Ok so I talked to OP on Skype and he sent me the files that he posted here, along with some others from All In Asia (AIA). They are pretty tough at best to try to decipher, not helped by the fact that it’s a horrible backend overall.
Cliffs (only taking OP’s side/story for this):
1) he is from Lithuania and makes an account & deposits on AIA
2) he starts to play on GG network thru AIA, on 30th Aug - 1st Sept, runs $1K up to $2.7K and takes a break for a couple of days
3) he tries to log into GG network on the 4th Sept, cannot and has to reset password
4) he receives his password in an email from AIA in plain text from support! (this means that people who work in AIA have access to your password, which is what is used to log into the actual poker sites to play)
5) he sees his balance is xferred to IDN Poker, over 3 transfers, on the 2nd & 3rd Sept. He later finds out it’s from a Singapore IP
6) 99% of his balance is lost on IDN Poker over several sessions
There are several things that look odd in this, and a lot of unanswered questions.
OP is given the login details of some account from Sept 2nd, shown below. It shows a Singapore IP for 6 records and then his Lithuanian IP on the 4th Sept. It doesn’t show any details from when he registered and deposited on the AIA account. Justin, Head of Security AIA, says:
Quote:
It shows that you have registered with the following IP that you have played with:
45.77.46.149
This is the Singapore IP, which is possible that was used to register the account, but according to the OP he registered and logged in from Lithuania only.
One interesting thing is that you register directly with AIA, and then are set up with multiple accounts on the poker sites (one for each). You use the same password for each poker room, that matches your AIA one. As Justin said, it is apparently the same IP used to register as was playing on the 2nd/3rd, so I wonder if this was bad investigating where they did not go back to 30th August, or if he has just stated that the IP address came from their offices – I’m guessing it’s the former.
Here you can see the logins on OP’s account (J17242…). There is about 8 hours between the initial attempt and the next one. I am unsure what timezones there are in the screenshots, and there is no “logout” date/timestamp (which seems to be a fail), but maybe the account was initially accessed at 00:35am from Singapore and the first transfer done then. However, the first xfer to IDN occurred at xx:26 (26 minutes past the hour), but the Online Log above shows the first Date/timestamp to be at xx:35. It is the same for the second transfer, where that occurs at xx:41 but the Online Log shows a xx:46 stamp. I am unsure how this works, or what the above log is of exactly. If it’s the log of just the logins to IDN and not GG or AIA, then it is pretty terrible investigating to state that “It shows that you have registered with the following [Singapore] IP that you have played with”. If your AIA password/account was compromised and you didn’t play on one of the sites previously and this was the first login/creation, then clearly they would have the same IPs. Did the OP try to log into the IDN account on the 4th Sept though? A full breakdown of IPs & Datestamps is needed for all AIA + GG + IDN access.
If OP did use the Singapore IP to sign up & deposit to AIA and play on GG, as well as IDN, then it’s a completely different story.
OP is provided with another screenshot, with an IP report, rather than a UserId report:
Along with OP’s UserID, there are also 3 other UserIds listed on this screenshot. 2 with 1 attempt and the other with 3 attempts. Were these accounts hacked also? Is the first attempt on each the initial “check if we have correct password”? If not, do they move on until they get to an account they can access (e.g. what looks like E1794…)? I do not know if these records show all login attempts, or just successful login attempts. Hopefully they have a report which will show if it’s a fail (and the reason) or a success. Are any of these accounts owned by the person who compromised OP? Were they looked into at all? Are any of them registered through AIA?
OP has not yet been provided any hand histories from his account’s play on IDN, which is pretty concerning as presumably any funds (if dumped) are long gone now. OP’s account seems to play several sessions on IDN, was it all HU? Was the winner of all/majority of the funds the same account in each session? Was the account that won funds involved? Do IDN have any alerts for suspicious hands? Are withdrawals reviewed before processed? If it is just one player who won the majority of the funds, was their account set up through AIA?
OP has asked Justin and also the AIA rep on Skype to provide him with the full login details of his account on AIA (IPs and Datestamps) and also the HH that were played on IDN. He should also probably ask for a full explanation of what the logs mean, and get IP & Datestamp logs for all activity from AIA + GG + IDN.
As OP stated in post #5, AIA thinks that they have sent him the HH from IDN, however these are just a financial transaction report (presumably some from Texas Holdem – TXH tables). No actual hand details are shown, no winners (if not OP) are listed. It’s concerning that a security team member would consider these hand histories.
It’s very concerning that AIA employees have easy access to the passwords of their customers. People are lazy with their security, and many use the same password for everything, meaning that AIA employees could access more than just the poker accounts of their users.
OP mentions that he signed up to AIA through PVip, but hopefully they would not have access to his AIA login credentials, unless he shared them with PVip.
Again, all of the above is what OP told me on Skype and what he posted here, so I only have one side of the story.
AIA and IDN can reach out to me if they want, I can help with such investigations, general ops, and also beefing up their detection methods. My Skype is the same as my username here.
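As an added illustration of the log cross-check the post keeps asking for (this is not code or data from AIA, GG, IDN or OP), the script below runs over constructed login and transfer records (RFC 5737 documentation addresses, made-up user IDs and dates) and flags transfers from an IP the account has never logged in from, transfers timestamped before the first login from their IP (the xx:26 vs xx:35 mismatch), transfers from an IP first seen on the account within the last 24 hours, and IPs that touched several user IDs.

```python
from datetime import datetime, timedelta
# Constructed sample logs (documentation IPs, made-up IDs and dates), not real data.
# Login log: (user_id, ip, utc timestamp, success)
LOGINS = [
    ("J17242", "198.51.100.7", "2019-08-30 18:02", True),   # owner's usual IP
    ("J17242", "198.51.100.7", "2019-09-01 20:11", True),
    ("J17242", "192.0.2.10", "2019-09-02 00:35", True),     # new IP appears
    ("J17242", "192.0.2.10", "2019-09-02 08:46", True),
    ("E1794", "192.0.2.10", "2019-09-02 08:50", True),      # same IP, other account
    ("K3310", "192.0.2.10", "2019-09-02 08:52", False),
    ("J17242", "198.51.100.7", "2019-09-04 12:20", False),  # owner cannot log in
]
# Transfer log: (user_id, amount, utc timestamp, session ip)
TRANSFERS = [
    ("J17242", 1200.0, "2019-09-02 00:26", "192.0.2.10"),
    ("J17242", 900.0, "2019-09-02 08:41", "192.0.2.10"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def first_seen(logins):
    """(user, ip) -> earliest successful login timestamp from that IP."""
    seen = {}
    for user, ip, ts, ok in logins:
        if ok and (t := parse(ts)) < seen.get((user, ip), datetime.max):
            seen[(user, ip)] = t
    return seen

def flag_transfers(logins, transfers, window=timedelta(hours=24)):
    """Flag transfers whose session IP is new, or not on record, for the account.
    A transfer stamped before the first login from its IP means the two logs
    disagree (different clocks, or a missing log), which itself needs explaining."""
    seen = first_seen(logins)
    flags = []
    for user, amount, ts, ip in transfers:
        t = parse(ts)
        first = seen.get((user, ip))
        if first is None:
            flags.append((user, ts, ip, "no successful login from this IP on record"))
        elif first > t:
            flags.append((user, ts, ip, "transfer precedes first login from this IP"))
        elif first > t - window:
            flags.append((user, ts, ip, "IP first seen on account within 24h of transfer"))
    return flags

def shared_ips(logins, min_accounts=2):
    """IPs that attempted logins against several user IDs (password testing)."""
    by_ip = {}
    for user, ip, _ts, _ok in logins:
        by_ip.setdefault(ip, set()).add(user)
    return {ip: sorted(u) for ip, u in by_ip.items() if len(u) >= min_accounts}
```

Feeding it the real AIA + GG + IDN exports would need all three sources converted to one timezone first, otherwise the "transfer precedes login" check only measures clock skew.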