WARNING - Betfair account hacked / fraud
Why does a vendor need to store user passwords within their database? In terms of security, these should be stored locally, on a user's device. A concerning practice, if this is the case.
andyfuller wrote: Just had an email this morning from another vendor that I used to use that is basically saying that a vendor/Betfair had a security breach a while back where usernames and passwords were compromised.
Could this have been the cause of all the trouble people had on this thread?
It does seem probable; although I'm still not convinced that Betfair's security is up to much and could just as easily be the source. To conclude that a third party is at fault, we would need these people to recall every website/application which they've ever logged in with. Assuming these people are not long gone - any takers?
Whichever vendor it was, has it been said they were storing passwords?
As Peter said I didn't think that was allowed by any vendor as Betfair strictly forbid it.
I had my account hacked and have never used the vendor in question. Tbh I can't remember the name of it but I remember that it is very much a niche product that most people won't have used.
I've been told that Betfair still have people's accounts being hacked into (could be from several sources) so vigilance is the watchword!
Other than deliberately storing the details, the only two other scenarios I could envisage would be that passwords were being deliberately sniffed at some point during the communication process from client to vendor (but this still doesn't explain why the vendor needed the passwords), or that their application contained some form of malware (not necessarily of their own doing) which sent these details to a third party.
andyfuller wrote: Whichever vendor it was, has it been said they were storing passwords?
Well you can be reassured that because I and lots of other very large users use Bet Angel to trade, we will always take people's security immensely seriously and have had to take many steps over the years to ensure we minimise the possibility of issues. Obviously the best thing to do is use two-step authentication on Betfair because then people can't use your password, compromised or not - It's a simple solution.
You can also be reassured we won't try and frighten people into using our software either. I'm pretty sure most vendors comply with Betfair's security standards, especially ones that have been around for a long time. If anybody wants to email and tell me what the issue is I'd be interested. We don't go out there hunting for issues so I'm not personally aware of what is behind or at issue in this particular case or how it was discovered.
How is the new 2-stage authentication working out? I thought it was great to begin with, but the problem is, we don't have any idea what the problem was in the first place, which should give us pause.
This new system should definitely stop external hacks, but if the problem was with the Betfair system itself (internal errors, backdoors, 'inside jobs' etc.) the hackers might have been bypassing the login altogether, in which case they could still get in.
Have there been any reports of anyone getting hacked with 2-stage authentication? If no new reports occur, we can say the problem is solved. If people are still being cleaned out, we would then have to suspect the problem is internal to Betfair.
If I were an internal Betfair hacker, and assuming I could hack any account regardless of the security in place, I'd still target those accounts without the 2-step authentication. This actually serves to shift the focus away from being an internal Betfair problem; thus ironically making it easier for the fraudsters to remain undetected.
Zenyatta wrote: Have there been any reports of anyone getting hacked with 2-stage authentication? If no new reports occur, we can say the problem is solved. If people are still being cleaned out, we would then have to suspect the problem is internal to Betfair.
There will be more than enough accounts for the fraudsters to target which don't have this authentication in place.
So unfortunately, I personally wouldn't say that no reports is conclusive.
Not that I am aware of. Nothing that involves a human will ever be 100% secure because people do daft things, but two step is a huge leap forward from where we were.
Zenyatta wrote: Have there been any reports of anyone getting hacked with 2-stage authentication?
With regard to the other issue raised recently on this thread, Betfair took the unusual measure of officially posting a comment on it when it was posted on their forum and removing the original message: -
The issue raised is historical and has been rectified. Any customers potentially affected were contacted by both the third party vendor and Betfair offering suitable advice. We are not aware of any existing security issues with any licensed third party API products.
If you have any further questions please email [email protected]
edit
Last edited by convoysur-2 on Mon Sep 08, 2014 12:35 pm, edited 1 time in total.