Leovegas - Unsatisfactory security

citizenx

Non-Gambler
Joined
Nov 29, 2012
Location
UK
Have been with Leovegas for some time and have felt a little concerned by this for some time but on reflection, it's time for Leovegas to do something about it.

As a result, I have closed my account as I do not wish for my information to be in such a way that may compromise the security of my personal information and money.

The Issue:

Leovegas hold both the account number and the secure ID for Neteller accounts.

What this means:

You can make a deposit via Neteller without having to remember pesky things like security codes....

...but so could anyone else - be that a current or former employee or a hacker.


Here in the UK, like much of Europe, we have data protection legislation which enshrines the following
You do not have permission to view link Log in or register now.
in law, when it refers to the processing of personal information:


1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.




Note: These are NOT guidance, they are law.

I feel that Leovegas are breaching the legislation on point 2 as there is NO LAWFUL PURPOSE in retaining the secure ID for the account. I consider that no different from writing a PIN on the back of a card - its OK if YOU do it (although incredibly stupid) but NEVER OK for another to presume to do so with data relating to other people.

I also believe that principle 5 is breached as there is no purpose in holding that data so to hold for any period of time is a breach.

Considering point 7, as the very fact they hold data they do not have a lawful purpose to hold (namely, the secure ID) means this is irrelevant.





I have alterted them to my concerns, via live chat. Initially I was told that they DID NOT hold the secure ID but backed down when challenged. I found this a little troubling (verbatim quote below).

[LV]We do not hold any Neteller security details, you would have to contact them directly.

[Me] Yes you do. If i want to deposit on Leovegas i;m never prompted for my secure ID. Neteller won't authorise a transaction without it ergo you have it stored.
And quite frankly, I'm not impressed now that you're denying it.

[LV]Sorry I think we have had crossed wires somewhere. Let me explain this a little better for you. We do actually save the secure ID but as this changes every time with the 2 step deposit method.
You need to remove the Neteller from your "saved cards"
And then once you deposit again it should work.

This had bothered me somewhat in the past. This lack of honesty and the assumption about two stage authentication troubled me when I queried "changing" the secure ID as Neteller has recently updated mine led me to deciding that I do not wish to deposit and play with an organisation which shows, in my view, a negligent disregard for data protection legislation and simple common sense security measures when it comes to sensitive data.

To that end, I consider it my responsibility to make forum users aware that at best - a poor decision has been taken on how to maintain information about users. Whether it bothers you or not is a matter for you.
 

interlog

Meister Member
webmeister
PABnonaccred
MM
Joined
Mar 29, 2015
Location
London
Isn't this no different than say Amazon where you can pay for items and it remembers your card details including the code on the back of the card (one click check out)?

I think the key to this is how the data is stored in the database. If it is properly encrypted then it is less of a security issue than if it was stored as plain text.
 

citizenx

Non-Gambler
Joined
Nov 29, 2012
Location
UK
Isn't this no different than say Amazon where you can pay for items and it remembers your card details including the code on the back of the card (one click check out)?

I think the key to this is how the data is stored in the database. If it is properly encrypted then it is less of a security issue than if it was stored as plain text.


Can't really comment about Amazon as I don't use them but as a principle, its a very bad idea.

In this scenario however, I believe this is covered by S7 but as I can discern no "proper reason" for holding this data to begin with, S7 remains moot in my opinion.
 

spintee

Ueber Meister
webby
mm2
Joined
Mar 21, 2012
Location
Northants
I think its secured like bank details,

I recently came across a similar matter using skrill 1 tap, Not a clue what it was about, But I see 1 casino connected to my skrill I thought whats that about and concealed it,

A few days later I think It was casumo and I was messing about with the deposit slider, Next thing I had funds in my account, No ask for password, No ask for confirmation, Lucky it was foe a small amount, I than took a look as it must of been this 1tap, I come to realise that its a feature that stores the info so need to log in etc,

I see this skrill 1tap pooping up in loads of casino's now, So any body using skrill I would log in and just cancel the 1tap next to the casino name, Some people may prefer to use this but if you do not no what it is about it can be a dangerous tool

If somebody managed to get into my casino account they could clean my skrill account, and waste all my money, You try telling the casino that it was not you :)
 

vinylweatherman

You type well loads
Joined
Oct 14, 2004
Location
United Kingdom
It would be worth contacting Neteller about this as this may be against their merchant agreement. With an unsecured deposit method saved to a casino account, then only ONE layer lies between the internet wild west and your bank/Neteller/card account, the casino login process. Normally, hacking a casino account only exposes funds already in there, but not funds held in a connected deposit method.

It's rather like contactless cards, if someone steals a contactless card, they have all they need to make purchases from your account up to the value of £30. With a regular card, it's necessary to also steal your PIN. Unlike banks, users of Neteller and Skrill have little redress against the fraudulent use of their funds.
 

Deeplay

New World Order
webmeister
CAG
mm1
Joined
Aug 27, 2008
Location
The biG Eu
In the past I would have said this should not be a major worry so long as you keep your password upto date and the casino https is valid and secure.

But the past 6 months I have had my debit card hacked 2 times not through a casino but through people charging the card.
Luckily each time I spotted it and got the money refunded by my bank. But have to go through the hassle of waiting for a new card.

Last time was last month. So since then I never keep any of card details stored online no matter if its a casino
or BT or who ever. and the same should hold true for other sensitive info such as ewallet account numbers.

It should be standard practice that we enter in details new each time or at least be given that option.

Card / account fraud is a massive issue and everything needs to be done to make this as hard as possible for the scammers.
So very valid topic raised by the OP!
 
Top