blonde poker forum
Author Topic: Party Poker in The Guardian  (Read 14509 times)
Bongo
« Reply #15 on: March 21, 2005, 11:30:08 PM »

Quote
You misunderstand, 3 random letters from a 9 digit code.
You could literally log in hundreds of times without ever revealing the full code.
Ian

They could also do it in 3 times (if they are lucky). Getting 2 digits gives them a 10% chance of guessing as well.

I wonder what the average amount of logins would be until they had it cracked?

Admittedly these are more secure than a standard password and a damn sight better than the average poker site by the sound of things.

Do you think it's dangerous to have Busby Berkeley dreams?
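
Added example (not part of any post in this thread): one way to put a number on the question of how many logins it takes before someone who can watch every login has seen the whole code. It assumes each login asks for k distinct positions chosen uniformly at random out of n, which the thread does not confirm for any real bank; the function names are made up for the illustration.

```python
from fractions import Fraction
from math import comb

def expected_logins_until_fully_seen(n, k):
    """Average number of watched logins before all n positions have been asked.

    Assumption: every login asks for k distinct positions, chosen uniformly
    at random, and the watcher sees every character typed.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    total = comb(n, k)
    # remaining[j]: logins still needed once j positions are already known
    remaining = [Fraction(0)] * (n + 1)
    for j in range(n - 1, -1, -1):
        # p[m]: chance the next challenge contains m not-yet-seen positions
        p = [Fraction(comb(n - j, m) * comb(j, k - m), total) for m in range(k + 1)]
        gain = sum(p[m] * remaining[min(j + m, n)] for m in range(1, k + 1))
        remaining[j] = (1 + gain) / (1 - p[0])
    return remaining[0]

def chance_challenge_already_known(n, k, known):
    """Probability that a fresh challenge asks only for positions already seen."""
    return Fraction(comb(known, k), comb(n, k))

if __name__ == "__main__":
    for n in (9, 12):  # the two code lengths mentioned in the thread
        avg = expected_logins_until_fully_seen(n, 3)
        print(f"{n}-character code, 3 asked per login: "
              f"{float(avg):.1f} watched logins on average")
    for known in (3, 6, 8):
        share = chance_challenge_already_known(9, 3, known)
        print(f"9-character code, {known} positions seen: "
              f"{float(share):.1%} of challenges fully covered")
```

For 3 characters out of 9 the average comes out at just under 8 watched logins, so asking for part of the code protects against a single observation far better than against software that logs every login.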
ifm
« Reply #16 on: March 21, 2005, 11:38:21 PM »

Nothing is infallible sp? but the risks are hugely reduced with such a simple system.
Just thought about it and mine is actually 12 digits!! Though even with 9 and having 2 it still leaves what 80 odd possibles for the last? And that's without special symbols!!
As for how many logins? How long is a piece of string?
Ian

Sometimes you have to suffer a little bit in your youth to motivate yourself to succeed in later life.
Do you think if Bill Gates got laid in high school, do you think there'd be a Microsoft?
Of course not.
Ironside
« Reply #17 on: March 22, 2005, 12:11:24 AM »

If all my bank wanted from me was my online account number and 3 digits from a 12 digit pass then I would be changing banks ASAP.
All a person would need to attempt to log in would be the account number and a good piece of software that could go thru every 3 digit combination (under 500k); that could be done in under an hour.

The good thing with most banks is that with 3 failed attempts to log in online they will freeze the account till they have made sure they have contact with you and confirmed your ID.

This doesn't happen with online poker.

I am the master of my fate
I am the captain of my soul.
tikay
« Reply #18 on: March 22, 2005, 12:35:40 AM »

Wow, what HAVE we started? Fascinating stuff.

But the answer to the question I posed earlier seems to be - all things being equal - that if Mr Hacker cracks your password, it's YOUR fault, and YOUR responsibility. So we can't start blaming the Card Rooms, even though it's fashionable to knock them, or so it seems to me. We all have to take responsibility for our actions.

Is this how you guys see it?

Many thanks to Redsimon for starting this thread, and to le plonquer, Ironside, ifm, & bongo for giving this matter a good airing. I have no idea who bongo is - he only joined the blonde Forum today - but his input has been invaluable. And spare a thought for le plonquer, who appears to have suffered at the hands of the hackers. Let's hope he gets at least some of his cash back.

blondepoker is a new site, & our Forum is only a bit player in the grand scheme of things. But judged by this thread, it's going the right way. Thanks guys.

All details of the 2016 Vegas Staking Adventure can be found via this link - http://bit.ly/1pdQZDY (copyright Anthony James Kendall, 2016).
Ironside
« Reply #19 on: March 22, 2005, 01:07:20 AM »

tikay, if someone gains access to an account via cracking a password then I lay the blame squarely at the site for having such lax security.
If someone gains access to an account via guessing a password then I blame the account holder.

Until such times as I feel that poker sites are taking security seriously I will never put my debit card online and I certainly won't keep much money in any account.
Bongo
« Reply #20 on: March 22, 2005, 01:14:36 AM »

I think we need to differentiate between cracking and other forms of hackers obtaining your password (e.g. a keylogger or guessing).

In the case of cracking (i.e. brute force attack or similar) I would blame the site entirely - they should have a system in place to stop it, or at the very least detect it and stop them from gaining anything. Thousands of failed login attempts in a short time period should be very easy to spot; I for one would prefer to have my account locked down if they detected this rather than lose money to crackers.

In the other cases I would place the responsibility squarely on the user. They should have a password that can't be guessed easily (e.g. screenname1) and should keep their system clean of anything that could log their passwords. The card rooms don't exist to teach safe computing after all, although it might benefit users if they did; the same could be said for PC vendors and ISPs.

In terms of online banking most frauds are carried out by obtaining the password from the user in some way rather than cracking, as this has a far higher success rate. This should be the case with card rooms as well.
tikay
« Reply #21 on: March 22, 2005, 01:26:49 AM »

Hmm, now I'm confused.

What both Ironside & Bongo seem to be saying is this:

If your password is cracked by a "brute force attack", then it's the Card-Room's fault.

If your password is "guessed" by Mr Hacker it's the player's fault.

I need to think about this, as I am struggling to see the difference.

But let's, just for a moment, consider the problem from the card room's perspective. What's to stop me giving my password to our good friend Matey Boy? He empties my account. I then claim the money from the cardroom on the grounds that they "allowed" my password to be cracked. Where would THAT end?
Ironside
« Reply #22 on: March 22, 2005, 01:34:58 AM »

Users can do nothing to stop a brute force attack; sites can.

Users can stop their passwords being easily guessed.

Tighter security would stop Matey Boy and his mate dead in their tracks.
A word to an ISP or 2 under a fraud investigation would stop Matey Boy in his tracks.
redsimon
« Reply #23 on: March 22, 2005, 07:19:06 AM »


Quote
Many thanks to Redsimon for starting this thread,

I think my original post has gone slightly "off topic" but interesting stuff. One thing, how do you make the url I posted clickable (showing my duffer status with regard to computers!).
« Last Edit: March 22, 2005, 07:21:50 AM by redsimon »

Success has many parents but failure is an orphan

http://www.organdonation.nhs.uk
tikay
« Reply #24 on: March 22, 2005, 09:24:27 AM »

The url IS clickable Simon! I just clicked it & it took me straight to the article.

As to how it works, if that's what you meant, well that's obvious really. It's magic - how else could it work?
Bongo
« Reply #25 on: March 22, 2005, 11:19:47 AM »

I'll try to explain the differences between the two types of attack for anyone being confused.

First the types that are the player's responsibility:

Weak Password - e.g. if your sign-on name was "MateyBoy" and your password was "MateyBoy1" or something else which could easily be guessed (if you're well known, facts about yourself could be guessed, like your pet's name etc.).

Malicious Software - e.g. your computer gets "infected" with some form of software that steals your password (logs the keys you press when you enter your password, or logs the information you send to the card room to get the password). This could be part of a virus or maybe it gets installed by something posing as a poker utility.

"Phishing" (read: fishing):
Quote
In computing, phishing is the act of attempting to fraudulently acquire through deception sensitive personal information such as passwords and credit card details by masquerading in an official-looking email, IM, etc. as someone trustworthy with a real need for such information. It is a form of social engineering attack.

more on this here: http://en.wikipedia.org/wiki/Phishing

This is tricking people into sending fraudsters personal details like passwords, e.g. sending an email to MateyBoy saying I'm PokerStars support and could he verify his password for me.

The risk of all of these can be minimised by the player taking sensible precautions, the card room can do nothing to stop these attacks.

Things the card room are responsible for:

"Brute force" cracking: This is trying to find out the password by trying out every possible password until you get the correct one. Unless the hackers have access to the card room's servers this will be done by trying to log in to the room several times. This will obviously generate several failed login attempts in a short space of time (the process is automated and able to try several passwords a second). This is easy to spot and there are several things that can be done to make it harder for the crackers (e.g. Ironside's example of making people enter a few characters presented to them in an image every time they log in).

Obviously there is nothing the user can do about this attack, but lots that a cardroom can do.

Does this help?

Do you think it's dangerous to have Busby Berkeley dreams?
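
Added example (not code from any poster or any card room): the server-side check Bongo and Ironside describe, counting failed logins per account inside a time window and freezing the account until the owner's identity is confirmed. The class name, the 10-minute window and the sample events are assumptions made up for the illustration; the 3-failure limit is Ironside's bank figure.

```python
from collections import defaultdict, deque

MAX_FAILURES = 3       # Ironside's bank example: freeze after 3 failed attempts
WINDOW_SECONDS = 600   # assumed look-back window

class LoginGuard:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)  # account -> times of recent failures
        self.frozen = set()                 # accounts awaiting identity confirmation

    def record(self, ts, account, password_ok):
        """Process one login attempt; return 'ok', 'failed' or 'frozen'."""
        if account in self.frozen:
            return "frozen"                 # even the right password is refused
        recent = self.failures[account]
        while recent and ts - recent[0] > self.window:
            recent.popleft()                # forget failures outside the window
        if password_ok:
            recent.clear()
            return "ok"
        recent.append(ts)
        if len(recent) >= self.max_failures:
            self.frozen.add(account)
            return "frozen"
        return "failed"

    def unfreeze(self, account):
        """Call only after support has contacted the owner and confirmed identity."""
        self.frozen.discard(account)
        self.failures[account].clear()

# Constructed events: (seconds, account, password_ok). Account names are made up.
SAMPLE_EVENTS = [
    (0, "alice", False), (400, "alice", False), (900, "alice", True),  # slow typos
    (1000, "bob", False), (1001, "bob", False), (1002, "bob", False),  # rapid guessing
    (1003, "bob", True),                    # a correct guess after the freeze
]

def replay(events):
    """Run the events through a fresh guard; return the outcomes and the guard."""
    guard = LoginGuard()
    return [guard.record(ts, acct, ok) for ts, acct, ok in events], guard

if __name__ == "__main__":
    outcomes, _ = replay(SAMPLE_EVENTS)
    for event, outcome in zip(SAMPLE_EVENTS, outcomes):
        print(event, "->", outcome)
```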
tikay
« Reply #26 on: March 22, 2005, 12:13:12 PM »

Thanks Bongo - I think I am getting there now.

You refer to Ironside's example of an image being presented each time we log in. I have seen & used this on yahoo mail. They have a little box, with 4 or 5 digits sort of scrawled in it graffiti style. You have to type in the letters you see. How on earth does this work? Surely we ALL see the same image, be we a hacker or not?

And whilst I am very grateful to you for your patience with us in explaining all this, I'd ask you to be a little more respectful to Matey Boy. He's gonna have to change his password now you've told everyone!

I know one thing for sure though. I need to change most of my passwords - this thread has frightened the life out of me. I don't suppose I am the only one, either.
luckyblind
« Reply #27 on: March 22, 2005, 12:22:10 PM »

The image thing is to stop a computer program trying to get in to your account. These programs cannot recognise the text in an image.

D 4 Events - Deepstack & Short-Handed Poker Festivals across Europe. €500 main events with €300 & €200 Side Events.

Great Structures, Fantastic Venues, Affordable entry fees.

PM for more info.
tikay
« Reply #28 on: March 22, 2005, 12:31:19 PM »

Thanks Mike - I think I can see that now.

You are suggesting that the "brute force attacks" are computer generated, & the computer can't read squiggly writing. I feel a real thicko now!
ontilt
« Reply #29 on: March 22, 2005, 12:47:25 PM »

Excellent thread. Without wanting to be too alarmist, working in the internet industry (and having seen some dodgy practices) I think this is a subject players ought to be taking a lot more interest in.

It is certainly the site's responsibility to ensure that they have adequate procedures in place not only for account management, but also for data protection (are you happy that they are handling credit card and other personal information correctly?) and following adequate procedures for responsible handling of large quantities of other people's money (see disasters such as pokerspot! there is some good comment on this on Paul Phillips' blog). Where there are large quantities of money involved these should be akin to those of banks and other financial institutions. Players ought to be voting with their feet on this subject when they are concerned and now that I have some decent amounts of cash online I am being much more careful about. Personally I am keeping cash centralised in my Neteller account.

I think the reasons the poker industry is very behind here are several. A lot of these sites are offshore in places where there isn't the necessary regulation, they don't want to spend the money, and the customer base doesn't yet have the expectation that this should be the case. In general while there is such a boom on, sites are very poor in general about responding to customer concerns (pokerstars stands out as an exception to this). Hopefully this will all improve as the industry develops.
