WARNING - Betfair account hacked / fraud

[Iron]

Hi Tony

I don't know what their MO is. I was just putting forward what seemed to me to be a plausible theory.

Yes, it's odd that they didn't try hacking into people's Paypal accounts, etc (although maybe they thought that Paypal would take security more seriously than Betfair, who would simply shrug their shoulders and say to the customer 'Sorry, nothing we can do about it! Better luck next time!').

But let's say that the breach wasn't caused by them hacking into someone's computer. The logical alternative is that they hacked into Betfair itself. The problem with that theory, however, is that:

A. Presumably Betfair's password file is so well encrypted that even the CIA would struggle to work out your password.

B. Why only target a smattering of accounts, rather than go at as many high-value accounts at once, before word gets out about the breach and people change their passwords?

Jeff

jeff,

is there any evidence that they have accessed anyone,s pc?

[PeterLe]

How secure is a VPS ?
Thanks
Peter

[Euler]

People seem to have forgotten that the entire Betfair database was stolen not so long ago and they didn't even know. Betfair swept that under the carpet and offered virtually no comment on it.

http://www.telegraph.co.uk/finance/news ... theft.html

For all we know the same security flaw still exists. Given such a massive breech you would think Betfair would jump at the chance to tighten security. There is a huge database of customer details out there that the hackers have had a year to work on.

[Iron]

As part of my induction in my new job, I did a module on data protection.

I found out that, a while back, a bank (I can't remember which one) was fined about a million pounds because of a non-malicious security breach involving customer data. If I recall, someone downloaded every customer's personal info details to a DVD and took it home, or something along similar lines.

Maybe Betfair need that kind of kick up of ar$e to make them wake up about security!

Jeff

People seem to have forgotten that the entire Betfair database was stolen not so long ago and they didn't even know. Betfair swept that under the carpet and offered virtually no comment on it.

http://www.telegraph.co.uk/finance/news ... theft.html

[spreadbetting]

People seem to have forgotten that the entire Betfair database was stolen not so long ago and they didn't even know. Betfair swept that under the carpet and offered virtually no comment on it.

http://www.telegraph.co.uk/finance/news ... theft.html

For all we know the same security flaw still exists. Given such a massive breech you would think Betfair would jump at the chance to tighten security. There is a huge database of customer details out there that the hackers have had a year to work on.

"An "Incident Report to Regulators", dated July 15, 2010, explains that the thieves' haul included "approximately 850,000 unexpired credit card details" – a large number in relation to the company's current 949,000 "active users", or regular gamblers.

"We have taken the prudent view that the criminal has the expertise to decrypt the payment card details," Betfair admitted, though stressed that the "CVV2/CVC security numbers" were not stolen. "


As far as I was aware Betfair shouldn't be storing CVV2/CVC numbers anyway????

"Mr Catlett is thought to have been in charge of the security team since just before the breach on March 14, 2010, since when there has been considerable upheaval within the department, with the departure of more than 20 security personnel.

They have included Marcus Pinto, head of application security, Stephen Kapp, an application security specialist, and Fiona Fryer, data protection manager.

The spokesman said that during Mr Catlett's "time with us he has been upgrading the team significantly and bringing in new, highly experienced people, hence the departures".

One Betfair insider said that the departures meant that "almost all the senior security specialists who knew the systems best have now left".

[superfrank]

a woman in charge of data protection... most of them can't stop losing their handbags!!

[LeTiss]

How secure is a VPS ?
Thanks
Peter

I've often thought that Peter.
You wonder whether there's an open window for hackers to capture information

[chuck536]

maybe betfair should offer an option to send out those random log in generators.... like you get from the bank.... they'd love this if they could offer to sell them and make even more money off their customers... im a tight arse but id buy one for sure just to make sure my account wasnt emptied

[Alpha322]

this is very disconcerting. Especially as it happened to Sam. All of a sudden it got real.

I am definately dropping my balance down after cheltenham

I done that today and i make weekly withdrawals when they are healthy

[Alpha322]

Does anything think that the forum itself might pose a security risk?

Let's say that you're a regular poster here, and it's clear from your posts that you're successful. And let's say that your forum username is the same as your Betfair username.


Jeff

Now that would be a very very dumb trader

[Iron]

Here's a security tip that might help some people.

I believe that, if your deposits for a particular card exceed your withdrawals, you can't add any new cards without contacting Betfair to get one of the existing cards removed. So if you have 3 cards registered, each of which has far higher deposits than withdrawls, AFAIK a hacker wouldn't be able to add their own payment method, and make a withdrawl.

Another approach is to withdraw your funds at the end of each session, given that, to make a deposit, a hacker would need to know your CV2 no and the password you've set up with your bank for your credit or debit card.

Hope this helps.

Jeff

[spreadbetting]

The problem with blocking any hackers access to withdraw funds means they have no options other than to fritter the cash away by other means. I'd be happier for them to withdraw to another card as you're much more likely to be able to spot it and have that refunded due to payment processing delays etc and the fact the card would be in a different name.

It's a lot harder for Betfair to wash their hands of the affair when the fraud is more obvious. I know of someone who was recently hacked and winnings sent to a new payment method who was even allowed to keep the fraudulent winnings after spotting their account had been hacked. I've yet to hear of anyone who's acc was hacked and frittered away receiving anything.

[Iron]

The problem with blocking any hackers access to withdraw funds means they have no options other than to fritter the cash away by other means.

But to what avail?

If they can't withdraw the money, wouldn't they be better off getting out of your account un-noticed, given that they probably don't want to go to prison?

Jeff

[spreadbetting]

Do you really believe any betfair hackers have gone to prison, or even been caught!, Jeff

[Iron]

I shall defer to your superior knowledge.

Perhaps you're right in thinking that people who hack computers with the intention of defrauding people never end up in prison. Anything's possible, I guess...

Jeff

Do you really believe any betfair hackers have gone to prison, or even been caught!, Jeff