Top Poker Pros Have Online Accounts Hacked

Many businesses nowadays, particularly ones where a user’s information is particularly sensitive – banks, e-mail providers, cloud storage companies, etc. – encourage their customers to utilize a two-factor authentication service (2FA) in order to bolster the security of their accounts. This week, several high stakes poker pros discovered that in their cases, 2FA weakened their accounts’ security, rather than strengthening it.

Two-factor authentication is a way to add an extra layer of security to an online account, above what a password provides by itself. For example, a bank might give you the option to receive a text message containing a special code when you attempt to log in with your password. In order to complete the login, you must enter that code within a fixed time limit. Other services – I use one with Steam – use a code displayed by a smartphone app. It generally works quite well; the “something you know and something you have” setup is like having two different kinds of locks. If a hacker or thief discovers your password, they still need your phone to complete the two-factor authentication.

It generally works quite well. Until it doesn’t. And then things REALLY go south.

Vanessa Selbst

What happened to poker pros like Vanessa Selbst, Vanessa Rousso, Dan Smith, and Cate Hall was that some crook was able to lie his way into access to their cell phone accounts. Apparently, it is as easy as calling their cell phone provider, pretending to be one of them, and then just hoping that a customer service rep lets him skate through the security protocols. For instance, in Selbst’s case, Verizon normally requires customers who call in to discuss their account to tell the rep a special PIN. It sounds like the “hacker” found a rep who just accepted the answer, “Uh, dur, I don’t remember my PIN,” and then let him change it.

From there, he was able to port Selbst’s number to his own phone. Now the “something you have” was in his hands and he could go ahead and gain access to any other accounts she had that used SMS text messaging as a means of resetting account passwords. He got her Gmail account and her Dropbox account.

Selbst was – and still is – incensed that Verizon could so easily give someone else the keys to her account.

“Aaaaand my @VZWSupport account is being hacked for the second time today. AFTER multiple conversations telling them not to make any changes,” she tweeted on Tuesday.

“[email protected] @VZWSupport FOUR TIMES TODAY I WAS INFORMED THAT NO ONE COULD CHANGE THE PIN VIA THE PHONE. A hacker has now changed my pin twice.”

“[email protected] @VZWSupport every time I called back to wonder how this happened, I was offered to change the pin back. YOU PROMISED I CAN’T DO THIS”

She goes on, berating Verizon publicly for deleting the notes of fraud on her account.

To help people understand the situation, Selbst linked to a December article on Forbes.com. The article discusses incidents in the crypto-currency industry (Bitcoin, among others) in which victims have lost hundreds of thousands and even millions of dollars in cyber currency. They tend to be prime targets because the victims have no recourse: because crypto-currency is decentralized, currency owners have no way to reverse transactions once the money is pilfered from their accounts.

Forbes explains a common way that hackers trick the cell phone companies into giving them access to someone else’s account:

In order to find that opening through the customer service representative, hackers often employ what’s called social engineering, used in 66% of all attacks by hackers. An elaborate version is demonstrated in this video (starting around 1:55), in which a woman with a baby crying in the background (really just a YouTube recording) claims she’s newly married and doesn’t know what email address is used to log into her husband’s account. She then has the rep change the email and password, locking the victim out.

Basically, it’s all about knowing enough about a victim – gleaning information from sites like Facebook, Twitter, or LinkedIn – to convince a customer service rep that you are who you say you are, even if you don’t know any passwords or PINs. Heck, at times you don’t even have to know anything – you just have to sound authentic.

Steve Waterhouse, former partner at Pantera Capital, had his phone number hijacked and ported. He recently got control of his account and called Verizon to turn on international dialing. From the Forbes article:

The customer service representative asked for the pin on his account. “I said, hang on, let me just remember, because I have a series of businesses and different accounts, and the guy’s like, oh, don’t worry about it, just give me the last four of your Social. I said, whoa, what’s the point of the password then? And he was like, well, you know. And I said, Can I port my number? Actually, I didn’t want to port it — it was a test. And he was like, yeah, no problem, where do you want to send it? And I said, I thought I had port blocking turned on, and he said, hang on, let me look at my notes. And there isn’t a field for this, it’s buried in a series of notes from different customer reps. And he said, oh, that’s right, this happened to you before. Oh wow, you have a high security level. Oh shoot, someone should have put that up at the top of the note. I said, Oh great, so it’s just random. If I get the right person, I can port my number then, and he was like, no, of course not. I thought, this doesn’t sound like security to me.”

So what to do? How should we protect our accounts beyond just a password? As this isn’t a tech blog, I’m not going to get into all of the details, but Forbes links to a fantastic blog post by Jesse Powell, CEO of Kraken, who goes through all the steps to take. He suggests creating a new e-mail account to use only with the telecom provider and switching to a more secure form of 2FA, like Google Authenticator. For those who still want to use SMS, he goes through all the steps to make sure the phone associated with the account is completely private, secure, and separate from one’s main phone.
