There's a lot of incompetence on display in that technical description.

"Our private server facilities" sounds like they were trying to run their own facility for some misbegotten reason.

"A double salted SHA-512 hashing algorithm" sounds like a weak homegrown password hash. I'm guessing it was something along the lines of SHA512(salt1 + SHA512(salt2 + password)), which is pitifully weak compared to any sort of iterated hash (bcrypt, scrypt, PBKDF2, etc.). It could also mean SHA512(salt1 + password + salt2), which would be even worse in a kind of sad, hilarious way.

"AES RIJNDAEL 256 encryption" is a perfectly normal SSL cipher. Referring to it as "RIJNDAEL" is a bit of a tipoff, though: Rijndael is not an acronym, so it shouldn't be capitalized, and it's simply an older name for AES, so it's entirely redundant in this phrase.

"2048-bit, highest assurance Extended Validation SSL certificate" is something you can get from any number of vendors. It isn't actually any more secure than any other SSL certificate.

"Industry-leading security and fraud protection" probably means nothing. Or, at most, possibly that they're using an off-the-shelf fraud detection service like Maxmind, which would have done little to nothing to protect them from a determined fraudster, let alone an attacker.

"Tape backups" just make it sound like they're using equipment from the 90s.

"Secure Card and Google Authenticator" are both decent features to implement, but suggesting that they result in "up to 3 levels of authentication" is amusing. Multiple possession factors ("something you have", like a security token or a cell phone with Authenticator) don't add together; to have three factors, you'd need a knowledge factor (a password), a possession factor, and a biometric factor. And they definitely don't have the last one.
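Added example, not part of the comment above and not code from the breached site: it implements the two "double salted SHA-512" constructions the commenter guesses at, puts PBKDF2-HMAC-SHA512 (the standard-library iterated hash) beside them, and runs the same offline dictionary attack against all three so the difference in cost per guess is visible. The salts, the victim password, the wordlist, the iteration count and every function name here are constructed assumptions for illustration.

```python
"""Added example: the commenter's guessed "double salted SHA-512" constructions
versus an iterated KDF, attacked with the same offline dictionary.

All salts, passwords, wordlist entries and helper names are constructed for
this demo; nothing here comes from the site being discussed.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Sequence

Hasher = Callable[[bytes], bytes]


def nested_double_salt(salt1: bytes, salt2: bytes) -> Hasher:
    """Guess #1 from the comment: SHA512(salt1 + SHA512(salt2 + password)).
    Two hash invocations per guess and no tunable work factor."""
    def h(password: bytes) -> bytes:
        inner = hashlib.sha512(salt2 + password).digest()
        return hashlib.sha512(salt1 + inner).digest()
    return h


def sandwich_double_salt(salt1: bytes, salt2: bytes) -> Hasher:
    """Guess #2 from the comment: SHA512(salt1 + password + salt2).
    A single hash invocation per guess."""
    def h(password: bytes) -> bytes:
        return hashlib.sha512(salt1 + password + salt2).digest()
    return h


def pbkdf2_sha512(salt: bytes, iterations: int) -> Hasher:
    """Iterated hash: each guess costs `iterations` HMAC-SHA512 calls, and the
    defender can raise that number as attacker hardware gets faster."""
    def h(password: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha512", password, salt, iterations)
    return h


def dictionary_attack(target: bytes, wordlist: Sequence[bytes], hasher: Hasher) -> Optional[bytes]:
    """Offline attack with the leaked salts: hash each candidate and compare."""
    for guess in wordlist:
        if hmac.compare_digest(hasher(guess), target):
            return guess
    return None


def cost_per_guess(hasher: Hasher, samples: int) -> float:
    """Average seconds per guess, measured on a fixed dummy password."""
    start = time.perf_counter()
    for _ in range(samples):
        hasher(b"benchmark-password")
    return (time.perf_counter() - start) / samples


def work_factor_ratio(iterations: int = 200_000) -> float:
    """How many times more expensive one PBKDF2 guess is than one
    nested-double-salt guess on this machine (roughly `iterations`)."""
    s1, s2 = os.urandom(16), os.urandom(16)
    weak = cost_per_guess(nested_double_salt(s1, s2), samples=2000)
    strong = cost_per_guess(pbkdf2_sha512(s1, iterations), samples=3)
    return strong / weak


# Constructed sample data (assumed values, not from any real breach).
SALT1 = b"\x01" * 16
SALT2 = b"\x02" * 16
WORDLIST = [b"password", b"letmein", b"qwerty", b"hunter2", b"correct horse"]
VICTIM_PASSWORD = b"hunter2"


def demo():
    """Crack the same weak password under each scheme; returns
    {scheme: (recovered_password, seconds_for_whole_wordlist)}."""
    results = {}
    for name, hasher in [
        ("nested double salt", nested_double_salt(SALT1, SALT2)),
        ("sandwich double salt", sandwich_double_salt(SALT1, SALT2)),
        ("pbkdf2-sha512 (200k)", pbkdf2_sha512(SALT1, 200_000)),
    ]:
        stored = hasher(VICTIM_PASSWORD)
        t0 = time.perf_counter()
        found = dictionary_attack(stored, WORDLIST, hasher)
        results[name] = (found, time.perf_counter() - t0)
    return results


if __name__ == "__main__":
    for name, (found, secs) in demo().items():
        print(f"{name:22s} recovered={found!r:16} in {secs:.4f}s for {len(WORDLIST)} guesses")
    print(f"PBKDF2 costs ~{work_factor_ratio():,.0f}x more per guess than the nested construction")
```

All three schemes give up "hunter2" here because the wordlist contains it; salting (single or double) only stops precomputed tables, it does nothing about cost per guess. The iterated hash multiplies that cost by the iteration count, which is what turns a billion guesses per second on commodity hardware into thousands, and it is the only knob in this comparison the defender can turn up over time.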