Betfair account security could use some tweaking

Attention, your Betfair account may have been compromised.

That was the warning, which the customers of a popular Betfair third-party software received in their email address yesterday. The manager of A Geek’s Toy, the Betfair software in question, also informed them that they are offering their software free of charge at least for one month, as they simply don’t trust Betfair’s security mechanisms. A Geek’s Toy (AGT) was available for £29 that granted you access to the application for 3 months.

I myself have used the software several years ago. I recollect that is was easily one of the quickest 3rd party Betfair application out there, even faster than Bet Angel. It may have lacked a couple of features, but all the bells and whistles were there, such as the ladder interface and the charting. Yet, it was the speed of trade execution and excellent refresh times that made me use it for quite a long time.

Ah, that speed. It couldn’t be matched. And I had used extensively Betfair software that can be found in their application directory. RacingTraders, Bet Angel, Fracsoft, BFexplorer, Betting Assistant, Fairbot and BetLab to name a few! AGT had no match in that field. And when 100 or 200 milliseconds are all that is needed to make money by trading the odds at Betfair, speed is crucial.

But enough of my praise for AGT. Let’s talk about the breach of Betfair’s security.

Your Betfair username and password may not be safe when using Betfair Certified software products

What I understand by reading the email and a couple of other online reports, is that the security breach of Betfair seems to make their API vulnerable. Betfair API, which stands for Application Programming Interface, is used by third party vendors, in order to grant their customers access to Betfair via their applications and pull markets’ data.

It’s that API that allows the advanced charting of these products.

It’s also responsible for stealing your Betfair username and password.

According to this forum thread, another third party Betfair product experienced some serious flaws and security breaches. Allegedly its customers had their accounts seriously compromised in some way.

For at least 5 months!

And Betfair didn’t detect anything all this time!

It was this fact that led AGT’s administrators to offer their product for free, until their confidence to Betfair has been restored. Can you blame them?

How Betfair can offer more security

Betfair does offer some kind of security. It’s a security tab in your account details. Betfair customers can find out if their accounts have been accessed by someone else. The security tab includes the last 10 or so IPs their account has been accessed from. So, for instance if they live in UK and they see an IP from another country, that should raise flags.

Contacting Betfair would be the least you should do. However Betfair could do more than simply tracking IPs. Not to mention blocking your account due to failed login attempts made by others, leading you to spend valuable time on the telephone.

RSA Security token: That’s the small thingy, which displays (usually) a 6-digit code every time you press it. Alternatively it always displays a code that changes automatically every minute. Secure e-banking is done with this security token. Secure access to your stock trading account is done with such a security token. Secure logging to your PokerStars account is done with this security token. How about securely accessing the Betfair account with that? I’m sure it won’t cost much and would become quite popular to Betfair users. Of course Betfair could offer it for free… Just a thought.

• Passcode card: Ok, Betfair could surely afford the passcode card. It’s nothing more than a plastic card having 200 numbers and codes printed on its sides! Nothing electronic on this card, no moving parts, nothing. It’s a simple card that is used by one of the popular online brokers, Interactive Brokers. It’s the card that guarantees no one will access traders’ accounts without this card. And I suppose you can imagine how much money traders need when they trade at stock markets or forex. Let’s just say that for you to simply open an account with them, you need to deposit $10,000. Other brokers require 5 times more! And they more or less use such a device to protect their customers.

Can Betfair afford this passcode card? Well, I’m sure they could afford sending a printed piece of paper if they run out of plastic.

How you can protect your Betfair account all by yourself

Actually it’s not just Betfair’s fault. People are totally ignorant of the risks of sharing information on the internet. They are picking simple real-word passwords so that they can remember them (although they do forget!). They use the same password in every account of theirs. They don’t see the point of typing the captcha code. But when their accounts are compromised, it’s the company’s fault – oh man, how did this happen?

If you feel safe out there, please spend 5 minutes of your time to read Mat Honan’s story on how he almost lost everything when his Gmail account was hacked. Mat is a senior writer for Wired.com and a reporter of Gizmodo.

Here is my advice about how you can protect yourself online

• Typing extra letters before and/or after you typed your password. The enemy here is called keylogger. It’s some kind of virus, of suspicious software that was installed in your computer when you accidentally opened that strange website. It continuously tracks your typing and records every key you press. By doing so, it fills a file with all that information and occasionally it sends it out to its creator.

So, when I type:

b-e-t-f-a-i-r-.-c-o-m followed by u-s-e-r-n-a-m-e and p-a-s-s-w-o-r-d-ENTER

It doesn’t take a genious to figure out how they could take advantage of that information. So type every password like:

m-u-m-b-o-p-a-s-s-w-o-r-d-j-u-m-b-o

Use any letter or symbols you want, and mix them with several backspace strokes.

• Don’t use the same password EVERYWHERE! The issue is how you are going to remember all those passwords, correct? Create a text document where you are going to write down your passwords. Save that document in your USB stick and encrypt it. Connect the stick to your computer only when you need it. Don’t leave it connected and it would be a good idea not to name the file passwords.txt.
• Use special symbols for your passwords. Symbols like the dollar or pound sign, @#%&*() would do just fine. Again, combine those with some word you could easily remember. Like pa!@ss#$wo%^rd&*. Add some numbers.
• Change your password periodically. Yes, we’ve heard that before. Websites also remind us of that with annoying messages. Who changes their password though, huh? But they are right. We do need to change it from time to time. So, do it.

If Betfair offers better security options (anything will do at this point, the my security tab isn’t actually considered protection) and Betfair customers take their security seriously by following the advice above, I bet we would be living in a more secure cyber world. And if that fails (what is done can always be undone), they would have every right to nag. Until then, Betfair should really win their partners’ confidence and trust back.