Gambling Securely Online
There's no better pastime than watching your bankroll grow in size as your online gambling progresses. The flip side of that though is watching your bankroll disappear in the blink of an eyelid due to fraud or other security breaches. For an example of this see this post on the forum:
Moneybookers Fraud thread
There are a number of steps you can take to help protect yourself from fraud/security compromises which we discuss below. The majority of the online security tips do revolve around using a password database application - although you can put some of the measures listed below into place without such an application, it makes life so much easier if you can take the time to learn how to use a password database application.
Finally - inspired by an unfortunate incident where someone's nephew managed to login to someone's account, deposit and then bet £1000s on roulette(!) - we will look at a few tips for securing your PC locally for the situation where you are not the only person with access to your PC.
Use an encrypted password database
Above all this is perhaps the most important aspect in maintaining a solid online security regime. A password database like Keepass allows you to maintain/store all your online accounts/private details in one single file which is encrypted - as long as you secure the password database with a very strong master password (and preferably only allow it to be opened if a usb stick is present), the database cannot be read even if it slips into the wrong hands.
Every time you create a new online account, create a new entry in the password database:
- Create a unique username - Keepass has a useful random password generator which is useful for creating random strings that can be used as usernames (just copy/paste the random string from Keepass's password generator into the username field). Having a random username is a pain if you have to ring up a call centre, but it stops crackers from guessing your username easily.
- Create a unique password - as above, use the password generator functionality in Keepass to create a random password. The longer the better, although a lot of sites do limit the password length. It can be useful to keep a note of how long the password can be in the 'notes' field for each entry in Keepass.
- Create a unique email address - reasoning for this is similar to the above. Once you've created the unique email address, keep a note of it in the 'notes' section for each entry in the Keepass database.
- Set the password to expire every 3 months - Keepass can be configured to automatically set passwords for new entries to expire by default after 3 months. When passwords are about to expire, Keepass can be configured to remind you so that you can go and change the password on the site in question which makes it a little harder for passwords to be compromised.
- Add any extra notes about the account - Keepass is a great place to keep site specific notes and memos to remind you what you did when you signed up or how to change the password etc etc.
- Above all, change the passwords regularly - as above, Keepass can expire passwords every 3 months so that you have to go in and change each password. This is quite a task to get on top of especially if you have hundreds of online accounts, but it's a small price to pay for peace of mind and isn't that hard once you get used to doing it (try and get into the habit of spending an hour at the start of each month updating all the passwords that are due to expire in the current month).
Keepass can be found here: KeePass Password Safe
Most of the tips below rely on using Keepass or similar. However even if you do not use Keepass it's still worth having a good read to try and understand how to secure your online accounts.
Added security for your password database
Whilst using a password database is safe and highly recommended, at the same time the database is only as secure as the password you lock it with. It is important to use a very long and random password as your master password - whilst this sounds like a pain, in reality it's not so bad once you learn the password.
Alternatively (although do try and make your master password as long/random as you can!), if you don't like the idea of having a highly complex password there are some extra/alternative security measures you can take when using Keepass:
- Use a Key file - a key file is a file that must be present before the password database can be opened. The ideal way of utilizing this feature is to have your key file on a USB stick that you can easily remove from the PC you work at.
- Require a Windows user account to be active - with this method, you specify that in order for the password database to be opened a specific Windows user must be logged in. Be very careful with this method though because if you ever manage to crash your hard drive, you may not be able to access your password database even if you have it backed up since all the user login information will be stored on the hard drive.
You can use either of the methods above alongside each other (and alongside the master password or even in place of it). I must admit personally I don't use either of the above methods, but there are scenarios when they could both come in very useful so it's worth keeping them in mind.
Only use email addresses (especially on money based services like Moneybookers) that are NOT in use in public
If you can find your email address on Google then so can the crackers. If they can find your email address they'll feed it into various online sites that are known to allow email addresses as usernames (like Moneybookers) and then look to see which 'light up' when they do so.
They'll get an error message perhaps that's slightly different from the one you get when you use an incorrect username full stop, so that indicates it's a 'hot' account ID. After that it's just a matter of using brute force to fire lots of passwords with that account ID until one of them works.
Whilst this may sound far fetched, this method is used to crack online accounts very regularly.
Make sure the email address(es) that you use for any account that involves money is NOT a publicly used address - do NOT post your email address anywhere online and preferably do not give it out to anyone apart from when you register online.
Use unique email addresses for each online account
Ideally, create a unique email address for every different online account that you have. If you own your own domain this is fairly easy to do and just requires that you create a new email alias for each new account.
For example, create semi-random looking email addresses like 'firstname.lastname@example.org' for a company that you use called 'foobar'. Since this is hard to remember, ideally keep the email address details in a password db like Keepass along with all the other details for that particular account.
This method has several advantages:
- Security - using a unique email address for every online account means that if one email address gets 'discovered' by crackers, they can't access more than one account with that email address.
- Spam trapping - if you start receiving spam and it's directed to one of these unique email addresses, immediately you know who's responsible for passing on your email address without your consent.
- Email filtering - because each email address you use is unique, you can set up email filters on your email client to automatically filter email received from each address into its own 'folder' making it quicker/easier to work with your email.
If you don't have your own domain, Gmail does have a useful feature that allows you to create multiple email aliases from a single gmail address. If your gmail account is email@example.com, Gmail allows you to create aliases using '+' as a separator - so for example all of the following:
will be delivered to the same Gmail inbox for 'firstname.lastname@example.org'. Using this you can create unique email addresses for all the different accounts you have. (The only drawback with this method is that quite often online sites don't allow '+' in the email field - they should do since it is an allowed character in an email address, but some sites don't.)
Use unique usernames and passwords for each online account that you have
With similar reasoning to above, if one of your online accounts gets compromised by crackers then only that one online account will be compromised because all the other accounts have a different username/password attached to them. The 'rot' is stopped at that first online account that was broken into.
Again this is very hard to maintain unless you use something like Keepass, but is very worthwhile investing the time into setting up. Once set up, logging into online accounts is much MUCH quicker using Keepass since you only need to hit 'ctrl-alt-a' and you're logged in (rather than having to try and remember what the username/password is each time)!
Change passwords every 3 months (one month for specifically money based accounts like paypal/moneybookers/banks etc)
Yet again quite hard to keep on top of unless you use a password database application like Keepass, but with Keepass you can set it up to get reminders when your passwords reach a certain age - whilst it's a chore updating them (especially when you have hundreds!), it is another step to securing your online accounts.
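The differing error messages described in the post above are a weakness on the site's side. As an added example (not part of the original thread; the function and class names are hypothetical and the sample account is constructed), here is a login check that reveals which addresses are registered, beside one that answers every failure identically and throttles repeated failures:

```python
import hashlib
import hmac
import os
import time

def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the demo runs quickly (an assumption, not a recommendation).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_store(accounts: dict) -> dict:
    """Build a constructed account store: e-mail -> (salt, password hash)."""
    store = {}
    for email, password in accounts.items():
        salt = os.urandom(16)
        store[email] = (salt, _hash(password, salt))
    return store

def leaky_login(store: dict, email: str, password: str) -> str:
    """Weak form: the two failure messages reveal which addresses are registered."""
    if email not in store:
        return "No account with that e-mail address"
    salt, digest = store[email]
    if not hmac.compare_digest(_hash(password, salt), digest):
        return "Wrong password"
    return "OK"

class HardenedLogin:
    """Same check with one failure message and a per-address failure throttle."""
    GENERIC = "Invalid e-mail address or password"

    def __init__(self, store, max_failures=5, lock_seconds=900, clock=time.monotonic):
        self.store = store
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock
        self.failures = {}  # e-mail -> (failure count, lock expiry time)
        # Dummy record so unknown addresses cost the same hashing work as real ones.
        self._dummy = (os.urandom(16), os.urandom(32))

    def _locked(self, email: str) -> bool:
        count, until = self.failures.get(email, (0, 0.0))
        if count >= self.max_failures and self.clock() >= until:
            self.failures.pop(email, None)  # lock expired, start counting afresh
            return False
        return count >= self.max_failures

    def login(self, email: str, password: str) -> str:
        # The throttle is keyed on the submitted address whether or not it exists,
        # so lock-out behaviour does not reveal registration either.
        if self._locked(email):
            return self.GENERIC
        salt, digest = self.store.get(email, self._dummy)
        matches = hmac.compare_digest(_hash(password, salt), digest)
        if matches and email in self.store:
            self.failures.pop(email, None)
            return "OK"
        count, _ = self.failures.get(email, (0, 0.0))
        self.failures[email] = (count + 1, self.clock() + self.lock_seconds)
        return self.GENERIC

if __name__ == "__main__":
    store = make_store({"alice@example.test": "constructed-sample-password"})
    site = HardenedLogin(store)
    print(leaky_login(store, "nobody@example.test", "guess"))
    print(leaky_login(store, "alice@example.test", "guess"))
    print(site.login("nobody@example.test", "guess"))
    print(site.login("alice@example.test", "guess"))
```

A real service would also bound the failure table and throttle per source address; while an address is locked, even the correct password gets the generic answer.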
Securing your PC locally
Whilst online fraud is a major issue, it's easy to overlook the less obvious threat from someone accessing your PC physically (ie actually sitting at your PC) and then either managing to lose a lot of money from your accounts by gambling randomly or actively defrauding you by transferring money out of your account into theirs.
Here are a number of tips for securing your PC from unwanted physical access (ie someone sitting down and using the PC without your knowledge):
- Create a dedicated gambling PC user account - once you've created the account, make sure you never give the password out to anyone you don't trust. As well as using a password for your PC login, if you have other people access your machine that you don't trust 100% you might want to create a completely separate account for allowing 'guests' to login to your machine. This way you never have to give out the password to your 'main' gambling account.
- Only install gambling related apps / data on the dedicated gambling account - make sure that you only install gambling applications (casino software/keepass/etc) on the gambling account and check that people can't access those apps from the guest account if you added one. This will help block people being able to physically access your apps and gamble away your money without your knowledge.
- Lock the workstation after 30 minutes of inactivity - set up the gambling account so that it locks itself after 30 mins (or whatever) and you have to unlock it by entering the account password. An additional tip for this - to quickly lock the workstation/PC, press 'win+L' - this will lock the account and you'll have to enter the password to regain access.
- Consider using an encrypted partition - this is a bit advanced, but tools like Truecrypt allow you to create encrypted partitions on your PC hard drive which you can protect with strong passwords. Before being able to 'mount' the encrypted partition, you have to enter the password.
Here's another article on the same subject by Whoops, has been merged into this thread so see below for the original post (#25 below), definitely worth copying up to the top of this thread though:
Security for your gambling PC
I couldn't find a guide on the site for securing your betting PC so I thought I'd write one.
Plenty of people will read about two more lines before dismissing this guide as applicable to the tin-foil-hat brigade only. It's not, it's applicable to everyone. I work in the computer industry for a living and I've seen what really happens when PCs and laptops get stolen. I've seen important stuff get hacked. The true cost is way, way more than 'just a pc'.
If at any stage you think this setup is over the top, go to wikipedia and read up on the Dunning-Kruger effect.
Note : I'm getting nothing for writing this and get nothing if you follow the recommendations. None of the links are affiliate links. All the recommended products bar one are free.
Most of you will have a not-so-insignificant sum of money stored online for use in matched betting/arbing. The following is a guide about how to secure your computer, at negligible cost, to help keep that money where it's supposed to be. In your accounts.
1) Passwords - 'letmein', 'password' and 'money' are not good passwords. Neither is your date of birth. In order to have a secure setup you need good passwords and there are plenty of trustworthy tools that will do this for you. My favourite password tool is Lastpass from LastPass - Password Manager, Form Filler, Password Management (free) but Keepass KeePass Password Safe (free) is a good alternative. Both these tools remove the need for you to remember passwords, both will generate complex passwords, both auto-log you in and both are incredibly secure. You have absolutely no excuse for using the same weak password on multiple sites.
I cannot stress enough how important it is to have unique and strong passwords for all your sites.
For fun, take the lastpass test. Allow it to search your PC for stored passwords and then test their strength. Chances are you'll be (unpleasantly) surprised by what it finds, and the number of places you've used the same old password. Also remember that whatever lastpass finds is available for a thief or rogue program to find just as easily.
Oh, and no. Having one weak password for your 'casual' sites, a better one for 'important' sites and a good one for 'financial' sites is not a good password policy.
2) Remember Me/Remember Password - If you tick this box on any website, quite frankly you deserve to lose your money. How much effort does it take to type in a password ? Anyone who steals your laptop/PC and clicks on an icon is going to have an awful lot of fun gambling away your money. The bookies will love you too. You should never, ever use this function.
3) Windows logon - Not having a windows logon password (free) is just lazy. If your PC boots straight to windows to save you time, well, it'll boot straight to windows for the guy who steals it too. A windows password isn't total security but it's a nice deterrent to the casual thief's curiosity.
4) Full disk encryption - Truecrypt from TrueCrypt - Free Open-Source On-The-Fly Disk Encryption Software for Windows 7/Vista/XP, Mac OS X and Linux (free) will encrypt your entire harddrive. There's no performance hit and it's just one extra password at boot. I use Truecrypt and when I power on the only thing showing on the screen is my phone number. Windows only loads after I type my password, which is nice and strong. Actually, to give you an idea of how strong, here's the actual password. It's '1/4PounderWithCheeseMealLargeWithCoke'. I can tell you because I trust you
My phone number is there so that if my laptop is stolen/recovered I've a great chance of getting it back.
Also I know that if my laptop is ever stolen it's going to take one really, really computer literate thief to even get a windows logon screen. If he's that good at hacking, he wouldn't need my laptop to get into my accounts.
5) Keyloggers - Keyloggers generally get on your machine when you install some dodgy software or visit dodgy sites. They collect your keystrokes and silently send them back to the bad guy. To protect against keyloggers I use Keyscrambler from QFX Software - Anti-Keylogging Software and More (free). Automatically obfuscates all my keystrokes during input. I don't think it protects against hardware keyloggers but it'll certainly stop a lot of the software based ones. (Read the rules if you use AutoHotKey)
6) Online behaviour (particularly browsing pr0n) - If you browse porn you are going to get hacked. If you browse porn on your betting PC, you're asking to have all your money taken from you. Just don't do it. Go take a cold shower or something instead. If you really, really have to browse then use Sandboxie Sandboxie - Sandbox software for application isolation and secure Web browsing (free). It creates a virtual sandbox on your PC and when you close it, 'poof', everything you downloaded has gone with it. (Yes, even your browsing history). If you are browsing anything on your betting PC, you should do it in Sandboxie. It's not just porn sites that host malware.
7) Antivirus - You really, really need antivirus. It also needs to be updating. I use NOD32 (not free) but there are free alternatives (AV-Comparatives - Independent Tests of Anti-Virus Software - Welcome to AV-Comparatives.org will give you an idea about how good each antivirus package is). If you are not using antivirus you are begging to be hacked. Anyone who disables antivirus due to 'performance' issues really needs to think again. Switch vendor if performance is a problem, don't compromise your security to load a web page 0.001 seconds faster.
8) Windows Updates - Another free one. Switch them on. Auto download them all, they are available to you for a reason. They rarely cause issues (I auto-patch over 1000 production machines every month and cannot remember the last time there was a problem). They either give you extra functionality or fix security loopholes. Both are good from our point of view.
9) Anti-malware - I use MalwareBytes from Malwarebytes (free). If malware did make it past everything above, this is one more free chance you have to detect it and stop it. Absolutely no reason not to have it.
10) Game/software cracks - If you download cracks, you are hacked.
11) Secure backups - Just a helpful one. Got important data ? Photos or documents ? Dropbox at Dropbox - Home - Online backup, file sync, and sharing made easy. (free) allows you to store and sync whatever you want. If your machine crashes and you need to rebuild it's a great feeling knowing that all your important stuff is safe up in the cloud.
12) Suspect files - Got a file you really want to open/install and don't know if you should ? Upload it to VirusTotal - Free Online Virus, Malware and URL Scanner (free) and it will be run against 40-something different antivirus tools, including all the mainstream ones. If they all flag it as clean it probably is.
Although the setup runs perfectly well without, I have purchased the full versions of all the above products (except Dropbox) to get the premium features. I didn't get the cracked versions because these are all anti-hacking tools and the main purpose of a lot of crackers is to get control of your PC. If a guy whose main motive is to control your PC suddenly offers to give you free software to protect against guys like him, would you take it ?
Finally, this is your money. If you've never had a machine stolen or a password compromised you WILL underestimate the impact it will have. Most of us have had a car stolen (I've lost two). Remember how you felt when it was missing ? "I wonder where they've gone with it, what have they done to it, I bet they've damaged it, it'll never be the same...." Well, when your PC goes you can add "I hope they don't post on a forum in my name, oh wait, they've got access to all my email too, now they can get all my logon info for everything. I need to contact my sites. Now, there's errm, betfair and Bet365, and, errr, that one I just joined, thingy...." There's also the classic "Oh, crikey, I do hope they don't look in that folder..."
Fantastic, many thanks.
Yeah that's a good point, that's something else that could have gone in the article really, what kind of backup strategy to use.
Personally I have a USB stick with a truecrypt partition on which I backup to every month or so, create a back up of my gambling spreadsheets, my keepass database, MS Money accounts, emails and various other bits and bobs (mainly 'my documents' folder).
Actually ended up losing the last USB stick though which was a nightmare! Luckily(?) I think it was thrown in the rubbish by mistake so probably won't see the light of day for a few years, by which time all the passwords on the keepass db will have changed (and even so it was protected by a very strong password).
One other thing that's a bit morbid (and slightly off topic) is what happens to your accounts if you die? Not that I anticipate dying any time soon, but I keep meaning to write out some instructions for a mate/brother so they can access all my accounts and withdraw everything back to my bank accounts if the worst ever happens.
Could have sworn there is a website out there that is able to email an address or addresses if you don't check in periodically. Can't seem to find it at the moment but something similar to that would be useful in such a situation.
Originally Posted by munk
A top post Monk thanks for the info.
A quick question though: do you think this keepass is safe? For example, is it not a scam in itself where it feeds back your usernames and passwords to the creator every time you log in? Just being paranoid but the person who is dishing this out for free could potentially stockpile a massive list of usernames and passwords.
Yes the Keepass app is safe as far as I know. The only time it ever connects / needs to connect to the internet is to check if a new version is available, if you really didn't trust it then you could just block it from connecting to the internet with a firewall. But from my own use of it I personally trust it but only because I've done my own 'research' on it (ie reading their site, forums/mail list, user reviews and so on).
Originally Posted by Tebs_on_tour
Makes me think now, I didn't mention a single thing about Antivirus or Firewalls above... which is kind of odd I must admit... although to be fair originally the article above was written more from the perspective of keeping your online gambling accounts secure rather than your own PC secure...
Hopefully goes without saying that you want to have an anti-virus and firewall installed and up to date, as well as having Windows / OSX software updated regularly.
Sorry 1 more question. I have done as you recommended and also ensured a USB has to be present to open the database. My only question is that if this USB is lost or broken does this mean that I lose access to my database?
I don't know to be honest but I imagine so yes. There might be more info on it at the Keepass site maybe. I think I would probably take a backup of the keepass db every month or so and disable the usb stick requirement on the backup just in case (keeping the backup on another / different usb stick).
Originally Posted by Tebs_on_tour
I never actually got around to using the 'require USB stick' bit so I don't know what the score is with that. Probably a good job too cos I lost the USB stick I would have used to secure it a while ago!