I wanted to do a follow up post because in my haste to get a post out before heading out for the evening I may have not fully articulated my points. My bad and this is an attempt to correct that oversight on my part.
So first off, let me explain a little bit about my background. I am not a security expert but I have designed and architected systems which hundreds of millions of dollars have passed through. I’ve worked with some absolutely brilliant security experts as well as several hackers infamous in the hacking community. I’ve had real-world experience with hackers launching coordinated attacks on systems I’ve helped design (which was well chronicled) and probably the greatest compliment I’ve ever received is from one of the people behind the attack complimenting us on our security. In the entire time I have been involved with software development, I’m unaware of a customer losing even a single dollar due to security issues associated with a system I’ve helped architect. I mention this not to impress but to impress upon people that I know a little something on the topic of which we’re speaking.
Now DuggleBogey’s main contention is he felt that Full Tilt should have taken measures to prevent his loss. In fact, he says:
I would like to see Full Tilt Poker do more to protect your money, should you decide to leave it at the site. Something simple like having the option to prevent “foreign” IP addresses from accessing your account. Just a simple check box that says “Only allow US IP addresses.”
First off, DB has learned that the IP address that accessed his account was from Colorado. But the key word there is “protect.” Full Tilt along with 99.9% of sites that deal with money require something called authentication. You must supply a valid login and password in order to gain entry to your account. My bank account in the US is with one of the largest banks in the world and all they require from me to access my accounts is a valid account number and a valid password. This is pretty much the standard. DB was fully aware that FTP didn’t have this “foreign IP” option, yet, out of conditioning from dealing with the other 99.9% of the financial world he felt verification via login and password was sufficient to let him sleep well at night. I sleep fine at night though my banking information is secured by only those two items.
It was only after he was ripped off that he felt that Full Tilt owed it to him to take extra preventative measures. Measures that would have proved pointless since the attack happened from a computer based in the US (according to his own research and comments left by his readers). So, again, we return to the question of what his expectation was from FTP.
What the meat of this issue comes down to is this statement by DB:
I’m certainly not saying that any other poker room would handle this any differently, or that another poker system is safer than FTP. I actually thought that FTP was different, somehow better than most places that would just say “you’re screwed, we’re sorry.” I was DEAD WRONG. My bad.
What this really comes down to is that DB wants FTP to make him whole. I’m pretty confident that FTP didn’t say “you’re screwed.” If they did, that guy should be fired. But I know the guys in fraud at FTP and I can assume DB is projecting here. That being the case, my point in the previous thread holds. Nobody, and I mean nobody, is going to refund your lost funds if they have no way of getting them back from the people who benefited from this security breach. PayPal isn’t going to refund you for fraudulent activity that had nothing to do with them. DB recommends withdrawing your funds to Neteller but they aren’t going to refund your money either if they can’t recapture it from the hacker. In my previous post I wasn’t saying that one is more secure than the other. I was saying that their policies regarding fraud are the same (or similar).
Another main contention by DB is that, because FTP can’t tell him how this hacker got his login and password credentials, FTP is somehow guilty of something (or that it’s cause for suspicion). At the very least, he implies that they can be viewed as partially responsible for his loss. Now, let’s put ourselves in FTP’s shoes for a moment. Someone says they’ve been ripped off. You check your records and someone successfully logged in using a valid username and password for that account. The rightful owner of that account now demands to know how someone could have gotten his login and password. Assuming you are unaware of a security hole in your systems, and barring a massive number of similar complaints, you can only assume that the problem is on the user’s side.
I mean, come on, let’s think about this logically for a moment. Some guy has found a way to hack FTP. Instead of going for Phil Ivey’s account which probably has hundreds of thousands of dollars in it you’re going to expose your hack via donking off $500 in a $2/$4 NL game?!? Which sounds more plausible, DB’s security was compromised or FTP’s? DB’s ignorance of how it happened is not evidence that it didn’t happen.
And that brings us to another point. DB fortifies his claim with a link to someone who also got ripped off on the same day and at roughly the same time he did. But if you go to the other guy’s site, he indicates that he and DB know each other from a secondary source, PSO (which I assume is Phantasy Star Online, a World of Warcraft-like game). So two people who also have associations with each other outside of FTP got ripped off using similar methodologies. I’m no Columbo (sorry if you’re too young to get the reference) but this is starting to sound like a problem not originating at FTP. In fact, as you read on in the posts of the guy who also got ripped off, he has sneaking suspicions about who’s behind it and, unlike DB, he’s starting to conclude that it has nothing to do with FTP.
Furthermore, rather than immediately jumping to the conclusion that FTP’s site had been compromised he at least entertained the idea that the hack could have happened elsewhere. After several exchanges with FTP’s fraud dept he posts:
I received a reply from Full Tilt which leaves me to believe that they are not responsible for the fraud.
In another post he goes on to say:
This confirms that I am absolutely not responsible for what happened to my money. Someone, somewhere, screwed up. We have a pretty good idea about who that might be, but we won’t point more fingers just yet.
Our likely suspect who lives in Pennsylvania doesn’t seem as likely either. Why would he move funds to Vietnam, when he recently moved to Pittsburgh and looks like a good guy? A bit of a loser, but a good guy nonetheless.
Assuming DB’s problems and this guy’s problems originate from a similar source, it’s starting to appear not only that there are other people to suspect, but that this issue involves a host of compromised computers (the thefts on FTP occurred from a computer in CO, while money is being diverted to Vietnam). So far, I’ve yet to see a post from DB willing to consider this explanation.
I know, at least now, that DB is going to view me as some evil person but these are, as ugly as they may be, the facts. I know I sound cold and heartless for not unquestioningly backing someone I know, but the 12 years I’ve spent building secure systems tells me something smells funny here. I don’t fault DB for being upset and pissed off about what’s happened to him (I certainly would be) but at the same time I worked at the company that he’s intermittently disparaging and I know most of the people he’s calling into question. If the problem is on their end they will make him whole. I have zero doubt about that in my mind. If the problem is not on their end I think he’s being entirely unfair in terms of his expectations. And currently, the facts support it not being FTP’s fault, so I think DB is out of line until more facts are presented that actually support his assumptions/accusations.
Hey Duggle,
First off, I didn’t say it was impossible. I said in your particular case it would have accomplished nothing since the IP address originated from CO. Yes, Neteller does do IP checking. Most of the sites that have cut off US customers also do IP geo-location. But even then, it’s a very broad brush. For instance, many Canadians have IP addresses that belong to US companies. It’s only a moderately good indicator.
I think the idea you propose is one of those “good idea taken to the extreme” sort of things. It’s always been a good idea not to keep large amounts of cash on online poker sites. It’s probably not a good idea to keep it at Neteller either. That part is not new or revolutionary. Now you’ve simply taken it to the extreme by keeping no money on a site. I don’t necessarily agree with that though. I imagine someone who plays daily gets away with it for about a month before the site just closes your account. You’ll be generating more in fees than you do in rake and poker sites aren’t stupid. They’ll figure out that you’re costing them a ton of dough and cut you off.
I, on the other hand, might recommend not having the same password for low risk accounts as you have for high risk accounts. In fact, I’m going to be writing a post on that very subject.
Bill
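To make the “Only allow US IP addresses” checkbox from DB’s post concrete, and to show why Bill calls geolocation a broad brush, here is an added example (not Full Tilt’s code and not from the original post or comments). The GeoIP table, the prefixes, and the account dictionary are constructed stand-ins; the point is that an attacker who already holds a valid password and logs in from a US address passes the check, while a legitimate Canadian on a US-owned prefix is misclassified.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for a GeoIP database (documentation prefixes, not real
# allocations): network -> country code the lookup would report.
GEOIP_TABLE = {
    "203.0.113.0/24": "US",   # constructed: treated as a Colorado ISP block
    "198.51.100.0/24": "VN",  # constructed: treated as a Vietnamese block
    "192.0.2.0/24": "US",     # constructed: US company block used by Canadian subscribers
}

def country_of(ip):
    """Map an IP to a country code via the (constructed) table; None if unknown."""
    addr = ip_address(ip)
    for prefix, cc in GEOIP_TABLE.items():
        if addr in ip_network(prefix):
            return cc
    return None

def check_login(account, ip, password_ok):
    """Decide a login: the password is the primary control, the per-account
    country allowlist is the optional secondary check. Returns (allowed, reason)."""
    if not password_ok:
        return False, "bad credentials"
    allowed = account.get("allowed_countries")
    if not allowed:
        return True, "valid credentials, no country restriction set"
    cc = country_of(ip)
    if cc is None:
        return False, "valid credentials, but IP country unknown (fail closed)"
    if cc not in allowed:
        return False, "valid credentials, but IP country %s not allowed" % cc
    return True, "valid credentials, IP country %s allowed" % cc

def run_scenarios():
    """Constructed cases: the attacker already holds the password, as in the post."""
    us_only = {"allowed_countries": {"US"}}
    return {
        # attacker on a US (Colorado) address: the checkbox would not have helped
        "attacker_from_us": check_login(us_only, "203.0.113.7", True)[0],
        # same attacker from a Vietnamese address: blocked
        "attacker_from_vn": check_login(us_only, "198.51.100.9", True)[0],
        # a Canadian player on a US-owned prefix: geolocation misclassifies, passes
        "canadian_on_us_prefix": check_login(us_only, "192.0.2.33", True)[0],
        # unknown prefix: denied, the cost of a fail-closed allowlist
        "unknown_prefix": check_login(us_only, "10.1.2.3", True)[0],
        "bad_password": check_login(us_only, "203.0.113.7", False)[0],
    }

if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print("%-24s -> %s" % (name, "allowed" if allowed else "denied"))
```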
Interestingly, Neteller closed my account a few months ago when I tried to access my account from a hotel that was using a foreign proxy. So such a system is not as impossible as you say.
And I’m not telling people to take all their money and never play Full Tilt again.
I’m simply saying don’t STORE your money in a Full Tilt Account. There are safer places. Deposit to play and withdraw when you are finished, just like buying chips at a casino.
Please tell me what you think of that idea?
Another good post. I think that DB’s post was meant in good spirit... but it seems to have grown way out of hand. I have seen MANY people take money off FT and not want to play there anymore... like FT has a problem. It is not right for a company I think has gone above and beyond the call of duty to provide a great site. The one thing I agree with for all of us is that leaving huge amounts of money on sites is unnecessary. You can have your working roll at a site and have other funds readily available. Why give FT the interest when you could easily be making it yourself?
Anyway good post again.
Agree 100%. I feel for DB, but if I were him, I’d be talking to Poker Source Online (A site he frequently shills for).
PSO probably means Poker Source Online, a rakeback/bonus/forum thingy. They’ve had problems with security before, as a lot of people were getting torrents of spam on email addresses registered with PSO (some of them one-shot addresses, so the source was obvious).
If, say, DB’s PSO forum password was the same as or close to DB’s FTP password, well, that’s a pretty easy bouncing ball to follow. I’m expressly not implying any wrongdoing on PSO’s part here, just synthesizing a couple commonly-available facts and making a 1000-mile leap to a conclusion I might as well have pulled out of my ass.