Many Pokerstars accounts hacked recently, Stars accepts no liability

03-18-2015 , 06:43 AM
Quote:
Originally Posted by Masq
Lee Jones has nothing to say about this? He often appears in other Stars threads in NVG.
When someone praises stars he is the first to show up and write all sorts of bs. If things go the other way though, that guy won't post a single word.
03-18-2015 , 06:52 AM
seems really bad on pokerstars part, really losing hope with the lacklustre security!

so about RSA tokens, what about fulltilt poker? you cannot buy an RSA token! nor do ur mobile rsa code mobile sms feature neither work! are our accounts liable? totally shocked by it all tbh, but then again, pokerstars has been going downhill a while now !
03-18-2015 , 07:05 AM
I remember back in the day pre-BF, I cashed out from my PS account a lot when I was travelling and needed cash on my credit card. Stars security always sent me an email asking me to confirm that it's me who is trying to cash out from Vegas or wherever right now.

I wasn't too happy about the process being slowed down by a couple hours at least, but it always made me feel my money was safe there.

That said, it's a little hard for me to feel sorry for people who didn't use any of the security features stars offers.

This morning when I logged into Stars, I got a pop-up that told me about some additional security questions I could use.

Last edited by madlex; 03-18-2015 at 07:10 AM.
03-18-2015 , 07:06 AM
Quote:
Originally Posted by ZenX
What's the point of having responsible gaming features if they can be changed that easily? (I had these limits for many months, apparently Pokerstars policy is that after 7 days you can change the settings. I wasn't aware of this. I actually thought that if you wanted to change them that there was a 7 day waiting period, which makes much more sense.) If they had respected the limits I had set, none of this would have happened..
I would have expected that as well. It seems like a very reasonable expectation. The whole point is to have a future self-binding effect with a time delay. And it would have prevented much of the damage.
03-18-2015 , 07:28 AM
I am VERY surprised that all these operations were possible. I also remember that every time I tried to do a financial transaction on PS from a different location they always checked before processing it that it was really me who did it. Always felt that the security procedures of the website were strong enough, apparently not at all.

I am also shocked at the way Pokerstars support is handling this. They probably very well know that the breach is likely to come from somewhere else than the customer (and probably a good chance that it comes from them) - but as they can cover their ass with their t&c bull****, they blame everything on the user because they perfectly know that it's a case where he absolutely can't prove 100% that his password was not compromised on his end.

But as previously stated in the thread, they ****ed up so many times by not noticing any of the red flags that it's not even close as to who should take responsibility for the hacking.

It's sad that the community has to stay vigilant on everything now to avoid getting screwed. At least before I always felt that I could trust Pokerstars. Now I just see them as another greedy company (but apparently, they're now happy with being just "not worse than our concurrents")
03-18-2015 , 07:36 AM
Quote:
Originally Posted by ratslla
When someone praises stars he is the first to show up and write all sorts of bs. If things go the other way though, that guy won't post a single word.
isn't he the head of onlinepoker communication or some other sort of player-communication?


lee bro, where are you?
03-18-2015 , 08:11 AM
Quote:
Originally Posted by ratslla
When someone praises stars he is the first to show up and write all sorts of bs. If things go the other way though, that guy won't post a single word.
Sometimes if you pester him enough he will show up and tell us how he's not going to tell us anything.
03-18-2015 , 09:41 AM
Quote:
Originally Posted by UPAY4DINNER
Been following this and the first thread.

Just logged in and was given the option of adding two security questions to further enhance security on my account.

Assume this will happen to everyone else.
These questions have been appearing on login for at least a week, possibly a bit longer (UK account).
03-18-2015 , 09:46 AM
As for a link between the accounts, the possibility remains that this is the result of a compromised password database, whether at Stars' end or via an affiliate (if they have that info?)

One possible link would be the age of the accounts and when (if ever) their password was last changed. One can imagine that if an old db (i.e. one dating from before when Stars started hashing passwords etc) was compromised, then only the accounts with no subsequent password change would be exploited.

So I propose, as I did in the other thread, that people affected also confirm the age of their account and when they think they last changed the password before this attack (if they had done so at all).

It might also be worth people confirming if they have played on the mobile app (and if so on what platform) in case that's common to all and a possible vulnerability - I know some have mentioned it.

A related point: Michael J confirmed in the other thread that the current password db is hashed. If (1) the database has always been hashed; and (2) it's salted as well; I think those are reassurances which it would be helpful for Stars to offer.

Last edited by thunderbolts; 03-18-2015 at 09:55 AM. Reason: re hashing/salting
03-18-2015 , 09:47 AM
How on earth does Stars allow people to both play with uncleared funds (though I don't really care about that as a player) but more importantly withdraw uncleared funds. How are funds segregated, as Stars tells us all the time, if they don't have them to segregate?
03-18-2015 , 09:58 AM
Do we have a view yet on when the last time was that the victims changed their passwords? With dormant accounts, this clearly has been a long while, but some people say their accounts were not dormant.

The Stars rep seems confident that there was no breach at their end, and that they use password hashes with salts (I would be shocked if they did not). However, while I don't know what intrusion detection/prevention measures they have in place, one should not rule out the possibility that (part of) their password db was leaked and they have no trace of it. This may even have been a long time ago. Once you have the hashes+salt, you can still try brute-forcing it to recover the passwords. This would explain why the hacks seem rather distributed over time (with the earliest report being November). I'm still doubtful this was what happened though since some folks here already mentioned they had a pretty complex/long password and I would expect those to withstand a brute force until news of an attack gets in the open.
03-18-2015 , 10:29 AM
The emails posted ITT seem to be template replies from lower level employees. Everyone reading this thread who doesn't have an RSA token should email Stars right now and ask them about their security measures: what happens when someone logs in from an unknown device, what happens when someone logs in from a different country, what happens when someone deposits and/or withdraws with a previously unused method etc. This might get someone in charge to review their processes.
03-18-2015 , 10:39 AM
Did you guys have an Adobe account? Adobe had a major breach a year ago and I remember some hackers trying to get into my email and facebook accounts with the stolen password.
03-18-2015 , 10:42 AM
Quote:
Originally Posted by ohmyquad
at least PS could add an option to lock account to ip/location/device
That's not necessary to prevent what is happening here.

Security measures that are pretty standard would have prevented the fraud being described in these threads.
03-18-2015 , 10:52 AM
Quote:
Originally Posted by Monorail
Is it technologically all that difficult for sites to add an option that would allow a player to limit account access to a single IP? Seems like a piece of cake, no? 99% of the time I play from home...sites should allow me to restrict login access to my poker account from ONLY a single IP. I could toggle that option off if I knew I was going to be traveling or if I wanted to play from a different location. Some people have dynamic IPs, sure, but this would still be worth it for people playing from static IPs (or let people specify, I dunno, an IP range, or a specific ISP).

What am I missing? Isn't this easy, and while not bulletproof I'm sure, wouldn't it provide an additional and pretty comforting layer of security?
No, this is not possible. IP addresses have an expiry date. Even if you played from the same location connected to the same network every time, there is still an extremely high chance that your IP address will change at some point.

Yes, there is an option for a network to use a static IP address, but almost nobody knows about it and just assumes their IP address never changes.

As for allowing people to specify a range of IP addresses, no, that is also a horrible idea. (Most) people are stupid when it comes to anything technology related, especially when it comes to anything network or computer related. Allowing people to specify something like an allowed IP address, or range of addresses, is highly likely to cause more harm than good.
03-18-2015 , 11:44 AM
My speculation: To me this problem comes from the history of Pokerstars. In the other thread someone posted that PartyPoker requires that deposits and withdrawals only be to and from cards registered to the same person as the account holder because they are not a money-transfer service. Unibet have a similar rule.

Now unlike those two sites, Pokerstars has earned its hero status in the poker community for being brave enough to keep the games running in the 2006-2011 period, at a time when people were getting money onto the site in all kinds of irregular ways. People making a profit online were transferring credits to other players in return for offline cash or person to person bank transfers. The functionality of pokerstars that it can be used as a quick anonymous money transfer service between e.g. Canada and Poland was probably intended when it was first built in.

However this is a different era now. Pokerstars is regulated (by someone other than Kahnawake) and has KYC obligations and should start to follow industry standards. We no longer need you to turn a blind eye to our accounts being shared with someone in another country, we need you to restrict access to just us.

Allowing people to insta-cashout probably comes from that time too. With so many dodgy underfunded poker sites around they really didn't want people starting threads saying "OMG I've been waiting 4 days for my Pokerstars cashout". At one time I was Betfair premium charge payer (like SNE in terms of bragging rights but actually with worse terms than normal customers) making regular withdrawals and their terms are that withdrawals are going to take 5-7 days. You don't start to question whether or not they have the funds on hand because it's Betfair FFS. Pokerstars has that kind of status now and should just implement industry standard waiting times - or at least 24 hours so there is time for someone to come into work and put a manual stop to any withdrawals that need to be more closely investigated - we believe you have the money to pay us.
03-18-2015 , 11:47 AM
In on the biggest debacle since Arts
03-18-2015 , 11:50 AM
Lol all this trouble and I can't even deposit on stars with my OWN credit card.
03-18-2015 , 02:24 PM
Hello,

PokerStars is monitoring the discussion of account hacking in this thread.

Let us provide some information which we believe will help you understand the context of this issue.

Firstly, the frequency of hacks at PokerStars has been decreasing during 2015. The chart below shows the frequency of hacks per day that have been identified and reported by our staff on a monthly basis for 2015 through 17 March (inclusive).



While we will not provide absolute numbers, the trend for the last 2½ months shows that there is no sudden spate or recent surge of account hackings. The only thing that has changed has been player awareness of the issue – awareness that has been partly caused by PokerStars instituting heightened security in the form of new notification emails when a PokerStars client is accessed from a new location.

We believe that the best defence against hacking is to prevent hackers accessing accounts in the first place. We support players keeping their login credentials secure by a whole series of different mechanisms, including, our hashing* of passwords, and giving players the option of enabling RSA Security Tokens, PokerStars PINs and SMS Validation. Literally hundreds of thousands of players log in every day in a safe and secure manner.

Even after a hacker gains access to a player’s login credentials and accesses an account, PokerStars works to minimise the financial harm caused. Of the hacks that have been identified to PokerStars, despite players (often inadvertently) giving their account login credentials to unauthorised users, PokerStars was still able to ensure that no funds were lost in about 52% of the cases in January and February. We compile an internal report at the end of each month and see no significant deviation from that trend so far in March.

Even when harm is caused to player accounts, the amount of harm caused is relatively low in absolute terms, but PokerStars wants to continue to reduce this further. Of the remaining 48% of cases from earlier this year where hackers have been able to cause financial harm, the median loss to each player per hack was $57.09.

Going forward, we have two key strategies to further reduce the already-decreasing frequency of accounts being ‘hacked’. We will more actively promote account security enhancements to players to make their account more secure. In addition, we will continue to improve our system for evaluating risky cash-outs. We continually refine our cash-out systems to combat overall fraud trends, and we want to keep the frequency of hacked accounts moving in a downward direction.

Let us also address some of the other issues raised in this thread:

-In many of the cases claimed in this thread, players have posted emails from PokerStars explaining that there were no failed password guesses. This strongly suggests that the hackers knew the passwords.

-Because PokerStars follows the best-practice security guidelines for storing passwords, we don’t store a copy of a player’s password that can be decrypted. Thus, we can’t review the strength of passwords of the players who were hacked, and have only limited ability to evaluate how those passwords might have been obtained by the hackers.

-There is no evidence of any misbehaviour by PokerStars insiders in this situation. Because PokerStars passwords are hashed, even if a PokerStars insider were somehow able to gain access to the password database, they would not be able to decrypt a player’s password.

-PokerStars affiliates have no access to our internal systems for administering player accounts. They do not have access to any special information that would enable them to gain unauthorised access to player accounts.

-PokerStars has no way of unilaterally determining if the affected players all used the same password at another online service, or whether the players have fallen victim to a particular piece of malicious software. Instead, we are continuing to investigate what commonalities exist between players. In this context, it is worth noting that while some of the posters in these threads have some things in common with other players, there are others that appear to be entirely unrelated.

-Some players have suggested that PokerStars should send a code to the email or phone of players when their account is accessed from a new location. PokerStars already offers this option – we call it ‘SMS Validation’ and it can be activated in the PokerStars software for free. Click on the ‘Account’ tab in the PokerStars lobby.

PokerStars is continuing to investigate these issues, and we believe that account hacking is going to be an ongoing challenge. The measures that we’ve taken in recent years have done a lot to improve account security, and we are going to keep working in this area to further reduce the risk to players.

Sincerely,

Michael Josem
PokerStars Communications Team

*A technical description of hashing and why it is stronger for protecting passwords than other forms of encryption is available online here: https://en.wikipedia.org/wiki/Crypto..._hash_function
03-18-2015 , 02:37 PM
Thanks for the reply Michael. I specifically asked support, 2 weeks ago, if they would block my account if

a) someone logged onto my account in a different country, or

b) tried to credit/cash out my stars account, with a bank/credit card or net teller account etc that wasn't in my name.

I was told this wasn't possible, can you explain why?
03-18-2015 , 02:38 PM
Thanks for replying to this thread Michael. However, I am going to post a question for the 3rd time as it has not yet been answered and I think it's pretty important as far as security goes.

Quote:
Originally Posted by Arcana
I've a question for Pokerstars Michael J (this is the only question I have asked, so please answer it):

What happens when the account holder himself decides to use a fraudulent credit card to deposit $1000 and then cash it out through Neteller directly afterwards? Will you stop them? Or does your security have flaws, making it impossible to do so?


1) If indeed your security has flaws and you are not able to stop this, it means people can get away with stealing $1000 from your company easily.
2) If your security doesn't have flaws and you can stop this, then why did you not stop it in our case?

Worth noting here, I am not even talking about a hacker entering an account with a FOREIGN IP address raising all kinds of red flags in the process and then do a thing like this. No, I am talking about normal customers, being able to deposit with a fraudulent credit card and then cashing out soon after, never returning to Pokerstars leaving the company to cover the debts.
03-18-2015 , 02:54 PM
Quote:
Originally Posted by insidemanpoker
Stars should be displaying a hell of a lot more nuance and reasonableness in their approach than they are exhibiting with their actions and posts.

The way they are acting like their hands are clean here is utter nonsense. If they decide to take the approach of letting a deposit show in a cashier ready for play (or CASHOUT????) before they have processed it in such a way that a charge back is not possible that should be 100% THEIR PROBLEM. They don't have to do this. They choose to do this because they think it makes them the most money and they should assume all the risk for doing it. And oh, haven't they heard of FTP circa 2011? Perhaps this isn't a good idea? Charge backs don't have to exist on Stars but they choose to allow this problem to exist for the sake of profit. That's a calculation they can make but shouldn't be the problem of a victim of a hack.

It is also astonishing how they fail to make some very logical and simple security improvements that would prevent the majority of hacks. There is nothing that advanced about having extra verification required when signing on from a new location and yet they can't even make that an option? So when a player logs in 100x in a row from London and then 10 minutes after his most recent log in from London he logs in from Moscow, deposits with a new credit card, dumps some money, and cashes out, Stars will claim they are not responsible? Are you kidding me? They have all the required information to, if nothing else, immediately freeze the account until receiving some kind of extra verification of what is going on.

This is really disturbing and given how important it is to their business that customers feel secure with their money on the site it is really surprising how limited their liability goes. Banks back people 100% for loss in the result of hacks. Credit cards back people 100% in the event of theft. Pokerstars is there for people 0% in the event of hack. I'm not saying they should be there 100% in the same way as a bank, but they should be coming from a place of being as helpful and reasonable as possible, not of 'our terms say we take no responsibility so, bye.'

I hope they consider improving both their security and their response to hacks so players can trust them more with their funds.
Very well said. I live in the US and so haven't been able to play on Stars for years. I always talk them up to people as the gold standard of internet poker and was always impressed by their attention to detail/thoughtfulness about player policies when I played there. It is shocking to me that they seem to have put so little thought into basic deposit/cashout security measures.
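The checks asked about in this thread (a login from an unknown device or a different country, a deposit or withdrawal with a previously unused method, and the London-then-Moscow sequence quoted above) can be written as a scoring rule that runs before a cash-out is released. This is an added example, not part of any post and not PokerStars' system; the `Baseline` structure, the weights, the 24-hour window, the thresholds and all sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str            # "login", "deposit" or "withdrawal"
    country: str = ""    # GeoIP country of the session (login only)
    device: str = ""     # device fingerprint (login only)
    method: str = ""     # payment instrument id (deposit/withdrawal only)

@dataclass
class Baseline:
    """What the account has used before (hypothetical structure)."""
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    methods: set = field(default_factory=set)

WINDOW = timedelta(hours=24)   # assumed: how long a risk signal stays relevant
HOLD_AT = 3                    # assumed: score that freezes the cash-out

def assess_withdrawals(baseline, events):
    """Return one (decision, score, reasons) tuple per withdrawal event."""
    signals = []      # (timestamp, points, reason) raised so far
    decisions = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login":
            if ev.country not in baseline.countries:
                signals.append((ev.ts, 2, f"login from new country {ev.country}"))
            if ev.device not in baseline.devices:
                signals.append((ev.ts, 1, f"login from unknown device {ev.device}"))
        elif ev.kind == "deposit":
            if ev.method not in baseline.methods:
                signals.append((ev.ts, 2, f"deposit with unused method {ev.method}"))
        elif ev.kind == "withdrawal":
            # Only signals raised within WINDOW before this cash-out count.
            hits = [(p, r) for ts, p, r in signals if ev.ts - ts <= WINDOW]
            if ev.method not in baseline.methods:
                hits.append((2, f"withdrawal to unused method {ev.method}"))
            score = sum(p for p, _ in hits)
            if score >= HOLD_AT:
                decision = "HOLD"       # freeze until manually reviewed
            elif score > 0:
                decision = "CONFIRM"    # ask the account holder, e.g. by email
            else:
                decision = "ALLOW"
            decisions.append((decision, score, [r for _, r in hits]))
    return decisions

def t(hour, minute):
    """Timestamp on the constructed sample day."""
    return datetime(2015, 3, 18, hour, minute)

# Constructed sample data: an account always used from GB on one device.
BASELINE = Baseline({"GB"}, {"dev-home"}, {"card-A"})
SAMPLE_EVENTS = [
    Event(t(9, 0), "login", "GB", "dev-home"),
    Event(t(9, 10), "withdrawal", method="card-A"),
    Event(t(9, 20), "login", "RU", "dev-unknown"),
    Event(t(9, 25), "deposit", method="card-B"),
    Event(t(9, 40), "withdrawal", method="wallet-C"),
]

if __name__ == "__main__":
    for decision, score, reasons in assess_withdrawals(BASELINE, SAMPLE_EVENTS):
        print(decision, score, reasons)
```

The middle tier corresponds to the email confirmation one poster describes receiving when cashing out while travelling; the hold tier is the account freeze the quoted post asks for.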
03-18-2015 , 02:59 PM
Hello Michael, it's reassuring that you are getting involved ITT and I hope it continues. I would be very interested to see the data you posted below compared with the same period in 2014. A larger sample of data will give us all a better indication as to what trends are at play.

Quote:
Originally Posted by PokerStars Michael J



Last edited by Spudhead; 03-18-2015 at 03:02 PM. Reason: data
03-18-2015 , 03:00 PM
Quote:
Originally Posted by PokerStars Michael J
Hello,

Of the hacks that have been identified to PokerStars, despite players (often inadvertently) giving their account login credentials to unauthorised users,
03-18-2015 , 03:02 PM
~10% drop in 2 months wow congrats. **** amaya
