Account security concerns at multiple casinos

[path]

We at 32Red ask for a lot of information from our players and it is only right that our players in turn know that this information is maintained securely and without fear of compromise.
Firstly, let me deal with information that we hold in respect of a players’ financial accounts.
We do not store credit card numbers or the 3 digit security code that is contained on the reverse of the card. We have the ability to access full card numbers and this access is strictly controlled and limited to senior members of staff. Those employees, who do have access, have been verified through a number of means which do include background checks with the police. The majority of our employees are only able to view the last four digits of a card number, with this being necessary to being able to perform certain financial transactions. The back office system that we use does not allow employees to see multiple instances of accounts, does not allow employees to export information into other files and prevents details from being printed. We run regular audits so as to ensure we know who is accessing what data and for what purpose.
32Red does not store players’ passwords. Yes, we can perform password changes and reset log-in attempts but we have no access to the password itself. Once we have changed a player’s password we urge them to change it themselves from within the gaming software.
Not only do we have our own internal measures, but we are strictly monitored by our regulators and banking partners. As a merchant we have to be fully compliant with the Payment Card Industry’s Security Standards (https://www.pcisecuritystandards.org/tech/index.htm) which has a core group of six principles and a dozen or so accompanying requirements. These are all aimed at ensuring that we proactively protect customer account data.
I suppose in all of this we are only ‘as strong as our weakest link’ and we are all at the mercy of that ‘rogue’ employee. A whole host of activity is undertaken so as to maintain a workforce that is ‘engaged’ and thus reduce the likelihood of this, but you can never be certain. Additional measures that we take, to further reduce this risk, include the control of the use of mobile phones (to prevent those with cameras being able to take screenshots of player information) and the use of ‘messenger’ applications. Physical security of and access to our premises is tightly controlled as is the security of stored documents. Documentation (for the purposes of player verification) which we receive is never stored and all physical documents are immediately ‘shredded’ once we have concluded our checks.
In respect of the use of personal information, including email addresses, we adhere to our Privacy Policy and we do not rent or sell such information to any third party. We may occasionally hire other companies to provide limited services on our behalf which include identity verification, payment processing and the provision of software. These companies are blue chip organisations and are publicly listed entities. 32Red will only provide these companies with that information which is reasonably required to perform the service, and these third parties will be prohibited from using that information for any other purpose. Again, we instruct these companies to adhere to our stated Privacy Policy and that they protect the confidentiality of your personal information.
Our employees do not have access to multiple instances of email addresses or personal details. When an email distribution is planned, it is only senior members of 32Red who can collate the necessary information from our player database.
I trust this allays your concerns and please feel free to drop me a line if you need any further information in this respect.

[bellerock]

At Carmen Media Group the security of customer data is of utmost importance and we adhere to the requirements of the Gibraltar Regulatory Authority and eCOGRA in this regard.

All banking details are encrypted and are not accessible to staff members unless at the highest level and only after in depth security reviews. Most of our staff will only ever see the last four digits of a card/account number. None of our staff can see your password.
As part of our regulatory requirements we have to provide the results of independent penetration tests carried out on our networks and systems, thus identifying and closing any weaknesses that could be exploited by hackers. These tests are carried out on an annual basis.

As with all other operators the biggest risk is from dishonest employees. We have many audit trails that allow us to monitor activity in and around our databases, as well as restrictions on the accessibility of certain reports and lists to specific staff members. We also restrict the use of external hard drives (USB sticks), and have no disk drives or CD burners on our machines. All machines have restrictions that do not allow staff to download and install any software, we restrict the use of communication products and so on.

I think most players can be confident that any operator in a reputable jurisdiction with strict regulatory controls will be taking all the necessary steps to protect their players data.

I trust you will find this informative as to the lengths we go to protect your data.

Best regards,

Belle Rock

[bwin]

hello

as a sportsbook and gaming operator licensed in Gibraltar, bwin is not only limited to it's own restrictive policies, but also to regulatory rules. we assure the safety of customers data by splitting data into different subsystems, restricting access to the specific subsystems to authorized people only and by tracking and reviewing all accesses and changes constantly. it is in our own interest NOT to share customer data with anybody outside bwin at all - and within the company only the absolute necessary amount of personal data is shared among people who need it for their daily work (e.g. customer service) and these people and their system accesses are logged and reviewed constantly.
bwin Casino will also never buy and abuse email adresses or other personal data - we are very very restrictive on that. we are a reputable operator and we will never send promotional emails to anyone whithout having the receipients permission - and we will never share customer details with anyone outside bwin.

there are a lot of black sheeps out there - but there are also a lot of reputable operators out there and bwin is definitely one of them.

[Virgin Ace]

The safety, privacy and security of player information is a top priority at Virgin Casino. I would like to take this opportunity throw a little light onto how Virgin Casino stores player information and the lengths we go to ensure that all customer data is kept secure and private.

Banking information is encrypted and all employees (with the exception of the payment processing team) can only see what payment method a customer uses to transact and the last 4 digits of a card number. We impose strict controls to ensure data privacy and ensure we have an audit history of any changes made to accounts. Virgin Casino is licensed in Alderney and no employee has access to players’ passwords for the site.

Access to any player information that may be used for marketing (when a customer has opted in to receiving promotional information) is also restricted to staff who work in marketing teams that need access to this data. We follow data protection legislation and ask customers to opt in to marketing communications before we send them out. There are full details of the Virgin Casino privacy policy on our website at https://www.virginCasino.com/casino/...x?page=privacy

I agree with Path that we can never completely rule out the possibility that a rogue employee could steal customer information but we make every effort to reduce this risk to a minimum. We have several processes in place to prevent authorized use of data and ensure close monitoring and regular reviews of staff data access privileges.

If there is ever an instance where you believe your information might be at risk, I would implore you to let us know immediately, as we take security very seriously at Virgin Casino and maintaining players’ privacy is our top priority.

[thisisvegas]

I can echo a lot of the comments made by other operators. Being the manager at www.thisisvegas.com using RivalPowered software I can tell you what we do. It is practically impossible for me to generate a report to collect players' data and to sell it off to someone else including the email list. Rival designed their software with this in mind to prevent any operator from doing this or even having an employee copying and selling data. Regarding any financial transaction I can't even pull up any relevant data, I only have transaction codes which I can match up with the specific payment processor. I can't see a player's password but I can have it reset for them and it's emailed to them without myself knowing it.

I understand the concerns of players since I have been and still do gamble online myself. I personally believe that if you stick with some reputable sites that the most you have to worry about is spam and no worries about your personal data being stolen or sold. I don't like spam myself since I have one email that I had to close down from receiving too much of it and emails from sites I never played at.

I feel confident that at my casino you won't have your information or email shared. I believe the best way to prove this for all the reputable casinos is to have new email addresses and to sign-up to 1 place and track down everything. If you get that spam in a short period of time I don't know how the operator can claim they are innocent.

I would like to see who the offenders are.

John Wright
thisisvegas

[Mousey]

My goodness! I've never seen so many casino reps posting in one thread! I feel as if I should fry up a fresh chicken, bake an apple pie, and put on my good Sunday dress .

I would like to thank you one and all for taking the time to come here and inform players regarding your security measures.

I will reread the comment more thoroughly. I have a question or two, I think.

Happy Holidays, reps! And thanks for being on call for us here at Casinomeister.

[JSM_Jason]

As the affiliate and marketing manager for Paradise 8 and Cocoa Casino I’d just like to reiterate what John has said here regarding the security of Rival casinos.

The back-end of the casinos was developed specifically with security in mind. It seems to have been designed to work on a need-to-know philosophy. Employee back end accesses are restricted to assure that no one has access to information they do not need to do their job. The accounting department can only view limited info relating to their area, the art department has access limited to only relevant areas (banner and graphic uploading etc.) the affiliate manager only has access to affiliate related information and so on. This type of structure adds an extra level of security and prevents any one person from having complete information access. This also keeps the number of staff who has access to player info to a minimum and restricts it to a handful of top employees.

Aside from this compartmentalized back-end structure of the casinos, the reporting system also provides an added precautionary measure to assure the privacy of player info. As John mentioned, as rigorous as the reporting system Rival casinos use is, it will not allow a user to generate a complete player list with email addresses and player information and NO employees have access to player passwords. It would be an understatement to suggest that acquiring a player database from either Paradise 8 or Cocoa Casino would be an extremely difficult task. Pair that with the fact that this info is limited to a handful of top employees (making any security breach easily traceable) and the likelihood of player information leaving our back end is next to none.

Players can feel confident that when they choose to trust their info with Paradise 8 and Cocoa Casino it is completely secure. Honesty and Integrity are a big part of who we are and we feel that these qualities, as well as a dedication to customer service and player and affiliate support, are what will separate us from the crowd.

P.S. Thanks Casinomeister for the heads up on this concern

Sincerely,

Jason Wayne
Affiliate and Marketing Manager
Jet Set Marketing (Paradise 8, Cocoa Casino)
Jason@thejetsetlife.com
MSN: jetset_jason@hotmail.com

[vinylweatherman]

I've answered both of those points before.

Hotmail is different, as so many people use the hotmail domain, it's worth spamming every permutation of name @hotmail.com as most of them will turn out to be valid addresses. This isn't the case with my own domain.

Also, when I named names, I gave the names of all the senders of the spam too. Since then I've had one to totesport from 'spin palace' (though the link points to http://www.bigspinwinners158.com/1/a320623/index.asp).

Here's some partial headers;

Totesport #3;
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=simple;
s=s512; d=vivayouarelucky.com;
b=H7yLbS4SOk6eBRm/hCJNdMiA3dzeuIuFI5O4Z268ProsLjcN3OXBwGpQ87l5agCi7w enSLcsbcb1i7f8JwD9jQ==;
Received: from mx56.vivayouarelucky.com [216.10.15.56] by vivayouarelucky.com [216.10.15.56];
Mon, 10 Dec 2007 14:02:56 EST
-------
Totesport #2;
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=itsforyougetitnow.com;
h=from:to:subject:date:message-id:content-type;
q=dns/txt; s=s512; bh=ulzAB3gYJXNqsiMhkbPZi5xMNhE=;
b=V24d+pSJ76WXPvg/NQANCs0IS4ZBetA1+EXgAEDz9mWn0cMGTwj3yFB5w5FyD3U3m/pB9nVWp6iuGFI81BvIjw==;
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=simple;
s=s512; d=itsforyougetitnow.com;
b=Skqvq/ZiKlPey1eY/ckgADYqsITuY9HFvwM9YBrpUIDOECa/IHf6fVrhtzFk8fDlJMOpHL5Qymo1mst3zVp+IA==;
Received: from mx25.itsforyougetitnow.com [216.10.15.25] by itsforyougetitnow.com [216.10.15.25];
Sun, 9 Dec 2007 18:24:19 EST
MIME-Version: 1.0
------------
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=superpalacegold.com;
h=from:to:subject:content-type:date:message-id;
q=dns/txt; s=s512; bh=PPXyHYv6Ou+5FBSNwoOzuk6aiCY=;
b=YafHjZz67gy+XS8A0MztstkPL1vyl+SyaTh+MCCho4lCzilJ kEi+ZbVdU/DSY0fK0ziUuReVR0Tt5p+QIxzvrw==;
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=simple;
s=s512; d=superpalacegold.com;
b=lR6ikWJj4gg2h1OxnpTAyUtRi7udJfxBAiB+ldGqvwmsvg3d ayBVabCa47RoteRf7VpYT1NeYepqrGAKElFEcQ==;
Received: from mx52.superpalacegold.com [216.10.15.52] by superpalacegold.com [216.10.15.52];
Thu, 6 Dec 2007 18:45:49 EST
MIME-Version: 1.0
----------------
So all of them came from 216.10.15.xxx which is godaddy. The domains were registered on 29th November 2007, by;
Doust, John dedijohn@gmail.com
dedijohn
cyprys limassol
limassol, lima 8234
Cyprus
357892949302

-------------------

Bluesq #1;
Received: from balmyd.net ([75.126.66.132])
by mx.kundenserver.de (node=mxeu17) with ESMTP (Nemesis)
id 0MKxIC-1IzGCL3MBS-00083p for bluesq@mydomain.com; Mon, 03 Dec 2007 19:39:18 +0100
Message-ID: <C2D05BFA.64F7864A@balmyd.net>
Date: Mon, 03 Dec 2007 20:12:32 +0100
Reply-To: <bluesq@balmyd.net>
From: <bluesq@balmyd.net>
MIME-Version: 1.0

---------------------
bluesq#2;
Received: from beardc.net (www.rockheads.com [74.200.253.12])
by mx.kundenserver.de (node=mxeu22) with ESMTP (Nemesis)
id 0MKr6C-1J0jci2VT4-0003xp for bluesq@mydomain.com; Fri, 07 Dec 2007 21:16:37 +0100
Message-ID: <2A2E6438.75AD1658@beardc.net>
---------------------
Whois;
Domain Name: BEARDC.NET

Registrant [1151825]:
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US

Rockheads.com;
Rockheads Comics & Games
2527 75th Street
Kenosha, WI 53143
US
(I suspect this may be a bot)

Domain Name: BALMYD.NET

Registrant [1151856]:
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US
Record created on: 2007-11-08 22:36:47

Well, this makes a connection between the allegations of a leak from Totesport, and that ONE "Spin Palace" rogue affiliate. If we can find out how this rogue affiliate obtained his E-mail address list, we can see if this was on general sale as part of a circulating list, or was generated by one of these bot engines that produce as many permutations as possible.

And for lots0

lol... an expert after one article.
A packet sniffer can be run from anywhere, just like any program.
The real good ones (actually, the only ones that the real spammers use) are run remotely from a botnet.

Well, it may be possible to run it from anywhere, but first it must have had an input feed grafted onto part of the network being monitored, and this is what the article mentioned. There has to be a security breach to install this "bug" for it to send copies of the traffic to a "botnet" for analysis.
If the player has top grade protection at his end, then it is the casinos end that needs to be assessed, is it possible that anything could have been planted.
If the sniffer was on the player's end, it would harvest ALL of his gaming E-mail addresses, and spam would be in proportion to the frequency those addresses were used, and exposed to the packet sniffer. If it is only Totesport addresses that get sniffed and passed on, the sniffer has to be at Totesport's end, where all gambling related E-mails will be to and from Totesport. The other possibility is as originally alleged, that a list of Totesport player E-mail addresses has leaked out, and is now being bought and sold along with others.

[GrandMaster]

We do not store credit card numbers or the 3 digit security code that is contained on the reverse of the card. We have the ability to access full card numbers and this access is strictly controlled and limited to senior members of staff. Those employees, who do have access, have been verified through a number of means which do include background checks with the police. The majority of our employees are only able to view the last four digits of a card number, with this being necessary to being able to perform certain financial transactions. The back office system that we use does not allow employees to see multiple instances of accounts, does not allow employees to export information into other files and prevents details from being printed. We run regular audits so as to ensure we know who is accessing what data and for what purpose.

...


In respect of the use of personal information, including email addresses, we adhere to our Privacy Policy and we do not rent or sell such information to any third party. We may occasionally hire other companies to provide limited services on our behalf which include identity verification, payment processing and the provision of software. These companies are blue chip organisations and are publicly listed entities. 32Red will only provide these companies with that information which is reasonably required to perform the service, and these third parties will be prohibited from using that information for any other purpose. Again, we instruct these companies to adhere to our stated Privacy Policy and that they protect the confidentiality of your personal information.
Our employees do not have access to multiple instances of email addresses or personal details. When an email distribution is planned, it is only senior members of 32Red who can collate the necessary information from our player database.

This is the sort of system I expect to have in place at an organisation handling confidential information. Her Majesty's Revenue and Customs could learn a lot from you.

[lots0]

Well, it may be possible to run it from anywhere, but first it must have had an input feed grafted onto part of the network being monitored, and this is what the article mentioned. There has to be a security breach to install this "bug" for it to send copies of the traffic to a "botnet" for analysis.

The botnet is the security breach.
The botnet or rather the zombie computers in the botnet are what gathers the information, not what analyzes it.

A zombie(a compromised computer that is part of the botnet) that is on any network with a packet sniffer installed is all you need, real simple stuff for any half assed spammer. At last estimate, there were at least one million zombies(security compromised computers) out there that are part of botnets.
Well enough of email spamming 101. For more info see THIS

My point is (and has been) that you are much more likely to get email spam from either a random name generator or a packet sniffer(botnet) than from a reputable casino selling(or giving) your email address to a spammer.

I think some of the responses from the casino Reps from reputable casinos in this thread help to confirm my point.