Many Pokerstars accounts hacked recently, Stars accepts no liability

03-21-2015 , 11:39 PM
Quote:
Originally Posted by bundy5
So there should be a 48 hour delay before the minimum deposit level changes to appease a very minor amount of concern from people that their account has been hacked?
You're missing the point. They call it responsible gaming. Say, for instance, you have a gambling problem; Stars claims to care and wants to help. They allow you to set limits on the amount that you can gamble at any time. WTF is the point of doing this if it can be changed with one mouse click?? I didn't realize that it was this easy to change until my account got hacked. My frustration stems from the fact that if Stars had respected my deposit limits, then the worst-case scenario for me was that the hacker could have dumped my meager roll. Instead I am left on the hook for 7 times my self-imposed deposit limit. The 48-hour delay isn't just to help in the case of hacking, it's to help people from making decisions they may regret. If the responsible gaming options don't actually help, then why bother having them at all?
03-21-2015 , 11:52 PM
Quote:
Originally Posted by ZenX
You're missing the point. They call it responsible gaming. Say, for instance, you have a gambling problem; Stars claims to care and wants to help. They allow you to set limits on the amount that you can gamble at any time. WTF is the point of doing this if it can be changed with one mouse click?? I didn't realize that it was this easy to change until my account got hacked. My frustration stems from the fact that if Stars had respected my deposit limits, then the worst-case scenario for me was that the hacker could have dumped my meager roll. Instead I am left on the hook for 7 times my self-imposed deposit limit. The 48-hour delay isn't just to help in the case of hacking, it's to help people from making decisions they may regret. If the responsible gaming options don't actually help, then why bother having them at all?
Again you are talking about the minority of cases.
03-21-2015 , 11:58 PM
Quote:
Originally Posted by ftlolft
YUP. It looks like instead of engaging in discussion here the goal is to deploy this tactic to make it look like it's a player security problem and not a terrible security fraud detection issue.
I don't think you understand what discussion means. I think you're confusing it with another term: "one-sided, mindless, paranoid rambling".

So when we fyp to use the correct term

Quote:
YUP. It looks like instead of engaging in one-sided mindless paranoid rambling here the goal is to deploy this tactic to make it look like it's a player security problem and not a terrible security fraud detection issue.

It actually makes sense, and isn't the ridiculous thing that you're trying to make it.

Let me know if I got that wrong.
03-22-2015 , 12:05 AM
Quote:
Originally Posted by bundy5
Again you are talking about the minority of cases.
Does it matter if it's even just one case? Either the corporate policy is that they have a responsible gaming policy, or they don't. Having a policy in place that is just for lip service is pointless.
03-22-2015 , 12:12 AM
Quote:
Originally Posted by ZenX
You're missing the point. They call it responsible gaming. Say, for instance you have a gambling problem, Stars claims to care and wants to help. They allow you to set limits on the amount that you can gamble at any time. WTF is the point of doing this if it can be changed with one mouse click?? I didnt realize that it was this easy to change until my account got hacked. My frustration stems from the fact that if Stars had respected my deposit limits, then the worse case scenario for me was that the hacker could have dumped my meager roll. Instead I am left on the hook for 7 times my self imposed deposit limit. The 48 hour delay isn't just to help in the case of hacking, its to help people from making decisions they may regret. If the responsible gaming options don't actually help, then why bother having them at all?
Because they are only there for your benefit in theory. They are there to cover Pokerstars' arse in case of liability issues from someone who didn't know when to stop. It's house insurance for the house.
03-22-2015 , 12:33 AM
Quote:
Originally Posted by ftlolft
Because they are only there for your benefit in theory. They are there to cover Pokerstars' arse in case of liability issues from someone who didn't know when to stop. It's house insurance for the house.
Maybe that's true. Hell, for the sake of argument, let's say that's 100% true. Here is a chance for Pokerstars to step up. Make the policies rock solid. Make responsible gaming a true priority. Does this actually hurt their bottom line? I honestly don't think so. Because, guess what? Those people that are willing to step up and say they have a problem aren't the ones who are going to keep blowing money away.
03-22-2015 , 12:50 AM
Quote:
Originally Posted by ZenX
You're missing the point. They call it responsible gaming. Say, for instance, you have a gambling problem; Stars claims to care and wants to help. They allow you to set limits on the amount that you can gamble at any time. WTF is the point of doing this if it can be changed with one mouse click?? I didn't realize that it was this easy to change until my account got hacked. My frustration stems from the fact that if Stars had respected my deposit limits, then the worst-case scenario for me was that the hacker could have dumped my meager roll. Instead I am left on the hook for 7 times my self-imposed deposit limit. The 48-hour delay isn't just to help in the case of hacking, it's to help people from making decisions they may regret. If the responsible gaming options don't actually help, then why bother having them at all?
I may be missing something here, but I understand that when you set a deposit limit it cannot be changed for a week.

You are saying it can be changed with one mouse click at anytime. Correct?

How?
03-22-2015 , 01:01 AM
Quote:
Originally Posted by warrenBluffit
I may be missing something here, but I understand that when you set a deposit limit it cannot be changed for a week.

You are saying it can be changed with one mouse click at anytime. Correct?

How?
After the period that you set it for is over (in this case 1 week) you can get your normal limit back by accepting/approving the decision in your account on the client.
03-22-2015 , 01:16 AM
Quote:
Originally Posted by warrenBluffit
I may be missing something here, but I understand that when you set a deposit limit it cannot be changed for a week.

You are saying it can be changed with one mouse click at anytime. Correct?

How?
pmarrsouth answered this. Anytime you change your Responsible Gaming settings, they are in effect for one week. After the week has passed, you can change them to anything you want with a single click. What I am proposing to Pokerstars is that when you set any limits on your account, then yes, it should stay in effect for 7 days. That part is fine. After 7 days, you are able to change these settings, BUT there should be a 48-hour period before your new changes take effect. This allows a cooling-off period to stop a problem gambler from "tilting" off more money. (And again, in my particular case, it would have stopped a hacker from being able to make fraudulent deposits on my account.)
03-22-2015 , 01:18 AM
Quote:
Originally Posted by pmarrsouth
After the period that you set it for is over (in this case 1 week) you can get your normal limit back by accepting/approving the decision in your account on the client.
They do tell you this when you set the limit initially. Right. So anyone with half a brain should realise that after 1 week the limit can be changed by anyone who has access to the account. Right.

So Duh!
03-22-2015 , 01:29 AM
Quote:
Originally Posted by warrenBluffit
They do tell you this when you set the limit initially. Right. So anyone with half a brain should realise that after 1 week the limit can be changed by anyone who has access to the account. Right.

So Duh!
Ya, well Duh. Apparently, I have half a brain. The way I understood it was that any changes would take a week to take effect. So if I wanted to increase my deposit limits, then it would take 7 days before I was able to do so. Duh. Hopefully the other half of my brain starts to work soon...
03-22-2015 , 01:51 AM
Any chance poker players are being targeted through some (poker-related) software or a similar thing that searches the target's registry for their Pokerstars password (since a lot of Pokerstars passwords are set to 'remember' in the client)?

Would explain why email accounts etc. of victims weren't successfully hacked (which indicates that poker accounts were specifically targeted and that keyloggers haven't been used). Can some of the victims weigh in on whether or not their Stars password is 'remembered' by the client and maybe list some of the software they have installed that is at least somewhat related to poker?

For example there are table layouts that can be downloaded and that are installed through an .exe file. Obv software like HEM or PT is very safe in that regard but something like a table layout might not always be distributed by a reputable company.
03-22-2015 , 02:03 AM
So it's possible to log on to account x as person y, from a country other than the one person x was playing from 3 minutes earlier. Then you're able to raise person x's deposit level with one click and deposit some more money using a fraudulent credit card, just to immediately withdraw all this money to person y's NETELLER account.

And people who dare to say that one or more of these steps should be prevented are ridiculous?!? This thread....
03-22-2015 , 02:12 AM
Oh, and while I do think people should be more cautious and keep their accounts more secure, it's ridiculous to say that only the user is at fault. I understand that they are not covering theft that occurs within someone's account, but to demand people pay the damages that are a result of credit card fraud is insane. When a hacker can deposit money from a credit card that is in another name than the account holder's and then cash it out to a Neteller account that has never been used before just hours later, Stars should eat these losses themselves. Terrible policy and horrendous security management by Stars.
03-22-2015 , 02:36 AM
Waiting 5 days now for a reply from Stars security to this email; perhaps PokerstarsMichaelJ can answer instead.

Quote:
Hello Mickael

How can you be so sure that the security breach was not on the Pokerstars side ?

Multiple people have been hacked in the exact same way, no malware detected by any players and no other poker/bank/email/social media accounts hacked.

Just because the hackers knew "all of our passwords perfectly" does not mean that Pokerstars security has not been breached.

With so many victims coming forward now on 2+2, and that site only representing a small % of the player pool, it's clear the total number of accounts hacked is much greater.

You are yet to give any explanation as to how this has happened and at this stage it appears you do not know.

So again I ask you, if you do not know how the hackers are doing this, how can you be sure that Pokerstars are not at fault ?

If you do know how the hackers are doing this, why have you still not put a stop to it 5 months after the earliest documented case ?

I understand you will not accept any liability at this stage but I hope you will continue to investigate.

I also want to know if the account my funds were dumped to was another hacked account ?

If you cannot answer my questions yourself I would appreciate it if you can forward my email on to someone who can.

Regards
That was a reply to this email from Stars

Quote:
Hello Paul,

Thank you for the comments, these have been passed along.

However, this does not mean that our decision has changed. As previously mentioned, password protection is your responsibility and the security breach was not on the Pokerstars side.

We are aware of the 2+2 thread you provided and which Pokerstars Michael J. has already been addressing.

Your hand history from December 25th 2014 has also been sent by our Support Team in a separate email as per your request.

Lastly, we appreciate your willingness to offer assistance, should we need anything from you we will let you know.

Regards,

Mickael
PokerStars Security Team
I also got a pm from FTPMurphy saying he tried to contact me but my phone number wasn't up to date. I moved to Thailand a couple weeks ago and sent another message to support 2 days ago giving them my Thai number.

Again no response from Support and no phone call from FTPMurphy. The fact they didn't even reply to me confirming my phone number change is rather disappointing.
03-22-2015 , 02:44 AM
Quote:
Originally Posted by ZenX
You're missing the point. They call it responsible gaming. Say, for instance, you have a gambling problem; Stars claims to care and wants to help. They allow you to set limits on the amount that you can gamble at any time. WTF is the point of doing this if it can be changed with one mouse click??
Quote:
Originally Posted by bundy5
Again you are talking about the minority of cases.
What are the majority of use cases for people who set the deposit limit? You seriously think it's people who just want to stop themselves making deposits for a single week but are fine right after that?

Quote:
Originally Posted by warrenBluffit
They do tell you this when you set the limit initially. Right. So anyone with half a brain should realise that after 1 week the limit can be changed by anyone who has access to the account. Right.

So Duh!
As you go through the responsible gaming section the first tab is a cash game table limit; in the small print it says it takes 24 hours if you later want to increase it. The next tab is tournament buy-in; it also takes 24 hours if you want to raise it. The next one is casino limit; it also takes 24 hours if you later want to change it. I think people can be forgiven for assuming the 4th tab, the weekly deposit one, works in a similar way. On the tab there is also red text stating "This feature cannot be used to increase your regular maximum deposits, If you want to increase your regular limits please email support@pokerstars.eu" How ridiculous that support is empowered to raise a regular deposit limit for someone but not reduce it.

I find it hard to imagine that the deposit limit functionality is described correctly and in detail in Stars' licensing and regulatory submissions - i.e. the regulators have accidentally licensed a site with no deposit limit at all. Anyone know if such submissions are publicly available anywhere? If the submission is wrong then the regulators are going to be on the side of at least the players who had a limit set.

Quote:
Originally Posted by random btn
Any chance poker players are being targeted through some (poker-related) software or a similar thing that searches the target's registry for their Pokerstars password (since a lot of Pokerstars passwords are set to 'remember' in the client)?

...

For example there are table layouts that can be downloaded and that are installed through an .exe file. Obv software like HEM or PT is very safe in that regard but something like a table layout might not always be distributed by a reputable company.
The Czech guy ITT says that on his forum (which sounds more constructive than this one) they have found hacks of recreationals with no third party software at all.
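The cooling-off scheme proposed in the thread (limits binding for seven days, then a 48-hour delay before an increase takes effect, in the spirit of the 24-hour delays the post above describes on the other tabs), modelled as an added example. This is not PokerStars code; the lock-in and delay constants, the rule that decreases apply immediately, and every class and function name are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed constants taken from the thread: a new limit is binding for one
# week, and (the proposal) an increase only takes effect after 48 hours.
LOCK_IN = timedelta(days=7)
COOLING_OFF = timedelta(hours=48)


class LimitLocked(Exception):
    """Raised when a change is requested while the current limit is still locked in."""


@dataclass
class DepositLimit:
    limit: float                            # limit currently in force
    set_at: datetime                        # when it came into force
    pending: Optional[float] = None         # queued increase, if any
    pending_at: Optional[datetime] = None   # when that increase was requested

    def effective_limit(self, now: datetime) -> float:
        """Promote a queued increase once its cooling-off period has elapsed."""
        if self.pending is not None and now >= self.pending_at + COOLING_OFF:
            self.limit, self.set_at = self.pending, self.pending_at + COOLING_OFF
            self.pending = self.pending_at = None
        return self.limit

    def request_change(self, new_limit: float, now: datetime) -> str:
        """Decreases apply at once; increases wait out the cooling-off delay.

        Any change is refused while the limit in force is inside its lock-in,
        so whoever holds the session cannot simply click the limit away.
        """
        current = self.effective_limit(now)
        if now < self.set_at + LOCK_IN:
            raise LimitLocked(f"locked until {self.set_at + LOCK_IN:%Y-%m-%d %H:%M}")
        if new_limit <= current:
            self.limit, self.set_at = new_limit, now
            self.pending = self.pending_at = None
            return "applied"
        self.pending, self.pending_at = new_limit, now
        return f"queued, effective {now + COOLING_OFF:%Y-%m-%d %H:%M}"

    def cancel_pending(self) -> None:
        """Let the account owner withdraw a queued increase they did not intend."""
        self.pending = self.pending_at = None

    def can_deposit(self, amount: float, deposited_this_week: float, now: datetime) -> bool:
        """A deposit is allowed only if it keeps the week's total within the limit in force."""
        return deposited_this_week + amount <= self.effective_limit(now)


def walk_through() -> dict:
    """Replay the thread's scenario with constructed dates and amounts."""
    t0 = datetime(2015, 3, 1, 12, 0)
    dl = DepositLimit(limit=50.0, set_at=t0)
    out = {}
    try:
        dl.request_change(500.0, t0 + timedelta(days=3))      # inside the lock-in
    except LimitLocked:
        out["day3_increase"] = "refused: lock-in"
    out["day8_increase"] = dl.request_change(500.0, t0 + timedelta(days=8))
    # An hour later a $350 deposit is attempted with $40 already deposited this week.
    out["day8_deposit_allowed"] = dl.can_deposit(350.0, 40.0, t0 + timedelta(days=8, hours=1))
    out["limit_day8"] = dl.effective_limit(t0 + timedelta(days=8, hours=1))
    out["limit_day11"] = dl.effective_limit(t0 + timedelta(days=11))   # increase now in force
    out["day20_decrease"] = dl.request_change(30.0, t0 + timedelta(days=20))
    out["limit_day20"] = dl.effective_limit(t0 + timedelta(days=20))
    return out


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

The point of the design is that the queued increase is visible to the account owner for two days before it does anything, which is the window in which a notification or the `cancel_pending` call can stop a change the owner never made; a decrease never waits, because lowering a limit is never the risky direction.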
03-22-2015 , 03:07 AM
Again people are taking the argument in the wrong direction. Their responsible gaming feature really doesn't have any bearing on this issue. It shouldn't be used as a proxy to force stars to change their deposit/cashout strategy. Feel free to argue that their policy isn't good for those people vulnerable to the charm of gambling but don't argue for changing that for some other purpose (such as preventing these deposit/withdrawals). Again, this doesn't need to be changed if you secure your account.

At some point, people in the thread are going to have to realise that coming up with elaborate changes to the site's processes, when an account is compromised, is completely unnecessary when anyone, and I mean anyone, can secure their account against that happening (at least so far it seems).

I have a lot of sympathy for the people that have been hacked and also for those that feel stars never pushed their security features enough but this is a user issue, not a site issue.

While I don't think stars should be responsible to refund people money for this in any way, maybe a show of goodwill to those who now have negative accounts due to dodgy credit cards etc would be at least a positive step.
03-22-2015 , 03:38 AM
Quote:
Originally Posted by pontylad
Again people are taking the argument in the wrong direction. Their responsible gaming feature really doesn't have any bearing on this issue.
Well it does actually. The Stars rep himself suggested it as one method to prevent exactly this type of fraud/theft happening.

And it would work too as long as you remember to reactivate the limit each week. Admittedly this would be a pain but it is a no cost option (as opposed to RSA tokens).
03-22-2015 , 05:00 AM
Quote:
Originally Posted by warrenBluffit
Well it does actually. The Stars rep himself suggested it as one method to prevent exactly this type of fraud/theft happening.

And it would work too as long as you remember to reactivate the limit each week. Admittedly this would be a pain but it is a no cost option (as opposed to RSA tokens).
It is a solution to a problem that needn't happen in the first place though. All these solutions are secondary to that of securing your account.

The RSA token costing money is a fair point, but at the moment no one seems to be suggesting that a combination of the other free security measures has ever been breached before, so again it may be a moot point.
03-22-2015 , 05:05 AM
We now have 1 troll and 3 shills itt. Jesus wept.
03-22-2015 , 05:39 AM
Neither troll nor shill. There's plenty to complain at stars about, rake hikes etc... this isn't really one of them though. Again, suggest another pointless non solution though, by all means.
03-22-2015 , 07:39 AM
Quote:
Originally Posted by pontylad
I have a lot of sympathy for the people that have been hacked and also for those that feel stars never pushed their security features enough but this is a user issue, not a site issue.

While I don't think stars should be responsible to refund people money for this in any way, maybe a show of goodwill to those who now have negative accounts due to dodgy credit cards etc would be at least a positive step.
Save for your very last suggestion, I think you're off-beam here, given what we currently know. At present there is no indication of exploits at the users' end; a compromised Stars database (or similar) remains a real possibility.

The various users affected are hopefully exchanging information between themselves and with Stars (given they've ceased to post anything in this thread) to identify (alternatively rule out) any common non-Stars exploit vector (whether that's a third-party program, an affiliate, or whatever).

But the compromise of several dormant accounts makes it look very much as though something's gone wrong at Stars' end. In those circumstances I'm not sure your insistence that users should bear the consequences makes any sense at all. Stars makes a commercial decision to allow a degree of flexibility in deposits and cashouts; while this helps some users it's undoubtedly their policy because it helps them, not us, by getting money on the site for people to play with before full ID verification is complete (or, perhaps, started - at least when it comes to initial deposits).

So, Pontylad, here we have not only accounts that may have been compromised through no fault of the users, plus a number of features that customers see as red flags and expect the system to recognise, but also unauthorised deposits where the users are being told they have to pay the balance or cease playing at Stars. This does not currently appear to be a typical hack where the users are at fault. In these circumstances, do you honestly believe the users should bear the losses and the cost of chargebacks? Will you still believe that when it's your account that loses its balance and gets hit with a $1k negative balance for you to make good?

And anyway, if the free account security options (PIN, SMS verification) are to be a condition of Stars having no liability here, why are they even options?
03-22-2015 , 09:11 AM
Quote:
Originally Posted by thunderbolts
At present there is no indication of exploits at the users' end; a compromised Stars database (or similar) remains a real possibility.
Yes it is a possibility.

However, all of the cases that have been described in detail so far have had the 'remember password' option set, which means that their password is stored on their local PC (encrypted in the file user.ini). It seems to me that is a more likely source of the right first time login details.
03-22-2015 , 09:16 AM
Quote:
Originally Posted by d_smith77
Yup. Get an RSA token or even just a PIN and you have nothing to worry about.
We're not all super fkn nova. RSA costs many, many FPPs!!!!!
03-22-2015 , 09:28 AM
Hello,

We appreciate that this issue is important to many players. Thus, we've sought to answer a lot of your posts and questions here.

Quote:
Originally Posted by Tw1stedLog1c
Thanks for the reply Michael. I specifically asked support, 2 weeks ago, if they would block my account if

a) someone logged onto my account in a different country, or

b) tried to credit/cash out my Stars account with a bank/credit card or Neteller account etc. that wasn't in my name.

I was told this wasn't possible, can you explain why?
As this thread demonstrates, we need to increase awareness of the account security features we offer (and in some cases this will also extend to some of our staff). I have passed on this feedback accordingly for action internally.

The 'SMS Validation' service will do what you are (basically) seeking here: an additional level of account authentication if your account is accessed in a strange or unusual manner.

Quote:
Originally Posted by TheJacob
As someone said in this thread in the past you would receive emails asking you what was going on if there was suspicious activity on your account.

I'd fully expect to receive one of those emails even if you use a security token or SMS verification.
Accounts that have RSA tokens enabled or SMS Validation do not receive these emails.
Quote:
Originally Posted by UKZodiac
Hmmm is it though? I thought I should activate this so took a look and was disappointed to discover that it didnt work as most two factor authentication does..specifically that it doesn't insist on a code for every login or at least the first login from every device when first used after activation. Instead what we get is a vague statement that a code will be sent when unusual activity is detected, with no clarification of what criteria is used.
The 'SMS Validation' service will require you to provide a code that is sent via SMS in the situations that you describe.

We don't want to specify the exact criteria however we can clarify that device recognition is used during the process.

One of the things that we think is important is having flexibility to adjust our security mechanisms to reflect changes in security risks. Thus, we may want to have the function triggered in more places if a new risk arises... or for it to be triggered in fewer places if the threat passes.

Quote:
If you are going to do it, do it right. Insist on having the code used for every login, deposit, withdrawal and change of other account data. It will be more robust and give end users more confidence.
We offer RSA Security Tokens for players who want this level of security at every login and we are committed to offer equally good alternatives in the future.

As a concept, we believe that players are in the best place to decide if they want the very-high security of two-factor authentication at every login.

This is why players are given the choice to opt-in to the various enhanced security features we have available.

We offer a graduated series of options, from RSA Security Tokens at the high end, through to SMS Validation, through to PokerStars PIN, through to just passwords.
Quote:
Originally Posted by bjsmith22
The rest of Michael's post seems fine, but attempting to use that graph to show any meaningful conclusions is so lol considering this site is the home of "lol sample size"
The sample size is reasonable and significant - it represents 76 days of data. We are actively continuing our review and investigation into the recent hacks reported by our players.
Quote:
Originally Posted by orb_dam_u
4,7% drop and we still got 13 days to go. I think it will end the month + 3,5%.
No - the graph takes the average number of hacks per day, and is thus adjusted for the differing number of days in each month (31 in January, 28 in February, 17 in March).
Quote:
Originally Posted by ZenX
This quote bothered me the most. " Relatively low" I personally had approximately $38 in my account. Yes, 98% of two plus twoers would laugh out loud at this amount. After my account was hacked, which a Pokerstars investigation clearly showed was a deliberate hack on my account, my balance was -$159.16. Again, not an amount that would be considered anything but "relatively low" by Pokerstars standards.
We understand that account compromise is a frustrating occurrence, one which causes a high degree of inconvenience to our players. We think that you losing even $1 is too much. That's why we are actively monitoring the patterns you are reporting and we will always work hard to continue to adjust our efforts and technical developments in this area to provide the best service required to our players.
Quote:
Originally Posted by grant2
Krazykarter, I think you missed the point. (or maybe I did).
Monorail doesn't really want to restrict access to a single IP, he wants to restrict access to a single device
All this stuff about statis IP, defining ranges, blah blah blah is just confusing the "stupid people" who don't understand technology. (I believe you are suffering from the inverse, "stupid techie syndrome", where you get drawn into the technology discussion while missing the obvious use-case question that's really the point.)

Monorail, to answer what I imagine your question really is:

No, it is not particularly difficult to restrict account access to a single device or even a multiple of trusted devices. The fact that PS emails talk about "device fingerprints" proves they already are 70% of the way there.
We already offer this service in the form of 'SMS Validation'.

You can activate it by clicking on the 'Account' tab in the client and following the instructions there. We agree that there are a bunch of subtleties about IP ranges, devices, and so on, here. That's what the 'SMS Validation' service seeks to address.
Quote:
Originally Posted by Kralex
lol @ a drop in "reported" hacks.

Cause that totally means they are actually decreasing.

You have good PR people PokerStars..
Here's a more full explanation of what 'reported' means in this context:

a) A player needs to let us know - or agree with our assessment - that their account has been hacked. This is either because a player notifies us via email, or because we detected something suspicious and proactively looked into the case. I guess that it is theoretically possible that an account has been hacked and neither the player, nor PokerStars, is aware of it, but this seems to be an unlikely situation.

and

b) A staff member then needs to report the hack as part of their routine reporting processes so that our management team is aware of it. Of course, as with every process, errors can occur at times, but we believe that such errors are unusual.
Quote:
Originally Posted by Arcana
I've a question for Pokerstars Michael J (this is the only question I have asked, so please answer it):

What happens when the account holder himself decides to use a fraudulent credit card to deposit $1000 and then cash it out through Neteller directly afterwards? Will you stop them? Or does your security have flaws, making it impossible to do so?
We certainly try to stop fraudulent transactions. We're not perfect, but from our knowledge and research, we believe that our fraud rates are very low compared to others in the industry and online businesses in general.
Quote:
1) If indeed your security has flaws and you are not able to stop this, it means people can get away with stealing $1000 from your company easily.
2) If your security doesn't have flaws and you can stop this, then why did you not stop it in our case?
While it is not possible to prevent 100% of fraud, we are committed to ensuring that credit card fraud on PokerStars is maintained at very low levels, and we are satisfied this is the case generally. On occasions where we identify that improvements can be made (both from a transactional review or system settings) we endeavour to action all such matters as soon as possible, through detailed analysis of patterns and internal training.
Quote:
Originally Posted by Whitew1d0w
Hi Michael J,
I am wondering if you have looked at these issues from another perspective.
Recently, the OpenSSL Heartbleed bug was identified, as you or your security team will surely know (http://heartbleed.com).
In your terms of service (11.1, https://www.pokerstars.eu/poker/room/tos/), PS states that OpenSSL is indeed used for encrypted connections.

While the Heartbleed bug caused some worries, if PS updated the OpenSSL library on time, PS was never vulnerable (the unlucky thing is it is impossible to check whether you did it on time on your servers).
However, that is not what I'd like to address here.
OpenSSL has stated here (http://marc.info/?l=openssl-announce...3572011212&w=2) that there are several new vulnerabilities with severity classified as 'high' which will be fixed in a patch released today.

With vulnerabilities in the SSL connection, it could be possible to eavesdrop on network level, which would mean nobody's PC got hacked and no passwords were given out.

I think it's your security team's responsibility to find out whether that is a possibility or not. I would even understand if you wouldn't confirm problems like these in public. They simply need to be addressed to be 100% sure that no players in the future will be affected! Could you please let PS security team look into this?
For the record: I haven't been hacked. I just wanted to share my perspective, maybe it helps. Wondering if I get a response.
We released a statement on the Heartbleed issue a year ago, and it is online here:
https://www.pokerstars.com/en/blog/c...g-147634.shtml

I have, however, passed on your feedback to our Information Security Team.

Quote:
Originally Posted by J.A.M
Is the instant cashout after depositing a new feature or something? I've never been allowed to cash out until after 48hours have passed from the time I deposited.
It isn't quite that simple - the 48 hour function depends upon a whole series of different issues. We have actively reintroduced some restrictions while our review is ongoing.

For example, if someone has $500 in their account, deposits $10, the player is always able to withdraw the original $500. How we handle the cash outs for the remaining $10 depends on a whole series of factors including the deposit method, the account history of the player, and various other risk factors.

We are very reluctant to limit players being able to withdraw their own funds. We need to be careful about imposing rules upon a player's own money. We want such rules to be fair and reasonable for the vast majority of honest players, and thus, we think that the solution here is to be 'smarter' about such rules. This means making judgments based upon the risk, and we'll continue adjusting our judgments to ensure that player funds are safe and secure (yet also accessible). It is a balancing act, and we're going to keep working hard to maintain the right balance.


Quote:
Originally Posted by Iditard
Yes. For the third time: could an affiliate be the link?
Affiliates have no access to our internal account administration systems. Even staff with access to our internal account administration systems are unable to obtain passwords.

Quote:
Originally Posted by GMLAW
Sorry but that graph is terrible. Not only because it misses all the vital information to read it correctly, but also because it proves nothing. Sure, the total number of hacks may be declining (in a 3 month period without comparison to earlier months/years...), but what good does that information in this case?
That's all it sought to prove: that there is no sudden surge in hacking incidents.

Quote:
A trend in 2.5 months... of reported 'hacks'... So are these the exact same kind of hacks, or are hacks by friends who try your Hotmail password in your Pokerstars account also included?
They include all hacks that are reported to PokerStars as described above. We haven't sought to filter it in any way.

Quote:
I also don't understand that when players awareness of hacks rises, the reported number of total hacks declines. That seems to make zero sense.
Let me seek to clarify: In December 2014, we started sending automated emails when an account was accessed from a new location. As a result of those mails, player awareness of these issues has significantly increased.

Quote:
Originally Posted by NerdSuperfly
e.g. I know people who travel a lot and log in from different locations. It would be painful for them if they are on a road trip and have to confirm this with several poker rooms. What about business people who just want to play a quick session while in a hotel room? You might lose the best fish if you rule out that any login from a different location is okay.

There're plenty of cases where people change their IPs. There was also one hacking case where the attacker lived in the same country. How far away is too far away to be suspicious? Besides that, if a hacker gets your password, I guess he could (?) disguise his location too. So this idea of making PS safer is not very secure at all, but would rather make the service for players worse.
We think that the 'SMS Validation' mechanism makes a fair trade-off in cases like this - it uses (amongst other things) the device that you are playing from. In many cases, the actual device that you use to access PokerStars is in itself a strong indicator that it is 'really you' logging into your account.
Quote:
Originally Posted by krazykarter
FWIW, I agree with Monorail completely. It would be nice to restrict access to PS to a specific device (or set of devices) as well as from a specific location (or set of locations). That would make it easy to determine if the person logging in to the account is the actual account holder or not.
PokerStars agrees with both of you: and that's why we offer that feature as an option. Not every player will want it, but we believe it is important to offer that service to players who want it.

Quote:
Originally Posted by LektorAJ
I was prompted (.eu client) to add security questions yesterday. I wonder if they actually increase security though if they are going to be used like UK banks use them, in the belief that nobody could possibly know my mother's maiden name other than I, so if someone wants to pretend to be me they can use this publicly accessible data to convince people they are me and override other security measures.
As you identify, we're in the process of rolling out some new security measures - measures that we've been working on for a while. There's no single silver bullet for these issues, but rather, we think it is best to have a variety of complementary mechanisms to protect account security.
Quote:
I have now implemented SMS Validation so I am assuming that if anyone tries to log in from another network they will need a code which will go to me in an SMS text message, not to them. If I rightly understand how it works then this is actual decent security and this is what we should be recommending in the OP to this thread - and what Pokerstars should be prompting its users to set up when they login.
Yes, that's how it works. We agree with the feedback about doing more to encourage people to activate this function.

Quote:
Originally Posted by thunderbolts
Can Stars actually confirm this is not a problem at their end? Not yet, at least on the strength of what's being shared with us. Obviously their own investigation will be far more advanced than what is being discussed publicly
We can confirm that we have no evidence pointing to a breach or compromise on our end. If we did, we would take appropriate action - but we simply have no evidence of this being the case. Our monitoring and investigations are ongoing.

Quote:
For the avoidance of doubt, simply hashing a password database is not best practice when it comes to security. It does not guarantee that a miscreant (whether a rogue employee or some third party) can't get at the passwords. Salting the hash is better, and safer.
We agree. If I included every footnote and explained every word in great detail, our posts on here would become essentially unreadable by most people. Hence, this follow-up post to expand on some issues of particular interest to players.

Quote:
But either way, we have no information yet on when a database might have been compromised. Often when companies are hacked it is old information that is taken (because someone forgot that it existed and so didn't protect it). The fact that dormant accounts have been attacked (coupled with the fact that the attackers knows the passwords yet hasn't been able to compromise other accounts such as webmail, despite trying in at least the case of the OP) strongly suggests this as a possible explanation of what has happened.
Some hacked accounts haven't been active lately. Some have.

Quote:
1. How old is each compromised account?
It varies.
Quote:
2. When was the password last changed on each compromised account?
It varies.

On the hashing questions, I believe it is hashed, but haven't yet confirmed this with the relevant staff internally. We should be able to confirm this in the next few days.

Quote:
5. Can we rule out a compromised old Stars password database being the source of these hacks?
Quote:
The answer to this question is currently an emphatic no, whatever Stars wants us to believe.
There's no evidence of it being a compromised old database - and the evidence that we have makes this incredibly unlikely. After all, if there was a compromised old database we would expect that relatively new accounts and accounts with recently changed passwords would not be compromised, which is not the case here.

Quote:
6. What affiliates have people's passwords? I've never used one. Is this how it works?
No affiliates have access to any PokerStars passwords. No staff have access to any PokerStars passwords.

Quote:
7. What affiliate is common to those affected? (Again, currently no information.)
We see no indication of this at this point.

Quote:
8. Has everyone affected played via the mobile app? (The answer to this, given the dormancy of some accounts, appears to be a clear NO)
No.


Quote:
9. Stars - can you please confirm that the system is case-sensitive etc for security question answers? If not then these are practically worthless.
No they are not. Keep in mind that the security questions are not meant to be extra passwords. The security questions are an additional mechanism that is not replacing player passwords.


Quote:
Someone suggested locking accounts to an IP address. This is moronic, since most people's IP address will change frequently at the whim of their ISP (or on access point reboot). Relatively few people have static addresses.
While you're correct from a technical point of view, players in this thread are really just asking for an option to lock their account to secure/trusted places (and have a fast and secure method for unlocking). That's what we already offer in the form of the 'SMS Validation' service.

Quote:
Lastly, what if Stars traffic also declines in the period after Christmas (as is likely to be the case)? What then? If this is an attack somehow relating to compromises of the players' credentials (as Stars seems to want us to believe, and which in reality will only happen when they play) then the "reduction" does not exist at all.
You can see a reasonable indication of PokerStars traffic levels at pokerscout.com


Quote:

To put it simpler than above, if there were only three hacks:

1 for $10
1 for $57.09
1 for $75000

The median would still be $57.09, but the mean (average) would be $25,022.36. I trust we all can see the difference and can see why Stars using the median (hoping no one would notice, no doubt) is very disingenuous.
Your example is precisely why we used the median number, and we disagree that it is disingenuous: The one outlier of $75,000 is hardly representative of the remaining ones. I accept that there are only three pieces of data in your representative sample, but the data here is broadly similar to your illustration - most cases involve relatively small amounts of money, but there are a few big outliers.

This is because the data set here has a hard lower boundary (we have removed all the cases of 0 or below) and an effectively unlimited upper boundary (because there is no limit on player account balances).

In around half of cases, players lose no funds at all. Of the remaining half, a further half of those cases the players lose under $57.09. We think that this is more representative and relevant to most players. There are certainly some outliers where players lose bigger amounts.

Let me give you the hot tip that the idea of trying to trick the TwoPlusTwo forum with statistics is never going to be a good idea, and that's why we haven't tried to do so.

Quote:
Originally Posted by Sammy2bullets
I don't think anyone doubts that he only posts the info he is allowed to. Josem is not Pokerstars, we know that.
I work as part of a team. The things that I say here are the product of internal team discussions, but they are always my honest and genuinely-held beliefs.

PokerStars hasn't ever asked me to say anything that I didn't genuinely believe to be true, and if they did, I would obviously decline to do so.

Quote:
Originally Posted by JustASpectator
I don't know anything about him other than his posts on here. To me, it appeared that one purpose of his post was to downplay the severity of the financial loss to a player if his/her account is compromised.
We think that the severity to each individual hacked account is serious. That's why we're always working on new ways for helping prevent these, but we also believe account security is a joint responsibility.

Quote:
I don't doubt his abilities or his personal integrity, but he's obviously going to do everything he can to protect the company he works for, including posting numbers that aren't entirely meaningful but are better PR than more meaningful numbers.
We think that the data that we have published is meaningful and fair representations of what has happened here.

Quote:
Given the below options:

1. The mean loss per account compromise is much LESS than the median loss per account compromise.

2. The mean loss per account compromise is about the same as the median loss per account compromise.

3. The mean loss per account compromise is much MORE than the median loss per account compromise.

Which do you think is more likely to be true?
Spoiler:
My net worth is on option 3.
Absolutely #3 is correct - for the reasons explained above.

Quote:
Originally Posted by carradioyes
Still haven't seen an explanation as to why Stars doesn't block unexpected log-ins from a different country.
The definition of 'unexpected log-ins from a different country' is a little more complicated than what it is conveyed in the thread. Instead, we give players the ability to block unusual/unexpected logins with the 'SMS Validation' mechanism.

Quote:
Originally Posted by Donkem
That prob would be a bad thing, sometimes I go on vacation and want to play, and probably so many others. But they could block as default and then quickly reactivate after we send an email to support.
We have a faster and better option here - 'SMS Validation'.

Quote:
Originally Posted by Benjola
This is the most shocking discovery to me.

I have had a PS account since early 2003 and have deposited and cashed out many times over the years, and up until this thread I was 100% confident that they don't let you add any kind of account that's not in your name for deposits and cashouts, and cashouts were only allowed after a minimum of 24hrs after deposit if I remember correctly. This whole thing is just absurd.
We sometimes apply cashout restrictions. There's no 'simple' answer to these issues - rather, there are a whole series of interrelated and interdependent processes at play here.

Quote:
Originally Posted by William Murderface
Simple solution to stop all unauthorized withdrawals from a hacked account:

Player requests withdrawal through client.
Site then sends an automated email to the player's registered email account on file.
Player must then click the link in email authorizing the withdrawal. The link contains a unique token number that corresponds to the withdrawal request. Email also includes a link that if player did not initiate this withdrawal, click here and account immediately gets locked.
The IP address that clicks the authorization email must be the same IP address that initiated the withdrawal request.

This method would literally stop all unauthorized withdrawal requests dead in their tracks, unless the hacker has access to both the victim's poker account and email account. It wouldn't stop chip dumps, but that's another story.
We don't think that emails are the solution here, because the group of hackers who can gain access to your PokerStars account has a very large overlap with the people who can gain access to your email account.

Instead, we're giving players the option of two-factor authentication in the form of SMS Validation and RSA Security Tokens which largely avoids that problem.

Quote:
Originally Posted by Auca32
I highly doubt pokerstars are paying 95 dollars for the RSA tokens. Everyone using pokerstars.dk (Denmark) have to log in using a code card. The code cards are mailed to everyone in Denmark for free and used for bank transfers, personal data etc. as well. If you want to, you can buy a token similar to the RSA tokens for about 14 dollars and use it instead of the code cards. More countries should do this.
We really are, including shipping. That's what it costs us.

Quote:
Originally Posted by Benjola
I have had an RSA token-like thingy on Skrill for a long time, paid Skrill around €15 for it. $95 my azz..
When we developed these things (back in 2008 - as an aside, that was my first significant project at PokerStars) we investigated a variety of providers. We recognise that there are cheaper alternatives, and, I think, RSA might have been the most expensive. However, it was our evaluation that RSA was the most secure and reliable. RSA is also what we use for our own internal staff too.

Quote:
Originally Posted by warrenBluffit
Come on, how many millions do Stars make off players depositing money on their site and they still want to charge the same players to secure their accounts. Now that is BS.
The most expensive option - RSA tokens - is also subsidized. As previously mentioned we offer a variety of options, and encourage you to use the SMS Validation service, which gives you most of the benefits of two-factor authentication and is free.

Quote:
Originally Posted by CashW

For those who want a more secure environment - as previously stated, obviously you should order an RSA Token. But also don't forget to secure the mail account linked to your poker account and ensure your login credentials are not easily accessible to unauthorized parties.

Gmail, for example, allows you to use SMS-Verification also for every new login to your account which makes it quite secure. Activate it in the options! If you use a mail provider that doesn't offer any security, consider changing.
The Gmail SMS verification system is very similar to the PokerStars SMS Validation option, but as always we will always look for alternative avenues to offer even better security features and options.

Every time a player reports a potential account compromise, each case is analysed thoroughly. We always seek to prevent loss as much as possible and take the necessary actions in securing the accounts immediately and tracing funds moved during the unauthorized session/s.

We started sending automated emails a few months back when an account was accessed from a new location - this was to increase player awareness and allow players to report any unrecognised activity to us as soon as possible.

Sincerely,

Michael Josem
PokerStars Communications Team
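The device-plus-location logic the reply describes for 'SMS Validation' and the new-location e-mails, written out as an added illustration that is not PokerStars code: the account profile, device ids, countries and decision rules below are constructed assumptions, chosen to show why a known device passes the road-trip case while an unknown device gets a challenge.

```python
"""Risk-based login step-up, modelled on the thread's discussion of
'SMS Validation' (device as the strongest 'really you' signal) and the
new-location alert e-mails.  Illustrative code only; all data constructed."""
from dataclasses import dataclass, field


@dataclass
class LoginEvent:
    account: str
    device_id: str      # hypothetical stable fingerprint of the client install
    country: str        # hypothetical geolocation of the source address
    sms_enrolled: bool  # has the player opted in to SMS Validation?


@dataclass
class AccountProfile:
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    alerts: list = field(default_factory=list)  # stands in for the e-mails sent


def evaluate_login(profile: AccountProfile, ev: LoginEvent) -> str:
    """Return 'allow', 'sms_challenge' or 'alert_only' for one login attempt.

    Rules (assumed, not PokerStars'):
      * known device, known country  -> allow silently
      * known device, new country    -> allow (trust the device), but alert,
                                        which covers the road-trip case
      * unknown device               -> challenge via SMS if enrolled, else we
                                        can only send the new-location alert
    A brand-new profile (no devices yet) raises no alert; there is nothing
    to compare against.
    """
    new_device = ev.device_id not in profile.known_devices
    new_country = ev.country not in profile.known_countries

    if not new_device and not new_country:
        return "allow"

    if profile.known_devices:  # skip alerts on the very first login
        profile.alerts.append(
            f"{ev.account}: login from unrecognised device/location "
            f"({ev.device_id}, {ev.country})"
        )

    if new_device:
        return "sms_challenge" if ev.sms_enrolled else "alert_only"
    return "allow"  # known device, new country


def record_success(profile: AccountProfile, ev: LoginEvent) -> None:
    """After a login is confirmed, remember the device and country."""
    profile.known_devices.add(ev.device_id)
    profile.known_countries.add(ev.country)


if __name__ == "__main__":
    p = AccountProfile()
    home = LoginEvent("alice", "dev-A", "DK", sms_enrolled=True)
    print(evaluate_login(p, home))  # unknown device on an enrolled account
    record_success(p, home)
    print(evaluate_login(p, LoginEvent("alice", "dev-A", "ES", True)))  # road trip
    print(evaluate_login(p, LoginEvent("alice", "dev-X", "RU", True)))  # stranger
    print(p.alerts)
```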