In the last six months, two of my accounts with other bookmakers have been logged into by somebody else, who then placed my entire account balance on Roulette. On both occasions these were negligible sums of money, totalling around £40. While both bookmakers returned my funds to me (in one case I was told to make a new account) this obviously led me to change my passwords across all of my sites, and take far more precautions regarding account security.
For instance, my Paypal (which I use to deposit) and Betfair accounts both now have two stage verification, meaning they send a six digit code to my phone which I have to enter after my password in order to log in. Without having access to my phone, you're going to have a hard time getting into either of those accounts, even if you knew my username and password.
Unfortunately, my Sky User ID is the same as the username on both of the other bookmaker accounts which got compromised. Sky's current system relies primarily on the User ID not being known. However, many people will have User IDs which are either:
- Usernames on other sites which are visible at the table
- Very similar to their table name, thus predictable
If a User ID is known, then that layer of account security is lost. This is particularly true of well known players, whose User ID is potentially going to be their username on a high profile site, and people are going to know there is potentially a large amount of money in that account (Not that I fall into that category, but if you know a 200nl reg who sits in the bigger games when they run is likely to have £5-10k+ in his account at any one time, and I know their Stars username because they're active in either the Sky or UK Poker community, I could have a pretty good guess at their Sky login...)
Whilst the user ID is actually a pretty decent added layer of security (by forcing username and screen name to be different), it's certainly not going to keep an account secure by itself.
Sky is naive enough to believe that a 4-6 digit pin is ample security for my (or anyone else's) account. This couldn't be further from the truth. There are:
- 1 million six-digit pins
- 100k five-digit pins
- 10k four-digit pins
For a total of 1.11 million possible PIN combinations. Anyone with any software building knowledge wouldn't have too much difficulty building something that would try to input each and every one of those 1.11m PIN combinations. Maybe it would always try obvious potential passwords such as "123456", or palindromes, or dates in DDMMYY format first, but it would take no time at all for a piece of software to crack a Sky password if the username was known using brute force.
A four digit password consisting only of letters and numbers has roughly 1.68m potential combinations. Nobody in their right mind would consider that to be a secure password, and yet, it's still more secure than what we are currently restricted to by Sky.
If you had a normal set of password parameters - maybe you decide to use 6-12 characters that must be 0-9 or A-Z. That gives you roughly 4,900,000,000,000,000,000, or 4.9 quintillion password combinations. If you make that password case sensitive, then you now have somewhere in the region of 3,300,000,000,000,000,000,000, or 3.3 sextillion possible passwords. Sure, people are going to be naive enough to use passwords based on words, patterns, and so on. Maybe they choose a password like "John230706" after the birth date of their first child for example, which clearly wouldn't be as secure as a random string. But at least you give the user the option of having a more secure password.
Instead, we are left with a pathetic system that leaves login credentials three quadrillion (that's 3,000,000,000,000,000) times less secure than a twelve character, case sensitive string consisting of only letters and numbers. My password for my Sky account is a liability in terms of protecting my account, not by my choice, but by poor software design.
In addition to that, there is no function to change login name at present, as I asked Customer Care this prior to starting this thread. I made an account at Titan when they were sponsoring Sam Trickett back in the day, and the login for that is a twelve character string, totally separate from my name at the tables. If my username was a random twelve character string, I would feel far less concerned about people being able to access my account, despite the password issue.
But instead, I'm left with a username which is probably known to somebody hacking into sports betting accounts to punt the account balance on Roulette, and a pathetic six-digit pin which is ridiculously easy to crack by brute force, with no option to make my account any more secure. Does that really make me feel happy about leaving any amount of money in my Sky account at the start or end of a session? What about if I put a £20 football acca on but I'm not going to be able to log on for a while to withdraw a potentially significant amount of winnings?
Oh, and the worst part, when I explained to Customer Care that the system currently in place is useless, their response? "We appreciate your feedback, is there anything else I can help you with today?" - I don't think the Customer Care staff could have possibly cared any less.
Comments
Although, to play Devil's Advocate...
I would hope that if there were actually significant problems with people's accounts being compromised that Sky would be doing something about it. I doubt Sky would release the figures but the fact that they have not added extra layers thus far could be read to suggest that there are not significant problems in this area, i.e. nobody/almost nobody are having their accounts compromised.
I get that a 4 character pin is short but again I would hope that the software would bar someone from making an excessive amount of incorrect PIN attempts. I am not certain if this is the case (if it isn't then it probably/definitely should be). If this is the case and people are barred from trying more PIN combos after say 10 attempts then even with just the 1.68m variations that could take 460 years to break through (assuming the person knew your account ID too).
Lastly I would hope that if I was the victim of the type of fraudulent activity that has been highlighted that Sky/my bank would be insured for this and sort it out.
If the specific concerns you mentioned to them are correct, and are a concern... you wouldn't expect the customer care rep to turn around and confirm this. Otherwise they would just be confirming exact areas of concern to members of the public which would be pretty poor security.
If the specific concerns you mentioned to them were not correct, and were not an area for concern... you wouldn't expect the customer care rep to turn around and say... 'Well sir/madam, this is not correct. If a, b or c happens then we have x, y & z in place'. Again they would just be giving security info to the public which would be pretty poor security.
Damned if they do, damned if they don't type of stuff as far as I can see.
I would expect a generic message from support along the lines of 'your funds are safe with us and we thank you for your feedback which we will pass along'.
As someone playing on Sky I am a little concerned about the post to be honest. I know there is no ill intent and I know the OP is a great contributor on the forum, however...
There are 2 scenarios as far as I can see. The concerns are either (a) valid, and are publicly drawing attention to weak areas of the site which obviously increase risks for us all. Or (b) are not valid but will cause some players, as fi33er mentioned he would, to cash out which hurts the site.
I am not sure the public forum is the best place to highlight specific areas of concern. I personally would pass specific concerns on to customer care and be expecting them to hit me with a generic message and never get into detailed security specifics with members of the public such as myself.
Again I hope the OP doesn't think I am having a pop at them as I realise there is no ill intent intended whatsoever.
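The keyspace arithmetic in the original post and the "10 attempts then locked out" point from the Devil's Advocate reply, worked through as an added example (not from any poster; the 1,000 guesses per second unthrottled rate is a constructed assumption):

```python
"""Sizing the PIN search space and the effect of a lockout policy.

Added example (not from any poster): it models the policies described in
the thread, a 4-6 digit numeric PIN versus a 6-12 character alphanumeric
password, and the reply's hypothetical "10 failed attempts per day" lockout.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Count every secret of each length from min_len to max_len inclusive."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


@dataclass(frozen=True)
class LockoutPolicy:
    """At most `max_attempts` failures per `window_seconds`, then locked out."""
    max_attempts: int
    window_seconds: int

    def rate(self) -> float:
        """Sustained guesses per second an online guesser can achieve."""
        return self.max_attempts / self.window_seconds


def exhaust_seconds(space: int, policy: LockoutPolicy) -> float:
    """Worst case: seconds to try every secret in `space` under `policy`.
    The average case against a uniformly random secret is half this."""
    return space / policy.rate()


# Search spaces compared in the thread.
SKY_PIN = keyspace(10, 4, 6)            # 1,110,000 (OP's figure)
ALNUM_4 = keyspace(36, 4, 4)            # 1,679,616 (the reply's 460-year case)
ALNUM_6_12 = keyspace(36, 6, 12)        # about 4.9e18
MIXED_CASE_6_12 = keyspace(62, 6, 12)   # about 3.3e21, ~3e15 times SKY_PIN

# Assumed throttling. 1,000 guesses/second with no lockout is a constructed
# stand-in for an unthrottled login endpoint; 10 per day is the reply's figure.
NO_LOCKOUT = LockoutPolicy(max_attempts=1_000, window_seconds=1)
TEN_PER_DAY = LockoutPolicy(max_attempts=10, window_seconds=SECONDS_PER_DAY)

if __name__ == "__main__":
    print(f"12-char mixed-case space / PIN space: {MIXED_CASE_6_12 / SKY_PIN:.2e}")
    for label, pol in (("no lockout", NO_LOCKOUT), ("10 per day", TEN_PER_DAY)):
        secs = exhaust_seconds(SKY_PIN, pol)
        print(f"{label}: whole PIN space in {secs / 60:.1f} min "
              f"({secs / SECONDS_PER_YEAR:.1f} years)")
```

The same 1.11 million PINs that fall in under twenty minutes without throttling take about three centuries at ten attempts per day, which is why the lockout policy, not the PIN length, decides how exposed the account really is.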
I think the OP is well-intended here, but I'd have to say that overall, I disagree strongly with the thrust of his Post.
Markycash also makes some very valid points - there is no "safe" answer that Sky Poker can give either via CC or this Forum without giving the game away.
Let me offer an alternative angle though. When poker players think they have suffered some sort of injustice, real or imagined, & no matter how small, they are on this forum like a shot. We often even have two threads, or three, from the same player about the same problem, often IN UPPER CASE & more often than not they append the thread title with an inexplicable surfeit of punctuation marks. You could not miss these complaints if they existed in any meaningful number, could you?
And yet this Forum has been in place since 2009 (?) & I don't recall a single instance of someone coming on & saying "My Sky Poker account was hacked & my balance stolen".
Bear in mind also that the same log in methodology is in place for Poker, Bingo, Casino, Vegas & Bet. The SB&G site as a whole is the largest platform of its kind in Europe, & huge volumes of cash go through the platform every day - & I do mean huge - breathtaking volumes of cash are transmitted through this site every day. (Sky Bet measure "bets placed" in 1,000's of bets per minute). Just try to imagine how much all that adds up to. And, broadly speaking, Vegas, Casino, Bingo & Poker are around the same size (revenue-wise) as Bet.
Again, if there were security weaknesses in the Log In methodology, don't you think they would have been exposed by now? The Business has been operating for 15 or more years now.
Please use your common sense here before jumping to any conclusions. "Common-sense" includes not leaving very large balances on the site. If you have security concerns, my advice would be to cash out after each session, or just leave a small balance on the account.
Generally speaking, players across SB&G do not leave large balances on site, & this is good practice.
Nobody from Sky Poker is going to go into too much detail here though, for obvious reasons.
Enjoy your weekend.
If these things had happened, you can be pretty sure we'd know about it on this forum. In my experience, poker players rarely hesitate to complain.
I agree wholeheartedly that The Business needs to be dynamic in this matter. Rest assured, they are. Huge volumes of cash circulate through this platform every day & it is a matter which is taken extremely seriously. Various regulatory bodies also insist that satisfactory security barriers are in place, & SB&G are wholly compliant.
I'm not going to go into detail on the Forum, but Account Security at Sky Poker & SB&G generally is emphatically NOT reliant solely upon a 6 digit PIN. You are going to have to trust me on that Andy.
It behoves everyone - site and players alike - to be sensible and practical in these matters, & I believe Sky Poker and SB&G keep their end of that particular bargain.
If you are not happy Andy, my suggestion would be to send an e-Mail (do NOT phone or use Live Chat) to Customer Care, & ask for it to be forwarded to the Poker Team.
Thanks bud.