Have been with Leovegas for some time and have felt a little concerned by this for some time but on reflection, it's time for Leovegas to do something about it.
As a result, I have closed my account as I do not wish for my information to be in such a way that may compromise the security of my personal information and money.
The Issue:
Leovegas hold both the account number and the secure ID for Neteller accounts.
What this means:
You can make a deposit via Neteller without having to remember pesky things like security codes....
...but so could anyone else - be that a current or former employee or a hacker.
Here in the UK, like much of Europe, we have data protection legislation which enshrines the following in law, when it refers to the processing of personal information:
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Note: These are NOT guidance, they are law.
I feel that Leovegas are breaching the legislation on point 2 as there is NO LAWFUL PURPOSE in retaining the secure ID for the account. I consider that no different from writing a PIN on the back of a card - it's OK if YOU do it (although incredibly stupid) but NEVER OK for another to presume to do so with data relating to other people.
I also believe that principle 5 is breached as there is no purpose in holding that data so to hold for any period of time is a breach.
Considering point 7, the very fact they hold data they do not have a lawful purpose to hold (namely, the secure ID) means this is irrelevant.
I have alerted them to my concerns, via live chat. Initially I was told that they DID NOT hold the secure ID but backed down when challenged. I found this a little troubling (verbatim quote below).
[LV]We do not hold any Neteller security details, you would have to contact them directly.
[Me] Yes you do. If I want to deposit on Leovegas I'm never prompted for my secure ID. Neteller won't authorise a transaction without it, ergo you have it stored.
And quite frankly, I'm not impressed now that you're denying it.
[LV]Sorry I think we have had crossed wires somewhere. Let me explain this a little better for you. We do actually save the secure ID but as this changes every time with the 2 step deposit method.
You need to remove the Neteller from your "saved cards"
And then once you deposit again it should work.
This had bothered me somewhat in the past. This lack of honesty and the assumption about two-stage authentication troubled me when I queried "changing" the secure ID, as Neteller has recently updated mine, and led me to decide that I do not wish to deposit and play with an organisation which shows, in my view, a negligent disregard for data protection legislation and simple common sense security measures when it comes to sensitive data.
To that end, I consider it my responsibility to make forum users aware that at best - a poor decision has been taken on how to maintain information about users. Whether it bothers you or not is a matter for you.