Thanks to a security fail in PokerStars, someone stole me K

09-06-2011 , 07:25 PM
Why don't all sites have RSA tokens? Is security only for players with high bankrolls?
09-06-2011 , 07:26 PM
Quote:
Originally Posted by lillou
This would probably get more attention in the internet poker forum.
Quote:
Originally Posted by RNauta
The wrong kind. IP is hardly moderated and is infested and where it's free game for insecure nerds to insult and mock anyone posting with a problem, as compensation for their own failure.
Whooooops.
09-06-2011 , 07:33 PM
OP, are you using wireless connection?
How sure are you that it is secure?
09-06-2011 , 07:43 PM
Quote:
Originally Posted by kaptec
Why don't all sites have RSA tokens? Is security only for players with high bankrolls?
Probably the cost is too high for a lot of the smaller cardrooms, but yes it should be offered by almost all.
09-06-2011 , 08:16 PM
Quote:
Originally Posted by SatanBunny
Your mail account got hacked, someone stole your money, you made a new mail account on a clean computer and it got hacked and someone stole your money again?

Really? That's some bad beat.
Right, that's what I was thinking. If this is how it happened, OP has some serious security issues he needs to address.
09-06-2011 , 09:02 PM
Quote:
Originally Posted by Bobo Fett
Right, that's what I was thinking. If this is how it happened, OP has some serious security issues he needs to address.
Maybe he had a virus on his computer and never deleted it, so when he opened up the new email account the hacker could still access his information via keylogger or trojan.

Sorry to hear this, OP. I just went through the same thing and it really sucks that people can do this and get away with it.
09-06-2011 , 09:26 PM
Quote:
Originally Posted by Bobo Fett
Right, that's what I was thinking. If this is how it happened, OP has some serious security issues he needs to address.
OP said that money was also taken from his bank account which means that more than his e-mail account was compromised. I'm thinking that a keylogger was used.


"I opened the new account, and then I’ve already improved even more the security of my system, antivirus, antispyware, firewalls, etc. In fact I formatted the PC."

Maybe he actually opened the second mail account before formatting the PC or maybe stars support accidentally sent the new password to the old account. Neither would make much sense but then how did the hacker get the e-mail password after a clean install?

Maybe someone had access to his wireless network and stole the e-mail account details when they were sent to the site during a login, who knows what kind of security that site uses.

I wonder if he changed all his passwords after his laptop was stolen. Obviously he should have replaced the stolen RSA token immediately but stars should make it mandatory for accounts that have more than a couple of thousand dollars in them. The pin code is a joke, currently your PokerStars account is only as secure as your e-mail account unless you get the token.

This isn't the first time something like this has happened and it won't be the last and stars just doesn't care. They would much rather say "tough luck" to the victims than take a few simple steps to actually prevent this from happening.

It's like letting your kids (loyal, paying customers in stars' case) play around with a hot stove, you know that they are eventually going to get burned so you could give them a warning (advertise RSA tokens when the user logs in) but you should really keep them away from the stove altogether (mandatory RSA tokens) rather than wait for your kids to ask you if the hot stove might be dangerous (expecting the people to seek out the information about security on their own).

Sure, the players are adults but my comparison is about years of experience with these things. Stars knows that accounts have been hacked before and they know that this will happen again and they obviously do not care because they are not legally liable. Sure a thinking person should do anything that he can to make sure that his money is secure, if he really values it, but stars could also do better.

Last edited by SatanBunny; 09-06-2011 at 09:32 PM.
09-07-2011 , 02:22 PM
I’m gonna try to answer all of you, I’ll use the number of the message:

#11. Why should I be grateful that they gave me back the $5k from Neteller? You can’t change the Account ID of Neteller, never. They only change your Secure ID. You can check that in the Neteller T&C. I couldn’t do it in my situation, not even after being hacked and suffering a theft. So, if someone enters my Stars acc, changes a number that *can’t* be modified, gets $5k from my acc… it’s not a flaw of the security department? Even they admitted they made a mistake. That’s why they gave me back the $5k. It’s not charity. In fact, the same instant someone tried to change that number, they should have blocked the acc and contacted me.

#17 Trying to scam Stars? Are you serious? I’m only trying to get what’s mine. No one sends all the info needed to enter an acc (with money) in the same mail. In my case it was Password + PIN. There’s a reason why the banks never send the cards and the passwords together.

#19 You really think I’m the only one to blame here? They have already admitted that they made a mistake in the Neteller affair, that’s why they gave me the $5k. Also, yesterday I got an e-mail where they say they are going to review my case again. Sixth time they are reviewing it. They don’t seem to be very sure about all this and how this could have happened.

#20 They already admitted their mistake, that’s why they gave me back the Neteller money.

#23 The hacker changed my Neteller number, and knowing that you can’t change the Account ID, in the 2 days they needed to process the payment, they should have seen something strange. Especially when it’s made from a country with a different IP than usual.

#24 I’m not a regular of Stars and that’s why I didn’t ask for it before, now I was coming back (and one of the reasons I had so much money in the acc was because I was going to play the EPT Barcelona, after cashing two times in the EsPT). I’ve already asked for the key, but unfortunately they need more than two days.
#28 I don’t use Wi-Fi.
#31 After the first time they entered my bank account and Neteller acc, and they played with the money in another room, I formatted the PC to clean it of everything. The problem with the Stars acc was after this. The thing is that Stars left all the info needed to enter my acc in an e-mail acc when they already knew that I’ve been hacked just one week ago, and there are always chances that they keep trying. Another thing: they sent me that information without telling me in advance that they were going to do it.
#32 After my case, the security department has told me that they are going to study the protocols of account activations for the users. In fact, to get my acc activated again, this time it was done by phone, when the usual process is different. If they were 100% sure that there’s nothing wrong with sending the PIN and the password together, they would not be reviewing my case again and studying if they need to change their protocols.

After this extra wall of text, I want to speak a bit about my background. I’m not some random dude trying to get easy money. I’ve been playing for years, and I was going really well in the leaderboard of the EsPT (Spanish circuit of PokerStars). I was going to play the ME at the EPT Barcelona. Of course I know that compared with other people in this forum, I’m just a tiny fish, but I’m not a guy that started playing last Monday either. You can search me on www.thehendonmob.com as Eduardo de las Rivas.
09-07-2011 , 05:37 PM
Thank you for the thorough response.

Any thoughts on how they might have hacked your two different e-mail accounts? Do you only check your mail at home? Do you live alone?
09-07-2011 , 07:02 PM
move to the US and the gubbermint will protect you from playing poker online. :'(
09-07-2011 , 07:06 PM
Quote:
Originally Posted by David123
think ur screwed, way too exploitable for ppl if they decide to give u the money.

also im not ruling out you're trying to scam pokerstars yourself(maybe im overly cynical these days)
LOL very valuable post


you are a joke really
09-07-2011 , 07:15 PM
sorry to hear this, hope you recover soon. gl
09-07-2011 , 07:28 PM
You skipped my post, and your answers to similar posts didn't clear this up for me. Maybe I'm missing something, IDK.

Quote:
Originally Posted by Bobo Fett
OK, I'm a little confused about something. They hack your email account the first time and get access to all sorts of info. You're able to get your Stars account locked down before they get anything from there. You format your computer, change your email address, and then go through an ID check to reopen your account. After all of that, the hackers get your money - how the hell did that happen? You say they changed the password and deleted the emails about it - from which email account? Your original one that was hacked, or your new one?
I'm not trying to give you a hard time, I'm just trying to sort this out - if it happened like I recounted above, you may still be at risk.

You said "The thing is that Stars left all the info needed to enter my acc in an e-mail acc when they already knew that I’ve been hacked just one week ago, and there are always chances that they keep trying." - how do they leave anything in an email account? If it's your email account, then you're the only one who can delete things. But I'm assuming this is just a language issue. The important question is, what email address was this? Did they send info to your old email address?
09-07-2011 , 07:50 PM
I can't imagine how someone could possibly hack his e-mail account when he's using a private internet connection that nobody else can access from a secure computer that nobody else uses.

It's unlikely that the e-mail site itself was hacked, even if it is a small site. And if it was, they would still have to know his new username. It doesn't make sense, how do you get hacked twice in a row?
09-07-2011 , 10:09 PM
Was it your alter ego that stole it OP?
09-08-2011 , 03:26 AM
Quote:
Originally Posted by Bobo Fett
Did they send info to your old email address?
This is what I am thinking.
09-08-2011 , 04:18 AM
Quote:
I opened the new account, and then I’ve already improved even more the security of my system, antivirus, antispyware, firewalls, etc. In fact I formatted the PC.
Maybe you forget a new RSA for your stars account!
09-08-2011 , 05:24 AM
Quote:
Originally Posted by simo1984
Maybe you forget a new RSA for your stars account!
I know it was a long post but... maybe you forgot to read OP's response?



Quote:
Originally Posted by JH1
If your rsa was stolen and blocked months ago why wouldn't you order a new one? ...
Quote:
Originally Posted by corbein
#24 I’m not a regular of Stars and that’s why I didn’t ask for it before, now I was coming back (and one of the reasons I had so much money in the acc was because I was going to play the EPT Barcelona, after cashing two times in the EsPT). I’ve already asked for the key, but unfortunately they need more than two days.


People who only read the first post or even worse, just a few sentences from it, ignoring OPs explanations so that they could give their uninformed know-it-all response, can be quite annoying. Read first, then post. Stop repeating things that have already been discussed and explained.
09-08-2011 , 07:48 AM
Quote:
Originally Posted by Bobo Fett
Did they send info to your old email address?
This is a key question to this case!

a) If stars sent the new account info (PWD + PIN) to an old eMail-address that they knew was hacked, then I'd say: "OMG, stars security has a lot of homework to do."

b) If stars sent the new account info (PWD + PIN) to the newly created Mail-Account, then I'd say,
- "OP, you still have huge security holes in your IT environment (eMail and other INet-Accounts, WLAN, LAN, PC, Laptop, ISP, .....???). If someone can hack your newly created account right away. And I strongly recommend to consult an IT security expert to sort this out."
- "Stars, pls rethink your strategy sending both, PWD and PIN, via the same contact channel."

In any of the above cases both parties (stars and OP) made mistakes. I really can't get how some ppl here solely blame OP!

I hope you find and close your IT security leaks soon, OP.

GL

Last edited by Lythande71; 09-08-2011 at 07:54 AM. Reason: trying to make more sense
09-08-2011 , 12:36 PM
Sorry, OP, that sucks.

Obv it's fine to offer opinions on what happened to this player and whether or not it was entirely his fault or not, but the people who are just posting to make jokes are pretty scummy, imo. If you've got to laugh at someone who had money stolen from him, can't you just do it offline? Damn. Look at Noah's post, for example. He straight out said it was the OP's fault, yet still offered sympathy.
09-08-2011 , 02:00 PM
#38+#44
With this I hope I can answer Bobo Fett and Lythande71. I’m sorry I forgot about your message, Bobo.
Stars sent me the password + PIN to the new e-mail account, one they asked me to open only to be able to talk, because they don’t have a customer support phone number. They never told me that they were going to change my password and PIN. And they never told me that they were going to send it to me without any notice to the new email.
You can activate an account in many other, much safer ways. For example, the last time they did it: they called me to give me a temporary password and to be sure that I got the new PIN in the mail. This way you don’t get everything together. In PartyPoker they called me and also in Poker770, besides they blocked any access to my acc from any non-Spanish IP.
In my opinion, the problem came from putting together the password and the PIN. That’s the reason they accessed my acc the second time, not having the second e-mail hacked. That mail acc was only going to be used to talk; at least that was the idea.
Now I have an acc in Gmail, with the two-step identification process. Everything is much safer now. We could have used that acc before, but I’d already changed the passwords and the PIN before closing my acc, so I didn’t know they were going to create some new ones.

#39 I don’t know, sorry
#42 I ordered it, but it takes a few weeks to arrive.
09-08-2011 , 03:03 PM
Quote:
Originally Posted by corbein
In my opinion, the problem came from putting together the password and the PIN. That’s the reason they accessed my acc the second time, not having the second e-mail hacked.
Um, what?

I don't understand this part. It seems like you're saying that the hackers got into your PokerStars account because stars sent you the password and the pin together. You also seem to be saying that you don't think that your second e-mail account was hacked.

That doesn't make any sense.


I understand that you blame PokerStars for sending both the pin and password to your e-mail account but that's their standard procedure. As I understand you sent them a mail, asking for them to open your account, they requested your documents to verify that the mail account belongs to you, once it was verified, they sent you the details you requested.

Now you may want them to give some of the details over the phone and it would be more secure that way and some other sites might do it that way but as far as I know stars rarely calls people about anything. They called you once, that doesn't mean that they're obligated to call you, legally they don't have to. If you verify your e-mail account by sending your copies of your ID then, as far as they know, your e-mail account is secure for all communication. Do not send the documents if your e-mail account is not secure. Securing the mail account shouldn't be that difficult.

Did stars ever actually promise you that they wouldn't send any login details to your account? Just because you assumed they wouldn't doesn't mean that stars is liable.

Last edited by SatanBunny; 09-08-2011 at 03:32 PM.
09-09-2011 , 12:49 AM
1) create new account using new email address
2) ask PS to transfer everything from old account to new account
3) order RSA token

Solved
09-09-2011 , 03:49 AM
Quote:
Originally Posted by johnhowitt
like this one..



and this one.. there just has to be that "it's all YOUR fault" needle
you ****in nerd moderator



it's not all his fault, it's stars' fault as well. do you get off by giving people a hard time?



another nerd pointing out a problem without offering a solution.


OP I feel your frustration. not only dealing with your hacked account and money lost but also the ******s on this forum.
Exactly!

Nearly all the questions asked were answered on the first post and it comes down to whether Stars is at fault for sending pin and password by e-mail at same time to a player they knew had been hacked.

I think the OP has a case and stars support should have phoned or posted the pin and password to him.
09-09-2011 , 05:04 AM
Quote:
Originally Posted by d0gstar1
Exactly!

Nearly all the questions asked were answered on the first post and it comes down to whether Stars is at fault for sending pin and password by e-mail at same time to a player they knew had been hacked.

I think the OP has a case and stars support should have phoned or posted the pin and password to him.
They asked OP to switch to a secure e-mail account, right? They probably also told him to clean up his computer and take further security measures. Whatever the case, you do not ask them to open your account again unless you're absolutely sure that your computer and e-mail account are fully secure. By sending the copy of his ID, he was vouching for his new account.

The security was compromised on OP's end, not stars. Stars should send some of the details by phone but normally they don't and legally they do not have to even if you have been recently hacked. You can't honestly think that they will send you 9k+ just because they are doing things in a way that you don't expect them to.

"9.3. The User is obliged to keep his/her Login Credentials secret and confidential at all times and to take all efforts to protect their secrecy and confidentiality. Any unauthorized use of the Login Credentials shall be the sole responsibility of the User and be deemed as his/her use. Any liability therefrom shall be that of the User."


Um, I'm not sure but this should also apply:

"8. LIMITATION OF LIABILITY. Under no circumstances, including negligence, shall PokerStars be liable for any special, incidental, direct, indirect or consequential damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss) arising out of the use (or misuse) of the Service even if PokerStars had prior knowledge of the possibility of such damages."

Last edited by SatanBunny; 09-09-2011 at 05:11 AM.