Hello,
PokerStars is monitoring the discussion of account hacking in this thread.
Let us provide some information which we believe will help you understand the context of this issue.
Firstly, the frequency of hacks at PokerStars has been decreasing during 2015. The chart below shows the frequency of hacks per day that have been identified and reported by our staff on a monthly basis for 2015 through 17 March (inclusive).
While we will not provide absolute numbers, the trend for the last 2½ months shows that there is no sudden spate or recent surge of account hackings. The only thing that has changed has been player awareness of the issue – awareness that has been partly caused by PokerStars instituting heightened security in the form of new notification emails when a PokerStars client is accessed from a new location.
We believe that the best defence against hacking is to prevent hackers accessing accounts in the first place. We support players keeping their login credentials secure by a whole series of different mechanisms, including our hashing* of passwords, and giving players the option of enabling RSA Security Tokens, PokerStars PINs and SMS Validation. Literally hundreds of thousands of players log in every day in a safe and secure manner.
Even after a hacker gains access to a player’s login credentials and accesses an account, PokerStars works to minimise the financial harm caused. Of the hacks that have been identified to PokerStars, despite players (often inadvertently) giving their account login credentials to unauthorised users, PokerStars was still able to ensure that no funds were lost in about 52% of the cases in January and February. We compile an internal report at the end of each month and see no significant deviation from that trend so far in March.
Even when harm is caused to player accounts, the amount of harm caused is relatively low in absolute terms, but PokerStars wants to continue to reduce this further. Of the remaining 48% of cases from earlier this year where hackers have been able to cause financial harm, the median loss to each player per hack was $57.09.
Going forward, we have two key strategies to further reduce the already-decreasing frequency of accounts being ‘hacked’. We will more actively promote account security enhancements to players to make their account more secure. In addition, we will continue to improve our system for evaluating risky cash-outs. We continually refine our cash-out systems to combat overall fraud trends, and we want to keep the frequency of hacked accounts moving in a downward direction.
Let us also address some of the other issues raised in this thread:
- In many of the cases claimed in this thread, players have posted emails from PokerStars explaining that there were no failed password guesses. This strongly suggests that the hackers knew the passwords.
- Because PokerStars follows the best-practice security guidelines for storing passwords, we don’t store a copy of a player’s password that can be decrypted. Thus, we can’t review the strength of passwords of the players who were hacked, and have only limited ability to evaluate how those passwords might have been obtained by the hackers.
- There is no evidence of any misbehaviour by PokerStars insiders in this situation. Because PokerStars passwords are hashed, even if a PokerStars insider were somehow able to gain access to the password database, they would not be able to decrypt a player’s password.
- PokerStars affiliates have no access to our internal systems for administering player accounts. They do not have access to any special information that would enable them to gain unauthorised access to player accounts.
- PokerStars has no way of unilaterally determining if the affected players all used the same password at another online service, or whether the players have fallen victim to a particular piece of malicious software. Instead, we are continuing to investigate what commonalities exist between players. In this context, it is worth noting that while some of the posters in these threads have some things in common with other players, there are others that appear to be entirely unrelated.
- Some players have suggested that PokerStars should send a code to the email or phone of players when their account is accessed from a new location. PokerStars already offers this option – we call it ‘SMS Validation’ and it can be activated in the PokerStars software for free. Click on the ‘Account’ tab in the PokerStars lobby.
PokerStars is continuing to investigate these issues, and we believe that account hacking is going to be an ongoing challenge. The measures that we’ve taken in recent years have done a lot to improve account security, and we are going to keep working in this area to further reduce the risk to players.
Sincerely,
Michael Josem
PokerStars Communications Team
*A technical description of hashing and why it is stronger for protecting passwords than other forms of encryption is available online here:
https://en.wikipedia.org/wiki/Crypto..._hash_function