WARNING - Betfair account hacked / fraud

Euler
Posts: 24816
Joined: Wed Nov 10, 2010 1:39 pm
Location: Bet Angel HQ

Hopefully two step authentication will eliminate any funny business ever occurring again. Not sure that there is any reason to capture your password? We don't know it and I thought Betfair strictly prohibited it?
Ethanol
Posts: 148
Joined: Thu Jun 09, 2011 9:09 am

andyfuller wrote: Just had an email this morning from another vendor that I used to use that is basically saying that a vendor/Betfair had a security breach a while back where usernames and passwords were compromised.

Could this have been the cause of all the trouble people had on this thread?
Why does a vendor need to store user passwords within their database? In terms of security, these should be stored locally, on a user's device. A concerning practice, if this is the case.

It does seem probable, although I'm still not convinced that Betfair's security is up to much and could just as easily be the source. To conclude that a third party is at fault, we would need these people to recall every website/application which they've ever logged in with. Assuming these people are not long gone - any takers?
andyfuller
Posts: 4619
Joined: Wed Mar 25, 2009 12:23 pm

Whichever vendor it was, has it been said they were storing passwords?

As Peter said, I didn't think that was allowed by any vendor as Betfair strictly forbid it.
hgodden
Posts: 1759
Joined: Thu Apr 16, 2009 2:13 pm

I had my account hacked and have never used the vendor in question. Tbh I can't remember the name of it but I remember that it is very much a niche product that most people won't have used.

I've been told that Betfair still have people's accounts being hacked into (could be from several sources) so vigilance is the watchword!
Ethanol
Posts: 148
Joined: Thu Jun 09, 2011 9:09 am

andyfuller wrote: Whichever vendor it was, has it been said they were storing passwords?
Other than deliberately storing the details, the only two other scenarios I could envisage would be that passwords were being deliberately sniffed at some point during the communication process from client to vendor (but this still doesn't explain why the vendor needed the passwords), or that their application contained some form of malware (not necessarily of their own doing) which sent these details to a third party.
Euler
Posts: 24816
Joined: Wed Nov 10, 2010 1:39 pm
Location: Bet Angel HQ

Well you can be reassured that because I and lots of other very large users use Bet Angel to trade, we will always take people's security immensely seriously and have had to take many steps over the years to ensure we minimise the possibility of issues. Obviously the best thing to do is use two-step authentication on Betfair because then people can't use your password, compromised or not - it's a simple solution.

You can also be reassured we won't try and frighten people into using our software either. I'm pretty sure most vendors comply with Betfair's security standards, especially ones that have been around for a long time. If anybody wants to email and tell me what the issue is I'd be interested. We don't go out there hunting for issues so I'm not personally aware of what is behind or at issue in this particular case or how it was discovered.
Zenyatta
Posts: 1143
Joined: Thu Mar 11, 2010 4:17 pm

How is the new 2-stage authentication working out? I thought it was great to begin with, but the problem is, we don't have any idea what the problem was in the first place, which should give us pause.

This new system should definitely stop external hacks, but if the problem was with the Betfair system itself (internal errors, backdoors, 'inside jobs' etc.) the hackers might have been bypassing the login altogether, in which case they could still get in.

Have there been any reports of anyone getting hacked with 2-stage authentication? If no new reports occur, we can say the problem is solved. If people are still being cleaned out, we would then have to suspect the problem is internal to Betfair.
Ethanol
Posts: 148
Joined: Thu Jun 09, 2011 9:09 am

Zenyatta wrote: Have there been any reports of anyone getting hacked with 2-stage authentication? If no new reports occur, we can say the problem is solved. If people are still being cleaned out, we would then have to suspect the problem is internal to Betfair.
If I were an internal Betfair hacker, and assuming I could hack any account regardless of the security in place, I'd still target those accounts without the 2-step authentication. This actually serves to shift the focus away from being an internal Betfair problem; thus ironically making it easier for the fraudsters to remain undetected.

There will be more than enough accounts for the fraudsters to target which don't have this authentication in place.

So unfortunately, I personally wouldn't say that no reports is conclusive.
Euler
Posts: 24816
Joined: Wed Nov 10, 2010 1:39 pm
Location: Bet Angel HQ

Zenyatta wrote: Have there been any reports of anyone getting hacked with 2-stage authentication?
Not that I am aware of. Nothing that involves a human will ever be 100% secure because people do daft things, but two step is a huge leap forward from where we were.

With regard to the other issue raised recently on this thread, Betfair took the unusual measure of officially posting a comment on it when it was posted on their forum and removing the original message:
The issue raised is historical and has been rectified. Any customers potentially affected were contacted by both the third party vendor and Betfair offering suitable advice. We are not aware of any existing security issues with any licensed third party API products.

If you have any further questions please email [email protected]
Golfer
Posts: 137
Joined: Fri Nov 04, 2011 10:45 pm

The problem with Betfair is always transparency...XM, passwords/CC compromised (2010), Voler la Vedette gate, server crashes and whatever has been going on recently...
convoysur-2
Posts: 1110
Joined: Thu Jan 12, 2012 10:00 am

edit
Last edited by convoysur-2 on Mon Sep 08, 2014 12:35 pm, edited 1 time in total.
LeTiss
Posts: 5386
Joined: Fri May 08, 2009 6:04 pm

I don't think it was wise to print that on a forum - you should have contacted Peter/BA, or even BF direct, as they would know what the best options were. You may have just alerted this bloke, so I'd ask BA to delete your post Marc