Here's a security tip that might help some people.
I believe that, if your deposits for a particular card exceed your withdrawals, you can't add any new cards without contacting Betfair to get one of the existing cards removed. So if you have 3 cards registered, each of which has far higher deposits than withdrawals, AFAIK a hacker wouldn't be able to add their own payment method, and make a withdrawal.
Another approach is to withdraw your funds at the end of each session, given that, to make a deposit, a hacker would need to know your CV2 no and the password you've set up with your bank for your credit or debit card.
Hope this helps.
Jeff
WARNING - Betfair account hacked / fraud
-
- Posts: 3140
- Joined: Sun Jan 31, 2010 8:06 pm
The problem with blocking any hackers' access to withdraw funds means they have no options other than to fritter the cash away by other means. I'd be happier for them to withdraw to another card as you're much more likely to be able to spot it and have that refunded due to payment processing delays etc and the fact the card would be in a different name.
It's a lot harder for Betfair to wash their hands of the affair when the fraud is more obvious. I know of someone who was recently hacked and winnings sent to a new payment method who was even allowed to keep the fraudulent winnings after spotting their account had been hacked. I've yet to hear of anyone whose acc was hacked and frittered away receiving anything.
spreadbetting wrote: The problem with blocking any hackers' access to withdraw funds means they have no options other than to fritter the cash away by other means.
But to what avail?
If they can't withdraw the money, wouldn't they be better off getting out of your account un-noticed, given that they probably don't want to go to prison?
Jeff
-
- Posts: 3140
- Joined: Sun Jan 31, 2010 8:06 pm
Do you really believe any betfair hackers have gone to prison, or even been caught!, Jeff
I shall defer to your superior knowledge.
Perhaps you're right in thinking that people who hack computers with the intention of defrauding people never end up in prison. Anything's possible, I guess...
Jeff
spreadbetting wrote: Do you really believe any betfair hackers have gone to prison, or even been caught!, Jeff
Here's one of my (many) theories as to how users' accounts on Betfair could be getting hacked:
- Hacker has gained "root access" to one of Betfair's servers (this essentially means they have full control over that server). Believe me - this isn't that hard, especially in a company which has no care for security. A simple example would be that a member of Betfair's IT department allowed a malicious trojan to get onto his laptop, and thus the hackers gained the remote access password for the server.
- Hacker installs "packet sniffing" software onto said server. This basically allows them to read all data sent from customers' machines to Betfair's server(s). This includes all of the usernames and passwords when customers log in. They are unencrypted at this stage, as they haven't been checked against the database yet.
- Hacker logs in to the server, retrieves the usernames and passwords, and does what the hell he likes!
In simple terms, it's more important for Betfair's staff to be following their own security suggestions than the customers themselves! If just one employee exposes just one password, then every one of Betfair's customers is at risk.
In addition to my example above, there are many other ways hackers could be getting access to this data, but until Betfair even acknowledge there is a problem, then no fix will ever occur!
Bear in mind that it is possible that the hackers have already acquired all usernames and passwords for customers who have logged in since they installed said "sniffing" software; however, they can't empty too many accounts too quickly, as they know they will be caught. By using a slow-syphoning method, they are able to continue unnoticed. And it is working.
spreadbetting wrote: Need to think of some way to freeze the account if any odd activity is detected though so if anyone has any ideas just post. I think incorrect logins will lock the account but possibly not for anyone already logged in.
Get your code to purposely submit your password incorrectly five times. It will lock your account.
EDIT: Sorry, I overlooked your comment about customers that are already logged-in. Knowing Betfair's coding skills, they will remain logged-in; however, if you're willing to make a phone call to Betfair, you could test this for yourself.
Last edited by Ethanol on Sun Mar 11, 2012 4:58 pm, edited 1 time in total.
- superfrank
- Posts: 2762
- Joined: Fri Aug 14, 2009 8:28 pm
would one solution be that betfair optionally allows us to define a list of IP addresses in our account profile that logins are restricted to?
-
- Posts: 3140
- Joined: Sun Jan 31, 2010 8:06 pm
superfrank wrote: would one solution be that betfair optionally allows us to define a list of IP addresses in our account profile that logins are restricted to?
Been suggested to them plenty of times but never taken up, they even removed the option where you could restrict logins by country location
I think they prefer the head in the sand approach to security as their t&c's seem to exempt them from any liability to pay out anyway. Plus they probably worry any additional security measures are likely to give the impression the site is more vulnerable than the other bookie sites to the masses, and associated problems of people forgetting other security details etc. If you look at skybet but they only have a four number PIN ffs !!!!!!
- superfrank
- Posts: 2762
- Joined: Fri Aug 14, 2009 8:28 pm
good point!
maybe the list can only be updated over the phone after appropriate identity checks?
it's bl00dy typical that this problem is Betfair's. i've probably got 30+ betting/trading accounts with other companies and never heard of a problem elsewhere. i think they are jinxed!
-
- Posts: 4619
- Joined: Wed Mar 25, 2009 12:23 pm
I like that idea Frank, once setup then wouldn't the hacker not be able to get in and therefore not be able to change the restricted list?
If it was an opt in it would still leave the door open to allow the hacker in for those who aren't opted in.
- superfrank
- Posts: 2762
- Joined: Fri Aug 14, 2009 8:28 pm
andyfuller wrote: I like that idea Frank, once setup then wouldn't the hacker not be able to get in and therefore not be able to change the restricted list?
If it was an opt in it would still leave the door open to allow the hacker in for those who aren't opted in.
thanks. that's the idea yes.
i'm sure most serious players would opt in given the opportunity.