PokerStars Account Hacks Lead to Questions About Site’s Security
For the past few days, discontent has been brewing in the poker community about possible security issues at PokerStars, or at least about how the world’s largest poker room handles security issues. It appears that a number of accounts have been hacked and, in turn, drained of funds, but to the dismay of players, the poker room has not been of much help.
The discussion actually dates back about a month but has really ramped up this week. It is always unfortunate and upsetting, of course, when someone discovers that their account has been broken into, but shit happens sometimes and we do what we can to move on from it. That doesn’t mean we have to smile and accept it, but there are times in life where we just have to deal with a punch to the gut. Hell, many of the players who were hacked might be partially to blame – they might have been too loosey-goosey with their passwords or allowed some malware to infect their computers – but that still doesn’t mean they deserved to be hacked. Hey, if I accidentally leave the front door to my house unlocked, that doesn’t mean I should have my television stolen.
The thing with the cases being discussed on Two Plus Two, though, is that even if the victims were careless with their own account security (and there is no evidence at this point, at least according to the players, that they were) they appear to be situations that could have easily been prevented by PokerStars. Let’s just say that a criminal acquired a player’s password by whatever means and had an easy time logging in to the target account. That seems like it would be tough for PokerStars to stop. And yeah, the initial login probably would be. But the steps the crook(s) took after that should have raised some major red flags, prompting someone or something to halt the pilfering process. Let’s take a look at a couple of examples given in a major online poker forum:
First example:
• Player always plays from Country A, account was logged into from Country B.
• $10 was deposited (an oddly small amount) using a Neteller account that was not the PokerStars account holder’s.
• 70,000 Frequent Player Points (FPP) were traded in for $70 in 1,000 FPP increments at $10 a pop.
• Hacker played with the account’s money, immediately losing much of it at the tables.
• Hacker used a credit card not in the PokerStars account holder’s name to make numerous $55 deposits totaling around $1,000.
• Two $800 withdrawals were made to a NETeller account that did not belong to the PokerStars player.

Second example:
• Player’s account was logged into from the same country, but from a location 300 kilometers away from his home.
• The unauthorized login occurred minutes after the real PokerStars account holder had logged out.
• A few minutes later, the player’s self-imposed $20 deposit limit had been increased to $1,500 per week.
• Six deposits were attempted with three different credit cards; one, for $181.45, succeeded. All were for different, seemingly random, amounts (meaning, they weren’t nice round numbers like $100 or $200).
• Hacker played in $200 hyper six-max Sit-and-Go and, of course, lost.
It seems, to me at least, that either of these thefts could have been stopped or slowed at any number of junctures. In the first one, sure, the player could have traveled and logged in from another country. But using a different Neteller account to make a small deposit? Red flag. FPP to cash conversion after said mini-deposit? Yellow flag, at least. A run of deposits with a different credit card? Huge red flag. Withdrawal attempts to the strange NETeller account? BRIGHT, WAVING RED FLAG.
In the second example, the hacker logged in from a distant location minutes after the account holder had logged out. Red flag. Deposit limit increased? Red flag. Multiple deposits with different credit cards in strange amounts? Red flag.
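To make the point concrete, here is how those red flags could be chained into a simple risk score that freezes an account for review. This is an added example, not PokerStars' actual logic; the weights, thresholds, field names and sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Weights, thresholds and field names are illustrative assumptions.
WEIGHTS = {"new_country": 2, "fast_relogin_far_away": 3, "limit_raised": 3,
           "foreign_instrument": 4, "many_cards": 4, "payout_to_foreign_instrument": 6}
HOLD_THRESHOLD = 6

def score_session(profile, events):
    """Score one account's time-ordered events; return (score, flags)."""
    flags, cards, last_logout = [], set(), None
    def flag(name):
        if name not in flags:
            flags.append(name)
    for ev in events:
        kind = ev["type"]
        if kind == "logout":
            last_logout = ev["time"]
        elif kind == "login":
            if ev["country"] != profile["home_country"]:
                flag("new_country")
            # Login far from home shortly after the owner logged out.
            if (last_logout is not None and ev["km_from_home"] >= 100
                    and ev["time"] - last_logout <= timedelta(minutes=30)):
                flag("fast_relogin_far_away")
        elif kind == "limit_change":
            if ev["new"] > ev["old"]:
                flag("limit_raised")
        elif kind in ("deposit", "withdrawal"):
            # Payment instrument not in the account holder's name.
            if ev["holder"] != profile["holder"]:
                flag("payout_to_foreign_instrument" if kind == "withdrawal"
                     else "foreign_instrument")
            if ev.get("card"):
                cards.add(ev["card"])
                if len(cards) >= 3:
                    flag("many_cards")
    return sum(WEIGHTS[f] for f in flags), flags

def should_hold(profile, events):
    """True when the account should be frozen pending manual review."""
    return score_session(profile, events)[0] >= HOLD_THRESHOLD

# Constructed sample modelled on the second forum example (not real data).
T0 = datetime(2000, 1, 1, 20, 0)
PROFILE = {"home_country": "A", "holder": "ACCOUNT HOLDER"}
SECOND_CASE = [
    {"type": "logout", "time": T0},
    {"type": "login", "time": T0 + timedelta(minutes=4), "country": "A", "km_from_home": 300},
    {"type": "limit_change", "time": T0 + timedelta(minutes=8), "old": 20, "new": 1500},
    {"type": "deposit", "time": T0 + timedelta(minutes=9), "holder": "ACCOUNT HOLDER", "card": "card-1"},
    {"type": "deposit", "time": T0 + timedelta(minutes=10), "holder": "ACCOUNT HOLDER", "card": "card-2"},
    {"type": "deposit", "time": T0 + timedelta(minutes=11), "holder": "ACCOUNT HOLDER", "card": "card-3"},
]
```

With these assumed weights, a login from a new country on its own scores below the hold threshold, while the distant re-login followed by the deposit-limit increase already crosses it before any deposit is attempted.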
I know PokerStars is massive, that hundreds of thousands of players are online at once, and that financial transactions are occurring constantly, but for a company that brags about the security measures it has in place, it sure seems to be lacking in that department. Any one of the things above alone would have given me pause; more than one strung together make it pretty obvious a crime was being committed.
And what is worse is that PokerStars doesn’t seem to be planning to do anything about any of it. In e-mail responses to the affected players, the poker site basically said that someone knew their passwords (there were no failed login attempts) and that the site can’t do anything about recovering the money. Too bad, so sad. Even though there were multiple chances for PokerStars to stop its players from being robbed EVEN IF the players had handed their passwords over to someone, the company takes no blame.
Michael Josem, head of PokerStars PR and a very well-respected person in the poker community (well before he joined PokerStars, he was one of the people responsible for uncovering the superuser scandal at UltimateBet), responded to the criticisms in the Two Plus Two forums, initially noting that though players may think that account hacks are on the rise, they have actually gone down month-to-month so far this year. He also said that PokerStars has its customers’ backs:
Even after a hacker gains access to a player’s login credentials and accesses an account, PokerStars works to minimise the financial harm caused. Of the hacks that have been identified to PokerStars, despite players (often inadvertently) giving their account login credentials to unauthorised users, PokerStars was still able to ensure that no funds were lost in about 52% of the cases in January and February. We compile an internal report at the end of each month and see no significant deviation from that trend so far in March.
Even when harm is caused to player accounts, the amount of harm caused is relatively low in absolute terms, but PokerStars wants to continue to reduce this further. Of the remaining 48% of cases from earlier this year where hackers have been able to cause financial harm, the median loss to each player per hack was $57.09.
And while all of this is well and good, Josem basically ended up saying that these problems rest squarely on the players’ shoulders, not PokerStars’. He said that nobody inside the company stole passwords and because passwords are hashed, they wouldn’t be able to read them if they did grab the database, anyway. Josem rightfully encouraged players to take advantage of all of PokerStars’ security options, such as SMS validation, RSA security tokens, and PokerStars PINs, but that all still ignores the fact that obvious red flags seemed to go completely ignored by the company.
(The opinions expressed herein are solely those of the author, and do not necessarily represent the opinions or beliefs of the site’s owners and publishers.)