Two Plus Two Publishing LLC
Old 10-11-2018, 07:39 PM   #876
pucmo
grinder
 
Join Date: Mar 2016
Location: Euro
Posts: 580
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by vherreral View Post
Are these kind of links safe?
Not as a default, as you don't know what there is. Or if you limit your browser and so on and never click anything there, it might be safe, but who knows.

The safest is to use another computer, e.g. a tablet to visit unknown sites as one can clean it with a push of the button (losing all but what it was when you bought it).

What comes to the knowledge there, it seems hackers prefer to lose the account money to other players, including to the player(s) cashing it out.

The hacker can make a new deposit/withdrawal method, and you are not protected well enough; a couple of days (you might get an email of the deposit, and other things to think about here) or a raking need that takes minutes as far as the small deposit amount goes.

The link lists ways to protect so the hacker e.g. never gets into your account in the first place.
pucmo is offline   Reply With Quote
Old 10-12-2018, 05:24 AM   #877
I_C_YA_KARDZ
journeyman
 
Join Date: Dec 2014
Location: On the river
Posts: 272
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by SalmoTrutta View Post
Bad idea. You want people to be able to login from wherever without carrying a token and waiting for it to be mailed out before getting in on the action etc. The day hopping onto the table isn't a casual matter the site dies.

Being able to connect a new neteller account just like that as a thief is the absurd part in this. Many other sites will only allow you to withdraw to the same card/account you deposited with, otherwise you have to go through a verification process with support etc.
After I had an issue with my account a few years ago stars told me to start using the keypad the 1 which comes up after entering your P.W & every time you log in the numbers move around.

They should make that 1 mandatory for everyone since they have it if it's going to add some extra security.

I agree it's CRAZY how someone could add a new neteller account & withdraw.
I_C_YA_KARDZ is offline   Reply With Quote
Old 10-12-2018, 08:26 AM   #878
+rep_lol
El Guapo
 
+rep_lol's Avatar
 
Join Date: Sep 2013
Posts: 12,893
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by pucmo View Post
Not as a default, as you don't know what there is. Or if you limit your browser and so on and never click anything there, it might be safe, but who knows.

The safest is to use another computer, e.g. a tablet to visit unknown sites as one can clean it with a push of the button (losing all but what it was when you bought it).

What comes to the knowledge there, it seems hackers prefer to lose the account money to other players, including to the player(s) cashing it out.

The hacker can make a new deposit/withdrawal method, and you are not protected well enough; a couple of days (you might get an email of the deposit, and other things to think about here) or a raking need that takes minutes as far as the small deposit amount goes.

The link lists ways to protect so the hacker e.g. never gets into your account in the first place.
ehh maybe a PSA here re: that link- i don't think i'd even click it tbh. "pokeroff" (staking organization run out of russia by max katz, i think) bought a large chunk of my main event action a few years back- everything went smoothly. then the next year i tried to contact a couple of them to see if they were interested again and the website was down, the email links were broken, couple of the liaisons were nowhere to be found, so i just kinda shrugged and assumed they went busto and i sold off to others instead.

i'd be extremely skeptical of any "pokeroff.ru" link, particularly any having anything to do with hackers.

note that i'm not implying anybody from pokeroff is trying to hack or scam people, but that hackers may have co-opted the website domain and are getting people that way
+rep_lol is offline   Reply With Quote
Old 10-12-2018, 08:32 AM   #879
Josem
human chemical weapon
 
Josem's Avatar
 
Join Date: Jan 2007
Location: Getting Trolled
Posts: 16,623
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by I_C_YA_KARDZ View Post
After I had an issue with my account a few years ago stars told me to start using the keypad the 1 which comes up after entering your P.W & every time you log in the numbers move around.

They should make that 1 mandatory for everyone since they have it if it's going to add some extra security.
The numeric keypad was good, 10 years ago, when it was introduced, against certain, limited threats. Particularly, it was useful for people who were crap at creating unique passwords (lol, WSOP2004), and helped people who were at risk of having a family member log on to their device without their authorisation. Thus, it helped against "accidental" or less sophisticated offenders.

However, the keypad thing is pretty mediocre at defending against determined malicious hackers who can obtain a victim's email address, since it can easily be reset by email.


Instead, to combat against the sorts of threats at risk in this thread and more common these days, PokerStars should make this far more prominent/default/mandatory: https://www.pokerstars.com/poker/roo...smsvalidation/

The widespread adoption of SMS Validation by PokerStars customers would substantially reduce the risk of hackers like those that have plagued this thread, and that are likely to be common in the near future.
Josem is offline   Reply With Quote
Old 10-12-2018, 10:18 AM   #880
falldown
veteran
 
Join Date: May 2012
Posts: 2,070
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Having read a bunch of this thread, and with no dog in the fight, I wasn't hacked and I live in the US so don't play on stars...

1) I think dual layer token type logins would obviously help.
2) There is next to zero chance that Pokerstars' passwords haven't been hacked from the source. Too many people with unique passwords to Pokerstars having only their Pokerstars stuff stolen.

So both sides of this debate are right. Pokerstars however is wrong.
falldown is offline   Reply With Quote
Old 10-15-2018, 05:58 AM   #881
LektorAJ
Carpal 'Tunnel
 
LektorAJ's Avatar
 
Join Date: May 2014
Location: none
Posts: 6,568
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

^ It was pretty much confirmed ITT (by the question being repeatedly ignored) that the passwords were stored in hashed but not salted form, which is not secure enough basically.

However, re: two-factor authentication I keep saying this but it keeps getting ignored. Some of the hacked accounts are ones that had been dormant for some time, money was deposited fraudulently then withdrawn / lost to other accounts.

Pokerstars are never going to start issuing RSA tokens to people who last played years ago and nor should those people be responsible for knowing they should get them.

PS need to improve their internal procedures and everything else is a non-starter.
LektorAJ is offline   Reply With Quote
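Why "hashed but not salted" storage is treated as a weakness in the post above, as an added example (not from any poster and not PokerStars code; nothing here describes how PokerStars actually stores passwords). The user table, the passwords and the PBKDF2 work factor are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # illustrative work factor (assumption); tune to current guidance

def unsalted_hash(password):
    # The weak scheme: one fast hash, no per-user salt.
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password):
    # The hardened scheme: random per-user salt plus a slow key-derivation function.
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key

def verify(password, record):
    salt, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)  # constant-time comparison

# Constructed user table: u1 and u2 happen to share a password.
USERS = {"u1": "letmein2004", "u2": "letmein2004", "u3": "Zq7-unique-pass"}

def exposed_by_one_table(stored, guesses):
    # With unsalted hashes, a single precomputed table of guesses is valid
    # for every row at once, so one hit exposes every user sharing it.
    table = {unsalted_hash(g) for g in guesses}
    return sorted(user for user, digest in stored.items() if digest in table)

def compare_schemes():
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: salted_record(p) for u, p in USERS.items()}
    return {
        # Same password, same stored value: the leak itself reveals reuse.
        "unsalted_rows_identical": unsalted["u1"] == unsalted["u2"],
        # Same password, different salt: stored values differ per user.
        "salted_rows_identical": salted["u1"][1] == salted["u2"][1],
        "exposed_by_one_guess": exposed_by_one_table(unsalted, ["letmein2004"]),
        "verify_correct": verify("letmein2004", salted["u1"]),
        "verify_wrong": verify("not-the-password", salted["u1"]),
    }

if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(name, value)
```

With per-user salts each guess has to be recomputed per account, and the slow KDF makes each recomputation expensive; neither helps a user whose password is already known from another site's breach.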
Old 10-17-2018, 12:49 AM   #882
mirage01
veteran
 
Join Date: Jan 2013
Location: Australia
Posts: 2,779
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

How could someone hack your password? It's pretty hard to just get hacked these days if you have a firewall I would have thought. They didn't also get your internet banking details, just PS account hey?..
mirage01 is offline   Reply With Quote
Old 10-17-2018, 05:10 AM   #883
Josem
human chemical weapon
 
Josem's Avatar
 
Join Date: Jan 2007
Location: Getting Trolled
Posts: 16,623
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by mirage01 View Post
How could someone hack your password? It's pretty hard to just get hacked these days if you have a firewall I would have thought. They didn't also get your internet banking details, just PS account hey?..
There's no evidence that there's been a breach of PokerStars passwords on PokerStars' end. Apart from anything else, failing to disclose it on their end would probably open the company up to a whole range of really harsh penalties.
Josem is offline   Reply With Quote
Old 10-18-2018, 10:28 AM   #884
ThudNBlunder
newbie
 
Join Date: Dec 2015
Posts: 15
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by mirage01 View Post
How could someone hack your password? It's pretty hard to just get hacked these days if you have a firewall I would have thought. They didn't also get your internet banking details, just PS account hey?..
It's likely they were victims of "credential stuffing"; many of the older, dormant accounts it's almost certain. People tend to use the same passwords across different sites, so Yahoo/ PSN/ etc gets hacked, 2.5bn email/ passwords get stolen and cracked and the crooks just chance their arm, logging in to every poker/ gambling/ banking institution they can, in the hope there's an account and details haven't been updated. They don't need a very high hit rate for it to be extremely profitable, and it's very difficult for the sites to spot it happening- as there aren't multiple log-on attempts.

Best way to stay safe is to have different passwords for everything, and update them regularly.
ThudNBlunder is offline   Reply With Quote
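The detection problem described in the post above (credential stuffing produces few attempts per account, so per-account counters stay quiet), as an added example that is not part of the original thread. The log format, field names, thresholds and addresses are constructed assumptions; grouping by source IP is only one possible pivot, and traffic spread across a VPN or proxy pool would need a different grouping key.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2018-10-18T10:00:01 203.0.113.7 alice FAIL
2018-10-18T10:00:03 203.0.113.7 bob FAIL
2018-10-18T10:00:04 198.51.100.20 bob FAIL
2018-10-18T10:00:06 203.0.113.7 carol FAIL
2018-10-18T10:00:09 203.0.113.7 dave FAIL
2018-10-18T10:00:10 198.51.100.20 bob FAIL
2018-10-18T10:00:12 203.0.113.7 erin OK
2018-10-18T10:00:15 203.0.113.7 frank FAIL
2018-10-18T10:00:20 198.51.100.20 bob FAIL
2018-10-18T10:00:31 198.51.100.20 bob OK
2018-10-18T10:01:02 192.0.2.5 carol OK
"""

def parse_events(log):
    events = []
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events

def accounts_hitting_lockout(events, threshold=3):
    # Classic per-account failure counter: catches repeated guessing against
    # one account, but each stuffed account sees only a single failure.
    failures = defaultdict(int)
    for e in events:
        if not e["ok"]:
            failures[e["user"]] += 1
    return sorted(u for u, n in failures.items() if n >= threshold)

def flag_stuffing_sources(events, min_accounts=5, max_tries_per_account=2):
    # Pivot on the source instead: many distinct accounts, very few tries each.
    tries = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(set)
    for e in events:
        tries[e["ip"]][e["user"]] += 1
        if e["ok"]:
            successes[e["ip"]].add(e["user"])
    flagged = {}
    for ip, per_user in tries.items():
        wide = len(per_user) >= min_accounts
        shallow = max(per_user.values()) <= max_tries_per_account
        if wide and shallow:
            # Successful logins from a flagged source are the accounts to
            # lock and force through a password reset first.
            flagged[ip] = {"accounts": len(per_user),
                           "successes": sorted(successes[ip])}
    return flagged

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("per-account lockout would fire for:", accounts_hitting_lockout(events))
    print("sources flagged as stuffing:", flag_stuffing_sources(events))
```

On the sample, the per-account counter fires only for the user retrying their own password, while the source-based view flags the one address that touched six accounts and surfaces the single account it got into.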
Old 10-18-2018, 10:36 AM   #885
sirswish6
Carpal 'Tunnel
 
sirswish6's Avatar
 
Join Date: Apr 2008
Location: bed
Posts: 6,591
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

my stars account got broken into this week, no other accounts of mine have been hacked that i can tell. very strange as i haven't played on stars in over 2 years and that password is a totally unique password that i don't use on any other sites. my rsa did expire in 2015 though



sirswish6 is offline   Reply With Quote
Old 10-18-2018, 11:09 AM   #886
Josem
human chemical weapon
 
Josem's Avatar
 
Join Date: Jan 2007
Location: Getting Trolled
Posts: 16,623
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

sirswish,

The bit about PokerStars "investigation" concluding that the "foreign computer/device [was] in Germany" is confident sounding, but is probably nonsense.

That IP range is a VPN service, not a real location in Germany.

It is used by the VPN service 'Hide My Ass!'.

Fundamentally, PokerStars seems to be telling you that you were the victim of a crime that seems to have taken place in the Isle of Man (where PokerStars servers are located). If you want to report it to the police there, their phone number is +44 1624 631212.

I don't know if it is worth your time to report it to the police in terms of the likely cost/benefit for you as an individual, but I'm interested to learn what would happen.
Josem is offline   Reply With Quote
Old 10-18-2018, 11:13 AM   #887
sirswish6
Carpal 'Tunnel
 
sirswish6's Avatar
 
Join Date: Apr 2008
Location: bed
Posts: 6,591
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

probably isnt worth it, i should say support notified me and locked my account up in a timely fashion, always had good experiences with their support
sirswish6 is offline   Reply With Quote
Old 10-18-2018, 08:26 PM   #888
wowsooooted
Pooh-Bah
 
wowsooooted's Avatar
 
Join Date: Jan 2013
Location: nearly there
Posts: 4,480
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

My god this is actually ridic

Seems RSA tokens are now mandatory if you're planning to play online
wowsooooted is offline   Reply With Quote
Old 10-19-2018, 02:12 AM   #889
U shove i call
veteran
 
Join Date: Nov 2008
Posts: 3,283
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

RSA lasts 4 years and costs $37 so is a no brainer for most members of this forum. A password manager is also prudent; all my passwords are unique and up to 50 characters long.

Did you have the pin enabled swish?
U shove i call is offline   Reply With Quote
Old 10-19-2018, 05:09 AM   #890
Josem
human chemical weapon
 
Josem's Avatar
 
Join Date: Jan 2007
Location: Getting Trolled
Posts: 16,623
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

A friend sent me a PM asking about how to secure their account, and seeking some feedback on the PokerStars PIN. This answer might be useful to some of y'all too, so I'm just copying and pasting (with minor editing adjustments) here:

Short version: Forget about the PokerStars PIN, enable SMS Validation instead.


Long version:
The PokerStars PIN helps to defend against hackers who can randomly guess your PokerStars password. It does NOT defend against hackers who can obtain your email password.


If I were you, I would turn on SMS Validation:
https://www.pokerstars.com/poker/roo...smsvalidation/


If I were still working at PokerStars, I would activate this feature (on an almost mandatory basis) for almost everyone with a registered mobile phone number, and I would just abolish the PokerStars PIN service.

The PokerStars PIN service provides very little security against today's risks. It was reasonable when it was created 12 (?) years ago, but it isn't worth the attention or effort it gets from either the company or players today.
Josem is offline   Reply With Quote
Old 10-19-2018, 11:19 AM   #891
david negus
journeyman
 
david negus's Avatar
 
Join Date: Jan 2014
Posts: 365
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

most people dont know how to set a strong password, manywordsstrungtogetherismuchstronger than a password like sdf245dd254. the longer it is the better.
david negus is offline   Reply With Quote
Old 10-19-2018, 12:02 PM   #892
U shove i call
veteran
 
Join Date: Nov 2008
Posts: 3,283
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by david negus View Post
most people dont know how to set a strong password, manywordsstrungtogetherismuchstronger than a password like sdf245dd254. the longer it is the better.
I didn't know that. Would have assumed a randomly generated long alpha numeric password would be stronger than manywordsstrungtogether, will check it out thank you.
U shove i call is offline   Reply With Quote
Old 10-19-2018, 01:00 PM   #893
pucmo
grinder
 
Join Date: Mar 2016
Location: Euro
Posts: 580
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by U shove i call View Post
I didn't know that. Would have assumed a randomly generated long alpha numeric password would be stronger than manywordsstrungtogether, will check it out thank you.
That idea was put up by a hacker or by some idiot and became a myth, having some truth in it when the password is too short (these days you need at least 10 letters/numbers, or it is not long enough. Plus other types, at least the letters and numbers but some force you to use some of the others also).

The original idea was clear about why it is not a good password to use just common words. This latter idea tries to argue against it based on tools the hackers use. But that can't be true as the old tools are still there (dictionary tools). You feel safe using common words in your password? I don't and never believed a second otherwise.
pucmo is offline   Reply With Quote
Old 10-19-2018, 01:14 PM   #894
tgiggity
old hand
 
tgiggity's Avatar
 
Join Date: Oct 2016
Location: California
Posts: 1,554
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by david negus View Post
most people dont know how to set a strong password, manywordsstrungtogetherismuchstronger than a password like sdf245dd254. the longer it is the better.
I don't know about this. The reason you hear the suggestion to use random words is that humans are horrible at actually randomly picking characters for a password, so people end up doing something like: P@55W0Rd instead of actually randomizing. But research has found that people do the exact same thing with pass phrases: they generally use sentences or phrases common in everyday speech. The key to a secure password or passphrase is randomness. 6 truly random words of 6-7 characters each will be more secure than a 10 character password, but it won't be if it's:
"Hey how was your day?"

https://arstechnica.com/information-...-poor-choices/

"Examining the surprisingly weak distribution of phrases in natural language, we can conclude that even 4-word phrases probably provide less than 30 bits of security which is insufficient against offline attack," the paper says.

The article title is misleading imo, because 30 bits of security is way worse than what a standard password provides you. A 12 character random password using letters and numbers gives you 71.5 bits of security.
tgiggity is offline   Reply With Quote
Old 10-19-2018, 03:37 PM   #895
david negus
journeyman
 
david negus's Avatar
 
Join Date: Jan 2014
Posts: 365
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by tgiggity View Post
I don't know about this. The reason you hear the suggestion to use random words is that humans are horrible at actually randomly picking characters for a password, so people end up doing something like: P@55W0Rd instead of actually randomizing. But research has found that people do the exact same thing with pass phrases: they generally use sentences or phrases common in everyday speech. The key to a secure password or passphrase is randomness. 6 truly random words of 6-7 characters each will be more secure than a 10 character password, but it won't be if it's:
"Hey how was your day?"

https://arstechnica.com/information-...-poor-choices/

"Examining the surprisingly weak distribution of phrases in natural language, we can conclude that even 4-word phrases probably provide less than 30 bits of security which is insufficient against offline attack," the paper says.

The article title is misleading imo, because 30 bits of security is way worse than what a standard password provides you. A 12 character random password using letters and numbers gives you 71.5 bits of security.
interesting article but it's making some assumptions. they proved their point by using a wordlist and hacking 1.13% of passwords. that's a low success rate if you are trying to brute force a password one at a time which afaik is how these hacks work. it also doesn't say how many of those passwords were single words or 4word phrases or 8 words.

there has been 0 success in breaking 8 word passphrases in real world scenarios. a large % of the worlds crypto uses them for security.

a random string of letters/numbers is just as good or maybe slightly better, as long as its the same length. harder to remember though. hopefully the takeaway here is to avoid all passwords with <20 characters, go with 12 at the very least.

a good trick ive been taught is to change the last letter to the first letter of the website you are using or something similar, so each password you have is easy to remember but all your accounts wont get hacked at once. ex: my pw is daviddiggerpullsthetriggeronevery, on 2p2 it would be daviddiggerpullsthetriggeroneveryt

Last edited by david negus; 10-19-2018 at 04:06 PM.
david negus is offline   Reply With Quote
Old 10-19-2018, 05:26 PM   #896
tgiggity
old hand
 
tgiggity's Avatar
 
Join Date: Oct 2016
Location: California
Posts: 1,554
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by david negus View Post
interesting article but it's making some assumptions. they proved their point by using a wordlist and hacking 1.13% of passwords. that's a low success rate if you are trying to brute force a password one at a time which afaik is how these hacks work. it also doesn't say how many of those passwords were single words or 4word phrases or 8 words.

there has been 0 success in breaking 8 word passphrases in real world scenarios. a large % of the worlds crypto uses them for security.

a random string of letters/numbers is just as good or maybe slightly better, as long as its the same length. harder to remember though. hopefully the takeaway here is to avoid all passwords with <20 characters, go with 12 at the very least.

a good trick ive been taught is to change the last letter to the first letter of the website you are using or something similar, so each password you have is easy to remember but all your accounts wont get hacked at once. ex: my pw is daviddiggerpullsthetriggeronevery, on 2p2 it would be daviddiggerpullsthetriggeroneveryt
I know you were just giving an example to show the memory trick (not a bad idea), but the example you gave wouldn't be great because "pulls the trigger" is a common enough phrase that it would be susceptible to being cracked.

But yeah, I agree with all of this. take away is definitely to make sure you have a completely random pw that is 12+ characters, doesn't really matter if it's words or numbers/letters as long as it's actually random.
tgiggity is offline   Reply With Quote
Old 10-19-2018, 06:01 PM   #897
david negus
journeyman
 
david negus's Avatar
 
Join Date: Jan 2014
Posts: 365
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by tgiggity View Post
I know you were just giving an example to show the memory trick (not a bad idea), but the example you gave wouldn't be great because "pulls the trigger" is a common enough phrase that it would be susceptible to being cracked.
yea maybe it would take a computer only a 100k years to crack my pw with 8 words instead of a million years. cant have that.
david negus is offline   Reply With Quote
Old 10-19-2018, 06:03 PM   #898
U shove i call
veteran
 
Join Date: Nov 2008
Posts: 3,283
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by david negus View Post
yea maybe it would take a computer only a 100k years to crack my pw with 8 words instead of a million years. cant have that.
Yep came to the same conclusion after a bit of research. Anything long and random is fine just a case of taking 100 lifetimes or 1000 to brute force.

Last edited by U shove i call; 10-19-2018 at 06:15 PM.
U shove i call is offline   Reply With Quote
Old 10-21-2018, 01:32 PM   #899
Inconsiderata
newbie
 
Inconsiderata's Avatar
 
Join Date: Jan 2014
Location: Denver
Posts: 16
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Yea sure. PS have great security and would just let this happen.
Inconsiderata is offline   Reply With Quote
Old 10-22-2018, 05:42 AM   #900
Josem
human chemical weapon
 
Josem's Avatar
 
Join Date: Jan 2007
Location: Getting Trolled
Posts: 16,623
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

The argument about whether it is better to have random passwords, or ultra-long phrase passwords is entirely stupid and irrelevant to this thread for a few reasons:

a) The PokerStars password field is not - last time I checked - endless. I think it was limited to 20 characters (I can't check now, but anyone else can do so).

b) The issues of password complexity apply to offline password cracking (where you can run X million attempts a second) not to online password hacking where you have to send each request to the server, and wait for a result. I cannot imagine that you could send even a million requests to the PokerStars server, let alone billions, to brute force a PokerStars password in this manner.

c) It is all made irrelevant if you use the multi-factor authentication options that PokerStars offers: ideally, the RSA Security Token which was designed and implemented a decade ago, or the more recent SMS Validation. Each will be "good enough" for the meaningful risks that people reading this thread will face
Josem is offline   Reply With Quote

All times are GMT -4. The time now is 04:22 PM.

