if you only lock ur front door and windows with the basic lock but do not bar your windows and dead bolt ur front door and also have a security system for your house, its your fault if someone breaks into ur house and steals ur things..

JFC people ITT need to go back to analogy school.

Analogies on Internet message boards are like a box of chocolates

I have a Rsa token-like thingy on Skrill for a long time, payed Skrill around €15 for it.

$95 my azz..

BS. If you want a token, buy it. Why should they give it for free? Id like to know what % of hacked accounts had at least SMS auth on, I bet it's close to 0% if not 0%. If you get hacked you have no one to blame but yourself. And I really doubt there is any kind of inside leak in PS, I have my reasons to believe so.

Highstakesdb article about this: http://www.highstakesdb.com/5615-pok...-dropping.aspx

Pokertube: http://www.pokertube.com/poker-news/...mised-recently

Pokerfuse: http://pokerfuse.com/news/poker-room...ainst-hacking/

Idk but I thought it would just go without saying b/c Stars not even salting the hashed passwords, would be the most absurd thing in the world. If Michael had gone into detail about it, it might have only caused unnecessary confusion for those who are unfamiliar with cryptography.

Come on, how many millions do Stars make off players depositing money on their site and they still want to charge the same players to secure their accounts. Now that is BS.

After reading several account hacked related threads on 2p2 and other poker forums, usually the response from PokerStars Support when a players account gets compromised is this:

But in this case OP has posted this:

^It doesn't mention anything about keylogger or a virus, not sure if OP edited it or the Pokerstars was not sure if a keylogger or a virus caused this.

But there was also one post in Pocket fives forum where it didn't mention anything about the keylogger or a virus just like in this case. http://www.pocketfives.com/f10017/ba...ml#post8021967

In short: Usually the Pokerstars support tells players that their password may have been compromised by a virus or key-logger but not in this case, so I request to all other users whose account have been hacked to post the exact message they received from Support, if they mentioned anything about key-logger/virus or not.

This is the email that they send to me.

Greetings from PokerStars.

Your account has been frozen since we have determined that it is reached from a strange place without your knowledge. We have carried out a full examination of your account and we believe that your PokerStars password may have been compromised.

Our facts to support this are as follows:

The logins to your account shows no failed attempts; those who have reached your account could your password perfectly.

Computer finger pressure technique used by our security department to determine which computer your account has been reached from. In this case, our investigation led to your account is reached from a foreign computer in Russia, where no previous logins have been implemented. It is therefore possible that your password is compromised.

In terms of your account bankroll, there were fortunately no activity for real money, in this asset.

To summarize this case, we would like to inform you that PokerStars is not responsible for the money that has been lost from your PokerStars account. PokerStars is not liable for losses that are caused by inadequate security measures to protect your personal information, which has been overlooked. This is in accordance with what is written in section 10.2 and 10.3 of our User Agreement indicates your responsibility as the owner of the account.

To reinstate your account with a new password and PokerStars PIN we kindly ask you about the following:

1. Scan your computer and remove any viruses or malwares detected.

2. Change the password to your email account.

3. Provide us with a clear copy of your cradling your ID (please make sure your equipment is clean from keyloggers before sending). Please ensure that your full name, birth date and expiration date are clearly legible.

You can send this to security@pokerstars.eu

Finally, you may want to visit the following links that offer suggestions on how you can keep your password secure and details on additional security features that PokerStars offers.

http://www.pokerstars.se/poker/room/...ecurity/token/
http://www.pokerstars.se/poker/room/...ity/passwords/

Your cooperation is greatly appreciated.

Sincerely,

Yulia

ANY malicious software (third party/trojan/whatever) sending the password stored in user.ini (see [User] PWD) and some registry keys, can easily decrypt it.

If people want I can demonstrate this and reveal their password.

The password is sent decrypted via openssl to the pokerstars servers. At the server side the password is checked against their hashed one.
That leaves a potential vulnerability where a pokerstars developer can see the password.

Pokerstars are aware of the unsafe password handling, but the public is not.
The public cannot be blamed for their ignorance.
They make 3 million a day on rake only.
Give the public some respect and compensate.

They might decide it cost them too much.
But the obvious reason they don't compensate is that it would encourage more fraud.

To solve this pokerstars should just enforce sms validation.

For those who want a more secure environment - As previously stated obviously you should order a RSA Token. But also don't forget to secure the mail account linked to your poker account.

Gmail, for example, allows you to use SMS-Verification also for every new login to your account which makes it quite secure. Activate it in the options! If you use a mail provider that doesn't offer any security, consider changing.

This logic is flawed. The fact that they can afford it doesnt mean that they have to. In most countries if you want text messages attached to your bank account for more security, you have to pay extra. If you want to protect your cc from fraudulent activity while you are abroad you have to pay extra for insurance. And ps is not even a bank, it's just a gambling site.
You cant blame ps for the fact that majority of its users is too lazy or ignorant to take simplest measures like installing AV software (should ps buy you one because they profit from our rake?), enable sms auth on ps account and mail account.
What you could blame them for is not taking enough measures to keep the password safe on their client or server side - something that players can do nothing about.

Your talking about regulars, but what about the recreational player that decides to open a account and play some fun poker, to only see his money stolen and account frozen.

Always good for business to call your customer base lazy and dumb and you accuse other of flawed logic!lol ******

And I used to complain my ass off about Isai jesus he was heaven compared to this scum. Come on everyone let's simultaneously withdraw and deposit on the next highest traffic site which is...?

I have bad news for you, you clearly belong to majority. I'm not pokerstars nor a business and I dont have customers.

Heres how i see it:


1)Pokerstars Password database breached and decrypted this explains how
hackers were able to input passwords on dormant accounts "perfect"
E-mail database breached then used for reconnaissance is also a possibility.

2)Corrupt customer service providing personal details to cyber criminals,
Like less visible accounts(dormant) or accounts with low layers of security.
Also the withdraw work around.


3)Trojan/Virus as none have been found in any of the cases to date this is less of a possibility and the hacker did not maintain access to hack other customer accounts like E-mail accounts that would suggest a rootkit infection on customers device.



4)The method of fraud is the same this points to an organised conspiracy to
defraud Pokerstars and there customers and not the customer who is at fault.

So because they have or are making a lot of money, they should pay just because of that, because they have money? Thats not how business, or the world for that matter, works.

Unfortunately it does not go without saying. Various businesses have been compromised over the years because they did not adequately encrypt password stores. Salting is certainly an obvious thing to do; given Michael made a point of confirming that the database was hashed I would have thought he would also have confirmed it was salted if it was. I'd already made the point before he posted, I think.

Even if at the time he didn't want to confuse people, it would be trivial for him now to post to confirm that the database is salted and always has been hashed and salted - if indeed that is true. I still think it unlikely, which is why it would help a lot if everyone affected could confirm the age of their accounts and when they last changed the password before the hack.

One the data is breached salting is just used to make "brute forcing" time consuming
Rainbow hashing will decrypt this incredibly fast.The method The Pokerstars rep described one way hashing this is crackable.


1)Pokerstars Password database breached and decrypted this explains how
hackers were able to input passwords on dormant accounts "perfect" E-mail database breached then used for reconnaissance is also a possibility.


2)Corrupt customer service providing personal details to cyber criminals, Like less visible accounts(dormant) or accounts with low layers of security to target Also the withdraw work around.




3)Trojan/Virus as none have been found in any of the cases to date this is less of a possibility and the hacker did not maintain access to hack other customer accounts like E-mail accounts that would suggest a rootkit infection on customers device.



4)The method of fraud is the same this points to an organized conspiracy to defraud Pokerstars and there customers and not the customers fault in fact the only thing the breached accounts besides location have in common is Pokerstars this points to a leak there end.

If by "some" you mean almost every single person that doesn't run a website or server that is accessed by the general public, then yes, you are correct.

I'm not going to bother commenting on the rest of your post because it gave me a bit of a headache to read.

As I said earlier. Having a dynamic IP address isn't the same as having a totally random IP. It is still going to be in the range assigned to your ISP and still going to pin you down to a specific country.

If someone tries to play on an ISP other than the one I have in my office (joys of being self-employed) or the one I have at home then it shouldn't let them until I can confirm it with a code sent to my mobile - or email if someone hasn't submitted their mobile number. Yes someone can hack from the same country but then I will be dealing with law enforcement in the place where I am, not the other side of the world. Device fingerprinting as mentioned above sounds even better.

Also for those saying "It's your fault if you haven't set up SMS Validation" - well why should I know they even offer this possibility.

Further idea. The PS rep mentioned they have no way to judge if passwords are weak or strong as they are stored in encrypted form. As I understand it, if two users have the same password the encrypted form would also be the same. PS should search it's database for such people and send them a message asking them to change their password as this is almost always going to be people with simple dictionary entry / proper noun style passwords or otherwise very short ones.