Title: Party Poker in The Guardian
Post by: redsimon on March 20, 2005, 06:40:31 PM

Vaguely interesting article
http://www.guardian.co.uk/business/story/0,3604,1441390,00.html

Title: Re: Party Poker in The Guardian
Post by: le plonquer on March 21, 2005, 03:08:51 PM

I wonder how their share prices will do when the word gets out about all the money that is being stolen from players' accounts by password hackers and how incredibly incompetent their support is in dealing with these issues. This is not rumour but personal experience.
Badly Burned

Title: Re: Party Poker in The Guardian
Post by: Ironside on March 21, 2005, 06:42:11 PM

> I wonder how their share prices will do when the word gets out about all the money that is being stolen from players' accounts by password hackers and how incredibly incompetent their support is in dealing with these issues. This is not rumour but personal experience.
> Badly Burned

i have been warning about this for ages but people think i am off my head

protect yourself by
using long passwords that use numbers and letters in a random order (no real words)
use different password for each poker site
remove your credit card details from the account once you have made your deposit/withdrawal
change your passwords once a week
never keep more than a couple of hundred $$$s in your account at any one time

poker is a long way behind banking when it comes to security and as joe beavers said to me today just look at that japanese bank last week that was hacked.

just to get into my online bank i need an account number a password and to know the answer to one of 12 questions they rotate in a random order and if i get it wrong twice in a row they freeze my online account

is there any reason that pokersites can't do this to help us feel safer?
YES the cost of the extra support staff for all the blocked accounts
YES the cost to their business of contacting all the people currently playing (some with out of date emails or emails sent to spam filters) to get them to use a new system

until poker players start making a fuss about the security of their accounts then poker sites won't listen
until more people's accounts are hacked poker players don't care as long as it's not them

so until pokersites up the ante and protect from the hackers
stay safe

Title: Re: Party Poker in The Guardian
Post by: tikay on March 21, 2005, 08:23:42 PM

Great post Ironside, thank you. Clearly, you are not just a pretty face.....
I think your splendid post may well have ended with the words, "YOU HAVE BEEN WARNED"!

However, I have a question for you.

Two - no three - parties are involved in this. The Card Room. The player. And the hacker.

The Card Room says "Hey, you can deposit money with us. We guarantee we won't mess with it. Choose your own password. Guard it carefully. Use a good password. We guarantee never to divulge that password to a soul."

The Player agrees. "OK, here's x00 pounds. I have chosen a really neat password that I don't think anyone can guess".

The Hacker comes along, works his magic, cracks the Password, & empties the Player's account.

Assuming the Cardroom has not divulged the password to anyone - and for goodness sake, why should they? - who is responsible for the player's loss?

Now, I think I know the answer to this question - but I'd be interested in your take on it. Or anyone else's, for that matter.

Title: Re: Party Poker in The Guardian
Post by: Ironside on March 21, 2005, 09:27:40 PM

> Great post Ironside, thank you. Clearly, you are not just a pretty face.....
>
> I think your splendid post may well have ended with the words, "YOU HAVE BEEN WARNED"!
>
> However, I have a question for you.
>
> Two - no three - parties are involved in this. The Card Room. The player. And the hacker.
>
> The Card Room says "Hey, you can deposit money with us. We guarantee we won't mess with it. Choose your own password. Guard it carefully. Use a good password. We guarantee never to divulge that password to a soul."
>
> The Player agrees. "OK, here's x00 pounds. I have chosen a really neat password that I don't think anyone can guess".
>
> The Hacker comes along, works his magic, cracks the Password, & empties the Player's account.
>
> Assuming the Cardroom has not divulged the password to anyone - and for goodness sake, why should they? - who is responsible for the player's loss?
>
> Now, I think I know the answer to this question - but I'd be interested in your take on it. Or anyone else's, for that matter.

1st the hacker doesn't need to guess the password, they get a PC program to do it for them. it's easy, they already have half the info they need: the username. If you don't believe how easy it is i can supply you with a simple program a monkey could use to get the info, i can also supply you with the urls of password forums where passwords gained by this software are swapped among people not wanting to pay for porn.

the adult industry is probably the only industry bigger than gambling online at the moment. they recognised the problem and have already started trying to stop it (with a huge lack of success). as soon as these kids that hack the porn grow up a little and realise they can use their skills for getting money simply by gaining access to a poker account, dumping chips into another account then cashing out before the site finds out, then we will be in real trouble

the fault lies in 2 places for accounts hacked and money stolen
1) the user for having too much money in the account (remember i said limit the amount in your account, that way if any goes missing it's not serious)
2) the site for spending too much money on gimmicks and not enough on security. the security on MOST (not all) online poker sites is so far out of date that even free email services like yahoo are light years ahead. yes yahoo had a problem with hackers hacking into and taking over accounts but they got off their backsides and did something about it.

one poker site which i won't name, when they found a player trying to guess another player's password (after the player told them he had), was more worried about them trying to use the account to cheat a promo than they were about the personal details and money in the account.

time to wake up and smell the roses guys, we live in an age where crime is a billion dollar business and online pokersites are an easy target

Title: Re: Party Poker in The Guardian
Post by: Bongo on March 21, 2005, 09:30:38 PM

I was about to make a post like Ironside's earlier when work distracted me.
I would also add to the basics that need to be in order to keep yourself as safe as possible:

1) Good, up to date Anti Virus software.
2) A Firewall of some sort.
3) Good, up to date Anti Spyware (Spyware is a group of threats that includes some trojans, these could reveal your passwords, as well as annoying pop up ads)

(I can expand on this, i.e. what's good if people need).

Most online banking fraud is carried out by obtaining access to the site from the user, by installing malicious software or sending out hoax emails that they respond to. They do this as it is a lot easier than hacking the bank itself and yields them a good profit.

This is the reason that one of the most respected names in the computer security industry has said that banks are wasting millions on "two-factor authentication" (a hardware dongle you plug in that verifies you to your bank).

Quote
"Two-factor authentication was invented a couple of decades ago against the threats of the time. Now, the threats have changed - and two-factor authentication doesn't defend against them. It's a waste of money," Schneier told El Reg. His comments are controversial because they attack a technology touted as a gold standard for net security - but that doesn't necessarily mean he's wrong.

This is because the threat is not from fraudsters cracking the password to gain access to the bank but rather tricking the user into giving them the details they need to get authorised.

Assuming poker sites maintain the most basic levels of security it is more likely that people hacking the site will target the users rather than the site itself. This happened in the only case of this that I know the details of (hippicrit on poker stars through the post The Hendon Mob Forum). His username was the same as his screen name (is that always the case on pokerstars? I have yet to create an account there) and his password was his username with a 1 on the end.
Someone saw him make a score in a tourny and tried to get onto his account and succeeded - as his password was very simple.

As for who is responsible, I would think the user - the username/password identifies them and it is their responsibility to make sure no one else knows it. I have a sneaking suspicion that the only reason the banks are so helpful to the majority of users who are caught out by online fraud is that they stand to save a lot of money by moving banking online. Obviously stories about fraud would hinder their attempts to do this. However they may very well be ignorant of the issues and what is expected of them.

With online poker (and gambling) getting so big I'm surprised that no sites have any help with security or some form of big push to help users with this. Thinking about this today made me realise that there was so much sites could do to help with this. I was surprised that no one had done anything like that as I'm sure it would help them differentiate themselves from the competition as well as justify some of the rake that they charge.

Hope that makes sense, I've just got back from the gym.

Title: Re: Party Poker in The Guardian
Post by: Bongo on March 21, 2005, 09:35:43 PM

> one poker site which i won't name, when they found a player trying to guess another player's password (after the player told them he had), was more worried about them trying to use the account to cheat a promo than they were about the personal details and money in the account.

I am amazed that this is that easy (again unless the player had an easy password that was guessed with very few attempts). Basic security would stop people from logging in after 3 (or so) failed attempts (this could be fine tuned, e.g. 3 failed attempts from an IP then the IP is prevented from logging in for some amount of time). This would also help prevent the "brute force" password cracks as it could substantially increase the amount of time it took.
The system could also warn the player that someone was trying to hack their account and give them advice on how to help prevent this.

Title: Re: Party Poker in The Guardian
Post by: Ironside on March 21, 2005, 10:04:31 PM

> > one poker site which i won't name, when they found a player trying to guess another player's password (after the player told them he had), was more worried about them trying to use the account to cheat a promo than they were about the personal details and money in the account.
>
> I am amazed that this is that easy (again unless the player had an easy password that was guessed with very few attempts). Basic security would stop people from logging in after 3 (or so) failed attempts (this could be fine tuned, e.g. 3 failed attempts from an IP then the IP is prevented from logging in for some amount of time). This would also help prevent the "brute force" password cracks as it could substantially increase the amount of time it took.
>
> The system could also warn the player that someone was trying to hack their account and give them advice on how to help prevent this.

the new software that people use to brute force uses proxies, and with a good list of proxies online porn sites are finding it difficult to stop the brute force attacks. poker sites have not admitted to having suffered from brute force attacks but it can't be long until they are attacked if they are not already getting done.

brute forcing is simple, just run the software over night and in the morning you will have a host of username/password combinations along with proxies. then all you need to do is watch for the target to log off to go and raid their account

Title: Re: Party Poker in The Guardian
Post by: Ironside on March 21, 2005, 10:08:50 PM

ps anyone stupid enough to be online without a good UPTODATE antivirus/spyware and a good firewall deserves to have their details stolen. it's not as if virus and hacking hasn't been all over the media for the last few years
especially since the iloveyou virus hit the front page of newspapers and headline news on the tv

Title: Re: Party Poker in The Guardian
Post by: Bongo on March 21, 2005, 10:23:47 PM

> the new software that people use to brute force uses proxies, and with a good list of proxies online porn sites are finding it difficult to stop the brute force attacks. poker sites have not admitted to having suffered from brute force attacks but it can't be long until they are attacked if they are not already getting done.
>
> brute forcing is simple, just run the software over night and in the morning you will have a host of username/password combinations along with proxies. then all you need to do is watch for the target to log off to go and raid their account

I bet these proxies are just the average person's PC infected with a trojan, which would make them difficult to blacklist - all the more reason to keep your machine clean.

An idea I had to stop this was to allow players to specify an IP address (or range) that their account could be used from. E.G. you could say only allow access from a bt internet IP address - this should make it more difficult for hackers.

You could also specify a range of games that you play in and no others would be allowed without you authorising them - making it harder for an account to be cleared out if they do get access.

These things would add an extra inconvenience to players wishing to move up a level, try a new game or moving ISP but you wouldn't have to use them. They do however rely on some form of authentication. However as this doesn't need to be broadcast over the net or used as often I'm sure something more secure could be thought up. (It would be very hard to "brute force" a password over the phone for example.).
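
The point made in the posts above, that a limit of 3 failures per IP does little once guesses arrive from many proxy addresses while a count of failures per account still sees them, shown as an added example. It is not code from any poker site or from the posters; the event format, thresholds, account names and addresses are constructed for illustration.

```python
from collections import defaultdict, deque


def build_sample_events():
    """Constructed login events: (seconds, account, source_ip, success)."""
    events = [
        # A player mistypes twice from one address, then gets in.
        (0, "player_a", "192.0.2.10", False),
        (5, "player_a", "192.0.2.10", False),
        (9, "player_a", "192.0.2.10", True),
    ]
    # 40 failed guesses against one account, each from a different address,
    # which is what a rotating proxy list looks like to the site.
    for i in range(40):
        events.append((100 + i * 3, "player_b", f"203.0.113.{i + 1}", False))
    # One address failing four times in a row against another account.
    for i in range(4):
        events.append((300 + i, "player_c", "198.51.100.7", False))
    return sorted(events)


def sliding_window_hits(events, key_fn, limit, window):
    """Return {key: time at which `limit` failures first fell inside `window` seconds}."""
    recent = defaultdict(deque)
    hits = {}
    for ts, account, ip, ok in events:
        if ok:
            continue
        key = key_fn(account, ip)
        q = recent[key]
        q.append(ts)
        # Drop failures that are older than the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= limit and key not in hits:
            hits[key] = ts
    return hits


def per_ip_hits(events, limit=3, window=600):
    """The '3 failed attempts from an IP' rule."""
    return sliding_window_hits(events, lambda account, ip: ip, limit, window)


def per_account_hits(events, limit=3, window=600):
    """Same rule, but counting failures against the account whatever the source."""
    return sliding_window_hits(events, lambda account, ip: account, limit, window)


def distinct_sources(events, account):
    """Number of different addresses that failed to log in to `account`."""
    return len({ip for _, a, ip, ok in events if a == account and not ok})


if __name__ == "__main__":
    ev = build_sample_events()
    print("per-IP rule fires for:     ", per_ip_hits(ev))
    print("per-account rule fires for:", per_account_hits(ev))
    print("sources seen for player_b: ", distinct_sources(ev, "player_b"))
```

On the constructed data the per-IP rule catches only the single noisy address, while the per-account rule also flags the account that was guessed at from 40 different addresses; what to do on a hit (lock, challenge, notify the player) is a separate decision.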
Title: Re: Party Poker in The Guardian
Post by: Bongo on March 21, 2005, 10:32:53 PM

> ps anyone stupid enough to be online without a good UPTODATE antivirus/spyware and a good firewall deserves to have their details stolen. it's not as if virus and hacking hasn't been all over the media for the last few years
>
> especially since the iloveyou virus hit the front page of newspapers and headline news on the tv

Some results from some surveys:

A survey by AOL and the National Cyber Security Alliance found 80% of home PCs had some form of infection, yet 75% believed that their PC was very secure or moderately secure. (http://www.theregister.co.uk/2004/10/26/pc_petri_dish_city/)

An unprotected WinXP PC was infected within 4 minutes of being connected to the Internet and a zombie (i.e. one of the proxies from above, also used for sending spam mail) 10 hours later. (http://www.theregister.co.uk/2004/12/01/honeypot_test/)

25% of such PCs are located in Britain, more than any other country. (http://www.theregister.co.uk/2005/03/21/botnet_charts/)

The message isn't getting through unfortunately.

Title: Re: Party Poker in The Guardian
Post by: Ironside on March 21, 2005, 10:39:05 PM

> > the new software that people use to brute force uses proxies, and with a good list of proxies online porn sites are finding it difficult to stop the brute force attacks. poker sites have not admitted to having suffered from brute force attacks but it can't be long until they are attacked if they are not already getting done.
> >
> > brute forcing is simple, just run the software over night and in the morning you will have a host of username/password combinations along with proxies. then all you need to do is watch for the target to log off to go and raid their account
>
> I bet these proxies are just the average person's PC infected with a trojan, which would make them difficult to blacklist - all the more reason to keep your machine clean.
>
> An idea I had to stop this was to allow players to specify an IP address (or range) that their account could be used from. E.G. you could say only allow access from a bt internet IP address - this should make it more difficult for hackers.
>
> You could also specify a range of games that you play in and no others would be allowed without you authorising them - making it harder for an account to be cleared out if they do get access.
>
> These things would add an extra inconvenience to players wishing to move up a level, try a new game or moving ISP but you wouldn't have to use them. They do however rely on some form of authentication. However as this doesn't need to be broadcast over the net or used as often I'm sure something more secure could be thought up. (It would be very hard to "brute force" a password over the phone for example.).

a simple graphical image with a few letters on that you need to type in every time you log in would solve the problem of brute force attacks, it's already been used by yahoo. problem is people are used to just opening the software with the username and password already stored so all they need to do is play, they don't want to have to type in a few letters each time.

another way to solve it would be to get the software to link to the PC by serial of the processor but this would stop players playing on friends' machines and on the move from internet cafes etc etc.

Title: Re: Party Poker in The Guardian
Post by: ifm on March 21, 2005, 10:59:44 PM

My online bank (lloydstsb) asked for a 9 digit alphanumeric code? in addition to a username and password. After logging in it will ask you for any 3 letters (random) from this code in order to proceed. This is a very simple and effective method and I would think very cheap to implement. These are in the form of dropdown lists and so couldn't be bruteforced. Also this info is not likely to be stored on a user's 'puter and so trojans and keyloggers (the most common way of doing this) can access the info.
Ian

Title: Re: Party Poker in The Guardian
Post by: Bongo on March 21, 2005, 11:06:28 PM

> My online bank (lloydstsb) asked for a 9 digit alphanumeric code? in addition to a username and password. After logging in it will ask you for any 3 letters (random) from this code in order to proceed. This is a very simple and effective method and I would think very cheap to implement. These are in the form of dropdown lists and so couldn't be bruteforced. Also this info is not likely to be stored on a user's 'puter and so trojans and keyloggers (the most common way of doing this) can access the info.
> Ian

The trojans take screengrabs of the screens. Doesn't take them long to figure out the codes.

Title: Re: Party Poker in The Guardian
Post by: ifm on March 21, 2005, 11:12:47 PM

You misunderstand, 3 random letters from a 9 digit code.
You could literally log in hundreds of times without ever revealing the full code.
Ian

Title: Re: Party Poker in The Guardian
Post by: Bongo on March 21, 2005, 11:30:08 PM

> You misunderstand, 3 random letters from a 9 digit code. You could literally log in hundreds of times without ever revealing the full code.
> Ian

They could also do it in 3 times (if they are lucky). Getting 2 digits gives them a 10% chance of guessing as well. I wonder what the average amount of logins would be until they had it cracked?

Admittedly these are more secure than a standard password and a damn sight better than the average poker site by the sound of things.

Title: Re: Party Poker in The Guardian
Post by: ifm on March 21, 2005, 11:38:21 PM

Nothing is infallible sp? but the risks are hugely reduced with such a simple system.
Just thought about it and mine is actually 12 digits!! Though even with 9 and having 2 it still leaves what, 80 odd possibles for the last? And that's without special symbols!!

As for how many logins? How long is a piece of string?
Ian

Title: Re: Party Poker in The Guardian
Post by: Ironside on March 22, 2005, 12:11:24 AM

if all my bank wanted from me was my online account number and 3 digits from a 12 digit pass then i would be changing banks ASAP
all a person would need to attempt to log in would be the account number and a good piece of software that could go thru every 3 digit combination (under 500k), that could be done in under an hour

the good thing with most banks is that with 3 failed attempts to log in online they will freeze the account till they have made sure they have contact with you and confirmed your id

this doesn't happen with online poker

Title: Re: Party Poker in The Guardian
Post by: tikay on March 22, 2005, 12:35:40 AM

Wow, what HAVE we started? Fascinating stuff.
But the answer to the question I posed earlier seems to be - all things being equal - that if Mr Hacker cracks your password, it's YOUR fault, and YOUR responsibility. So we can't start blaming the Card Rooms, even though it's fashionable to knock them, or so it seems to me. We all have to take responsibility for our actions. Is this how you guys see it?

Many thanks to Redsimon for starting this thread, and to le plonquer, Ironside, ifm, & bongo for giving this matter a good airing. I have no idea who bongo is - he only joined the blonde Forum today - but his input has been invaluable. And spare a thought for le plonquer, who appears to have suffered at the hands of the hackers. Let's hope he gets at least some of his cash back.

blondepoker is a new site, & our Forum is only a bit player in the grand scheme of things. But judged by this thread, it's going the right way.

Thanks guys.

Title: Re: Party Poker in The Guardian
Post by: Ironside on March 22, 2005, 01:07:20 AM

> Wow, what HAVE we started? Fascinating stuff.
>
> But the answer to the question I posed earlier seems to be - all things being equal - that if Mr Hacker cracks your password, it's YOUR fault, and YOUR responsibility. So we can't start blaming the Card Rooms, even though it's fashionable to knock them, or so it seems to me. We all have to take responsibility for our actions. Is this how you guys see it?
>
> Many thanks to Redsimon for starting this thread, and to le plonquer, Ironside, ifm, & bongo for giving this matter a good airing. I have no idea who bongo is - he only joined the blonde Forum today - but his input has been invaluable. And spare a thought for le plonquer, who appears to have suffered at the hands of the hackers. Let's hope he gets at least some of his cash back.
>
> blondepoker is a new site, & our Forum is only a bit player in the grand scheme of things. But judged by this thread, it's going the right way.
>
> Thanks guys.

tikay

if someone gains access to an account via cracking a password then i lay the blame squarely at the site for having such lax security

if someone gains access to an account via guessing a password then i blame the account holder

until such times as i feel that poker sites are taking security seriously i will never put my debit card online and i certainly won't keep much money in any account

Title: Re: Party Poker in The Guardian
Post by: Bongo on March 22, 2005, 01:14:36 AM

I think we need to differentiate between cracking and other forms of hackers obtaining your password (e.g. a keylogger or guessing).
In the case of cracking (i.e. brute force attack or similar) I would blame the site entirely - they should have a system in place to stop it, or at the very least detect it and stop them from gaining anything. Thousands of failed login attempts in a short time period should be very easy to spot, I for one would prefer to have my account locked down if they detected this rather than lose money to crackers.

In the other cases I would place the responsibility squarely on the user. They should have a password that can't be guessed easily (e.g. screenname1) and should keep their system clean of anything that could log their passwords. The card rooms don't exist to teach safe computing after all, although it might benefit users if they did; the same could be said for PC vendors and ISPs.

In terms of online banking most frauds are carried out by obtaining the password from the user in some way rather than cracking, as this has a far higher success rate. This should be the case with card rooms as well.

Title: Re: Party Poker in The Guardian
Post by: tikay on March 22, 2005, 01:26:49 AM

Hmm, now I'm confused.
What both Ironside & Bongo seem to be saying is this: If your password is cracked by a "brute force attack", then it's the Card-Room's fault. If your password is "guessed" by Mr Hacker it's the player's fault.

I need to think about this, as I am struggling to see the difference.

But let's, just for a moment, consider the problem from the card room's perspective. What's to stop me giving my password to our good friend Matey Boy. He empties my account. I then claim the money from the cardroom on the grounds that they "allowed" my password to be cracked. Where would THAT end?

Title: Re: Party Poker in The Guardian
Post by: Ironside on March 22, 2005, 01:34:58 AM

> Hmm, now I'm confused.
>
> What both Ironside & Bongo seem to be saying is this: If your password is cracked by a "brute force attack", then it's the Card-Room's fault. If your password is "guessed" by Mr Hacker it's the player's fault.
>
> I need to think about this, as I am struggling to see the difference.
>
> But let's, just for a moment, consider the problem from the card room's perspective. What's to stop me giving my password to our good friend Matey Boy. He empties my account. I then claim the money from the cardroom on the grounds that they "allowed" my password to be cracked. Where would THAT end?

users can do nothing to stop brute force attack, sites can
users can stop their passwords being easy guessed
tighter security would stop matey boy and his mate dead in their tracks
a word to an isp or 2 under a fraud investigation would stop matey boy in his tracks

Title: Re: Party Poker in The Guardian
Post by: redsimon on March 22, 2005, 07:19:06 AM

> Many thanks to Redsimon for starting this thread,

I think my original post has gone slightly "off topic" but interesting stuff. One thing, how do you make the url I posted clickable (showing my duffer status with regard to computers!).

Title: Re: Party Poker in The Guardian
Post by: tikay on March 22, 2005, 09:24:27 AM

The url IS clickable Simon!
I just clicked it & it took me straight to the article.
As to how it works, if that's what you meant, well that's obvious really. It's magic - how else could it work?

Title: Re: Party Poker in The Guardian
Post by: Bongo on March 22, 2005, 11:19:47 AM

I'll try to explain the differences between the two types of attack for anyone being confused.
First the types that are the player's responsibility:

Weak Password - e.g. if your sign on name was "MateyBoy" and your password was "MateyBoy1" or something else which could easily be guessed (If you're well known, facts about yourself could be guessed, like your pet's name etc).

Malicious Software - e.g. your computer gets "infected" with some form of software that steals your password (logs the keys you press when you enter your password, or logs the information you send to the card room to get the password). This could be part of a virus or maybe it gets installed by something posing as a poker utility.

"Phishing" (read: fishing):

Quote
In computing, phishing is the act of attempting to fraudulently acquire through deception sensitive personal information such as passwords and credit card details by masquerading in an official-looking email, IM, etc. as someone trustworthy with a real need for such information. It is a form of social engineering attack

more on this here: http://en.wikipedia.org/wiki/Phishing

This is tricking people into sending fraudsters personal details like passwords, e.g. sending an email to MateyBoy saying I'm PokerStars support and could he verify his password for me.

The risk of all of these can be minimised by the player taking sensible precautions, the card room can do nothing to stop these attacks.

Things the card room are responsible for:

"Brute force" cracking: This is trying to find out the password by trying out every possible password until you get the correct one. Unless the hackers have access to the card room's servers this will be done by trying to login to the room several times. This will obviously generate several failed login attempts in a short space of time (the process is automated and able to try several passwords a second). This is easy to spot and there are several things that can be done to make it harder for the crackers (e.g. Ironside's example of making people enter a few characters presented to them in an image every time they log in).

Obviously there is nothing the user can do about this attack, but lots that a cardroom can do.

Does this help?

Title: Re: Party Poker in The Guardian
Post by: tikay on March 22, 2005, 12:13:12 PM

Thanks Bongo - I think I am getting there now.
You refer to Ironside's example of an image being presented each time we log in. I have seen & used this on yahoo mail. They have a little box, with 4 or 5 digits sort of scrawled in it graffiti style. You have to type in the letters you see. How on earth does this work? Surely we ALL see the same image, be we a hacker or not?

And whilst I am very grateful to you for your patience with us in explaining all this, I'd ask you to be a little more respectful to Matey Boy. He's gonna have to change his password now you've told everyone!

I know one thing for sure though. I need to change most of my passwords - this thread has frightened the life out of me. I don't suppose I am the only one, either.

Title: Re: Party Poker in The Guardian
Post by: luckyblind on March 22, 2005, 12:22:10 PM

> Thanks Bongo - I think I am getting there now.
>
> You refer to Ironside's example of an image being presented each time we log in. I have seen & used this on yahoo mail. They have a little box, with 4 or 5 digits sort of scrawled in it graffiti style. You have to type in the letters you see. How on earth does this work? Surely we ALL see the same image, be we a hacker or not?
>
> And whilst I am very grateful to you for your patience with us in explaining all this, I'd ask you to be a little more respectful to Matey Boy. He's gonna have to change his password now you've told everyone!
>
> I know one thing for sure though. I need to change most of my passwords - this thread has frightened the life out of me. I don't suppose I am the only one, either.

The image thing is to stop a computer program trying to get in to your account. These programs cannot recognise the text in an image.

Title: Re: Party Poker in The Guardian
Post by: tikay on March 22, 2005, 12:31:19 PM

Thanks Mike - I think I can see that now.
You are suggesting that the "brute force attacks" are computer generated, & the computer can't read squiggly writing. I feel a real thicko now!

Title: Re: Party Poker in The Guardian
Post by: ontilt on March 22, 2005, 12:47:25 PM

Excellent thread. Without wanting to be too alarmist, working in the internet industry (and having seen some dodgy practices) I think this is a subject players ought to be taking a lot more interest in.
It is certainly the site's responsibility to ensure that they have adequate procedures in place not only for account management, but also for data protection (are you happy that they are handling credit card and other personal information correctly?) and following adequate procedures for responsible handling of large quantities of other people's money (see disasters such as pokerspot! there is some good comment on this on Paul Phillips' blog). Where there are large quantities of money involved these should be akin to those of banks and other financial institutions.

Players ought to be voting with their feet on this subject when they are concerned and now that I have some decent amounts of cash online I am being much more careful about. Personally I am keeping cash centralised in my Neteller account.

I think the reasons the poker industry is very behind here are several. A lot of these sites are offshore in places where there isn't the necessary regulation, they don't want to spend the money, and the customer base doesn't yet have the expectation that this should be the case. In general while there is such a boom on, sites are very poor in general about responding to customer concerns (pokerstars stands out as an exception to this).

Hopefully this will all improve as the industry develops.

Title: Re: Party Poker in The Guardian
Post by: tikay on March 22, 2005, 01:26:13 PM

Thanks ontilt.
It has certainly opened my eyes, & I shall be taking a lot more care in future. Much credit goes to Ironside & Bongo for taking the time to educate us in the error of our ways, & to show us how exposed to fraud we really are. Or were....

Title: Re: Party Poker in The Guardian Post by: ifm on March 22, 2005, 03:06:56 PM
if all my bank wanted from me was my online account number and 3 digits from a 12 digit pass then i would be changing banks ASAP all a person would need to attempt to log in would be the account number and a good piece of software that could go thru every 3 digit combinations (under 500k) that could be done in under an hour Blimey! so would i!! In this particular case you log in with an 8 digit username (sent by post) and a password of your choosing, then you are taken to a different screen where it'll ask you for say the 2nd 6th and 10th digit of a different 12 digit password, these are selected from a dropdown list (can computer programs use dropdown lists) such as in the address bar of internet explorer. Only then if correct can you gain access to the site. This is by far the best security i've come across and i have all my credit card, other bank accounts etc online. Again though it could theoretically be guessed though the username is random letters numbers etc. As for your question Tikay, if someone logs into your account using your username and password tough! Sites do not have policies for reimbursing you for this type of fraud whereas banks do (if someone withdraws money from your account/card you just sign a form to say you didn't do it and they will give you the money back!!) Poker sites do however have policies designed to stop money laundering, if you dump chips off and they see it they can and freeze your account!!! The great Pokergirl1 will attest to that, i think primapoker froze 50k of his cuz they said he did this, not sure of the outcome though.
I once read somewhere that some of these computer programs will EVENTUALLY be able to get into any username/password guarded site. Though some believe it or not are stored in the cgi bin itself (this is a little complicated to explain but it can be accessed thru the website address). Ian

Title: Re: Party Poker in The Guardian Post by: Bongo on March 22, 2005, 03:40:20 PM
Yes the computer programs can both read (they can take screenshots of them) and also send them to the bank.
My maths tells me that you need to know 10 of the 12 digits to have a >50% chance of knowing all 3 that are asked. I then calculated that you will need to observe 7 logins on average to know 10 digits of the 12. My maths could well be wrong though.

Title: Re: Party Poker in The Guardian Post by: ontilt on March 22, 2005, 04:08:58 PM
I think the key to preventing this kind of password cracking is having accounts that lock out until you verify your identity in person which is what banks do. As I believe someone mentioned earlier this would be much more of an overhead and undoubtedly hit the rake as people would not play when locked out accidentally.
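
Added example (not part of any post in the thread): a Python check of the partial-password arithmetic in Bongo's post above, together with the effect of the lockout ontilt describes. It assumes a 12-position secret of decimal digits, 3 positions chosen uniformly at random per login, and a lockout after two wrong answers as at the bank Ironside described; the function names are illustrative.

```python
from fractions import Fraction
from math import comb

N = 12      # positions in the second password (from the thread)
ASKED = 3   # positions challenged per login (from the thread)

def p_answer(known: int) -> Fraction:
    """Chance that all ASKED challenged positions fall among `known` observed ones."""
    return Fraction(comb(known, ASKED), comb(N, ASKED))

def p_transition(k: int, j: int) -> Fraction:
    """Chance that one observed login raises the known positions from k to j."""
    new = j - k
    if not 0 <= new <= ASKED or j > N:
        return Fraction(0)
    # `new` challenged positions are unseen, the other ASKED - new were seen before
    return Fraction(comb(N - k, new) * comb(k, ASKED - new), comb(N, ASKED))

def expected_logins(target: int) -> Fraction:
    """Expected number of observed logins until `target` positions are known."""
    expected = {k: Fraction(0) for k in range(target, N + 1)}
    for k in range(target - 1, -1, -1):
        stay = p_transition(k, k)
        move = sum(p_transition(k, j) * expected[j]
                   for j in range(k + 1, min(k + ASKED, N) + 1))
        expected[k] = (1 + move) / (1 - stay)
    return expected[0]

def p_blind_guess(attempts: int) -> Fraction:
    """Chance of passing the challenge by pure guessing (assumes decimal digits)."""
    return 1 - (1 - Fraction(1, 10 ** ASKED)) ** attempts

if __name__ == "__main__":
    for known in range(8, N + 1):
        print(f"{known} positions known: P(pass) = {float(p_answer(known)):.3f}")
    print(f"expected observed logins to know 10: {float(expected_logins(10)):.2f}")
    print(f"blind guess, lockout after 2 tries: {float(p_blind_guess(2)):.4%}")
    print(f"blind guess, 1000 tries, no lockout: {float(p_blind_guess(1000)):.1%}")
```
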
Title: Re: Party Poker in The Guardian Post by: ontilt on March 22, 2005, 04:21:42 PM
"I once read somewhere that some of these computer programs will EVENTUALLY be able to get into any username/password guarded site. Though some believe it or not are stored in the cgi bin itself (this is a little complicated to explain but it can be accessed thru the website address).
Ian" -- bit on the technical side but there was a hotmail crack not long ago where you could get the password via the querystring and read anyone's mail. One of my friends did this and found out we had all been laughing at his sexual escapades, but at least he didn't steal my banking details! But this also makes the point that you ought to be careful about storing your account details in easy to access email accounts, turning off auto remember password on machines (which I have seen lots of people forget) especially if you are playing on a public computer and also not using the same passwords for everything. It depends how paranoid a person you are, it's also unsafe to use your credit card in a restaurant or on holiday or give someone the number on the phone or use chip and pin, but you can't live in fear! Maybe poker sites ought to post a help page on how to be safe playing on the internet. - Maybe you could post one on this site Tikay?

Title: Re: Party Poker in The Guardian Post by: Bongo on March 22, 2005, 04:27:19 PM
I'd be willing to help with the guide, if you were to go ahead.
On the subject of hotmail i know several people who have had their password compromised through the use of the security question. A friend got caught out by this, he was using MSN Messenger when someone struck up a conversation with him (using the messenger program) and after a while asked him about his pets and then what his cat's name was. This was his security question.

Title: Re: Party Poker in The Guardian Post by: Paddywhack on March 26, 2005, 04:00:51 PM
The player mentioned, Hippicrit, had 5k robbed from his account. The hacker guessed his password and then transferred the cash to his own a/c. he played a 5k heads up, apparently thinking he would win and then return the money unnoticed. Pokerstars refunded the money to hippicrit. Scott Grey had his account on Party dipped, he lost 4k+ I think, he got no joy from Party apparently and is none too happy. If anyone sees him at the Irish open, they could get the full story.
Also a point that I've been thinking about, how many players register on forums with their poker username and the same password they use on Stars/UB etc.? If Tikay wanted, he could probably clean out quite a few accounts.

Title: Re: Party Poker in The Guardian Post by: redsimon on March 29, 2005, 12:32:51 PM
An interesting post script to this....I just had a 'phone call from my VISA card provider. Two sums of $200 a time were taken off it last night on a certain online poker site. Not by me! Now the odd thing is I have only ever used this VISA card twice online, both in 2002 on Paradise and Ladbrokes. (Basically since 2003 I have not had to buy in because I have built my online bankroll up and avoided risking too much of it on any one session).
So I guess it could have been swiped in a shop when i've used it, like I say never used it for anything online at all for 3 years. At least VISA rang and have stopped the card, but i guess this happens a lot?

Title: Re: Party Poker in The Guardian Post by: ifm on March 29, 2005, 12:42:10 PM
I had a similar experience, my debit card was used over a weekend totalling 1700. 500 was a restaurant bill (strange that it was exactly that amount).
I actually noticed it myself, just happened to check my account online. All i can think is that either it was double swiped somewhere or someone got my details from a petrol station receipt (yes all the info they need is there!!!!! though most have changed their receipts). Anyway the bank repaid me and gave me a new card. Incidentally i also had my cheque book stolen once and someone walked into various post offices and cashed cheques 200 a time 25 times!!! Luckily i had already reported it stolen/lost and the bank again repaid me. Ian