WARNING - Betfair account hacked / fraud

News, chat and debate about the Betfair betting exchange.
Ethanol
Posts: 148
Joined: Thu Jun 09, 2011 9:09 am

Here's one of my (many) theories as to how users' accounts on Betfair could be getting hacked:

- Hacker has gained "root access" to one of Betfair's servers (this essentially means they have full control over that server). Believe me, this isn't that hard, especially in a company which has no care for security. A simple example would be that a member of Betfair's IT department allowed a malicious trojan to get onto his laptop, and thus the hackers gained the remote access password for the server.
- Hacker installs "packet sniffing" software onto said server. This basically allows them to read all data sent from customers' machines to Betfair's server(s). This includes all of the usernames and passwords when customers log in. They are unencrypted at this stage, as they haven't been checked against the database yet.
- Hacker logs in to the server, retrieves the usernames and passwords, and does what the hell he likes!

In simple terms, it's more important for Betfair's staff to be following their own security suggestions than the customers themselves! If just one employee exposes just one password, then every one of Betfair's customers is at risk.

In addition to my example above, there are many other ways hackers could be getting access to this data, but until Betfair even acknowledge there is a problem, then no fix will ever occur!

Bear in mind that it is possible that the hackers have already acquired all usernames and passwords for customers who have logged in since they installed said "sniffing" software; however, they can't empty too many accounts too quickly, as they know they will be caught. By using a slow-syphoning method, they are able to continue unnoticed. And it is working.
Ethanol
Posts: 148
Joined: Thu Jun 09, 2011 9:09 am

spreadbetting wrote: Need to think of some way to freeze the account if any odd activity is detected though, so if anyone has any ideas just post. I think incorrect logins will lock the account but possibly not for anyone already logged in.

Get your code to purposely submit your password incorrectly five times. It will lock your account.

EDIT: Sorry, I overlooked your comment about customers that are already logged in. Knowing Betfair's coding skills, they will remain logged in; however, if you're willing to make a phone call to Betfair, you could test this for yourself.
Last edited by Ethanol on Sun Mar 11, 2012 4:58 pm, edited 1 time in total.
Iron
Posts: 6793
Joined: Fri Dec 11, 2009 10:51 pm

Hi Ethanol

I couldn't resist a smile when I read the term 'packet sniffing' :oops: (just my warped mind, I guess! :lol: ), but that does sound like a plausible theory (although I have to confess that I'm a non-techie!). :)

Jeff
superfrank
Posts: 2762
Joined: Fri Aug 14, 2009 8:28 pm

Would one solution be that Betfair optionally allows us to define a list of IP addresses in our account profile that logins are restricted to?
Iron
Posts: 6793
Joined: Fri Dec 11, 2009 10:51 pm

superfrank wrote: Would one solution be that Betfair optionally allows us to define a list of IP addresses in our account profile that logins are restricted to?

That's a good idea Frank, so it probably won't be implemented... :evil:

Jeff
spreadbetting
Posts: 3140
Joined: Sun Jan 31, 2010 8:06 pm

superfrank wrote: Would one solution be that Betfair optionally allows us to define a list of IP addresses in our account profile that logins are restricted to?

Been suggested to them plenty of times but never taken up; they even removed the option where you could restrict logins by country location :(

I think they prefer the head-in-the-sand approach to security, as their T&Cs seem to exempt them from any liability to pay out anyway. Plus they probably worry any additional security measures are likely to give the masses the impression the site is more vulnerable than the other bookie sites, with the associated problems of people forgetting other security details etc. If you look at Skybet, they only have a four-number PIN ffs !!!!!!
Euler
Posts: 24816
Joined: Wed Nov 10, 2010 1:39 pm
Location: Bet Angel HQ

Surely the hacker could go in and change them though?
superfrank
Posts: 2762
Joined: Fri Aug 14, 2009 8:28 pm

Good point!

Maybe the list can only be updated over the phone after appropriate identity checks?

It's bl00dy typical that this problem is Betfair's. I've probably got 30+ betting/trading accounts with other companies and never heard of a problem elsewhere. I think they are jinxed!
andyfuller
Posts: 4619
Joined: Wed Mar 25, 2009 12:23 pm

I like that idea Frank. Once set up, wouldn't the hacker be unable to get in and therefore unable to change the restricted list?

If it was an opt in it would still leave the door open to allow the hacker in for those who aren't opted in.
superfrank
Posts: 2762
Joined: Fri Aug 14, 2009 8:28 pm

andyfuller wrote: I like that idea Frank. Once set up, wouldn't the hacker be unable to get in and therefore unable to change the restricted list?

If it was an opt in it would still leave the door open to allow the hacker in for those who aren't opted in.

Thanks. That's the idea, yes.

I'm sure most serious players would opt in given the opportunity.
andyfuller
Posts: 4619
Joined: Wed Mar 25, 2009 12:23 pm

I guess one issue with it would be for those that like to do stuff on the move, as your mobile device would be connecting by a different IP each time, I would guess.

But even a country restriction would make any hacker have to jump through a few more hoops.

For those that trade from a set location, though, I can see the idea being perfect.

I would guess the reason BF are reluctant to have across-the-board added security is that it would put off a lot of casual users who just want their £10 bet on etc. and may then be more inclined to go elsewhere.

As I have said before, I don't think BF's current measures are any worse than other bookmakers' in general, but they are also a slightly different kind of thing to, say, Paddy Power.
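The opt-in login restriction the thread has been discussing (an IP allowlist, a country-only fallback for people on the move, and changes accepted only over an identity-verified phone call rather than from the web session a hacker would be sitting in), written out as an added example. This is not Betfair's code or anything from the thread; the GeoIP table, the `verified_phone` channel name and the policy fields are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for a GeoIP lookup: network -> ISO country code.
GEOIP_TABLE = {
    "203.0.113.0/24": "GB",   # the trader's home broadband range (constructed)
    "198.51.100.0/24": "GB",  # a UK mobile carrier range (constructed)
    "192.0.2.0/24": "US",     # an overseas range (constructed)
}

@dataclass
class LoginPolicy:
    opted_in: bool = False
    allowed_networks: list = field(default_factory=list)  # CIDR strings
    allowed_countries: set = field(default_factory=set)   # e.g. {"GB"}

def country_of(ip: str):
    """Return the country code for an IP, or None if the lookup has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_TABLE.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return None

def login_allowed(policy: LoginPolicy, ip: str):
    """Decide whether a login from `ip` passes the account's restriction."""
    if not policy.opted_in:
        return True, "no restriction configured"
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(net) for net in policy.allowed_networks):
        return True, "ip allowlisted"
    if policy.allowed_countries:  # fallback for mobile users whose IP changes
        cc = country_of(ip)
        if cc in policy.allowed_countries:
            return True, f"country {cc} allowed"
        return False, f"country {cc} not allowed"
    return False, "ip not allowlisted"

def update_policy(policy: LoginPolicy, channel: str, **changes):
    """Accept policy changes only via the out-of-band channel, never a web session,
    so an attacker holding the session cannot simply add their own address."""
    if channel != "verified_phone":  # hypothetical channel identifier
        raise PermissionError("policy changes require an identity-verified call")
    for key, value in changes.items():
        if not hasattr(policy, key):
            raise ValueError(f"unknown policy field {key}")
        setattr(policy, key, value)
    return policy
```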
LeTiss
Posts: 5386
Joined: Fri May 08, 2009 6:04 pm

I tend to agree that BF's website is probably no worse than many bookies'.
The difference with BF is the amount of money people leave in their accounts; this makes it a far more attractive proposition for hackers. I suspect the likes of Paddy Power are holding a fraction of the money BF hold within customer accounts.
hgodden
Posts: 1759
Joined: Thu Apr 16, 2009 2:13 pm

All they would have to do to allow us to secure our accounts would be to allow us to choose a time and date to self exclude ourselves to (instead of the 6 months that is on the website.) That way at the end of a trading session you simply exclude yourself until the time and date of your next trading session.

At the moment I'm doing this every time anyway by calling the help desk (0844 871 0000), though you have to call them again to unsuspend it. I'd recommend anyone to do it, certainly if you have more money than normal in your account during Cheltenham. It's an 0844 number, so if you're in the UK it should only cost between 1 and 5p a minute. Well worth the insurance, I'd say. Plus the more people clog up their phone lines due to security fears, the more they are likely to actually do something about it.
Alpha322
Posts: 846
Joined: Fri Oct 30, 2009 4:45 pm

Something strange happened today that put me on guard, and I suspended my account. I was trading this afternoon's races, then bang, the PC started to go all funny. Eventually I rebooted it; BA went funny, the BF site went funny and all sorts were happening. When it had come back on, the shortcut icon of BA had gone; the program was still on my PC. My antivirus software showed no signs of anything wrong. I rang Betfair and the assistant said my account was fine. Is it really time to pack this in,
because accounts are not safe? :o
PeterLe
Posts: 3715
Joined: Wed Apr 15, 2009 3:19 pm

Hi
I remember we talked about this just prior to Cheltenham last year too. I had quite a big bank at the time in anticipation and withdrew the vast majority of it directly after Cheltenham.
The thing I had issues with was that I got a kick out of seeing my bank rise; it felt like I was achieving something, so every time I withdrew some money it felt like I was treading water and not moving forward.
What I did was open a premium bonds account, and every time I took money out of Betfair it went straight into the bonds. So now I can see that sum grow. (By the way, I have won about £300 this year alone in bonds, which isn't a lot but better than what I would have got if it was left in Betfair!)
regards
Peter