Security concerns

edited May 2017 in Poker Chat
In the last six months, two of my accounts with other bookmakers have been logged into by somebody else, who then placed my entire account balance on Roulette. On both occasions these were negligible sums of money, totalling around £40. While both bookmakers returned my funds to me (in one case I was told to make a new account) this obviously led me to change my passwords across all of my sites, and take far more precautions regarding account security. 

For instance, my PayPal (which I use to deposit) and Betfair accounts both now have two stage verification, meaning they send a six digit code to my phone which I have to enter after my password in order to log in. Without having access to my phone, you're going to have a hard time getting into either of those accounts, even if you knew my username and password.

Unfortunately, my Sky User ID is the same as the username on both of the other bookmaker accounts which got compromised. Sky's current system relies primarily on the User ID not being known. However, many people will have User IDs which are either:
- Usernames on other sites which are visible at the table
- Very similar to their table name, thus predictable

If a User ID is known, then that layer of account security is lost. This is particularly true of well known players, whose User ID is potentially going to be their username on a high profile site, and people are going to know there is potentially a large amount of money in that account (Not that I fall into that category, but if you know a 200nl reg who sits in the bigger games when they run is likely to have £5-10k+ in his account at any one time, and I know their Stars username because they're active in either the Sky or UK Poker community, I could have a pretty good guess at their Sky login...)

Whilst the user ID is actually a pretty decent added layer of security (by forcing username and screen name to be different), it's certainly not going to keep an account secure by itself.

Sky is naive enough to believe that a 4-6 digit pin is ample security for my (or anyone else's) account. This couldn't be further from the truth. There are:
- 1 million six-digit pins
- 100k five-digit pins
- 10k four-digit pins

For a total of 1.11 million possible PIN combinations. Anyone with any software building knowledge wouldn't have too much difficulty building something that would try to input each and every one of those 1.11m PIN combinations. Maybe it would always try obvious potential passwords such as "123456", or palindromes, or dates in DDMMYY format first, but it would take no time at all for a piece of software to crack a Sky password if the username was known using brute force.

A four digit password consisting only of letters and numbers has roughly 1.68m potential combinations. Nobody in their right mind would consider that to be a secure password, and yet, it's still more secure than what we are currently restricted to by Sky.

If you had a normal set of password parameters - maybe you decide to use 6-12 characters that must be 0-9 or A-Z. That gives you roughly 4,900,000,000,000,000,000, or 4.9 quintillion password combinations. If you make that password case sensitive, then you now have somewhere in the region of 3,300,000,000,000,000,000,000, or 3.3 sextillion possible passwords. Sure, people are going to be naive enough to use passwords based on words, patterns, and so on. Maybe they choose a password like "John230706" after the birth date of their first child for example, which clearly wouldn't be as secure as a random string. But at least you give the user the option of having a more secure password.

Instead, we are left with a pathetic system that leaves login credentials three quadrillion (that's 3,000,000,000,000,000) times less secure than a twelve character, case sensitive string consisting of only letters and numbers. My password for my Sky account is a liability in terms of protecting my account, not by my choice, but by poor software design.

In addition to that, there is no function to change login name at present, as I asked Customer Care this prior to starting this thread. I made an account at Titan when they were sponsoring Sam Trickett back in the day, and the login for that is a twelve character string, totally separate from my name at the tables. If my username was a random twelve character string, I would feel far less concerned about people being able to access my account, despite the password issue.

But instead, I'm left with a username which is probably known to somebody hacking into sports betting accounts to punt the account balance on Roulette, and a pathetic six-digit pin which is ridiculously easy to crack by brute force, with no option to make my account any more secure. Does that really make me feel happy about leaving any amount of money in my Sky account at the start or end of a session? What about if I put a £20 football acca on but I'm not going to be able to log on for a while to withdraw a potentially significant amount of winnings?

Oh, and the worst part, when I explained to Customer Care that the system currently in place is useless, their response? "We appreciate your feedback, is there anything else I can help you with today?" - I don't think the Customer Care staff could have possibly cared any less.

Comments

  • edited May 2017
    I agree that a 6 digit numerical code is very weak for a password.

    A private username/password combination is not the only mechanism to offer protection but it is a very important one.

    I have a different username to my table name, but I don't feel overly comfortable with the security within my control here (and it is my day job to look after these things).

    I could say a lot more but I have to be careful and I will wait and see if we get a response from the Sky team.

    PS There  are several other ways a hacker could get into your accounts, not just brute forcing your password having known your user name. 

    PPS I don't think you can expect Customer Care staff to be competent to discuss cyber security matters and all you can really hope is that they passed your issue on. 




  • edited May 2017
    out of interest pingu do you know or heard of anyone on skybet/poker having their accounts hacked am not saying it's not possible it probably is these whizz kids today can hack into anything they want
    sky is most likely insured against any threat of malpractice
  • edited May 2017
    Obviously if extra security was available for anyone who wished to have it then there would be no losers. Therefore, fair enough on that point.

    Although, to play Devil's Advocate...

    I would hope that if there were actually significant problems with people's accounts being compromised that Sky would be doing something about it. I doubt Sky would release the figures but the fact that they have not added extra layers thus far could be read to suggest that there are not significant problems in this area. I.E. nobody/almost nobody are having their accounts compromised.

    I get that a 4 character pin is short but again I would hope that the software would bar someone from making an excessive amount of incorrect PIN attempts. I am not certain if this is the case (if it isn't then it probably/definitely should be). If this is the case and people are barred from trying more PIN combos after say 10 attempts then even with just the 1.68m variations that could take 460 years to break through (assuming the person knew your account ID too).

    Lastly I would hope that if I was the victim of the type of fraudulent activity that has been highlighted that Sky/my bank would be insured for this and sort it out.
  • edited May 2017
    In Response to Re: Security concerns:
    out of interest pingu do you know or heard of anyone on skybet/poker having their accounts hacked am not saying it's not possible it probably is these whizz kids today can hack into anything they want sky is most likely insured against any threat of malpractice
    Posted by stokefc
    I haven't, but that doesn't mean it hasn't happened to people already, and it always pays to be proactive with these things.
  • edited May 2017
    I really don't think we should be speculating and I don't expect Sky to confirm/deny what added layers of security.

    There are undoubtedly many.

    Talking generically now:

    The fact remains that security always needs a multi-layered approach.

    The fact also remains that a 6 character max numerical passcode is weak. 

    If you are locked out for a period of time that is a common approach and will make it harder to "brute force" ie go through every combination from 000000 to 999999.

    However if people are using poor security themselves and using say their birthdate then that is easy to find out and much easier to brute force if you know someone's age or age range.
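
Added example (not part of the thread, and not Sky's code): a per-account lockout of the kind the comments above describe, with the arithmetic for how long exhausting a PIN space would take under it. The 10-failure limit, the 24-hour lockout and the 100 guesses per second rate are assumed values, and `keyspace`, `years_to_exhaust` and `LoginThrottle` are hypothetical names.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Count the secrets of length min_len..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def years_to_exhaust(space: int, max_failures: int, lockout_seconds: float) -> float:
    """Worst-case years of online guessing against one account when every
    max_failures wrong guesses cost one lockout (guess time itself ignored)."""
    return (space / max_failures) * lockout_seconds / (365 * 24 * 3600)


@dataclass
class LoginThrottle:
    """Per-account failure counter with a fixed lockout window."""
    max_failures: int = 10                 # assumed policy, not Sky's
    lockout_seconds: float = 24 * 3600     # assumed policy, not Sky's
    clock: Callable[[], float] = time.monotonic
    _failures: Dict[str, int] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def attempt(self, user_id: str, pin_ok: bool) -> str:
        """Record one login attempt and return 'ok', 'denied' or 'locked'."""
        if self.clock() < self._locked_until.get(user_id, 0.0):
            return "locked"                # even the right PIN is refused
        if pin_ok:
            self._failures.pop(user_id, None)
            return "ok"
        count = self._failures.get(user_id, 0) + 1
        if count >= self.max_failures:
            # Limit reached: start the lockout window and reset the counter.
            self._locked_until[user_id] = self.clock() + self.lockout_seconds
            self._failures.pop(user_id, None)
        else:
            self._failures[user_id] = count
        return "denied"


if __name__ == "__main__":
    pins = keyspace(10, 4, 6)              # all 4, 5 and 6 digit PINs
    print(f"4-6 digit PINs: {pins:,}")
    print(f"10 tries per day, then lockout: "
          f"{years_to_exhaust(pins, 10, 86400):.0f} years worst case")
    # Assumed rate of 100 guesses per second with no throttling at all.
    print(f"no lockout, 100 guesses/s: {pins / 100 / 3600:.1f} hours")
```

A per-account lockout also lets anyone who knows a User ID lock its owner out, which is why it is usually combined with per-source limits or a second factor.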
     
  • edited May 2017
    Very good post and a bit of an eye opener.  I would like to know that sky lock you out if you type your pin incorrectly more than a few times.
    It is a 4 digit pin number and the banks and PayPal lock your account after 3 tries.

    Someone should try it and see if they get locked out, (I'm too scared!)


    I think I will cash out more frequently having read this post.

    Weird thing is I always seem to run so bad after I have cashed out!

    Anyone else find this?

    (It's not just in my head but I mean people actually win with any 2 cards in crazy spots consistently)



  • edited May 2017
    Brilliant post pingu, very informative.
  • edited May 2017
    In Response to Security concerns:
    Oh, and the worst part, when I explained to Customer Care that the system currently in place is useless, their response? "We appreciate your feedback, is there anything else I can help you with today?" - I don't think the Customer Care staff could have possibly cared any less.
    Posted by EvilPingu
    To be fair what can Sky do here?

    If the specific concerns you mentioned to them are correct, and are a concern... you wouldn't expect the customer care rep to turn around and confirm this. Otherwise they would just be confirming exact areas of concern to members of the public which would be pretty poor security.

    If the specific concerns you mentioned to them were not correct, and were not an area for concern... you wouldn't expect the customer care rep to turn around and say... 'Well sir/madam, this is not correct. If a, b or c happens then we have x, y & z in place'. Again they would just be giving security info to the public which would be pretty poor security. 

    Damned if they do, damned if they don't type of stuff as far as I can see.

    I would expect a generic message from support along the lines of 'your funds are safe with us and we thank you for your feedback which we will pass along'.

    As someone playing on Sky I am a little concerned about the post to be honest. I know there is no ill intent and I know the OP is a great contributor on the forum, however...

    There are 2 scenarios as far as I can see. The concerns are either (a) valid, and are publicly drawing attention to weak areas of the site which obviously increase risks for us all. Or (b) are not valid but will cause some players, as fi33er mentioned he would, to cash out which hurts the site.

    I am not sure the public forum is the best place to highlight specific areas of concern. I personally would pass specific concerns on to customer care and be expecting them to hit me with a generic message and never get into detailed security specifics with members of the public such as myself.

    Again I hope the OP doesn't think I am having a pop at them as I realise there is no ill intent intended whatsoever.
  • edited May 2017


    I think the OP is well-intended here, but I'd have to say that overall, I disagree strongly with the thrust of his Post.

    Markycash also makes some very valid points - there is no "safe" answer that Sky Poker can give either via CC or this Forum without giving the game away.

    Let me offer an alternative angle though. When poker players think they have suffered some sort of injustice, real or imagined, & no matter how small, they are on this forum like a shot. We often even have two threads, or three, from the same player about the same problem, often IN UPPER CASE & more often than not they append the thread title with an inexplicable surfeit of punctuation marks. You could not miss these complaints if they existed in any meaningful number, could you?

    And yet this Forum has been in place since 2009 (?) & I don't recall a single instance of someone coming on & saying "My Sky Poker account was hacked & my balance stolen".
     
    Bear in mind also that the same log in methodology is in place for Poker, Bingo, Casino, Vegas & Bet. The SB&G site as a whole is the largest platform of its kind in Europe, & huge volumes of cash go through the platform every day - & I do mean huge - breathtaking volumes of cash are transmitted through this site every day. (Sky Bet measure "bets placed" in 1,000's of bets per minute). Just try to imagine how much all that adds up to. And, broadly speaking, Vegas, Casino, Bingo & Poker are around the same size (revenue-wise) as Bet.

    Again, if there were security weaknesses in the Log In methodology, don't you think they would have been exposed by now? The Business has been operating for 15 or more years now.
     
    Please use your common sense here before jumping to any conclusions. "Common-sense" includes not leaving very large balances on the site. If you have security concerns, my advice would be to cash out after each session, or just leave a small balance on the account. 

    Generally speaking, players across SB&G do not leave large balances on site, & this is good practice.

    Nobody from Sky Poker is going to go into too much detail here though, for obvious reasons.
     
    Enjoy your weekend.
  • edited May 2017
    In Response to Re: Security concerns:
    And yet this Forum has been in place since 2009 (?) & I don't recall a single instance of someone coming on & saying "My Sky Poker account was hacked & my balance stolen". Bear in mind also that the same log in methodology is in place for Poker, Bingo, Casino, Vegas & Bet. The SB&G site as a whole is the largest platform of its kind in Europe, & huge volumes of cash go through the platform every day - & I do mean huge - breathtaking volumes of cash are transmitted through this site every day. (Sky Bet measure "bets placed" in 1,000's of bets per minute). Just try to imagine how much all that adds up to. And, broadly speaking, Vegas, Casino, Bingo & Poker are around the same size (revenue-wise) as Bet. Again, if there were security weaknesses in the Log In methodology, don't you think they would have been exposed by now? The Business has been operating for 15 or more years now. Please use your common sense here before jumping to any conclusions. "Common-sense" includes not leaving very large balances on the site. If you have security concerns, my advice would be to cash out after each session, or just leave a small balance on the account. Generally speaking, players across SB&G do not leave large balances on site, & this is good practice. Nobody from Sky Poker is going to go into too much detail here though, for obvious reasons. Enjoy your weekend.
    Posted by Tikay10
    Nor can I recall such a thread (Although they'd probably be deleted before I saw them, and rightly so) - However that doesn't mean it hasn't happened and can't happen in the future, particularly given how quickly technology improves over time. While there may not be weaknesses being exposed at present, that doesn't mean they can't be exposed in the future, and I think this is one area that can be improved. Being proactive certainly wouldn't be a bad thing.

    I don't think having the option of a more secure password than a six digit pin could possibly do any harm, irrespective of whatever other measures are in place and whether the security in place at present is doing a good job.
  • edited May 2017
    cheers pingu this post has made me change my pin lol   u just never know 
  • edited May 2017
    thing is tho even if they guess your pin getting your username is a harder part ?
  • edited May 2017
    In Response to Re: Security concerns:
    In Response to Re: Security concerns : Nor can I recall such a thread (Although they'd probably be deleted before I saw them, and rightly so) - However that doesn't mean it hasn't happened and can't happen in the future, particularly given how quickly technology improves over time. While there may not be weaknesses being exposed at present, that doesn't mean they can't be exposed in the future, and I think this is one area that can be improved. Being proactive certainly wouldn't be a bad thing. I don't think having the option of a more secure password than a six digit pin could possibly do any harm, irrespective of whatever other measures are in place and whether the security in place at present is doing a good job.
    Posted by EvilPingu
    No such threads have ever been removed from here that I can recall, & I have access to all deleted threads.

    If these things had happened, you can be pretty sure we'd know about it on this forum. In my experience, poker players rarely hesitate to complain.

    I agree wholeheartedly that The Business needs to be dynamic in this matter. Rest assured, they are. Huge volumes of cash circulate through this platform every day & it is a matter which is taken extremely seriously. Various regulatory bodies also insist that satisfactory security barriers are in place, & SB&G are wholly compliant.
     
    I'm not going to go into detail on the Forum, but Account Security at Sky Poker & SB&G generally is emphatically NOT reliant solely upon a 6 digit PIN. You are going to have to trust me on that Andy.

    It behoves everyone - site and players alike - to be sensible and practical in these matters, & I believe Sky Poker and SB&G keep their end of that particular bargain.

    If you are not happy Andy, my suggestion would be to send an e-Mail (do NOT phone or use Live Chat) to Customer Care, & ask for it to be forwarded to the Poker Team. 

    Thanks bud.  

       

      
     
  • edited May 2017
    Being one of a handful that have had their username instead of an alias posted by sky on the forum & not being allowed to change it a max 6 digit numerical password with no other limitations in place hasn't/does not fill me with confidence.
  • edited May 2017
    Sky are so thorough in their security , they have this......


    No other are even close.
  • edited May 2017
    In Response to Re: Security concerns:
    Very good post and a bit of an eye opener. I would like to know that sky lock you out if you type your pin incorrectly more than a few times. It is a 4 digit pin number and the banks and PayPal lock your account after 3 tries. Someone should try it and see if they get locked out, (I'm too scared!) I think I will cash out more frequently having read this post. Weird thing is I always seem to run so bad after I have cashed out! Anyone else find this? (It's not just in my head but I mean people actually win with any 2 cards in crazy spots consistently)
    Posted by fi33er
    I hear a lot of people saying about cashing out then losing, it's like the poker gods are punishing you lol
  • edited May 2017
    In Response to Re: Security concerns:
    In Response to Re: Security concerns : I hear a lot of people saying about cashing out then losing, it's like the poker gods are punishing you lol
    Posted by conorshay1
    its in their heads its bs m8
  • edited May 2017
    In Response to Re: Security concerns:
    In Response to Re: Security concerns : I hear a lot of people saying about cashing out then losing, it's like the poker gods are punishing you lol
    Posted by conorshay1
    Most people cash out after a period of running above expectation.
  • edited May 2017
    Unless they are trying to keep their cash away from the joint account and the wife.
    Shhhhhhhhnhh ;)
  • edited May 2017
    Two stage authentication is the way to go forward with any financial institution, it doesn't matter if it's a bank or an online bookmaker. Anything that makes it more difficult for a fraudster to commit a crime should not be dismissed. 

    I was on a financial forum this morning, where someone was complaining how Bank details were intercepted online and the information used to transfer funds from a business account to a criminals account within minutes. Having a text or google authenticate would stop these problems from happening in the first place. Why do we have to react to these things rather than nip them in the bud. Penguin has identified some potential flaws in sky's login system, which to be perfectly honest are 100% valid. I am not surprised that cs did not take on board Andy's comments, but in all honesty the levels of customer service across the bookmaking industry have much to be desired.

    It's a shame that sky seem to have lost that personal touch. There even isn't a priority manager available these days. No one told me that Liz had left quite a few months ago. I am reliably informed that CVC partners are actively looking at a stock market listing for SB&G. In my opinion that will make sky just like any other online bookmaker, the USP is fast disappearing. 

    Going back to 2 stage authentication I use it for banking, accessing emails and for other online bookies. I have never been the victim of an online scam or fraud, make of that what you will but I know having this process makes it very difficult for criminals to prevail.



