By:
I was hoping to post earlier with regards to answers. I'm struggling for time so I'll tackle one at a time. First off the re-question in above post:
Please can you re-read the question as I don't think you understood what I was getting at? This is to do with possible fraud via the sports exchange - nothing to do with loss limits on any of the other betfair products.

Apologies, you’re right, we didn’t answer your question – it’s an interesting point which we’ll raise with the right expert internally. Setting multiple limits on accounts is complex though, would slow the site down and can be confusing so not sure if that’s the best way to address your concern. At the risk of repetition, the most important thing is making sure you have a strong password and security questions and changing them if you have any worries about their security.

I pretty much disagree with all these points. It should not slow down the site because if they piggyback on the current exposure functionality it is one extra "if" statement. To use an example of why I think it will have very limited impact on api/website performance I assume currently there will be code like the following:

    double totalLiab = GetTotalLiab(Session["ID"]);
    double exposureLimit = (double)Session["Exposure"];
    double liab = 0;
    if (betType == "B") {
        liab = betStake;                // back bet: liability is the stake
    } else {
        liab = (odds - 1) * betStake;   // lay bet: liability is (odds - 1) * stake
    }
    if (totalLiab + liab < exposureLimit) {
        //place bet
    }
    ....

the above code I would expect to be a generic function which is called when a bet is placed. It could be tricky for betfair if their code is awful but considering the IT infrastructure I expect their code will be top notch and object oriented so think little problem implementing this. For completeness my piggyback addition would be as follows:

    double totalLiab = GetTotalLiab(Session["ID"]);
    double exposureLimit = (double)Session["Exposure"];
    double liab = 0;
    if (betType == "B") {
        liab = betStake;
    } else {
        liab = (odds - 1) * betStake;
    }
    // the one extra "if": use the lower bet-level limit when one is set
    if (exposureLimit > (double)Session["BetExposure"])
        exposureLimit = (double)Session["BetExposure"];
    if (totalLiab + liab < exposureLimit) {
        //place bet
    }
    ....

Simples!
By:
I shouldn't think multiple exposures would be confusing to betfair users. Well, it may be to first time users of the site but the default setting would be there is no exposure set for the bet (market/selection) limit (i.e., initially set to 9999999999999 GBP). This bet level exposure would be an optional extra for advanced users.
By:
Just thought of a mistake in my logic over breakfast, that'll teach me to rush posts! I have not considered the market liab in the above code. This should be relatively simple to handle; it will require possibly 2 extra "if" statements. I still don't consider 3 "if" checks to be expensive but BF will know better? I'll post a correction to my code later if I get time?
By:
2nd attempt:

    double totalLiab = 0;
    double marketLiab = 0;
    GetLiabs(Session["ID"], marketId, out totalLiab, out marketLiab);
    double exposureLimit = (double)Session["Exposure"];
    double liab = 0;
    if (betType == "B") {
        liab = betStake;
    } else {
        liab = (odds - 1) * betStake;
    }
    // when the bet-level limit is the lower one, compare it against the market liability
    if (exposureLimit > (double)Session["BetExposure"]) {
        exposureLimit = (double)Session["BetExposure"];
        totalLiab = marketLiab;
    }
    if (totalLiab + liab < exposureLimit) {
        if (fundsAvailable >= liab) {
            //place bet ....
        }
    }
    ....

Note this implies the new "BetExposure" can never be set higher than the "account" Exposure from the new options page (if bf decide to implement). Because we are piggybacking current exposure functionality I can't see why this would be difficult to implement especially considering this took me about 30 mins to think through. Obviously nothing is ever easy and my version is a very simplified attempt but can't see this taking much resources to run and implement properly?
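The bet-level limit discussed in the posts above, as an added example that is not code from the thread or from Betfair: it checks the market limit and the account-wide limit independently, so a low market limit never replaces the account-wide check. The `Account` fields, the reason strings and the assumption that liabilities within a market simply add up are all hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    funds: float          # balance available to cover new liability
    account_limit: float  # existing account-wide exposure limit
    market_limit: float   # proposed per-market limit ("BetExposure" in the posts)
    liab_by_market: dict = field(default_factory=dict)  # market id -> open liability


def bet_liability(bet_type, odds, stake):
    """A back bet ("B") risks the stake; a lay risks (odds - 1) * stake."""
    return stake if bet_type == "B" else (odds - 1) * stake


def place_bet(acct, market_id, bet_type, odds, stake):
    """Apply both exposure limits, then the funds check. Returns (accepted, reason).

    Assumption: liabilities in one market are summed; a real exchange
    would net opposing positions.
    """
    liab = bet_liability(bet_type, odds, stake)
    market_liab = acct.liab_by_market.get(market_id, 0.0)
    total_liab = sum(acct.liab_by_market.values())

    if market_liab + liab > acct.market_limit:
        return False, "market_limit"
    if total_liab + liab > acct.account_limit:
        return False, "account_limit"
    if liab > acct.funds:
        return False, "insufficient_funds"

    acct.liab_by_market[market_id] = market_liab + liab
    acct.funds -= liab
    return True, "ok"


def demo():
    """Constructed scenario: 1000 account limit, 500 per-market limit."""
    acct = Account(funds=2000.0, account_limit=1000.0, market_limit=500.0)
    results = [
        place_bet(acct, "m1", "B", 2.0, 1000.0),  # typo: 1000 instead of 100
        place_bet(acct, "m1", "B", 2.0, 100.0),   # intended stake
        place_bet(acct, "m1", "L", 3.0, 150.0),   # lay liability = 300
        place_bet(acct, "m2", "B", 2.0, 450.0),   # second market, within both limits
        place_bet(acct, "m3", "B", 2.0, 400.0),   # fits the market, breaks the account total
    ]
    return results, acct


if __name__ == "__main__":
    outcome, account = demo()
    for row in outcome:
        print(row)
    print(account.liab_by_market, account.funds)
```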
By:
bringing this thread up for inatimate1
By:
Hi,
My question is simple: how do I transfer funds to a paypal account?
By:
Excellent thread this containing the Direct opposite of Drivel ................Hat Tip to all!
By:
With the upcoming first general live chat since last year I thought I'd do a review to see what progress has been made in terms of security over the last 11 months. I have tried to match up the correct responses. Hopefully this will format okay?
I intend to forward this for the next chat (deadline Sunday)

Hi,

My questions are mainly to do with client security. I would be extremely grateful if you could answer, advise and possibly commit to some of the questions/ideas/recommendations that follow. I started a thread to discuss this in more detail here: http://community.betfair.com/general_betting/go/thread/view/94082/26407401/Betfair_Security_Improvement_IdeasQuestions
Because I have no idea when the next q&a session would be I thought a thread would be better to discuss upfront the interests of fellow clients. The points are discussed in much depth in the above thread but I will rewrite (more succinctly) below:

1) Please can we have an "Exposure limit" at market/selection level not just full account? This would be a fantastic extra as many of us will rarely place a bet above a certain amount. If someone hacks your account, they will likely try and transfer your money in several ways (to be explained below) one of which is to place a bet with the hacked funds and lay it off with their other account. This I assume would be done with highly liquid events i.e., an important football match where it is nigh on impossible to see where it would have been transferred. By having a bet exposure limit, the criminal would have to place numerous bets in order to "transfer" funds. This could prevent losing the whole bank immediately with the chance of noticing the hack earlier. Also, it may be possible for betfair security to whittle down the possible criminals (all users betting in same events). This option would also have another massive improvement as it could help protect clients against spelling mistakes i.e., backing for £1000 when you meant £100 could be avoided if client had say a limit of £500 defined!

BF> it’s an interesting point which we’ll raise with the right expert internally. Setting multiple limits on accounts is complex though, would slow the site down and can be confusing so not sure if that’s the best way to address your concern. At the risk of repetition, the most important thing is making sure you have a strong password and security questions and changing them if you have any worries about their security.

My comments> I don't believe anything has been done here which is fair enough if too difficult to implement?

2) Please can we have an option to be emailed/SMS if our login ip address changes? Letting us know when an ip login address changes allows us to change passwords / contact the betfair security team immediately if we know it isn't us.

BF> We will evaluate this alert in conjunction with the answer to question number 3 (below).

My comments> (the BF answer can be seen in my point 7 below).

3) Please can we have options to restrict access from other countries (but no option to unrestrict) - this should be possible by analysing the login ip address. If we go on holiday abroad and want to access betfair, maybe lifting of the country restriction should only be allowed by phoning betfair (not a web-account option) - I am assuming there would be security checks done over phone, maybe also some email confirmation (a link you have to click)? I believe something like this used to be an option why has it been removed?

BF> This functionality did not perform well enough and was only taken up by a few customers. We are continuing to analyse how best to redeploy this capability in the future as a part of improvements to the ‘My Security’ tab.

My comments> There have been no changes to "my security" tab that I can see? Is there still work being done here?

4) I know that if there were unscrupulous employees at betfair, account login info could be easily leaked or could it? What measures do betfair use to ensure the security of member's accounts? I assume there is some kind of top encryption on login details but is there additional security on these databases to prevent say any betfair developer querying this data?

BF> Please be assured that account login details, such as passwords, are not stored in the database in clear text. Passwords are hashed and security questions are encrypted. Databases and account access are monitored by Security staff to prevent unauthorised access.

My comments> It was reported that the betfair data loss (March 2010) went undiscovered for 2 months (until one of the Malta servers crashed). What were the security staff doing? This I find very worrying.

5) What is the actual history on BF accounts being hacked and monies transferred out? Has BF compensated people?

BF> As with any online business, Betfair can suffer attacks against its customers and accounts. However we have extensive monitoring of these through a number of different techniques and treat each and every event seriously in order to protect our customers and their funds. We urge all customers to ensure they keep their account details safe and, if they believe an issue has occurred, to immediately call the Helpdesk.

6) What happens when people add new bank cards to their betfair accounts, can they withdraw funds immediately to these different accounts? If immediate withdrawal possible and money was withdrawn to a criminal bank account would this be the responsibility of betfair/the bank/the client? Perhaps a cool off period would be beneficial for withdrawals to new cards?

BF> We operate a closed loop policy which enforces the withdrawal of funds back to their source. This means that the customer will be required to level off any deposits made with the same amount of withdrawals for certain payment methods (Cards, Moneybookers, Neteller, Paypal) before withdrawal of any excess funds back to a different payment source. There is currently a delay in our withdrawal process which enables us to carry out enhanced checks before processing payments.

7) Please can we have an option to be emailed/SMS if sensitive data is changed on the site i.e., password changes, address changes, bank/credit cards added to account etc.

BF> As requested by our customers, our security team has worked to develop alerting on any changes to customer account details. This will mean that changes to passwords, payment methods, address and other account changes will be notified to the e-mail address we have for the account. Changes to e-mail address will be sent to the old e-mail address as confirmation. This provides additional visibility and security of your customer account details and should be in place in the first quarter of next year.

My comments> This was perhaps one of the most important requests and it was good that you had intentions of getting this out. This is seriously behind schedule as this was promised beginning of this year. Has this been dropped? How long extra?

8) Please can we have a tighter login to the website, i.e., what banks use i.e., select letters from a memorable word/password from drop down boxes - this makes it more difficult for keyloggers to pick this info up.

BF> Our security team are currently evaluating a number of different authentication options to roll out next year to provide additional protection as requested by our users. This suggestion will be incorporated into that analysis and evaluation.

My comments> Did the security team decide against any additional protection or should we expect something by end of December? This "letter selection" suggestion is one of the most basic measures and would have put my mind at ease with the recent DNS hack that was out of your hands. A more severe DNS hack could have forwarded people to a betfair clone (and then recorded logins).

9) Please can the whole website be changed to use https (like the api) so that users using public wifi etc have more security (prevent their sessions being cloned etc)?

BF> We are evaluating this change across our products and as it is a significant change in our website operation it must be planned with care. For clarity, authentication is performed via HTTPS encryption.

My comments> All fine with authentication but doesn't help with the situation of session cloning.

10) The current security feature on the website shows the last 10 logins, this is not very practical as many users login multiple times during the day. Instead could we have a list of all distinct ip addresses with the last time it was used to login (say for last 6 months)?

BF> This is a good suggestion and we will incorporate this thinking into any planned changes to the My Security page.

My comments> It is starting to seem like there are no plans to improve security so please can this be implemented on its own merit? It would also be useful if there was an api call that could request such info too? This would be extremely useful for api users/vendors as users could be notified immediately if a suspicious (different) ip has been used recently!

11) Please can you contact the forumite known as Hazel to rectify a known security problem - "I can log into the account of anyone I know without needing to know their password. Indeed betfair customer services staff could also breach this security risk."

BF> We have made contact with the forum user concerned and understand the risk they have identified. We do not feel our customers are at any greater risk of compromise based on what was disclosed but as always we do advise customers to have strong passwords and security questions. If customers would like these changed please use the website or contact our Helpdesk.

12) Do betfair have any additional security improvements planned for the future which is not contained in the above list?

BF> To summarise, Betfair are improving both internal security controls as well as security features seen by the customer. This includes alerting on suspicious activity to our fraud teams, the evaluation of 2-factor authentication offered on an opt-in basis, the improvements of customer alerting around changes to password details, address or other account details, and improvements to the ‘My Security’ tab on the website. As always Betfair appreciates customer feedback in this area.

My comments> Maybe I am becoming impatient as nothing suggested or promised has been delivered so far (that I can see). At the same time we have seen changes to the forum etc which does not add value to the platform imo. Time better spent on security (again imo).

Non security related questions:

1) Do betfair earn interest on client's funds? If so, are client's funds higher than £50k protected?

Hopefully you will see the recommendations as reasonable and push forward such implementation. I believe this would be a win-win for both betfair and client.

My comments> I can't see a reply for this. But we now know interest is earned by betfair on funds and the protection in place (search this forum for user Nemesis if anyone interested in more detail).

All in all, very disappointing. In 11 months, nothing seems to have been done? I expect the large turnover of staff hasn't helped but it would be nice to know if betfair do still intend to improve these areas? The main disappointment for me is the fact there were plans for alerts etc and by the sounds of the responses they had virtually been implemented already. This was encouraging as it sounded that betfair were working proactively on their own merit.

This is not a crusade for me, I am not here to show betfair in a bad light, I would just like to feel more confident leaving a large balance here. I believe betfair has good intentions here (or did) they just haven't materialised yet.

I will probably add some more suggestions over the coming days such as the IP logging to also log internal betfair ip addresses (if it doesn't already - maybe someone who uses telephone betting service can confirm)?

Please feel free to comment, add ideas etc

Getafix
By:
Hi,
I raised some questions/requests etc at the last "general" live chat (Dec 2010). I have outlined certain points which I hope you can comment on:

1) Please can we have an option to be emailed/SMS if sensitive data is changed on the site i.e., password changes, address changes, bank/credit cards added to account etc.

BF> As requested by our customers, our security team has worked to develop alerting on any changes to customer account details. This will mean that changes to passwords, payment methods, address and other account changes will be notified to the e-mail address we have for the account. Changes to e-mail address will be sent to the old e-mail address as confirmation. This provides additional visibility and security of your customer account details and should be in place in the first quarter of next year.

My comments> This was perhaps one of the most important requests and it was good that you had intentions of getting this out. This is seriously behind schedule as this was promised at the beginning of this year. Has this been dropped/how long extra? Optional alerts for IP changes would also be a great addition for those of us who go to great lengths on our own security i.e., having a static ip address and only ever working from a "clean" computer (only used for access to betfair).

2) Please can we have an "Exposure limit" at market/selection level not just full account? This would be a fantastic extra as many of us will rarely place a bet above a certain amount. If someone hacks your account, they will likely try and transfer your money in several ways one of which is to place a bet with the hacked funds and lay it off with their other account. This I assume would be done with highly liquid events i.e., an important football match where it is nigh on impossible to see where it would have been transferred. By having a bet exposure limit, the criminal would have to place numerous bets in order to "transfer" funds. This could prevent losing the whole bank immediately with the chance of noticing the hack earlier. Also, it may be possible for betfair security to whittle down the possible criminals (all users betting in same events). This option would also have another massive improvement as it could help protect clients against spelling mistakes i.e., backing for £1000 when you meant £100 could be avoided if client had say a limit of £500 defined!

BF> it’s an interesting point which we’ll raise with the right expert internally. Setting multiple limits on accounts is complex though, would slow the site down and can be confusing so not sure if that’s the best way to address your concern. At the risk of repetition, the most important thing is making sure you have a strong password and security questions and changing them if you have any worries about their security.

My comments> Is this a definite no? Security and detection would be enhanced as long as exposure level changes took say 3 days to become effective (including alerts for changes (as above))

3) Please can we have a tighter login to the website, i.e., what banks use i.e., select letters from a memorable word/password from drop down boxes etc - this makes it more difficult for keyloggers to pick this info up.

BF> Our security team are currently evaluating a number of different authentication options to roll out next year to provide additional protection as requested by our users. This suggestion will be incorporated into that analysis and evaluation.

My comments> Did the security team decide against any additional protection or should we expect something by end of December? This "letter selection" suggestion is one of the most basic measures and would have put my mind at more ease with the recent DNS hack that was out of your hands (a betfair security keyfob would be even better (perhaps a security dongle would be better as could be used by the api too?)). A more serious DNS hack could have forwarded people to a betfair clone (and then recorded logins).

4) Please can the whole website be changed to use https (like the api) so that users using public wifi etc have more security (prevent their sessions being cloned etc)?

BF> We are evaluating this change across our products and as it is a significant change in our website operation it must be planned with care. For clarity, authentication is performed via HTTPS encryption.

My comments> How did the evaluation go? Is this still a possibility?

5) The current security feature on the website shows the last 10 logins, this is not very practical as many users login multiple times during the day. Instead could we have a list of all distinct ip addresses with the last time it was used to login (say for last 6 months)?

BF> This is a good suggestion and we will incorporate this thinking into any planned changes to the My Security page.

My comments> If there are no plans to improve the "My Security" page, please could this be implemented on its own merit? It would also be useful if there was an api call that could request such info too? This would be extremely useful for api users/vendors as users could be notified immediately if a suspicious (different) ip has been used recently! Also does the current screen show betfair ip addresses? If not, please can these be shown too with a reason (i.e., "telephone bet request" etc)

Many thanks,
Getafix.
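The distinct-IP view requested in point 5 above, together with the alert on a login from a previously unseen address, as an added example that is not part of the original posts or of any Betfair code. The login records are constructed sample data using documentation address ranges, and the function names and the 183-day window (standing in for "last 6 months") are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample login history: (ISO timestamp, source IP).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOGINS = [
    ("2011-01-03T08:00", "192.0.2.10"),
    ("2011-01-03T12:00", "192.0.2.10"),
    ("2011-03-15T09:00", "192.0.2.10"),
    ("2011-06-20T21:30", "198.51.100.7"),
    ("2011-06-21T07:45", "192.0.2.10"),
    ("2011-11-01T08:10", "192.0.2.10"),
    ("2011-11-02T23:55", "203.0.113.99"),
    ("2011-11-03T08:00", "198.51.100.7"),
]


def parse(logins):
    """Return the records as (datetime, ip) tuples in time order."""
    return sorted((datetime.fromisoformat(ts), ip) for ts, ip in logins)


def distinct_ip_summary(logins, now, window_days=183):
    """Map each IP seen in the window to its last login time and login count."""
    cutoff = now - timedelta(days=window_days)
    summary = {}
    for ts, ip in parse(logins):
        if ts < cutoff or ts > now:
            continue
        entry = summary.setdefault(ip, {"last_seen": ts, "count": 0})
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["count"] += 1
    return summary


def new_ip_alerts(logins, window_days=183):
    """List logins from an IP not used by the account in the preceding window.

    The very first login only establishes the baseline and raises no alert.
    """
    last_seen = {}
    alerts = []
    for ts, ip in parse(logins):
        previous = last_seen.get(ip)
        known = previous is not None and previous >= ts - timedelta(days=window_days)
        if last_seen and not known:
            alerts.append((ts, ip))
        last_seen[ip] = ts
    return alerts


if __name__ == "__main__":
    view = distinct_ip_summary(SAMPLE_LOGINS, datetime(2011, 11, 30))
    for ip, info in sorted(view.items(), key=lambda kv: kv[1]["last_seen"], reverse=True):
        print(f"{ip:15} last login {info['last_seen']}  ({info['count']} logins)")
    for ts, ip in new_ip_alerts(SAMPLE_LOGINS):
        print(f"ALERT: login from new address {ip} at {ts}")
```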