Hi

Bit of a long post, cliff notes are on the end of the post, if you see the chick, you passed 'em.
This is a thread concerning a hack case that hit me this last Sunday.
After busting my roll on the SCOOPs before my exams started in June, I thought I’d look for a freeroll and try my best to not to cut my wrists while I attempt to grind my way up to 500 dollar on Pokerstars. I’d give myself 3 months to achieve this goal. I had it all planned out, and was going to start looking for a freeroll. Untill..
I log on to pokerstars to find that my password was not valid. I immediately become suspicious. I reset the password and rush to the cashier. Here I find a balance of 165 dollar.
“This is just not possible..”
I open the history and see that 2 VISA purchases have been made, one for 168 euro and one for 300 euro. I remember from earlier that the reference numbers last 4 numbers are the last 4 numbers on the VISA card. Still not entirely convinced it’s not my card I immediately email Pokerstars, asking them what the hell happened. It’s only then when I realize that I don’t even have emails about changing a password previously, nor do I have cashier receipts in my inbox.

They freeze my account and investigate.

Later that night I get email back, saying that my account was indeed accessed by a new computer on a new IP address that had never been used before. The VISA card was a card issued in Denmark, so not mine either. They ask me to set up a new emailaccount and send in a proof of identity. I do so and we continue our correspondence on the new emailaccount.

The total amounts to 591 dollars and change. That amount was chipdumped down to 160+ dollars (who were still in my account) to a player Mininips, who was duped in this scandal too.
Monday evening I open my e-mail again and find another e-mail from DiegoS (who was most helpful through all this). This time I was not so happy.

DiegoS informed me that even though I had nothing to do with this hack, not me behind the computer, not me chipdumping, not my card, I now have to pay for the 431 dollar missing.

Since the funds have already been cashed out to the hackers, the money is no longer in the system and therefore they find themselves in a deficit, and I would be the person to settle that deficit.

I don’t think so.

Why on earth would I ever even CONSIDER paying for their security breach?
I find it hard to believe that a multimillion dollar business like Pokerstars has never thought of covering themselves for frauds like this, or at least have a reserve built in in their business system. Surely I am not the first player that ends up with his account hacked.
What worries me the most is that the guy I had on the phone, who explained to me exactly what happened over and over again told me that there is a pattern emerging in these types of hack cases.
Next to that I was very surprised to learn that there was no screening for this cashout, nor was there even a minor flag raised when an account from Belgium, that was listed with a Belgian address, and has only ever used a Belgian VISA card to deposit money.. deposits money with a Danish Visacard.

Also interesting to learn was that if the deposits are not being disputed I would actually come out a winner here, and would be able to keep the 165 dollars in my account, thanks to a Danish person who overlooked the 468 euros on his VISAbill.. probably a 500 to 1 chance of that happening, but still, this type of logic is a nice example of the ridiculousness of the way this case is being handled.

I’d like to conclude this post by pointing out that I use wireless internet distributed by my Router with a built in firewall. I only use my laptop, which is equipped with BitDefender and Ad-ware, both of those run scans on my computer more than weekly. My password is a random combination of vowels and consonants that don’t make any linguistic sense, nor have emotional value to me. Just good old plain and simple nonsense sequence. Just to make sure people dont think its my own damn fault for picking my birthday as a password or something.


Cliff notes
-------------

1. Account gets hacked and 468 dollars is deposited under fraudulent circumstances with a Danish Visacard. I am Belgian, so not mine.
2. I report it as soon as I find out, about 3 hours later
3. Pokerstars investigates and freezes account
4. Confirms the hack, lets me know the IP address and computer used are both brandnew, which indicates a high probability of me not having done it.
5. They confirm chipdumping took place and then acknowledge that there is no gain on my part.
6. Pokerstars already cashed out the funds to the fraudulent party, again with no flags raised
7. There is a pattern emerging in these hacks, I was not the only one involved, this is a recent trend.
8. Since they cannot recuperate the funds from the fraudulent party, they now want to recuperate them from me. My not being involved seems irrelevant.


Threadsavers
-----------------

Video of that stupid kid Justib Bieber getting knocked in the head by a water bottle on stage
Some of the fine things Belgium has to offer:

They know the deposit was fraud, they have an obligation to reverse it immediately.

Attempting to collect from you is absurd. boo pokerstars.

Unfortunately, although you seem legit, pokerstars still has to force you to pay this debt. Why?

Because if they don't, the following scenario could occur:

You could call your friend in another country, have him withdraw all of your money, then call pokerstars and claim you were "hacked," thus basically doubling your roll.

I doubt you actually did this, since you seem sincere, but you have to understand that PS can't just let this slide by.

+1

So your security (or lack of it) allows your account to be hacked and Stars should pay for it? have I got this right?

Yeah its much more likely a hole in your own computer's security then in pokerstars software. That is why they can hold you accountable.

Have you changed your email passwords yet? Because that's almost always the cause of hacked account threads.

Too hard to request a (free) Pokerstar PIN? at leats if s*** happens, you know where to look!(hacked email)

Thats the way she goes.

Changed my password immidiately. They suspect it originated there because i can't find any cashout receipts in my inbox, and they logs saying they were sent.

Thats a simple way of looking at it. The thing I would have done more was indeed add a PIN to my account, but sicne it originated on my emailaccount, a PINreset is easily requested, so I don't really see the added benefit in this case. The thing that really frustrates me the most is that I was told on the phone that if pokerstars hadn't cleared the cashout I wouldn't have to pay a penny. What that comes down to is that because they can't spot fraudulent transactions, I now have to pay for it. I understand that if they have to check every deposit for legitimacy that they would have a lot of work, but damn, we pay 'em for a safe playing environment! If on top of that a player cashes out a farely large amount that would be atypical for his doing, no flags were raised either. I sent the email 3 hours after the hack initiated, and appareantly it is possible tto clean out your account for a 5 figure amount (as per policy they couldn't tell me he exact amount involved) and get away with it without some sort of proof of identity or something that can be traced back in case of fraude.
If this is turning into a trend, then everyone's roll is at stake here. Irregardles of how well you protect your pokerstars account. It's the security on your emailaccount that is of the biggest importance here. Once they get in, a password reset takes 3 minutes, I assume they deliver the same lightspeed service for your PINreset, so it would take around 10-15 minutes to break in through the emailadress and max out a stolen credit card, dump it somewhere on a 10/20 table and clear out. And you are stuck with the bill. Makes me feel real safe.

I have seen a couple of these threads now.

I agree that the sites cannot be responsible for your own computer security but.....

Can someone please explain how both Pokerstars and FullTilt allow deposits with (stolen?) foreign credit cards not in the name of the poker account holder ????

PS i am a credit card noob so forgive me if the answer is obvious

Good question which I don't have the answer to, but it's apparent that there are people who think they should be able to:

About using someone's credit card to deposit

I cannot see any court in the world taking a decision where you have to pay the $431 Poker Stars want from you. You may no be able to play at poker stars again but you should not worry about this claim.

My roll is never at stake because i use a 50 character password for my email account and i change ALL passwords every two months. My notebook's security is locked down airtight, nobody has access to it. And in combination with Pokerstars excellent security, my money is ubersafe.

I feel for you OP but you seem to neglect the part where it should be easy to change PIN with access to your email. It should be impossible that someone has access to your email and hence impossible to change your PIN. And sadly enough it is the case that most people just aren't secure enough, this goes beyond online gambling and into things like online banking fraud and phishing. Most of the time it will be traced back to lack of security on the user's part.

Look i like their quick cash outs and think they're airtight security wise, so please stop saying otherwise.

Well then just don't pay OP, and don't play there again. They just don't want to assume their mistake it seems.

Its not your problem, stars can contact the people that receive and chiped the money. Sure they have no way to get it back but they can try to start the official way, but its hard to went on a courthouse.

Expecially if you offer a not legal service on many places

Usual in such a case...go to the police and show them eyyyy we have 2 criminals that use stolen credit cards on our website..there used IP-adress is
234567890 please arrest them .

That seems like a pretty good way to secure everything.
But when you use a 50character password, you have to store it somewhere, right? Now what if a hacker found that file? 50 characters or not, he has acces to your emailaccount now. I dont have my password stored in files on my pc, but a keylogger could get it fairly easy once it's it gets in your system I think.
I used to think that my double firewall had me covered, and that my spywarebot deleted the fishy files, so I was golden too. Untill this happened.

The part about the PIN I don't understand completely, since I don't use it. But it seems to me that there would be a reset option on that aswell, in case someone actually forgets about it. Then they would need their emailadress to set that straight, and so PIN number, or no PIN number, if they have your email, it's all just stalling. They will get the info they need to get in, it's sent to you. Again, I have no idea how the PIN function works on Pokerstars, since I only started using it after this incident, and it's active on my FTPaccount now. If I'm wrong here I do apoligize.

I understand that quick cashouts can be convenient for you, but they are alsovery convenient for someone who doesn't have the purest of interests at heart, like it happened in this case. I have read on these forums that security on Pokerstars is very good, and I don't claim otherwise. I am just saying that these hackers have found a way to bypass the security protocols that raise flags, and that should be adressed. For our safety and for theirs. Certainly in these types of cases, if they are largely increasing in numbers.

I have thought about this too, and it would seem like a bit of a hassle to go through for this relatively small amount of money. (Small for Pokerstars, not for me)
If my friends who study law are correct this is what should happen in order for me to be forced to pay
1. I would have to be convicted to pay this sum on the Isle of Man.
2. They would need to have a Belgian courtroom revise this verdict, and make it executable in Belgium. (I can appeal to this, dragging it out for quite a while)
3. They would have to send a bailiff to my house

looks like a costly adventure, and since the laws on online gambling in Belgium are not really favouring Pokerstars I doubt this would be worth their time persueing, but you never know.

I sincerely hope it doesn't come to this, and Pokerstars finds some way to figure out who cashed out this sum, or a way to reverse the transaction they made.
If not then I will probably have to save up $431 extra in case I ever decide to travel to Isle of Man.
I love playing on Pokerstars, I like their software, their large offer on games to be played, even in the midst of all this I am really satisfied with the way the personnel handles claims. I just don't agree to their policy on this issue.
To bad it is turning out like this.

If anyone would like to see the correspondance, just ask, I have them all saved.

I'm sorry bro, but again this isn't right. i don't store the password locally, i use a payed (its free but i use the premium) service to encrypt it: Lastpass. I memorize the main password for lastpass, i don't store passwords and don't store forms. Lastpass has good fail-safes and recovery options. U can setup all kinds of alerts of password changes or access from other machines. Like i said AIR-TIGHT.

And now for the keylogger, firefox has an easy addon that scrambles any logging attempt and i check my running processess. I always install legit software froma the same legit source either softpedia or sourceforge.

I use no-script to auto disable everything thats considered dangerous on the web.

Believe me that it will be a cold day in hell before someone hacks me

P.S: Install firefox/lastpass and norton internet security 2010 and go to firefox addons and install every recommended security addon. Keep up to date about threats.

That makes sense, since storing your password on your computer kind of defeats the purpose.
Since I use Firefox I will definately look into that!

It is much easier for PS to have you give them the money instead of going trough the hassle of finding the guy behind the CC-scam. They hope you give them the money so they don't have to pay this themselves.

I cannot see how an argument would be made in court to have you pay money when someone have used your account for a scam, they would have to prove that you have been participating or have had some intent for the scam to happen. If you get a notice from PS, just decline and ask them to take this to court in Belgium and the problem will go away.

If you don't pay you loose out on playing at PS which doesn't have to be that bad...

Keepass FTW.

I should thank you for posting because it made me order a yubikey for two side authentication which in turn will make me invulnerable to replay-attacks, main-in-the-middle attacks and many other threats.

Also i use custom email service for all my internet money, not gmail or hotmail.

This really sucks, man. I can't imagine them taking the effort to take legal action, though.

Good luck with this.

Also, you should ask Pokerstars to flip with you for 431 bucks.

Quick side note: Using someones else credit card will be fairly standard in many countries where cc are not that common and thus should be allowed and not be suspicious.

OP: You still have no idea how your account was hacked ? I have a hard time believing that you don´t know the hacker.