Account security concerns at multiple casinos

[lifechooser]

I'm wondering if I should read anything into the fact that none of the casinos I named have posted on here.

[shaunm]

We have been responding to this customers concern directly through email communications to ensure a professional service.

Totesport treat all privacy concerns of customer details very seriously, and believe this has helped us to develop one of the most trusted names in the UK gambling market. We never pass on customer details to any third party.

With respect to the spam incident reported on this thread, we are confident that there has not been a breach in our security. With a database of over 200,000 registered customers, we have had only a handful of complaints relating to SPAM in 2007. So far, all of these incidents have related to customers who have had “totesport” or “tote” as part of their email address. Although we are unable to fully explain why this is, we believe it could be linked to some sort of “scrapper”. This is further supported by the fact that the customer appears to have received SPAM to all his different email addresses registered at different companies within a relatively short space of time.

The specifications for the storage of Customer Payment Method information are laid down by the Government. This includes the storage and availability of Credit Card details within an organization.

Totesport software systems are regularly audited against these specifications and are fully compliant. This is called PCI Compliance.

Credit Card numbers and other details such as expiry date are 32-bit encrypted before they can be stored in any database. This encryption requires a key to allow decryption for administration purposes. The vast majority of software users within Totesport have what is called Masked availability of your credit card details e.g. for credit card number 1234 2345 3456 4567 they would see XXXX XXXX XXXX 4567. This is a Government standard and is fully audited. There are a few chosen people within the organization who do have the facility to view the entire customer credit card details. This is generally because they need the whole numbers to fulfill their role for example the Security and Fraud department.

Your security number (from the back of the card) cannot be stored in any way within software systems and is certainly not stored within totesport systems. This must be supplied by the customer whenever making an internet transaction on a transaction by transaction basis. We at Totesport cannot hold this information once the transaction is completed.

We cannot store any customer passwords in our system, all we can do is reset them for the customer. Once the customer is sent his/her new password we urge them to immediately change it to something else.

If there are any further questions i'd be happy to help.

Shaun

[MichaelBluejay]

Well, I feel like I'm ahead of the curve on this one. I posted about this very issue a full seven years ago: http://vegasclick.com/online/spam.html

And back when I did casino reviews, whether or not they sent spam to my test address was one of my criteria: http://vegasclick.com/online/casinoreviews.html

I have to suggest that when using a test address, you can't use something as simple as CasinoName@MyDomain.com, because doing so allows a casino to get its competitors in trouble. Let's say you use NastyAssCasino@MyDomain.com at one site. Nasty Ass Casino sees that lots of their players use that exact format. So the addresses they give to spammers are NiceReputableCasino@CustomerDomain1.com, NRC@CustomerDomain2.com, NRC@CustomerDomain3.com, etc. So now it looks like Nice Reputable Casino sold out its players, when that actually wasn't the case. It's not probable that we'd see this particular combination of treachery + too much time on their hands, but it's possible, and when you're making accusations in public, it's important to know that the accused wasn't set up.

So now I use other special characters in the special address. If *that* address gets spammed by a casino, I know the original casino truly sold me out, and not that they were framed.

By the way, while it wouldn't be worth it for a *casino* to sell out its players, the money could be tempting to a rogue employee. How much is a list of 1000 known players worth? I don't know, but probably enough to tempt many individuals.

As for totesport's response:

So far, all of these incidents have related to customers who have had “totesport” or “tote” as part of their email address. Although we are unable to fully explain why this is...

(groan) It's because by having totesport in their address, that's the way they know where their addresses were leaked from! Hello?

we believe it could be linked to some sort of “scrapper”.

You don't seem familiar with what a scraper (not scrapper) is. A scraper lifts info from web pages. These addresses weren't on web pages. You can't blame bots on this one.

[EverestBecky]

At the risk of beating a dead horse here, I thought I would put in a quick work on behalf of Everest Poker and Casino. I am sorry it took me so long- I am new over here and wanted to be sure my information was completely accurate before posting. Anyway, I just received the CasinoMeister newsletter and I wanted to compliment Betfred, 32Red and BWin on their responses to this thread and for their overall concern for player security. Here at Everest, player security is also one of our primary responsibilites and we have taken on a multi-faceted approach to ensure our players' accounts and information is safe. Complete security at Everest includes transmission security (all info transmitted between Everest Poker and our players is encrypted using 128-bit SSL), financial security, data security and staff security (access to player account information by Everest Poker staff is strictly controlled. We have a complete audit trail that shows access and data usage to enforce this policy). To view our security statment, please feel free to visit http://www.everestpoker.com/en/policies/security.html and/or you can PM me anytime- happy to try and help.

[lots0]

So far, all of these incidents have related to customers who have had “totesport” or “tote” as part of their email address.

Could be a random word generator set to produce permutations of "totesport" ot "tote" in email addresses.

or

It could be like MichaelBluejay says and only the people with totesport/tote in their email address bothered to report email spam that was advertising totesport.

[jolub]

Every day I get spammed by Magic Jackpot Casino. The spam uses several different names but they all point to a site called Magic Jackpot Casino. On MJC's main menu there are many options. Clicking on any and all of them give you the same option, to download their software. Clicking on unscribe in their email takes you to the same page. I have made several rules to send this crap to the deleted folder but nothing seems to work. They change the email just enough so my rules don't apply. I wish I knew what site gave them my name so I could make a withdrawal and stop playing at that site.

The following is taken from their latest spam. Note how casino is spelled.

A new electronic publication from Ca*si*no-World. Announcement Letters.

[Casinomeister]

Every day I get spammed by Magic Jackpot Casino. The spam uses several different names but they all point to a site called Magic Jackpot Casino. On MJC's main menu there are many options. Clicking on any and all of them give you the same option, to download their software. Clicking on unscribe in their email takes you to the same page. I have made several rules to send this crap to the deleted folder but nothing seems to work. They change the email just enough so my rules don't apply. I wish I knew what site gave them my name so I could make a withdrawal and stop playing at that site.

The following is taken from their latest spam. Note how casino is spelled.

A new electronic publication from Ca*si*no-World. Announcement Letters.

Let me guess, and when you download the casino software it's from either Vegas Red or Big Dollar casino. This is a big-time evil affiliate spammer who is pretty much out of control.

[liquuid_fusion]

So far, all of these incidents have related to customers who have had “totesport” or “tote” as part of their email address.

You're stating the obvious. The fact that they has "totesport" or "tote" in their email addresses is the reason they were able to approach you with their complaint. There are probably many more who don't have those words in their email address, but they are none the wiser as to the source of the spam!

[GrandMaster]

Let me guess, and when you download the casino software it's from either Vegas Red or Big Dollar casino. This is a big-time evil affiliate spammer who is pretty much out of control.

The spam which has Big Dollar in it downloads Jupiter Club. This is a mistery I have not figured out.