Security Flaw at Neteller - please comment

[dardo]

After reading the experience of this user, this user and some more you can find making the search "+neteller +security -re:" at this forum. I started to question the security of holding funds at Neteller. I've sent them an e-mail with my concerns, you can read it below.

If you feel like contacting Neteller support their email address is ... support@neteller.com

Also, I would suggest to request a new Secure ID through phone. (You can change it making a call.)

dardo.

-----------------------------

Dear Sir / Madam,

It has come to the concern of the Spanish Poker Community a significant security risk for Neteller’s users.

This topic is being discussed at the forum http://www.poquer.com.es/foro/ and it will be soon discussed at the 2+2 forums http://forumserver.twoplustwo.com/po...amp;Board=inet . After the negative experience of one of their users who got his balance stolen through this security breach.

This security risk exists because Poker sites only need your name, Account ID and Security ID to get permit to make a transfer from a Neteller account. This means a hacker could make a fake account at a casino/poker site and rob the funds from a Neteller account.

Basically, the breach is that you need to share sensitive information: The Security ID with third parties aside from Neteller.

It is understandable that your company wants to create a friendly user operative so it’s very easy to deposit at Poker Sites. But once you have a significant amount of money at an account it becomes a big security concern.

It would be very easy to solution. It would just need the option to ask for confirmation of any transaction from WITHIN the Neteller account before processing it. This way it wouldn’t be possible to make a transfer from WITHOUT the Neteller account as is possible right now.

Best regards,

Pedro Gomez

[JPFisher55]

Your explanation does not make sense. I think that you mean to ask if Neteller can design a system that allows you to transfer funds to a merchant without typing your security code on the merchant's website.
In the meantime, I recommend only depositing into very reputable sites.

[AngusThermopyle]

[ QUOTE ]
Your explanation does not make sense. I think that you mean to ask if Neteller can design a system that allows you to transfer funds to a merchant without typing your security code on the merchant's website.
In the meantime, I recommend only depositing into very reputable sites.

[/ QUOTE ]

I think what he is suggesting is that you set up an option so that any withdrawl from Neteller to a merchant must be approved from withing the Neteller account.
ie...make request at PokerStars for $500 Neteller deposit, PokerStars places request to Neteller, and Neteller only releases funds if you log onto your Neteller account (using your secure id and password) and click on "Approve" for the pending $500.
A bit more time consuming

[Jukep]

[ QUOTE ]
Your explanation does not make sense. I think that you mean to ask if Neteller can design a system that allows you to transfer funds to a merchant without typing your security code on the merchant's website.

[/ QUOTE ]

I think it makes very much sense. He suggests a system where the user is transferred to Neteller's site and authorizes the transfer there. E.g. Epassporte uses this method.

Another good solution would be the use of onetime authorization codes. A user would get a list of random codes, use one per transaction, cross it off and so on. This is how online banking works in most of the European banks I've dealt with.

I think Neteller is pretty unsecure as it is now.

[dardo]

[ QUOTE ]
I think what he is suggesting is that you set up an option so that any withdrawl from Neteller to a merchant must be approved from withing the Neteller account.
ie...make request at PokerStars for $500 Neteller deposit, PokerStars places request to Neteller, and Neteller only releases funds if you log onto your Neteller account (using your secure id and password) and click on "Approve" for the pending $500.
A bit more time consuming

[/ QUOTE ]

Yep, exactly. This way you would prevent the issue I described above. But the idea of just taking you to Neteller's web site (as Jukep said) would be even better.

You would just need to type two more passwords this way. PayPal makes it, now that I think of this.

regards,

dardo

[dardo]

[ QUOTE ]
I think it makes very much sense. He suggests a system where the user is transferred to Neteller's site and authorizes the transfer there. E.g. Epassporte uses this method.

[/ QUOTE ]

Thanks for your answer. Do you know if Epassporte or another money transfer service with this method can be used like Neteller to transfer money between sites?

[ QUOTE ]
Another good solution would be the use of onetime authorization codes. A user would get a list of random codes, use one per transaction, cross it off and so on. This is how online banking works in most of the European banks I've dealt with.

[/ QUOTE ]

Sure. With both things Neteller would be a much secure place, and I'm sure their customer would have the confidence to let at their accounts a bigger balance.

[ QUOTE ]
I think Neteller is pretty unsecure as it is now.

[/ QUOTE ]

It's like your online bak asked you to share your account password anytime you are going to buy something. It's ok for people who want to play some poker/casino from time to time, nothing else.

regards,

dardo

[Dazarath]

Do any of the users, who have supposedly gotten their Neteller account hacked (or whatever), have more posts than I can count on one hand? I'm not a post count Nazi, but there are a lot of trolls out there, and one sure sign is someone registering for a forum just to complain about some BS problem, but not stay around to actually join in any other forum discussions.

[dardo]

[ QUOTE ]
Do any of the users, who have supposedly gotten their Neteller account hacked (or whatever), have more posts than I can count on one hand? I'm not a post count Nazi, but there are a lot of trolls out there, and one sure sign is someone registering for a forum just to complain about some BS problem, but not stay around to actually join in any other forum discussions.

[/ QUOTE ]

Actually the first poster, I put a link of, is a regular poster of the bigger spanish-talking poker forum ... poquer.com.es He posted here because I suggested him to do so.

regards,

dardo

[Dazarath]

[ QUOTE ]
Actually the first poster, I put a link of, is a regular poster of the bigger spanish-talking poker forum ... poquer.com.es He posted here because I suggested him to do so.

[/ QUOTE ]

Fair enough. I wasn't trying to be accusing. It's just that (and I'm sure you know just as well as I do), there are so many trolls out there, it's not always easy to distinguish between the legitimate issues and the BS ones.

[phish]

Doesn't your email address at the poker site have to match your neteller email address for you to transfer funds?

I always thought so. If not, then I agree that this is a major security flaw.