OP has a strange story then. Offcourse Stars will give you your so called own neteller account number? Are you making this up OP?

And neteller will offcourse take action in investigating. the will check the account and working with police if you request this.

Also if the hacker used his creditcard to make 22 deposits as you state then you have to investigate those data also..

I think it is a strange story. I t sounds like you somehow know the hacker. maybe a friend of a friend or something like that.

Also it sounds like you dont take effort to find out the hackers data. you are entitled to this info on netller and creditcards linked to your own account.

OP explain me why you dont ask for these simple account and card details anymore. I am 100% sure Stars will give youy the account number. maybe not the security number to log in. but you will be able to discover who did this.

That graph is ****ing hilarious for a multi-million dollar company.

Hacks are down since January but player awareness is increased? What a load of bollocks.

If, as mentioned, this is because Pokerstars is doing more to highlight the issue to players in March, my question would be what the hell were they doing in January when they saw that accounts were being logged in from Russia at the first attempt?

Hi Michael J,
I am wondering if you have looked at these issues from another perspective.
Recently, the OpenSSL hartbleed bug was identified as you or your security team will surely know of (http://heartbleed.com)
In your terms of service (11.1, https://www.pokerstars.eu/poker/room/tos/), PS states that OpenSSL is indeed used for encrypted connections.

While the Heartbleed bug caused some worries, if PS updated the OpenSSL library on time, PS was never vulnerable (the unlucky thing is it is impossible to check whether you did it on time on your servers).

However, that is not what I'd like to address here.
OpenSSL has stated here (http://marc.info/?l=openssl-announce...3572011212&w=2) that there are several new vulnerabilities with severity classified as 'high' which will be fixed in a patch released today.

With vulnerabilities in the SSL connection, it could be possible to eavesdrop on network level, which would mean nobody's PC got hacked and no passwords were given out.

I think it's your security team's responsibility to find out whether that is a possibility or not. I would even understand if you wouldn't confirm problems like these in public. They simply need to be adressed to be 100% sure that no players in the future will be affected!

Could you please let PS security team look into this?

For the record: I haven't been hacked. I just wanted to share my perspective, maybe it helps. Wondering if I get a response

Is the instant cashout after depositing a new feature or something? I've never been allowed to cash out until after 48hours have passed from the time I deposited.

I honestly did a double take when I saw that, as it looked for all the world like an expert troll.

This was the first point that attracted me to the initial thread. IIRC Stars cited "privacy reasons" for not disclosing the neteller account details to the guy whose account had been compromised, which is of course ridiculous. I'd like to see a stars rep expand on this.

Are RSA tokens free to obtain from Pokerstars? If not, then they should be.

And that graph is absolutely pathetic.

Free for Sne's. For other Vip levers from 1,5k to 4,5k FPP

Those of you that were hacked should do a correlative comparison to narrow down what it likely isn't. Common poker websites you visit, type of HUD or hotkey software you use, social media you frequent or anything poker related on your pcs. Find the common denominators and you can find the cause. Maybe you all use Skype, or teamspeak or something where you accidentally got infected. That or someone saw you type in your password.

One of the strange parts; Stars investigated, found out the account was hacked (or, as the Starsguy here manipulatively suggests; OP gave his logindetails to the hacker (and so did all the other victims)- which seems to be working, if you are being serious), therefore concluded the Netteller account wasn't OP's, so to protect the identity of the hacker they won't give the Nettellerdetails to OP. And ofcourse OP has to cover the losses made by this VIP hacker with fake creditcards.

And, like OP said, Netteller stated that "Unfortunately we are not able to retrieve the account as the transaction ID you have provided is not valid in our system". What else can OP do?

This all is very scary

Yes. For the third time: could an affiliate be the link?

We were trying to find the link between Czech hacked players with no sucess. No common forum,software,affil, inet provider...some of them were recs playing couple of tourneys from time to time without any deeper interest in poker, not using any poker related software or forums, not affiliated anywhere etc.

+ 100000000

Add this to the list of posts which Pokerstars will NEVER address.

It just blows my mind how many red flags went off in this scenario. Some part of me thinks that there is more to this story because it is hard to believe PS being so negligent.

Sorry but that graph is terrible. Not only because it misses all the vital information to read it correctly, but also because it proves nothing. Sure, the total number of hacks may be declining (in a 3 month period without comparison to earlier months/years...), but what good does that information in this case? A trend in 2.5 months... of reported 'hacks'... So are these the exact same kind of hacks, or are hacks by friends who try your hotmailpassword in your Pokerstarsaccount also included?

I also don't understand that when players awareness of hacks rises, the reported number of total hacks declines. That seems to make zero sense.

I'm sorry that u lost the flip OP.

That giraffe is the ultimate troll omg hilarious.

Expecting the people who were hacked to compensate PS and pay them back for their lax security is unbelievably scummy.

haha that graph is comedy; it's one step away from being hand drawn.

PS were probably either thinking "those tards aren't capable of understanding the complex data involved so we're going to dumb it right down for them"

or "**** how do we spin this? ok we'll put this out there and pray that they're all tards and not one of them notices how little information this actually gives away"

I wonder which one?

I won't be playing or depositing on stars ever again. I was already disillusioned by the Amaya takeover, with the rake increases and casino games. Then this has been handled so terribly that it's the final straw for me and i simply don't want to do business with the company anymore.

Why are you guys hating on the reason this graph is such a troll for, yes its very LOL, what a joke it is.

But the reason its LOL, Michael states in his response.

"While we will not provide absolute numbers"

They don't want too reveal the real numbers too the public. i.e. how many players in total actually do get hacked....

Not very transparent but the new Amaya has never been very transparent, IMHO.

While I did like Michael's response too this and it gave me some more confidence in stars customer service,

Im not happy Pokerstar's does not appear very transparent in issues that keep coming up.

But afterall, they have a monopoly, they know they have a monopoly. Monopolies are bad for customers, very bad.

Im sorry for the late response, but my account have been "hacked", and i got an email that someone from another country knew my password perfectly, and he used it to login, luckily i did not have any money in the account. But the account is frozen, for now. Also i got an email from pokerstars that they would give me a call. I have not received it yet.
The thing that is bothering me is the lack of information, none at all i would say.

But i guess that is just the way with all bigger corporations, they simply rule out all involvement in the case, and blames the clients.

How to lie with statistics.

I find it troubling that you chose to share a median loss, instead of a mean (average as people typically understand it) loss.

Lets imagine 200 people have their accounts hacked.

50 people lose $10
49 people lose $50
1 person lose $57.08
1 person loses $57.10
50 people lose $1000
50 people lose $10000

The median loss is $57.09
The MEAN (ie, arithmetic average) loss is $2765.32

I suspect that the losses skew highly to the right and the mean loss is substantially more than $57.

Can we see a histogram?

i don't get it why Mr Josem is bashed for posting the graph ... PS doesn't need to, but ppl making claims, like there's some sort of trend, just on the assumption, that their sample size is somehow relevant. if i'm not wrong, there was a similar thread months ago. if back then, a few other victims would have saw this and responded, ppl would have seen a trend too. kinda like believe in some sort of trend, just b/c two other ppl on Facebook share your birthday.

what's also weird is, that ppl in the original thread (internet poker sub forum) claimed, that they run anti malware software and are clean, so it must be a leak/insider job. besides the fact, that running such software basically proofs nothing, i pointed out, that if ppl use the 'remember password'-option and no PIN, an attacker don't need any keylogger (which might trigger virus scanners) to get the pw. i know, that the victims are disappointed, but instead of really focusing on where the leak is and help finding a potential 'new thread', it's all about making bold statements.

no doubt, as a victim i prolly would also claim, that it's so obvious, that the transaction are made by the hacker. but if you see all the transactions, it's might not so clear anymore. so the pattern of the recent hacks, might be fit onto other cases, were everything is 100% legit.

e.g. i know people, who travel a lot and login from different locations. it would be painful for them, if they are on a road trip and have to confirm this with several poker rooms. what about business ppl, who just want to play a quick session while in a hotel room. you might lose the best fish, if you rule out, that any login from a different location is okay.

there're plenty of cases where people change their IPs. there was also one hacking case, where the attacker lived in the same country. how far away is too far way too be suspicious? besides that, if a hacker get's your password, i guess he could (?) disguise his location too. so this idea of making PS safer is not very secure at all, but would rather make the service for players worse.

to be fair, declining the 'deposit from another creditcard than the account holder' (which is btw standard in many businesses) would help in this case, but if a password, he'll find other ways to get the money. besides that, there are many ppl out there, who don't have a credit card and might be need help, for a deposit. so like the idea with the IP, it don#t help much for security, but it's a bad service for customers.

ppl also think, that the insta cash out is a security leak. again, it might helped in this very specific cases, but i remember that ppl always hate, when it comes to delays in terms of cash out. i rarely play, but had at least one occasion, where i made a deposit and needed the money a few hours later. making it more strict, i'm pretty sure the big mass will hate it, which will reduce the fishes, which is not only bad for the poker room, but also the grinders.

so overall, the whole 'make it safer' ideas would only help a small number of ppl, but would make the playing experience for a lot of ppl worse (mostly random fish, who don't want any hassle but just a quick game). since this is the bottom of the food chain, i would think, which is more important.

last but not least is the idea, that PS has to pay the stolen money. that's obviously an option, but imagine you own a business. eg a club and you provide lockers, so patrons can store their things. let's assume some patrons lose their key and the lockers are cleaned out. as a good service, you pay for the stolen stuff. word spreads and the next weekend you prolly have to pay a lot more, b/c surprisingly the crime rate sky rocketed.

the only real option so far, is some 'opt in', if you never change location and/or deposit option. but to be fair, so far it seems the victims didn't neither use PIN, nor SMS verification (which are both free), so i doubt the potential victims would opt in anyway


tl;dr

don't hate the player, hate the game

Your second line here represents a very common problem for programmers. This awesome comic illustrates it nicely (http://www.cvr-it.com/images/PM_Build_Swing.gif).

I re-read Monorail's post, and he mentions that he only wants to play from home (and continues with the IP stuff). To me, that is an issue of restricting IP addresses, which as you quoted I've already posted my thoughts on.

Similar to restricting to IP addresses, restricting use to a specific device is actually very easy. Every device has a unique identifier (MAC address) which never changes.

I would respectfully disagree with this statement. I believe I can see clearly what the use case is, but I think technology limits the practicality of it. FWIW, I agree with Monorail completely. It would be nice to restrict access to PS to a specific device (or set of devices) as well as from a specific location (or set of locations). That would make it easy to determine if the person logging in to the account is the actual account holder or not.

The problem becomes, as Michael J. has pointed out, what happens if the account wants to play while on vacation (location changes), or gets a new phone or computer (physical device changes)? They would not be allowed to play on the new device or from the new location. You could suggest that you can send an email to PokerStars to notify them of an upcoming change, but what's to stop an attacker from breaking into your email account and sending a message themselves? (Yes, I'm aware that for the cases specific to this thread emails were not affected, but that has not been and will not always be the case for other situations.)

This post is starting to sound a little bit like I'm defending PS in these cases, but I'm not. I think that the way they are handling these cases is terrible, especially making the account holder have to cover for the stolen funds. I'm just trying to share my thoughts as to why a couple of things that were suggested may not work as well as it was hoped.

I give them a pass on the graph. I don't expect them to use the same graphical agency as they use for the EPT branding to produce a graph to be posted in NVG. Also by deliberately choosing the limited time frame the stars rep has been able to get the message out to us that hacks are much higher now than during last year while retaining plausible deniability inside the firm. Also the fact that Lee Jones has not been to this thread is a great sign. We should be pleased he is presumably directing his energies doing internal advocacy on the players' behalf (and therefore to the long-run benefit of his employer) rather then presenting indefensible positions arguing with us in this thread (to the discredit of his employer).

Responsibility lies with chronologically:
1) the person who didn't secure their credit card,
2) the bank which didn't recognise any unusual pattern of use on the card,
3) pokerstars for a) approving a transaction from a card not registered to the user as would be in breach of the TOS of other comparable sites such as Party and Unibet,
b) allowing access to the accounts from random countries which the users have never visited before including ones such as Poland where use of Pokerstars is completely illegal without attempting to contact the user before chip dumping (or potentially P2P transfers?) can take place,
c) making deposit limits valid for only 7 days while giving the impression that they are permanent,
d) allowing funds to be withdrawn to new deposit methods.
4) the PS customer for not stopping the breach sooner.

The question is, which of those 4 entities should be responsible? Of the two weaker entities, the bank customer has the most regulatory protection so it seems like the weakest of all is the pokerstars customer and therefore the person who is easiest to push around. All I can suggest is that those people who are in regulated markets should contact their regulators about this and try to get whatever protection they can. OP is in Holland and his account was accessed from Poland. If Pokerstars care enough about recovering this money then they should be made to argue in front of the new Dutch regulator that customers in the Netherlands on sign-up make an open ended commitment to cover losses caused by unauthorized access to their accounts from countries in which Pokerstars is operating illegally. People in unregistered markets are out of luck it seems if PS don't care about word of mouth.

I was prompted (.eu client) to add security questions yesterday. I wonder if they actually increase security though if they are going to be used like UK banks use them, in the belief that nobody could possibly know my mother's maiden name other than I, so if someone wants to pretend to be me they can use this publicly accessible data to convince people they are me and override other security measures. I also enabled the PIN as suggested in the OP. To be honest I think it is a waste of time because it asks you for all 6 numbers in the same order each time. Someone only has to screen grab you putting it in once to have the whole number. Moving the numbers around is nice but a PIN where numbers repeat is going to have clicks in the same places.

BTW the 300 km thing mentioned above is hard to code if it is in the same country. If I access using city fibre optic network, websites recognise me as being in the city I am actually in. If I use an internet connection based on a mobile phone network then I seem to be hundreds of km away in the capital city of the country, where the mobile phone company's head office is. In any case I regularly use both networks. I have now implemented SMS Validation so I am assuming that if anyone tries to log in from another network they will need a code which will go to me in an SMS text message, not to them. If I rightly understand how it works then this is actual decent security and this is what we should be recommending in the OP to this thread - and what Pokerstars should be prompting its users to set up when they login.

One more avenue of research - had people changed their passwords recently? If nobody had, then it tends to lend credence to the theory of a disk being sold with PS passwords. We should all change our passwords anyway.

It's a disgusting answer to a serious problem. All the signs point to an inside job and that's the best they could come up with? This is ridiculous even for Amaya standards.