New PokerStars PIN: Beta Testing Trip Report

12-11-2008 , 02:56 AM
The new PokerStars security options are now operational for Beta testers. Well, at least the menus and the PIN are working, the RSA tokens haven't shipped yet. Here's how it works, with pictures.

This is the new 'Account' menu. Right now it only looks like this for logged-in Beta testers.



Here is the window that pops up when you choose the 'Login Settings...' option from the 'Account' menu.



If you choose 'Order Security Token', the window disappears and the Cashier, then FPP store pop up. The token isn't currently available in the store, so it just pops up to the default store category, 'Bonuses'.

If you choose 'Activate RSA Security Token', you get this:


Since we don't have our tokens yet I can't get beyond there right now.

If you click on 'Request Pokerstars PIN', you get:


Then you get the following email... obviously I have since changed my PIN. You get a new PIN every time you click the request button. I've done it a few times and it's damn fast.



If you check or uncheck the 'Enable PokerStars PIN' checkbox you get the following:



If you successfully enter your password/PIN to enable/disable your PIN, you get this email:



If you have the PIN enabled, the first step of logging in looks the same. But then there's a new, second step:



The numbers are in different places each time so if someone tracks the location of your mouse clicks, they still won't know which numbers you're clicking.



If you get to this second login step and have forgotten your PIN, you can click the 'Pokerstars PIN Recovery Service' words in blue, in which case this pops up:



And you get the Pokerstars PIN email with a new PIN.


That's everything until the RSA Tokens come out. Here's the email we got from Josem when he enabled everything, so you know what kind of stuff they want feedback on. These pictures basically give you the same experience a beta tester gets, and I'm sure Josem will read this thread, so here's your chance to contribute even if you missed out on the Beta.

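The scrambled-keypad point in the post above, as an added Python sketch that is not part of the original post and not PokerStars' code: the server draws a fresh digit layout for each prompt and the client reports only which buttons were clicked. The class name, the sample PIN and both layouts are constructed for illustration; the page does not say how the real client works.

```python
import hmac
import secrets


class ScrambledPinPad:
    """Server side of one PIN prompt. Hypothetical design for illustration."""

    def __init__(self, layout=None):
        if layout is None:
            digits = list("0123456789")
            secrets.SystemRandom().shuffle(digits)  # fresh order per prompt
            layout = "".join(digits)
        self.layout = layout   # layout[i] is the digit drawn on button i
        self.used = False

    def clicks_for(self, pin):
        """Button indices a user clicks to enter `pin` on this layout."""
        return [self.layout.index(d) for d in pin]

    def verify(self, clicks, expected_pin):
        """Decode client-supplied button indices; each pad is single-use."""
        if self.used:
            return False
        self.used = True
        if not all(isinstance(c, int) and 0 <= c < 10 for c in clicks):
            return False
        entered = "".join(self.layout[c] for c in clicks)
        # A real service would compare against a stored hash, not a plaintext PIN.
        return hmac.compare_digest(entered, expected_pin)


def replay_demo():
    pin = "4071"                              # constructed sample PIN
    first = ScrambledPinPad("3810497526")     # constructed layouts
    second = ScrambledPinPad("9051628374")
    logged = first.clicks_for(pin)            # what a position-only logger sees
    return {
        "logged": logged,
        "legit": first.verify(logged, pin),
        "reuse_same_pad": first.verify(logged, pin),
        "replay_new_pad": second.verify(logged, pin),
        "fresh_clicks": second.clicks_for(pin),
    }


if __name__ == "__main__":
    print(replay_demo())
```

The same PIN produces different button indices on each layout, so a log of click positions alone neither reveals the digits nor replays against the next prompt.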
12-11-2008 , 03:00 AM
FWIW I first thought the PIN would be useless. Then when I tried it and realized the numbers are in a different order each time, I changed my mind... this is total protection from keyloggers as long as your email password is secure (and you don't type it... I realize some people do, such as those who use webmail accounts rather than pop3).

Anyone that can get at your email can still get your PIN no problem if they have your password. But as long as your email password is different from your pokerstars password, this does protect you from all kinds of phishing... plus if you use the same password for Stars as you do for something else and that password database is poorly protected or just a straight-out scam, this would save you.

I know a few people who went to 'poker forums' linked to via AIM chat with hackers... they then promptly created accounts, with the same username/password they use for stars, giving the hacker their login info. This would stop that, as well as a few other things.

I'm going to be a RSA Token user myself, but we'll have to wait a bit longer for that.
12-11-2008 , 03:29 AM
Very nice, thank you PokerStars.
12-11-2008 , 03:33 AM
I get this too but no security token in my mailbox yet.
12-11-2008 , 03:35 AM
Quote:
Originally Posted by ackbleh
FWIW I first thought the PIN would be useless. Then when I tried it and realized the numbers are in a different order each time, I changed my mind... this is total protection from keyloggers as long as your email password is secure (and you don't type it... I realize some people do, such as those who use webmail accounts rather than pop3).

Anyone that can get at your email can still get your PIN no problem if they have your password. But as long as your email password is different from your pokerstars password, this does protect you from all kinds of phishing... plus if you use the same password for Stars as you do for something else and that password database is poorly protected or just a straight-out scam, this would save you.

I know a few people who went to 'poker forums' linked to via AIM chat with hackers... they then promptly created accounts, with the same username/password they use for stars, giving the hacker their login info. This would stop that, as well as a few other things.

I'm going to be a RSA Token user myself, but we'll have to wait a bit longer for that.
If a hacker gets your password, but not your PIN, how easy is it to reset the PIN? Do you need to log in with the PIN to change it? As long as you need to know your PIN to change your PIN, your email only needs to be secure when you receive the initial email; after that, they shouldn't be able to hack your stars account even if they hack your email and request a new password. I'm hoping that stars won't resort to sending all the info to a hacked email account. I think Stars should consider their account security to be greater/better than the account security at Hotmail/Gmail/Yahoo/etc... because NOW IT IS. Maybe be able to send a new password to email, but if you cannot remember the PIN or lose your security token you should need some type of non-email validation.

Don't get me wrong, these changes are GREAT. I just want to make sure they aren't making our email provider the weakest link -- there should be some type of additional verification if someone needs their password, PIN, and security token (or 2 of the 3) reset at the same time.

Also, it's awesome that they change the order of the numbers around. I cannot believe there are banks out there that implement a similar feature but don't change the order of the numbers each time.

Last edited by Shoe; 12-11-2008 at 03:42 AM.
12-11-2008 , 08:01 AM
Quote:
Originally Posted by ackbleh
FWIW I first thought the PIN would be useless. Then when I tried it and realized the numbers are in a different order each time, I changed my mind... this is total protection from keyloggers as long as your email password is secure (and you don't type it... I realize some people do, such as those who use webmail accounts rather than pop3).
Never say total protection - a key logger could detect the pin window, screenshot it to see the key positions, and monitor mouse activity to see clicks. You could code up a proof-of-concept in autohotkey in a very short time.

I'm not saying it isn't an excellent move by stars and it looks like an excellent implementation (mimicking that of many online banking sites), but you have to be careful with saying things like "total protection".
12-11-2008 , 11:51 AM
How is the pin different from having a password? Is it simply that hackers will now have 2 codes to break instead of just one?

Edit: I just saw this:

FWIW I first thought the PIN would be useless. Then when I tried it and realized the numbers are in a different order each time

Can someone please explain what this does exactly?
12-11-2008 , 12:03 PM
Quote:
Originally Posted by 1p0kerboy
How is the pin different from having a password? Is it simply that hackers will now have 2 codes to break instead of just one?

Edit: I just saw this:

FWIW I first thought the PIN would be useless. Then when I tried it and realized the numbers are in a different order each time

Can someone please explain what this does exactly?
When entering the PIN you can choose to "click" on the buttons (numbers) instead of typing them with the keyboard. Since the numbers are not on the same spot every time, a more sophisticated "keylogger" would be required in order to get your PIN.

It's pretty clear in the OP, I think.

If you have the PIN enabled, the first step of logging in looks the same. But then there's a new, second step:



The numbers are in different places each time so if someone tracks the location of your mouse clicks, they still won't know which numbers you're clicking.
12-11-2008 , 01:03 PM
Quote:
Originally Posted by ackbleh

If you choose 'Activate RSA Security Token', you get this:


Since we don't have our tokens yet I can't get beyond there right now.
If we already have a RSA token from another source can we enter the serial number here and use it?

I have one my work provides for me for remote access.
12-11-2008 , 01:20 PM
A couple of things.
1. In this popup box there is a typo. 'considering' is what you were going for.

2. As far as lost PINs: what about text messages to cell phone? My bank will text me if someone tries to set up a new bill pay or my CC is used for an over-the-internet or phone transaction. Then someone would physically have to have your phone. Little bit different system than email but still fully automated and capable of sending thousands a day.
12-11-2008 , 01:23 PM
Quote:
Originally Posted by bigjoker66
If we already have a RSA token from another source can we enter the serial number here and use it?

I have one my work provides for me for remote access.
Def. not. There are tons of manufacturers of tokens, and pokerstars will have contracted one of those manufacturers to do a run for them. If PS (or any other institution) had a list of every RSA token in existence, and had the ability to authenticate it (i.e. knew its key) then the whole point of RSA tokens period would evaporate.
12-11-2008 , 01:29 PM
Looks like a good start but Stars should not allow one's email to be the weak point in this as it just negates the whole usefulness against key logger protection. Perhaps a call like security companies do with a safe word for people that are either supernova or/and have 5k+ in their account.

Edit: I prefer bluey's idea to mine after reading it.
12-11-2008 , 01:34 PM
Sweet, thank you so much Stars. You guys are definitely taking another step in the right direction. Good job guys.
12-11-2008 , 02:27 PM
Funny, durrrr made a thread in HSML with ideas very similar to these. I expect FTP and eventually UB to follow suit.
12-11-2008 , 03:24 PM
Good work Stars. Leading the industry yet again, and especially on an important issue like this one. Thank you.
12-11-2008 , 03:36 PM
Any idea on the FPP cost for this? I don't think these cost that much, and it will certainly be money well spent for all but the smallest accounts.

Also, thanks to Stars for finally making this a reality. I'm looking forward to it getting out of Beta.
12-11-2008 , 07:12 PM
Earlier I was working in tech support for a company that used RSA security tokens. One of the most common problems (after Outlook) was the token being out of sync and not working. They had to call tech support to get their tokens resynced. Just wondering how PS is going to handle this without phone support? Players just have to order a new token and wait a couple of weeks?
12-11-2008 , 07:54 PM
The text message thing is def a good idea. I dunno how much it'd cost Stars, but plenty of other companies do it.
12-11-2008 , 08:23 PM
great, any ideas on how much the token will cost?
12-12-2008 , 12:08 AM
Quote:
Originally Posted by Jackal69
great, any ideas on how much the token will cost?
+1; not that the price matters. These features will make me feel really comfortable with keeping xx,xxx online. PIN, password, and token = peace of mind.
12-12-2008 , 12:22 AM


why not have a clickable keyboard that works the same way for the regular password?
12-12-2008 , 02:29 AM
What do us little players have to do to get on the beta-test list?
12-12-2008 , 02:32 AM
Quote:
Originally Posted by ChrisG.
Very nice, thank you PokerStars.
agreed....this is BALLER by stars...makes me feel 100x more safe.
12-12-2008 , 02:48 AM
This:

Quote:
Originally Posted by bluey
2. as far as lost pins. what about text messages to cell phone?

New PINs should be retrievable, at least as an option, from a non-email source. Either a text message or phone call. If cost/manpower is an issue, make each reactivation by non-email subscribers cost x FPPs (with a warning when people select this option there will be a fee for reactivation via this means).

Overall, excellent work Stars!
12-12-2008 , 02:55 AM
Quote:
Originally Posted by Annorax
What do us little players have to do to get on the beta-test list?
My impression was that the list of Beta testers was made based on who participated in the forum discussion here about RSA tokens that helped spur pokerstars to initiate this change. Not based on who is a 'little' or 'big' player.