SealsWithClubs Hacking: Bitcoin Poker Sites an Exceptional Target

SealsWithClubsThe hacking attempt launched at new Bitcoin-based online poker site SealsWithClubs in recent weeks is likely the first such online break-in targeted at a poker site accepting Bitcoins as a payment, but it’s very unlikely to be the last.  While Bitcoins as a medium could be very useful for all sorts of sites, including online gambling, they also bring an increased risk, not only due to the anonymity afforded to many Bitcoin users, but also due to the fact that the data itself is the money medium.

The risk grows another notch when one considers that online gaming, due to the nature of the business itself, has always been an exceptional target for online criminals. The early years of online poker and casino sites and online sportsbooks were a never-ending litany of hacking and extortion attempts.  Givem the combination of big money, uncertain jurisdiction and operating in a legal grey area, it was something of a freeroll for criminals; if they didn’t score big bucks, they were just out a little time.

A lot of that simmered down as the online gaming market matured and as interested licensing jurisdictions gave at least a tiny bit of lip service to protecting their own.  For all the improvements in that regard, however, the anonymous payments made possible by Bitcoins and other virtual currencies have reopened that door just a little bit.

It was SealsWithClubs own frontman, Bryan Micon, who has repeatedly characterized SWC as being the “Wild West of online poker,” but the truth of that has a sharp edge: the Wild West was a pretty lawless place.

In the recent hacking attempt launched at SWC, it’s still not actually known if any significant amount of players lost the contents of their Bitcoin wallets at SWC.  It’s likely that few or no accounts were actually affected, and SWC issued a mandatory password-update notice, but that’s still only part of the story.

The break-in at SealsWithClubs consisted of more than 42,000 weakly encrypted passwords being stolen from an old data processor’s database, then decrypted after the stolen passwords were posted on a prominent hacking website, with hackers receiving a paltry two pennies per hacked password — another indicator that the Internet’s “Wild West” days are far from over.

But it’s more likely that sites such as SealsWithClubs will have to deal with such attacks in the future, simply because they are dealing with Bitcoins.  I checked in with SWC’s Micon, who confirmed that the attack was more a crime against a Bitcoin holding site than an online-poker site, per se.

Said Micon, “When the data [itself] is money, the stakes are higher.”

It’s one of the reasons Micon and SWC apologized so profusely after the hacking attack went public.  Major mainstream security sites determined that SWC’s security team had used a weak SHA-1 hashing algorithm, which was first cracked in 2007 and which was discarded as pretty much worthless by 2010 or so.  It simply should not have been used, and its temporary security lied only in the fact that no one outside SWC knew that SHA-1 was being used in the first place.

Of course, the primary blame for the hacking went to the hosting and data service first used by SealsWithClubs, which left the modestly outdated database on an unprotected server.  It’s not the first time that a service provider’s data security has been dropped in such a manner.

Added Micon, “I really do not know the motivation behind the hacker.  All indications appear they were trying to steal Bitcoins,” though as with a lot of new-era hacking, it’s a game of thrills in an unprotected environment.

Micon believed that no users actually lost money, since the hacking actually only attacked one of several security layers involved at SWC.  However, due to the way Bitcoin deposits work at SWC, with an e-mail address not even needed in the interests of anonymity, a player who also suffered a second hacking attack against his personal Bitcoin wallet could, conceivably, find himself locked out of his own Bitcoin account.  That rare combination of circumstances likely wouldn’t even be reported to SealsWithClubs.

Micon noted that the storage system for Bitcoins in play on the site is actualy separate from the player passwords and account, meaning that those Bitcoins were safe all along.  “It is worth noting that player funds were never at risk,” said Micon, “as we have a cold storage solution that does not interact with our ‘hot wallet’ system.  It is also worth noting that the group that makes up ‘Seal Team 6,'” as Micon calls the SWC security department, “takes their jobs very seriously.  We made a terrible error that was compounded by our datacenter’s failure.”

“We take full responsibility and understand our reputation will take a hit,” added Micon.  “We have shifted all efforts towards security.  I hope that players see how we respond to this and other issues we have had in the past.  We strive for honesty and full disclosure without compromising security, and I think we have exhibited that in our reaction.  At this stage I want players to understand that SealsWithClubs is a small group of highly motivated poker players and software engineers that share the vision of doing online poker ‘the right way.’  We are likely to make mistakes at these early stages….  The current database compromise is embarrassing and costly.  We will treat this like all other challenges we have faced and fix it.  We will not let a creative hacker destroy what we have built: instead we will defend this house with all that we have.

The attack put Bitcoin-based online gambling sites on notice; they’re on the front line against hackers who would like to steal Bitcoins, since once stole, they’re almost impossible to recover.  SWC and its brethen must maintain a robust security defense to win the mainstream’s trust.

Up To $3,000 in Bonuses! Play Now
100% up to $3,000 Bonus

Bovada is our most recommended ONLINE CASINO and POKER ROOM for US players with excellent deposit options. Get your 100% signup bonus today.

Be the first to comment

Leave a Reply