Getafix 07 Dec 10 11:57
Hi All,

The Betfair Q&A session is to be held on the 14th December. I think these sessions are always a good opportunity to get ideas/questions aired, especially as it goes to the top management. A major issue I have with Betfair is the concerns with leaving money in my account. I go to great measures to ensure protection of my PCs to keep away criminal activity such as viruses/trojans/key loggers etc., as will become apparent. Below are the ideas I have come up with to try and prevent unlawful account hacks, and so I ask if anybody has any further ideas which I can put to Betfair with my own. I think it will also be interesting to see which ideas/questions get avoided (if in fact any do).

1) Can we have an "Exposure limit" at bet level, not just full account? This would be a fantastic extra as many of us will rarely place a bet above a certain amount. If someone hacks your account, they will likely try and transfer your money in several ways (to be explained below), one of which is to place a bet with the hacked funds and lay it off with their other account. This I assume would be done with highly liquid events, i.e., an important football match where it is nigh on impossible to see where it would have been transferred. By having a bet exposure limit, the criminal would have to place numerous bets in order to "transfer" funds. This could prevent losing the whole bank immediately, with the chance of noticing the hack earlier. Also, it may be possible for Betfair security to whittle down the possible criminals (all users betting in the same events).

2) Player protection - Another way criminals could transfer funds is to do it via a different route (not just sports betting), through Poker. It seems unlikely that it would be possible via Arcade, Casino or Games (please can someone advise?) as I have never used them and never will. I read elsewhere that to prevent such an action you could exclude yourself from these parts of the site via My Account -> My Profile. You can exclude yourself from Poker, but the problem is you can only exclude yourself for 6 months. Please can this be extended? I would like to exclude myself permanently and I'm sure many others would!

3) Can we have an option to be emailed/SMSed if our IP address changes? I only ever access my computers from my home PCs as I know they are as clean as possible (I don't use them for anything else; casual internet perusal is done on a separate computer, different router/internet point). When I am away from home I will always remote-desktop to my home machine (via https) with other tricks like not typing in the full password but copying and pasting in bits of the password to crop up any keylogger (as well as sandboxes around Internet Explorer) etc. Okay, I'm waffling, but I thought I'd mention this for anyone who is also wondering how to minimise problems when having to use internet access from an external source.

4) Can we have options to restrict access from other countries (but no option to unrestrict)? This should be possible by analysing the login IP address. If we go on holiday abroad and want to access Betfair, maybe lifting of the country restriction should only be allowed by phoning Betfair (not a web-account option). I am assuming there would be security checks done over the phone, maybe also some email confirmation (a link you have to click)? I believe something like this used to be an option; why has it been removed?

5) I know that if there were unscrupulous employees at Betfair, account login info could be easily leaked, or could it? What measures do Betfair use to ensure the security of members' accounts? I assume there is some kind of top encryption on login details, but is there additional security on these databases to prevent, say, any Betfair developer querying this data?

I know these points/ideas aren't all perfect, but I think they could help, and I am happy to be corrected if I have misunderstood or not thought of something - please correct me!
FINE AS FROG HAIR December 7, 2010 12:02 PM GMT
What is the actual history on BF accounts being hacked and monies transferred out ?
Has BF compensated people ?
Getafix December 7, 2010 12:58 PM GMT
Great questions, thanks - I'll add them to the list.

Just wanted to clarify point 1 above: I meant an optional "Exposure limit" at selection level. I.e., in the Match Odds market in a football match your maximum exposure could be set to a certain amount on each outcome (if possible, taking into consideration exposure reduction when multiple selections are bet on, for example, you laid the draw and the home team).
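The selection/market exposure cap proposed in this post, as an added worked example (Python written for this page, not Betfair's code; the Match Odds market, its three selections, the odds and the £500 cap are constructed). It computes the net worst-case loss of the whole market position instead of summing each bet's liability, so a back on the home team and a lay of the draw offset as the post asks, and it refuses a bet that would push the market over the cap, which is also what stops a £1000 stake typed in place of £100.

```python
"""Per-market exposure cap on net worst-case loss (added example, not Betfair code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Bet:
    selection: str
    side: str      # "back" or "lay"
    odds: float    # decimal odds
    stake: float   # backer's stake; for a lay, the amount being laid


def pnl_by_outcome(bets, selections):
    """Profit or loss of the whole position for each possible winning selection."""
    result = {}
    for winner in selections:
        total = 0.0
        for bet in bets:
            wins = bet.selection == winner
            if bet.side == "back":
                # back: win stake*(odds-1) if it wins, lose the stake otherwise
                total += bet.stake * (bet.odds - 1) if wins else -bet.stake
            elif bet.side == "lay":
                # lay: pay out stake*(odds-1) if it wins, keep the stake otherwise
                total += -bet.stake * (bet.odds - 1) if wins else bet.stake
            else:
                raise ValueError(f"unknown side {bet.side!r}")
        result[winner] = round(total, 2)
    return result


def market_exposure(bets, selections):
    """Worst-case loss across all outcomes; zero when no outcome loses money."""
    return max(0.0, -min(pnl_by_outcome(bets, selections).values()))


def place_bet(existing, new_bet, selections, market_limit):
    """Accept the bet only if net market exposure stays within the user's cap.
    Returns (accepted, exposure the market would have if the bet were placed)."""
    exposure = market_exposure(list(existing) + [new_bet], selections)
    return exposure <= market_limit, exposure


# Constructed market: football Match Odds with a £500 per-market cap (assumed).
MATCH_ODDS = ["Home", "Away", "Draw"]
MARKET_LIMIT = 500.0

if __name__ == "__main__":
    position = [Bet("Home", "back", 2.5, 100), Bet("Draw", "lay", 3.5, 100)]
    print("P&L by outcome:", pnl_by_outcome(position, MATCH_ODDS))
    print("market exposure:", market_exposure(position, MATCH_ODDS))
    # typo: £1000 instead of £100 on the away side
    print("£1000 back Away:", place_bet(position, Bet("Away", "back", 4.0, 1000), MATCH_ODDS, MARKET_LIMIT))
    print("£100 back Away: ", place_bet(position, Bet("Away", "back", 4.0, 100), MATCH_ODDS, MARKET_LIMIT))
    # a back and a lay of the same selection at the same price net to zero exposure
    print("back+lay Home:  ", market_exposure([Bet("Home", "back", 2.5, 100), Bet("Home", "lay", 2.5, 100)], MATCH_ODDS))
```

The cap is checked on the whole position rather than the single bet, so an attacker "transferring" funds has to stay under it on every bet and every market, and the legitimate user keeps a ceiling on fat-finger losses without touching the account-level limit.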
mc selecta December 7, 2010 1:24 PM GMT
When accounts are compromised, Betfair deal with it on a case by case basis. There have definitely been threads on here from people who have lost their money and not been reimbursed, and this makes your questions very valid.

I too am concerned about security and don't really want to have to go down the route of withdrawing all my funds on a Sunday night and redepositing on Saturday morning (as a football gambler).

I know some people who put their money into a long term market (eg. try and back Chelsea at 1000 for the league) so that they have a very low available balance when they do not require the funds but this isn't particularly practical and there is always the risk of a mistake entering the bet.

I think other options would be to have a 'cool off' period before any new cards can be added or ip addresses used. So you could register a new card but it would take 5 days before it became active.

Another would be an email generated every time a login is attempted from a new IP or some other fundamental change is made to your account.
Ghetto Joe December 7, 2010 1:37 PM GMT
Getafix, for the player protection (#2) they need a written request after the 6 months to reopen those parts of the site, but I do agree with all the other points. It's about time Betfair started taking the security of people's money more seriously; even the second stage of a drop-down memorable word like the banks use would be a step in the right direction. I emailed asking why the country restrictions were removed and never even had a reply.
SHAPESHIFTER December 7, 2010 1:41 PM GMT
If you search for hacks into Betfair accounts, there are some on forums but a few years ago. On-line security in general has gotten stronger over the past two years (a friend of mine works in Canada in security), especially with instant alerts for the companies.

Security is as strong as you want to make it. Coming up with a rolling security password that you change regularly is good.

If you use public wireless or an internet cafe, change your password as soon as you get in.  There are still keystroke programs out there and with wireless, it is even easier (I know someone that found a camera hidden in their coffee shop that was also looking over people's shoulders at the sofa).

If you know you are going to use an internet cafe or wireless, change it from your usual before you leave home and change it when you get back.

ALSO: use a separate password to other accounts you have.

Just changing a letter or a number is enough to flag up blocked attempts to the security team if someone has an old password.
Mr Magoo December 7, 2010 2:49 PM GMT
Maximum exposure limits *per market* would be a fantastic addition IMO. Not just for account security, but also for protection against stupid typing mistakes! I asked about this in a previous Q&A and Betfair said they 'might look into it'. Of course, nothing came of it.

Another VITAL security feature would be the option to access Betfair completely over a secure connection, ie httpS://www.betfair.com/ - for all betting, not just account login. If you don't think this is important, just google for 'firesheep' and see how easy it is to hack into people's facebook accounts and email. Betfair is open and vulnerable to this problem as well.
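The Firesheep problem this post refers to, as an added example (Python written for this page; the header values, the cookie name ssoid and the host www.example.com are constructed, not Betfair's real ones). A session cookie set during an https login but without the Secure attribute is attached by the browser to every plain http:// page view afterwards, where a passive sniffer on the same wifi reads it straight out of the request; the audit reports that, the missing HttpOnly flag, and the absence of HSTS, and returns nothing for the hardened response.

```python
"""Why https on the login page alone does not stop session hijacking (added example)."""
import re
from urllib.parse import urlsplit


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_sent_to(cookie, url):
    """A browser attaches the cookie to a request for `url` unless the cookie
    carries Secure and the URL is not https."""
    scheme = urlsplit(url).scheme.lower()
    return not (cookie["attrs"].get("secure") and scheme != "https")


def cookies_visible_on_wire(plaintext_request):
    """What a passive sniffer on open wifi reads from an http:// request:
    the whole Cookie header, in the clear."""
    m = re.search(r"^Cookie:\s*(.+?)\r?$", plaintext_request, re.MULTILINE | re.IGNORECASE)
    if not m:
        return {}
    pairs = (kv.partition("=") for kv in m.group(1).split(";"))
    return {k.strip(): v.strip() for k, _, v in pairs}


def audit_login_response(headers, session_cookie_names=("ssoid",)):
    """Findings for a login response: session cookies must be Secure and
    HttpOnly, and the host should send HSTS so http:// links get upgraded."""
    findings = []
    for raw in headers.get("Set-Cookie", []):
        cookie = parse_set_cookie(raw)
        if cookie["name"] not in session_cookie_names:
            continue
        if not cookie["attrs"].get("secure"):
            findings.append(f"{cookie['name']}: missing Secure (sent over plain http)")
        if not cookie["attrs"].get("httponly"):
            findings.append(f"{cookie['name']}: missing HttpOnly (readable by injected script)")
    if "Strict-Transport-Security" not in headers:
        findings.append("no Strict-Transport-Security header (http:// links stay unencrypted)")
    return findings


# Constructed login responses: both served over https, but only the second
# scopes the session cookie to https and enables HSTS.
WEAK_LOGIN_RESPONSE = {
    "Set-Cookie": ["ssoid=3f9a1c; Path=/; Domain=.example.com"],
}
HARDENED_LOGIN_RESPONSE = {
    "Set-Cookie": ["ssoid=3f9a1c; Path=/; Domain=.example.com; Secure; HttpOnly"],
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

# Constructed request the browser makes for a plain-http market page after the weak login.
SNIFFED_REQUEST = (
    "GET /exchange/football HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: ssoid=3f9a1c; lang=en\r\n"
    "\r\n"
)

if __name__ == "__main__":
    weak = parse_set_cookie(WEAK_LOGIN_RESPONSE["Set-Cookie"][0])
    print("weak cookie sent on http://?", cookie_sent_to(weak, "http://www.example.com/exchange/football"))
    print("sniffer sees:", cookies_visible_on_wire(SNIFFED_REQUEST))
    for finding in audit_login_response(WEAK_LOGIN_RESPONSE):
        print(" -", finding)
    print("hardened findings:", audit_login_response(HARDENED_LOGIN_RESPONSE))
```

The Secure attribute is what makes "the whole site over https" enforceable: without it, a single http:// link (or an attacker-injected one) is enough to make the browser hand the session to the network.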
I am the one and only223 December 7, 2010 4:19 PM GMT
I log in and out of my account all the time, so the current display of the ip address for the last 10 log-ins is completely useless.  It might only go back half an hour.  It would be better if they had the last 10 log-ins from each ip-address used to access my account.  And the email if the IP address changes is a great idea.
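The distinct-IP login history asked for in this post, together with the "email me when the IP changes" idea from earlier in the thread, as an added example (Python written for this page; the log format and the lines themselves are constructed, using RFC 5737 documentation addresses, and are not Betfair's logs). Failed attempts are parsed but excluded from the "used to log in" summary.

```python
"""Distinct-IP login summary and new-IP alerting over a constructed login log (added example)."""
import re
from datetime import datetime, timezone

# Assumed record format: "<ISO-8601 UTC> user=<name> ip=<addr> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """One log line -> dict with an aware datetime, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def ip_summary(lines, user):
    """Every distinct address the user has logged in from, with first/last
    successful login and a count: the view the post asks for instead of 'last 10'."""
    summary = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["user"] != user or rec["result"] != "ok":
            continue
        entry = summary.setdefault(rec["ip"], {"first": rec["ts"], "last": rec["ts"], "count": 0})
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        entry["count"] += 1
    return summary


def new_ip_alerts(lines):
    """Walk the log in time order; a successful login from an address never
    seen for that user is an alert (the event an e-mail/SMS would go out on).
    A user's very first login is reported too, so a caller can seed its known set."""
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    seen = {}
    alerts = []
    for rec in records:
        if rec["result"] != "ok":
            continue
        known = seen.setdefault(rec["user"], set())
        if rec["ip"] not in known:
            alerts.append((rec["user"], rec["ip"], rec["ts"]))
            known.add(rec["ip"])
    return alerts


# Constructed sample: five logins from the home address, one failed attempt from
# elsewhere, and one successful login from an address never seen before.
SAMPLE_LOG = [
    "2010-12-07T08:02:11Z user=getafix ip=192.0.2.10 result=ok",
    "2010-12-07T08:40:53Z user=getafix ip=192.0.2.10 result=ok",
    "2010-12-07T12:58:02Z user=getafix ip=192.0.2.10 result=ok",
    "2010-12-07T13:05:40Z user=getafix ip=198.51.100.7 result=fail",
    "2010-12-07T19:16:30Z user=getafix ip=192.0.2.10 result=ok",
    "2010-12-08T03:12:09Z user=getafix ip=203.0.113.9 result=ok",
    "2010-12-08T08:31:45Z user=getafix ip=192.0.2.10 result=ok",
]

if __name__ == "__main__":
    for ip, entry in ip_summary(SAMPLE_LOG, "getafix").items():
        print(f"{ip:15} logins={entry['count']} first={entry['first']:%Y-%m-%d %H:%M} last={entry['last']:%Y-%m-%d %H:%M}")
    for user, ip, ts in new_ip_alerts(SAMPLE_LOG):
        print(f"ALERT {ts:%Y-%m-%d %H:%M}: first login for {user} from {ip}")
```

The same walk is what a "notify me on change" feature needs server side; the only extra state is the per-user set of addresses already seen.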
cragihol December 7, 2010 4:21 PM GMT
On your first point: I recently tried to transfer some money from my wife's account to mine by placing losing bets. In the old days this was never a problem, but the next day both accounts were suspended and I was told this was money laundering and that if it happened again I would be permanently suspended. So I think if someone tried that illegally it would probably be picked up immediately by Betfair, which is encouraging.
hazel December 7, 2010 5:48 PM GMT
Getafix, that is a good idea.

I know of at least one major security risk that has been with us for as long as I can remember.

I can log into the account of anyone I know without needing to know their password. 

Indeed betfair customer services staff could also breach this security risk.

Its probably not wise to expand further as I might encourage its use.
Getafix December 7, 2010 7:16 PM GMT
Thanks for the responses so far; the list is growing and I think there are some great points.

I noticed a mistake in my original post:

3) Can we have an option to be emailed/SMSed if our IP address changes? I only ever access my computers from my home PCs
should have been
3) Can we have an option to be emailed/SMSed if our IP address changes? I only ever access my betting accounts from my home PCs

but I think you worked out what I was going on about.

I would like to just go over a few points:

mc selecta:
I too am concerned about security and don't really want to have to go down the route of withdrawing all my funds on a Sunday night and redepositing on Saturday morning (as a football gambler).

this is a problem especially when it takes several days for the money to land in your bank account as you end up with having to have much more in your bank account than that needed to cover your bets over several days.  I wonder if the funds, nowadays, can be transferred immediately.  I know certain banks can do it within 2 hours.  Another question added.
I think other options would be to have a 'cool off' period before any new cards can be added or ip addresses used. So you could register a new card but it would take 5 days before it became active.
I don't think the IP cooling off would work because people need access straight away. I agree with an email notification if a card is added to your account, though in this situation I suspect the new account would be traceable; I don't purport to understand the situation with, say, Neteller/PayPal, but I assume they are equally strict?

Ghetto Joe:
Getafix, for the player protection (#2) they need a written request after the 6 months to reopen those parts of the site, but I do agree with all the other points.

In that case, it is probably fine as is - I'll take it off the list.
It's about time Betfair started taking the security of people's money more seriously; even the second stage of a drop-down memorable word like the banks use would be a step in the right direction. I emailed asking why the country restrictions were removed and never even had a reply.
Great idea about the memorable word with drop-downs to select letters; this would certainly get around most of the keyloggers. I suspect the country IP restriction became too difficult to maintain? But it is bad that you got no reply. Astonishingly, they mustn't see this as being an important issue? It would be interesting to see the response to Fine As Frog Hair's questions, in case I worry unnecessarily, but I doubt that!

SHAPESHIFTER - some good points. The https which Mr Magoo refers to would get round most public wifi issues etc., but I am not sure what the burden would be to Betfair. When encrypting the posts to and from the source, extra bumf is added to the bandwidth, but seeing as the API works completely over https, I don't see why the website can't; I am sure with today's internet speeds the https overhead would be negligible. I'm just trying to gauge what a Betfair response would be to this. The https usage would also get rid of that annoying message box that appears every time I want to go to my account (such a simple fix to this, and it has been there for years... anyway, I am going off topic!).

Mr Magoo - Thinking this through more, I think your idea of exposure at the market level, instead of selection, would be better. I am thinking of which would be better for the majority of customers (I still need to think this through more). The idea here, which touches on what "The Management" says about the cost to Betfair of implementing this, would be to keep this as low as possible. Betfair already have the mechanism in place to prevent exposure over a set amount. It would take very little IT development work to add a little extra logic to use this same functionality at a market/selection level. So I wouldn't be too bothered whether market or selection, I think, as long as BF could implement something quickly on the current mechanism.

The Management - I have made requests to the Betfair API team before; still not implemented, but it is always worth a try as you never know lol. Thanks for the acknowledgement with thought and time. I am sure many others consider these points and have emailed as expressed; fortunately, with the Q&A and this thread (hopefully), there will be no way BF can avoid answering/action? One other point: it is of interest to Betfair for the following 2 reasons:
1) If the customers are more comfortable with regard to their account security they are more likely to leave their funds in their accounts. I assume Betfair make interest from the money in our accounts (admittedly, not much by today's standards, but still extra money, and especially when the economic conditions improve again) - another question for the list (interest on customers' accounts) ;)
2) Bad publicity.


I am the one and only223:
I log in and out of my account all the time, so the current display of the ip address for the last 10 log-ins is completely useless.  It might only go back half an hour.  It would be better if they had the last 10 log-ins from each ip-address used to access my account.

I have often thought the same, good point and thanks for reminding me. Added to list.

cragihol:
On your first point: I recently tried to transfer some money from my wife's account to mine by placing losing bets. In the old days this was never a problem, but the next day both accounts were suspended and I was told this was money laundering and that if it happened again I would be permanently suspended. So I think if someone tried that illegally it would probably be picked up immediately by Betfair, which is encouraging.

I can't see how Betfair would pick up this information on a highly liquid market; I suspect this was more the result of additional information being used, such as a cross-check against surname/address and bet amounts?

hazel:
That is very worrying, especially if not to do with the issue expressed by Mr Magoo?

I will post a summary in the next few days, once the topic has been saturated.
The Investor December 7, 2010 7:25 PM GMT
Getafix, have a look at this thread.
http://community.betfair.com/general_betting/go/thread/view/94082/24896773/Where039;s_the_thread_on_hacked_Betfair_accounts_amp;_Security
Getafix December 7, 2010 7:46 PM GMT
Thanks Investor, will check that in a minute.

cragihol - just thought, BF could have picked up on this "transferral" if you were using the same internet connection (IP address)?
Getafix December 7, 2010 8:29 PM GMT
The Investor, I remember these threads; I even remember the one that has disappeared, which I think in fact initiated my concerns. I do remember you posting questions about anti-keylogging software. I did my own research and wasn't entirely convinced these anti-keylogging solutions actually worked; they talked of low-level capture then encryption, but the bugging question was, if they can catch it at that level and encrypt it, why can't a keylogger do the same? I read on other forums that they would cut out many keyloggers but the more advanced would get round it for the reason I just specified. This led my research to the conclusion that there is no way of preventing keylogging (not sure about Macs); however, there is a way of preventing the download of malicious software (to an extent) over the internet, and thus the keylogging software in the first place. I found some software called Sandboxie; google it, it'll become clear, but you really need a "clean" computer before you can use it confidently. I suspect the same could be done for free using "Virtual PC", but you would have to give it some thought, which I have not.

My concerns are more with the possibility of unscrupulous employees (due to my setup), but if I ever fell foul to such a theft, there is no way of proving one way or the other!
Avocado December 8, 2010 3:13 AM GMT
don't really want to have to go down the route of withdrawing all my funds on a Sunday night and redepositing on Saturday morning

What is difficult about doing that? a few clicks of a mouse is all it takes.
Getafix December 8, 2010 8:32 AM GMT
Betfair withdrawals take from 3-5 working days to clear (to a bank; not sure of other methods, i.e., PayPal/Neteller if accepted?). So this means you need 5-7x your required liability sitting in your bank, as a deposit should be immediate. The other problem is the maximum withdrawal allowed, which is around £30k. UK banks only guarantee £50k, so it becomes difficult for the big UK players. Setting up many bank accounts is the only way, but that becomes extremely messy.
Avocado December 8, 2010 6:59 PM GMT
You can withdraw more than 30k I think.
Avocado December 8, 2010 7:00 PM GMT
Withdrawals from Betfair are usually quite quick for me, 3 days maximum.

Might depend what bank you're with though.
Getafix December 9, 2010 12:17 PM GMT
Avocado, I think it is the Visa restriction I refer to.

I have emailed the following:

Hi,

My questions are mainly to do with client security. I would be extremely grateful if you could answer, advise and possibly commit to some of the questions/ideas/recommendations that follow. I started a thread to discuss this in more detail here:

http://community.betfair.com/general_betting/go/thread/view/94082/26407401/Betfair_Security_Improvement_IdeasQuestions

Because I have no idea when the next Q&A session would be, I thought a thread would be better to discuss upfront the interests of fellow clients.

The points are discussed in much depth in the above thread but I will rewrite them (more succinctly) below:

1) Please can we have an "Exposure limit" at market/selection level, not just full account? This would be a fantastic extra as many of us will rarely place a bet above a certain amount. If someone hacks your account, they will likely try and transfer your money in several ways (to be explained below), one of which is to place a bet with the hacked funds and lay it off with their other account. This I assume would be done with highly liquid events, i.e., an important football match where it is nigh on impossible to see where it would have been transferred. By having a bet exposure limit, the criminal would have to place numerous bets in order to "transfer" funds. This could prevent losing the whole bank immediately, with the chance of noticing the hack earlier. Also, it may be possible for Betfair security to whittle down the possible criminals (all users betting in the same events). This option would also have another massive improvement as it could help protect clients against spelling mistakes, i.e., backing for £1000 when you meant £100 could be avoided if the client had, say, a limit of £500 defined!

2) Please can we have an option to be emailed/SMSed if our login IP address changes? Letting us know when a login IP address changes allows us to change passwords / contact the Betfair security team immediately if we know it isn't us.

3) Please can we have options to restrict access from other countries (but no option to unrestrict)? This should be possible by analysing the login IP address. If we go on holiday abroad and want to access Betfair, maybe lifting of the country restriction should only be allowed by phoning Betfair (not a web-account option). I am assuming there would be security checks done over the phone, maybe also some email confirmation (a link you have to click)? I believe something like this used to be an option; why has it been removed?

4) I know that if there were unscrupulous employees at Betfair, account login info could be easily leaked, or could it? What measures do Betfair use to ensure the security of members' accounts? I assume there is some kind of top encryption on login details, but is there additional security on these databases to prevent, say, any Betfair developer querying this data?

5) What is the actual history on BF accounts being hacked and monies transferred out? Has BF compensated people?

6) What happens when people add new bank cards to their Betfair accounts? Can they withdraw funds immediately to these different accounts? If immediate withdrawal is possible and money was withdrawn to a criminal bank account, would this be the responsibility of Betfair / the bank / the client? Perhaps a cool-off period would be beneficial for withdrawals to new cards? This leads on to the next question:

7) Please can we have an option to be emailed/SMSed if sensitive data is changed on the site, i.e., password changes, address changes, bank/credit cards added to the account, etc.?

8) Please can we have a tighter login to the website, i.e., what banks use: select letters from a memorable word/password from drop-down boxes. This makes it more difficult for keyloggers to pick this info up.

9) Please can the whole website be changed to use https (like the API) so that users using public wifi etc. have more security (prevent their sessions being cloned, etc.)?

10) The current security feature on the website shows the last 10 logins; this is not very practical as many users log in multiple times during the day. Instead, could we have a list of all distinct IP addresses with the last time each was used to log in (say for the last 6 months)?

11) Please can you contact the forumite known as Hazel to rectify a known security problem: "I can log into the account of anyone I know without needing to know their password. Indeed betfair customer services staff could also breach this security risk."

12) Do Betfair have any additional security improvements planned for the future which are not contained in the above list?

Non security related questions:
1) Do Betfair earn interest on clients' funds? If so, are clients' funds higher than £50k protected?

Hopefully you will see the recommendations as reasonable and push forward such implementation. I believe this would be a win-win for both Betfair and client. Please keep an eye on the above thread as I am sure there will be more to debate when your response is published. I will republish the thread if it gets culled after a certain amount of time (not sure if content expires on this new forum), so just search for the title "Betfair Security Improvement Ideas/Questions" in the General Betting section in such an event.

Many thanks

Getafix

P.S. - this has taken me a long time to write so please confirm receipt of this email.
Getafix December 9, 2010 12:18 PM GMT
Sorry about the formatting.

Also Hazel, I hope you don't mind me asking them to contact you, as I think it extremely important they should be aware of such issues for the benefit of all of us.
brendanuk1 December 9, 2010 12:21 PM GMT
Excellent stuff lads.
Rocket to the FACE December 9, 2010 12:32 PM GMT
3 days for a withdrawal is a joke. I'm sure somebody asked them in the last Q&A if they had plans to offer quicker withdrawals. Worth asking them again I suppose, I'll send an email.
Rocket to the FACE December 9, 2010 12:34 PM GMT
Good email, btw.
Getafix December 9, 2010 12:44 PM GMT
Thanks all for input into this :)

Got a quick confirmation which is good:

Dear Sir/Madam,

Thank you for your contribution to the forum Q&A session.

It is greatly appreciated and will assist us making improvements to our product. Unfortunately it is not possible for us to respond to each email individually but we will endeavour to answer all questions raised via the live Q&A session.

Should you have any queries about the site or your account, please e-mail our Helpdesk on info@betfair.com.

Kind regards,
The Betfair Team
hazel December 9, 2010 4:39 PM GMT
Getafix, I don't mind if they contact me. If they don't contact me by Monday I will add the detail to this thread so you can then add it to your Q&A request if you want.

Well done on bringing all this together.
Getafix December 9, 2010 5:49 PM GMT
I am really glad you don't mind; after I had sent the email I kicked myself, I should not have sent that without asking your permission first (sorry). I need to learn to think a bit more before going headlong into things (like some of my bets earlier lol).

If the issue is not related to cloning sessions over, say, a public network, it is perhaps best not to publish details here like you originally said, as I am doubtful you will be contacted anyway - would like to be proved wrong though? Maybe send it directly to them via that Q&A email address on Monday if you have not heard anything?
The Investor December 9, 2010 5:54 PM GMT
Good email Getafix,

I can answer the non security question:
Non security related questions:
1) Do betfair earn interest on client's funds?  If so, are client's funds higher than £50k protected?

Yes they do. "In addition, revenue from management of customer funds fell by £5.7 million to £2.6 million during the year as a result of the low interest rate environment." This is a quote from Betfair investor relations.

Obviously funds are not protected even below £50k (if you are referring to government guarantees for bank accounts, which I guess you are); that doesn't apply at all.
Getafix December 9, 2010 6:27 PM GMT
That's scary, The Investor; so in essence, if the banks which Betfair earn interest from go bust, we will lose all our account money?

I assume it isn't that straightforward; they probably hold the money in hundreds(?) of different bank accounts so the threat is minimised. It begs the question though as to whether they would push the losses in such an event onto the customer!?
The Investor December 9, 2010 7:01 PM GMT
Getafix, I don't think that's a big worry to be honest.

I know Betfair do indeed hold their money with a wide variety of institutions to minimise this risk.

You can be extremely confident that Betfair will take the loss if funds are lost, as it would kill the business if they didn't.

Betfair have colossal cash reserves, so I think in this respect your money is safer with Betfair than with a bank.

In other ways your funds are far less secure though. Fraudulent activity being one example. I have had my credit card cloned before, and the bank took the losses (I didn't need to pay), there are rules and laws covering these kind of events, which don't apply to Betting exchanges. That is a far larger concern than a bank holding customer funds going bust.
Getafix December 9, 2010 7:37 PM GMT
Hi The Investor, I agree, probably not a big worry to be honest. As long as Betfair don't have their colossal cash reserves in the bank that goes bust lol. No seriously, I know these reserves will likely be spread with the rest. From my limited understanding of these things (I will read up on it) the 50k guarantee is just that, a guarantee! So imo it has to be safer in a bank account than Betfair because you know for definite it will not disappear with the bank. I can imagine it would be almost impossible for Betfair or any exchange to ever compensate fraudulent activity, as people could dishonestly claim the huge bet they just lost was the result of their account being hacked. All we can hope for (imo) is for Betfair to take some of the advice above to limit these problems as much as possible.

I am thinking about your example of a credit card being cloned and the difference between that and say a huge bet being placed from an alternate ip address in irregular fashion?  I wish I knew more about the methods banks use to compensate they must be insured or something, could betfair follow such a lead?  Would it be possible?  Do they already? Who knows!?  Probably getting ahead of myself, as hopefully the answers to FAFH's questions will shed light on this!
Yojimbo December 10, 2010 5:22 PM GMT
Getafix - this knowledge is from 3 years ago but I don't think much has changed. If your card is fraudulently used and your bank returns the money to you, it is likely although not 100% certain that the funds will be taken off the merchant where the funds were spent. So if someone gets your card details and buys a MacBook on Dixons' website, your bank will ask Dixons for proof it was you that made the transaction. They will almost certainly be unable to do this, and then your bank will take the money from Dixons and give it to you. It is the exception to the rule where a bank will actually lose money itself by compensating a victim of fraud when the bank is not directly responsible itself.
hazel December 13, 2010 1:53 PM GMT
Getafix, I did get a call from Betfair. I am not sure if they feel it is such a security risk as I do. I will let you decide if you want to include it.

It concerns "forgot my password" procedure.  You can log into someone else's account without knowing their password.  All you need to know is their username, email and 2 security questions.  The 2 security questions can be as little as D.O.B and where born. 

Some people at betfair know all four requirements.  For instance if you phone with an account query you give them the answer to your 2 security questions.  They could write them down and pass the information onto a third party residing anywhere in the world. 

You cannot change your security questions online, you have to phone betfair customer services and allow them to make the changes. Again adding to the risk.

Anyone who is a close friend of yours may also know the answers by default and be able to access your account.

All my bank accounts require more secure methods if you forget your password, such as emailing you with a code or a temporary password.  One of my banks only allows postal method. Security questions are just that, they are not a replacement for a password.

I can see that a third party who may be given such details would need to act carefully, but there is a good chance that anyone who has had their account password changed and bets placed without their knowledge has fallen foul of this security risk.
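The two reset flows Hazel contrasts, as an added example (Python written for this page; the account record is constructed, and nothing here is Betfair's or any bank's code). The knowledge-based check passes for anyone who holds four facts about the account holder, which is exactly the friend or call-centre exposure described above; the token flow instead e-mails a random single-use token valid for 15 minutes to the registered address, keeps only its hash server side and compares in constant time, so knowing the security answers is no longer enough.

```python
"""Knowledge-based password reset beside a single-use e-mailed token (added example)."""
import hashlib
import hmac
import secrets
import time

# Constructed account record (an assumption for the example).
ACCOUNTS = {
    "alice": {"email": "alice@example.com", "dob": "1975-03-14", "born": "Leeds"},
}


def weak_reset(username, email, dob, born, accounts=ACCOUNTS):
    """Knowledge-based reset: anyone holding the four facts (username, e-mail,
    date of birth, birthplace) gets in, and those facts are shared with
    friends and with staff who hear them over the phone."""
    acct = accounts.get(username)
    return bool(acct) and (email, dob, born) == (acct["email"], acct["dob"], acct["born"])


RESET_TTL_SECONDS = 15 * 60
MAX_ATTEMPTS = 5


class ResetTokens:
    """Token-based reset: a random single-use token goes to the address on
    file; the server stores only its SHA-256, so a leaked copy of this table
    cannot be redeemed, and possession of the mailbox is what the flow proves."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # username -> {"digest", "expires", "attempts"}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, accounts=ACCOUNTS):
        """Return the token to put in the e-mail, or None for an unknown user
        (the HTTP reply to the requester must look the same either way)."""
        if username not in accounts:
            return None
        token = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        self._pending[username] = {
            "digest": self._digest(token),
            "expires": self._clock() + RESET_TTL_SECONDS,
            "attempts": 0,
        }
        return token

    def redeem(self, username, token):
        """True exactly once, for the right token, before it expires."""
        rec = self._pending.get(username)
        if rec is None:
            return False
        if self._clock() > rec["expires"]:
            del self._pending[username]
            return False
        rec["attempts"] += 1
        if not hmac.compare_digest(rec["digest"], self._digest(token)):
            if rec["attempts"] >= MAX_ATTEMPTS:
                del self._pending[username]   # stop online guessing
            return False
        del self._pending[username]           # single use
        return True


if __name__ == "__main__":
    print("weak flow, friend who knows the facts:", weak_reset("alice", "alice@example.com", "1975-03-14", "Leeds"))
    store = ResetTokens()
    tok = store.issue("alice")
    print("token flow, guessed token:", store.redeem("alice", "not-the-token"))
    print("token flow, real token:   ", store.redeem("alice", tok))
    print("token flow, replayed:     ", store.redeem("alice", tok))
```

The security questions can still serve as a second signal before the e-mail is sent, but as Hazel says they are not a replacement for a password: the thing that should gate a reset is something only the account holder possesses.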
The Investor December 13, 2010 11:38 PM GMT
Is anyone asking any of these on the Q&A tomorrow?
Getafix December 14, 2010 7:57 AM GMT
Yojimbo - that is very interesting; using an analogy for Betfair, it would be almost impossible for them to know where the fraudulent part of the bet went, so it would have to be Betfair giving the refund (if they would) in such an event.

Hazel, I phoned Betfair at the weekend and I recall having to say my name and DOB into a "speech recognition" program. I suspect this will get round some of the worry about Betfair employees tracking your info? I don't know whether you are asked again by the operator for such details, as I wasn't phoning to place a bet/change account details. It has been around 6 years since I opened my original account and I can't even remember entering security questions. Maybe I should pretend I have lost my password for an account and see what the procedure is? Unless one of you who knows the procedure is happy to email some suggestions/questions about this part of "can't remember password" to Betfair?

The only questions I have emailed so far are those as per my 09 Dec 10 12:17 post.
Getafix December 14, 2010 9:06 AM GMT
I forgot to mention, it's a credit to betfair that they did get in touch with you, Hazel; it indicates they do take security extremely seriously.
hazel December 14, 2010 11:47 AM GMT
Getafix is sent the following to livechat;

"Further to the questions submitted by Getafix, do you believe that your procedure for customers to obtain new passwords when they have forgotten theirs is as secure from fraudulent use as that provided by mainstream online banks?"
hazel December 14, 2010 12:23 PM GMT
Getafix sorry for typo - I should have said - I sent the following to livechat
Getafix December 14, 2010 6:49 PM GMT
Thanks Hazel
Getafix December 14, 2010 6:51 PM GMT
Betfair Live Chat, 14 Dec 10 18:06:
Welcome to the forum Q&A, apologies for being 5 minutes late.

We will start to post answers to questions which have been emailed into us in advance. Customers who wish to ask further questions during this session can either respond in this thread, or email their questions to livechat@betfair.com.

Among the Betfair representatives answering questions this evening are Andrew French (UK Community Manager) and Lee Cowles (Director of our UK business).


No option for me to respond in that thread!  Shame.  I'll try and get the main question answered again as it doesn't even look like they've read the question!:

Betfair Live Chat, 14 Dec 10 18:13:
Please can we have an "Exposure limit" at market/selection level not just full account? This would be a fantastic extra as many of us will rarely place a bet above a
certain amount.  If someone hacks your account, they will likely try and transfer your money in several ways (to be explained below) one of which is to place a bet with
the hacked funds and lay it off with their other account.  This I assume would be done with highly liquid events i.e., an important football match where it is nigh on
impossible to see where it would have been transferred.  By having a bet exposure limit, the criminal would have to place numerous bets in order to "transfer" funds.
This could prevent losing the whole bank immediately with the chance of noticing the hack earlier.  Also, it may be possible for betfair security to whittle down the
possible criminals (all users betting in same events). This option would also have another massive improvement as it could help protect clients against spelling
mistakes i.e., backing for £1000 when you meant £100 could be avoided if client had say a limit of £500 defined!

We currently offer Loss Limits on our Arcade & Quick Play and Poker products, and there is also transfer limits functionality available on our Exchange Games and Casino products. 
Getafix December 14, 2010 7:00 PM GMT
Email sent as below:


Hi Andrew, Lee,

I sent the following question for which you have replied (I quote below)

Please can we have an "Exposure limit" at market/selection level not just full account? This would be a fantastic extra as many of us will rarely place a bet above a
certain amount.  If someone hacks your account, they will likely try and transfer your money in several ways (to be explained below) one of which is to place a bet with
the hacked funds and lay it off with their other account.  This I assume would be done with highly liquid events i.e., an important football match where it is nigh on
impossible to see where it would have been transferred.  By having a bet exposure limit, the criminal would have to place numerous bets in order to "transfer" funds.
This could prevent losing the whole bank immediately with the chance of noticing the hack earlier.  Also, it may be possible for betfair security to whittle down the
possible criminals (all users betting in same events). This option would also have another massive improvement as it could help protect clients against spelling
mistakes i.e., backing for £1000 when you meant £100 could be avoided if client had say a limit of £500 defined!

We currently offer Loss Limits on our Arcade & Quick Play and Poker products, and there is also transfer limits functionality available on our Exchange Games and Casino products.   


Please can you re-read the question as I don't think you understood what I was getting at?  This is to do with possible fraud via the sports exchange - nothing to do with loss limits on any of the other betfair products .

Many kind regards
Getafix

P.S. - we can't reply directly to the thread as stated in your opening post:


Welcome to the forum Q&A, apologies for being 5 minutes late.
We will start to post answers to questions which have been emailed into us in advance. Customers who wish to ask further questions during this session can either respond in this thread, or email their questions to livechat@betfair.com.
Among the Betfair representatives answering questions this evening are Andrew French (UK Community Manager) and Lee Cowles (Director of our UK business).
Getafix December 20, 2010 7:53 AM GMT
I was hoping to post earlier with regards to answers.  I'm struggling for time so I'll tackle one at a time.  First off the re-question in above post:

Please can you re-read the question as I don't think you understood what I was getting at? This is to do with possible fraud via the sports exchange - nothing to do with loss limits on any of the other betfair products .

Apologies, you’re right, we didn’t answer your question – it’s an interesting point which we’ll raise with the right expert internally. Setting multiple limits on accounts is complex though, would slow the site down and can be confusing so not sure if that’s the best way to address your concern. At the risk of repetition, the most important thing is making sure you have a strong password and security questions and changing them if you have any worries about their security.


I pretty much disagree with all these points.  It should not slow down the site because if they piggyback on the current exposure functionality it is one extra "if" statement.  To use an example of why I think it will have very limited impact on api/website performance, I assume currently there will be code like the following:

// Assumed existing check: a single account-level exposure limit
double totalLiab = GetTotalLiab((int)Session["ID"]);
double exposureLimit = (double)Session["Exposure"];
double liab = 0;

if (betType == "B")
{
    liab = betStake;                // back bet: you can lose the stake
}
else
{
    liab = (odds - 1) * betStake;   // lay bet: you can lose (odds - 1) * stake
}

if (totalLiab + liab < exposureLimit)
{
    //place bet
}....




the above code I would expect to be a generic function which is called when a bet is placed.  It could be tricky for betfair if their code is awful but considering the IT infrastructure I expect their code will be top notch and object oriented so think little problem implementing this.  For completeness my piggyback addition would be as follows:

// Piggyback: the new per-bet limit only tightens the limit used by the same check
double totalLiab = GetTotalLiab((int)Session["ID"]);
double exposureLimit = (double)Session["Exposure"];
double betExposure = (double)Session["BetExposure"];
double liab = 0;

if (betType == "B")
{
    liab = betStake;
}
else
{
    liab = (odds - 1) * betStake;
}

if (exposureLimit > betExposure)
    exposureLimit = betExposure;

if (totalLiab + liab < exposureLimit)
{
    //place bet
}....



Simples!
Getafix December 20, 2010 8:02 AM GMT
I shouldn't think multiple exposures would be confusing to betfair users. Well, it may be to first time users of the site but the default setting would be there is no exposure set for the bet (market/selection) limit (i.e., initially set to 9999999999999 GBP).  This bet level exposure would be an optional extra for advanced users.
Getafix December 20, 2010 8:41 AM GMT
Just thought of a mistake in my logic over breakfast, that'll teach me to rush posts! I have not considered the market liab in the above code.  This should be relatively simple to handle will require possibly 2 extra "if" statements.  I still don't consider 3 "if" checks to be expensive but BF will know better?  I'll post a correction to my code later if I get time?
Getafix December 20, 2010 12:01 PM GMT
2nd attempt:

double totalLiab = 0;
double marketLiab = 0;

// returns both the account-wide liability and the liability already held in this market
GetLiabs((int)Session["ID"], marketId, out totalLiab, out marketLiab);
double exposureLimit = (double)Session["Exposure"];
double betExposure = (double)Session["BetExposure"];
double liab = 0;

if (betType == "B")
{
    liab = betStake;
}
else
{
    liab = (odds - 1) * betStake;
}

// existing account-level check
bool withinLimits = totalLiab + liab < exposureLimit;

// new market-level check, only needed when the per-bet limit is tighter than the account limit
if (withinLimits && betExposure < exposureLimit)
{
    withinLimits = marketLiab + liab < betExposure;
}

if (withinLimits)
{
    if (fundsAvailable >= liab)
    {
        //place bet
        ....
    }
}
....


Note this implies the new "BetExposure" can never be set higher than the "account" Exposure from the new options page (if bf decide to implement).

Because we are piggybacking current exposure functionality I can't see why this would be difficult to implement especially considering this took me about 30 mins to think through.  Obviously nothing is ever easy and my version is a very simplified attempt but can't see this taking much resources to run and implement properly?
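As an added example (not Betfair's code, and not the C# sketch above), here is the same two-level check written out as runnable Python: the existing account-level exposure comparison, an optional per-market limit clamped so it can never exceed the account limit, and a small helper showing how a cap forces anyone draining the balance to spread it over several markets. The Bet/Account model, the limit values and all helper names are assumptions made for the illustration.

```python
"""Added example (not Betfair's code): the account-level exposure check from the
post above, with the proposed per-market limit layered on top.  The Bet/Account
model, the limit values and the helper names are assumptions for illustration."""
from dataclasses import dataclass, field
from math import ceil
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Bet:
    market_id: str
    side: str      # "B" = back, "L" = lay
    stake: float
    odds: float    # decimal odds, e.g. 2.5

    @property
    def liability(self) -> float:
        # Back bet: the most you can lose is the stake.
        # Lay bet: the most you can lose is (odds - 1) * stake.
        if self.side == "B":
            return self.stake
        if self.side == "L":
            return (self.odds - 1.0) * self.stake
        raise ValueError(f"unknown bet side {self.side!r}")


@dataclass
class Account:
    funds: float
    account_limit: float                   # the existing "Exposure" option
    market_limit: Optional[float] = None   # proposed optional per-market limit
    open_bets: List[Bet] = field(default_factory=list)

    def set_market_limit(self, limit: float) -> float:
        # The per-market limit can never be set higher than the account limit.
        self.market_limit = min(limit, self.account_limit)
        return self.market_limit

    def total_liability(self) -> float:
        return sum(b.liability for b in self.open_bets)

    def market_liability(self, market_id: str) -> float:
        return sum(b.liability for b in self.open_bets if b.market_id == market_id)

    def try_place(self, bet: Bet) -> Tuple[bool, str]:
        if bet.stake <= 0 or bet.odds <= 1.0:
            return False, "invalid stake or odds"
        liab = bet.liability
        # Existing account-level check: one comparison against the running total.
        if self.total_liability() + liab > self.account_limit:
            return False, "account exposure limit exceeded"
        # Proposed market-level check: one more comparison, against the
        # liability already held in this market.  Skipped when no limit is set.
        if (self.market_limit is not None
                and self.market_liability(bet.market_id) + liab > self.market_limit):
            return False, "market exposure limit exceeded"
        if liab > self.funds:
            return False, "insufficient funds"
        self.funds -= liab
        self.open_bets.append(bet)
        return True, "placed"


def markets_needed_to_drain(balance: float, market_limit: float) -> int:
    """Number of separate markets needed to move `balance` out through back
    bets when each market is capped at `market_limit` liability."""
    return ceil(balance / market_limit)


if __name__ == "__main__":
    acct = Account(funds=2000.0, account_limit=5000.0)
    acct.set_market_limit(500.0)
    # A single bet for the whole balance is refused by the market limit...
    print(acct.try_place(Bet("football-1", "B", 2000.0, 1.9)))
    # ...a 500 back fits, but a further 10 lay at 2.5 (liability 15) does not.
    print(acct.try_place(Bet("football-1", "B", 500.0, 1.9)))
    print(acct.try_place(Bet("football-1", "L", 10.0, 2.5)))
    print(markets_needed_to_drain(2000.0, 500.0))
```

The market check is evaluated only after the account check passes, so an account with no per-market limit set costs exactly the comparison it costs today; setting one adds a single comparison against a per-market sum that the existing liability query already has to know.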
ocean0201 April 4, 2011 12:41 AM BST
bringing this thread up for inatimate1
qcmath July 7, 2011 3:40 PM BST
Hi,
My question is simple: how do i transfer funds to a paypal account?
Cardinal Scott July 8, 2011 1:07 AM BST
Excellent thread this containing the Direct opposite of Drivel ................Hat Tip to all!
Getafix November 11, 2011 10:34 AM GMT
With the upcoming first general live chat since last year I thought I'd do a review to see what progress has been made in terms of security over the last 11 months. I have tried to match up the correct responses.  Hopefully this will format okay?
I intend to forward this for the next chat (deadline Sunday)


Hi,
My questions are mainly to do with client security. I would be extremely grateful if you could answer, advise and possibly commit to some of the
questions/ideas/recommendations that follow.  I started a thread to discuss this in more detail here:
http://community.betfair.com/general_betting/go/thread/view/94082/26407401/Betfair_Security_Improvement_IdeasQuestions
because I have no idea when the next q&a session would be I thought a thread would be better to discuss upfront the interests of fellow clients.
The points are discussed in much depth in the above thread but I will rewrite (more succinctly) below:


1) Please can we have an "Exposure limit" at market/selection level not just full account? This would be a fantastic extra as many of us will rarely place a bet above a
certain amount.  If someone hacks your account, they will likely try and transfer your money in several ways (to be explained below) one of which is to place a bet with
the hacked funds and lay it off with their other account.  This I assume would be done with highly liquid events i.e., an important football match where it is nigh on
impossible to see where it would have been transferred.  By having a bet exposure limit, the criminal would have to place numerous bets in order to "transfer" funds.
This could prevent losing the whole bank immediately with the chance of noticing the hack earlier.  Also, it may be possible for betfair security to whittle down the
possible criminals (all users betting in same events). This option would also have another massive improvement as it could help protect clients against spelling
mistakes i.e., backing for £1000 when you meant £100 could be avoided if client had say a limit of £500 defined!

BF> it’s an interesting point which we’ll raise with the right expert internally. Setting multiple limits on accounts is complex though, would slow the site down and can be confusing so not sure if that’s the best way to address your concern. At the risk of repetition, the most important thing is making sure you have a strong password and security questions and changing them if you have any worries about their security.
My comments> I don't believe anything has been done here which is fair enough if too difficult to implement?


2) Please can we have an option to be emailed/SMS if our login ip address changes?  Letting us know when an ip login address changes allows us to change passwords /
contact the betfair security team immediately if we know it isn't us.

BF> We will evaluate this alert in conjunction with the answer to question number 3 (below).
My comments> (the BF answer can be seen in my point 7 below).


3) Please can we have options to restrict access from other countries (but no option to unrestrict) - this should be possible by analysing the login ip address.  If we
go on holiday abroad and want to access betfair, maybe lifting of the country restriction should only be allowed by phoning betfair (not a web-account option) - I am
assuming there would be security checks done over phone, maybe also some email confirmation (a link you have to click)?  I believe something like this used to be an
option why has it been removed?

BF> This functionality did not perform well enough and was only taken up by a few customers. We are continuing to analyse how best to redeploy this capability in the future as a part of improvements to the ‘My Security’ tab.
My comments> There have been no changes to "my security" tab that I can see?  Is there still work being done here?


4) I know that if there were unscrupulous employees at betfair, account login info could be easily leaked or could it?  What measures do betfair use to ensure the
security of member's accounts?  I assume there is some kind of top encryption on login details but is there additional security on these databases to prevent say any
betfair developer querying this data?

BF> Please be assured that account login details, such as passwords, are not stored in the database in clear text. Passwords are hashed and security questions are encrypted. Databases and account access are monitored by Security staff to prevent unauthorised access.
My comments> It was reported that the betfair data loss (March 2010) went undiscovered for 2 months (until one of the Malta servers crashed).  What were the security staff doing?  This I find very worrying.


5) What is the actual history on BF accounts being hacked and monies transferred out ?
Has BF compensated people ?

BF> As with any online business, Betfair can suffer attacks against its customers and accounts. However we have extensive monitoring of these through a number of different techniques and treat each and every event seriously in order to protect our customers and their funds. We urge all customers to ensure they keep their account details safe and, if they believe an issue has occurred, to immediately call the Helpdesk.


6) What happens when people add new bank cards to their betfair accounts, can they withdraw funds immediately to these different accounts?  If immediate withdrawal
possible and money was withdrawn to a criminal bank account would this be the responsibility of betfair/the bank/the client?  Perhaps a cool off period would be
beneficial for withdrawals to new cards? 

BF> We operate a closed loop policy which enforces the withdrawal of funds back to their source. This means that the customer will be required to level off any deposits made with the same amount of withdrawals for certain payment methods (Cards, Moneybookers, Neteller, Paypal) before withdrawal of any excess funds back to a different payment source.  There is currently a delay in our withdrawal process which enables us to carry out enhanced checks before processing payments.


7) Please can we have an option to be emailed/SMS if sensitive data is changed on the site i.e., password changes, address changes, bank/credit cards added to
account etc.

BF> As requested by our customers, our security team has worked to develop alerting on any changes to customer account details.  This will mean that changes to passwords, payment methods, address and other account changes will be notified to the e-mail address we have for the account. Changes to e-mail address will be sent to the old e-mail address as confirmation. This provides additional visibility and security of your customer account details and should be in place in the first quarter of next year.
My comments> This was perhaps one of the most important requests and it was good that you had intentions of getting this out.  This is seriously behind schedule as this was promised beginning of this year.  Has this been dropped? How long extra?

8) Please can we have a tighter login to the website, i.e., what banks use i.e., select letters from a memorable word/password from drop down boxes - this makes it more
difficult for keyloggers to pick this info up.

BF> Our security team are currently evaluating a number of different authentication options to roll out next year to provide additional protection as requested by our users. This suggestion will be incorporated into that analysis and evaluation.
My comments> Did the security team decide against any additional protection or should we expect something by end of December?  This "letter selection" suggestion is one of the most basic measures and would have put my mind at ease with the recent DNS hack that was out of your hands.  A more severe DNS hack could have forwarded people to a betfair clone (and then recorded logins).

9) Please can the whole website be changed to use https (like the api) so that users using public wifi etc have more security (prevent their sessions being cloned etc)?

BF> We are evaluating this change across our products and as it is a significant change in our website operation it must be planned with care. For clarity, authentication is performed via HTTPS encryption.
My comments> All fine with authentication but doesn't help with the situation of session cloning.

10) The current security feature on the website shows the last 10 logins, this is not very practical as many users login multiple times during the day.  Instead could
we have a list of all distinct ip addresses with the last time it was used to login (say for last 6 months)?

BF> This is a good suggestion and we will incorporate this thinking into any planned changes to the My Security page.
My comments> It is starting to seem like there are no plans to improve security so please can this be implemented on its own merit?  It would also be useful if there was an api call that could request such info too?  This would be extremely useful for api users/vendors as users could be notified immediately if a suspicious (different) ip has been used recently!

11) Please can you contact the forumite known as Hazel to rectify a known security problem - "I can log into the account of anyone I know without needing to know their
password. Indeed betfair customer services staff could also breach this security risk."

BF>We have made contact with the forum user concerned and understand the risk they have identified. We do not feel our customers are at any greater risk of compromise based on what was disclosed but as always we do advise customers to have strong passwords and security questions. If customers would like these changed please use the website or contact our Helpdesk.


12) Do betfair have any additional security improvements planned for the future which is not contained in the above list?

BF> To summarise, Betfair are improving both internal security controls as well as security features seen by the customer. This includes alerting on suspicious activity to our fraud teams, the evaluation of 2-factor authentication offered on an opt-in basis, the improvements of customer alerting around changes to password details, address or other account details, and improvements to the ‘My Security’ tab on the website. As always Betfair appreciates customer feedback in this area.
My comments>Maybe I am becoming impatient as nothing suggested or promised has been delivered so far (that I can see).  At the same time we have seen changes to the forum etc which does not add value to the platform imo.  Time better spent on security (again imo).



Non security related questions:

1) Do betfair earn interest on client's funds?  If so, are client's funds higher than £50k protected?
Hopefully you will see the recommendations as reasonable and push forward such implementation.  I believe this would be a win-win for both betfair and client.

My comments> I can't see a reply for this.  But we now know interest is earned by betfair on funds and the protection in place (search this forum for user Nemesis if anyone interested in more detail).




All in all, very disappointing. In 11 months, nothing seems to have been done?  I expect the large turnover of staff hasn't helped but it would be nice to know if betfair do still intend to improve these areas?  The main disappointment for me is the fact there were plans for alerts etc and by the sounds of the responses they had virtually been implemented already.  This was encouraging as it sounded that betfair were working proactively on their own merit.  This is not a crusade for me, I am not here to show betfair in a bad light, I would just like to feel more confident leaving a large balance here.  I believe betfair has good intentions here (or did) they just haven't materialised yet.

I will probably add some more suggestions over the coming days such as the IP logging to also log internal betfair ip addresses (if it doesn't already - maybe someone who uses the telephone betting service can confirm)?

Please feel free to comment, add ideas etc


Getafix
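As an added example (not Betfair's code), this is the "distinct IP addresses with last login time" view asked for in point 10 above, together with the first-seen-IP alert from point 2, computed over a constructed login history. The log format (timestamp, client IP, channel), the channel names (so telephone logins show up alongside web and api ones) and the sample addresses (RFC 5737 documentation ranges) are all assumptions made for the illustration.

```python
"""Added example (not Betfair's code): the "distinct IPs with last login" view
requested above, plus an alert the first time an IP not on a known list logs in.
The log format and the sample lines are constructed for this example."""
import ipaddress
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample history, one login per line:
#   <ISO-8601 UTC timestamp> <client IP> <channel>
# Addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOGINS = """\
2011-11-01T07:55:12Z 203.0.113.5 web
2011-11-01T12:30:44Z 203.0.113.5 web
2011-11-02T19:02:09Z 203.0.113.5 api
2011-11-05T22:41:30Z 198.51.100.77 web
2011-11-06T08:10:00Z 203.0.113.5 web
2011-11-09T03:15:21Z 192.0.2.200 web
2011-11-09T03:16:40Z 192.0.2.200 web
2011-11-10T14:00:05Z 203.0.113.5 telephone
"""

Record = Tuple[datetime, str, str]


def parse_logins(text: str) -> List[Record]:
    """Parse the log text into (timestamp, ip, channel) tuples, oldest first."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts_text, ip, channel = line.split()
        ipaddress.ip_address(ip)  # reject malformed addresses early
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((ts, ip, channel))
    records.sort()
    return records


def distinct_ips(records: Iterable[Record], since: Optional[datetime] = None) -> Dict[str, dict]:
    """One row per IP: first/last login, login count and channels used,
    most recently used IP first.  `since` trims the history (e.g. to 6 months)."""
    summary: Dict[str, dict] = {}
    for ts, ip, channel in records:
        if since is not None and ts < since:
            continue
        row = summary.setdefault(ip, {"first_seen": ts, "last_seen": ts, "logins": 0, "channels": set()})
        row["first_seen"] = min(row["first_seen"], ts)
        row["last_seen"] = max(row["last_seen"], ts)
        row["logins"] += 1
        row["channels"].add(channel)
    return dict(sorted(summary.items(), key=lambda kv: kv[1]["last_seen"], reverse=True))


def new_ip_alerts(records: Iterable[Record], known_ips: Iterable[str] = ()) -> List[Record]:
    """Return the first login from every IP not already in `known_ips`.
    Seeding `known_ips` with the user's own static address leaves only the surprises."""
    seen = set(known_ips)
    alerts: List[Record] = []
    for ts, ip, channel in records:
        if ip not in seen:
            seen.add(ip)
            alerts.append((ts, ip, channel))
    return alerts


if __name__ == "__main__":
    history = parse_logins(SAMPLE_LOGINS)
    for ip, row in distinct_ips(history).items():
        print(f"{ip:15} last {row['last_seen']:%Y-%m-%d %H:%M} logins={row['logins']} via {sorted(row['channels'])}")
    for ts, ip, channel in new_ip_alerts(history, known_ips={"203.0.113.5"}):
        print(f"ALERT new IP {ip} at {ts:%Y-%m-%d %H:%M} via {channel}")
```

Because the summary is keyed on the address rather than on individual logins, a user who logs in twenty times a day from one static IP sees a single row for it, and any second row is something to look at; the same function can sit behind an api call so that vendor software can raise the alert for the user.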
Getafix November 13, 2011 8:54 PM GMT
Hi,


I raised some questions/requests etc at the last "general" live chat (Dec 2010) I have outlined certain points which I hope you can comment on:


1) Please can we have an option to be emailed/SMS if sensitive data is changed on the site i.e., password changes, address changes, bank/credit cards added to
account etc.
BF> As requested by our customers, our security team has worked to develop alerting on any changes to customer account details.  This will mean that changes to passwords, payment methods, address and other account changes will be notified to the e-mail address we have for the account. Changes to e-mail address will be sent to the old e-mail address as confirmation. This provides additional visibility and security of your customer account details and should be in place in the first quarter of next year.
My comments> This was perhaps one of the most important requests and it was good that you had intentions of getting this out.  This is seriously behind schedule as this was promised at the beginning of this year.  Has this been dropped/how long extra? Optional alerts for IP changes would also be a great addition for those of us who go to great lengths on our own security i.e., having a static ip address and only ever working from a "clean" computer (only used for access to betfair).


2) Please can we have an "Exposure limit" at market/selection level not just full account? This would be a fantastic extra as many of us will rarely place a bet above a
certain amount.  If someone hacks your account, they will likely try and transfer your money in several ways one of which is to place a bet with
the hacked funds and lay it off with their other account.  This I assume would be done with highly liquid events i.e., an important football match where it is nigh on
impossible to see where it would have been transferred.  By having a bet exposure limit, the criminal would have to place numerous bets in order to "transfer" funds.
This could prevent losing the whole bank immediately with the chance of noticing the hack earlier.  Also, it may be possible for betfair security to whittle down the
possible criminals (all users betting in same events). This option would also have another massive improvement as it could help protect clients against spelling
mistakes i.e., backing for £1000 when you meant £100 could be avoided if client had say a limit of £500 defined!
BF> it’s an interesting point which we’ll raise with the right expert internally. Setting multiple limits on accounts is complex though, would slow the site down and can be confusing so not sure if that’s the best way to address your concern. At the risk of repetition, the most important thing is making sure you have a strong password and security questions and changing them if you have any worries about their security.
My comments> Is this a definite no?  Security and detection would be enhanced as long as exposure level changes took say 3 days to become effective (including alerts for changes (as above))


3) Please can we have a tighter login to the website, i.e., what banks use i.e., select letters from a memorable word/password from drop down boxes etc - this makes it more difficult for keyloggers to pick this info up.
BF> Our security team are currently evaluating a number of different authentication options to roll out next year to provide additional protection as requested by our users. This suggestion will be incorporated into that analysis and evaluation.
My comments> Did the security team decide against any additional protection or should we expect something by end of December?  This "letter selection" suggestion is one of the most basic measures and would have put my mind at more ease with the recent DNS hack that was out of your hands (a betfair security keyfob would be even better (perhaps a security dongle would be better as could be used by the api too?)).  A more serious DNS hack could have forwarded people to a betfair clone (and then recorded logins).


4) Please can the whole website be changed to use https (like the api) so that users using public wifi etc have more security (prevent their sessions being cloned etc)?
BF> We are evaluating this change across our products and as it is a significant change in our website operation it must be planned with care. For clarity, authentication is performed via HTTPS encryption.
My comments> How did the evaluation go?  Is this still a possibility?


5) The current security feature on the website shows the last 10 logins, this is not very practical as many users login multiple times during the day.  Instead could
we have a list of all distinct ip addresses with the last time it was used to login (say for last 6 months)?
BF> This is a good suggestion and we will incorporate this thinking into any planned changes to the My Security page.
My comments> If there are no plans to improve the "My Security" page, please could this be implemented on its own merit?  It would also be useful if there was an api call that could request such info too?  This would be extremely useful for api users/vendors as users could be notified immediately if a suspicious (different) ip has been used recently! Also does the current screen show betfair ip addresses?  If not, please can these be shown too with a reason (i.e., "telephone bet request" etc)


Many thanks,


Getafix.