Two Plus Two Newer Archives  

  #21  
Old 03-05-2007, 05:32 PM
counthomer counthomer is offline
Member
 
Join Date: Jan 2007
Posts: 68
Default Re: Password Security Suggestion--Key Fobs

Actually neither of these is prevented - as I pointed out in my initial post. As stated, joy riding is nearly always the result of someone leaving themselves logged on, or is someone known to the player (to the extent it is nearly always semi-innocent) and the result of someone not realising what their friend was doing on their account (with their tacit permission). Key fobs are therefore not even in the equation.

If it is a malicious hack attempt then I could easily get around the key fob security, and your rationale that it would save man hours and infrastructure is inaccurate when you consider the support, infrastructure and deployment requirements of two factor authentication. If you don't believe me, then consider why most online banks (who use these systems in house) don't extend them to their customers.

Your argument on the experience of 2+2ers is noted, but it is an overly generic assumption. A good poker site will always recover the money as their systems and procedures will always prevent money leaving the system where real theft has occurred. My guess is that you are referring to joy riding, in which case the general view of the sites is that the player involved caused the problem. This may sound harsh, but ultimately the players have to take some responsibility for the security of their accounts.

Paypal is the wrong comparison to draw here - if someone hacks a paypal account they can move money out of the reach of paypal within seconds. Paypal is therefore even more insecure than an online bank in this regard.

In short this is not a solid and reliable solution in any way - there are few (if any) benefits from a security perspective and many problems in implementation and support.
  #22  
Old 03-05-2007, 06:37 PM
stickdude stickdude is offline
Senior Member
 
Join Date: Oct 2005
Posts: 913
Default Re: Password Security Suggestion--Key Fobs

[ QUOTE ]
If it is a malicious hack attempt then I could easily get around the key fob security

[/ QUOTE ]

How so? I'm asking because we use these key fobs for ssh access to our production servers, and I'd be interested to hear about problems with them.
  #23  
Old 03-05-2007, 08:57 PM
Percula Percula is offline
Senior Member
 
Join Date: Jun 2004
Location: Phoenix
Posts: 2,050
Default Re: Password Security Suggestion--Key Fobs

counthomer,

I have been waiting for someone from the poker sites to come and address this, I guess I got the worst response I could have expected.

Nice try though, we will keep pushing for secure tokens. It is too bad the poker sites feel this way. Which one do you work for by the way?
  #24  
Old 03-05-2007, 09:25 PM
big e big e is offline
Senior Member
 
Join Date: Jul 2004
Location: Ontario,Canada
Posts: 183
Default Re: Password Security Suggestion--Key Fobs

Why not start with having to enter 2 of 4 randomly selected digits of a pin code.

This will also have the advantage of being able to be implemented immediately and stop people using other people's accounts who leave their password set.
  #25  
Old 03-06-2007, 01:58 PM
counthomer counthomer is offline
Member
 
Join Date: Jan 2007
Posts: 68
Default Re: Password Security Suggestion--Key Fobs

[ QUOTE ]
[ QUOTE ]
If it is a malicious hack attempt then I could easily get around the key fob security

[/ QUOTE ]

How so? I'm asking because we use these key fobs for ssh access to our production servers, and I'd be interested to hear about problems with them.

[/ QUOTE ]


Although I know my stuff, I can't claim to be an expert in this area, but if you do a general search you will see that tfa can still be overcome with man in the middle attacks and there is probably still the issue of keylogging and social engineering etc. Obviously a poker client is less susceptible to phishing and other browser based methodologies, but the principles can be extended.

You should also never doubt how easily people can be manipulated and fooled when it comes to security and technology (unfortunately).
  #26  
Old 03-06-2007, 02:12 PM
counthomer counthomer is offline
Member
 
Join Date: Jan 2007
Posts: 68
Default Re: Password Security Suggestion--Key Fobs

[ QUOTE ]
counthomer,

I have been waiting for someone from the poker sites to come and address this, I guess I got the worst response I could have expected.

Nice try though, we will keep pushing for secure tokens. It is too bad the poker sites feel this way. Which one do you work for by the way?

[/ QUOTE ]

I prefer to keep my employer unknown to be honest. I'm very disappointed with the level of astroturfing I see everyday on these forums by the poker companies, and I feel that by remaining somewhat anonymous I will have much more freedom to post my views.

Please don't feel that my comments are a put down in terms of the aims of this thread, I'm really just trying to help people understand some of the practical realities.

If you really want to understand security, you should try and find the details of how Microsoft secures its network for both internal and external employees. I wish I had the link (looked everywhere but can't find it) but from memory they essentially ensure the security of their network by controlling the status of all the machines that connect. All machines have to have a working firewall, AV and be fully patched. If they are not then MS forces the updates on them until they are.

If you want FULL security on a poker site then you are basically looking at these steps:

1. Linux live cds that contain the clients, so that people are forced to boot into a trusted and guaranteed state before playing.
2. TFA on all tables (so you would have to use your key fob to join any table or tournament every time).
3. Some form of challenge if players were connecting from a different location than expected.
4. Strong password policies.

Now this will pretty much solve all problems, but the reality is that the costs and issues you raise with this sort of setup are huge. Given the types of hack (outlined in my earlier emails) you could achieve almost the same success with some vigorous user education and some slight software design changes (e.g. no remember password/username).

I therefore think that key fobs are really people looking for a tech solution to what is more of a human problem. I think nearly all the sites can be criticised for their lack of player education, and this would be a far more productive route to go down.
  #27  
Old 03-06-2007, 02:35 PM
jalexand42 jalexand42 is offline
Senior Member
 
Join Date: Oct 2005
Location: Open Pushing my range
Posts: 1,139
Default Re: Password Security Suggestion--Key Fobs

[ QUOTE ]

Although I know my stuff, I can't claim to be an expert in this area, but if you do a general search you will see that tfa can still be overcome with man in the middle attacks and there is probably still the issue of keylogging and social engineering etc. Obviously a poker client is less susceptible to phishing and other browser based methodologies, but the principles can be extended.

You should also never doubt how easily people can be manipulated and fooled when it comes to security and technology (unfortunately).

[/ QUOTE ]

Okay you're not the only one here that knows his stuff.

#1: Man in the middle attacks are not an issue when you are dealing with well written software, such as when the client has the site's public key embedded and all communication is done over a very secure channel to verified hosts.

#2: Keylogging doesn't help you crack a two piece authentication key when one of them is constantly changing based on a secret generation scheme.

#3: Social engineering isn't relevant to the discussion, since obviously if someone is stupid enough to give up their PIN + secure card number, they deserve to get hacked.

I would stake money that you couldn't crack one of these systems if it was implemented well and we're not dealing with a brain dead user. The fact is, it is not debatable that a secure ID system coupled with a player selected component/PIN would be a _HUGE_ improvement in security over the current single factor method. No system can solve the exposure resulting from brain dead users voluntarily/involuntarily compromising themselves.

Your points obviously raise other valid suggestions to the sites, such as logging people out after a certain period, random events prompting for authentication, etc.
  #28  
Old 03-06-2007, 02:50 PM
counthomer counthomer is offline
Member
 
Join Date: Jan 2007
Posts: 68
Default Re: Password Security Suggestion--Key Fobs

[ QUOTE ]
[ QUOTE ]

Although I know my stuff, I can't claim to be an expert in this area, but if you do a general search you will see that tfa can still be overcome with man in the middle attacks and there is probably still the issue of keylogging and social engineering etc. Obviously a poker client is less susceptible to phishing and other browser based methodologies, but the principles can be extended.

You should also never doubt how easily people can be manipulated and fooled when it comes to security and technology (unfortunately).

[/ QUOTE ]

Okay you're not the only one here that knows his stuff.

#1: Man in the middle attacks are not an issue when you are dealing with well written software, such as when the client has the site's public key embedded and all communication is done over a very secure channel to verified hosts.

#2: Keylogging doesn't help you crack a two piece authentication key when one of them is constantly changing based on a secret generation scheme.

#3: Social engineering isn't relevant to the discussion, since obviously if someone is stupid enough to give up their PIN + secure card number, they deserve to get hacked.

I would stake money that you couldn't crack one of these systems if it was implemented well and we're not dealing with a brain dead user. The fact is, it is not debatable that a secure ID system coupled with a player selected component/PIN would be a _HUGE_ improvement in security over the current single factor method. No system can solve the exposure resulting from brain dead users voluntarily/involuntarily compromising themselves.

Your points obviously raise other valid suggestions to the sites, such as logging people out after a certain period, random events prompting for authentication, etc.

[/ QUOTE ]

As stated I am no expert in this area (if only - the people who are, charge $000s per hour!) but I'm pretty sure that keylogging could pick up tfa data - you just have a much smaller window within which to implement your attack and fool the user (which could easily be done by making the site appear down).

Man in the middle attacks are probably impossible in a traditional sense, but then the bad guys don't work along standard lines. For example, it wouldn't be too difficult to compromise some home routers, make the client fail to connect and then somehow spoof email responses from support or equivalent. This is obviously moving into social engineering of sorts, but as you can see - if we are purely talking about securing against malicious threats, then key fobs really only protect the 'low hanging fruit' (which I believe is protected by the existing security systems and policies anyway).

I also agree that, in theory, tfa would be a big security improvement, but as I stated before, I believe it is a solution which can be found much cheaper elsewhere. There are simply very, very few malicious hack attempts on poker clients - simply because there are much more high value and softer targets.
  #29  
Old 03-06-2007, 07:40 PM
NoahSD NoahSD is offline
Senior Member
 
Join Date: Aug 2005
Posts: 8,925
Default Re: Password Security Suggestion--Key Fobs

Counthomer,

I'm asking for something that would make my account more secure and hugely reduce the risk of a hacker dumping all my money at 50/100 NL. If I could implement it without the help of the sites, I would, but obviously I can't so I'm asking the sites (i.e. the people who earn tons of money off of my patronage) to help. FFS, I'm even willing to pay for it.

Also, this line from you disgusted me:
[ QUOTE ]

My guess is that you are referring to joy riding, in which case the general view of the sites is that the player involved caused the problem.


[/ QUOTE ]

I don't see why you're against this, and I personally really don't want you to have anything to do with the security of my money.
  #30  
Old 03-06-2007, 07:42 PM
NoahSD NoahSD is offline
Senior Member
 
Join Date: Aug 2005
Posts: 8,925
Default Re: Password Security Suggestion--Key Fobs

[ QUOTE ]

As stated I am no expert in this area (if only - the people who are, charge $000s per hour!) but I'm pretty sure that keylogging could pick up tfa data - you just have a much smaller window within which to implement your attack and fool the user (which could easily be done by making the site appear down).


[/ QUOTE ]

Umm.. a window of 30 seconds is a huge improvement over a window of however long someone decides to take between password changes (usually months, I assume).

I really don't get why you've decided to be against this. The only real argument I could see is that it's not practical, but given that paypal's selling them for $5 a pop, I'm guessing that's not the case.
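The "constantly changing" code from jalexand42's point #2 and the 30-second window NoahSD mentions, shown as an added example that is not from any poster or poker site: a minimal RFC 4226/6238 HOTP/TOTP generator plus a server-side check that accepts a code only inside its time slot and never twice, so a code captured by a keylogger expires within the slot and cannot be replayed. The secret, timestamps and the `FobVerifier` name are constructed for the demo.

```python
import hmac
import hashlib
import struct

# Constructed demo secret (the RFC 4226 test key); a real fob holds a per-device secret.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # one code per 30-second slot, as on a typical key fob
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Time-based variant (RFC 6238): the counter is the current time slot."""
    return hotp(secret, now // step)


class FobVerifier:
    """Server side of the check. Accepts a code for the current slot or the
    previous one (clock drift) and refuses any slot already used for a login,
    so a keylogged code is useless once the user has logged in with it."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift_slots: int = 1):
        self.secret = secret
        self.step = step
        self.drift_slots = drift_slots
        self.last_accepted_slot = -1             # highest slot already consumed

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for slot in range(current, current - self.drift_slots - 1, -1):
            if slot <= self.last_accepted_slot:
                continue                         # replay of a used slot: reject
            if hmac.compare_digest(hotp(self.secret, slot), code):
                self.last_accepted_slot = slot   # consume the slot
                return True
        return False                             # wrong, expired or replayed code
```

The three vectors the test checks are the published RFC 4226 values for counters 1 to 3, which is also why TOTP at second 59 with a 30-second step yields the counter-1 code.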