getting hit" is larger.
    2. Always use the SRK feature. This will prevent most keyloggers and worms from getting your passphrase. Technically it's still possible to fetch the passphrase, but highly unlikely.


What are you waiting for?
Go ahead and download, it's free!




  Latest comments:

    Posted by 11/19/2006 4:44:35 PM

    At present I am using AVG antivirus (latest version). I wish to know whether this AV program will be sufficient. Otherwise, recommend me the best antivirus software.

    Thanks

    Posted by 1/14/2005 5:51:57 PM

    Hi Mikkel,

    Thanks for your honest and insightful info. Though I will continue to use Norton Anti-Virus at least for the time being, I'll probably try to scan my machine with McAfee and see how it goes. Maybe I'll end up changing it in the very near future.

    Glad that you and everyone you know made it through the tsunami OK.

    Regards,
    Chien


    Posted by 1/14/2005 11:48:18 AM

    Reply also sent to e-mail:

    Hello Chien,

    I do not recommend Norton because I trusted it blindly, thinking it was the
    best antivirus out there, which I think its reputation says. I kept it
    updated, and my e-gold account was emptied anyway... Due to a trojan (some
    sort of simple keylogger I think) that Norton did not detect, but even free
    scanners did.

    I ran several other antivirus programs after this happened, and most of them
    found 4 or 5 other viruses / trojans that Norton never even noticed...
    Furthermore my experience with Norton is that it's able to detect a lot of
    viruses that it isn't able to clean. I haven't yet had that happen with
    McAfee (my current scanner), or any others for that sake...

    Hope this answers your question.
    Mikkel Christensen

    Ps.: Everyone I know is miraculously OK, although a lot were near the areas
    where the tsunami hit. Some even saw it first hand...

    Posted by 1/14/2005 8:50:28 AM

    Hi Mikkel,
    I have read your site. It is very interesting, and thanks for the security tips. I've just learned a bit more on security issues.

    Guess what? I am using the Norton Anti-Virus, but in the Medium security tip, you said do not use it. Yes I wondered why. I just spent money to buy the software.

    Hopefully everything's alright for you and your loved ones after the awful natural disaster that took place in Asia.

    Best Regards,
    Chien

    Posted by 11/16/2004 10:42:34 PM

    Thanks for the tip ;)


