Had a conversation today with an employee from another company in the industry. The call actually went a long way to assure me that not only are they concerned about security, but that they are proactive thinkers ready to protect accounts from all angles of attack.

He told me that they very rarely see accounts hacked via the route of emails being compromised, and that its more like an internet cafe type of thing. I do not doubt this at all, because often there are keyloggers that are not viruses, but they actually are put in place by the cafe, library, institute etc etc.

Edit: i know alot if not most of those hacked in these instances had their email compromised as well or an attempt but the Poker operator would not know this.

Please stop with the ad hominem attacks and derails.

Crossposting this post from raidalot because it raises some serious questions.

I actually am. In any debate, detracting from invaluable conjecture so that others mustn't waste valuable time fully considering it for themselves is almost as important as contributing fresh ideas.

I know it's the internet and most people can't handle being disagreed with, but we're doing it for the same cause (the well being and security of every player in the poker community), so there's really no reason for you guys to be so upset, lol.

How about LEE JONES show some balls and address this? Time to man up.

The issue that irks me the most is Pokerstars stance is if players used a single form of defense (rsa token) hackers wouldn't have been able to get in and do the damage they've done as Pokerstars has very little secondary protection for hacked accounts. (they allow deposits and withdraws from other cards from foreign countries and allow instant cash outs.

When it comes to Pokerstars security they have a multi tiered defense program which they proudly talk about. So why don't they offer a multi tiered defense for players accounts?

It would be very easy and cheap to secure the PS accounts if Amaya wanted to.

My stock broker is Interactive Brokers, one of the largest broker in the world. As a customer you can order a key card (size of of a normal credit card) with 200+ random three numbers/letters kombinations for free of charge. Every time you try to log in you need to type

1) Username
2) Password
3) Two random numbers (6 letters/digits total) from the keycard

The current RSA token is very expensive as a unit. I would believe the keycard solution would cost less than $0,10 per unit to manufacture.

Then you can make it possible to secure your account for $5 / 250FPP (including card + shipping for business sake) and profit massively just from this and have the accounts very secure.

All of this could be optional.

PS Josem has given us at least a partial explanation for why Pokerstars has chosen to run their business in this area and the fact is we as customers do not find it acceptable gauging from the responses itt or in the other thread.

Therefore the decision should be clear to Pstars that changes need to be made to alleviate our very real concerns. Even if Pokerstars morally feel ok that the status quo is fine and fair the perception of its users is not in line with this thinking. Therefore from a business standpoint something needs to change.
To perceive is to believe.

How about Google Authenticator?

The exact opposite is true. I am detracting solely from what I think is unwarranted and poorly thought out(also paranoid) criticism, which, in fact, confuses and complicates a situation which all of us would like to be resolved quickly, while adding almost no real value.

People are free to say anything and discuss the issues all they want, I'm merely pointing out what I think are poor arguments. I'm not forcing anyone to believe anything.

EDIT:

You realize my location is a joke about how often I get accused of being a shill for disagreeing with paranoid PS-haters, right?

If you have nothing more to contribute of value than thank you. Goodbye. This is not a philosophy thread.

This is a very good point. Regardless of exactly how bad the hacking turns out to be, PS handling of the situation has been awful, and raises many more questions than just having accounts hacked and stolen from would have, i.e. If this is how the new/publicly owned stars handles situations such as this, how would they handle a BF type situation or something of the like?

Once people start asking these types of questions, it starts to matter less how serious the security breach was, the confidence your customers have in you is going to decline regardless. Confidence in poker site operators is a problem that we've been combating for a long time and it sucks to see PS perpetrating something like this.

Looking at his admin profile it appears that he is legit.

He contacted me as well and I sent full tilt support an email and they say he is legit..

Are the hacking victims still working together (e.g. via PM or a Skype group) to see if they can establish a common link (other than they had near-dormant Pokerstars accounts) between them all?
Did they, for example, all play at the same live event, where hackers might have scanned the wi-fi network for people logging into Stars via laptops/phones? Finding the likely source of the theft is a crucial step in preventing it happening again.

It seems possible that the passwords were stolen quite a long time ago by a random hacker, but only recently fell into the hands of a group or individual who knew what to do with them. As I understand it, hacked passwords (whether for email, banking, or cloud storage) are traded in bulk among criminal groups, but they need someone with specific expertise to make a financial gain from them. It's not like every random criminal knows how to chip-dump or move money around on a poker site without getting caught.

Pokerstars,

Is there a reason that you have not yet implemented 2-step verification, at least as an option? Then if someone logged in with a new IP they would automatically be blocked from accessing the account until entering a code sent to the mobile phone provided.

Thanks

I was actually having the same thoughts as bj about other things being hacked. If someone with knowledge of online poker decided to target people's Stars accounts in particular, I can't see any reason they would hack anything else. Taking money from people's poker accounts requires a certain amount of familiarity with the processes on the site, possibly secondary accounts to use for chip dumping, etc. Once they've got a routine down pat with how to compromise and empty someone's Stars account, why would they spend time trying to take money from a completely different account (IE another poker site, bank, etc.) when they could just move on to someone else's Stars account?

Yes, it's absolutely possible that someone could target individuals and take money from them every way they can find, but I think it's equally (or perhaps much more) likely that they just go after as many Stars accounts as possible.

If anyone has had little to contribute to this thread, it's you. Enough creating new accounts and spending your time calling out people you disagree with as trolls. No need to reply to this, just stop with the nonsense.

Hi Michael,

Does Pokerstars consider it a "hack" for the purposes of your post in situations where there is a correct password entered and the breach is not caught by Pokerstars? Is it considered a "hack" when a customer reports their funds stolen but Pokerstars states that the password was not properly secured by the customer?

Thank you in advance for answering both of my above questions.

This makes a lot of sense. Especially since the person or group does not only have a way to take money from the accounts. They found a way to get illegitimate funds into the accounts, and move the funds out again. The last time I read about something like this working in a bigger fashion was on Full Tilt around 2009.

But I don't think this theory is any help in finding out how the accounts were compromised.

Okay. I'm not convinced invaluable means what you think it is, but let's continue to detract from conjecture (yours) for the benefit of humanity.

Not sure how you get to any of this (save for being deliberately obtuse). I was rebutting one of your unsustainable conjectures (namely that an attacker with full access to someone's machine and thus all their passwords would attack the Stars account only). I'm relying solely on the data supplied from those whose accounts have been compromised. Not some guess about attacks on other sites (of which there is no material evidence at all): you've simply invented the possibility to support your trolling.

Not sure what else I can say here, save that it is entirely implausible that an attacker with keylogger or MITM access to someone's machine/sessions/passwords would target only a Stars account and not the email account(s) that potentially promise access to a number of similar sources of funds. Couple that with OP's evidence that the attacker had no way of getting at his email address, save one guess at the password (your favourite Occam's Razor will tell you that this attempt will have been to ascertain whether the password is the same as what he already knew from the Stars acccount) and your objections are irrelevant at best.

See, that's the point. He tried exactly once. Try reading the posts rather than reacting to what you imagine has been said.

The greatest problem here is that the theories with which you're engaging are the ones that currently stand up best to scrutiny. In the case of each victim, the attacker knew the Stars password. In each case, there is no evidence of malware and there seems no chance that all victims used a common compromised access point. Indeed, several victims' accounts were dormant, so the idea that this attack was perpetrated by intercepting credentials during sessions is laughable. In each case, the victim has reported that no other accounts (poker sites, email, wallets, whatever) were compromised (and I know you think this is perfectly explicable but you must know some very peculiar criminals). The best explanation we have is that a source of Stars passwords was compromised.

Now, at least we agree that Stars' response is alarmingly deficient. They've not given anywhere near enough comfort about the source of this attack (nor indeed the security of all - and particularly old - password databases). I continue to believe that to be the most likely explanation for these hacks.

I'd love to be proved wrong.

But that will only happen if another explanation is shown to be correct or if evidence comes to light which disproves my theory. You calling it nonsense won't change anything. You doing so in reliance on your own misunderstanding of facts and/or wild speculation will change even less. Please stop derailing this side of the thread.

As for Stars' procedures when it comes to detecting/stopping weird account activity (including deposits/cashouts that appear to violate all normal rules governing online gaming) I think we're on the same page. Maybe you could devote your energies to that side of things?

Ok im gonna tear you a new one now you have the balls to suggest what i posted is poorly thought out and paranoid you post and word exactly like another idiot in the other thread in IP are you Monteroy?

Ok a hacker could be installing rootkits/trojans just to hack Pokerstars accounts tell me how does this hacker know what accounts and devices to target?

Do you understand how a sever is hacked please explain this process?is it paranoid to suggest Pokerstars accounts have been hacked?

You are trying to detract from issues that YOU have no knowledge or expertise in commenting on in and because we do understand this we are PS-haters.

You add no real value with your conspiracy ramblings like some deranged sexual deviant on acid.

Nothing posted by me or thunderbolts who seems to have good IT knowledge is paranoid or poorly thought out now shut the **** up and please take your trolling back to the rigged thread.

Not clear if they're working together on this. I'd like to think so, as there's some key information that would help. But the silence from almost all suggests to me that Stars has contacted them and asked them not to comment further publicly while matters are investigated. If that is the case I'm not sure how I feel about it given the initial ostrich reaction.

Yes, this is a possibility. But I don't think we should overstate the difficulty of getting some money out of accounts.

Either way, I will continue to suggest that the victims offer up information as to the age of their accounts and the date of their last pre-hack password change. This is critical.

But how?

And this doesn't square with OP's experience of the single attempt to enter his email account.

The greater possibility is that his Stars account was accessed by someone with knowledge of the Stars password only. They then tried to get into the email account, but failed to do so because (sensibly) he hadn't reused his password. This indicates not a selective hacker but instead one who only has a list of Stars passwords. Again, I think it all points to a Stars database compromise (and probably an old one given the dormant accounts) instead of some sort of malware or MITM attack. A second possibility is that someone gathered passwords in some other way then sold a list of only Stars account names and passwords on the black market - but I think this is less likely. Not only because when things are sold there's eventually a chance of people hearing about them, and security companies monitor all of the common channels by which credentials and card details are sold, but also because the sale of compromised passwords requires an extra step above and beyond just the compromise of a list.

Making fake deposits, and getting the money out before the account gets frozen is the difficult part.

thunderbolts,

what do you think about the theory that the scammer bought the account credentials on some black market.

It fits him not knowing any other information, and the one try on the email account is explained as well.

Except one thing this episode has taught us is that getting the account frozen doesn't seem to happen anywhere near quickly enough.

I take your point about the fake deposits. Presumably one way in which these might be being made is:

1. access to compromised account;
2. learn name and address details from within;
3. set up some sort of card with those details (this is not my area but are there disposable cards in some jurisdiction for example where this might be possible?)
4. deposit from it, transfer between accounts, whatever;
5. withdraw.

My biggest concern other than the method of exploit, though, is this idea that Stars are holding players liable for chargebacks on their accounts despite the relevant deposits apparently carrying a number of red flags. Perhaps we should all get back to that for a bit, given there is no new information on the mechanics.