Online Poker Poker — 15 December 2006

For those of you who may have missed it, fellow blogger and WBPT’er DuggleBogey got Fristed recently. Someone logged into Full Tilt Poker as him and dumped DB’s bankroll (or at least the part that he had on FTP). While I feel for him, the flip side is that there’s really not a whole lot FTP could do to help him.

"Subscribe to Bill's Poker Blog"
Receive an update straight to your inbox every time I publish a new article. Your email address will never be shared
arrow 3 Sometimes Life Sucks – DuggleBogey and Full Tilt

I’ve seen several people on his blog comments mention things like blocking foreign IP addresses from logging in and a bunch of other measures that on the surface seem like good ideas but when you cater to a worldwide customer base and you’re dealing with millions of customers one must weigh the benefits vs. the costs. Many players, like myself, travel quite often. I would be pissed if I constantly had to contact FTP to authorize my new IP address.

The responsibility to securing login/password information rests with the account owner (barring someone breaking into FTP and stealing the data from the servers). Obviously either DB didn’t use a strong enough password or someone/something was able to access his computer and snag the information (keystroke logger, Trojan horse, virus, etc). You certainly can’t expect FTP to be responsible for securing every user’s computer. That, IMHO, is an unreasonable expectation.

What you can expect from FTP is a thorough investigation combined with professional communication. I have obviously not been privy to the exchanges between FTP and DB but it seems that may be where things broke down. Of course, DB is making posts on his blog with titles that might lead people to believe that FTP itself is not a safe place for your money so part of this miscommunication could be from his side as well.

Bottom line is that if someone breaks into your account and chip dumps to another account as a way of getting the money from one account to another then FTP should be able to recover the funds from the dumpee. If the guy simply goes onto the site and gambools it up on your dime, what is a reasonable expectation for FTP to do? How would you feel if some donkey spewed several BB’s your way and you got an email the next morning telling you that said donkey was actually a hacker and they are taking back all the money you won from him!

According to DB FTP has supplied him with the hand histories that show the unauthorized user wasn’t dumping to any particular person. Yet, DB says that he’s forced to take FTP’s word that this dirtbag simply wanted to gambool DB’s money away. I can only assume that he’s implying that he thinks FTP may have doctored the hand histories. Knowing DB I don’t really think he believes that but obviously this has to be an emotional experience so what he writes on his blog may not be the same conclusion he comes to in a week or two when he’s had some time to let it all sink in.

While DB does make a valid assertion that when you put your money on any online poker site you are not putting your money in a bank, I think he implies an invalid conclusion that the site has the responsibility of protecting your funds. The funds are sitting in a bank account and from that perspective they are well protected. Barring the site being a complete sham and the owners running off with your money, YOU are responsible for picking a hard to guess password, not giving that password out to anyone (either knowingly or via a phishing scam), and securing your computer in such a way so that someone cannot obtain your password data. FTP is responsible for requiring that anyone wanting to access those funds present a valid login and password.

The unfortunate part is that DB seems to believe this is FTP’s fault. In reality, no matter what poker room he plays at, if someone logs in with valid credentials, they control those funds and can do the same thing. But this isn’t unique to online gaming. If someone logs into your PayPal account, tough luck. While your bank or a particular merchant might do so as a matter of policy, in most cases, there is no obligation on the merchant’s part to make you whole or to even investigate.

So what can we learn from this experience? Well, first is that this type of fraud is possible. Second is that unless someone chip dumps to a specific person, you pretty much have no hope of recovering your funds. More importantly though, we can take away from this that you should make the effort to come up with a hard to guess password. Once you have a hard to guess password you need to make sure you don’t do things to make it easy to steal that password. Don’t click on links in emails and input your password into a webpage. Don’t click that little checkbox that asks if you would like to save your password (this was why I raised a red alert when one company decided to store your password unencrypted). Use a virus scanner and make sure that you’re cautious about what software you’re downloading.

It’s sad that it takes something like this to wake people up to computer security but hopefully DB’s experience can help you avoid having it happen to you.

Ship It Holla Ballas!

Share

About Author

Bill Rini has been working in the online poker industry since 2004. He was a product manager for poker at Full Tilt and was the poker room manager at PartyPoker. Currently, Bill is the Head of Online Poker for WSOP.

 

Bill has been blogging about online poker since 2003 and is considered one of the leading authorities on the online poker industry.

 

“I like What Bill Rini said in his blog” – Doyle Brunson

 

“In other news, we had Bill Rini write an absolutely home run blog.” Daniel Negreanu

 

“Industry insider Bill Rini has one of the most popular blogs in poker, with thousands of subscribers and fans regularly coming back for his universally respected insight into the industry” – Barry Carter (News editor for PokerStrategy, Co-Author: The Mental Game of Poker)

(0) Readers Comments

  1. Crap. I wrote a whole post and I forgot to respond to the question and it got deleted. Need to fix that…serious, I always do that. Might want to put it at the bottom above submit comment.

    In any case, I think this is a lie. Serious, I really don’t think this guy got his money stolen. Serious, why would they hack his small bank account and not someone like Mine of Phil Ivey’s. That just doesn’t make sense to me. What limit does this guy play on FullTilt? I can’t see this as being truth. Plus, I feel that PokerStars and FullTilt are really strict about transfers of money.

  2. Hey Scurvy,

    I think my point may not have been communicated well. I’m not implying that FTP accounts can’t be hacked. They can and have been (so has every other site). Go read 2+2.

    What I’m saying is that when it happens he’s going to get the same response. Go tell PayPal someone ripped you off for $500 and ask them to make it right. It’s not unique to Full Tilt yet in the 5 or 6 posts he did on the subject, he did imply that he thought FTP should make it right. Now, I have no clue by what he means by making it right but I’m going to take a wild guess that he wanted them to refund his money. I make that guess because they gave him everything else he asked for including the IP address of the hacker, the hand histories (which he implied might have been doctored by FTP) and basically everything they had in terms of information/data.

    What I’m also saying is that DB has refused to consider that the problem might be on his side. In one of his more recent posts he links to another guy who had his FTP account hacked right around the same time. What nobody has even considered is that they both play PSO (don’t know what it is but the other guy mentioned that DB is a fellow PSO’er). Couldn’t the security breach just as well have been the result of another site they hang out on? Maybe a disgruntled message board owner or site admin who saw DB’s site with FTP ads on it and hit him there because it’s the only place he knew that he played?

    I mean, does that even sound plausible? It does to me. Look, about a year (I think it was a year) back there were a bunch of 2+2′ers who had their online poker accounts hacked into with similar results as the ones DB has had. Wild accusations flew back and forth about the only common thread being that they all hung out on 2+2. Finally someone put in a little elbow grease and figured out it was a virus embedded in a poker odds calculator they had all downloaded. Someone had posted a link to it on 2+2 and they had all downloaded the same software. 2+2 wasn’t to blame. Nobody at 2+2 had ripped them off.

    And interestingly, because it was a specially written virus to hack poker accounts it wasn’t widespread enough to have made it onto the anti-virus software company’s radars.

    Listen, I don’t work for FTP anymore. I gain nothing by defending them here. But I do know the people there and I do know the systems and I find the chances of it being a security breach on their end to be highly improbable. Doesn’t make it impossible but even if I had never worked there before and I was being brought in as a security consultant to help someone track down what happened, FTP would be somewhere near the bottom of my list in terms of where I began my investigation. I would certainly explore the PSO connection. I would backtrack who might know that he plays on FTP outside of the poker world. I would engage FTP’s fraud support with questions about whether they’ve seen that IP before logging into other accounts. In other words, I would spend a lot of time investigating highly probable (though not necessarily obvious) weak points and only after I had eliminated those would I turn my sights on the poker room.

    Because, really, what DB said was not something in a single post. It was things dropped across several posts.

    My security comprimised? Or Full Tilt’s?

    I am relegated to taking their word for the fact that my money was taken to the tables by some untraceable dirtbag and blown at the tables for absolutely no gain to him except the thrill of putting the screws to me. They’ve given me an IP address and a big text file of hand histories that show someone blowing my money to a few players over several hands.

    Thus Endeth My Relationship with Full Tilt Poker

    They are completely and totally useless, and their site cannot be trusted.

    I got ripped off at Full Tilt Poker, and support did nothing to help me. Here’s how I discovered it.

    I got ripped off, and Full Tilt Poker is doing nothing about the scam. If you play at Full Tilt Poker, do not keep any money there, it is not safe. Deposit when you play, and withdraw when you finish.

    Now, by his own accounts, FTP responded to him within an hour of him sending off his email to customer support and soon after that they suspended his account to prevent any further unauthorized access. In another post he rips them for not helping him track down the guy and then hours later says that they gave him the hand histories and the IP address of the offender. From his own posts, I can’t think of anything else FTP could do to be of assistance. They responded in a timely manner and they supplied him with all the data he requested.

    What DB doesn’t like is the outcome and that’s understandable. It sucks! But, and this goes back to my opening remarks in this comment, the same risk applies to every online poker site, Neteller, FirePay, PayPal, and so on and so on. Nobody is going to give you your money back. Sorry. That’s the tough titties about it. These companies would go bankrupt if they started making players whole every time they did something like click on a phishing scam email or downloaded some poker odds calculator. And according to DB he didn’t do that but what exactly is the site’s obligation to him?

    He keeps talking about how he trusted FTP and how poker sites aren’t banks. Well, duh! I find it nearly impossible to believe that he thought FTP was bank-like. He rants about how the UIGEA meant to regulate these sites but do you really think a regulated MGM Online is going to refund your money because someone got your password and donked off all your money? Hell no.

    As I said in the original post, I think this sucks and I think DB has a right to be pissed. But I also think he has a duty to at least be responsible in his postings. It’s hard to be balanced when you’ve just been ripped off but hey, you gotta move on. It’s been a week and it was a relatively small amount of money (by DB’s own account). Post a lessons learned or hypothesize about how someone could have scammed him. I don’t know. But the chicken little routine is started to get a little played out.

    Bill

  3. I can definitely see both sides of this.

    Rini, I’m not sure how you can say that Duggle is unfairly targeting Full Tilt, and that he has the same level of safety at “PayPal, Neteller, Stars, Party, UB, and every other site”. His accounts at those other sites didn’t get hacked. His Full Tilt account got hacked. I realize that no conclusion should logically follow from that, but, umm, it’s kind of hard to simply ignore that fact, too.

    If someone were going to use a keystroke logger/virus/Trojan/whatever to grab logins/passwords, why would they only empty his Full Tilt account? If all the aforementioned sites are equally safe, why is Full Tilt sticking out like a sore thumb? This may vary from player to player, but if I were a hacker (and all other things were equal), I’d hit Neteller first, as most players tend to lump the most money in there, then Stars, then Full Tilt.

    Maybe they tried that and Duggle only had money in Full Tilt. Or maybe there’s something unique about Full Tilt that makes it more attractive to hack accounts. It doesn’t necessarily have to be a fault in their security itself on their end, but it could be a by-product of how they handle hacked accounts.

    I think you’re dancing a bit around the issue that accounts do get hacked, and pretending that Duggle’s case exists in a vacuum. I mean, let’s say you gave Full Tilt truth serum and asked how many instances of hacked accounts they have each month? If it was higher than any other site, would you then react the same to Duggle’s case? If it were lower, is Duggle more likely to be at fault? All I’m really saying is it’s hard to use the fact that only his account got hacked to build an argument that the fault likely lies on his end, when Full Tilt has a very vested interest in never disclosing any other cases of hacked accounts.

    In the end, yeah, it’s most likely that it’s something amiss on Duggle’s end. Yeah, I agree, there’s little any site can do if it’s not a clear case of chip dumping and they can’t recover the funds. Refunding money would invite massive fraud of all sorts.

  4. So if the guy dumps to 4 separate people… they shouldn’t recover the money? Is that the playbook for hackers?

    Unless it’s to the same 4 people every time or there’s some other reason to believe that those people are in cahoots with the hacker . . . yes. Who are they going to recover the money from? As I said in the post, how would you like it if periodically you received emails telling you that that win you had last night was from a hacked account so sorry, you gotta give the money back? I certainly wouldn’t stand for it.

    So the only other place to recover it from would be the poker room itself. Despite the fact that these are highly profitable companies, they would be out of business in 6 months if they instituted policies of making players whole when they lost money via fraud. Not that there’s an enormous amount of fraud now but because it would encourage fraud. Every time I got drunk and lost all my money I would claim to be a victim of a phishing scam. I could conspire with other players and give them my account details and have them donk off chips to each other and then claim to have been ripped off. I mean, the possibilities are endless and as long as the only one being hurt is the casino, well, everybody would soon be doing it.

  5. I do this for a living.

    As do I. And in your experience of doing this for a living, when someone’s account is hacked, what’s the likelihood of it being a security or policy problem on the user’s end?

    Listen, I’m not calling you an idiot or passing any judgment on you at all. All I’m saying is that given the option of believing that the security of a major site was compromised or believing that your system or password was compromised, gotta go with your system until additional evidence says the problem was on their side. So far I haven’t seen enough evidence to that effect. If anything, if this hacker hacked into FTP and decided to exploit an account that only had a few hundred in it, then he’s probably the dumbest hacker who ever lived (thus somewhat negating the argument that he was smart enough to do it in the first place). There are accounts at FTP with hundreds of thousands of dollars that this guy could have donked off $600 an it wouldn’t have even registered. Why pick an account with a relatively small balance and run it to zero (or almost zero)?

    assumption that I’m the screw up

    Actually, that’s a wrong association to make and one which I am not making. Your security being compromised and you screwing up are not the same thing. I have not said anywhere that you screwed up. What I’ve said is that given the two points where the problem could have occurred, it’s far more likely to be a problem on your side.

    And let’s just be straight up here. You have been making repeated posts saying that people’s money is not safe at Full Tilt. Well, your money has the same level of safety at PayPal, Neteller, Stars, Party, UB, and every other site.

    From what you’ve posted on your blog, FTP has given you hand histories and seems to have attempted to supply you with quite a bit of information about the incident. I believe the only piece of information they haven’t given you is the IP address of all of the players. And, quite frankly, I don’t think they should. First off, it would be privacy breach for all the other players unless there was something more to suspect that they conspired with the hacker. Second, FTP may be attempting to monitor this guy and giving you the IP address so you could alert him to the investigation by going to his ISP seems foolish.

  6. So if the guy dumps to 4 separate people… they shouldn’t recover the money? Is that the playbook for hackers?

  7. I’ve seen several people on his blog comments mention things like blocking foreign IP addresses from logging in and a bunch of other measures that on the surface seem like good ideas but when you cater to a worldwide customer base and you’re dealing with millions of customers one must weigh the benefits vs. the costs. Many players, like myself, travel quite often. I would be pissed if I constantly had to contact FTP to authorize my new IP address.

    Actually, I suggested that it be an option. If you want it, select it. If you don’t, don’t. Everyone wins.

  8. Obviously either DB didn’t use a strong enough password or someone/something was able to access his computer and snag the information (keystroke logger, Trojan horse, virus, etc). You certainly can’t expect FTP to be responsible for securing every user’s computer.

    How obvious is that? I used a very strong password. I have up to date virus definitions. I have a hardware firewall and a software firewall running. I have scanned for spyware repeatedly and discovered nothing. I am not a computer newbie. I do this for a living.

    Point that all critical eye with all those assumptions upon Full Tilt Poker. What if their security has been compromised? Would they admit it? If they did, they could shutter the doors, because that would be the end of Full Tilt Poker.

    I’m not claiming to be perfect. But this automatic assumption that I’m the screw up is beginning to piss me off. I’m not the only person this has happened to recently.

  9. Damn, this site makes me do Math to comment.. it is like a test.. if I get it wrong I am too stupid to comment.. jeez..

    Anyway.. Nice write up and I totally agree. While I feel for the guy.. I have seen things like this happen on other sites.. and the whole “Full Tilt is not safe” thing going around is just misleading. Nice to see a cooler head write something.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <card> <code> <em> <i> <span class=""> <strike> <strong>