Account security concerns at multiple casinos

**Casino Action** · 12th December 2007, 01:15 AM

I would just like to reiterate my colleagues' statements on player security. Any reputable casino should treat their player's privately registered details as sacrosanct.

Aside from entertainment, online casino operators � moreso even than brick-and-mortar casinos � are in the business of selling trust. Without that trust, and given the quality of the competition, any online casino operator will not have players and will not be long in business. To violate that trust for the sake of whatever reward you receive for, say, selling on player email addresses, is suicidal � especially given that it's so easy for players to work out if you're doing it (many of our players, for example, use lifechooser's method when registering their email addresses), and disseminate that information! (Props to the Meister for this forum!)

As I assume is the case at all eCogra-certified casinos, our player banking details are available only to security-reviewed staff members, and no-one can access player passwords. All player private details are stored on heavily secured servers and all banking transactions are encrypted via SSL.

As bellerock has stated, the biggest risk operators face is from dishonest employees, but a reputable operator should be making every effort to ensure that this risk is reduced: through restricting data each employee has access to, thorough audit trails for every employee action, and employing standard IT security best practises.

I would hope that any casino that has been in operation for a reasonable amount of time, is answerable to their licensor and any third-party review organisation (like eCogra), and operates trusted software (such as, plug plug, Microgaming), would be able to be trusted by players; and for those that can't be, there are sites like Casinomeister that can inform players, or allow players to inform each other, to keep away.

And, of course, it goes without saying that all casinos in the Casino Action group make every effort to ensure that all player data is kept secure

.

(Thanks for the heads up, Casinomeister!)

Originally Posted by vinylweatherman

Well, it may be possible to run it from anywhere, but first it must have had an input feed grafted onto part of the network being monitored, and this is what the article mentioned. There has to be a security breach to install this "bug" for it to send copies of the traffic to a "botnet" for analysis.

Yep, this is correct. Compromising traffic across the internet is (thankfully) not as easy as installing a packet monitor on your own PC. Doing so will allow you (or somebody else) to monitor the data coming to and leaving your PC, but to monitor traffic on another network, you need to compromise part of that network.

Cheers,

Andrew @ Casino Action

**Fr05t3d** · 12th December 2007, 01:39 AM

Wow, what an interesting thread.

Pretty much all angles seem to be covered, but I thought I'd contribute.

I've had casino/poker accounts at several places, and always had a separate e-mail address for all of them - that is one e-mail address for all my gambling correspondence, not one per registration.

I've only ever played at sites I consider reputable - high street bookies, well-known brands, long-established online places etc.

I can categorically state I have NEVER had any spam to this e-mail address in many years. Maybe I've just been lucky, but I'm quite security conscious and have always concerned myself with what information I give out etc. I actually have a bank account that I use solely for my online gaming and that has never been compromised. I think it's important to choose where you play very carefully, obviously, but my experiences give me nothing but confidence that my information has always been kept secure. I have an account at Totesport (as they were mentioned) and obviously receive regular e-mails from them, but never been subject to spam. My account is a hotmail account.

Not sure how relevant anything I just said is, as I'm not as technically minded as some of the posters in this thread. But, hey, I'm here to contribute!

Cheers.

**lots0** · 12th December 2007, 01:39 AM

Compromising traffic across the internet is (thankfully) not as easy as installing a packet monitor on your own PC. Doing so will allow you (or somebody else) to monitor the data coming to and leaving your PC, but to monitor traffic on another network, you need to compromise part of that network.

To compromise a network is as easy as renting a botnet for a few hundred dollars (I found a botnet to rent in less than ten minutes of looking). A botnet that already has zombie computers inside most of the major networks and lots and lots of minor ones.

**3Dice** · 12th December 2007, 11:19 AM

Hi All,

With so many things already covered, and views expressed, perhaps its a good idea to try and distill a little manual that players can use to ensure they minimize the risk of their email address ending up in the wrong hands ..

On the technical side, the users own computer obviously is the weakest link. Technical security is more than a full time job for a casino, and so it is safe to assume that in most cases exploits, bots and trojans are to be found on your own computer .. be sure you stay up to date on antivirus and trojan tools, and check your system regularly ..

It is more difficult for a player to asses whether or not the casino is doing its homework on the technical side, but before signing up at least make sure that the casino's security certificates are up to date, and - cant be repeated enough - search google and cm for specific issues before even touching the download button !

When you do sign up, it is a very good idea to use a specific email address. At the very least, it allows you to close an account and have the guarantee that you will no longer be bothered by it .. it is the only thing you can actively do to ensure that you will be able to contain the contamination.

On to the human factor - the cause of the vast majority of security breaches in any sector. Unfortunately, this is much harder to assess, although there are a number of tell-tale signs that could help a player form a balanced opinion. For starters, reiterate the google and cm queries - issues do show up and you wouldn't be able to forgive yourself if you skip this !

Secondly, if you have the opportunity to talk to their support before signing-up then don't miss out .. a lot can be learned from a short conversation. Also consider the amount of 'human factor' - is the casino outsourcing support/marketing and how do they guarantee the continuation of the privacy protection when they do. It may be a good idea to specifically ask who sends and how often they send out commercial emails, and how long that person/company has been doing that for them. (that's the place you _know_ email lists exist.)

And of course, there's a human factor for all of us to. Following lifechoosers example, we should all commit to making sure that all abuse is exposed on public places like Casinomeister, kudos lifechooser !

In conclusion, just like most things an air-tight solution is practically impossible. Empirically measured however, it is safe to say that people that spend the proper amount of attention will be victimized a lot less ..

At 3Dice customer privacy is a continuous focus and we implement the most stringent security scenarios when dealing with any personal information. Email lists are available to no-one, not even management, and emails can only be sent out from the casino's secured back end, banking details are never stored and all sensitive data is encrypted using the latest security algorithms.

Kindest Regards,

Enzo

**lifechooser** · 12th December 2007, 11:39 AM

Originally Posted by Fr05t3d

I can categorically state I have NEVER had any spam to this e-mail address in many years. ....My account is a hotmail account.

Cheers.

Remember that hotmail has a very good spam filter though.

**Casinomeister** · 13th December 2007, 06:56 PM

Great thread, and a big thanks to the I-Gaming reps who have been most insightful with this crucial issue.

**1819** · 13th December 2007, 07:18 PM

iv'e said it many times...there can be no true security when it comes to online gaming. the biggest breach continues to be the fact that almost all casinos ask for sometime of faxback forum. while the casino may have all your personal info secure, that info is out there for all to see once you fax a credit card number on an overseas phone line. drivers license, front and back of a credit card sent over a nonsecure phone line is begging for trouble.

**Mart** · 13th December 2007, 08:11 PM

Originally Posted by lots0

To compromise a network is as easy as renting a botnet for a few hundred dollars (I found a botnet to rent in less than ten minutes of looking). A botnet that already has zombie computers inside most of the major networks and lots and lots of minor ones.

Hmm interesting. What are you counting as a major network? You'd have to compromise the casino's network (and that assumes they've set up mail on a LAN side server), or an ISP's WAN side network. At my ISP no client can see the traffic for any other client, or any post-gateway traffic (including from mail servers). You would have to compromise the routing network (which has no personal machines) to see the traffic before it hits the major routing backbones. And if bots are able to sniff casino email traffic within the casinos' networks then I'd still blame them, because that is still a flaw with their security set up.

To keep a little more on thread, I started to receive large amounts of spam to my royal vegas email address a while ago (and one other person I know did as well at the same time).

**GaryWatson** · 13th December 2007, 09:48 PM

I received some snail mail from Mansion Poker yesterday.

I have never signed up for mansion. Dont intend to due to their pro spamming policy.

Someone has my name, address & details.

The referral code on the disc is UK9928

I cant say im overly concerned but am curious.

**vinylweatherman** · 14th December 2007, 12:03 AM

Originally Posted by 1819

iv'e said it many times...there can be no true security when it comes to online gaming. the biggest breach continues to be the fact that almost all casinos ask for sometime of faxback forum. while the casino may have all your personal info secure, that info is out there for all to see once you fax a credit card number on an overseas phone line. drivers license, front and back of a credit card sent over a nonsecure phone line is begging for trouble.

I have seem many complaints from players who have been asked for documents again and again, even after receipt has been confirmed. This shows a woeful lack of security in this part of the procedure. To have CS keep on losing track of these requested documents is clearly a weak spot in the tight procedures employed once the information is in the databases.