Many Pokerstars accounts hacked recently, Stars accepts no liability
Had a conversation today with an employee from another company in the industry. The call actually went a long way to assure me that not only are they concerned about security, but that they are proactive thinkers ready to protect accounts from all angles of attack.
He told me that they very rarely see accounts hacked via the route of emails being compromised, and that it's more like an internet cafe type of thing. I do not doubt this at all, because often there are keyloggers that are not viruses, but they actually are put in place by the cafe, library, institute, etc.
Edit: I know a lot, if not most, of those hacked in these instances had their email compromised as well, or an attempt, but the poker operator would not know this.
Please stop with the ad hominem attacks and derails.
Crossposting this post from raidalot because it raises some serious questions.
Questions for Michael:
(1) How many PS accounts have been hacked so far in March (and btw I can't see any valid reason for not giving this info in the circumstances)?
(2) How does that compare to the average of the previous 12 months?
(3) Does PS accept deposits into an account from cards/accounts other than in the name of the account holder?
(4) Does PS give cash-outs to cards/accounts other than in the name of the account holder?
(5) If yes to (3) or (4) then, is the prior email permission of the account holder required?
(6) If yes to (3) or (4), and no to (5): if the person who makes/receives the payment turns out to be stealing then PS has been defrauded by that person (and not the account holder, who gave no permission to stars to accept payments/withdrawals on his account from a third party, and who has no control on the quality of PS verification checks on the third party and his transfers) - on what basis can you justify passing on the cost of PS negligence in accepting such deposits/withdrawals to the account holder?
[btw I'd be amazed if you were able to win any case before a court or decent regulator to recover such funds from a player who refused to cover your losses. Apart from anything else it would put the account holder in a position of potentially being liable for infinite losses.]
(7) To solve some of this, why not implement some of the following? ...
(a) Allow a/c holders to set a minimum period for withdrawal processing (e.g. 2 days)
(b) Require that deposits/withdrawals can only be made in the name of the account holder unless permission has been given otherwise for specific names. [At least do this if the surname is different or the other person is in a different country!]
(c) If an account has been used exclusively from one IP for more than [1] month then auto email the account holder if a login is made from a new address. [Especially do this if the login is from another country]
(8) The player is put in a position where they can actually lose much more than is in their account in such circumstances. Do you warn players when they sign up and deposit $10 that this is possible? If not, then should this be done?
I know it's the internet and most people can't handle being disagreed with, but we're doing it for the same cause (the well being and security of every player in the poker community), so there's really no reason for you guys to be so upset, lol.
How about LEE JONES show some balls and address this? Time to man up.
The issue that irks me the most is Pokerstars' stance that if players used a single form of defense (RSA token) hackers wouldn't have been able to get in and do the damage they've done, as Pokerstars has very little secondary protection for hacked accounts (they allow deposits and withdrawals from other cards from foreign countries and allow instant cash outs).
When it comes to Pokerstars security they have a multi-tiered defense program which they proudly talk about. So why don't they offer a multi-tiered defense for players' accounts?
It would be very easy and cheap to secure the PS accounts if Amaya wanted to.
My stock broker is Interactive Brokers, one of the largest brokers in the world. As a customer you can order a key card (size of a normal credit card) with 200+ random three-number/letter combinations, free of charge. Every time you try to log in you need to type:
1) Username
2) Password
3) Two random numbers (6 letters/digits total) from the keycard
The current RSA token is very expensive as a unit. I would believe the keycard solution would cost less than $0,10 per unit to manufacture.
Then you can make it possible to secure your account for $5 / 250FPP (including card + shipping for business sake) and profit massively just from this and have the accounts very secure.
All of this could be optional.
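The key-card login described in the post above, sketched server-side in Python as an added example (it is not Interactive Brokers' or PokerStars' implementation, and not the poster's code). The card size of 224 cells, the 120-second expiry and the three-failure lockout are assumptions; `replay_chance` quantifies what the keyloggers mentioned earlier in the thread would gain from watching logins.

```python
import hmac
import math
import secrets
import string
import time

ALPHABET = string.ascii_uppercase + string.digits
CELLS = 224          # assumed card size; the post only says "200+"
CODE_LEN = 3         # three characters per cell, so a login types 6
CHALLENGE_TTL = 120  # assumed: seconds before an unanswered challenge expires
MAX_FAILURES = 3     # assumed: wrong answers before the card is locked


def generate_card():
    """Return CELLS random codes; list index + 1 is the number printed on the card."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
            for _ in range(CELLS)]


class GridCardVerifier:
    """Server-side state of the card factor for one account."""

    def __init__(self, card):
        # The codes are short, so the server copy needs the same protection
        # as any other second-factor secret.
        self._card = list(card)
        self._pending = None   # ((cell_a, cell_b), expires_at) or None
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= MAX_FAILURES

    def issue_challenge(self, now=None):
        """Pick two distinct cells. Call only after the password check passed."""
        if self.locked:
            raise PermissionError("card locked, needs re-issue")
        now = time.time() if now is None else now
        a = secrets.randbelow(CELLS)
        b = secrets.randbelow(CELLS - 1)
        if b >= a:             # shift so that b is uniform over the other cells
            b += 1
        self._pending = ((a, b), now + CHALLENGE_TTL)
        return a + 1, b + 1    # 1-based cell numbers, as printed on the card

    def verify(self, response, now=None):
        """Check the typed characters against the pending challenge."""
        now = time.time() if now is None else now
        pending, self._pending = self._pending, None   # single use, even on failure
        if self.locked or pending is None or now > pending[1]:
            return False
        (a, b), _ = pending
        expected = (self._card[a] + self._card[b]).encode()
        supplied = response.strip().upper().encode()
        if hmac.compare_digest(expected, supplied):    # constant-time comparison
            self.failures = 0
            return True
        self.failures += 1
        return False


def replay_chance(observed_cells, cells=CELLS):
    """Probability that both cells of a fresh challenge are already known to
    someone who has recorded `observed_cells` distinct cells of this card."""
    return math.comb(observed_cells, 2) / math.comb(cells, 2)
```

Unlike a time-based token, the card's codes never change, so `replay_chance` grows with every login that is observed; re-issuing the card after a suspected compromise resets it.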
PS Josem has given us at least a partial explanation for why Pokerstars has chosen to run their business in this area and the fact is we as customers do not find it acceptable gauging from the responses itt or in the other thread.
Therefore the decision should be clear to Pstars that changes need to be made to alleviate our very real concerns. Even if Pokerstars morally feel ok that the status quo is fine and fair the perception of its users is not in line with this thinking. Therefore from a business standpoint something needs to change.
To perceive is to believe.
Actually, you are advertising yourself as a self-admitted shill, while giving ridiculous amounts of energy supporting your own image and opinions. You are clearly propped up by (some form of) popular mod opinion.
You are detracting from constructive and warranted criticism.
Let the players discuss the issues without you. We have legit complaints and solutions, such as multisig/bitcoin. There is no reason for hacked passwords/accounts (or server issues) in this day and age, but an attempt to suppress and an inefficient use of (over-)raked monies.
People are free to say anything and discuss the issues all they want, I'm merely pointing out what I think are poor arguments. I'm not forcing anyone to believe anything.
EDIT:
You realize my location is a joke about how often I get accused of being a shill for disagreeing with paranoid PS-haters, right?
The exact opposite is true. I am detracting solely from what I think is unwarranted and poorly thought out (also paranoid) criticism, which, in fact, confuses and complicates a situation which all of us would like to be resolved quickly, while adding almost no real value.
Once people start asking these types of questions, it starts to matter less how serious the security breach was, the confidence your customers have in you is going to decline regardless. Confidence in poker site operators is a problem that we've been combating for a long time and it sucks to see PS perpetrating something like this.
Looking at his admin profile it appears that he is legit.
He contacted me as well and I sent Full Tilt support an email and they say he is legit.
Are the hacking victims still working together (e.g. via PM or a Skype group) to see if they can establish a common link (other than they had near-dormant Pokerstars accounts) between them all?
Did they, for example, all play at the same live event, where hackers might have scanned the wi-fi network for people logging into Stars via laptops/phones? Finding the likely source of the theft is a crucial step in preventing it happening again.
It seems possible that the passwords were stolen quite a long time ago by a random hacker, but only recently fell into the hands of a group or individual who knew what to do with them. As I understand it, hacked passwords (whether for email, banking, or cloud storage) are traded in bulk among criminal groups, but they need someone with specific expertise to make a financial gain from them. It's not like every random criminal knows how to chip-dump or move money around on a poker site without getting caught.
Pokerstars,
Is there a reason that you have not yet implemented 2-step verification, at least as an option? Then if someone logged in with a new IP they would automatically be blocked from accessing the account until entering a code sent to the mobile phone provided.
Thanks
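The new-address checks suggested in this thread (an automatic email when an account long used from one IP logs in from a new one, and blocking the session until a code sent to the phone is entered), as an added Python example; it is not PokerStars' code or any poster's. The `Login` fields, the 30-day threshold, the reason labels and the sample events are assumptions, and the country is taken to come from an upstream GeoIP lookup.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

STABLE_PERIOD = timedelta(days=30)   # stands in for "more than [1] month"


@dataclass(frozen=True)
class Login:
    account: str
    ip: str
    country: str      # assumed to be filled in by a GeoIP lookup
    when: datetime


@dataclass(frozen=True)
class Decision:
    action: str       # "allow" or "step_up" (hold the session until a code is entered)
    notify: bool      # send the "login from a new location" email
    reasons: tuple


class NewLocationPolicy:
    def __init__(self):
        self._trusted = {}   # account -> {ip: (country, first_seen)}

    def assess(self, login):
        known = self._trusted.setdefault(login.account, {})
        if not known:
            # Assumption: the address used at sign-up is trusted.
            known[login.ip] = (login.country, login.when)
            return Decision("allow", False, ("enrolment",))
        if login.ip in known:
            return Decision("allow", False, ())
        reasons = ["new_ip"]
        if login.country not in {country for country, _ in known.values()}:
            reasons.append("new_country")
        if len(known) == 1:
            ((_, first_seen),) = known.values()
            if login.when - first_seen > STABLE_PERIOD:
                reasons.append("single_ip_over_30_days")
        return Decision("step_up", True, tuple(reasons))

    def confirm(self, login):
        """Trust the address. Call only after the emailed/SMS code was verified;
        trusting it at assess() time would let a failed attempt whitelist itself."""
        self._trusted.setdefault(login.account, {})[login.ip] = (
            login.country, login.when)


def replay(logins, verified):
    """Run logins through a fresh policy. `verified` holds the (account, ip)
    pairs for which the account holder entered the code."""
    policy = NewLocationPolicy()
    decisions = []
    for login in logins:
        decision = policy.assess(login)
        if decision.action == "step_up" and (login.account, login.ip) in verified:
            policy.confirm(login)
        decisions.append(decision)
    return decisions


# Constructed sample events (documentation IP ranges, made-up account name).
SAMPLE_LOGINS = [
    Login("player1", "192.0.2.10", "SE", datetime(2015, 1, 2, 20, 0)),
    Login("player1", "192.0.2.10", "SE", datetime(2015, 2, 20, 21, 0)),
    Login("player1", "203.0.113.77", "BR", datetime(2015, 3, 10, 3, 0)),
    Login("player1", "203.0.113.77", "BR", datetime(2015, 3, 10, 3, 5)),
    Login("player1", "198.51.100.5", "SE", datetime(2015, 3, 12, 19, 0)),
    Login("player1", "198.51.100.5", "SE", datetime(2015, 3, 13, 19, 0)),
    Login("player1", "203.0.113.77", "BR", datetime(2015, 3, 14, 3, 0)),
]
# Only the login from 198.51.100.5 was confirmed with a code.
SAMPLE_VERIFIED = {("player1", "198.51.100.5")}
```

In the sample, the unverified address is challenged on every attempt, while the address confirmed with a code is allowed from its next login on.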
I was actually having the same thoughts as bj about other things being hacked. If someone with knowledge of online poker decided to target people's Stars accounts in particular, I can't see any reason they would hack anything else. Taking money from people's poker accounts requires a certain amount of familiarity with the processes on the site, possibly secondary accounts to use for chip dumping, etc. Once they've got a routine down pat with how to compromise and empty someone's Stars account, why would they spend time trying to take money from a completely different account (i.e. another poker site, bank, etc.) when they could just move on to someone else's Stars account?
Yes, it's absolutely possible that someone could target individuals and take money from them every way they can find, but I think it's equally (or perhaps much more) likely that they just go after as many Stars accounts as possible.
If anyone has had little to contribute to this thread, it's you. Enough creating new accounts and spending your time calling out people you disagree with as trolls. No need to reply to this, just stop with the nonsense.
Hello,
PokerStars is monitoring the discussion of account hacking in this thread.
Let us provide some information which we believe will help you understand the context of this issue.
Firstly, the frequency of hacks at PokerStars has been decreasing during 2015. The chart below shows the frequency of hacks per day that have been identified and reported by our staff on a monthly basis for 2015 through 17 March (inclusive).
While we will not provide absolute numbers, the trend for the last 2½ months shows that there is no sudden spate or recent surge of account hackings. The only thing that has changed has been player awareness of the issue – awareness that has been partly caused by PokerStars instituting heightened security in the form of new notification emails when a PokerStars client is accessed from a new location.
We believe that the best defence against hacking is to prevent hackers accessing accounts in the first place. We support players keeping their login credentials secure by a whole series of different mechanisms, including our hashing* of passwords, and giving players the option of enabling RSA Security Tokens, PokerStars PINs and SMS Validation. Literally hundreds of thousands of players log in every day in a safe and secure manner.
Even after a hacker gains access to a player’s login credentials and accesses an account, PokerStars works to minimise the financial harm caused. Of the hacks that have been identified to PokerStars, despite players (often inadvertently) giving their account login credentials to unauthorised users, PokerStars was still able to ensure that no funds were lost in about 52% of the cases in January and February. We compile an internal report at the end of each month and see no significant deviation from that trend so far in March.
Even when harm is caused to player accounts, the amount of harm caused is relatively low in absolute terms, but PokerStars wants to continue to reduce this further. Of the remaining 48% of cases from earlier this year where hackers have been able to cause financial harm, the median loss to each player per hack was $57.09.
Going forward, we have two key strategies to further reduce the already-decreasing frequency of accounts being ‘hacked’. We will more actively promote account security enhancements to players to make their account more secure. In addition, we will continue to improve our system for evaluating risky cash-outs. We continually refine our cash-out systems to combat overall fraud trends, and we want to keep the frequency of hacked accounts moving in a downward direction.
Let us also address some of the other issues raised in this thread:
- In many of the cases claimed in this thread, players have posted emails from PokerStars explaining that there were no failed password guesses. This strongly suggests that the hackers knew the passwords.
- Because PokerStars follows the best-practice security guidelines for storing passwords, we don’t store a copy of a player’s password that can be decrypted. Thus, we can’t review the strength of passwords of the players who were hacked, and have only limited ability to evaluate how those passwords might have been obtained by the hackers.
- There is no evidence of any misbehaviour by PokerStars insiders in this situation. Because PokerStars passwords are hashed, even if a PokerStars insider were somehow able to gain access to the password database, they would not be able to decrypt a player’s password.
- PokerStars affiliates have no access to our internal systems for administering player accounts. They do not have access to any special information that would enable them to gain unauthorised access to player accounts.
- PokerStars has no way of unilaterally determining if the affected players all used the same password at another online service, or whether the players have fallen victim to a particular piece of malicious software. Instead, we are continuing to investigate what commonalities exist between players. In this context, it is worth noting that while some of the posters in these threads have some things in common with other players, there are others that appear to be entirely unrelated.
- Some players have suggested that PokerStars should send a code to the email or phone of players when their account is accessed from a new location. PokerStars already offers this option – we call it ‘SMS Validation’ and it can be activated in the PokerStars software for free. Click on the ‘Account’ tab in the PokerStars lobby.
PokerStars is continuing to investigate these issues, and we believe that account hacking is going to be an ongoing challenge. The measures that we’ve taken in recent years have done a lot to improve account security, and we are going to keep working in this area to further reduce the risk to players.
Sincerely,
Michael Josem
PokerStars Communications Team
*A technical description of hashing and why it is stronger for protecting passwords than other forms of encryption is available online here: https://en.wikipedia.org/wiki/Crypto..._hash_function
Hi Michael,
Does Pokerstars consider it a "hack" for the purposes of your post in situations where there is a correct password entered and the breach is not caught by Pokerstars? Is it considered a "hack" when a customer reports their funds stolen but Pokerstars states that the password was not properly secured by the customer?
Thank you in advance for answering both of my above questions.
I was actually having the same thoughts as bj about other things being hacked. If someone with knowledge of online poker decided to target people's Stars accounts in particular, I can't see any reason they would hack anything else. Taking money from people's poker accounts requires a certain amount of familiarity with the processes on the site, possibly secondary accounts to use for chip dumping, etc. Once they've got a routine down pat with how to compromise and empty someone's Stars account, why would they spend time trying to take money from a completely different account (i.e. another poker site, bank, etc.) when they could just move on to someone else's Stars account?
But I don't think this theory is any help in finding out how the accounts were compromised.
I actually am. In any debate, detracting from invaluable conjecture so that others mustn't waste valuable time fully considering it for themselves is almost as important as contributing fresh ideas.
I know it's the internet and most people can't handle being disagreed with, but we're doing it for the same cause (the well being and security of every player in the poker community), so there's really no reason for you guys to be so upset, lol.
Stars is much, much, MUCH more popular than every other site, and they therefore will have a disproportionately large amount of publicized attacks happen to them. The amount of actual attacks on smaller sites may be entirely proportional to what we are seeing here. You are just making assumptions in order to support your argument.
This just does not follow logically. Because a certain account is the only one being accessed does not inherently suggest that the breach came from that account.
As I've already stated, there are many other reasons why stars might be the accounts being targeted, such as the fact that they have lots of money in them but are less secure than other popular accounts that also have money in them, such as bank accounts.
I'm not trying to absolve PS of any blame here as you guys seem to think, I'm just showing you guys how poor your arguments are so that you're not disappointed when your nonsense theories inevitably fall apart, and so the parties of importance in this situation are better able to sift through the nonsense and get to the actual facts of the case.
Now, at least we agree that Stars' response is alarmingly deficient. They've not given anywhere near enough comfort about the source of this attack (nor indeed the security of all - and particularly old - password databases). I continue to believe that to be the most likely explanation for these hacks.
I'd love to be proved wrong.
But that will only happen if another explanation is shown to be correct or if evidence comes to light which disproves my theory. You calling it nonsense won't change anything. You doing so in reliance on your own misunderstanding of facts and/or wild speculation will change even less. Please stop derailing this side of the thread.
As for Stars' procedures when it comes to detecting/stopping weird account activity (including deposits/cashouts that appear to violate all normal rules governing online gaming) I think we're on the same page. Maybe you could devote your energies to that side of things?
The exact opposite is true. I am detracting solely from what I think is unwarranted and poorly thought out (also paranoid) criticism, which, in fact, confuses and complicates a situation which all of us would like to be resolved quickly, while adding almost no real value.
People are free to say anything and discuss the issues all they want, I'm merely pointing out what I think are poor arguments. I'm not forcing anyone to believe anything.
EDIT:
You realize my location is a joke about how often I get accused of being a shill for disagreeing with paranoid PS-haters, right?
OK, a hacker could be installing rootkits/trojans just to hack Pokerstars accounts; tell me, how does this hacker know what accounts and devices to target?
Do you understand how a server is hacked? Please explain this process. Is it paranoid to suggest Pokerstars accounts have been hacked?
You are trying to detract from issues that YOU have no knowledge or expertise in commenting on, and because we do understand this we are PS-haters.
You add no real value with your conspiracy ramblings like some deranged sexual deviant on acid.
Nothing posted by me or thunderbolts, who seems to have good IT knowledge, is paranoid or poorly thought out. Now shut the **** up and please take your trolling back to the rigged thread.
Are the hacking victims still working together (e.g. via PM or a Skype group) to see if they can establish a common link (other than they had near-dormant Pokerstars accounts) between them all?
Did they, for example, all play at the same live event, where hackers might have scanned the wi-fi network for people logging into Stars via laptops/phones? Finding the likely source of the theft is a crucial step in preventing it happening again.
It seems possible that the passwords were stolen quite a long time ago by a random hacker, but only recently fell into the hands of a group or individual who knew what to do with them. As I understand it, hacked passwords (whether for email, banking, or cloud storage) are traded in bulk among criminal groups, but they need someone with specific expertise to make a financial gain from them. It's not like every random criminal knows how to chip-dump or move money around on a poker site without getting caught.
Either way, I will continue to suggest that the victims offer up information as to the age of their accounts and the date of their last pre-hack password change. This is critical.
I was actually having the same thoughts as bj about other things being hacked. If someone with knowledge of online poker decided to target people's Stars accounts in particular, I can't see any reason they would hack anything else. Taking money from people's poker accounts requires a certain amount of familiarity with the processes on the site, possibly secondary accounts to use for chip dumping, etc. Once they've got a routine down pat with how to compromise and empty someone's Stars account, why would they spend time trying to take money from a completely different account (i.e. another poker site, bank, etc.) when they could just move on to someone else's Stars account?
Yes, it's absolutely possible that someone could target individuals and take money from them every way they can find, but I think it's equally (or perhaps much more) likely that they just go after as many Stars accounts as possible.
And this doesn't square with OP's experience of the single attempt to enter his email account.
The greater possibility is that his Stars account was accessed by someone with knowledge of the Stars password only. They then tried to get into the email account, but failed to do so because (sensibly) he hadn't reused his password. This indicates not a selective hacker but instead one who only has a list of Stars passwords. Again, I think it all points to a Stars database compromise (and probably an old one given the dormant accounts) instead of some sort of malware or MITM attack. A second possibility is that someone gathered passwords in some other way then sold a list of only Stars account names and passwords on the black market - but I think this is less likely. Not only because when things are sold there's eventually a chance of people hearing about them, and security companies monitor all of the common channels by which credentials and card details are sold, but also because the sale of compromised passwords requires an extra step above and beyond just the compromise of a list.
Making fake deposits, and getting the money out before the account gets frozen is the difficult part.
thunderbolts,
What do you think about the theory that the scammer bought the account credentials on some black market?
It fits him not knowing any other information, and the one try on the email account is explained as well.
I take your point about the fake deposits. Presumably one way in which these might be being made is:
1. access to compromised account;
2. learn name and address details from within;
3. set up some sort of card with those details (this is not my area but are there disposable cards in some jurisdiction for example where this might be possible?)
4. deposit from it, transfer between accounts, whatever;
5. withdraw.
My biggest concern other than the method of exploit, though, is this idea that Stars are holding players liable for chargebacks on their accounts despite the relevant deposits apparently carrying a number of red flags. Perhaps we should all get back to that for a bit, given there is no new information on the mechanics.