[e-gold-list] Re: Pecunix security
Sidd, there is no need to increase the length of the passwords. I understand that passwords are good for those people who print their PIKs and may lose them; it's a simple security backup system. For such a case, passwords need to be short to be easily remembered. Also, people who log in from a public computer only need to remember their limited access password. So, the current password doesn't need to change.

However, this still leaves an account open for automated password cracking. Therefore, the system has to lock (for 24 hours) an account for which there are too many consecutive failed log-ins (for example, 10). This means that each PIK must be unique, so that the system can at any time determine to what account each PIK belongs.

The only thing that still bugs me is an easier way to input the elements of the PIK in the log-in form.

George Hara

---
Xnet automatically scans all messages for viruses using RAV AntiVirus.
Disclaimer: RAV AntiVirus may not be able to detect all new viruses and variants. Please be aware that there is a risk involved whenever opening e-mail attachments to your computer and that MobiFon is not responsible for any damages caused by viruses.

---
You are currently subscribed to e-gold-list as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
Use e-gold's Secure Randomized Keyboard (SRK) when accessing your e-gold account(s) via the web and shopping cart interfaces to help thwart keystroke loggers and common viruses.
[e-gold-list] Re: Pecunix security
On Wednesday, November 26, 2003, at 04:50 AM, FileMatrix wrote:

> However, this still leaves an account open for automated password cracking. Therefore, the system has to lock (for 24 hours) an account for which there are too many consecutive failed log-ins (for example, 10). This means that each PIK must be unique, so that the system can at any time determine to what account each PIK belongs.

No George, as I said in an earlier email, there is no way for Pecunix to lock out an account for repeated invalid login attempts. Pecunix cannot identify an account just from the small portion of the PIK entered on a login attempt. Only the secret account id identifies the account, so if a hacker is trying those at random there is obviously no way for Pecunix to know which account to lock out.

Besides, as Ian Green points out, locking out an account for repeated invalid login attempts can have some very bad unintended consequences:

> I agree with you George, but I would be concerned that such a lock out system not be used as a denial of service method for attackers. For example, a competitor could make a login attempt every nine, ten or eleven seconds to the FileMatrix e-gold account and then take advantage of the disgruntled FileMatrix customers who got bad service.

--
Patrick
[e-gold-list] Re: Pecunix security
Right, Patrick. For a moment I forgot that only a few elements from the PIK are used in a log-in. A separate, unique, private log-in ID is required.

> Besides, as Ian Green points out, locking out an account for repeated invalid login attempts can have some very bad unintended consequences:

I haven't received Ian's email and I don't see it in the list. I said the same thing as Ian, earlier. But if the log-in ID is private, nobody can disrupt a business since he doesn't know the private ID of that business.

George Hara
[e-gold-list] Re: Pecunix security
On Wednesday, November 26, 2003, at 11:46 AM, FileMatrix wrote:

> Right, Patrick. For a moment I forgot that only a few elements from the PIK are used in a log-in.

...

Gotcha.

...

> A separate, unique, private log-in ID is required.
>
> > Besides, as Ian Green points out, locking out an account for repeated invalid login attempts can have some very bad unintended consequences:
>
> I haven't received Ian's email and I don't see it in the list.

It was "Cracking the Turing number" from 15-September. Ancient history I know -- I just love doing open-ended email searches such as "lock" and "Pecunix". :-)

> I said the same thing as Ian, earlier. But if the log-in ID is private, nobody can disrupt a business since he doesn't know the private ID of that business.

Precisely.

--
Patrick
[e-gold-list] Re: Pecunix security
> However, this still leaves an account open for automated password cracking. Therefore, the system has to lock (for 24 hours) an account for which there are too many consecutive failed log-ins (for example, 10). This means that each PIK must be unique, so that the system can at any time determine to what account each PIK belongs.

George,

The accounts can only be identified by the 'password', since I have to enter only 4 characters from the PIK, and there must be other accounts with the same characters in the same places here and there. We have to assume that their system checks to make it impossible that two accounts can have the same 'password', because otherwise that would be a serious security problem. In fact it would be more correct to say that the password is actually the login ID, and the PIK codes are the passwords, but does it really make a difference?

The easiest way to make online currencies much safer is by requiring email confirmation of spends. That can be as simple as just hitting 'Reply' to the notification email they send. A code in the reply email address will tell the server that the transaction is approved. With such a system in place the thief not only needs to have your passwords, he needs to control your email as well.

Danny
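Danny's "hit Reply to approve" idea, written out as an added example; this is not code from the thread, from Pecunix or from e-gold. The approval code is carried in the reply address, so the server learns that whoever answered the notification could read the mailbox. The domain `confirm.example.invalid`, the 30-minute lifetime and the HMAC construction of the code are assumptions; the security property the code has to deliver is that the address is unguessable, bound to one specific spend, single-use and expiring, because otherwise the second factor collapses back to "know the spend ID".

```python
import base64
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

CONFIRM_DOMAIN = "confirm.example.invalid"   # assumed; the thread names no real address
TOKEN_TTL = 30 * 60                           # assumed: an unanswered confirmation expires


@dataclass
class Spend:
    spend_id: str
    account: str
    payee: str
    amount: str
    issued_at: int
    approved: bool = False


class SpendConfirmer:
    """Server side of 'Reply to approve': mint one reply address per pending spend and
    approve the spend when a message arrives at that address."""

    def __init__(self, key: bytes) -> None:
        self.key = key                           # server secret; without it the code is unforgeable
        self.pending: dict[str, Spend] = {}

    def _tag(self, spend: Spend) -> str:
        # Bind the code to every field of this spend, so a code issued for one spend can
        # never approve a different one, and to the issue time, so a stale one is distinct.
        msg = "|".join([spend.spend_id, spend.account, spend.payee,
                        spend.amount, str(spend.issued_at)]).encode()
        raw = hmac.new(self.key, msg, hashlib.sha256).digest()[:20]   # 160-bit tag
        return base64.b32encode(raw).decode().lower()                 # 32 chars, mailbox-safe, case-folded

    def request(self, account: str, payee: str, amount: str, now: int) -> str:
        """Record the spend as pending and return the Reply-To address for the notification."""
        spend = Spend(secrets.token_hex(8), account, payee, amount, now)
        self.pending[spend.spend_id] = spend
        return f"confirm+{spend.spend_id}.{self._tag(spend)}@{CONFIRM_DOMAIN}"

    def approve(self, rcpt_to: str, now: int) -> bool:
        """Called with the envelope recipient of an incoming reply. The From header is not
        consulted at all: it is trivially forged, whereas the code had to be read from the
        mailbox."""
        pattern = r"confirm\+([0-9a-f]{16})\.([a-z2-7]{32})@" + re.escape(CONFIRM_DOMAIN)
        m = re.fullmatch(pattern, rcpt_to.lower())
        if not m:
            return False
        spend = self.pending.get(m.group(1))
        if spend is None or spend.approved:
            return False                                  # unknown, or already used once
        if now - spend.issued_at > TOKEN_TTL:
            return False                                  # expired
        if not hmac.compare_digest(self._tag(spend), m.group(2)):
            return False                                  # forged or mangled code
        spend.approved = True
        return True


if __name__ == "__main__":
    confirmer = SpendConfirmer(secrets.token_bytes(32))
    reply_to = confirmer.request("acct-1", "payee-9", "12.50", now=1000)
    print("Reply-To:", reply_to)
    print("approved on reply:", confirmer.approve(reply_to, now=1100))
    print("replayed reply accepted:", confirmer.approve(reply_to, now=1101))
```

Lower-casing the recipient before matching matters in practice: mail systems routinely fold the case of local parts, which is why the code is Base32 rather than Base64. Expired entries should be purged from `pending` on a timer; that housekeeping is omitted here.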
[e-gold-list] Re: Pecunix security
Danny,

> The accounts can only be identified by the 'password', since I have to enter only 4 characters from the PIK, and there must be other accounts with the same characters in the same places here and there. We have to assume that their system checks to make it impossible that two accounts can have the same 'password', because otherwise that would be a serious security problem.

I have to assume the system combines both PIK and password for identification purposes. The password is too short to provide, by itself, proper identification. There are about 10^8 combinations in the password, but there are another (26 + 26 + 10)^4 combinations (over 10^7) in the PIK.

A unique, private log-in ID would solve a number of issues. The user would log in with:
- a private ID (up to 20 characters),
- a private password (one for each access level, up to 20 characters),
- a private PIK (one for each access level).

The system checks to see if there are more than 10 consecutive failed log-ins. No Turing number is required, but the users can associate the PIK with the Turing, and thus see the log-in method as being pretty familiar.

Sidd, I wonder if it is possible for a user to make his account balance public, but not to everybody?! I mean, the user should be able to send a temporary password to anyone who needs to see the balance, but people without that password would not see the balance. ... Something like a letter from a bank certifying that a client has a specific balance.

George Hara
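George's private-login-ID proposal in this message, together with Patrick's earlier objection that a lockout needs something to key on and can be turned into a denial of service, as an added example in Python. This is not code from the thread or from Pecunix: the server holds one private, unique login ID per account, asks for 4 randomly chosen PIK positions per attempt, and counts consecutive failures against that private ID only, so an outsider who does not know the ID cannot run the counter up against a victim. The 30-character PIK, the 20-character ID, the 10-failure threshold, the 24-hour lock and the 62-symbol alphabet are the numbers discussed on the list, taken here as assumptions rather than as Pecunix's real parameters. The `keyspace` helper reproduces the 10^8 versus (26+26+10)^4 comparison above.

```python
import hmac
import secrets
import string
from dataclasses import dataclass

# Assumptions taken from the thread, not Pecunix's real parameters.
ALPHABET = string.ascii_letters + string.digits   # 26 + 26 + 10 symbols
PIK_LEN = 30            # George's proposed longer PIK
CHALLENGE_K = 4         # positions asked per login (Danny: "only 4 characters")
MAX_FAILURES = 10       # George: lock after 10 consecutive failures
LOCK_SECONDS = 24 * 3600


def keyspace(alphabet_size: int, positions: int) -> int:
    """Guesses needed to exhaust one fixed challenge: (26+26+10)^4 for 4 PIK
    positions, 10^8 for an 8-digit password."""
    return alphabet_size ** positions


@dataclass
class Account:
    login_id: str          # private and unique: the only handle a failure counter can key on
    pik: str
    failures: int = 0
    locked_until: float = 0.0


class LoginServer:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # challenge id -> (login id, positions asked); consumed on first response
        self.pending: dict[str, tuple[str, tuple[int, ...]]] = {}

    def register(self) -> tuple[str, str]:
        login_id = secrets.token_urlsafe(15)          # 20 URL-safe characters, never shown to third parties
        pik = "".join(secrets.choice(ALPHABET) for _ in range(PIK_LEN))
        self.accounts[login_id] = Account(login_id, pik)
        return login_id, pik

    def challenge(self, login_id: str) -> tuple[str, tuple[int, ...]]:
        """Step 1: choose CHALLENGE_K distinct positions at random. A challenge is issued
        even for an unknown login ID, so the reply does not reveal which IDs exist."""
        positions = tuple(sorted(secrets.SystemRandom().sample(range(PIK_LEN), CHALLENGE_K)))
        cid = secrets.token_hex(16)
        self.pending[cid] = (login_id, positions)
        return cid, positions

    def respond(self, cid: str, answer: str, now: float) -> bool:
        """Step 2: verify the characters. Each challenge is single use, so a guesser never
        gets a second try at the same positions, and failures are counted per private
        login ID, which is exactly what Pecunix cannot do when the only identifier is
        the PIK fragment itself."""
        entry = self.pending.pop(cid, None)
        if entry is None:
            return False                       # unknown or already-used challenge
        login_id, positions = entry
        acct = self.accounts.get(login_id)
        if acct is None:
            return False                       # unknown ID: nothing to lock, nothing to leak
        if now < acct.locked_until:
            return False                       # locked: refuse even a correct answer
        expected = "".join(acct.pik[p] for p in positions)
        if hmac.compare_digest(expected.encode(), answer.encode()):
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCK_SECONDS
        return False


if __name__ == "__main__":
    server = LoginServer()
    login_id, pik = server.register()
    cid, positions = server.challenge(login_id)
    print("positions asked:", positions)
    print("login ok:", server.respond(cid, "".join(pik[p] for p in positions), now=0.0))
    print("keyspace of one PIK challenge:", keyspace(len(ALPHABET), CHALLENGE_K))
```

The lockout is only as private as the login ID: if the ID were an e-mail address or an account number printed on invoices, Ian Green's competitor scenario applies unchanged, which is why the thread lands on a separate secret identifier rather than on the password or the PIK doing double duty.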
[e-gold-list] Re: Pecunix security
> I wonder if it is possible for a user to make his account balance public, but not to everybody?!

This is currently possible - somewhat; the read-only access level. However, the password would have to be changed soon after to make it temporary.

> I mean, the user should be able to send a temporary password to anyone who needs to see the balance, but people without that password would not see the balance. ... Something like a letter from a bank certifying that a client has a specific balance.

True temporary passwords/sub-user access that allow read-only acct access, with or without access to history and/or acct information, would be a great idea for any GBC (whatever happened to FAGWANE? Queer Eye for the Straight Gold) to implement. It's lumped in there with 1 000 001 other great nifty ideas that need to be implemented.

Viking Coder
http://www.2cw.org/?VikingCoder
[e-gold-list] Re: Pecunix security
George, Viking Coder wrote:

> > I wonder if it is possible for a user to make his account balance public, but not to everybody?!
>
> This is currently possible - somewhat; the read-only access level. However, the password would have to be changed soon after to make it temporary.

A better way to do it would be to put an obscure e-mail address as the Pecunix account identifier... any free e-mail address that you control would do... Send the e-mail address to the person who must view the account. Once they have viewed the account, change the e-mail address in the account back to your normal one.

The public balance is viewed here: http://pecunix.com/money.refined...ref.balance

Regards,
Sidd.
[e-gold-list] Re: Pecunix security
Sidd wrote:

> Send the e-mail address to the person who must view the account. Once they have viewed the account, change the e-mail address in the account back to your normal one.

Er... and remember to turn public viewing off again.

Regards,
Sidd.
[e-gold-list] Re: Pecunix security
Dear Sidd,

> This will reveal your limited access PIK... use the limited access PIK to log in with limited access, and likewise use your read-only PIK for read-only access.

Ah, I see. That's nifty.

> You can also activate PGP security for your account

Yes, I've done so. It is also spiffy. Spaceman Spiff spiffy. I was wondering whether the PGP security might be a stand-alone login, but I see that your system uses the PIK/password to identify the account being logged into.

> The thing is Jim, despite what the detractors say, Pecunix does have a much higher level of security than the competing DGC's and it is NOT DIFFICULT to use!

Okay. I think that is true. In my opinion, Pecunix has a level of security which is comparable to e-Bullion's Cryptocard access, without the expense of the card.

> There is no need to have lower levels of access security.

It takes getting used to, Sidd. The PIK/password approach is different - more secure by design but also more unusual. [voice=Tom Jones] It's quite unusual... to see me PIK. [/voice]

> we need to help users to protect themselves, despite their best efforts to the contrary.

It seems necessary to provide systems which are more secure by design. A key advantage for Pecunix is that there are various other online gold services and online fiat-transfer services which are not nearly as secure.

> Yes, I think so... the alternative would be Java... either way, it is never a good idea to run any type of program from a browser... it is open to all kinds of abuse... Imagine the fun that copycat sites could have if the user was actually willing (and expecting) the site to download a program to the browser!

Interesting. I think that's part of what dBourse does when I go to log in there.

Regards,
Jim
[e-gold-list] Re: Pecunix security
Sidd,

> For those who only use one computer and who have a fixed IP address, the IP security is also available (George?)

I prefer to keep my options open. You never know what can happen. Besides, I'm on dial-up for the moment and I can't be sure if the next time the IP will be even in the same domain.

> It doesn't matter George! It is just one half of the puzzle, the Password is the SECRET part of the key... The PIK is there to defeat the trojans, the password secures your account, just as it does in e-gold and the others.

If your PIK becomes public, and you log in from a public computer (or from some computer you don't have complete control over), anyone could have a key-logger read your password. If your PIK is not public but you log in a number of times from the same (public) computer, anyone could monitor your activity and put together all elements of your PIK. So, once you log in from a public computer, the security is compromised. Guys, never do that! There is not enough security for such a case. There can't be! You must never log in from the same (public) location more than once / twice, or at least change the PIK after one or two public log-ins.

As I said before, if the PIK is known, the password is too short and can be cracked. So, you can't make your PIK public because the security is compromised. If the password could be longer (the maximum set to at least 20 characters), things would be entirely different.

> Ok, that's no problem to change...

Only in that case, the security of Pecunix will be above the others, not before that. Most people don't use IP lock or PGP log-in, they use passwords - it's easier.

> Actually, we would need to have 3 PIKs and 3 passwords...

Why use passwords anyway, Sidd? You can't expect users to remember three passwords (with those random numbers included), that is beside any other passwords they have to remember. So, they either save them on their computers, or print them.

In any case, a pair of PIKs is even better (than PIK + password) since none of them can be intercepted by key-loggers. However, there is no need for a pair, just an increase in the number of elements of a PIK (to 30, for example), and also an increase in the number of combo-boxes in the log-in form (to 8, for example).

Here is another possible improvement. The combo-boxes are text, and therefore can be intercepted, so why not replace them with pictures too. One way is for the log-in form to ask for 8 random characters from the (30 characters long) PIK, and to have a pool of characters (like a small keyboard) from where users can drag and drop characters. This method is much easier to use than to navigate through the combo-boxes. Here is a possible layout:

    Pecunix log-in

    Drag-and-drop on the following (numbered) spots, from the pool of letters,
    each letter from your PIK associated with the number displayed in the drop spots.

    Drag from this pool of letters:
    A B C D E F G H I J ...

    Drop a letter from the pool on each of the following spots:
    28 03 14 09 18 29 20 11

Another possible improvement is for the pool of characters to be randomly displayed, not in the same (alphabetical) order every time. Of course, you can have passwords too. The main idea is that I think this is easier and safer than to have combo-boxes and edit-boxes, since you want to be able to log in from public places. The good thing about this is that no logger is supposed to have any possible way to monitor in what order you drag-and-drop the letters (as long as the pool and the drop zone are randomly ordered), because the letter-number associations are not cached on disk. But you're still not safe if some dude can hook the image drops (which image was dropped on what spot) and you still log in many times from the same public computer.

> It's too complicated and too limiting George... imagine, if people judge the current Pecunix system as complicated, how much more so is bedazzled?

Well, I said it's probably interesting only for those who need extreme security (and never log in from any other place than the personal computer).

George Hara
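George's warning above, that a logger on a shared machine reassembles the PIK login by login even when each login only exposes a few positions, as an added example that is not from the thread or from Pecunix. It simulates a logger that records the (position, character) pairs of every observed login and counts how many logins it needs before it holds the whole PIK, and computes the exact expectation for comparison (the coupon-collector problem with k distinct coupons per draw). The 30-character PIK and 8 positions per login are George's proposed numbers; any other pair can be passed in. Drop-zone randomisation does not change the count, since a hook on the drops still sees which character landed on which numbered spot.

```python
import math
import random
from fractions import Fraction
from typing import Optional

PIK_LEN = 30        # George's proposed PIK length (assumption, not Pecunix's real value)
CHALLENGE_K = 8     # positions asked per login in George's proposal


def logins_until_recovered(pik_len: int, k: int, rng: Optional[random.Random] = None) -> int:
    """Simulate a logger on a shared machine that records the (position, character)
    pairs of each login. Return the number of logins observed before every PIK
    position has been captured at least once."""
    rng = rng or random.Random()
    captured: set[int] = set()
    logins = 0
    while len(captured) < pik_len:
        captured.update(rng.sample(range(pik_len), k))   # server asks k distinct positions
        logins += 1
    return logins


def expected_logins(pik_len: int, k: int) -> Fraction:
    """Exact expectation of the simulation above, by inclusion-exclusion over the set
    of positions still unseen:
        E[T] = sum_{j=1..n} (-1)^(j+1) C(n,j) / (1 - C(n-j,k)/C(n,k))
    where C(n-j,k)/C(n,k) is the chance one login misses j given positions."""
    total = Fraction(0)
    per_login = math.comb(pik_len, k)
    for j in range(1, pik_len + 1):
        miss_all_j = Fraction(math.comb(pik_len - j, k), per_login)   # 0 once pik_len - j < k
        total += (-1) ** (j + 1) * math.comb(pik_len, j) / (1 - miss_all_j)
    return total


def mean_simulated(pik_len: int, k: int, runs: int, seed: int) -> float:
    """Average of many simulated recoveries with a fixed seed, for checking the formula."""
    rng = random.Random(seed)
    return sum(logins_until_recovered(pik_len, k, rng) for _ in range(runs)) / runs


if __name__ == "__main__":
    exact = expected_logins(PIK_LEN, CHALLENGE_K)
    print(f"PIK of {PIK_LEN}, {CHALLENGE_K} positions per login:")
    print(f"  expected logins until full recovery: {float(exact):.2f}")
    print(f"  simulated mean over 2000 logins:     {mean_simulated(PIK_LEN, CHALLENGE_K, 2000, 1):.2f}")
    print(f"  with 4 positions per login instead:  {float(expected_logins(PIK_LEN, 4)):.2f}")
```

The lower bound is ceil(n/k) logins; the expectation is several times that because later logins keep asking for positions the logger already has. That gap is the only thing a longer PIK buys against a persistent logger, and it is measured in logins, not in months, which is George's point about never logging in twice from the same public machine.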
[e-gold-list] Re: Pecunix security
> Only in that case, the security of Pecunix will be above the others, not before that. Most people don't use IP lock or PGP log-in, they use passwords - it's easier.

I was, of course, referring to the security of the log-in process. The rest is better, considering the PGP integration.

George Hara
[e-gold-list] Re: Pecunix security
On Sunday, November 23, 2003, at 07:34 PM, Jim Davidson wrote:

> I believe Patrick made the point
>
> > But the way Pecunix displays the PIKs makes it difficult if not impossible to copy and paste them.
>
> ... Since we know that keystroke loggers and clipboard loggers are out there, it seems uncommonly foolish to move back to a typing or pasting approach. ...

Jim, we're not talking about typing or pasting the PIKs at the point of login. George just wants a way to copy and paste new PIKs issued to him during the account creation process, because he likes to keep his PIKs and passwords in an encrypted file.

--
Patrick
[e-gold-list] Re: Pecunix security
Dear Jim,

Jim Davidson wrote:

> One of the things I'm not clear about is how one goes about logging into a Pecunix account with less than full access.

Log in to your Pecunix account with full access and click Account Details -> Access Levels. Look for Limited Access and "Click here to view or update your PIK for this access level". This will reveal your limited access PIK... use the limited access PIK to log in with limited access, and likewise use your read-only PIK for read-only access.

You can also activate PGP security for your account by clicking Account Details -> PGP Security.

For those who only use one computer and who have a fixed IP address, the IP security is also available (George?)

> Sidd, it seems to me that you should keep the high level of security for full access. Perhaps lower-level access could be obtained using PGP only?

The thing is Jim, despite what the detractors say, Pecunix does have a much higher level of security than the competing DGC's and it is NOT DIFFICULT to use! There is no need to have lower levels of access security.

> Or maybe those who want to risk the keystroke loggers and clipboard loggers can set their accounts to a more open approach. I don't know.

I think this is unnecessary, the Pecunix system works well, and is really not difficult.

> There is enough evidence to suggest that we need to help users to protect themselves, despite their best efforts to the contrary.

If it were possible it would require running a program (such as ActiveX) from the browser... a definitely BAD idea.

> Isn't ActiveX one of those dramatically bad ideas of the Microsofties? I thought it was pretty much limited to Internet Exploder?

Yes, I think so... the alternative would be Java... either way, it is never a good idea to run any type of program from a browser... it is open to all kinds of abuse... Imagine the fun that copycat sites could have if the user was actually willing (and expecting) the site to download a program to the browser!

Regards,
Sidd.