Account security concerns at multiple casinos

[path]

We at 32Red ask for a lot of information from our players and it is only right that our players in turn know that this information is maintained securely and without fear of compromise.
Firstly, let me deal with information that we hold in respect of a players’ financial accounts.
We do not store credit card numbers or the 3 digit security code that is contained on the reverse of the card. We have the ability to access full card numbers and this access is strictly controlled and limited to senior members of staff. Those employees, who do have access, have been verified through a number of means which do include background checks with the police. The majority of our employees are only able to view the last four digits of a card number, with this being necessary to being able to perform certain financial transactions. The back office system that we use does not allow employees to see multiple instances of accounts, does not allow employees to export information into other files and prevents details from being printed. We run regular audits so as to ensure we know who is accessing what data and for what purpose.
32Red does not store players’ passwords. Yes, we can perform password changes and reset log-in attempts but we have no access to the password itself. Once we have changed a player’s password we urge them to change it themselves from within the gaming software.
Not only do we have our own internal measures, but we are strictly monitored by our regulators and banking partners. As a merchant we have to be fully compliant with the Payment Card Industry’s Security Standards (

You do not have permission to view link Log in or register now.

) which has a core group of six principles and a dozen or so accompanying requirements. These are all aimed at ensuring that we proactively protect customer account data.
I suppose in all of this we are only ‘as strong as our weakest link’ and we are all at the mercy of that ‘rogue’ employee. A whole host of activity is undertaken so as to maintain a workforce that is ‘engaged’ and thus reduce the likelihood of this, but you can never be certain. Additional measures that we take, to further reduce this risk, include the control of the use of mobile phones (to prevent those with cameras being able to take screenshots of player information) and the use of ‘messenger’ applications. Physical security of and access to our premises is tightly controlled as is the security of stored documents. Documentation (for the purposes of player verification) which we receive is never stored and all physical documents are immediately ‘shredded’ once we have concluded our checks.
In respect of the use of personal information, including email addresses, we adhere to our Privacy Policy and we do not rent or sell such information to any third party. We may occasionally hire other companies to provide limited services on our behalf which include identity verification, payment processing and the provision of software. These companies are blue chip organisations and are publicly listed entities. 32Red will only provide these companies with that information which is reasonably required to perform the service, and these third parties will be prohibited from using that information for any other purpose. Again, we instruct these companies to adhere to our stated Privacy Policy and that they protect the confidentiality of your personal information.
Our employees do not have access to multiple instances of email addresses or personal details. When an email distribution is planned, it is only senior members of 32Red who can collate the necessary information from our player database.
I trust this allays your concerns and please feel free to drop me a line if you need any further information in this respect.

 

[bellerock]

At Carmen Media Group the security of customer data is of utmost importance and we adhere to the requirements of the Gibraltar Regulatory Authority and eCOGRA in this regard.

All banking details are encrypted and are not accessible to staff members unless at the highest level and only after in depth security reviews. Most of our staff will only ever see the last four digits of a card/account number. None of our staff can see your password.
As part of our regulatory requirements we have to provide the results of independent penetration tests carried out on our networks and systems, thus identifying and closing any weaknesses that could be exploited by hackers. These tests are carried out on an annual basis.

As with all other operators the biggest risk is from dishonest employees. We have many audit trails that allow us to monitor activity in and around our databases, as well as restrictions on the accessibility of certain reports and lists to specific staff members. We also restrict the use of external hard drives (USB sticks), and have no disk drives or CD burners on our machines. All machines have restrictions that do not allow staff to download and install any software, we restrict the use of communication products and so on.

I think most players can be confident that any operator in a reputable jurisdiction with strict regulatory controls will be taking all the necessary steps to protect their players data.

I trust you will find this informative as to the lengths we go to protect your data.

Best regards,

Belle Rock

 

[bwin]

hello

as a sportsbook and gaming operator licensed in Gibraltar, bwin is not only limited to it's own restrictive policies, but also to regulatory rules. we assure the safety of customers data by splitting data into different subsystems, restricting access to the specific subsystems to authorized people only and by tracking and reviewing all accesses and changes constantly. it is in our own interest NOT to share customer data with anybody outside bwin at all - and within the company only the absolute necessary amount of personal data is shared among people who need it for their daily work (e.g. customer service) and these people and their system accesses are logged and reviewed constantly.
bwin Casino will also never buy and abuse email adresses or other personal data - we are very very restrictive on that. we are a reputable operator and we will never send promotional emails to anyone whithout having the receipients permission - and we will never share customer details with anyone outside bwin.

there are a lot of black sheeps out there - but there are also a lot of reputable operators out there and bwin is definitely one of them.

 

[GamesysAffiliates]

The safety, privacy and security of player information is a top priority at Virgin Casino. I would like to take this opportunity throw a little light onto how Virgin Casino stores player information and the lengths we go to ensure that all customer data is kept secure and private.

Banking information is encrypted and all employees (with the exception of the payment processing team) can only see what payment method a customer uses to transact and the last 4 digits of a card number. We impose strict controls to ensure data privacy and ensure we have an audit history of any changes made to accounts. Virgin Casino is licensed in Alderney and no employee has access to players passwords for the site.

Access to any player information that may be used for marketing (when a customer has opted in to receiving promotional information) is also restricted to staff who work in marketing teams that need access to this data. We follow data protection legislation and ask customers to opt in to marketing communications before we send them out. There are full details of the Virgin Casino privacy policy on our website at

You do not have permission to view link Log in or register now.

I agree with Path that we can never completely rule out the possibility that a rogue employee could steal customer information but we make every effort to reduce this risk to a minimum. We have several processes in place to prevent authorized use of data and ensure close monitoring and regular reviews of staff data access privileges.

If there is ever an instance where you believe your information might be at risk, I would implore you to let us know immediately, as we take security very seriously at Virgin Casino and maintaining players privacy is our top priority.

 

[thisisvegas]

I can echo a lot of the comments made by other operators. Being the manager at www.thisisvegas.com using RivalPowered software I can tell you what we do. It is practically impossible for me to generate a report to collect players' data and to sell it off to someone else including the email list. Rival designed their software with this in mind to prevent any operator from doing this or even having an employee copying and selling data. Regarding any financial transaction I can't even pull up any relevant data, I only have transaction codes which I can match up with the specific payment processor. I can't see a player's password but I can have it reset for them and it's emailed to them without myself knowing it.

I understand the concerns of players since I have been and still do gamble online myself. I personally believe that if you stick with some reputable sites that the most you have to worry about is spam and no worries about your personal data being stolen or sold. I don't like spam myself since I have one email that I had to close down from receiving too much of it and emails from sites I never played at.

I feel confident that at my casino you won't have your information or email shared. I believe the best way to prove this for all the reputable casinos is to have new email addresses and to sign-up to 1 place and track down everything. If you get that spam in a short period of time I don't know how the operator can claim they are innocent.

I would like to see who the offenders are.

John Wright
thisisvegas

 

[Mousey]

My goodness! I've never seen so many casino reps posting in one thread! I feel as if I should fry up a fresh chicken, bake an apple pie, and put on my good Sunday dress .

I would like to thank you one and all for taking the time to come here and inform players regarding your security measures.

I will reread the comment more thoroughly. I have a question or two, I think.

Happy Holidays, reps! And thanks for being on call for us here at Casinomeister.

 

[JSM_Jason]

As the affiliate and marketing manager for Paradise 8 and Cocoa Casino Id just like to reiterate what John has said here regarding the security of Rival casinos.

The back-end of the casinos was developed specifically with security in mind. It seems to have been designed to work on a need-to-know philosophy. Employee back end accesses are restricted to assure that no one has access to information they do not need to do their job. The accounting department can only view limited info relating to their area, the art department has access limited to only relevant areas (banner and graphic uploading etc.) the affiliate manager only has access to affiliate related information and so on. This type of structure adds an extra level of security and prevents any one person from having complete information access. This also keeps the number of staff who has access to player info to a minimum and restricts it to a handful of top employees.

Aside from this compartmentalized back-end structure of the casinos, the reporting system also provides an added precautionary measure to assure the privacy of player info. As John mentioned, as rigorous as the reporting system Rival casinos use is, it will not allow a user to generate a complete player list with email addresses and player information and NO employees have access to player passwords. It would be an understatement to suggest that acquiring a player database from either Paradise 8 or Cocoa Casino would be an extremely difficult task. Pair that with the fact that this info is limited to a handful of top employees (making any security breach easily traceable) and the likelihood of player information leaving our back end is next to none.

Players can feel confident that when they choose to trust their info with Paradise 8 and Cocoa Casino it is completely secure. Honesty and Integrity are a big part of who we are and we feel that these qualities, as well as a dedication to customer service and player and affiliate support, are what will separate us from the crowd.

P.S. Thanks Casinomeister for the heads up on this concern

Sincerely,

Jason Wayne
Affiliate and Marketing Manager
Jet Set Marketing (Paradise 8, Cocoa Casino)
Jason@thejetsetlife.com
MSN: jetset_jason@hotmail.com

 

[vinylweatherman]

I've answered both of those points before.

Hotmail is different, as so many people use the hotmail domain, it's worth spamming every permutation of name @hotmail.com as most of them will turn out to be valid addresses. This isn't the case with my own domain.

Also, when I named names, I gave the names of all the senders of the spam too. Since then I've had one to totesport from 'spin palace' (though the link points to Link Removed ( Old/Invalid) ).

Here's some partial headers;

Totesport #3;
Comment: DomainKeys? See

You do not have permission to view link Log in or register now.

DomainKey-Signature: a=rsa-sha1; q=dns; c=simple;
s=s512; d=vivayouarelucky.com;
b=H7yLbS4SOk6eBRm/hCJNdMiA3dzeuIuFI5O4Z268ProsLjcN3OXBwGpQ87l5agCi7wenSLcsbcb1i7f8JwD9jQ==;
Received: from mx56.vivayouarelucky.com [216.10.15.56] by vivayouarelucky.com [216.10.15.56];
Mon, 10 Dec 2007 14:02:56 EST
-------
Totesport #2;
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=itsforyougetitnow.com;
h=from:to:subject:date:message-id:content-type;
q=dns/txt; s=s512; bh=ulzAB3gYJXNqsiMhkbPZi5xMNhE=;
b=V24d+pSJ76WXPvg/NQANCs0IS4ZBetA1+EXgAEDz9mWn0cMGTwj3yFB5w5FyD3U3m/pB9nVWp6iuGFI81BvIjw==;
Comment: DomainKeys? See

You do not have permission to view link Log in or register now.

DomainKey-Signature: a=rsa-sha1; q=dns; c=simple;
s=s512; d=itsforyougetitnow.com;
b=Skqvq/ZiKlPey1eY/ckgADYqsITuY9HFvwM9YBrpUIDOECa/IHf6fVrhtzFk8fDlJMOpHL5Qymo1mst3zVp+IA==;
Received: from mx25.itsforyougetitnow.com [216.10.15.25] by itsforyougetitnow.com [216.10.15.25];
Sun, 9 Dec 2007 18:24:19 EST
MIME-Version: 1.0
------------
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=superpalacegold.com;
h=from:to:subject:content-type:date:message-id;
q=dns/txt; s=s512; bh=PPXyHYv6Ou+5FBSNwoOzuk6aiCY=;
b=YafHjZz67gy+XS8A0MztstkPL1vyl+SyaTh+MCCho4lCzilJkEi+ZbVdU/DSY0fK0ziUuReVR0Tt5p+QIxzvrw==;
Comment: DomainKeys? See

You do not have permission to view link Log in or register now.

DomainKey-Signature: a=rsa-sha1; q=dns; c=simple;
s=s512; d=superpalacegold.com;
b=lR6ikWJj4gg2h1OxnpTAyUtRi7udJfxBAiB+ldGqvwmsvg3dayBVabCa47RoteRf7VpYT1NeYepqrGAKElFEcQ==;
Received: from mx52.superpalacegold.com [216.10.15.52] by superpalacegold.com [216.10.15.52];
Thu, 6 Dec 2007 18:45:49 EST
MIME-Version: 1.0
----------------
So all of them came from 216.10.15.xxx which is godaddy. The domains were registered on 29th November 2007, by;
Doust, John dedijohn@gmail.com
dedijohn
cyprys limassol
limassol, lima 8234
Cyprus
357892949302

-------------------

Bluesq #1;
Received: from balmyd.net ([75.126.66.132])
by mx.kundenserver.de (node=mxeu17) with ESMTP (Nemesis)
id 0MKxIC-1IzGCL3MBS-00083p for bluesq@mydomain.com; Mon, 03 Dec 2007 19:39:18 +0100
Message-ID: <C2D05BFA.64F7864A@balmyd.net>
Date: Mon, 03 Dec 2007 20:12:32 +0100
Reply-To: <bluesq@balmyd.net>
From: <bluesq@balmyd.net>
MIME-Version: 1.0

---------------------
bluesq#2;
Received: from beardc.net (www.rockheads.com [74.200.253.12])
by mx.kundenserver.de (node=mxeu22) with ESMTP (Nemesis)
id 0MKr6C-1J0jci2VT4-0003xp for bluesq@mydomain.com; Fri, 07 Dec 2007 21:16:37 +0100
Message-ID: <2A2E6438.75AD1658@beardc.net>
---------------------
Whois;
Domain Name: BEARDC.NET

Registrant [1151825]:
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US

Rockheads.com;
Rockheads Comics & Games
2527 75th Street
Kenosha, WI 53143
US
(I suspect this may be a bot)

Domain Name: BALMYD.NET

Registrant [1151856]:
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US
Record created on: 2007-11-08 22:36:47

Well, this makes a connection between the allegations of a leak from Totesport, and that ONE "Spin Palace" rogue affiliate. If we can find out how this rogue affiliate obtained his E-mail address list, we can see if this was on general sale as part of a circulating list, or was generated by one of these bot engines that produce as many permutations as possible.

And for lots0

lol... an expert after one article.
A packet sniffer can be run from anywhere, just like any program.
The real good ones (actually, the only ones that the real spammers use) are run remotely from a botnet.

Well, it may be possible to run it from anywhere, but first it must have had an input feed grafted onto part of the network being monitored, and this is what the article mentioned. There has to be a security breach to install this "bug" for it to send copies of the traffic to a "botnet" for analysis.
If the player has top grade protection at his end, then it is the casinos end that needs to be assessed, is it possible that anything could have been planted.
If the sniffer was on the player's end, it would harvest ALL of his gaming E-mail addresses, and spam would be in proportion to the frequency those addresses were used, and exposed to the packet sniffer. If it is only Totesport addresses that get sniffed and passed on, the sniffer has to be at Totesport's end, where all gambling related E-mails will be to and from Totesport. The other possibility is as originally alleged, that a list of Totesport player E-mail addresses has leaked out, and is now being bought and sold along with others.

 

[GrandMaster]

We do not store credit card numbers or the 3 digit security code that is contained on the reverse of the card. We have the ability to access full card numbers and this access is strictly controlled and limited to senior members of staff. Those employees, who do have access, have been verified through a number of means which do include background checks with the police. The majority of our employees are only able to view the last four digits of a card number, with this being necessary to being able to perform certain financial transactions. The back office system that we use does not allow employees to see multiple instances of accounts, does not allow employees to export information into other files and prevents details from being printed. We run regular audits so as to ensure we know who is accessing what data and for what purpose.

...


In respect of the use of personal information, including email addresses, we adhere to our Privacy Policy and we do not rent or sell such information to any third party. We may occasionally hire other companies to provide limited services on our behalf which include identity verification, payment processing and the provision of software. These companies are blue chip organisations and are publicly listed entities. 32Red will only provide these companies with that information which is reasonably required to perform the service, and these third parties will be prohibited from using that information for any other purpose. Again, we instruct these companies to adhere to our stated Privacy Policy and that they protect the confidentiality of your personal information.
Our employees do not have access to multiple instances of email addresses or personal details. When an email distribution is planned, it is only senior members of 32Red who can collate the necessary information from our player database.

This is the sort of system I expect to have in place at an organisation handling confidential information. Her Majesty's Revenue and Customs could learn a lot from you.

 

[lots0]

Well, it may be possible to run it from anywhere, but first it must have had an input feed grafted onto part of the network being monitored, and this is what the article mentioned. There has to be a security breach to install this "bug" for it to send copies of the traffic to a "botnet" for analysis.

The botnet is the security breach.
The botnet or rather the zombie computers in the botnet are what gathers the information, not what analyzes it.

A zombie(a compromised computer that is part of the botnet) that is on any network with a packet sniffer installed is all you need, real simple stuff for any half assed spammer. At last estimate, there were at least one million zombies(security compromised computers) out there that are part of botnets.
Well enough of email spamming 101. For more info see

You do not have permission to view link Log in or register now.

My point is (and has been) that you are much more likely to get email spam from either a random name generator or a packet sniffer(botnet) than from a reputable casino selling(or giving) your email address to a spammer.

I think some of the responses from the casino Reps from reputable casinos in this thread help to confirm my point.

 

[Casino Action]

I would just like to reiterate my colleagues' statements on player security. Any reputable casino should treat their player's privately registered details as sacrosanct.

Aside from entertainment, online casino operators moreso even than brick-and-mortar casinos are in the business of selling trust. Without that trust, and given the quality of the competition, any online casino operator will not have players and will not be long in business. To violate that trust for the sake of whatever reward you receive for, say, selling on player email addresses, is suicidal especially given that it's so easy for players to work out if you're doing it (many of our players, for example, use lifechooser's method when registering their email addresses), and disseminate that information! (Props to the Meister for this forum!)

As I assume is the case at all eCogra-certified casinos, our player banking details are available only to security-reviewed staff members, and no-one can access player passwords. All player private details are stored on heavily secured servers and all banking transactions are encrypted via SSL.

As bellerock has stated, the biggest risk operators face is from dishonest employees, but a reputable operator should be making every effort to ensure that this risk is reduced: through restricting data each employee has access to, thorough audit trails for every employee action, and employing standard IT security best practises.

I would hope that any casino that has been in operation for a reasonable amount of time, is answerable to their licensor and any third-party review organisation (like eCogra), and operates trusted software (such as, plug plug, Microgaming), would be able to be trusted by players; and for those that can't be, there are sites like Casinomeister that can inform players, or allow players to inform each other, to keep away.

And, of course, it goes without saying that all casinos in the Casino Action group make every effort to ensure that all player data is kept secure .

(Thanks for the heads up, Casinomeister!)

Well, it may be possible to run it from anywhere, but first it must have had an input feed grafted onto part of the network being monitored, and this is what the article mentioned. There has to be a security breach to install this "bug" for it to send copies of the traffic to a "botnet" for analysis.

Yep, this is correct. Compromising traffic across the internet is (thankfully) not as easy as installing a packet monitor on your own PC. Doing so will allow you (or somebody else) to monitor the data coming to and leaving your PC, but to monitor traffic on another network, you need to compromise part of that network.

Cheers,

Andrew @ Casino Action

 

[Fr05t3d]

My input

Wow, what an interesting thread.

Pretty much all angles seem to be covered, but I thought I'd contribute.

I've had casino/poker accounts at several places, and always had a separate e-mail address for all of them - that is one e-mail address for all my gambling correspondence, not one per registration.

I've only ever played at sites I consider reputable - high street bookies, well-known brands, long-established online places etc.

I can categorically state I have NEVER had any spam to this e-mail address in many years. Maybe I've just been lucky, but I'm quite security conscious and have always concerned myself with what information I give out etc. I actually have a bank account that I use solely for my online gaming and that has never been compromised. I think it's important to choose where you play very carefully, obviously, but my experiences give me nothing but confidence that my information has always been kept secure. I have an account at Totesport (as they were mentioned) and obviously receive regular e-mails from them, but never been subject to spam. My account is a hotmail account.

Not sure how relevant anything I just said is, as I'm not as technically minded as some of the posters in this thread. But, hey, I'm here to contribute!

Cheers.

 

[lots0]

Compromising traffic across the internet is (thankfully) not as easy as installing a packet monitor on your own PC. Doing so will allow you (or somebody else) to monitor the data coming to and leaving your PC, but to monitor traffic on another network, you need to compromise part of that network.

To compromise a network is as easy as renting a botnet for a few hundred dollars (I found a botnet to rent in less than ten minutes of looking). A botnet that already has zombie computers inside most of the major networks and lots and lots of minor ones.

 

[3Dice]

Hi All,

With so many things already covered, and views expressed, perhaps its a good idea to try and distill a little manual that players can use to ensure they minimize the risk of their email address ending up in the wrong hands ..

On the technical side, the users own computer obviously is the weakest link. Technical security is more than a full time job for a casino, and so it is safe to assume that in most cases exploits, bots and trojans are to be found on your own computer .. be sure you stay up to date on antivirus and trojan tools, and check your system regularly ..

It is more difficult for a player to asses whether or not the casino is doing its homework on the technical side, but before signing up at least make sure that the casino's security certificates are up to date, and - cant be repeated enough - search google and cm for specific issues before even touching the download button !

When you do sign up, it is a very good idea to use a specific email address. At the very least, it allows you to close an account and have the guarantee that you will no longer be bothered by it .. it is the only thing you can actively do to ensure that you will be able to contain the contamination.

On to the human factor - the cause of the vast majority of security breaches in any sector. Unfortunately, this is much harder to assess, although there are a number of tell-tale signs that could help a player form a balanced opinion. For starters, reiterate the google and cm queries - issues do show up and you wouldn't be able to forgive yourself if you skip this !

Secondly, if you have the opportunity to talk to their support before signing-up then don't miss out .. a lot can be learned from a short conversation. Also consider the amount of 'human factor' - is the casino outsourcing support/marketing and how do they guarantee the continuation of the privacy protection when they do. It may be a good idea to specifically ask who sends and how often they send out commercial emails, and how long that person/company has been doing that for them. (that's the place you _know_ email lists exist.)

And of course, there's a human factor for all of us to. Following lifechoosers example, we should all commit to making sure that all abuse is exposed on public places like Casinomeister, kudos lifechooser !

In conclusion, just like most things an air-tight solution is practically impossible. Empirically measured however, it is safe to say that people that spend the proper amount of attention will be victimized a lot less ..

At 3Dice customer privacy is a continuous focus and we implement the most stringent security scenarios when dealing with any personal information. Email lists are available to no-one, not even management, and emails can only be sent out from the casino's secured back end, banking details are never stored and all sensitive data is encrypted using the latest security algorithms.

Kindest Regards,

Enzo

 

[lifechooser]

I can categorically state I have NEVER had any spam to this e-mail address in many years. ....My account is a hotmail account.

Cheers.

Remember that hotmail has a very good spam filter though.

 

[Casinomeister]

Great thread, and a big thanks to the I-Gaming reps who have been most insightful with this crucial issue.

 

[1819]

iv'e said it many times...there can be no true security when it comes to online gaming. the biggest breach continues to be the fact that almost all casinos ask for sometime of faxback forum. while the casino may have all your personal info secure, that info is out there for all to see once you fax a credit card number on an overseas phone line. drivers license, front and back of a credit card sent over a nonsecure phone line is begging for trouble.

 

[Mart]

To compromise a network is as easy as renting a botnet for a few hundred dollars (I found a botnet to rent in less than ten minutes of looking). A botnet that already has zombie computers inside most of the major networks and lots and lots of minor ones.

Hmm interesting. What are you counting as a major network? You'd have to compromise the casino's network (and that assumes they've set up mail on a LAN side server), or an ISP's WAN side network. At my ISP no client can see the traffic for any other client, or any post-gateway traffic (including from mail servers). You would have to compromise the routing network (which has no personal machines) to see the traffic before it hits the major routing backbones. And if bots are able to sniff casino email traffic within the casinos' networks then I'd still blame them, because that is still a flaw with their security set up.

To keep a little more on thread, I started to receive large amounts of spam to my royal vegas email address a while ago (and one other person I know did as well at the same time).

 

[GaryWatson]

I received some snail mail from Mansion Poker yesterday.

I have never signed up for mansion. Dont intend to due to their pro spamming policy.

Someone has my name, address & details.

The referral code on the disc is UK9928

I cant say im overly concerned but am curious.

 

[vinylweatherman]

iv'e said it many times...there can be no true security when it comes to online gaming. the biggest breach continues to be the fact that almost all casinos ask for sometime of faxback forum. while the casino may have all your personal info secure, that info is out there for all to see once you fax a credit card number on an overseas phone line. drivers license, front and back of a credit card sent over a nonsecure phone line is begging for trouble.

I have seem many complaints from players who have been asked for documents again and again, even after receipt has been confirmed. This shows a woeful lack of security in this part of the procedure. To have CS keep on losing track of these requested documents is clearly a weak spot in the tight procedures employed once the information is in the databases.

 

[lifechooser]

I'm wondering if I should read anything into the fact that none of the casinos I named have posted on here.

 

[shaunm]

Response from totesport.

We have been responding to this customers concern directly through email communications to ensure a professional service.

Totesport treat all privacy concerns of customer details very seriously, and believe this has helped us to develop one of the most trusted names in the UK gambling market. We never pass on customer details to any third party.

With respect to the spam incident reported on this thread, we are confident that there has not been a breach in our security. With a database of over 200,000 registered customers, we have had only a handful of complaints relating to SPAM in 2007. So far, all of these incidents have related to customers who have had “totesport” or “tote” as part of their email address. Although we are unable to fully explain why this is, we believe it could be linked to some sort of “scrapper”. This is further supported by the fact that the customer appears to have received SPAM to all his different email addresses registered at different companies within a relatively short space of time.

The specifications for the storage of Customer Payment Method information are laid down by the Government. This includes the storage and availability of Credit Card details within an organization.

Totesport software systems are regularly audited against these specifications and are fully compliant. This is called PCI Compliance.

Credit Card numbers and other details such as expiry date are 32-bit encrypted before they can be stored in any database. This encryption requires a key to allow decryption for administration purposes. The vast majority of software users within Totesport have what is called Masked availability of your credit card details e.g. for credit card number 1234 2345 3456 4567 they would see XXXX XXXX XXXX 4567. This is a Government standard and is fully audited. There are a few chosen people within the organization who do have the facility to view the entire customer credit card details. This is generally because they need the whole numbers to fulfill their role for example the Security and Fraud department.

Your security number (from the back of the card) cannot be stored in any way within software systems and is certainly not stored within totesport systems. This must be supplied by the customer whenever making an internet transaction on a transaction by transaction basis. We at Totesport cannot hold this information once the transaction is completed.

We cannot store any customer passwords in our system, all we can do is reset them for the customer. Once the customer is sent his/her new password we urge them to immediately change it to something else.

If there are any further questions i'd be happy to help.

Shaun

 

[MichaelBluejay]

Well, I feel like I'm ahead of the curve on this one. I posted about this very issue a full seven years ago:

You do not have permission to view link Log in or register now.

And back when I did casino reviews, whether or not they sent spam to my test address was one of my criteria:

You do not have permission to view link Log in or register now.

I have to suggest that when using a test address, you can't use something as simple as CasinoName@MyDomain.com, because doing so allows a casino to get its competitors in trouble. Let's say you use NastyAssCasino@MyDomain.com at one site. Nasty Ass Casino sees that lots of their players use that exact format. So the addresses they give to spammers are NiceReputableCasino@CustomerDomain1.com, NRC@CustomerDomain2.com, NRC@CustomerDomain3.com, etc. So now it looks like Nice Reputable Casino sold out its players, when that actually wasn't the case. It's not probable that we'd see this particular combination of treachery + too much time on their hands, but it's possible, and when you're making accusations in public, it's important to know that the accused wasn't set up.

So now I use other special characters in the special address. If *that* address gets spammed by a casino, I know the original casino truly sold me out, and not that they were framed.

By the way, while it wouldn't be worth it for a *casino* to sell out its players, the money could be tempting to a rogue employee. How much is a list of 1000 known players worth? I don't know, but probably enough to tempt many individuals.

As for totesport's response:

So far, all of these incidents have related to customers who have had totesport or tote as part of their email address. Although we are unable to fully explain why this is...

(groan) It's because by having totesport in their address, that's the way they know where their addresses were leaked from! Hello?

we believe it could be linked to some sort of scrapper.

You don't seem familiar with what a scraper (not scrapper) is. A scraper lifts info from web pages. These addresses weren't on web pages. You can't blame bots on this one.

 

[EverestBecky]

At the risk of beating a dead horse here, I thought I would put in a quick work on behalf of Everest Poker and Casino. I am sorry it took me so long- I am new over here and wanted to be sure my information was completely accurate before posting. Anyway, I just received the CasinoMeister newsletter and I wanted to compliment Betfred, 32Red and BWin on their responses to this thread and for their overall concern for player security. Here at Everest, player security is also one of our primary responsibilites and we have taken on a multi-faceted approach to ensure our players' accounts and information is safe. Complete security at Everest includes transmission security (all info transmitted between Everest Poker and our players is encrypted using 128-bit SSL), financial security, data security and staff security (access to player account information by Everest Poker staff is strictly controlled. We have a complete audit trail that shows access and data usage to enforce this policy). To view our security statment, please feel free to visit

You do not have permission to view link Log in or register now.

and/or you can PM me anytime- happy to try and help.

 

[lots0]

So far, all of these incidents have related to customers who have had “totesport” or “tote” as part of their email address.

Could be a random word generator set to produce permutations of "totesport" ot "tote" in email addresses.

or

It could be like MichaelBluejay says and only the people with totesport/tote in their email address bothered to report email spam that was advertising totesport.