Two Plus Two Newer Archives  

  #101  
03-19-2007, 09:29 PM
Greg (FossilMan)
Senior Member
Join Date: Sep 2002
Location: Raleigh, NC
Posts: 2,677
Re: Fossilman's Stars Account Hacked?

[ QUOTE ]
[ QUOTE ]

Now that I've read lots of these posts, I'm a big fan of the idea of having a separate ID name, different from your screenname, that you use along with a password when you login. This way, if you got locked out, you could change your ID and your password, and the person trying to hassle you would have to guess your ID name in order to get you locked out again. And, if they're trying to hack into your account, they'd have to guess your ID name and password, simultaneously, to succeed. That makes it WAY less likely that somebody could do it without using spyware or something to get the information from your computer.


[/ QUOTE ]

this seems like one of the most logical and easy-to-implement fixes. please use your pull w/ Stars, Greg!

take care.

[/ QUOTE ]

It turns out that this exact process, or at least one very similar to it, is just around the corner for all PS customers. As part of my reset procedure, I now have a separate secureID number that I have to input after I successfully enter my password. This secureID is a 7-digit number picked randomly by PS, so there is no way a person could guess it with any reasonable chance of success.

I also like the idea of the secureID badges as pictured by burningyen in this thread. I remember having one of these things when I worked at Pfizer so I could log into my email and stuff from home, and get work done while not at the office. When you try to log into the system, you must enter your user ID, password, and the 8 digit number generated by the secureID device. The number changes every 30 seconds or something, and the number of my device is not the same as the number on anybody else's device at any given moment. Thus, the system knows that it is really me logging in, or at least somebody who has stolen my user ID, password, AND the physical secureID device generating the random number. Hackers, even those with spyware and keyloggers, have no shot at getting into your account unless they also have physical possession of the secureID device.

I'll mention this to PS. Maybe they can implement it for players with more than some minimum amount of money in their account. Obviously this solution is too expensive to implement for every customer, especially those with only play money. Heck, even if PS was going to make me pay for the service, I would do so.

Later, Greg Raymer (FossilMan)
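The rotating-code device described in the post above, sketched with the open TOTP standard (RFC 6238) rather than the vendor's own algorithm, which is not on this page. This is an added example, not part of the original post; the device secrets and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds per code ("every 30 seconds or something")
DIGITS = 8    # the post recalls an 8-digit code


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): one code per time step per device secret."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, now: int, last_step: int, drift: int = 1):
    """Server-side check. Returns the accepted time step, or None.

    Tolerates +/- `drift` steps of clock skew and rejects any step at or
    before `last_step`, so a code captured by a keylogger cannot be replayed.
    """
    current = now // STEP
    for step_no in range(current - drift, current + drift + 1):
        if step_no <= last_step:
            continue
        if hmac.compare_digest(totp(secret, step_no * STEP), submitted):
            return step_no
    return None


# Constructed secrets: the first is the RFC 6238 test key, the second is made up.
DEVICE_A = b"12345678901234567890"
DEVICE_B = b"constructed-device-b"

if __name__ == "__main__":
    now = 59
    code = totp(DEVICE_A, now)
    print("device A:", code, "device B:", totp(DEVICE_B, now))
    accepted = verify(DEVICE_A, code, now, last_step=-1)
    print("first use accepted at step", accepted)
    print("replay of the same code:", verify(DEVICE_A, code, now + 5, last_step=accepted))
```

The server must store the last accepted step per account; without that, a captured code stays valid for the rest of its window.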
  #102  
03-19-2007, 09:35 PM
KittyLiquor
Senior Member
Join Date: Feb 2005
Location: Desert
Posts: 578
Re: Fossilman's Stars Account Hacked?

[ QUOTE ]
It would be nice if we could receive confirmation from Greg that his password was uber-easy to guess.


[/ QUOTE ]

He did. See above. He said someone, on average, could guess it in 100 tries. Weak.

I've never done anything so stupid.

At least in the last 1/2 hour...wait, lemme take that back....let's say in the last 15 minutes.

Meow
  #103  
03-19-2007, 10:34 PM
Nortonesque
Member
Join Date: Oct 2004
Posts: 58
Re: Fossilman's Stars Account Hacked?

[ QUOTE ]
I'm going to repeat that the option to "only allow me to log-in from this computer" should be considered.

[/ QUOTE ]
I like BofA's system even better: if an unrecognized computer attempts to log in to your account, it asks a couple additional personal questions (e.g., "What was the name of your first pet?").
  #104  
03-19-2007, 11:17 PM
windeetree
Member
Join Date: Jan 2007
Location: Ontario, Canada
Posts: 50
Re: Fossilman's Stars Account Hacked?

what about keeping your stars account always logged in?
  #105  
03-19-2007, 11:48 PM
StregaChess
Senior Member
Join Date: Jan 2006
Location: Support Ron Paul for President
Posts: 1,096
Re: Fossilman's Stars Account Hacked?

[ QUOTE ]
This secureID is a 7-digit number picked randomly by PS, so there is no way a person could guess it with any reasonable chance of success.

I also like the idea of the secureID badges as pictured by burningyen in this thread. I remember having one of these things when I worked at Pfizer so I could log into my email and stuff from home,

[/ QUOTE ]
We've got the same thing at Agilent and works well, however the system is only as good as the folks supporting it. We've outsourced a lot of "tech" stuff and I was horrified when I called and asked support to reset my pin. The process was pretty weak, a little social engineering and they'd cough it up. But that's the brave new world of outsourced services....
  #106  
03-20-2007, 12:09 AM
StepBangin
Senior Member
Join Date: Sep 2005
Location: Lovin My Poker Tracker
Posts: 2,334
Re: Fossilman's Stars Account Hacked?

[ QUOTE ]
what about keeping your stars account always logged in?

[/ QUOTE ]

What about it?
  #107  
03-20-2007, 01:08 AM
MicroBob
Senior Member
Join Date: Sep 2003
Location: The cat is back by popular demand.
Posts: 29,344
Re: Fossilman's Stars Account Hacked?

[ QUOTE ]
[ QUOTE ]
I'm going to repeat that the option to "only allow me to log-in from this computer" should be considered.

[/ QUOTE ]
I like BofA's system even better: if an unrecognized computer attempts to log in to your account, it asks a couple additional personal questions (e.g., "What was the name of your first pet?").

[/ QUOTE ]


that works decently for me too.
This double-security question thing when a log-in attempt comes up on a different computer seems to be a pretty common program these days.
I have it at my bank too which is not BOA.
And I think I saw it on one of my credit-card account-online things as well.
  #108  
03-20-2007, 01:52 AM
Botchman
Senior Member
Join Date: May 2006
Posts: 645
Re: Fossilman's Stars Account Hacked?

[ QUOTE ]
[ QUOTE ]
Wouldn't it be very simple to have a max of 5 log-in attempts a day?

[/ QUOTE ]

It would be simple. But I know there have been times where it took me more than 5 attempts to login, for whatever reason.

[/ QUOTE ]

I think they should implement a system after a certain number of times a password is tried a red flag is raised internally right away and they could investigate if it is the usual IP addy or a foreign one and watch the account for suspect play, if it is a foreign IP they should contact the player asap to find out if it is actually the player or if the account has been compromised
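One way to implement the internal red flag suggested in the post above, as an added example that is not part of the original post: failed attempts are counted per account and raise a staff alert instead of a lockout, and the alert is escalated when an attempt comes from an IP the player has not used before. The threshold, window, flag names and sample events are assumptions made for this sketch.

```python
from collections import defaultdict, deque

THRESHOLD = 5        # failed attempts before a flag (assumed; the thread floats 5)
WINDOW = 24 * 3600   # seconds ("a day")


def review_logins(events, known_ips):
    """Return (time, account, flag) alerts for a time-ordered list of login events.

    events: (unix_time, account, ip, success) tuples.
    known_ips: account -> set of IPs the player has logged in from before.
    Nothing is locked: failures raise a flag for staff instead, so someone
    failing logins on purpose cannot lock the real player out.
    """
    failures = defaultdict(deque)            # account -> recent (time, ip) failures
    alerts = []
    for ts, account, ip, success in events:
        usual_ips = known_ips.get(account, set())
        recent = failures[account]
        while recent and ts - recent[0][0] > WINDOW:
            recent.popleft()                 # drop failures older than the window
        if not success:
            recent.append((ts, ip))
            if len(recent) == THRESHOLD:
                foreign = any(f_ip not in usual_ips for _, f_ip in recent)
                alerts.append((ts, account, "contact_player" if foreign else "review"))
        elif ip not in usual_ips and len(recent) >= THRESHOLD:
            # Correct password from an unfamiliar IP right after a run of failures.
            alerts.append((ts, account, "possible_compromise"))
        elif ip in usual_ips:
            recent.clear()                   # the real player got in; reset the count
    return alerts


# Constructed sample data (documentation IP ranges, made-up account names).
KNOWN_IPS = {"player_a": {"198.51.100.7"}, "player_b": {"192.0.2.10"}}
SAMPLE_EVENTS = (
    [(t, "player_a", "198.51.100.7", False) for t in (10, 20, 30, 40, 50)]
    + [(60, "player_a", "198.51.100.7", True)]
    + [(t, "player_b", "203.0.113.50", False) for t in (100, 110, 120, 130, 140)]
    + [(150, "player_b", "203.0.113.50", True)]
)

if __name__ == "__main__":
    for alert in review_logins(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```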
  #109  
03-20-2007, 01:55 AM
MicroBob
Senior Member
Join Date: Sep 2003
Location: The cat is back by popular demand.
Posts: 29,344
Re: Fossilman's Stars Account Hacked?

Absolutely.

Especially the part about watching for suspect play and then freezing the account if it looks all screwy.

If a 1/2 NL 6-max guy is suddenly playing heads-up high-stakes limit or something can't that almost automatically be a situation where they at least keep an eye on things?
  #110  
03-20-2007, 02:28 AM
rothko
Senior Member
Join Date: Jan 2006
Location: nowhere, really
Posts: 5,437
Re: Fossilman's Stars Account Hacked?

[ QUOTE ]
[ QUOTE ]
Wouldn't it be very simple to have a max of 5 log-in attempts a day?

[/ QUOTE ]

I was liking this idea myself. But then somebody pointed out that if a person wanted to make life hard for you, they'd just try to log in as you 5 times, and get you locked out. Once you got things up again, they could repeat the process. Basically, they could get you locked out as often as they wanted.

Now that I've read lots of these posts, I'm a big fan of the idea of having a separate ID name, different from your screenname, that you use along with a password when you login. This way, if you got locked out, you could change your ID and your password, and the person trying to hassle you would have to guess your ID name in order to get you locked out again. And, if they're trying to hack into your account, they'd have to guess your ID name and password, simultaneously, to succeed. That makes it WAY less likely that somebody could do it without using spyware or something to get the information from your computer.

If anybody can explain why having a separate login ID name would be a problem for the sites, I'd love to hear. If there is no such problem, I'll lobby PS to get it done.

Later, Greg Raymer (FossilMan)

[/ QUOTE ]

greg, it isn't a problem. two of the poker rooms that i use have already implemented this practice.