Reading this document will give you an insight into the wide range of security measures we have taken to protect your accounts from unauthorized access and abuse.
The Login Box
The first thing I will explain here is the "Enhanced Security" Keypad. Using the keypad helps prevent your password from being stolen by malicious software such as viruses, trojans and key loggers. The second thing I need to mention is that your login password is always hashed using SHA (Secure Hashing Algorithm) before it is sent over your internet connection, which means your internet service provider NEVER gets to see the original password you entered, only encoded values. This prevents people from viewing your password while it is being sent over the internet and also prevents us from seeing your original password!
Password Storage
When we store your passwords (and your secret answers) we do NOT store them in their original form. This means if your password was "hello", it would not be stored in our database as "hello"; instead it would look something like "44324bda857234fa18fb341df5dcc1dd0ca918f" (which is also what it would look like when being sent to us over the internet). This is because they are securely hashed using SHA (Secure Hashing Algorithm) encoding, then salted multiple times, and finally locked to your account. This means any two passwords that are the same are never stored as the same value in our database, because they are locked to your account. Hashes are also a form of one-way encryption, meaning you cannot get the original value back from the hash itself. For this reason, if you forget your account password you can only reset it; we cannot send you your original password simply because we do not know it. If you're wondering how we know when a password is correct, we do so by applying our algorithm to the password you send us, and if the hashed value matches the value in our database then you have entered the correct password. If you want to find out more about how hashing works, a simple search on Google will give you many results. Try searching for different types of hashes like the MD5 hash, and the much stronger SHA hash.
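The storage and verification scheme described above, as an added example that is not this site's own code: a random salt per account plus the account identifier feed an iterated SHA-based hash, so identical passwords never share a stored value, and login is checked by recomputing and comparing. PBKDF2-HMAC-SHA256, the iteration count and all function names are assumptions; the page does not state the exact algorithm.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # assumed work factor, not a value from the page
SALT_BYTES = 16       # fixed length, so salt + account id is unambiguous


def hash_password(account_id: str, password: str,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) to store for this account."""
    if salt is None:
        # New or changed password: draw a fresh random salt.
        salt = os.urandom(SALT_BYTES)
    # "Locked to your account": the account id is mixed into the salt
    # input, so a stored digest cannot be replayed on another account.
    bound_salt = salt + account_id.encode("utf-8")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bound_salt, ITERATIONS
    )
    return salt, digest


def verify_password(account_id: str, password: str,
                    salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the hash from the submitted password and compare."""
    _, candidate = hash_password(account_id, password, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    # Constructed sample data: two accounts choosing the same password.
    salt_a, stored_a = hash_password("alice", "hello")
    salt_b, stored_b = hash_password("bob", "hello")
    print("alice:", stored_a.hex())
    print("bob:  ", stored_b.hex())
    print("same stored value?", stored_a == stored_b)
    print("correct password:", verify_password("alice", "hello", salt_a, stored_a))
    print("wrong password:  ", verify_password("alice", "hellp", salt_a, stored_a))
```
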
Account Access Logs
You can see when you have logged in, and even attempts that have failed, allowing you to see if someone is trying to access your account. If that is not enough, for each failed attempt you get to see what level they messed up on (password, security pin, validation image, etc.) as well as their resolved IP address. Knowing that information allows you to adjust your account security level accordingly before it is too late.
Security Center Settings
This is a very powerful feature. By default, session banning and validation images are enabled and cannot be disabled. Upon X amount of incorrect login attempts you will get session banned for a period of time, and the validation image will be required at some point as well. With the validation image you are required to enter the digits on the image as well as the usual username and password. Once logged in, you also have the option to increase your account security by enabling our IP Monitoring feature, which will ban a person from accessing your account for a period of time from their current internet connection (IP Address). Obviously they will only get banned after X incorrect attempts at accessing your account. This is a much stronger way of banning people than our default session banning; however, banning by IP does have some drawbacks, which you can read about in your account security center once logged in. For those of you who are extremely paranoid about security, you can enable our IP & Email Locking feature. This detects if your internet connection (IP Address) has changed, and if it has, you are required to enter a pin number before you can access your account; the pin is emailed to the email address you have registered with us. The last thing I should mention is that you can change your inactivity setting, which you can adjust from 5 to 60 minutes. If you have not made a page hit for that period of time, you are automatically logged out and we inform you that your session expired. You can read more detailed descriptions of each of these features in your account's security center. We highly suggest you read each of the descriptions before enabling or disabling a security feature.
Remember Me (Cookies)
When you log in and select a length of time to have your login details remembered, we save your user name and password in a cookie (so cookies must be allowed in your browser). The next time you visit the site you will automatically be logged in. Before your password is saved in the cookie it is hashed using SHA (Secure Hashing Algorithm) and salted, to prevent someone opening your cookie and seeing your password. We recommend NOT having your details remembered if you are on a computer that you share with other people, for obvious reasons.