Mainstreet group exposes entire customer base's accounts

thelawnet | Dormant account | Joined: Apr 4, 2005 | Location: UK
The idiots in charge of this casino group have migrated all their accounts from Playtech.

Unfortunately they decided to make the password the same as the username.

Pretty stupid, as you can just login to anyone's random account.

So if you have an account with them you are best to write and ask them to close it, as they are clearly completely clueless.

You can also change any random user's password, here:

Link Removed (Old/Invalid)
Link Removed (Old/Invalid)
 
Current Players.

Would be nice if they had told current players this had now gone forward, with instructions as to what we should be doing to update our software, and to safeguard our accounts!
I tried going to the website of Sun Palace, but it still claims to be powered by Playtech - so no change. A live chat window pops up, and says "welcome, can we help...." BUT if I try to use it, it does NOT WORK - as soon as I click on the message box to type something it does not give focus to my cursor, but corrupts the display of the chat box; it can be refreshed, but then simply sits with "waiting for an operator to respond".

If they have indeed set the passwords to the account number, then for a while all accounts are theoretically compromised. Players have been told that a change of software was going to happen, but have yet to be told what to do about it, or what dates are involved.
My accounts will have to remain theoretically compromised till Main Street, an accredited operation, decide it is time to tell players what we should do, and how we are going to be able to download and access our accounts under the new software - something that needs to be done ASAP to change the password!!!!!!!
 
Sun Palace

After posting the above, I have received the mailer with the required links and instructions for securing my account, mainly immediately being able to set the password.

It looks like this is not available on the main site, but is accessed from a link in the mailers to existing players.
I now await the corresponding mailers for my other two accounts.
I would like to know whether the original poster's fears about a security breach were founded.

Although account numbers are not in the public domain (probably?), the way this changeover was implemented could give a quick-witted hacker the opportunity to gain access to dormant account(s). I trust that additional measures have been thought up to ensure that access under the new software is only available to the original player from the location and PC they last used to play.

I would have preferred a change to Microgaming; RTG casinos tend to have more problems around bonuses and promotions. Current players seem to be offered quite a large $500 bonus for the first deposit under RTG - I hope not to find nasty "max cashout" terms as are often found with the generous RTG offerings. RTG software does at least have a function to show achieved playthrough on a bonus, something which Playtech lacked.
 
Damn

I am sure that was taken care of... At least if what that guy states is true, it is not easy to spot a funded account from an entire database and harm it.

Plus, you must be really fucked up to do so and start typing accounts

I am sure Mainstreet's team take all the measures for customer accounts to be securely merged.

Vynil, I am also concerned why they didn't consider Microgaming. I think Microgaming has banned a lot of states, so it was not good for business.

If RTG is increasing their business, I am sure several upgrades and improvements will take place in the upcoming months...

If Playtech's or Microgaming's programming or design departments have suffered staff lay-offs, I would be looking for them if I was RTG's board of directors...
 
I am sure that was taken care of... At least if what that guy states is true, it is not easy to spot a funded account from an entire database and harm it.

Plus, you must be really fucked up to do so and start typing accounts

you'd also have to be quite fucked up if they accidentally exposed people's credit card numbers to use them.

That doesn't make it a good idea for them to give them out though does it.

The whole point of security is to protect against bad people.

In any case it is extremely easy to guess account numbers, as they all follow the same format - consecutively numbered accounts. So anyone could login and change dozens of accounts' passwords.

Finally a criminal could probably easily find a funded account - plenty of people post their account numbers on message boards, not thinking the casino will be dumb enough to expose everyone's password. Or he could just keep trying accounts till he found a good one - it wouldn't take long.

A casino group that is prepared to do this (and note there's no requirement to change your password when you first login, and as a result many people won't) quite simply is not fit to handle deposits and is quite possibly breaking the merchant account rules, and certainly is acting negligently - if a player had someone login to his account and steal the funds, the casino would be at fault.
 
..In any case it is extremely easy to guess account numbers...

Okay, what's mine? :p

It's not like this was published throughout the entire world wide web. These instructions were emailed to each player. Now if you had access to my email, then you'd be able to access my account. You don't so you won't. :D

If any problems arise from this (and perhaps there might be some), then I'm sure the operators will look into this in detail. And I'd welcome anybody to post here or PAB if they fall victim to unscrupulous activity because of this. We need to know if anything was screwed up. Bring it on.
 
Okay, what's mine? :p

It's not like this was published throughout the entire world wide web. These instructions were emailed to each player. Now if you had access to my email, then you'd be able to access my account. You don't so you won't. :D

I didn't say it was easy to guess a specific account, I said it was easy to guess accounts. If your username is XXX49849, then you could try XXX49850, XXX49851, etc. And anyway, only emailing instructions to players doesn't mean anything when the instructions are exactly the same for everybody.

There's nothing to stop you sitting there all day till you find an account with money in. I'm not sure how this can be acceptable.
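As an added defender-side example (not code from this thread, from the casino group, or from any software vendor named here), the script below shows the two checks an operator would want after a migration of the kind described above: a migration-time audit that flags every account whose initial password is empty, equals the username, or equals the account number, so those accounts can be forced to reset before their first login is accepted; and a login-log check that flags a source address walking a chain of near-consecutive account numbers, the pattern the post describes. The log lines, the account records and all field names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample login records (not from any real system). Usernames use
# the letter-prefix + consecutive-number shape the thread describes.
SAMPLE_LOG = """\
2008-03-01T10:00:01 ip=203.0.113.5 user=ABC49849 result=fail
2008-03-01T10:00:03 ip=203.0.113.5 user=ABC49850 result=fail
2008-03-01T10:00:05 ip=203.0.113.5 user=ABC49851 result=ok
2008-03-01T10:00:07 ip=203.0.113.5 user=ABC49852 result=fail
2008-03-01T10:00:09 ip=203.0.113.5 user=ABC49853 result=ok
2008-03-01T10:05:00 ip=198.51.100.7 user=ABC12342 result=ok
2008-03-01T10:06:00 ip=198.51.100.7 user=ABC12342 result=ok
"""

LOG_RE = re.compile(
    r"ip=(?P<ip>\S+) user=(?P<prefix>[A-Z]+)(?P<num>\d+) result=(?P<result>\w+)"
)


def parse_log(text):
    """Turn the constructed log format into (ip, prefix, number, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m["ip"], m["prefix"], int(m["num"]), m["result"]))
    return events


def find_sequential_probing(events, min_accounts=3, max_gap=10):
    """Flag sources that tried a chain of at least `min_accounts` distinct
    account numbers, each within `max_gap` of the previous one (the
    'take your number and add 1, 2, 3...' pattern). Returns {ip: [numbers]}.
    Failed and successful attempts both count: a hit inside the chain is
    exactly the event worth escalating."""
    by_ip = defaultdict(set)
    for ip, _prefix, num, _result in events:
        by_ip[ip].add(num)
    flagged = {}
    for ip, nums in by_ip.items():
        ordered = sorted(nums)
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b - a <= max_gap else 1
            best = max(best, run)
        if best >= min_accounts:
            flagged[ip] = ordered
    return flagged


def weak_initial_credentials(accounts):
    """Migration-time audit over exported account records (the field names are
    assumptions for this example). Returns usernames whose initial password is
    empty, equals the username (case-insensitively), or equals the account
    number; those accounts must be forced to reset before their first login."""
    weak = []
    for acct in accounts:
        pw = str(acct.get("initial_password", ""))
        user = acct["username"]
        number = str(acct.get("account_number", ""))
        if not pw or pw.lower() == user.lower() or pw == number:
            weak.append(user)
    return weak


# Constructed migration export for the audit.
SAMPLE_ACCOUNTS = [
    {"username": "ABC49849", "account_number": 49849, "initial_password": "49849"},
    {"username": "ABC49850", "account_number": 49850, "initial_password": "abc49850"},
    {"username": "ABC49851", "account_number": 49851, "initial_password": "t5$Qm9!xLw"},
]

if __name__ == "__main__":
    for ip, nums in find_sequential_probing(parse_log(SAMPLE_LOG)).items():
        print(f"sequential probing from {ip}: {nums}")
    print("force reset before first login:", weak_initial_credentials(SAMPLE_ACCOUNTS))
```

The chain threshold and gap are tunable: a legitimate player mistyping their own number once will not produce three distinct near-consecutive usernames from one address, while the pattern the post describes will. The audit is only meaningful at migration time, before the initial passwords are hashed; after that the same control is a forced reset on first login.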
 
thelawnet's right - this is a huge security risk.

I don't need to access CM's account per se - I'll take any account I can get into. Easy enough to replace numbers, or some sort of brute force technique, to compromise a number of accounts.
 
I concur. Setting the passwords to the same as the account number is extremely stupid, and this alone deserves rogueing. It only takes one malicious and technically skilled player to write a script to look for valid account numbers. Then the hacker can steal money or personal information.
 
thelawnet's right - this is a huge security risk.

I don't need to access CM's account per se - I'll take any account I can get into. Easy enough to replace numbers, or some sort of brute force technique, to compromise a number of accounts.


yep.

From looking at my accounts it seems they all end in 2, and they were closely created in time and have near consecutive numbers. So you just need to take your account number, add 10, 20, 30, 40, or whatever on, and use it to try and login.
 
Further

I have been able to access both my accounts simply by typing in the account number as user and password - worked fine, but never again (I changed the passwords).
Further, they are being very SLOW in releasing the mailers to players telling them they may need to do something to secure accounts.
What has not been mentioned is the position of players who are dormant, they may have little in the accounts, but a hacker could then take over the account(s), and there may never be a complaint from the original owner.
Some deposit details may have been carried, but there would still be a need to obtain the passwords.
This could lead the group open to use by money launderers, as if the accounts were logged into I expect the management will believe it was by the original owners, thus it could be possible to deposit, play, and withdraw under an assumed identity, one that may have even gone through the full verification checks.

This is not just BS, in 1982 our university set up a load of computer user spaces and set the passwords to NULL. Not all students who were allocated them used them, some even no longer studied there. Rest assured, none of these unused user spaces went to waste :D :D (Things were VERY different in those days, you would have near riots over a 100Mb disk drive on a Uni computer!)
 
This is not just BS, in 1982 our university set up a load of computer user spaces and set the passwords to NULL. Not all students who were allocated them used them, some even no longer studied there. Rest assured, none of these unused user spaces went to waste :D :D (Things were VERY different in those days, you would have near riots over a 100Mb disk drive on a Uni computer!)

Ain't that the truth! :D

Except 100Mb hard disks didn't exist in 1982... the biggest you could have possibly gotten was 20Mb! I was told that this would be all I would ever need for my lifetime... needless to say it lasted about a year...
 
Bytes

Ain't that the truth! :D

Except 100Mb hard disks didn't exist in 1982... the biggest you could have possibly gotten was 20Mb! I was told that this would be all I would ever need for my lifetime... needless to say it lasted about a year...


I am not sure exactly how big the disks were, space was allocated in pages, each page was probably around 1Kb, and these mass creations were 50 page areas.
The computer had three main drives, they may have been 720Kb each, I am not sure, but it seemed grand in those days!
When I started work in 1984, we had 10Mb drives in the PCs that were available to those who put forward a good case. In the late 80's my group was the envy, with a 100Mb hard drive on a new 386 PC, upgraded to 8Mb of RAM to run Windows 3.11.
486 was the next on the list, and eventually all workers were given their own DELL 486 PC, all connected to a network server for data and shared software, so the 100Mb local drives then common seemed overkill!

My "other PC" here is not up to much, a mid range Atari 400 with optional cassette storage and the monitor of choice (or whatever TV set happens to be available). I have not attempted to run All Slots casino on this to see if disconnects are a problem on a different PC as suggested by CS:D :D
 
Most one can do is playing with the balance.
No money can easily be taken out to an account or address other than yours. So I think.
 
you could enter some neteller/moneybookers address and wait for the withdrawal.

Not sure it will even go through to a Neteller account with another name.
If it does, I am sure it will be reversed after the real owner notices it. Unless he notices it only after a long time. But who has an interesting balance for a long time without even logging in?
 
Fraud

I think the main problem will be fraud, rather than losing the balance. Most players who have a decent balance will make efforts to reconnect ASAP. It is the dormant accounts that will sit with username and password set the same. All it takes is for a silver tongued fraudster to take it over and convince the casino that they have started playing after an absence, but have now got a new job and been married perhaps, moved house, and of course need to update the details. The best way would be to deposit using a method that can be registered automatically, but that does not carry a big risk of being asked awkward verification questions, withdrawing small amounts will probably achieve this, and if the fraud fails, they could easily do a "chargeback" and run (or could have used a stolen card), thus have taken a chance, but at no risk of ending up down.
This seems hard to perpetrate, but it is amazing what criminals can do against a "robust" system when they have a mind to!
To prove a point, a TV journalist applied for a driving licence in the name of our then Home Secretary, using details that were publicly available. The licence was issued without quibble; what's worse than the fact the issuer should have recognised the name, the Home Secretary was BLIND!!!!!!

One good thing though, unlike Playtech, a hijacked RTG account will NOT display the personal details page in the cashier section. A fraudster will be bluffing blind, and this should be harder.
 
