Two Plus Two Newer Archives  

#51
03-21-2007, 01:04 AM
Jeff_B
Senior Member
Join Date: Jul 2005
Location: I need Patience NOW
Posts: 2,846
Re: Password Security Suggestion--Key Fobs

Wow, I read most of that and the point of putting 10 char passwords randomly generated and yeah IS costly as the users will do a few things..
1. write it down.
2. forget, costing you resources.
3. if password recovery is automated send it to their e-mail which could be compromised as well..

Making use of a token that uses RSA or similar for encryption would basically be unbreakable (at present time)
tokens would be an improvement IMO as far as the poker sites liability... i.e. I can still be hacked but it's my job to secure my own system...

If someone comes into my house signs on to my laptop and decides to transfer my full monies to their account GO FOR IT... I should protect it within reason ...
My laptop has a PW on it (not because of poker but because of people screwing with my laptop) and my house has an alarm/gun because someone has tried to break into it in the past.

I am reading counthomer's link; they seem somewhat interesting currently..
#52
03-21-2007, 04:23 AM
fleece_me
Senior Member
Join Date: Jan 2004
Posts: 293
Re: Password Security Suggestion--Key Fobs

LOL. You cited a phishing attack and a man in the middle attack. Both are flaws with the INTERNET, not dongles.

Also, show me one poker client based phishing attempt. Also why don't the poker sites allow to restrict client login by MAC address? Also, why haven't you been banned for lying and saying there are only 5 hack attempts against online poker accounts since the beginning of time? Also - why do you make [censored] up?

You work for a bunch of very rich, very powerful jewish businessmen that do not want to spend the money to protect their players. And why should they? It is what it is. Quit pretending that hardware tokens don't work.

They work.

They are better than anything else out there.

Yes the token can be intercepted. Yes the token can be entered into a fake website.

and Yes, this has nothing to do with how well these key fobs work.

Please STFU and quit lying to people.

E-trade and Paypal chose this technology why exactly? I can't believe they didn't consult with you first. You could have saved them a small fortune if they could have just heard you tell them they didn't work.
#53
03-21-2007, 04:31 AM
fleece_me
Senior Member
Join Date: Jan 2004
Posts: 293
Re: Password Security Suggestion--Key Fobs

[ QUOTE ]
Making use of a token that uses RSA or similar for encryption would basically be unbreakable (at present time)
tokens would be an improvement IMO as far as the poker sites liability...

[/ QUOTE ]

Of course it is currently unbreakable unless you tell someone else the readout on the dongle, LOL.

This guy is an idiot and doing a ton of damage by placating people into thinking these things do not work. This is evidenced by all the money EMC paid for RSA. They bought a bedtime story that everyone believes is a true story, except this one guy that posts at 2+2 and calls himself a security guru.

Despite what this guy says (and he is the ONLY one saying it), these tokens are the best way to ensure credential authentication. Nothing else is even close.
#54
03-21-2007, 04:37 AM
fleece_me
Senior Member
Join Date: Jan 2004
Posts: 293
Re: Password Security Suggestion--Key Fobs

Text messages as a replacement to SecurID? Since when are text messages encrypted? They are vulnerable to man in the middle as well but ANYTHING is better than what they have now.

Do they have economic text books in the country you live in? Dongles will never be implemented because they cost the sites money and tremendous resources. There is no other reason.
#55
03-21-2007, 06:02 AM
Soulman
Senior Member
Join Date: Mar 2006
Location: On the FT bubble
Posts: 3,609
Re: Password Security Suggestion--Key Fobs

[ QUOTE ]
You work for a bunch of very rich, very powerful jewish businessmen

[/ QUOTE ]
This is very relevant. [censored] idiot.
#56
03-21-2007, 03:09 PM
counthomer
Member
Join Date: Jan 2007
Posts: 68
Re: Password Security Suggestion--Key Fobs

[ QUOTE ]
LOL. You cited a phishing attack and a man in the middle attack. Both are flaws with the INTERNET, not dongles.

[/ QUOTE ]

Your lack of understanding on this subject is laughable considering how vehemently you argue. We all use the INTERNET to connect - what do you use? Magic fairies? If you don't understand how phishing is possible with poker sites you are as dumb as your bigoted, racist posts make you sound.

Just to help you again (as you seem to need me to repeat what I say twice) it is theoretical (here is a link which explains the word), and a moot point since intelligent hackers are never likely to go to these lengths (since they don't already).


[ QUOTE ]
Also why don't the poker sites allow to restrict client login by MAC address?

[/ QUOTE ]
You think I am here to misdirect everyone and yet you want me to answer your questions?!!!

[ QUOTE ]
Also, why haven't you been banned for lying and saying there are only 5 hack attempts against online poker accounts since the beginning of time? Also - why do you make [censored] up?

[/ QUOTE ]
Which bit of 5 'true' (see previous posts for definition) hack attempts per year from experience do you not understand? I even qualified by saying that it should not be considered true across all sites!

[ QUOTE ]
You work for a bunch of very rich, very powerful jewish businessmen that do not want to spend the money to protect their players. And why should they? It is what it is. Quit pretending that hardware tokens don't work.

[/ QUOTE ]
Your bigoted racism covers you in glory. For the nth time - I AGREE THEY WORK. And again so you can understand - I AGREE THEY WORK.

[ QUOTE ]
They work.

[/ QUOTE ]
I agree.

[ QUOTE ]
They are better than anything else out there.

[/ QUOTE ]
I disagree - they are PART of a solution. They are better than passwords, but not perfect. For example, a bootable Linux CD with a tfa is better.

[ QUOTE ]
Yes the token can be intercepted. Yes the token can be entered into a fake website.

and Yes, this has nothing to do with how well these key fobs work.

Please STFU and quit lying to people.

[/ QUOTE ]
Please outline my 'lies' so people can see your insight.

[ QUOTE ]
E-trade and Paypal chose this technology why exactly? I can't believe they didn't consult with you first. You could have saved them a small fortune if they could have just heard you tell them they didn't work.

[/ QUOTE ]
If you don't understand why e-Trade and PayPal are totally different companies with totally different systems to a poker company you shouldn't be posting here. They needed tfa for many reasons. Poker companies need tfa (CAN YOU READ THAT?) but have far less incentive.
#57
03-21-2007, 03:16 PM
counthomer
Member
Join Date: Jan 2007
Posts: 68
Re: Password Security Suggestion--Key Fobs

[ QUOTE ]
[ QUOTE ]
Making use of a token that uses RSA or similar for encryption would basically be unbreakable (at present time)
tokens would be an improvement IMO as far as the poker sites liability...

[/ QUOTE ]

Of course it is currently unbreakable unless you tell someone else the readout on the dongle, LOL.

This guy is an idiot and doing a ton of damage by placating people into thinking these things do not work. This is evidenced by all the money EMC paid for RSA. They bought a bedtime story that everyone believes is a true story, except this one guy that posts at 2+2 and calls himself a security guru.

Despite what this guy says (and he is the ONLY one saying it), these tokens are the best way to ensure credential authentication. Nothing else is even close.

[/ QUOTE ]

Since you have failed to understand my posts, I'm not quite sure how you can come to the conclusions you have.

You are suggesting that I am here on some hidden agenda (probably in your mind at the behest of my 'Jewish' or 'Arab' paymasters) to undermine the development of support for your cherished key fobs. With my mighty sword of diverting facts and confusing arguments, I am single-handedly swaying opinion and preventing progress.

Or, it could be that I work in a poker company and see what is possible. It could be that I have come onto this thread to provide some facts and insight and suggest some better solutions.

I'll leave it to the intelligent people to read through my posts and decide whether my suggestions on security are a ruthlessly cunning attempt to subvert 2+2 or are actually quite sensible and practical improvements.

For the record the owners of my company are not Jewish or Arabs, they are American like you and I.
#58
03-21-2007, 03:46 PM
counthomer
Member
Join Date: Jan 2007
Posts: 68
Re: Password Security Suggestion--Key Fobs

[ QUOTE ]
Text messages as a replacement to SecurID? Since when are text messages encrypted? They are vulnerable to man in the middle as well but ANYTHING is better than what they have now.

Do they have economic text books in the country you live in? Dongles will never be implemented because they cost the sites money and tremendous resources. There is no other reason.

[/ QUOTE ]

I left this post until the end to reply to, as it is your best work yet. In the space of this thread you have basically ended up repeating 90% of my argument, while still somehow trying to insult me and throw in a bit of bigotry for good measure.

Just to summarise for the impatient:

You say: I want better security.
I say: Security improvements are vital.

You say: Tfa is the only solution (that you have suggested).
I say: I agree that tfa is an important PART of the solution if you need to do everything technically possible.

You say: Key fobs work.
I say: I agree (but with the caveats that there are lots of other things that would achieve the same result, and they won't stop everything).

You say: They are too expensive for the sites to seriously consider.
I say: I agree (but it disappoints me that this is the case).

You say: [censored][censored] idiot, Jewish, Arab
I say: Here is a list of simple, practical steps sites could take:

1. Enforce strong passwords
2. Have account lockout policies based on which computer is being accessed from, time etc.
3. Monitor play and auto lockout unusual patterns (game choice etc).
4. Delay transfers over a certain size, limit transfers to certain physical machines.
5. Auto logout after a set period. Make this shorter when logging on from a public location.
6. Prevent storage of username and passwords.
7. Implement a system whereby someone has to key in a second code sent via text message when connecting from a non known location. For the record, it doesn't have to be encrypted to mitigate the problem effectively.

Now, as far as I can see, I am pushing for some relatively small changes that will make a massive difference, yet you are demanding a huge expensive change instead. Good luck with that. You say my posts are damaging, yet you want to belittle my suggestions and demand something that you yourself say will never happen. Smart. Real, real smart.

Are you FOR security in practice, or do you just want to make an ineffective stand on principle? Do you sell these tokens or have a vested interest in them or something? That is what comes across...

I look forward to reading your posts which suggest improvements or provide reasonable debate.

If you can't be helpful then maybe you can take solace in the fact that you probably generously donate more than you want to of your hard earned working $ to some of the 2+2 community every day. Your money has probably also gone into building the lovely homes of my bosses in Spain, and to some of those people who run other sites who are of different religions and ethnicity that you are so fond of.
Reply With Quote
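
Items 2, 4 and 7 of the list in post #58, sketched as an added example that is not part of the thread or any poker site's code: a login from a device the account has not used before must present a one-time code delivered out of band, and transfers are refused from unknown devices and held above a threshold. The class, the device identifiers, the thresholds and the delivery of the code by text message are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300            # assumed: one-time code valid for 5 minutes
MAX_CODE_TRIES = 3        # assumed: wrong guesses before the code is void
HOLD_THRESHOLD = 500.00   # assumed: transfers above this are delayed


class Account:
    def __init__(self, known_devices):
        self.known_devices = set(known_devices)
        self.pending = None   # (device, sha256 of code, expiry, tries left)

    def start_login(self, device_id, now=None):
        """Call after the password check. Returns (decision, code_to_text)."""
        now = time.time() if now is None else now
        if device_id in self.known_devices:
            return "allow", None
        code = f"{secrets.randbelow(10**6):06d}"   # caller sends this by SMS
        digest = hashlib.sha256(code.encode()).digest()
        self.pending = (device_id, digest, now + CODE_TTL, MAX_CODE_TRIES)
        return "challenge", code

    def finish_login(self, device_id, code, now=None):
        """Check the texted code; enrol the device on success."""
        now = time.time() if now is None else now
        if self.pending is None:
            return False
        dev, digest, expiry, tries = self.pending
        if dev != device_id or now > expiry or tries <= 0:
            self.pending = None                    # void the challenge
            return False
        guess = hashlib.sha256(code.encode()).digest()
        if hmac.compare_digest(guess, digest):
            self.pending = None                    # single use
            self.known_devices.add(device_id)
            return True
        self.pending = (dev, digest, expiry, tries - 1)
        return False

    def transfer_decision(self, device_id, amount):
        """Item 4: limit transfers by machine, delay large ones."""
        if device_id not in self.known_devices:
            return "deny"
        return "hold" if amount > HOLD_THRESHOLD else "allow"
```

The expiry, try limit and single-use rule are what keep a six-digit code from being guessed or replayed; they do not stop a code typed into a fake site from being relayed in real time, the limitation both sides of the thread acknowledge for fobs as well.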

All times are GMT -4.