Security tips for avoiding account hackers

[Lee Jones]

Hi folks -
A well-known player wrote me and asked for any suggestions I had about counter-strategies against account hackers. There have been a few high-profile cases recently and this person was (understandably) concerned.

I took the liberty of forwarding his question to JeffW - a senior staffer at PokerStars. Jeff has been with PokerStars longer than I have, and has a eighth-dan black-belt in computer security. Jeff sent back a list of 11 guidelines for protecting your computer and online poker account.

You may not like them all - some of them are a hassle and some are in direct conflict with the way a lot of you live your online poker lives. But this is serious stuff, and there are some Very Bad people out there working hard to separate you from your bankroll. And I don't mean the good poker players.

I hope you'll read carefully and follow these guidelines.

Best regards,
Lee Jones

PokerStars Poker Room Manager

----------------------------

Jeff’s computer security tips for online poker players

1. Never let the system “remember” any of your passwords. While systems provide this as a matter of convenience, this is the most common "hack". A password does nothing for you at all if itnever has to be entered.

2. Password-protect your Windows system so that when it goes to sleep, you have enter a password to get back in. This is security 101 stuff but almost nobody does it.

3. Always choose a strong password. Never use a word that can be found in a dictionary, and never, ever use kids names, birthdays, friends names, or a password related to the site. “pocketaces” is a terrible password for online poker. Good password selection can be as simple as picking a book off your bookshelf, flipping to a random page,and picking two words from it at random separated by the page number. Then bookmark the page and circle the two words in case you ever need to look it up again. Doing this just now with a novel I came up with a password of “great167side”.

4. Never, ever share your poker account password with anyone. You wouldn't let someone else access your online banking, so why let someone else access your poker account? Likewise, no reputable site will ever ask you to send your password for any purpose other than to actually log into the site in question. Any other time you're asked to give up your password, you're being scammed.

5. Don't use the same password in any two locations. Sure, it makes it easy to have the same password everywhere. Easy for you. Easy for hackers. You may trust the operators of this forum, but if you sign up at a forum somewhere and use the same password (and heaven forbid, the same user ID!), then you're asking for a hack. A determined hacker is willing to go to the effort to establish a forum that looks legitimate and to stick with it for a VERY long time, in order to harvest many emails, account names and passwords. Only months later will he go in for the kill, draining at once all the accounts he's managed to find.

6. Change your passwords often.... very often. 3 months is too long to keep the same password on a financial account. When changing passwords, never re-use an older password, nor any variant of it. If your last password was (as insecure as) “iraisewithAA”, then your next password should not be “iraisewithKK” or even “ifold72offsuit”.

7. If someone chats you up online claiming to be your close buddy who wants a loan...call and ask first. You wouldn't hand money to a stranger in a casino because “your buddy Joe said he needs it, he's right over there in the Pot Limit game, honest”. Don't do this online, either. If he is that good of a buddy, you have a phone number for him. Call him first.

8. Never log into Windows to play poker as "Administrator" or equivalent. Use a restricted user account to make key loggers or trojans have a much more difficult time gaining access. Yes,Windows XP Home Edition users have no choice in the matter, since every user account is by default an Administrator. Don't use XP Home to play online. Use XP Professional.

9. Windows Firewall stinks. It will not protect you, as it only blocks attacks from the outside from getting in. It does nothing to protect you from thingsthat managed to get in from communicating with the outside world. No matter how much it bogs down your system, you need a good bidrectional firewall that will alert you when software triesto access the Internet. Norton, McAfee, ZoneAlarm, Kaspersky. They are your friends, and they are not optional – use one (exactly one) of them. Same for at least two good spyware scanners.

10. Virus/Trojan/Spyware Scanners only detect things they know about. It is still possible to catch a customized piece of spyware or a key logger that has never been reported to the scanner authors... and you'll never know you've been infected in such a case. Thus, exercise good judgement when deciding what to download. How much do you know about that third party HUD (“heads-up display”) tool? Does the author identify himself? Has it been around for a long time and used by many players without incident? Don't be the guinea pig that finds “malware” the hard way. Don't install downloaded software you don't implicitly trust completely... and that list should be avery short one.

11. Here’s the hard one: don’t play online poker on anybody else’s computer. We know that’s anathema to the young, mobile, hip online poker crowd. But consider this: You go to all the trouble to protect your computer and PokerStars account with the steps we’ve outlined above. Now you sit down at somebody else’s laptop and type in your userid and password. You know virtually nothing about the security of that computer, and have just wasted all the work that you’ve done to protect yourself. If you really “must” play online poker on another computer, do it on a machine owned by somebody that’s as careful about security as you are.

[kyleb]

And always check the sticky which has an article written by yours truly, a former PokerStars employee.

[antneye]

Thanks for the tips Lee. You can never be too careful.

[[Phill]]

Thanks for the tips.

Most of it is old ground for me, but that book password idea is genius.

[Mike Haven]

Thanks, Lee. Good post.

I just spoke to CDPoker to change my password. Here's some of the chat:

*

Me: hello?

chatoperator1: Kylie: Hi! This is Kylie from Online Support. How may I help you? [img]/images/graemlins/smile.gif[/img]

Me: i want to change my pw for normal basic security reasons as ive had it for a long time but i cant see how to on the site

Me: kindly point me to the option thx

chatoperator1: Kylie: Shania there is no option in the software to change your password however I may change your password online provided that you have to tell me your email address...

chatoperator1: Kylie: But the password is randomly selected by the computer.

chatoperator1: Kylie: is that okay with you?

Me: that seems very unsafe - do you send it in an ordinary email?

chatoperator1: Kylie: yes we will send the password into the email that you have registered here.


*

Does that method fit in well with a secure system, Lee?

[chezlaw]

Hi

I'm not sure yopu can do this but what I'd like to be able to do is register computers or IP addresses I can logon to pokerstars with.

Then if I want to play somewhere else I have to tell you and either be identified by an employee who knows me well enough or have to wait a few days during which time you can send me an email telling me that you are adding the new location (even by country would be something).

It would be a bit of a pain occasionally but could be voluntary. Any chance?

chez

[MicroBob]

I've suggested something like this before and also think it's a good idea.

[Lee Jones]

Hi Chez -
Our software can't do that right now, but I've definitely heard worse ideas. Let me run it by our security and software teams and see what they think.

Best regards,
Lee Jones

PokerStars Poker Room Manager

[MrMoo]

[ QUOTE ]
Doing this just now with a novel I came up with a password of “great167side”.

[/ QUOTE ]

Thats still a bad password. With just lower case letters and numbers, you've only used up 36 out of a possible 68 characters available using letters, numbers and punctuation.

[holland3r]

I know people have mentioned it on here before, but this is a really great piece of software:

KeePass