
Thread: ACR player claims a withdrawal was made without his permission. PFA is on the case...

  #21 Dan Druff (Owner)
    In what may or may not be related, the mobile app has been down all day, and it's not clear what is going on.

    https://twitter.com/ZippyChippy4/status/1512317919765618689

    https://twitter.com/ACR_POKER/status/1512261623347564554



    It is very possible that ACR discovered that this breach was via the mobile app, and they've taken it offline until they can fix it. Note in the e-mail posted by that Twitter user above, ACR acknowledges there is "no timetable" for the mobile app's return.


    There are also several (reliable) reports of a new procedure in place over the past week, regarding sending a confirmation e-mail to cashier@digitalexchange.eu, when a cashout is requested. I am assuming that digitalexchange.eu is their payment processor.

    I doubt this is all a coincidence, and I believe the situation is a lot more complex than a simple "credential stuff" attack.

  #22 Dan Druff (Owner)
    I suppose this is a good time to give a summary of everything going on, and why I feel ACR's "credential stuffing attack" story is BS.


    https://twitter.com/ACR_POKER/status/1512109972620029959


    What is a "credential stuffing attack"?

    A "credential stuffing attack" sounds like something very technical and complicated, but it's actually quite simple. In recent years, huge databases full of e-mails and passwords have been hacked, and sold/shared on the black market. Therefore, if you use the same e-mail and password combination on multiple sites, these hackers can access all of your accounts using such a combo, no matter how "tough" your password would be to guess.

    Credential stuffing attacks are not done by human beings. They are done by automated bots, which try thousands or millions of e-mail/password combos obtained from other site hacks. The bots do not try to make additional guesses. For example, if you used the simple password "Bobby1" on website A, and "Bobby2" on website B, the bot would NOT be able to break into your account on site B, despite the similarity of the two passwords. It would try "Bobby1" on website B, fail to login, and move on to the next account. However, if you used password "23nFW#2b%12$!" on BOTH sites A and B, with the same e-mail or login name, then the credential stuffing attack WOULD work.



    What is ACR claiming occurred?

    ACR seems to be stating that a credential stuffing attack was used on their service, where hacks of other sites yielded e-mail/password combos which were also used on ACR. They claim this allowed the hackers to get into accounts, and make these unauthorized withdrawals.

    ACR claims that they have refunded all affected players. While I have seen evidence that some players have received refunds, others are still waiting for resolution. It should also be noted that they only seem to be refunding those who noticed the money missing.



    What is the problem with ACR's explanation?

    Anyone attempting to login to ACR's platform using a different device would get a "new device" confirmation e-mail. Until the link in that e-mail is clicked, the thief would not be able to log in.

    In every case I've heard, these thieves were able to access ACR's platform WITHOUT ever clicking that link. That is highly suspicious, and indicative that this wasn't simply a credential stuffing attack.

    For example, even if I had the list of every single e-mail and password of every ACR player, I couldn't log in to any of them. I would get the message to check my e-mail to authorize a new device logging in, and I would be stuck at that point, being unable to access these users' e-mail. Somehow these thieves did NOT run into this problem!



    Is there anything else suspicious here?

    Yes. To my knowledge, not a single account was hit for more than $14,000, despite the presence of players on ACR with more than $100,000 on the site.

    Furthermore, the thieves seemed to know ACR's security review procedures all too well. In the case of the player who got hit for $13,623, a withdrawal of $10,000 was done first, and then the other $3,623 just 30 minutes later.

    In the first case discussed here, the thieves left $206 over, and only withdrew $8849 of the $9065 balance.

    In another case, a user with just $68 in his account decided to add $267 via deposit. Within 61 minutes of the deposit, someone breached his account and withdrew the same $267 he just deposited, which was first rejected twice for unknown reasons, and then processed on the third try. The original $68 was never touched.

    The third case, while for the smallest amount of money, is the most bizarre. If this were a credential stuffing attack, how would the thieves have known within 61 minutes that this guy just added money to the site? Someone clearly had insider knowledge in some way that this deposit occurred.

    I also have a case where someone's withdrawal simply disappeared. This was NOT an account breach, but rather a situation where they withdrew money, and it never showed up to their bitcoin address. ACR will NOT provide this person with the address where the bitcoin was actually sent, but simply insists that it was paid out!



    What are your theories as to what is going on here?

    This is almost surely being perpetrated by either someone who works for ACR, or someone who works for their payment processor, DigitalExchange.

    Note that in one of the cases described above, an account breach occurred just 61 minutes after the user had deposited, and the identical amount of money was cashed out. Only the payment processor and ACR would have this information.

    It is possible that the payment processor is given more access to ACR's platform than we are aware, and might be able to bypass security procedures normally in place for logins. It is also possible that insiders at ACR are simply forcing their way into these accounts, and making unauthorized cashouts. It is possible that ACR insiders AND insiders at DigitalExchange are in cahoots to steal this money.

    It is unlikely that management is involved. As mentioned before, nobody has had more than $14k stolen, and some of the thefts are for 3-figure amounts. Furthermore, this appears to be hitting a relatively small number of people -- possibly to stay under the radar. This appears to be a crime of opportunity, and the last known instance was on April 1 -- after I had called it out and made CEO Phil Nagy aware of it, via a third-party. It simply would not be worth the reputation hit for ACR to steal this amount of money.



    Where might the ACR app fit into this?

    I have never used the ACR app, so I can only speculate. However, I doubt it's a coincidence that the ACR app went offline on the same day that they publicly acknowledged this theft issue.

    It is possible that the app was the means to access these accounts, and that some insider discovered this in January 2022. An insider at ACR -- perhaps someone who worked on development of the app -- may have discovered a way to manipulate the API calls (the interface between the app and ACR's server) to log into accounts without needing to click on any new device verification link. If that person also had a way to access ACR e-mail/password/screen name combos, they could simply observe accounts on the system, and target select people either depositing or displaying money on the system (such as those sitting with thousands on a cash table).

    It is possible that ACR's temporary "fix" for the matter was to shut off the app completely while examining the vulnerabilities, and then also requiring confirmation e-mails to be sent by the player to their processor when a cashout was requested. This is a common tactic in system security, where a temporary blockade on the vulnerability is introduced, while a more permanent security solution is researched and tested.



    Why won't ACR release the IP addresses or bitcoin addresses of the thieves?

    ACR has admitted that theft occurred, so why won't they release this info, even to the victims? Shouldn't everyone have a right to get the bitcoin address of where their money went?

    My guess is they're afraid that the smart and crypto-expert poker community would be able to trace this information back to these ACR and/or payment processor insiders, and there would be a tremendous crisis of confidence regarding people's ACR funds. Thus, it makes far more business sense to attempt to keep this information private.



    If the credential stuffing attack story isn't true, why is ACR claiming that?

    A credential stuffing attack gives them the best excuse for this matter. It's not their fault if OTHER sites were hacked, and if certain users were dumb enough to use the same e-mail/password combo in multiple places, right?

    While they do acknowledge a "vulnerability" they have patched, presumably they're implying that they are tightening up the requirements to verify that the person requesting the cashout is really who they say they are.

    By characterizing it as an external attack by hackers who preyed upon users with identical passwords everywhere, they can make it appear as if their fault in the matter is very limited, and combined with reimbursing victims, they figured this would all go away.



    If this has been happening since January 26, and they've known about it since close to that date, why is this action only occurring on April 7?

    That's a great question, and I'd love to hear their answer to this.

    I do think that they felt a lack of urgency because it was only happening to a relatively small number of accounts, and they possibly decided to see if they could catch the insiders red-handed. They probably figured that they could simply investigate and refund anyone who was victimized in the meantime. Perhaps they even had checks in place for large cashouts (maybe over $10,000), which would prevent any account from being hit for something huge.

    It is no coincidence that they are finally taking action and making a public statement since I pressed the issue hard over the past week or so. As none of the victims were high profile or known poker pros, I can assure you that this would have stayed under the radar had I not brought attention to it.



    What do you want from ACR now?

    I am relatively satisfied in my belief that ACR management/ownership was NOT in on this, and that their goal was to make all victims whole.

    However, several people are still waiting for their funds back, and we also aren't getting the truth regarding what happened here.

    ACR just needs to come clean about what happened, and then be transparent regarding steps they took to prevent it going forward. This can be done without giving away too much information to help future hackers. They are one of the two biggest US-facing online poker sites, so they need to be honest with the community, and not just push a narrative which paints them as the least culpable. The community deserves to know the truth about what happened, and whether their money is safe on ACR going forward.

  #23 PositiveVariance (Gold)
    As far as the verification email to verify the new device being used - After the players realized their accounts had been drained, was the verification email still in their inbox as "new mail"? Or is there a way for the player to retroactively see if the link was clicked?

    It wouldn't be too much of a stretch to assume these people also used the same password for their e-mail account as they used for their ACR account, since they used it for at least 2 other accounts, assuming a CSA attack was used.

    A side note - You would think modern technology would prevent blasting email and password combinations to a site, even if they used multiple devices. Strange.

    As far as the small 3-digit withdrawal, it's possible they came across accounts that had low to no balances during their process and made a list of accounts that were active with regular activity, and repeatedly logged into these accounts throughout the day knowing some will eventually get a deposit. When the account had $68 they may have figured it wasn't worth a withdrawal to expose the hack, knowing it would eventually get a deposit. Once the player deposited $267, they may have realized that's as good as it would get. It could be a 3rd world country where they are paying someone $20/day to repeatedly log into a list of previously accessed accounts that were hacked but had low to no balances -- they continuously log in until they get one where someone made a deposit. Just a theory.

    Also, I think there could be a half truth to ACR's explanation that maybe they did have an outside party that accessed accounts with the emails and passwords, then at some point recruited a rogue employee to seam things together. They can "recruit" dishonest employees off sites such as LinkedIn, probably wouldn't take long to find someone that would work with you.

    But yeah, overall there is suspicion about ACR's explanation of it being a "Credential Stuffing Attack". Seems like the easiest way to deflect blame.
    Last edited by PositiveVariance; 04-08-2022 at 06:00 PM.


  #25 Dan Druff (Owner)
    Quote Originally Posted by PositiveVariance:
    As far as the verification email to verify the new device being used - After the players realized their accounts had been drained, was the verification email still in their inbox as "new mail"? Or is there a way for the player to retroactively see if the link was clicked?

    It wouldn't be too much of a stretch to assume these people also used the same password for their e-mail account as they used for their ACR account, since they used it for at least 2 other accounts, assuming a CSA attack was used.

    A side note - You would think modern technology would prevent blasting email and password combinations to a site, even if they used multiple devices. Strange.

    As far as the small 3-digit withdrawal, it's possible they came across accounts that had low to no balances during their process and made a list of accounts that were active with regular activity, and repeatedly logged into these accounts throughout the day knowing some will eventually get a deposit. When the account had $68 they may have figured it wasn't worth a withdrawal to expose the hack, knowing it would eventually get a deposit. Once the player deposited $267, they may have realized that's as good as it would get. It could be a 3rd world country where they are paying someone $20/day to repeatedly log into a list of previously accessed accounts that were hacked but had low to no balances -- they continuously log in until they get one where someone made a deposit. Just a theory.

    Also, I think there could be a half truth to ACR's explanation that maybe they did have an outside party that accessed accounts with the emails and passwords, then at some point recruited a rogue employee to seam things together. They can "recruit" dishonest employees off sites such as LinkedIn, probably wouldn't take long to find someone that would work with you.

    But yeah, overall there is suspicion about ACR's explanation of it being a "Credential Stuffing Attack". Seems like the easiest way to deflect blame.
    You raise some good points here, but when I think about the totality of information I have, it just doesn't make sense to be a simple credential stuffing attack by outsiders.

    For one, the first guy who reported this on Twitter (the one in the original post of this thread) insists that his Hotmail does not have any logs of strange IPs logging in, and the new device verification e-mail was unopened.

    Many others didn't get a new device verification e-mail at all.

    If there's any credential stuffing going on, it might be that some clever insider bought a list of e-mail/password combos on the black market, auto-deleted any e-mail which didn't match ACR accounts, and then was able to read or intercept the new device verification link e-mail. That is, it's possible that the passwords on ACR really were securely stored, but the outgoing e-mail queue was not secure, so anyone with server access and a list of bought passwords could probably get into some accounts.

    It's very possible that accounts were targeted after they saw some event in the system logs -- a player standing up from a cash table with thousands, winning a tournament, or depositing new funds.

    It is unlikely that they were repeatedly logging into accounts to check if they had new deposits, because that wouldn't be worth their time. Most deposits are fairly small. It would be much more effective to simply target the accounts with $5000+ balances, and steal them, while not going after the huge accounts which might be under some kind of review at withdrawal.

    I got another update e-mail from yet another victim -- one I haven't mentioned here yet. This guy had about $2200 in his account, but only $2000 was stolen. (Notice the leaving $200 over, just like the first-described theft.) He did NOT get a new device e-mail, only the withdrawal e-mail.

    He just got back his money yesterday. This was the latest known theft -- Sunday, April 3.

    I had him ask for the IP and bitcoin address info regarding the withdrawal, and of course ACR ignored him.
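As an added example (not from this thread, ACR, or any real system), the following Python models the two mechanisms argued over in #22 and #25: a credential-stuffing bot that replays leaked e-mail/password pairs verbatim and never tries variants, a login that holds unrecognised devices behind an e-mailed verification token, and an insider who can read the outgoing mail queue and so redeem that token. The PokerSite class, account names, passwords and device identifiers are all constructed for illustration.

```python
"""
Constructed model of credential stuffing versus new-device e-mail verification.
Nothing here is real ACR code; names and data are made up for the example.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow salted hash: a dumped table of these is not cheaply reversible,
    # which is exactly why stuffing reuses plaintext pairs leaked elsewhere.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    known_devices: set = field(default_factory=set)
    pending_tokens: dict = field(default_factory=dict)  # token -> device_id


class PokerSite:
    """Hypothetical login service with new-device e-mail verification."""

    def __init__(self):
        self.accounts = {}
        # The outgoing mail queue. Anyone who can read it sees every token.
        self.outgoing_mail = []  # list of (recipient, token)

    def register(self, email, password, device_id):
        salt = os.urandom(16)
        acct = Account(email, salt, hash_password(password, salt))
        acct.known_devices.add(device_id)  # the player's own device is trusted
        self.accounts[email] = acct

    def login(self, email, password, device_id):
        acct = self.accounts.get(email)
        if acct is None:
            return "fail"
        if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            return "fail"
        if device_id in acct.known_devices:
            return "ok"
        # Correct password from an unknown device: hold the login and e-mail a token.
        token = secrets.token_urlsafe(16)
        acct.pending_tokens[token] = device_id
        self.outgoing_mail.append((email, token))
        return "verify_device"

    def confirm_device(self, email, token):
        """Clicking the link: trusts the device that requested the token."""
        acct = self.accounts.get(email)
        if acct is None or token not in acct.pending_tokens:
            return False
        acct.known_devices.add(acct.pending_tokens.pop(token))
        return True


def stuffing_attack(site, leaked_pairs, device_id):
    """Replay each leaked pair exactly once, verbatim. No guessing, no variants."""
    return {email: site.login(email, pw, device_id) for email, pw in leaked_pairs}


def run_demo():
    site = PokerSite()
    site.register("alice@example.com", "23nFW#2b%12$!", "alice-laptop")
    site.register("bob@example.com", "Bobby2", "bob-phone")
    # Constructed "black market" list: Alice reused her password exactly,
    # Bob used a near-identical but different one on the breached site.
    leaked = [("alice@example.com", "23nFW#2b%12$!"), ("bob@example.com", "Bobby1")]
    bot_device = "bot-vps-1"
    outcome = stuffing_attack(site, leaked, bot_device)

    # Outsider with only the list: Bob fails outright, Alice is stuck at the
    # device check. An insider who can read the queue finishes the job.
    leaked_pw = dict(leaked)
    insider_bypass = False
    for recipient, token in list(site.outgoing_mail):
        if site.confirm_device(recipient, token):
            insider_bypass = site.login(recipient, leaked_pw[recipient], bot_device) == "ok"
    return outcome, insider_bypass
```

Run `run_demo()` and the outsider's pass yields `{"alice": "verify_device", "bob": "fail"}`: the near-miss password is worthless and the exact reuse is still stopped at the device step. Only the party who can read the queued token converts "verify_device" into "ok", which is the distinction the posts above draw between a stuffing list alone and a stuffing list plus server-side access.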

  #26 Dan Druff (Owner)
    "serenity21" from 2+2 posted the following e-mail from ACR he recently got when trying to withdraw:

    We hope this email finds you well.

    In order to move forward with your recent cash out request, email us at cashier@digitalexchange.eu from your registered email with the following information:

    - Amount of this cashout
    - BTC Receiving Address for this cashout
    - Date and amount of your last deposit.

    As soon as we hear from you, we will move forward to process your cash out request. Otherwise, if we do not hear from you within 24 hours, your transaction will be canceled.
    https://forumserver.twoplustwo.com/s...ostcount=35840


    Interesting.

    So they're definitely trying to catch people making unauthorized cashouts on others' accounts, though I'm not sure how this info is "verification". Wouldn't the thieves have all of this, except perhaps the date/amount of last deposit? But at the same time, legit players forget the date/amount of last deposit -- including me!

  #27 Dan Druff (Owner)
    I have since been told that the above info request has been done as far back as 2018, and is not related to this incident. Apparently it happens "once every 7 or 8 cashouts, almost at random", according to this person.

    So I'm theorizing that this request is when the system suspects anything even slightly "off", and not necessarily because of what has been happening lately.

    However, it's possible they increased the usage of this, given everything that's been going on lately.

  #28 PositiveVariance (Gold)
    Seems like they would have every user change their password at their next login, as some companies do when they have a security breach.

    Also, have users set up a 4-digit PIN that is requested at cashouts for verification. Upon cashout the employee would have to manually enter it in the system and it would have to match the number on file. No match, no cashout. A stranger would be guessing at a possibility of 9,999 potential combos. Have it to where only upper management can see or change a PIN if the account holder forgets it.
    Last edited by PositiveVariance; 04-11-2022 at 11:22 AM.

  #29 Dan Druff (Owner)
    Hey guys, remember this story?

    I was really gaining traction, until it was drowned out by the explosive cheating allegations against Ali Imsirovic and Bryn Kenney.

    In any case, I believe this has mostly reached a conclusion. I recently got contacted by a guy whose account was breached on April 6 -- the latest known instance of this. However, this is still one day BEFORE they made a public statement about it, and took their mobile app offline.

    The mobile app is back now, after about a 2-week hiatus. I have not received reports about any further incidents since April 6. Oddly, a low-stakes player victimized for $125 on March 24 claims he was DENIED a refund! I told him to e-mail again, bring up this scandal, and let me know if they still refuse.

    It does appear that they most likely closed this vulnerability on April 7, and this probably won't be happening anymore. However, ACR has not been completely truthful about the whole thing, as I've already mentioned.

    One thing I have found that is constant among the victims -- they DID use the same passwords on ACR as they did on some other websites. Not a single one told me they had a unique password for ACR. This makes ACR's "credential stuffing attack" claim seem true. However, it ALSO seems that this was done by an insider -- one who likely needed the outside database of hacked passwords in order to make the rest of his plan work.

    I will share below my tweets about my recent conclusions:

    https://twitter.com/ToddWitteles/status/1518052515459203072

    https://twitter.com/ToddWitteles/status/1518053957985177600

    https://twitter.com/ToddWitteles/status/1518055206214270977

    https://twitter.com/ToddWitteles/status/1518056180026777600

    https://twitter.com/ToddWitteles/status/1518060680061980672

  #30 sah_24 (Gold)
    I know for a fact that WPN doesn't like refunding anything because of hacks.

    My True Poker account was hacked 2 years ago; the thief tried a crypto cashout, but I got the e-mail and was able to get back in and cancel it. The hacker then was so mad that he just punted my balance in blackjack, and WPN refused to refund it despite the fact that it was obviously from a totally different IP that had never been on my account before (and my account had never gambled on anything that's not poker before)...
    Last edited by sah_24; 04-24-2022 at 07:42 PM.
