For those of you who may have missed it, fellow blogger and WBPT’er DuggleBogey got Fristed recently. Someone logged into Full Tilt Poker as him and dumped DB’s bankroll (or at least the part that he had on FTP). While I feel for him, the flip side is that there’s really not a whole lot FTP could do to help him.
I’ve seen several people in his blog comments mention things like blocking foreign IP addresses from logging in, along with a bunch of other measures that on the surface seem like good ideas. But when you cater to a worldwide customer base and you’re dealing with millions of customers, you must weigh the benefits vs. the costs. Many players, like myself, travel quite often. I would be pissed if I constantly had to contact FTP to authorize my new IP address.
The responsibility for securing login/password information rests with the account owner (barring someone breaking into FTP and stealing the data from the servers). Obviously either DB didn’t use a strong enough password or someone/something was able to access his computer and snag the information (keystroke logger, Trojan horse, virus, etc.). You certainly can’t expect FTP to be responsible for securing every user’s computer. That, IMHO, is an unreasonable expectation.
What you can expect from FTP is a thorough investigation combined with professional communication. I have obviously not been privy to the exchanges between FTP and DB, but it seems that may be where things broke down. Of course, DB is making posts on his blog with titles that might lead people to believe that FTP itself is not a safe place for your money, so part of this miscommunication could be from his side as well.
Bottom line is that if someone breaks into your account and chip dumps to another account as a way of getting the money from one account to another, then FTP should be able to recover the funds from the dumpee. If the guy simply goes onto the site and gambools it up on your dime, what is a reasonable expectation for FTP to do? How would you feel if some donkey spewed several BB’s your way and you got an email the next morning telling you that said donkey was actually a hacker and they are taking back all the money you won from him?
According to DB, FTP has supplied him with the hand histories that show the unauthorized user wasn’t dumping to any particular person. Yet DB says that he’s forced to take FTP’s word that this dirtbag simply wanted to gambool DB’s money away. I can only assume that he’s implying that he thinks FTP may have doctored the hand histories. Knowing DB, I don’t really think he believes that, but obviously this has to be an emotional experience, so what he writes on his blog may not be the same conclusion he comes to in a week or two when he’s had some time to let it all sink in.
While DB does make a valid assertion that when you put your money on any online poker site you are not putting your money in a bank, I think he implies an invalid conclusion that the site has the responsibility of protecting your funds. The funds are sitting in a bank account and from that perspective they are well protected. Barring the site being a complete sham and the owners running off with your money, YOU are responsible for picking a hard-to-guess password, not giving that password out to anyone (either knowingly or via a phishing scam), and securing your computer in such a way that someone cannot obtain your password data. FTP is responsible for requiring that anyone wanting to access those funds present a valid login and password.
The unfortunate part is that DB seems to believe this is FTP’s fault. In reality, no matter what poker room he plays at, if someone logs in with valid credentials, they control those funds and can do the same thing. But this isn’t unique to online gaming. If someone logs into your PayPal account, tough luck. While your bank or a particular merchant might make you whole as a matter of policy, in most cases there is no obligation on the merchant’s part to do so or even to investigate.
So what can we learn from this experience? Well, first is that this type of fraud is possible. Second is that unless someone chip dumps to a specific person, you pretty much have no hope of recovering your funds. More importantly, though, we can take away from this that you should make the effort to come up with a hard-to-guess password. Once you have a hard-to-guess password, you need to make sure you don’t do things to make it easy to steal that password. Don’t click on links in emails and input your password into a webpage. Don’t click that little checkbox that asks if you would like to save your password (this was why I raised a red alert when one company decided to store your password unencrypted). Use a virus scanner and make sure that you’re cautious about what software you’re downloading.
It’s sad that it takes something like this to wake people up to computer security, but hopefully DB’s experience can help you avoid having it happen to you.