Many Pokerstars accounts hacked recently, Stars accepts no liability

10-11-2018 , 07:39 PM
Quote:
Originally Posted by vherreral
Are these kind of links safe?
Not as a default, as you don't know what there is. Or if you limit your browser and so on and never click anything there, it might be safe, but who knows.

The safest is to use another computer, e.g. a tablet to visit unknown sites as one can clean it with a push of the button (losing all but what it was when you bought it).

What comes to the knowledge there, it seems hackers prefer to lose the account money to other players, including to the player(s) cashing it out.

The hacker can make a new deposit/withdrawal method, and you are not protected well enough; a couple of days (you might get an email of the deposit, and other things to think about here) or a raking need that takes minutes as far as the small deposit amount goes.

The link lists ways to protect so the hacker e.g. never gets into your account in the first place.
10-12-2018 , 05:24 AM
Quote:
Originally Posted by SalmoTrutta
Bad idea. You want people to be able to login from wherever without carrying a token and waiting for it to be mailed out before getting in on the action etc. The day hopping onto the table isn't a casual matter the site dies.

Being able to connect a new neteller account just like that as a thief is the absurd part in this. Many other sites will only allow you to withdraw to the same card/account you deposited with, otherwise you have to go through a verification process with support etc.
After I had an issue with my account a few years ago stars told me to start using the keypad the 1 which comes up after entering your P.W & every time you log in the numbers move around.

They should make that 1 mandatory for everyone since they have it if it's going to add some extra security.

I agree it's CRAZY how someone could add a new neteller account & withdraw.
10-12-2018 , 08:26 AM
Quote:
Originally Posted by pucmo
Not as a default, as you don't know what there is. Or if you limit your browser and so on and never click anything there, it might be safe, but who knows.

The safest is to use another computer, e.g. a tablet to visit unknown sites as one can clean it with a push of the button (losing all but what it was when you bought it).

What comes to the knowledge there, it seems hackers prefer to lose the account money to other players, including to the player(s) cashing it out.

The hacker can make a new deposit/withdrawal method, and you are not protected well enough; a couple of days (you might get an email of the deposit, and other things to think about here) or a raking need that takes minutes as far as the small deposit amount goes.

The link lists ways to protect so the hacker e.g. never gets into your account in the first place.
ehh maybe a PSA here re: that link- i dont think i'd even click it tbh. "pokeroff" (staking organization run out of russia by max katz, i think) bought a large chunk of my main event action a few years back- everything went smoothly. then the next year i tried to contact a couple of them to see if they were interested again and the website was down, the email links were broken, couple of the liaisons were nowhere to be found, so i just kinda shrugged and assumed they went busto and i sold off to others instead.

i'd be extremely skeptical of any "pokeroff.ru" link, particularly any having anything to do with hackers.

note that i'm not implying anybody from pokeroff is trying to hack or scam people, but that hackers may have co-opted the website domain and are getting people that way
10-12-2018 , 08:32 AM
Quote:
Originally Posted by I_C_YA_KARDZ
After I had an issue with my account a few years ago stars told me to start using the keypad the 1 which comes up after entering your P.W & every time you log in the numbers move around.

They should make that 1 mandatory for everyone since they have it if it's going to add some extra security.
The numeric keypad was good, 10 years ago, when it was introduced, against certain, limited threats. Particularly, it was useful for people who were crap at creating unique passwords (lol, WSOP2004), and helped people who were at risk of having a family member log on to their device without their authorisation. Thus, it helped against "accidental" or less sophisticated offenders.

However, the keypad thing is pretty mediocre at defending against determined malicious hackers who can obtain a victim's email address, since it can easily be reset by email.


Instead, to combat against the sorts of threats at risk in this thread and more common these days, PokerStars should make this far more prominent/default/mandatory: https://www.pokerstars.com/poker/roo...smsvalidation/

The widespread adoption of SMS Validation by PokerStars customers would substantially reduce the risk of hackers like those that have plagued this thread, and that are likely to be common in the near future.
10-12-2018 , 10:18 AM
Having read a bunch of this thread, and with no dog in the fight, I wasn't hacked and I live in the US so don't play on stars...

1) I think dual layer token type logins would obviously help.
2) There is next to zero chance that Pokerstars' passwords haven't been hacked from the source. Too many people with unique passwords to Pokerstars having only their Pokerstars stuff stolen.

So both sides of this debate are right. Pokerstars however is wrong.
10-15-2018 , 05:58 AM
^ It was pretty much confirmed ITT (by the question being repeatedly ignored) that the passwords were stored in hashed but not salted form, which is not secure enough basically.

However, re: two-factor authentication I keep saying this but it keeps getting ignored. Some of the hacked accounts are ones that had been dormant for some time, money was deposited fraudulently then withdrawn / lost to other accounts.

Pokerstars are never going to start issuing RSA tokens to people who last played years ago and nor should those people be responsible for knowing they should get them.

PS need to improve their internal procedures and everything else is a non-starter.
10-17-2018 , 12:49 AM
How could someone hack your password? It's pretty hard to just get hacked these days if you have a firewall I would have thought. They didn't also get your internet banking details, just PS account hey?..
10-17-2018 , 05:10 AM
Quote:
Originally Posted by mirage01
How could someone hack your password? It's pretty hard to just get hacked these days if you have a firewall I would have thought. They didn't also get your internet banking details, just PS account hey?..
There's no evidence that there's been a breach of PokerStars passwords on PokerStars' end. Apart from anything else, failing to disclose it on their end would probably open the company up to a whole range of really harsh penalties.
10-18-2018 , 10:28 AM
Quote:
Originally Posted by mirage01
How could someone hack your password? It's pretty hard to just get hacked these days if you have a firewall I would have thought. They didn't also get your internet banking details, just PS account hey?..
It's likely they were victims of "credential stuffing"; for many of the older, dormant accounts it's almost certain. People tend to use the same passwords across different sites, so Yahoo/PSN/etc. gets hacked, 2.5bn emails/passwords get stolen and cracked and the crooks just chance their arm, logging in to every poker/gambling/banking institution they can, in the hope there's an account and details haven't been updated. They don't need a very high hit rate for it to be extremely profitable, and it's very difficult for the sites to spot it happening, as there aren't multiple log-on attempts.

Best way to stay safe is to have different passwords for everything, and update them regularly.
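Credential stuffing as described in the post above produces about one attempt per account, so a per-account failure counter stays quiet. As an added example (not from the thread, and not any site's real detection logic), this Python sketch pivots on the source instead and counts distinct accounts tried from one address inside a time window. The log format, addresses, user names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "timestamp source-ip username result"
SAMPLE_LOG = """\
2018-10-18T10:00:01 203.0.113.7 alice FAIL
2018-10-18T10:00:03 203.0.113.7 bob FAIL
2018-10-18T10:00:05 203.0.113.7 carol OK
2018-10-18T10:00:07 203.0.113.7 dave FAIL
2018-10-18T10:00:09 203.0.113.7 erin FAIL
2018-10-18T10:02:00 198.51.100.20 frank FAIL
2018-10-18T10:02:10 198.51.100.20 frank FAIL
2018-10-18T10:02:30 198.51.100.20 frank OK
"""


def parse(log):
    """Return (time, ip, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def failures_per_account(events):
    """What a classic per-account lockout counter sees."""
    fails = defaultdict(int)
    for _, _, user, ok in events:
        if not ok:
            fails[user] += 1
    return dict(fails)


def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=4):
    """Flag sources that try many distinct accounts within the window.

    For each flagged source, report the peak number of distinct accounts and
    the accounts that logged in successfully from it (candidates for a forced
    password reset and a hold on withdrawals).
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {e[2] for e in in_window}
            peak = flagged.get(ip, {"accounts": 0})["accounts"]
            if len(users) >= min_accounts and len(users) > peak:
                flagged[ip] = {
                    "accounts": len(users),
                    "logged_in": sorted({e[2] for e in in_window if e[3]}),
                }
    return flagged


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("failures per account:", failures_per_account(events))
    print("flagged sources:", stuffing_sources(events))
```

Attempts spread across many addresses stay under a per-source threshold, so this signal is usually combined with others such as a new device or a newly added withdrawal method.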
10-18-2018 , 10:36 AM
my stars account got broken into this week, no other accounts of mine have been hacked that i can tell. very strange as i haven't played on stars in over 2 years and that password is a totally unique password that i don't use on any other sites. my rsa did expire in 2015 though



10-18-2018 , 11:09 AM
sirwish,

The bit about PokerStars "investigation" concluding that the "foreign computer/device [was] in Germany" is confident sounding, but is probably nonsense.

That IP range is a VPN service, not a real location in Germany.

It is used by the VPN service 'Hide My Ass!'.

Fundamentally, PokerStars seems to be telling you that you were the victim of a crime that seems to have taken place in the Isle of Man (where PokerStars servers are located). If you want to report it to the police there, their phone number is +44 1624 631212.

I don't know if it is worth your time to report it to the police in terms of the likely cost/benefit for you as an individual, but I'm interested to learn what would happen.
10-18-2018 , 11:13 AM
probably isnt worth it, i should say support notified me and locked my account up in a timely fashion, always had good experiences with their support
10-18-2018 , 08:26 PM
My god this is actually ridic

Seems RSA tokens are now mandatory if you're planning to play online
10-19-2018 , 02:12 AM
RSA lasts 4 years and costs $37 so is a no brainer for most members of this forum. A password manager is also prudent; all my passwords are unique and up to 50 characters long.

Did you have the pin enabled swish?
10-19-2018 , 05:09 AM
A friend sent me a PM asking about how to secure their account, and seeking some feedback on the PokerStars PIN. This answer might be useful to some of y'all too, so I'm just copying and pasting (with minor editing adjustments) here:

Short version: Forget about the PokerStars PIN, enable SMS Validation instead.


Long version:
The PokerStars PIN helps to defend against hackers who can randomly guess your PokerStars password. It does NOT defend against hackers who can obtain your email password.


If I were you, I would turn on SMS Validation:
https://www.pokerstars.com/poker/roo...smsvalidation/


If I were still working at PokerStars, I would activate this feature (on an almost mandatory basis) for almost everyone with a registered mobile phone number, and I would just abolish the PokerStars PIN service.

The PokerStars PIN service provides very little security against today's risks. It was reasonable when it was created 12 (?) years ago, but it isn't worth the attention or effort it gets from either the company or players today.
10-19-2018 , 11:19 AM
most people dont know how to set a strong password, manywordsstrungtogetherismuchstronger than a password like sdf245dd254. the longer it is the better.
10-19-2018 , 12:02 PM
Quote:
Originally Posted by david negus
most people dont know how to set a strong password, manywordsstrungtogetherismuchstronger than a password like sdf245dd254. the longer it is the better.
I didn't know that. Would have assumed a randomly generated long alphanumeric password would be stronger than manywordsstrungtogether, will check it out thank you.
10-19-2018 , 01:00 PM
Quote:
Originally Posted by U shove i call
I didn't know that. Would have assumed a randomly generated long alphanumeric password would be stronger than manywordsstrungtogether, will check it out thank you.
That idea was put up by a hacker or by some idiot and became a myth, having some truth in it when the password is too short (these days you need at least 10 letters/numbers, or it is not long enough. Plus other types, at least the letters and numbers but some force you to use some of the others also).

The original idea was clear about why it is not a good password to use just common words. This latter idea tries to argue against it based on tools the hackers use. But that can't be true as the old tools are still there (dictionary tools). You feel safe using common words in your password? I don't and never believed a second otherwise.
10-19-2018 , 01:14 PM
Quote:
Originally Posted by david negus
most people dont know how to set a strong password, manywordsstrungtogetherismuchstronger than a password like sdf245dd254. the longer it is the better.
I don't know about this. The reason you hear the suggestion to use random words is that humans are horrible at actually randomly picking characters for a password, so people end up doing something like: P@55W0Rd instead of actually randomizing. But research has found that people do the exact same thing with pass phrases: they generally use sentences or phrases common in everyday speech. The key to a secure password or passphrase is randomness. 6 truly random words of 6-7 characters each will be more secure than a 10 character password, but it won't be if it's:
"Hey how was your day?"

https://arstechnica.com/information-...-poor-choices/

"Examining the surprisingly weak distribution of phrases in natural language, we can conclude that even 4-word phrases probably provide less than 30 bits of security which is insufficient against offline attack," the paper says.

The article title is misleading imo, because 30 bits of security is way worse than what a standard password provides you. A 12 character random password using letters and numbers gives you 71.5 bits of security.
10-19-2018 , 03:37 PM
Quote:
Originally Posted by tgiggity
I don't know about this. The reason you hear the suggestion to use random words is that humans are horrible at actually randomly picking characters for a password, so people end up doing something like: P@55W0Rd instead of actually randomizing. But research has found that people do the exact same thing with pass phrases: they generally use sentences or phrases common in everyday speech. The key to a secure password or passphrase is randomness. 6 truly random words of 6-7 characters each will be more secure than a 10 character password, but it won't be if it's:
"Hey how was your day?"

https://arstechnica.com/information-...-poor-choices/

"Examining the surprisingly weak distribution of phrases in natural language, we can conclude that even 4-word phrases probably provide less than 30 bits of security which is insufficient against offline attack," the paper says.

The article title is misleading imo, because 30 bits of security is way worse than what a standard password provides you. A 12 character random password using letters and numbers gives you 71.5 bits of security.
interesting article but its making some assumptions. they proved their point by using a wordlist and hacking 1.13% of passwords. thats a low success rate if you are trying to brute force a password one at a time which afaik is how these hacks work. it also doesnt say how many of those passwords were single words or 4word phrases or 8 words.

there has been 0 success in breaking 8 word passphrases in real world scenarios. a large % of the worlds crypto uses them for security.

a random string of letters/numbers is just as good or maybe slightly better, as long as its the same length. harder to remember though. hopefully the takeaway here is to avoid all passwords with <20 characters, go with 12 at the very least.

a good trick ive been taught is to change the last letter to the first letter of the website you are using or something similar, so each password you have is easy to remember but all your accounts wont get hacked at once. ex: my pw is daviddiggerpullsthetriggeronevery, on 2p2 it would be daviddiggerpullsthetriggeroneveryt

Last edited by david negus; 10-19-2018 at 04:06 PM.
10-19-2018 , 05:26 PM
Quote:
Originally Posted by david negus
interesting article but its making some assumptions. they proved their point by using a wordlist and hacking 1.13% of passwords. thats a low success rate if you are trying to brute force a password one at a time which afaik is how these hacks work. it also doesnt say how many of those passwords were single words or 4word phrases or 8 words.

there has been 0 success in breaking 8 word passphrases in real world scenarios. a large % of the worlds crypto uses them for security.

a random string of letters/numbers is just as good or maybe slightly better, as long as its the same length. harder to remember though. hopefully the takeaway here is to avoid all passwords with <20 characters, go with 12 at the very least.

a good trick ive been taught is to change the last letter to the first letter of the website you are using or something similar, so each password you have is easy to remember but all your accounts wont get hacked at once. ex: my pw is daviddiggerpullsthetriggeronevery, on 2p2 it would be daviddiggerpullsthetriggeroneveryt
I know you were just giving an example to show the memory trick (not a bad idea), but the example you gave wouldn't be great because "pulls the trigger" is a common enough phrase that it would be susceptible to being cracked.

But yeah, I agree with all of this. take away is definitely to make sure you have a completely random pw that is 12+ characters, doesn't really matter if it's words or numbers/letters as long as it's actually random.
10-19-2018 , 06:01 PM
Quote:
Originally Posted by tgiggity
I know you were just giving an example to show the memory trick (not a bad idea), but the example you gave wouldn't be great because "pulls the trigger" is a common enough phrase that it would be susceptible to being cracked.
yea maybe it would take a computer only a 100k years to crack my pw with 8 words instead of a million years. cant have that.
10-19-2018 , 06:03 PM
Quote:
Originally Posted by david negus
yea maybe it would take a computer only a 100k years to crack my pw with 8 words instead of a million years. cant have that.
Yep came to the same conclusion after a bit of research. Anything long and random is fine just a case of taking 100 lifetimes or 1000 to brute force.

Last edited by U shove i call; 10-19-2018 at 06:15 PM.
10-21-2018 , 01:32 PM
Yea sure. PS have great security and would just let this happen.
10-22-2018 , 05:42 AM
The argument about whether it is better to have random passwords, or ultra-long phrase passwords is entirely stupid and irrelevant to this thread for a few reasons:

a) The PokerStars password field is not - last time I checked - endless. I think it was limited to 20 characters (I can't check now, but anyone else can do so).

b) The issues of password complexity apply to offline password cracking (where you can run X million attempts a second) not to online password hacking where you have to send each request to the server, and wait for a result. I cannot imagine that you could send even a million requests to the PokerStars server, let alone billions, to brute force a PokerStars password in this manner.

c) It is all made irrelevant if you use the multi-factor authentication options that PokerStars offers: ideally, the RSA Security Token which was designed and implemented a decade ago, or the more recent SMS Validation. Each will be "good enough" for the meaningful risks that people reading this thread will face
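The bits-of-security figures quoted earlier in the thread and the offline-versus-online point in the last post can be put on one scale. This added Python example (not from the thread) computes entropy for randomly generated passwords and passphrases and converts it into search time at two guess rates. The guess rates and the sample word list are constructed assumptions; the 7776-word list size is that of a standard Diceware list, and the 30-bit figure is the upper bound quoted from the paper above.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits  # 62 symbols
DICEWARE_SIZE = 7776                          # 6**5 words in a Diceware list
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guess rates, for illustration only.
ONLINE_GUESSES_PER_SEC = 10      # each guess is a round trip to the login server
OFFLINE_GUESSES_PER_SEC = 1e10   # attacker already holds fast, unsalted hashes

# Constructed toy word list; a real list has thousands of entries.
TOY_WORDS = ["river", "candle", "orbit", "maple", "tunnel", "velvet", "harbor", "pixel"]


def random_string_bits(length, alphabet_size=len(ALNUM)):
    """Entropy of a string whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def random_words_bits(word_count, wordlist_size):
    """Entropy of a passphrase whose words are chosen uniformly at random.

    Depends on the list size and word count, not on how many letters result.
    """
    return word_count * math.log2(wordlist_size)


def generate_password(length=12):
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def generate_passphrase(word_count, wordlist):
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def years_to_search_half(bits, guesses_per_sec):
    """Expected time to find the secret: half the keyspace at a fixed rate."""
    return 2 ** (bits - 1) / guesses_per_sec / SECONDS_PER_YEAR


def comparison():
    cases = {
        "natural-language 4-word phrase (paper's bound)": 30.0,
        "4 random Diceware words": random_words_bits(4, DICEWARE_SIZE),
        "12 random letters/digits": random_string_bits(12),
        "6 random Diceware words": random_words_bits(6, DICEWARE_SIZE),
    }
    return {
        label: (round(bits, 1),
                years_to_search_half(bits, ONLINE_GUESSES_PER_SEC),
                years_to_search_half(bits, OFFLINE_GUESSES_PER_SEC))
        for label, bits in cases.items()
    }


if __name__ == "__main__":
    for label, (bits, online, offline) in comparison().items():
        print(f"{label:48s} {bits:5.1f} bits  online {online:.2e} y  offline {offline:.2e} y")
    print("sample password:  ", generate_password())
    print("sample passphrase:", generate_passphrase(6, TOY_WORDS),
          f"({random_words_bits(6, len(TOY_WORDS)):.0f} bits from this toy list)")
```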

      