Two Plus Two Newer Archives
Thread: Password Security Suggestion--Key Fobs
#31 - 03-06-2007, 11:07 PM
Splash-the-Pot (Junior Member; Join Date: Jan 2007; Posts: 18)
Re: Password Security Suggestion--Key Fobs

$5 a pop is just for the keyfob --> Think about all of their costs developing the hardware algorithm, the server-side algorithm to authenticate, and the required support and personnel to get this designed, developed, tested, and then released!

PayPal has a HUGE customer-base and is one of the top sites out there that gets Phishing attacks... They have a lot to lose, and thereby a lot to gain from using KeyFOBs..

I'm all for it, but you won't be seeing it any time soon. The main problem is the $ required to develop it, the expertise (coming up with something solid), and especially the extra it will cost in support / techs to have your site fully support it.

Maybe some day, but honestly I wouldn't hold my breath.

My Advice: Make 10+ digit passwords that are made up of numbers and letters in a seemingly random, non-meaningful setup. Use non-alphanumeric chars as well whenever allowed...

I administrate several production and test server boxes and I just keep secure passwords -> Same w/ poker sites and user logins. It's really a LOT more powerful than many tend to think!
#32 - 03-06-2007, 11:59 PM
skier_5 (Senior Member; Join Date: Jan 2006; Location: praha; Posts: 3,415)
Re: Password Security Suggestion--Key Fobs

[ QUOTE ]
$5 a pop is just for the keyfob --> Think about all of their costs developing the hardware algorithm, the server-side algorithm to authenticate, and the required support and personnel to get this designed, developed, tested, and then released!

PayPal has a HUGE customer-base and is one of the top sites out there that gets Phishing attacks... They have a lot to lose, and thereby a lot to gain from using KeyFOBs..

I'm all for it, but you won't be seeing it any time soon. The main problem is the $ required to develop it, the expertise (coming up with something solid), and especially the extra it will cost in support / techs to have your site fully support it.

Maybe some day, but honestly I wouldn't hold my breath.

My Advice: Make 10+ digit passwords that are made up of numbers and letters in a seemingly random, non-meaningful setup. Use non-alphanumeric chars as well whenever allowed...

I administrate several production and test server boxes and I just keep secure passwords -> Same w/ poker sites and user logins. It's really a LOT more powerful than many tend to think!

[/ QUOTE ]

I'm pretty sure if verisign is selling hardware for this, they are selling the server side software as well. Therefore, it is just a matter of integrating it into the poker site's software.

Anything would be better than the current system. Even if it was as simple as a hardware usb key that has to be plugged into the computer that the user logs in from. Take auto login off and you won't have "joyriders" and you won't have issues with hackers logging in from remote locations, etc. Of course I have no idea how hard it would be for a good hacker to make a fake (as in virtual) key, but I'm sure there are probably ways to prevent this. Either way, just plug it into your computer and forget about it and you're way more secure than before.
#33 - 03-07-2007, 04:18 AM
fleece_me (Senior Member; Join Date: Jan 2004; Posts: 293)
Re: Password Security Suggestion--Key Fobs

Counthomer is an idiot and should be ignored. None of the things he mentioned will overcome a keyfob other than if the player stays logged in to the account and someone uses that person's computer.

It is important to note why Paypal does this. They are highly incentivized to not get sued. Therefore they go to reasonable lengths to make sure their accounts are secure. If litigated, they can point to these Secure-IDs and claim they have "done their part". They would be right. The poker sites do not give a rat's ass. They can't be sued. All a key fob can do is cost them time and money in hardware (the fob itself), shipping and tech support man hours. These companies are making hundreds of millions of dollars and they don't want to spend the first quarter to protect the players. And why should they?

Neteller tried to do this when they added their "Secure-id" but it was a poorly thought out, dumb ass addition because in their API they mandated that the sites require it. So now, the sites have your Acc#, your secure-id and all they need to do is guess your password to hack your account. The people at Neteller, in case no one has noticed, are idiots.

Keyfobs are expensive. They expire (battery runs out). They need to be replaced when they expire. Poker sites have zero reason to do this. They don't care if your account gets hacked - they've never once remunerated a player for his loss.

Despite what counthomer says, there is a ton of research on the net about these key fobs and quite simply, they work.
#34 - 03-07-2007, 12:34 PM
jalexand42 (Senior Member; Join Date: Oct 2005; Location: Open Pushing my range; Posts: 1,139)
Re: Password Security Suggestion--Key Fobs

[ QUOTE ]
$5 a pop is just for the keyfob --> Think about all of their costs developing the hardware algorithm, the server-side algorithm to authenticate, and the required support and personnel to get this designed, developed, tested, and then released!

PayPal has a HUGE customer-base and is one of the top sites out there that gets Phishing attacks... They have a lot to lose, and thereby a lot to gain from using KeyFOBs..

I'm all for it, but you won't be seeing it any time soon. The main problem is the $ required to develop it, the expertise (coming up with something solid), and especially the extra it will cost in support / techs to have your site fully support it.

Maybe some day, but honestly I wouldn't hold my breath.

My Advice: Make 10+ digit passwords that are made up of numbers and letters in a seemingly random, non-meaningful setup. Use non-alphanumeric chars as well whenever allowed...

I administrate several production and test server boxes and I just keep secure passwords -> Same w/ poker sites and user logins. It's really a LOT more powerful than many tend to think!

[/ QUOTE ]

Seriously, why do people come on a site and pretend to know what they are talking about.

There is more than one vendor who sells a TURN KEY solution dude. They start in the high tens of thousands, which is a pittance for a poker site. These solutions come with software APIs that can be easily plugged into software packages such as a poker client.
#35 - 03-07-2007, 12:36 PM
jalexand42 (Senior Member; Join Date: Oct 2005; Location: Open Pushing my range; Posts: 1,139)
Re: Password Security Suggestion--Key Fobs

[ QUOTE ]
These companies are making hundreds of millions of dollars and they don't want to spend the first quarter to protect the players. And why should they?

Despite what counthomer says, there is a ton of research on the net about these key fobs and quite simply, they work.

[/ QUOTE ]

Good post. It's a shame that the poker sites treat their customer base this way. There are major, significant, glaring weaknesses in the security model for all these sites.

Hopefully in a regulated environment where Harrahs/MGM/Venetian etc. could play, we'd see much better security.
#36 - 03-07-2007, 01:51 PM
b-komplex (Senior Member; Join Date: Oct 2006; Posts: 278)
Re: Password Security Suggestion--Key Fobs

Yeah wow this thread took a serious left turn but so you all know jalex is making sense and a lot of other guys are iffy.

As for the impetus for the sites, I absolutely believe there is a business case there especially as the players demand it. I am a weekend $11 tourney donk and I've gone through like $1500 entry fees in a year so I can only imagine what these places are making off the real grinders and how they would feel if the first one out of the gate with 2-factor auth got all the business. But even without assuming mass player exodus I bet it's close...

Bottom line this would be a huge step forward in the level of protection offered to today's player and make a lot of the current stuff that is happening basically impossible.

[shamelessplug]If anyone from one of the sites is interested in discussing further I have a lot of experience with these systems and am between jobs right now shoot me a PM[/shamelessplug]
#37 - 03-07-2007, 02:12 PM
jalexand42 (Senior Member; Join Date: Oct 2005; Location: Open Pushing my range; Posts: 1,139)
Re: Password Security Suggestion--Key Fobs

[ QUOTE ]
Man in the middle attacks are probably impossible in a traditional sense, but then the bad guys don't work along standard lines. For example, it wouldn't be too difficult to compromise some home routers, make the client fail to connect and then somehow spoof email responses from support or equivalent. This is obviously moving into social engineering of sorts [snip]
[/ QUOTE ]

BTW, just to be a total jerk about it, I'd be interested if you could give me a rundown on how you would go about crafting an attack such as your example above.

Theoretically, I could waggle my fingers and make the balance of aba's account magically move into my own....and certainly a key fob wouldn't protect against that either.
#38 - 03-07-2007, 06:01 PM
counthomer (Member; Join Date: Jan 2007; Posts: 68)
Re: Password Security Suggestion--Key Fobs

I have to say I am rather disheartened by the fact that people have abused me on this topic. I have come in here as an insider, and have tried to explain some of the mechanics and thinking of the industry to give you guys an insight into what is actually happening and how and why things work the way they do. Instead I get abuse and put down because I present a slightly different view. Would you rather I came here as a representative and did what the rest do - astroturf the topic, appease you with some bland statements while knowing it would never happen?

I'm even more disappointed that people like fleece_me and NoahSD have failed to read the insight I have provided. I can totally accept that you might disagree, but to simply overlook the points I have made is irrational.

Let me summarise my position so that everyone is clear, and then maybe Noah and fleece can come back to me with some points of their own.

1. I am massively for improvements in security. I have even posted some suggestions in this very thread. I am also critical of all the poker companies and how they do things. I can do this because I post as myself rather than a representative. I am therefore PRO security tokens and two factor authentication (in principle). I agree with all the points made here about how they would stop most scenarios. I pointed out some security caveats because some people seem to think they are a magic bullet. For example, I see someone posted that '30 seconds is better than 3 months' but this is classic wishful thinking. In security terms it takes seconds to compromise a system, and then it is merely a question of avoiding discovery while you do your damage. 30s is therefore a lifetime in that sense.

2. Since I am FOR security (including tokens) why have people read my comments as anti the thrust of this thread? Well I think that is because I have been strongly suggesting that they are pointless. I say this because of two things (which are based on experience):

a) There are only a handful (< 5) of what I call 'real' hack attempts every year on poker accounts. By 'real' I mean the sort of stuff people are suggesting here - people cracking passwords etc. On the good sites all of these hack attempts fail, because the perpetrators are not poker people and they don't realise that even if they can get money out of the hacked account, they still have to get it off the poker company itself. Good security measures catch all of these attempts. You should also consider the nature of the players and the other targets here. The relevant targets (big players with big balances) play very regularly - in nearly all cases they find their accounts have been compromised very quickly making it easy for the sites to shut the culprits down and repair the damage. In terms of targets, if you are doing a true hack on someone, what most people will go for are the online banking accounts etc - these are far easier to steal money from - this gives poker accounts some security by effectively not being the low hanging fruit as it were.

b) The rest of the cases are all 'joy riding' in nature, and 99% of all of these cases are where someone leaves themselves logged in at home, or lets a friend use their account (sometimes unknowingly but generally knowingly). Noah was highly critical of me when I explained the general industry position in this regard, but I ask simply - at what point does the person take some responsibility? If you gave your Visa card and pin to your best friend would you complain to the bank if they ran up big debts on it?

Given these two types of 'hack' what do key fobs solve? Well the answer is almost certainly all of (a) and most/all of (b) - the latter depending on whether the sites implemented a system of having to add the number before each table join.

However, my point is simple. Look at the cost - from experience (and a wikipedia search somewhat corroborates this) the average cost per user is around $50 - $100. I can eradicate all of the (b) items (and (a) items are pretty much caught already as stated) with some simple changes in security design and some brisk user education. The key fob way costs millions, mine probably less than $1 per person. Key fobs are therefore really just an expensive marketing tool in some regards - if the sites wanted to secure accounts they would start by doing these million little things.

I'm sure now there will be some posts giving me stick that I am therefore part of the problem for not making these changes. Damn right I say - I am appalled at some of the security design in the clients (remember username/password etc) but I'm not in charge. I hope that some people will now see the benefits of my posts. If you send an email asking for security fobs you will get a representative on here saying we are looking into them and a thank you email, but they will never happen. If enough people ask for the sites to remove the 'save login' features some clients have then there is much more chance of some useful change.

So in summary, I hope people now understand what I stand for in this area and my posts in this topic. I came onto these boards with good intentions, trying to be one of the few people around here who works in the industry but is not paid to come in here and placate you with empty promises. I hope some of the people who have been so harsh on me will consider an apology, or at least show me the courtesy of coming back to me with reason and questions where I can provide insight.
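The "30 seconds is a lifetime" caveat in the post above is about the validity window of a time-based token code. The following added example (editor's illustration, not code from any poster or from any poker site or token vendor) implements the RFC 4226 / RFC 6238 token algorithm that key fobs of this kind use, and shows the server-side rule that limits the damage from a code captured inside its window: a time step that has already produced a successful login is never accepted a second time. The 30-second step and the one-step clock tolerance are the standard values; the shared secret in the demo is the RFC test-vector secret.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30   # the 30-second window discussed in the thread
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side verifier for one user's time-based token.

    Two properties matter for the caveat in the thread:
    - a code is only accepted within +/- skew_steps of the server's own clock, and
    - a time step that already produced a successful login is never accepted again,
      so a code that was captured and replayed inside its own window is rejected.
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew_steps: int = 1):
        self.secret = secret
        self.step = step
        self.skew_steps = skew_steps
        self.last_accepted_step = -1   # per-user state; in a real system this lives in the account record

    def verify(self, submitted: str, now: int) -> bool:
        current = now // self.step
        for candidate in range(current - self.skew_steps, current + self.skew_steps + 1):
            if candidate < 0 or candidate <= self.last_accepted_step:
                continue   # negative counter, or a step that has already been used once
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, submitted):   # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890")
    secret = b"12345678901234567890"
    verifier = TotpVerifier(secret)
    code = totp(secret, 59)
    print("first use :", verifier.verify(code, 59))    # accepted
    print("replay    :", verifier.verify(code, 70))    # same step, rejected
```

The replay rule does not shorten the window in which a freshly stolen code can be used first; it only guarantees that one code buys one login, which is why the posts elsewhere in the thread pair tokens with per-action re-authentication and with clean client machines.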
#39 - 03-07-2007, 08:50 PM
Percula (Senior Member; Join Date: Jun 2004; Location: Phoenix; Posts: 2,050)
Re: Password Security Suggestion--Key Fobs

[ QUOTE ]
I have to say I am rather disheartened by the fact that people have abused me on this topic. I have come in here as an insider, and have tried to explain some of the mechanics and thinking of the industry to give you guys an insight into what is actually happening and how and why things work the way they do. Instead I get abuse and put down because I present a slightly different view. Would you rather I came here as a representative and did what the rest do - astroturf the topic, appease you with some bland statements while knowing it would never happen?

[/ QUOTE ]

I am to some degree glad you are here, but frankly you come off as a shill. Someone that has been tasked or engaged to run a propaganda blitz on the subject.

--snip--

[ QUOTE ]
a) There are only a handful (< 5) of what I call 'real' hack attempts every year on poker accounts. By 'real' I mean the sort of stuff people are suggesting here - people cracking passwords etc. On the good sites all of these hack attempts fail, because the perpetrators are not poker people and they don't realise that even if they can get money out of the hacked account, they still have to get it off the poker company itself. Good security measures catch all of these attempts. You should also consider the nature of the players and the other targets here. The relevant targets (big players with big balances) play very regularly - in nearly all cases they find their accounts have been compromised very quickly making it easy for the sites to shut the culprits down and repair the damage. In terms of targets, if you are doing a true hack on someone, what most people will go for are the online banking accounts etc - these are far easier to steal money from - this gives poker accounts some security by effectively not being the low hanging fruit as it were.

[/ QUOTE ]

You are sadly mistaken here. The majority of the hacked accounts that have been reported of late here on 2+2 have been or can be related to compromised PCs in the form of keyloggers, spyware, trojans or a combination of social engineering and keyloggers, etc. Two factor authentication would have prevented the vast majority of the reported cases seen here.

You are also missing or trying to redirect the topic to "user education", "it's the user's fault". Yes you are correct that user education is a major factor. But that is not the topic at hand. The topic at hand is "What are the poker sites doing to protect their customers?". Many with and without technical knowledge would say not enough. You simply cannot reasonably expect the end user to become the security expert.

Also, you talk about these delays in processing cashouts, that they inherently protect the customer. That has not been my experience, at least back in the days of Neteller, when a cashout was available in a matter of minutes or hours. Bottom line, this is not a security measure.

[ QUOTE ]
So in summary, I hope people now understand what I stand for in this area and my posts in this topic. I came onto these boards with good intentions, trying to be one of the few people around here who works in the industry but is not paid to come in here and placate you with empty promises. I hope some of the people who have been so harsh on me will consider an apology, or at least show me the courtesy of coming back to me with reason and questions where I can provide insight.

[/ QUOTE ]

That's the problem, we don't know what you stand for. Much of your comments/statements are either misleading or inaccurate or off topic. You appear to be pushing an agenda that is not forthcoming in nature.
#40 - 03-08-2007, 05:46 PM
counthomer (Member; Join Date: Jan 2007; Posts: 68)
Re: Password Security Suggestion--Key Fobs

[ QUOTE ]
I am to some degree glad you are here, but frankly you come off as a shill. Someone that has been tasked or engaged to run a propaganda blitz on the subject.

[/ QUOTE ]

I have no agenda here, but don't take my word for it - read through my comments in detail. I (personally) can't see any way that my comments could be seen to be self serving in any way.

To be clear, I am being extra careful in all my posts to not push or promote any site or group of sites over another (save to point out public differences where appropriate). I was hoping to be able to provide some insight and some useful knowledge which could be helpful to debates where I have some experience. In fact, the general tone of most of my posts in this area is pretty critical of all sites.

[ QUOTE ]
You are sadly mistaken here. The majority of the hacked accounts that have been reported of late here on 2+2 have been or can be related to compromised PCs in the form of keyloggers, spyware, trojans or a combination of social engineering and keyloggers, etc. Two factor authentication would have prevented the vast majority of the reported cases seen here.

[/ QUOTE ]

I'm going to state two things here. Firstly that I agree tfa would have prevented most of these, and secondly that I agree that it would prevent most and not all.

The issue here is that if someone has that level of control of your machine, then you have no guarantee that the link you click on to open your poker site actually opens the real site or a copy designed to capture your data (including key fob number). This is the reason I mentioned the Microsoft security policy article which basically states that they use a 'clean access agent' in conjunction with tfa. Unfortunately this is impossible for poker sites to consider.

Given that the tfa is therefore not a perfect solution, the question is therefore whether there is something the sites could do that is better and cheaper and would achieve the desired results. I think there is, and I outline one personal idea below.

[ QUOTE ]
You are also missing or trying to redirect the topic to "user education", "it's the user's fault". Yes you are correct that user education is a major factor. But that is not the topic at hand. The topic at hand is "What are the poker sites doing to protect their customers?". Many with and without technical knowledge would say not enough. You simply cannot reasonably expect the end user to become the security expert.

[/ QUOTE ]

I have never had any intention of redirecting the topic. One of the benefits of not being an official spokesperson is that my posts stand on their own merit. I merely feel that getting to a better security situation requires a number of steps, and the best one to fight for initially is a user education drive.

[ QUOTE ]
Also, you talk about these delays in processing cashouts, that they inherently protect the customer. That has not been my experience, at least back in the days of Neteller, when a cashout was available in a matter of minutes or hours. Bottom line, this is not a security measure.

[/ QUOTE ]

In a way this is - most of the sites will only cashout to 'known' accounts, therefore a hacker could only transfer money to your NETeller account or get a cheque in your name. If they were cashing out to their own personal account (or an intermediary) then their personal details are almost certainly on file, and the last thing these people want are accurate records of who they are. Many hackers of the ilk you describe are therefore new accounts with little or no history, and therefore easily flagged.

This does raise an interesting question of how secure the entire chain of companies (bank account > ewallet > poker site) is, and whether implementing a tfa solution on one would be sufficient.

----

In the spirit of actually being constructive I was considering this topic overnight and have a suggestion.

I feel that fobs will never come in, but the principle (which I am very much for) is still very valid. The idea I came up with was that as most of the sites track a large amount of data about your machine every time you connect, it would be easy for them to generate an automatic 'secure password' challenge if you did not connect from the expected location. It would be very easy for them to store cell numbers and send out a text to the user with this 'secure password'. Your cellphone (which never touches a computer) therefore becomes the 'thing you have'. This password would be generated and could only be used once, and there would be no way of spoofing the client as I outlined above.

I think if you combined that with a push to ensure that users all had working AV/firewall and patched machines, you would eliminate all but the most sophisticated hack attempts for very little money.

Unfortunately, and I am ashamed to admit this, I don't see even this being considered. If you look at PayPal, they were effectively shamed into trying to secure their site with the constant flow of phishing and hack stories hitting the general public. With the poker sites you have a relatively small group of users posting on forums such as this. The sites make a lot of money and know that if they send someone in to forums like this to keep people placated, they will never have to address these issues seriously.

For what it is worth, I feel hardly any of the sites have got this right, and while there are a few that are taking it relatively seriously, the rest are stuck battling with the balance between making the systems easy to use for the non technical users and ensuring security.
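The post above sketches a cheaper alternative to fobs: a one-time code texted to the player only when a login arrives from a machine the site does not recognise. The following added example (editor's illustration, not code from counthomer or from any poker site) works that sketch through on the server side. Everything beyond the post is an assumption: the device fingerprint is a hash of whatever attributes the client reports (the post only says the sites "track a large amount of data about your machine"), the SMS transport is an injected callable, and the five-minute expiry, three-attempt limit and the rule that the code must be redeemed from the same device that triggered it are choices made here, not anything the post specifies.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: a texted code is good for five minutes
MAX_ATTEMPTS = 3         # assumed: three guesses, then the challenge is discarded


class StepUpAuth:
    """Risk-based second factor: unknown device -> single-use code by SMS."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms     # callable(phone, message); the transport is an assumption
        self.now = now               # injectable clock so expiry can be tested
        self.known_devices = {}      # user -> set of device fingerprints seen after a successful code
        self.pending = {}            # user -> outstanding challenge

    @staticmethod
    def fingerprint(client_info: dict) -> str:
        # Constructed: hash the attributes the client reports, in a stable order.
        material = "|".join(f"{k}={client_info[k]}" for k in sorted(client_info))
        return hashlib.sha256(material.encode()).hexdigest()

    @staticmethod
    def _hash(salt: bytes, code: str) -> bytes:
        # Store only a keyed hash of the code, so a database read does not leak live codes.
        return hmac.new(salt, code.encode(), hashlib.sha256).digest()

    def login(self, user: str, client_info: dict, phone: str) -> str:
        """Returns 'ok' for a recognised device, otherwise sends a code and returns 'challenge'."""
        fp = self.fingerprint(client_info)
        if fp in self.known_devices.get(user, set()):
            return "ok"
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, never a predictable sequence
        salt = secrets.token_bytes(16)
        self.pending[user] = {
            "salt": salt,
            "hash": self._hash(salt, code),
            "expires": self.now() + CODE_TTL_SECONDS,
            "attempts": 0,
            "fp": fp,                                # code is bound to the device that triggered it
        }
        self.send_sms(phone, f"Your one-time login code is {code}")
        return "challenge"

    def confirm(self, user: str, client_info: dict, submitted: str) -> bool:
        """Redeems a code exactly once; any failure path discards or counts against the challenge."""
        entry = self.pending.get(user)
        if entry is None:
            return False                              # nothing outstanding, or already used
        if self.now() > entry["expires"]:
            del self.pending[user]
            return False                              # expired
        if self.fingerprint(client_info) != entry["fp"]:
            del self.pending[user]
            return False                              # redeemed from a different machine
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[user]
            return False                              # too many guesses
        if not hmac.compare_digest(self._hash(entry["salt"], submitted), entry["hash"]):
            return False                              # wrong code; attempt counted
        del self.pending[user]                        # single use
        self.known_devices.setdefault(user, set()).add(entry["fp"])
        return True


if __name__ == "__main__":
    outbox = []
    auth = StepUpAuth(send_sms=lambda phone, msg: outbox.append((phone, msg)))
    laptop = {"os": "Windows", "client_version": "1.0", "ip_prefix": "203.0.113"}  # constructed
    print(auth.login("alice", laptop, "+15550100"))          # challenge
    texted_code = outbox[-1][1].rsplit(" ", 1)[-1]
    print(auth.confirm("alice", laptop, texted_code))        # True
    print(auth.login("alice", laptop, "+15550100"))          # ok (device now known)
```

Binding the code to the device that triggered the challenge means a code redeemed from some other machine fails, which covers the remote "joyriding" cases the thread is about; it does nothing for the case counthomer raises in the same post, where the player's own machine is the compromised one and whatever the player types is visible to the attacker.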