blonde poker forum
6676  Poker Forums / The Rail / Re: Party Poker in The Guardian on: March 21, 2005, 11:06:28 PM
My online bank (lloydstsb) asked for a 9 digit alphanumeric code? in addition to a username and password. After logging in it will ask you for any 3 letters (random) from this code in order to proceed. This is a very simple and effective method and I would think very cheap to implement. These are in the form of dropdown lists and so couldn't be bruteforced. Also this info is not likely to be stored on a user's 'puter and so trojans and keyloggers (the most common way of doing this) can access the info.
Ian

The trojans take screengrabs of the screens. Doesn't take them long to figure out the codes.
6677  Poker Forums / The Rail / Re: Party Poker in The Guardian on: March 21, 2005, 10:32:53 PM
ps anyone stupid enough to be online without a good UPTODATE antivirus/spyware and a good firewall deserves to have their details stolen it's not as if virus and hacking hasn't been all over the media for the last few years
especially since the iloveyou virus hit the front page of newspapers and headline news on the tv

Some results from some surveys:

A survey by AOL and the National Cyber Security Alliance found 80% of home PCs had some form of infection, yet 75% believed that their PC was very secure or moderately secure. (http://www.theregister.co.uk/2004/10/26/pc_petri_dish_city/)

An unprotected WinXP PC was infected within 4 minutes of being connected to the Internet and a zombie (i.e. one of the proxies from above, also used for sending spam mail) 10 hours later. (http://www.theregister.co.uk/2004/12/01/honeypot_test/)

25% of such PCs are located in Britain, more than any other country. (http://www.theregister.co.uk/2005/03/21/botnet_charts/)

The message isn't getting through unfortunately.
6678  Poker Forums / The Rail / Re: Party Poker in The Guardian on: March 21, 2005, 10:23:47 PM
the new software that people use to brute force uses proxies and with a good list of proxies online porn sites are finding it difficult to stop the brute force attacks, poker sites have not admitted to having suffered from brute force attacks but it can't be long until they are attacked if they are not already getting done.

brute forcing is simple just run the software over night and in the morning you will have a host of username/password combinations along with proxies.
then all you need to do is watch for the target to log off to go and raid their account

I bet these proxies are just the average person's PC infected with a trojan, which would make them difficult to blacklist - all the more reason to keep your machine clean.

An idea I had to stop this was to allow players to specify an IP address (or range) that their account could be used from. E.g. you could say only allow access from a bt internet IP address - this should make it more difficult for hackers.

You could also specify a range of games that you play in and no others would be allowed without you authorising them - making it harder for an account to be cleared out if they do get access.

These things would add an extra inconvenience to players wishing to move up a level, try a new game or moving ISP but you wouldn't have to use them.

They do however rely on some form of authentication. However as this doesn't need to be broadcast over the net or used as often I'm sure something more secure could be thought up. (It would be very hard to "brute force" a password over the phone for example.)

6679  Poker Forums / The Rail / Re: Party Poker in The Guardian on: March 21, 2005, 09:35:43 PM
one poker site which I won't name when they found a player trying to guess another player's password (after the player told them he had) was more worried about them trying to use the account to cheat a promo than they were about the personal details and money in the account.

I am amazed that this is that easy (again unless the player had an easy password that was guessed with very few attempts). Basic security would stop people from logging in after 3 (or so) failed attempts (this could be fine tuned, e.g. 3 failed attempts from an IP then the IP is prevented from logging in for some amount of time). This would also help prevent the "brute force" password cracks as it could substantially increase the amount of time it took.

The system could also warn the player that someone was trying to hack their account and give them advice on how to help prevent this.
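The lockout idea from the post above, as an added example that is not part of the original thread: failures are counted per source IP and also per account, so guesses spread thinly across many proxies still trip the account counter and queue a warning for the owner. The class name, the 15-minute window and lockout length, and the sample addresses are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

MAX_FAILS = 3        # "3 (or so) failed attempts", as suggested in the post
WINDOW = 15 * 60     # assumed: seconds over which failures are counted
LOCKOUT = 15 * 60    # assumed: how long a tripped IP or account stays blocked

class LoginThrottle:
    """Hypothetical in-memory throttle; a real site would persist this state."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._fails = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}            # key -> time at which the block expires
        self.warnings = []                 # accounts whose owner should be warned

    def _blocked(self, key):
        return self._locked_until.get(key, 0) > self._now()

    def allowed(self, ip, account):
        """Check before verifying the password; blocked attempts are rejected."""
        return not (self._blocked(("ip", ip)) or self._blocked(("acct", account)))

    def record_failure(self, ip, account):
        t = self._now()
        for key in (("ip", ip), ("acct", account)):
            q = self._fails[key]
            q.append(t)
            while q and q[0] <= t - WINDOW:   # forget failures outside the window
                q.popleft()
            if len(q) >= MAX_FAILS:
                self._locked_until[key] = t + LOCKOUT
                q.clear()
                if key[0] == "acct":
                    self.warnings.append(account)

    def record_success(self, ip, account):
        # Reset only the account counter: resetting the IP counter would let a
        # guesser clear it by logging in to an account of their own.
        self._fails.pop(("acct", account), None)

def demo():
    clock = [0.0]
    th = LoginThrottle(now=lambda: clock[0])
    # Constructed attempts: three different source IPs, one wrong guess each.
    for ip in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
        th.record_failure(ip, "alice")
    spread = th.allowed("203.0.113.9", "alice")   # account counter has tripped
    other = th.allowed("198.51.100.1", "bob")     # that IP has failed only once
    clock[0] += LOCKOUT + 1
    after = th.allowed("203.0.113.9", "alice")    # lockout has expired
    return spread, other, after, th.warnings
```

Locking the account itself lets anyone keep the real owner out by guessing wrongly on purpose, which is why the lock here expires on its own and the owner is warned rather than the account being disabled.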
6680  Poker Forums / The Rail / Re: Party Poker in The Guardian on: March 21, 2005, 09:30:38 PM
I was about to make a post like Ironside's earlier when work distracted me.

I would also add to the basics that need to be in order to keep yourself as safe as possible:

1) Good, up to date Anti Virus software.
2) A Firewall of some sort.
3) Good, up to date Anti Spyware (Spyware is a group of threats that includes some trojans, these could reveal your passwords, as well as annoying pop up ads)

(I can expand on this, i.e. what's good if people need).

Most online banking fraud is carried out by obtaining access to the site from the user, by installing malicious software or sending out hoax emails that they respond to. They do this as it is a lot easier than hacking the bank itself and yields them a good profit. This is the reason that one of the most respected names in the computer security industry has said that banks are wasting millions on "two-factor authentication" (a hardware dongle you plug in that verifies you to your bank).

Quote
"Two-factor authentication was invented a couple of decades ago against the threats of the time. Now, the threats have changed - and two-factor authentication doesn't defend against them. It's a waste of money," Schneier told El Reg. His comments are controversial because they attack a technology touted as a gold standard for net security - but that doesn't necessarily mean he's wrong.

This is because the threat is not from fraudsters cracking the password to gain access to the bank but rather tricking the user into giving them the details they need to get authorised.

Assuming poker sites maintain the most basic levels of security it is more likely that people hacking the site will target the users rather than the site itself.

This happened in the only case of this that I know the details of (hippicrit on poker stars through the post The Hendon Mob Forum). His username was the same as his screen name (is that always the case on pokerstars? I have yet to create an account there) and his password was his username with a 1 on the end. Someone saw him make a score in a tourny and tried to get onto his account and succeeded - as his password was very simple.

As for who is responsible, I would think the user - the username/password identifies them and it is their responsibility to make sure no one else knows it. I have a sneaking suspicion that the only reason the banks are so helpful to the majority of users who are caught out by online fraud is that they stand to save a lot of money by moving banking online. Obviously stories about fraud would hinder their attempts to do this.

However they may very well be ignorant of the issues and what is expected of them. With online poker (and gambling) getting so big I'm surprised that no sites have any help with security or some form of big push to help users with this. Thinking about this today made me realise that there was so much sites could do to help with this. I was surprised that no one had done anything like that as I'm sure it would help them differentiate themselves from the competition as well as justify some of the rake that they charge.

Hope that makes sense, I've just got back from the gym.