Saturday, April 08, 2006

Security of the e-gold System

As with any online payment system, e-gold is vulnerable to various threats, notably phishing (for example, forged emails asking for login details) and spyware (such as keystroke logging).

In the early years of e-gold, this problem was widely reported to be rampant. Several factors probably combined to cause it: the novelty of the system, the irreversibility of payments, the hardness of gold as money, and the fact that many early users were "gold bugs" rather than technically-oriented computer users.

Fortunately, around early 2004 this problem seemed to be largely eliminated at a stroke when e-gold added a simple IP-checking process for spends. (This has often been cited as a good example of how an extremely simple solution to a security problem can have a big result.)

Some competing DGCs offer similar features to combat typical, simple, "mass" phishing attacks. e-Bullion utilizes a "two-factor", token-based authentication solution from CRYPTOCard, an alternative to RSA's "SecurID". Pecunix has an extremely secure, somewhat complicated, log-in procedure. 1mdc has a simple PIN-pad addition. GoldMoney allows user certificates to be used. Most systems include an optional "email confirmation" type of process. All of these approaches thwart simple keystroke loggers, because a captured password alone is no longer enough to authorise a spend.
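To make the two controls described above concrete (the IP check on spends from the 2004 paragraph, and a token-based one-time code of the kind the DGC comparison mentions), here is a small constructed ledger simulation. It is an added example written for this post, not code from e-gold or any of the DGCs named; the account numbers, the `pay_to` field, the PBKDF2 password storage and the use of an RFC 4226 HOTP counter for the token are all assumptions of the example, chosen to show why a keylogged password plus a replayed code, or a spend submitted from a different address, is refused.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed simulation of two defences named in the post: a login session
# bound to the client IP (so a spend from elsewhere is refused) and an HOTP
# token (so a keylogged one-time code cannot be replayed). Account numbers,
# balances in grams and the pay_to field are assumptions of this example.


class SpendRefused(Exception):
    """Raised when a login or spend fails a check."""


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Ledger:
    def __init__(self):
        self.balances = {}       # account -> grams of gold (constructed values)
        self.passwords = {}      # account -> (salt, PBKDF2 hash)
        self.token_secrets = {}  # account -> HOTP seed, only for token holders
        self.token_counter = {}  # account -> next expected HOTP counter
        self.sessions = {}       # session id -> (account, IP seen at login)

    def create_account(self, acct, password, grams, token_secret=None):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.passwords[acct] = (salt, digest)
        self.balances[acct] = grams
        if token_secret is not None:
            self.token_secrets[acct] = token_secret
            self.token_counter[acct] = 0

    def login(self, acct, password, client_ip, otp=None):
        salt, stored = self.passwords[acct]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, stored):
            raise SpendRefused("bad password")
        if acct in self.token_secrets:
            # Token holders must present the next HOTP value. A code captured by a
            # keystroke logger fails on reuse because the counter has moved on.
            expected = hotp(self.token_secrets[acct], self.token_counter[acct])
            if otp is None or not hmac.compare_digest(otp, expected):
                raise SpendRefused("bad or replayed one-time code")
            self.token_counter[acct] += 1
        sid = secrets.token_hex(16)
        self.sessions[sid] = (acct, client_ip)  # bind the session to the login IP
        return sid

    def spend(self, sid, client_ip, pay_to, grams):
        acct, login_ip = self.sessions[sid]
        # The simple IP check the post credits with cutting phishing losses:
        # a spend arriving from an address other than the login address is refused.
        if client_ip != login_ip:
            raise SpendRefused(f"spend from {client_ip} but session bound to {login_ip}")
        if grams <= 0 or self.balances[acct] < grams:
            raise SpendRefused("insufficient balance")
        self.balances[acct] -= grams
        self.balances[pay_to] = self.balances.get(pay_to, 0) + grams
        return self.balances[acct]


def demo():
    """Run the three scenarios and return their outcomes for inspection."""
    ledger = Ledger()
    seed = b"constructed-token-seed"
    ledger.create_account("100001", "hunter2", 10.0, token_secret=seed)
    ledger.create_account("200002", "merchant-pass", 0.0)
    results = {}
    # 1. The owner logs in from home with the token's current code and spends 2.5 g.
    sid = ledger.login("100001", "hunter2", "203.0.113.5", otp=hotp(seed, 0))
    results["owner_spend"] = ledger.spend(sid, "203.0.113.5", "200002", 2.5)
    # 2. A replay of the keylogged password and code from another address fails.
    try:
        ledger.login("100001", "hunter2", "198.51.100.9", otp=hotp(seed, 0))
        results["replay"] = "accepted"
    except SpendRefused as exc:
        results["replay"] = str(exc)
    # 3. Even with a valid session id, a spend from a different IP is refused.
    try:
        ledger.spend(sid, "198.51.100.9", "200002", 1.0)
        results["foreign_ip_spend"] = "accepted"
    except SpendRefused as exc:
        results["foreign_ip_spend"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The IP check is deliberately crude: it refuses a legitimate user who changes address mid-session, and it does nothing against malware running on the victim's own machine (the Win32.Grams case discussed below, where the spend originates from the correct IP). That is why the token or email-confirmation step is a useful second layer rather than a replacement.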

In 2005, the Los Angeles Times reported on a specially created trojan horse that compromised "dozens" to "the low hundreds" of e-gold accounts. Whereas trojans usually just silently record the login details of the unsuspecting user, the trojan in question (Win32.Grams) emptied the accounts itself, transferring their contents to the attacker's accounts from the victim's own machine, which is exactly the case an IP check on spends cannot catch.

