TorGuard

Security issues signing up

Guest

I'm a relatively new subscriber, and during the signup process I noticed a couple of issues that I think should be improved upon to tighten the security of the signup process:

1 - Why does TorGuard need to send you all your login details, unencrypted, via email? This seems like a bad practice in general since it allows anyone eavesdropping on the transmission or who might have access to my email to use my VPN credentials. My bank or even amazon.com wouldn't send me my login details, so I would think my VPN shouldn't either.

2 - Why doesn't the signup process allow you to use non-alphanumeric characters for passwords? Using such non-alphanumeric characters strengthens passwords against cracking and also against dictionary attacks.

3 - I noticed that during the billing process it states that I cannot use a proxy or VPN to sign up. Why not? Especially when users aren't using credit cards, I don't know why I shouldn't be able to sign up using any IP that I wish.

I was initially attracted to TorGuard VPN because they were described as having good security practices in an Ars Technica article ("How one site beat back botnets, spammers, and the '4chan party van'"); however, I am beginning to wonder about this, since it seems some of the security used to safeguard the users is less than ideal and perhaps even amateur (e.g. sending login details unencrypted).

Support

Hello

1) This is already being changed, but we didn't want to do it over our busiest period.

2) Are you referring to VPN user/pass or billing user/pass?

3) And how do we establish if the order is legit or not? Unfortunately we have to verify orders to some degree, or else we just let ourselves in for constant abuse by carders who card services just to spam and DoS, which in turn can affect the services/performance of our customers.

Our overall security is very good; this is the last little thing we have been working towards. These passwords are not stored in human-readable form; they are all hashed and salted.

EDIT: Number 1 has already been addressed.

Regards

Allan

While we are at the signup process, my concern was that it is only possible to sign up after giving my full name and the address. This is quite, well, unusual, considering that the service one signs up for promotes net anonymity.

Why is there a need to know the identity of your customers? Wouldn't it be possible to provide the service to - well, whoever pays for it?

Because ultimately, this VPN game requires a heck of a lot of trust in the VPN provider. The provider promises to not keep logs, promises to not provide any information to third parties, but that is all based on trust.

If at least the provider does not know the name and address of the customer, one layer of "need for trust" would be removed.

TorGuard Admin
> While we are at the signup process, my concern was that it is only possible to sign up after giving my full name and the address. This is quite, well, unusual, considering that the service one signs up for promotes net anonymity.

As you can imagine, credit card fraud is rampant these days. (Especially in the VPN business.) Our billing system performs an address / billing phone check for all credit card orders. This is strictly for fraud prevention purposes to ensure that the purchaser is in fact the true card holder. We do not share this info with anyone, and our billing system and VPN auth system are kept completely separate. Anti-fraud measures are in place to ensure we provide the highest quality anonymity services to our clients and to prevent abuse from carders/scammers.

If you don't wish to supply your billing address, just use a generic one and pay with PayPal or Bitcoins.
