Welcome to the Bet Angel Professional Community

WARNING - Betfair account hacked / fraud

News & Chat about Betfair.

Postby Ferru123 » Wed Nov 09, 2011 3:24 pm

Why not offer high turnover customers the option of having one of those card readers that banks issue, so you can't log in without entering a pin into the card reader and getting a remotely issued code?

Jeff

Ferru123
Archangel Professional
Posts: 5437
Joined: Fri Dec 11, 2009 11:51 pm

Postby pdupre1961 » Wed Nov 09, 2011 3:26 pm

Ferru123 wrote: I bet the characters aren't randomly organised when you log into your bank account, though.

Jeff

Yes, it's a twelve character alphanumeric word - not the same as my password.

Three randomly selected characters each time I login.

Paul

pdupre1961
Posts: 377
Joined: Fri Feb 18, 2011 9:01 pm
Location: Morden, London

Postby Ethanol » Wed Nov 09, 2011 3:29 pm

A similar discussion was posted on the moneysavingexpert.com forum a while back; my reply was thus:

http://forums.moneysavingexpert.com/sho ... st41213258

All this security at the users' end is not going to help if the problem is in fact a result of Betfair's own lack of security:

  • Betfair's login system works on bare-bones HTTP, so your username and password could be intercepted anywhere from your PC to Betfair's servers. This includes unscrupulous employees at any ISP. You can try to force a HTTPS connection (by prepending the URL with https://), but this seems to break Betfair's site, and it also has a convenient habit of switching back to standard HTTP whenever it gets the chance.
  • Are users' passwords being sent in plain text across Betfair's network, so that an unscrupulous employee could sniff them out?
  • Are Betfair encrypting their database passwords? If not, anyone with access to the database will be able to view all users' credentials.

We can change our passwords daily, and all of the above will still be an issue. I think the fact that Betfair's site doesn't work via HTTPS is enough proof that they don't take security seriously enough. I believe that there's quite a strong possibility that it is not any fault of the OP that this money has been taken.

They're holding people's money like a bank, so they should really have security like a bank. Like I said in my quoted post above, HTTPS would be a great start, and I've no idea why this isn't already implemented!

I log in to Facebook using a HTTPS connection, and I have no payment details stored on there! I just don't want people intercepting my personal messages... (for those in doubt, packet sniffing of transferred data is far easier than you might think)

Until Betfair make changes (this won't happen), I suggest that anyone who logs in via an unsecured Wi-Fi network first connects to a VPN. If you don't, all of your unsecured passwords transferred to and from the Internet (Betfair, etc...) are a free for all for anyone in the vicinity armed with wireless sniffing software.

On another note, in your Betfair IP history, all IPs with the pattern 10.*.*.* are Betfair's internal IPs. In theory, seeing these in your history should pose no problem; unless of course, there's an unscrupulous Betfair employee at work...

Ethanol
Posts: 85
Joined: Thu Jun 09, 2011 9:09 am

Postby Ferru123 » Wed Nov 09, 2011 3:29 pm

andyfuller wrote: Didn't realise that people could view your screen remotely (bar on things like skype etc) and that it was much of a problem even if they could?

My brother once accessed my computer remotely, so he could sort out a problem I was having.

It was just a case of me downloading a piece of software and giving him the required permissions.

So I would have thought that a virus could be programmed to tell a computer to allow remote access by another specified computer.

Now let's say a hacker can view your computer remotely. If he sees you enter the first, third and fifth characters in your password today using a drop down menu, and plans to keep watching you log in on subsequent days, it won't take him too long to work out your password...

Jeff

Ferru123
Archangel Professional
Posts: 5437
Joined: Fri Dec 11, 2009 11:51 pm
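
An added example, not from the thread, that puts numbers on Jeff's observation above: it assumes the scheme Paul describes (a 12-character secret, 3 distinct positions requested at random per login) and works out how many observed logins it takes before every position has been asked for, which is why position-based challenges are no substitute for a second factor. The model, the function names and the sample observations are all assumptions made for this illustration.

```python
# Added example (not from the thread): models the partial-password scheme Paul describes
# (12-character secret, 3 randomly chosen positions per login) and quantifies Jeff's point
# that an observer who watches every login gradually learns the whole secret.
from fractions import Fraction
from math import comb
import random


def expected_logins_to_reveal_all(length: int = 12, per_login: int = 3) -> float:
    """Expected number of observed logins until every position has been requested at least once.

    Assumed model: each login asks for `per_login` distinct positions chosen uniformly at random.
    Solved exactly as an absorbing Markov chain on the count of positions already revealed;
    the number of newly revealed positions in one login is hypergeometric.
    """
    total = comb(length, per_login)
    remaining = [Fraction(0)] * (length + 1)  # remaining[k]: expected further logins once k known
    for known in range(length - 1, -1, -1):
        unknown = length - known
        p_new = {j: Fraction(comb(unknown, j) * comb(known, per_login - j), total)
                 for j in range(0, min(per_login, unknown) + 1)}
        # one more login, plus the expectation from whichever state that login leads to
        acc = 1 + sum(p * remaining[known + j] for j, p in p_new.items() if j > 0)
        remaining[known] = acc / (1 - p_new[0])  # logins revealing nothing new are absorbed here
    return float(remaining[0])


def merge_observations(length: int, observations) -> str:
    """Combine observed (position, character) pairs from several logins; '?' marks unseen positions."""
    recovered = ["?"] * length
    for login in observations:
        for pos, ch in login:
            recovered[pos] = ch
    return "".join(recovered)


def simulate_logins_until_revealed(length: int = 12, per_login: int = 3, seed: int = 0) -> int:
    """Monte Carlo counterpart: logins one run needed before every position had been requested."""
    rng = random.Random(seed)
    seen = set()
    logins = 0
    while len(seen) < length:
        logins += 1
        seen.update(rng.sample(range(length), per_login))
    return logins


if __name__ == "__main__":
    print(f"expected logins to expose a 12-character secret: {expected_logins_to_reveal_all():.1f}")
    print(f"one simulated run needed {simulate_logins_until_revealed(seed=1)} logins")
```

Lowering the per-login count or lengthening the secret slows the leak but never stops it; the observer only needs patience.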

Postby andyfuller » Wed Nov 09, 2011 3:36 pm

I am sure it is possible but can't say I have heard it being used in any online fraud type stuff (probably has at some stage) which would indicate key logging is more likely. Their user targeting would have to be pretty good as well.

Would have thought key cards are not a cheap thing to be implemented. Also I have heard no end of complaints from people who use HSBC since they introduced them.

I think any security should be opt out rather than opt in tbh.

andyfuller
Archangel Professional
Posts: 3473
Joined: Wed Mar 25, 2009 1:23 pm

Postby Ferru123 » Wed Nov 09, 2011 3:43 pm

andyfuller wrote: I think any security should be opt out rather than opt in tbh.

I think the way to sell this to Betfair is to show them (ideally) that no customers will be inconvenienced, but, failing that, that the only customers who will be inconvenienced will be those who choose to adopt the new measures.

Otherwise, Betfair will worry about your guy who bets a tenner on Man U at the weekend thinking 'Sod all this hassle! I'll place my bet with Ladbrokes instead!'

Jeff

Ferru123
Archangel Professional
Posts: 5437
Joined: Fri Dec 11, 2009 11:51 pm

Postby Euler » Wed Nov 09, 2011 3:56 pm

My concern with the case in point is that this person is hot to trot on security and is very careful so it was a real shock to see they were affected. It makes you wonder whether there was some other issue?

Euler
Archangel Professional
Posts: 6172
Joined: Wed Nov 10, 2010 2:39 pm
Location: Bet Angel HQ

Postby pdupre1961 » Wed Nov 09, 2011 3:59 pm

OK, my security issue has been solved.

194.116.175.133 (United Kingdom) is the Betfair Historical Data server which logs into your account to check something or other.

Paul

pdupre1961
Posts: 377
Joined: Fri Feb 18, 2011 9:01 pm
Location: Morden, London

Postby Yantraman » Wed Nov 09, 2011 4:10 pm

I am wondering if traders using a 3G connection as backup (as I do) are the ones being caught out? I have a laptop connected to 3G and a PC with a non-wireless connection.

I have no idea how secure 3G is - is it just like a wireless internet connection?

Yantraman
Posts: 133
Joined: Thu Apr 30, 2009 1:30 pm

Postby hgodden » Wed Nov 09, 2011 4:16 pm

Would be nice if Betfair added some sort of account freeze option whereby you could essentially choose to stop any transactions from happening on your account until the date / time of your choosing.

Would at least stop your account being raided while you're blissfully unaware on holiday. Could also be used just as a day to day thing if people wish.... e.g. a racing trader could check his p+l at the end of the afternoon and then 'freeze' activity on his account until midday the next day.

hgodden
Archangel Professional
Posts: 1334
Joined: Thu Apr 16, 2009 2:13 pm
