March 22, 2007
Raymer "Hacked"
Interesting stuff about Fossilman getting his Poker Stars account robbed, or, as people who know nothing at all about computers call it, hacked. It isn't hacking at all, it's just him being a moron and someone using that to get his password, but I suppose the difference is irrelevant to most.
There are basically four ways that this can happen to you. The first, and I would suspect by far the most common, is that you type the password in while you're in a public place and someone glances over and sees you push the keys. That's the easiest and best way to get someone's password. While I was in the Bahamas for the poker event I saw multiple people I don't know type theirs in and I wasn't even trying. I bet I could have emptied 20 accounts just by walking around the lobby at Atlantis and writing them down. In fact, I saw the passwords for accounts of at least 3 players you've seen on TV who I don't even know. Of course I never did anything with them, because that's just not how I roll, but that makes me think that when someone does get their password stolen, that's the most likely method.
The second is via phishing. That's where someone tricks you into inputting your password into something that appears to be run by Poker Stars. Phishing is an extraordinarily effective technique for getting passwords for things like PayPal, eBay, or online banking, but since you never input your Poker Stars password on any web pages it wouldn't be so great in this case. It might still be doable if you managed to convince some idiots that your website is run by Stars (i.e., input your name and password here and we'll give you a $100 bonus), and I'm sure plenty of people would fall for such a trick (hell, they reelected Bush) but probably not Raymer. It's just too obvious.
The third method would be a key logger, which is basically some software that is put on your computer without your knowledge that records every key stroke you make and then sends them to someone. Key loggers can be installed by someone who has physical access to your computer or they can be installed via some sort of shenanigans. Maybe someone sends you a program that says "free copy of Poker Tracker" and it's really just a program that installs a key logger. Something to that effect.
Loggers, like all sorts of viruses, are incredibly easy to avoid by following two simple rules. Rule 1: don't be a retard. Don't open mysterious attachments. Don't run installers from sources you don't trust. Don't execute any strange files. In all my years of nonstop computer use I've only gotten two minor viruses, and those were back during the days of easy IE exploits where just surfing to the wrong web page could infect you.
Rule 2: have a good firewall. Zone Alarm won't stop a key logger from being installed, but it will tell you when one tries to phone home and allow you to block it. That's all you need. Both of the viruses I did have tried to send my personal information back to someone and I found out about them (and stopped them) via Zone Alarm. It doesn't do anyone any good to make a list of your passwords unless they can have that list sent to them.
The last way he could have gotten his password stolen is by brute force. Someone could have made a bot that repeatedly types in passwords (usually using words from the dictionary) until they got the right one. I've heard it said that this is how it was done, but I can't believe that to be true.
Poker Stars is very security conscious and brute force attacks are relatively simple to prevent. You just have accounts automatically locked if they try to log in repeatedly with incorrect passwords in a short period of time. Those attacks have to attempt millions of logins, so they often try many times per second. Stars could just have a rule that if a client tries to log in more than once in 3 seconds (which no human could feasibly do) they freeze the account and notify security. I have to believe they have something like that.
It's possible that someone tried typing in a few things that are very obvious, like 2003WSOPchamp and stuff like that, but I doubt Raymer was that dumb. In the end someone probably saw him type in his password in the Bahamas, or maybe somehow got a key logger on his computer. If I were Raymer I'd reinstall Windows just to be sure.
The only good thing in all of this is that a bunch of people will update their passwords now to something more secure. I hate obnoxious sites that enforce password security on customers, but some have a neat little bar that slides as your password strength increases. Most people ignore it I'm sure, but it's a nice feature for those who care.
Posted by themaroon at March 22, 2007 1:09 PM
Comments
Don't you think it's more likely that Raymer's password is double_cheeseburger_&_fries?
Posted by: bp at March 22, 2007 2:11 PM
Poker Stars is very security conscious and brute force attacks are relatively simple to prevent. You just have accounts automatically locked if they try to log in repeatedly with incorrect passwords in a short period of time.
Unfortunately, this "solution" would expose Stars players to denial of service attacks since your login is the same as the screen name displayed at the tables.
Posted by: J at March 22, 2007 5:26 PM
RE: 2003WSOPchamp
Why would he use Chris Moneymaker's password?
Posted by: NanaAnna at March 22, 2007 7:29 PM
I highly recommend using KeePass (http://keepass.info/). It can generate and store secure passwords (most of my passwords look like this: ^cNGcEXm2Gs W\dWiWl$!sa$@X8j[). You can also have it auto-fill in username/password combos fairly easily. You end up only needing to remember one password (hopefully something complex, like a phrase) to open the database. It's handy to carry around on a little USB key. Just make sure you backup your database and don't forget your master password... :)
Posted by: Bobo bin Bobo at March 22, 2007 7:56 PM
Raymer has kids too, it's possible one of them let some thing slip through.
Posted by: Jeff D at March 23, 2007 12:02 AM
i think it might have been "manflaps12"
Posted by: scott at March 23, 2007 6:36 AM
You couldn't DoS someone who was already logged in. Stars just tells you "this account is already signed in." They would only lock the account if someone tried to repeatedly sign into an account that wasn't signed into already.
It does bring up an interesting point though. You could DoS, say, everyone whose name was on the list for the Sunday $215 15 minutes before it started. Most of them are probably logged off until right before 4:30. It would be fun to see how Stars handled that. They'd have a couple thousand locked accounts to sift through in only a few minutes.
There's a simple solution, just block all future logins to the victim account from the same IP address. So as soon as someone tries to log into Fossilman 3 times in 3 seconds, you block all future login attempts from that IP address for the Fossilman account and flag it for security. The real Fossilman can still log in from wherever he is (unless, of course, he's on the same network as whoever is trying to brute force him, which would be hilarious) so there's no DoS potential. And nobody could come up with even a tiny fraction of the number of IP addresses required to get around that and brute force a password.
Another option is to just set up a time delay. Have it so a customer cannot attempt to log in more than once every 5 seconds. That won't inconvenience a human at all, but might make a brute force attack take 100 times longer, making it economically unfeasible.
Posted by: Matthew Maroon at March 23, 2007 7:24 AM
greg has said that someone probably just guessed it since according to him a reasonably intelligent person could guess it within 100 tries.
ya, i know.
Posted by: mike at March 23, 2007 1:18 PM
I hear that Stars is in the process of changing the log in ID to something different than your screen name.
Posted by: Alan at March 23, 2007 2:53 PM
Admittedly very high tech spy-stuff, but you can detect key presses from the near vicinity with some awesome equipment. Last time I was familiar with this stuff, it had a max range of about 2 feet, but that's what a grunt like me knew about 8 years ago.
Posted by: Slim at March 24, 2007 1:52 AM
It's very common on many systems today to have an exponential time delay between password tries. Hardly noticeable to the user until about 5 misses.
Posted by: Slim at March 24, 2007 1:54 AM
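The thread above converges on two defences: block repeated failures per (account, source IP) so the real player on another address is not locked out, and add an exponential delay between tries. The following is an added illustration of that combination, not Poker Stars code; the policy constants, the in-memory credential dictionary and the injectable clock are all constructed for the example.

```python
import time
from dataclasses import dataclass

# Constructed policy values for the example; a real site would tune them.
FREE_ATTEMPTS = 3        # failures allowed before delays start
BASE_DELAY = 1.0         # seconds; doubles with every further failure
MAX_FAILURES = 10        # hard block for this (account, ip) pair
BLOCK_SECONDS = 3600.0


@dataclass
class AttemptState:
    failures: int = 0
    next_allowed: float = 0.0   # earliest time another attempt is accepted
    blocked_until: float = 0.0


class LoginThrottle:
    """Throttle keyed on (account, source IP), so hammering one account from one
    address never locks the real player out from a different address."""

    def __init__(self, credentials, clock=time.monotonic):
        self._credentials = credentials   # {username: password}; stand-in for a real store
        self._clock = clock               # injectable so tests can advance time
        self._state = {}                  # {(username, ip): AttemptState}
        self.flagged = []                 # pairs handed to security review

    def attempt(self, username, password, ip):
        """Return 'ok', 'bad_password', 'too_fast' or 'blocked'."""
        now = self._clock()
        st = self._state.setdefault((username, ip), AttemptState())
        if now < st.blocked_until:
            return "blocked"
        if now < st.next_allowed:
            # Refused before the password store is consulted, so extra hammering
            # during the delay costs the attacker time and gains nothing.
            return "too_fast"
        if self._credentials.get(username) == password:
            del self._state[(username, ip)]   # success clears this pair only
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.blocked_until = now + BLOCK_SECONDS
            self.flagged.append((username, ip))
            return "blocked"
        if st.failures >= FREE_ATTEMPTS:
            # Exponential back-off: 1 s, 2 s, 4 s ... after the free attempts.
            st.next_allowed = now + BASE_DELAY * 2 ** (st.failures - FREE_ATTEMPTS)
        return "bad_password"
```

Because the state lives on the (account, IP) pair, a flood of guesses against one screen name from one address never affects that player's own login from elsewhere, which is the DoS concern raised earlier in the comments.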
>>greg has said that someone probably just guessed it since according to him a reasonably intelligent person could guess it within 100 tries.
Just wow.
Posted by: Whatever2002 at March 26, 2007 5:54 PM