WARNING - Betfair account hacked / fraud

News, chat and debate about the Betfair betting exchange.
Iron
Posts: 6793
Joined: Fri Dec 11, 2009 10:51 pm

andyfuller wrote: Drop down windows from which you select letters which are randomly placed on the list.
TBH, I think that's a bit OTT. :)

It would make logging in a ballache (so for commercial reasons, Betfair wouldn't go for it).

I'm not sure having a drop-down menu of characters is a good idea. OK, it will stop keyloggers from finding out particular characters of your password, but anyone who's able to view your screen remotely will be able to see your password. But with characters entered using the keyboard, you could have the characters appear on screen as asterisks.

And if Betfair make it so that 3 failed login attempts results in your account being locked, it won't be possible for a keylogger to try lots of combinations until he gets into your account.

Jeff
pdupre1961
Posts: 410
Joined: Fri Feb 18, 2011 8:01 pm
Location: Morden, London

I agree with Andy, I prefer the idea of drop downs similar to what I do with my on-line bank account.
hgodden
Posts: 1759
Joined: Thu Apr 16, 2009 2:13 pm

Obviously for people like us this is more important than for the average punter who may only have a few quid in his account. Betfair probably fear making the whole logging in security too tight which may deter your average joe from using the site.

However.... it would be great if they had an option that anyone could add to their account whereby logging in would be far harder..... for instance.... they could ask us 10 security questions when setting the thing up, then when we log in we'd have to answer one of those questions (and in the way that Andy suggested to deter the key strokers).
Iron
Posts: 6793
Joined: Fri Dec 11, 2009 10:51 pm

pdupre1961 wrote:I agree with Andy, I prefer the idea of drop downs similar to what I do with my on-line bank account.
I bet the characters aren't randomly organised when you log into your bank account, though.

I don't want to have to spend 30 seconds searching for particular letters whenever I log in!

With my bank, I'm asked for 3 random characters of my password. Even if a key logger knows those characters, he won't know which part of the password they relate to (unless he's also remotely watching my screen), and he only gets 3 attempts at logging in before my account is locked...

Jeff
andyfuller
Posts: 4619
Joined: Wed Mar 25, 2009 12:23 pm

Ferru123 wrote: I'm not sure having a drop-down menu of characters is a good idea. OK, it will stop keyloggers from finding out particular characters of your password, but anyone who's able to view your screen remotely will be able to see your password. But with characters entered using the keyboard, you could have the characters appear on screen as asterisks.
Didn't realise that people could view your screen remotely (bar on things like skype etc) and that it was much of a problem even if they could? First time I have heard of this. Also could they automate this approach, would they not need to watch the screen manually?

Key logging though I have heard of a lot and is easily automated and is a big problem in all things, not just Betfair.

Which is the bigger problem? People watching screens or key logging?
Iron
Posts: 6793
Joined: Fri Dec 11, 2009 10:51 pm

Why not offer high turnover customers the option of having one of those card readers that banks issue, so you can't log in without entering a pin into the card reader and getting a remotely issued code?

Jeff
pdupre1961
Posts: 410
Joined: Fri Feb 18, 2011 8:01 pm
Location: Morden, London

Ferru123 wrote: I bet the characters aren't randomly organised when you log into your bank account, though.

Jeff
Yes, it's a twelve character alphanumeric word - not the same as my password.

Three randomly selected characters each time I login.

Paul
Ethanol
Posts: 148
Joined: Thu Jun 09, 2011 9:09 am

A similar discussion was posted on the moneysavingexpert.com forum a while back; my reply was thus:

http://forums.moneysavingexpert.com/sho ... st41213258
All this security at the users' end is not going to help if the problem is in fact a result of Betfair's own lack of security:
  • Betfair's login system works on bare-bones HTTP, so your username and password could be intercepted anywhere from your PC to Betfair's servers. This includes unscrupulous employees at any ISP. You can try to force a HTTPS connection (by prepending the URL with https://), but this seems to break Betfair's site, and it also has a convenient habit of switching back to standard HTTP whenever it gets the chance.
  • Are users' passwords being sent in plain text across Betfair's network, so that an unscrupulous employee could sniff them out?
  • Are Betfair encrypting their database passwords? If not, anyone with access to the database will be able to view all users' credentials.
We can change our passwords daily, and all of the above will still be an issue. I think the fact that Betfair's site doesn't work via HTTPS is enough proof that they don't take security seriously enough. I believe that there's quite a strong possibility that it is not any fault of the OP that this money has been taken.
They're holding people's money like a bank, so they should really have security like a bank. Like I said in my quoted post above, HTTPS would be a great start, and I've no idea why this isn't already implemented!

I log-in to Facebook using a HTTPS connection, and I have no payment details stored on there! I just don't want people intercepting my personal messages... (for those in doubt, packet sniffing of transferred data is far easier than you might think)

Until Betfair make changes (this won't happen), then I suggest that anyone who logs-in via an unsecured Wi-Fi network first connects to a VPN. If you don't, all of your unsecured passwords transferred to and from the Internet (Betfair, etc...) are a free for all for anyone in the vicinity armed with wireless sniffing software.

On another note, in your Betfair IP history, all IPs with the pattern 10.*.*.* are Betfair's internal IPs. In theory, seeing these in your history should pose no problem; unless of course, there's an unscrupulous Betfair employee at work...
Iron
Posts: 6793
Joined: Fri Dec 11, 2009 10:51 pm

andyfuller wrote: Didn't realise that people could view your screen remotely (bar on things like skype etc) and that it was much of a problem even if they could?
My brother once accessed my computer remotely, so he could sort out a problem I was having.

It was just a case of me downloading a piece of software and giving him the required permissions.

So I would have thought that a virus could be programmed to tell a computer to allow remote access by another specified computer.

Now let's say a hacker can view your computer remotely. If he sees you enter the first, third and fifth characters in your password today using a drop down menu, and plans to keep watching you log in on subsequent days, it won't take him too long to work out your password...

Jeff
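As an added example (not code from this thread, from Betfair or from any bank), here is a small model of the partial-password login Paul and Jeff describe, together with the arithmetic behind Jeff's point that an onlooker who sees three positions per login soon learns the whole word. The 12-character word, the three positions per login and the three-strike lockout are assumptions taken from the posts; the memorable word itself is constructed.

```python
import hmac
import secrets
from math import comb

# Constructed model of the bank-style login discussed above: a separate
# 12-character memorable word, three randomly chosen positions per login and
# lockout after three failed attempts (numbers from the thread, not a real site).
WORD_LEN, CHALLENGE_SIZE, MAX_FAILURES = 12, 3, 3


class PartialWordAccount:
    def __init__(self, memorable_word):
        if len(memorable_word) != WORD_LEN:
            raise ValueError("memorable word must be %d characters" % WORD_LEN)
        # The server must keep the word recoverable to check single characters,
        # which is why it has to be a separate secret and never the real password.
        self._word = memorable_word.lower()
        self.failures, self.locked, self._pending = 0, False, None

    def challenge(self):
        """Pick which positions (1-based) to ask for on this login."""
        self._pending = sorted(secrets.SystemRandom().sample(range(WORD_LEN), CHALLENGE_SIZE))
        return [p + 1 for p in self._pending]

    def answer(self, chars):
        """Check the supplied characters; lock the account after MAX_FAILURES misses."""
        if self.locked or self._pending is None:
            return False
        expected = "".join(self._word[p] for p in self._pending)
        self._pending = None
        if hmac.compare_digest(expected, chars.lower()):
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= MAX_FAILURES
        return False


def expected_logins_to_learn(word_len=WORD_LEN, k=CHALLENGE_SIZE):
    """Jeff's onlooker: expected number of observed logins until every position
    of the word has been shown at least once (Markov chain on positions seen)."""
    exp = [0.0] * (word_len + 1)  # exp[s]: logins still needed once s positions are known
    total = comb(word_len, k)
    for s in range(word_len - 1, -1, -1):
        unseen = word_len - s
        p_none = comb(s, k) / total  # this login shows only positions already seen
        acc = 1.0 + sum(comb(unseen, j) * comb(s, k - j) / total * exp[s + j]
                        for j in range(1, min(k, unseen) + 1))
        exp[s] = acc / (1 - p_none)
    return exp[0]
```

For a 12-character word asked for in threes, the onlooker needs only about 11.6 observed logins on average, so the three-strike lockout protects against guessing but not against someone who can watch the screen.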
andyfuller
Posts: 4619
Joined: Wed Mar 25, 2009 12:23 pm

I am sure it is possible but can't say I have heard it being used in any online fraud type stuff (probably has at some stage) which would indicate key logging is more likely. Their user targeting would have to be pretty good as well.

Would have thought key cards is not a cheap thing to be implemented. Also I have heard no end of complaints from people who use HSBC since they introduced them.

I think any security should be opt out rather than opt in tbh.
Iron
Posts: 6793
Joined: Fri Dec 11, 2009 10:51 pm

andyfuller wrote: I think any security should be opt out rather than opt in tbh.
I think the way to sell this to Betfair is to show them (ideally) that no customers will be inconvenienced, but, failing that, that the only customers who will be inconvenienced will be those who choose to adopt the new measures.

Otherwise, Betfair will worry about your guy who bets a tenner on Man U at the weekend thinking 'Sod all this hassle! I'll place my bet with Ladbrokes instead!'

Jeff
Euler
Posts: 24949
Joined: Wed Nov 10, 2010 1:39 pm
Location: Bet Angel HQ

My concern with the case in point is that this person is hot to trot on security and is very careful so it was a real shock to see they were affected. It makes you wonder whether there was some other issue?
pdupre1961
Posts: 410
Joined: Fri Feb 18, 2011 8:01 pm
Location: Morden, London

OK, my security issue has been solved.

194.116.175.133 (United Kingdom) is the Betfair Historical Data server which logs into your account to check something or other.

Paul
Yantraman
Posts: 253
Joined: Thu Apr 30, 2009 1:30 pm

I am wondering if traders using a 3G connection as backup (as I do) are the ones being caught out? I have a laptop connected to 3G and a PC with a non-wireless connection.

I have no idea how secure 3G is - is it just like a wireless internet connection?
hgodden
Posts: 1759
Joined: Thu Apr 16, 2009 2:13 pm

Would be nice if Betfair added some sort of account freeze option whereby you could essentially choose to stop any transactions from happening on your account until the date / time of your choosing.

Would at least stop your account being raided while you're blissfully unaware on holiday. Could also be used just as a day to day thing if people wish.... e.g. a racing trader could check his p+l at the end of the afternoon and then 'freeze' activity on his account until midday the next day.