#11
Re: Password Security Suggestion--Key Fobs
[ QUOTE ]
I think this is a very good idea. It should also be optional, though. I think something like this may scare away fish if they are required to use it. But for the security-conscious, having the option to use such a token would sure make me sleep better at night.
[/ QUOTE ]
They do it the same way Ebay/PayPal is doing it. PayPal business customers get one for free, regular users have to pay $5 to get one. The poker sites do the same, when an account reaches $X balance they automatically get the choice of having a free token, if the balance is less than $X then the player can buy one for $5 or for Y number of points. It will take a fairly significant investment on the poker sites' part to implement this, but the true value in implementing something like this is that a) players when well educated will feel and be much safer and b) any government or regulatory body can see they are serious and accountable, making the industry look better from the outside.
I would be VERY VERY surprised if the poker sites do this in the near future. Looking from the outside in, it does not appear that these poker sites actually "own" their IT. What I mean is that they do not seem to have their own people working on all aspects of their infrastructure or they do not have the skill sets themselves. PS seems to have their software inside, but FTP appears to have it contracted out. All seem to rely on the datacenter in Canada for networking and server "hands on" work.
#12
Re: Password Security Suggestion--Key Fobs
Call me crazy, but my gut tells me that a password I make up is going to be more secure than a password that some company's algorithm generates. To this date, there is not a single piece of mainstream software that I know of whose serial number algorithm has not been cracked, and I don't see why that won't happen to paypal no matter how secure you say it is.
#13
Re: Password Security Suggestion--Key Fobs
[ QUOTE ]
Call me crazy, but my gut tells me that a password I make up is going to be more secure than a password that some company's algorithm generates. To this date, there is not a single piece of mainstream software that I know of whose serial number algorithm has not been cracked, and I don't see why that won't happen to paypal no matter how secure you say it is.
[/ QUOTE ]
Obviously you do not understand the technology, try reading the wiki links and the VeriSign site.
#14
Re: Password Security Suggestion--Key Fobs
You have to provide BOTH your password and the ID generated by the device.
#15
Re: Password Security Suggestion--Key Fobs
These have been used in the corporate world for a long time and the poker community at large ought to be pushing really hard for these to be implemented quickly. I think the sites would have to make them optional but uptake for anyone with any sort of bankroll I think would be tremendous.
#16
Re: Password Security Suggestion--Key Fobs
[ QUOTE ]
[ QUOTE ]
Call me crazy, but my gut tells me that a password I make up is going to be more secure than a password that some company's algorithm generates. To this date, there is not a single piece of mainstream software that I know of whose serial number algorithm has not been cracked, and I don't see why that won't happen to paypal no matter how secure you say it is.
[/ QUOTE ]
Obviously you do not understand the technology, try reading the wiki links and the VeriSign site.
[/ QUOTE ]
These are basically impossible to crack w/o having physical access to the server generating the keys. Seriously the sites should get on this. And I don't care if I have to carry more than one, the extra security would be worth it.
#17
Re: Password Security Suggestion--Key Fobs
great idea. gonna email stars/ftp
#18
Re: Password Security Suggestion--Key Fobs
[ QUOTE ]
great idea. gonna email stars/ftp
[/ QUOTE ]
Good luck, and I really mean that. Lee Jones and FTPDoug have been specifically asked to address this in a number of posts and have ignored it completely. Maybe if enough of the HS players started emailing and bitching about this, something might get done yet... Let us know what they say CTS.
#19
Re: Password Security Suggestion--Key Fobs
As someone who works on the tech side in the industry, I can tell you that this will almost never happen for two reasons.
Firstly, the benefits of two factor authentication (password + key fob) are extremely limited when it comes to poker accounts. Simply put, if someone has illegal access to your account they have two options. They can go the 'theft' route and try and transfer the money out (either by straight transfer or chip dump), or they can effectively 'joy ride' on your funds. In the first case the problem becomes getting the money out of the recipient account. The big companies (such as mine) spend millions each year tracking players and cashouts to catch all the instances of this type. It is the reason why there is often a delay between the request and the processing of cashouts.
Joy riding is also not a major concern. The good sites track usage patterns, and the nature of poker means that it is hard to do major damage quickly (especially since the person joy riding is likely to be playing to win). 99% of all joy riding is not malicious - it is actually done by players in the same household or known to the account holder, and most often occurs when players leave themselves logged in (which a key fob cannot prevent).
There are therefore real differences between an online banking system (where real damage can be done quickly) and a poker site (where poker companies can easily reverse transfers or refund you in the case of a real attempt to steal).
I should also point out from a technological perspective that key fobs and the system behind them are far from perfect - there are many security issues that they cannot prevent or resolve. This idea is therefore one to be filed in the 'sounds like a great idea until you consider the practicalities' along with per session screen names etc.
#20
Re: Password Security Suggestion--Key Fobs
[ QUOTE ]
As someone who works on the tech side in the industry, I can tell you that this will almost never happen for two reasons. Firstly, the benefits of two factor authentication (password + key fob) are extremely limited when it comes to poker accounts. Simply put, if someone has illegal access to your account they have two options. They can go the 'theft' route and try and transfer the money out (either by straight transfer or chip dump), or they can effectively 'joy ride' on your funds. In the first case the problem becomes getting the money out of the recipient account. The big companies (such as mine) spend millions each year tracking players and cashouts to catch all the instances of this type. It is the reason why there is often a delay between the request and the processing of cashouts. Joy riding is also not a major concern. The good sites track usage patterns, and the nature of poker means that it is hard to do major damage quickly (especially since the person joy riding is likely to be playing to win). 99% of all joy riding is not malicious - it is actually done by players in the same household or known to the account holder, and most often occurs when players leave themselves logged in (which a key fob cannot prevent).
[/ QUOTE ]
Both of these "reasons" are prevented with the use of secure tokens, that in and of itself is reason to deploy the technology. If for no other reason than to reduce the man hours/infrastructure requirements that this requires.
[ QUOTE ]
There are therefore real differences between an online banking system (where real damage can be done quickly) and a poker site (where poker companies can easily reverse transfers or refund you in the case of a real attempt to steal).
[/ QUOTE ]
That has not been the experience of many of the people reporting hacks here on 2+2. Most end with "sorry, we tried to get the funds back, but it was too late".
[ QUOTE ]
I should also point out from a technological perspective that key fobs and the system behind them are far from perfect - there are many security issues that they cannot prevent or resolve. This idea is therefore one to be filed in the 'sounds like a great idea until you consider the practicalities' along with per session screen names etc.
[/ QUOTE ]
When correctly implemented and maintained this is a solid and reliable solution that has little downside.