WARNING - Betfair account hacked / fraud

News, chat and debate about the Betfair betting exchange.
Iron
Posts: 6793
Joined: Fri Dec 11, 2009 10:51 pm

Here's a security tip that might help some people.

I believe that, if your deposits for a particular card exceed your withdrawals, you can't add any new cards without contacting Betfair to get one of the existing cards removed. So if you have 3 cards registered, each of which has far higher deposits than withdrawals, AFAIK a hacker wouldn't be able to add their own payment method, and make a withdrawal.

Another approach is to withdraw your funds at the end of each session, given that, to make a deposit, a hacker would need to know your CV2 no and the password you've set up with your bank for your credit or debit card.

Hope this helps. :)

Jeff
spreadbetting
Posts: 3140
Joined: Sun Jan 31, 2010 8:06 pm

The problem with blocking any hackers' access to withdraw funds means they have no options other than to fritter the cash away by other means. I'd be happier for them to withdraw to another card as you're much more likely to be able to spot it and have that refunded due to payment processing delays etc and the fact the card would be in a different name.

It's a lot harder for Betfair to wash their hands of the affair when the fraud is more obvious. I know of someone who was recently hacked and winnings sent to a new payment method who was even allowed to keep the fraudulent winnings after spotting their account had been hacked. I've yet to hear of anyone whose acc was hacked and frittered away receiving anything.
Iron
Posts: 6793
Joined: Fri Dec 11, 2009 10:51 pm

spreadbetting wrote: The problem with blocking any hackers' access to withdraw funds means they have no options other than to fritter the cash away by other means.
But to what avail?

If they can't withdraw the money, wouldn't they be better off getting out of your account un-noticed, given that they probably don't want to go to prison? :)

Jeff
spreadbetting
Posts: 3140
Joined: Sun Jan 31, 2010 8:06 pm

Do you really believe any betfair hackers have gone to prison, or even been caught!, Jeff :D
Iron
Posts: 6793
Joined: Fri Dec 11, 2009 10:51 pm

I shall defer to your superior knowledge. :)

Perhaps you're right in thinking that people who hack computers with the intention of defrauding people never end up in prison. Anything's possible, I guess... :roll:

Jeff
spreadbetting wrote:Do you really believe any betfair hackers have gone to prison, or even been caught!, Jeff :D
Ethanol
Posts: 148
Joined: Thu Jun 09, 2011 9:09 am

Here's one of my (many) theories as to how users' accounts on Betfair could be getting hacked:

- Hacker has gained "root access" to one of Betfair's servers (this essentially means they have full control over that server). Believe me - this isn't that hard, especially in a company which has no care for security. A simple example would be that a member of Betfair's IT department allowed a malicious trojan to get onto his laptop, and thus the hackers gained the remote access password for the server.
- Hacker installs "packet sniffing" software onto said server. This basically allows them to read all data sent from customers' machines to Betfair's server(s). This includes all of the usernames and passwords when customers log-in. They are unencrypted at this stage, as they haven't been checked against the database yet.
- Hacker logs-in to the server, retrieves the usernames and passwords, and does what the hell he likes!

In simple terms, it's more important for Betfair's staff to be following their own security suggestions than the customers themselves! If just one employee exposes just one password, then every one of Betfair's customers is at risk.

In addition to my example above, there are many other ways hackers could be getting access to this data, but until Betfair even acknowledge there is a problem, then no fix will ever occur!

Bear in mind that it is possible that the hackers have already acquired all usernames and passwords for customers who have logged-in since they installed said "sniffing" software; however, they can't empty too many accounts too quickly, as they know they will be caught. By using a slow-syphoning method, they are able to continue unnoticed. And it is working.
Ethanol
Posts: 148
Joined: Thu Jun 09, 2011 9:09 am

spreadbetting wrote: Need to think of some way to freeze the account if any odd activity is detected though so if any one has any ideas just post. I think incorrect logins will lock the account but possibly not for anyone already logged in.
Get your code to purposely submit your password incorrectly five times. It will lock your account.

EDIT: Sorry, I overlooked your comment about customers that are already logged-in. Knowing Betfair's coding skills, they will remain logged-in; however, if you're willing to make a phone call to Betfair, you could test this for yourself.
Last edited by Ethanol on Sun Mar 11, 2012 4:58 pm, edited 1 time in total.
Iron
Posts: 6793
Joined: Fri Dec 11, 2009 10:51 pm

Hi Ethanol

I couldn't resist a smile when I read the term 'packet sniffing' :oops: (just my warped mind, I guess! :lol: ), but that does sound like a plausible theory (although I have to confess that I'm a non-techie!). :)

Jeff
superfrank
Posts: 2762
Joined: Fri Aug 14, 2009 8:28 pm

would one solution be that betfair optionally allows us to define a list of IP addresses in our account profile that logins are restricted to?
Iron
Posts: 6793
Joined: Fri Dec 11, 2009 10:51 pm

That's a good idea Frank, so it probably won't be implemented... :evil:

Jeff
superfrank wrote:would one solution be that betfair optionally allows us to define a list of IP addresses in our account profile that logins are restricted to?
spreadbetting
Posts: 3140
Joined: Sun Jan 31, 2010 8:06 pm

superfrank wrote:would one solution be that betfair optionally allows us to define a list of IP addresses in our account profile that logins are restricted to?
Been suggested to them plenty of times but never taken up, they even removed the option where you could restrict logins by country location :(

I think they prefer the head in the sand approach to security as their t&c's seem to exempt them from any liability to pay out anyway. Plus they probably worry any additional security measures are likely to have the impression the site is more vulnerable than the other bookie sites to the masses, and associated problems of people forgetting other security details etc. If you look at skybet but they only have a four number PIN ffs !!!!!!
Euler
Posts: 24815
Joined: Wed Nov 10, 2010 1:39 pm
Location: Bet Angel HQ

Surely the hacker could go in and change them though?
superfrank
Posts: 2762
Joined: Fri Aug 14, 2009 8:28 pm

good point!

maybe the list can only be updated over the phone after appropriate identity checks?

it's bl00dy typical that this problem is Betfair's. i've probably got 30+ betting/trading accounts with other companies and never heard of a problem elsewhere. i think they are jinxed!
andyfuller
Posts: 4619
Joined: Wed Mar 25, 2009 12:23 pm

I like that idea Frank, once set up then wouldn't the hacker not be able to get in and therefore not be able to change the restricted list?

If it was an opt in it would still leave the door open to allow the hacker in for those who aren't opted in.
superfrank
Posts: 2762
Joined: Fri Aug 14, 2009 8:28 pm

andyfuller wrote:I like that idea Frank, once setup then wouldn't the hacker not be able to get in and therefore not be able to change the restricted list?

If it was an opt in it would still leave the door open to allow the hacker in for those who aren't opted in.
thanks. that's the idea yes.

i'm sure most serious players would opt in given the opportunity.
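
The login IP allowlist proposed in the posts above, with changes accepted only through an identity-checked phone channel, sketched as an added example that is not part of the thread and not Betfair code. The names `Account`, `login_permitted`, `update_allowlist` and the channel labels are hypothetical, and the addresses are constructed documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    # Empty list means the customer has not opted in (no restriction).
    allowed_networks: list = field(default_factory=list)


def login_permitted(account: Account, source_ip: str) -> bool:
    """Decide whether a login with correct credentials may proceed."""
    if not account.allowed_networks:
        return True  # not opted in: stolen credentials work from anywhere
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in account.allowed_networks)


def update_allowlist(account: Account, networks: list, channel: str) -> bool:
    """Replace the allowlist only when the request came through the
    identity-checked phone channel, never from a logged-in web session."""
    if channel != "phone_verified":
        return False
    account.allowed_networks = [ipaddress.ip_network(n) for n in networks]
    return True


def demo() -> dict:
    # Constructed sample data: hypothetical users, documentation addresses.
    opted_in = Account("alice")
    opted_out = Account("bob")
    update_allowlist(opted_in, ["203.0.113.0/28"], channel="phone_verified")
    return {
        "owner_login": login_permitted(opted_in, "203.0.113.5"),
        "attacker_login": login_permitted(opted_in, "198.51.100.77"),
        "web_session_edit": update_allowlist(
            opted_in, ["198.51.100.0/24"], channel="web_session"),
        "opted_out_attacker_login": login_permitted(opted_out, "198.51.100.77"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The last result in `demo()` is the opt-in gap raised in the thread: an account without an allowlist gets no protection from the feature.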