Money Missing From Poker Accounts - Page 13

TimM · #**121** 02-23-2006, 11:43 PM

[ QUOTE ]
I know for a fact that many online sportsbooks not only do not encrypt your password in their databases, but they actually make it available in plaintext to support personnel. How do I know?

They asked me for it when I called!

It is part of their "security measures" to verify your identity. I was pretty shocked the first time a sportsbook did this.

[/ QUOTE ]

This does not prove they store your password in plaintext. The right way to store passwords is with one-way encryption. You provide the password over the phone, and they have a piece of software that performs the one-way encryption, and compares the result to your encrypted password in the database to see if they match.

Note that any site which can send you a forgotten password via e-mail does not do this. Sites that reset your password to something random, and then e-mail that to you, are more likely to be doing it right.

TimM · #**122** 02-23-2006, 11:47 PM

[ QUOTE ]
Bottom line I have an IP to work with now and am sure its a US one, legal action has been in the US taken as of 10 mins ago

[/ QUOTE ]

Good I hope they nail this [censored].

DaffyDuck · #**123** 02-24-2006, 12:21 AM

[ QUOTE ]
[ QUOTE ]
[ QUOTE ]

Actually it would be so complex that if you were able to perform this feat of legerdemain you should be hacking 100 million dollar Federal Reserve Bank accounts rather than PP accounts.

[/ QUOTE ]

Actually it would be so easy that anybody with an intermediate amount of development experience could probably pull it off in a day. All that would be involved is replacing the code that currently encrypts the password before it is written to the db with code that just leaves it as it is.

[/ QUOTE ]

It doesn't work that way, at least it shouldn't work in that manner. My company developed a large amount of online gaming software in the early years and it would be nearly impossible to do what you describe and completely impossible without being easily detected not only by internal safeguards but by the end uses themselves.

[/ QUOTE ]

I'm guessing you weren't a programmer at that company.

The argument here isn't about how hard it would be to capture passwords on a site you didn't own, it's about how easy it would be to capture passwords on a site you DID own. Forum software does whatever you want it to if you own the site. If you want to log the passwords or store them in plain text and not encrypt them, it is your site and your code and there ain't no trick to it. To say that it pose any kind of difficulty at all is just ignorance.

So, if I wanted to put up a web site and force people to enter a password and I wanted to harvest those passwords I would bet a significant percentage of those passwords would be usable for any and all accounts, forums, etc. that that person uses. Probably even their email account. It's probably the password they have on a post-it note on their monitor and that they use everywhere they need a password. That is why you should never use common passwords at different Internet stes.

Pinga · #**124** 02-24-2006, 01:52 AM

I am a computer and security professional and would be glad to put time and energy into this problem. It's pretty clear that this isn't a random and/or one time situation. Our community has become a target.

I would like to assemble a list of victims and knowledgeable people willing to help.

Questions for Peachy:

1) Has your computer been reloaded since this happened?
2) Have you found anything with antivirus/spyware tools?
3) Would you PM me the IP address, please?

Jibbs · #**125** 02-24-2006, 01:57 AM

Right, but what about a malicious webmaster that wants to harvest passwords. Its very easy to change the software for just that reason. If people use the same user id and password from site to site it would be easy to collect them and try them at other sites.

Edit: Thufferin Thuccotash, Daffy already answered this

peachy · #**126** 02-24-2006, 02:04 AM

[ QUOTE ]
I am a computer and security professional and would be glad to put time and energy into this problem. It's pretty clear that this isn't a random and/or one time situation. Our community has become a target.

I would like to assemble a list of victims and knowledgeable people willing to help.

Questions for Peachy:

1) Has your computer been reloaded since this happened?
2) Have you found anything with antivirus/spyware tools?
3) Would you PM me the IP address, please?

[/ QUOTE ]

what does reloaded mean? no a virus scan i ran on both my desktop and my laptop came up with nothing...

sublime · #**127** 02-24-2006, 02:14 AM

peachy, this is a serious issue and i feel very bad for you. i do have one important question to ask.

whens the last time your panties were hacked?

thanks

peachy · #**128** 02-24-2006, 02:23 AM

[ QUOTE ]
peachy, this is a serious issue and i feel very bad for you. i do have one important question to ask.

whens the last time your panties were hacked?

thanks

[/ QUOTE ]

trust me...i rather it would have been my panties and not all my money

Pinga · #**129** 02-24-2006, 02:28 AM

By reloaded I mean loading windows from scratch and making it like brand new. Which antivirus program(s) did you scan with?

This guy used your password from another computer. There's a few ways he could do this.

a) He guessed it (not too likely since you claim it's a decent password)

b) Brute force - he tried many passwords until one worked (not too likely as party should lock your account)

c) He hacked your computer and installed something that sent your keystrokes to him. (somewhat likely)

d) You used the same user name/password on another site that he has control over (I think you already said you didn't do this)

e) He hacked party poker's database and has access to millions of passwords (Less likely but possible)

f) He hacked party's computers and added some custom code to the party application so he can either gather passwords and/or control your computer (again not so likely but possible)

------------------

If we assume (c), this program may still be on your computer. This would help us find and identify it but it would also be very bad for you. Any account you access will be at risk. Changing your passwords won't help if the bad guys sees the new ones as you type them.

sublime · #**130** 02-24-2006, 02:30 AM

[ QUOTE ]
[ QUOTE ]
peachy, this is a serious issue and i feel very bad for you. i do have one important question to ask.

whens the last time your panties were hacked?

thanks

[/ QUOTE ]

trust me...i rather it would have been my panties and not all my money

[/ QUOTE ]

so your saying you would sell access to your cockpit for 10k?