Party Poker in The Guardian

[redsimon]

Vaguely interesting article

http://www.guardian.co.uk/business/story/0,3604,1441390,00.html

[le plonquer]

I wonder how their share prices will do when the word gets out about all the money that is being stolen from players accounts by password hackers and how incredibly incompetent their support is in dealing with these issues.This is not rumour but personal experience.
                                                          Badly Burned

[Ironside]

I wonder how their share prices will do when the word gets out about all the money that is being stolen from players accounts by password hackers and how incredibly incompetent their support is in dealing with these issues.This is not rumour but personal experience.
                             Badly Burned

i have been warning about this for ages but people think i am off my head

protect yourself by using long passwords than use numbers and letters in a random order (no real words)
use different password for each poker site
remove your credit card details from the account once you have made your deposit/withdrawl
change your passwords once a week
never keep more than a couple of hundred $$$s in your account at any one time

poker is along way behind banking when it comes to security and as joe beavers said to me today just look at that japanese bank last week that was hacked.

just to get into my online bank i need an account number a password and to know the answer to one of 12 questions they rotate in a random order and if i get it wrong twice in a row they freeze my online accoount
is there any reason that pokersites cant do this to help us feel safer?
YES the cost of the extra support staff for all the blocked accounts
YES the cost to there buissness of contacting all the people currently playing (some with out of date emails or emails sent to spam filters) to get them to use a new system

untill poker players start making a fuss about the secuirity of their accounts then poker sites wont listen
untill more peoples accounts are hacked poker players dont care as long as its not them


so untill pokersites up the ante and protect from the hackers stay safe

[tikay]

Great post Ironside, thank you. Clearly, you are not just a pretty face.....

I think your splendid post may well have ended with the words, "YOU HAVE BEEN WARNED"!

However, I havea question for you.

Two - no three - parties are involved in this.

The Card Room. The player. And the hacker.

The Card Room says "Hey, you can deposit money with us. We guarantee we wont mess with it. Choose your own password. Guard it carefully. Use a good password. We guarantee never to divulge that password to a soul."

The Player agrees. "OK, here's x00 pounds. I have chosen a really neat password that I don't think anyone can guess".

The Hacker comes along, works his magic, cracks the Password, & empties the Players account.

Assuming the Cardroom has not divulged the password to anyone - and for goodness sake, why should they? - who is responsible for the players loss?

Now, I think I know the answer to this question - but I'd be interested in your take on it. Or anyone else's, for that matter.

[Ironside]

Great post Ironside, thank you. Clearly, you are not just a pretty face.....

I think your splendid post may well have ended with the words, "YOU HAVE BEEN WARNED"!

However, I havea question for you.

Two - no three - parties are involved in this.

The Card Room. The player. And the hacker.

The Card Room says "Hey, you can deposit money with us. We guarantee we wont mess with it. Choose your own password. Guard it carefully. Use a good password. We guarantee never to divulge that password to a soul."

The Player agrees. "OK, here's x00 pounds. I have chosen a really neat password that I don't think anyone can guess".

The Hacker comes along, works his magic, cracks the Password, & empties the Players account.

Assuming the Cardroom has not divulged the password to anyone - and for goodness sake, why should they? - who is responsible for the players loss?

Now, I think I know the answer to this question - but I'd be interested in your take on it. Or anyone else's, for that matter.

1st the hacker doesnt need to guess the password they get a PC program to do it for them its easy they already have half the info they need the username. If you dont beleive how easy it is i can supply you with a simple program a monkey could use to get the info, i can also supply you with the urls of password forums where passwords gained by this software are swapped among people not wanting to pay for porn.
the adult industry is problery the only industry bigger than gambling online at the moment they recognised the problem and have already started trying to stop it (with a huge lack of success)
as soon as these kids that hack the porn grow up a little and relaise they can use their skills for getting money simply by
gaining access to a poker account dumping chips into another account then cashing out before the site finds out then we will be in real trouble


the fault lies in 2 places for accounts hacked and money stolen

1) the user for having too much money in the account (remember i said limited teh amount in your account that way if any goes missing it's not serious)
2) the site for spending 2 much money on gimmics and not enough on secuirty, the security on MOST (not all) online poker sites is so far out of date that even free email services like yahoo are light years ahead. yes yahoo had a problem with hackers hacking into and taking over accounts but they got off there backsides and did something about it.


one poker site which i wont name when they found a player trying to guess another players password (after the player told them he had) was more worried about them trying to use the account to cheat a promo than they were about the personal details and money in the account.


time to wake up and smell the roses guys we live in an age where crime is a billion dollar buisness and online pokersites are an easy target

[Bongo]

I was about to make a post like Ironside's earlier when work distracted me.

I would also add to the basics that need to be in order to keep yourself as safe as possible:

1) Good, up to date Anti Virus software.
2) A Firewall of some sort.
3) Good, up to date Anti Spyware (Spyware is a group of threats that includes some trojans, these could reveal your passwords, as well as annoying pop up ads)

(I can expand on this, i.e. what's good if people need).

Most online banking fraud is carried by obtaining access to the site from the user, by installing malicious software or sending out hoax emails that they respond to. They do this as it is a lot easier than hacking the bank itself and yields them a good profit. This is the reason that one of the most respected name's in the computer security industry has said that banks are wasting millions on "two-factor authentication" (a hardware dongle you plug in that verifies you to your bank).

"Two-factor authentication was invented a couple of decades ago against the threats of the time. Now, the threats have changed - and two-factor authentication doesn't defend against them. It's a waste of money," Schneier told El Reg. His comments are controversial because they attack a technology touted as a gold standard for net security - but that doesn't necessarily mean he's wrong.

This is because the threat is not from fraudsters cracking the password to gain access to the bank but rather tricking the user into giving them the details they need to get authorised.

Assuming poker sites maintain the most basic levels of security it is more likely that people hacking the site will target the users rather than the site itself.

This happened in the only case of this that i know the details of (hippicrit on poker stars through the post The Hendon Mob Forum). His username was the same as his screen name (is that always the case on pokerstars? i have yet to create an account there) and his password was his username with a 1 on the end. Someone saw him make a score in a tourny and tried to get onto his account and succeeded - as his password was very simple.

As for who is responsible, I would think the user - the username/password identifies them and it is their responisbility to make sure no one else knows it. I have a sneaking suspiscion that the only reason the banks are so helpful to the majority of users who are caught out by online fraud as they stand to save a lot of money by moving banking online. Obviously stories about fraud would hinder their attempts to do this.

However they may very well be ignorant of the issues and what is expected of them. With online poker (and gambling) getting so big i'm suprised that no sites have any help with security or some form of big push to help users with this. Thinking about this today made me realise that there was so much sites could do to help with this. I was suprised that no one had done anything like that as i'm sure it would help them differentiate themselves from the competition aswell as justify some of the rake that they charge.

Hope that makes sense i've just got back from the gym.

[Bongo]

one poker site which i wont name when they found a player trying to guess another players password (after the player told them he had) was more worried about them trying to use the account to cheat a promo than they were about the personal details and money in the account.

I am amazed that this is that easy (again unless the player had an easy password that was guessed with very few attempts). Basic security would stop people from logging in after 3 (or so) failed attempts (this could be fine tuned, e.g. 3 failed attempts from an IP then the IP is prevented from logging in for some amount of time). This would also help prevent the "brute force" password cracks as it could substantially increase the amount of time it took.

The system could also warn the player that someone was trying to hack their account and give them advice on how to help prevent this.

[Ironside]

one poker site which i wont name when they found a player trying to guess another players password (after the player told them he had) was more worried about them trying to use the account to cheat a promo than they were about the personal details and money in the account.

I am amazed that this is that easy (again unless the player had an easy password that was guessed with very few attempts). Basic security would stop people from logging in after 3 (or so) failed attempts (this could be fine tuned, e.g. 3 failed attempts from an IP then the IP is prevented from logging in for some amount of time). This would also help prevent the "brute force" password cracks as it could substantially increase the amount of time it took.

The system could also warn the player that someone was trying to hack their account and give them advice on how to help prevent this.

the new software that people uses to brute force uses proxies and witha  good list of proxies online porn sites are finding it difficult to stop the brute force attacks, poker sites have not admitted to having suffered from brute force attacks but it cant be long untill they are attacked if they are not already getting done.

brute forcing is simple just run the software over night and in the morning you will have a host of username/password combinations along with proxies.
then all you need to do is watch for the target to logg off to go and raid their account

[Ironside]

ps anyone stupid enough to be online without a good UPTODATE antivirus/spyware and a good firewall deserves to have their details stolen its not as if virus and hacking hasnt been all over the meida for the last few years
espically since the iloveyou virus hit the front page of newspapers and healine news on the tv

[Bongo]

the new software that people uses to brute force uses proxies and witha  good list of proxies online porn sites are finding it difficult to stop the brute force attacks, poker sites have not admitted to having suffered from brute force attacks but it cant be long untill they are attacked if they are not already getting done.

brute forcing is simple just run the software over night and in the morning you will have a host of username/password combinations along with proxies.
then all you need to do is watch for the target to logg off to go and raid their account

I bet this proxies are just the average persons PC infected with a trojan, which would make them difficult to blacklist - all the more reason to keep your machine clean.

An idea i had to stop this was to allow players to specify an IP address (or range) that their account could be used from. E.G. you could say only allow access from a bt internet IP address - this should make it more difficult for hackers.

You could also specify a range of games that you play in and no others would be allowed without you authorising them - making it harder for an account to be cleared out if they do get access.

These things would add an extra inconvienience to players wishing to move up a level, try a new game or moving ISP but you wouldn't have to use them.

They do however rely on some form of authentication. However as this doesn't need to be broadcast over the net or used as often i'm sure something more secure could be thought up. (It would be very hard to "brute force" a password over the phone for example.).

[Bongo]

ps anyone stupid enough to be online without a good UPTODATE antivirus/spyware and a good firewall deserves to have their details stolen its not as if virus and hacking hasnt been all over the meida for the last few years
espically since the iloveyou virus hit the front page of newspapers and healine news on the tv

Some results from some surveys:

A survey by AOL and the National Cyber Security Alliance found 80% of home PCs had some form of infection, yet 75% believed that their PC was very secure or moderately secure. (http://www.theregister.co.uk/2004/10/26/pc_petri_dish_city/)

An unprotected WinXP PC was infected within 4 minutes of being connected to the Internet and a zombie (i.e. one of the proxies from above, also used for sending spam mail) 10 hours later. (http://www.theregister.co.uk/2004/12/01/honeypot_test/)

25% of such PCs are located in Britain, more than any other country. (http://www.theregister.co.uk/2005/03/21/botnet_charts/)

The message isn't getting through unfortunately.

[Ironside]

the new software that people uses to brute force uses proxies and witha good list of proxies online porn sites are finding it difficult to stop the brute force attacks, poker sites have not admitted to having suffered from brute force attacks but it cant be long untill they are attacked if they are not already getting done.

brute forcing is simple just run the software over night and in the morning you will have a host of username/password combinations along with proxies.
then all you need to do is watch for the target to logg off to go and raid their account

I bet this proxies are just the average persons PC infected with a trojan, which would make them difficult to blacklist - all the more reason to keep your machine clean.

An idea i had to stop this was to allow players to specify an IP address (or range) that their account could be used from. E.G. you could say only allow access from a bt internet IP address - this should make it more difficult for hackers.

You could also specify a range of games that you play in and no others would be allowed without you authorising them - making it harder for an account to be cleared out if they do get access.

These things would add an extra inconvienience to players wishing to move up a level, try a new game or moving ISP but you wouldn't have to use them.

They do however rely on some form of authentication. However as this doesn't need to be broadcast over the net or used as often i'm sure something more secure could be thought up. (It would be very hard to "brute force" a password over the phone for example.).

a simple graphically image with a few letters on that you need to type in every time you logg in would solve the problem of brute force attacks, its already been used by yahoo, problem is people are used to just opeing the software with the username and passowrd already stored so all they need to do is play they dont want to have to type in a few letters each time.

another way to solve it would be to get the software to link to the PC by serial of the proccessor but this would stop players playing on friends machines and on the move from internet cafes etc etc.

[ifm]

My online bank (lloydstsb) asked for a 9 digit alphanumeric code? in addition to a username and password. After logging in it will ask you for any 3 letters (random) from this code in order to proceed. This is a very simple and effective method and i would thing very cheap to implement. These are in the form of dropdown lists and so couldn't be bruteforced. Also this info is not likely to be stored on a users 'puter and so trojans and keyloggers (the most common way of doing this) can access the info.
Ian

[Bongo]

My online bank (lloydstsb) asked for a 9 digit alphanumeric code? in addition to a username and password. After logging in it will ask you for any 3 letters (random) from this code in order to proceed. This is a very simple and effective method and i would thing very cheap to implement. These are in the form of dropdown lists and so couldn't be bruteforced. Also this info is not likely to be stored on a users 'puter and so trojans and keyloggers (the most common way of doing this) can access the info.
Ian

The trojans take screengrabs of the screens. Doesn't take them long to figure out the codes.

[ifm]

You misunderstand, 3 random letters from a 9 digit code.
you could literally log in hundreds of times without ever revealing the full code.
Ian