NeTeller authentication procedure???? Possibly very important information here.

KotysDad

I have a question about NeTeller. This is slightly different than the post by TKinVA. This has me a little worried unless someone can alleviate my worries here.

I am in the process of transferring money from Olympic into my NeTeller account. At first try, it was denied by Olympic, so I called to find out why and they said the email address that I signed up with Olympic is different than the email address that I used when I opened an account with NeTeller.

After spending about 20 minutes trying to unsuccessfully figure out how to change the email address that I gave NeTeller, I simply opened a new account using the email address that Olympic knows. Since the two match, Olympic should put the transfer through. I am currently waiting to find out.

Here's the question......

While I was in NeTeller setting up the transaction, all NeTeller wanted was my account ID at Olympic (no password). This is no form of authentication whatsoever. If someone knows your home address (which isn't hard to get) and knows your account ID at some sportsbook (which isn't kept under lock and key) and your home email address (assuming you use that as your default address), then all someone has to do is set up an account using your name, home address, and email address, and apparently they can transfer your account balance into their NeTeller account. Have that money sent to a PO Box or another sportsbook account and it seems you are screwed and your money is gone.

Someone please tell me that I am missing something here. NeTeller can't be this oblivious when they set up their authentication procedures for security.

Home addresses and email addresses are public information on the net. These aren't national security secrets. That leaves your money in the mathematical chances of someone guessing your account ID which is usually 5 digits. Some use your initials as a start, no guesswork here if someone knows your name to begin with. Again, unless I am missing something, I don't like the odds here.

If I am right, then don't use NeTeller. It is unsafe. Maybe someone can either confirm this or tell me what I am missing.

[This message has been edited by KotysDad (edited 08-16-2001).]


Ok, the change was accepted under my new account and money was transferred. People, this seems to me to be a problem and one that can be exploited by crooks. Of course there might be some crooked lurkers in which case I am telling them how to defeat the security (or lack thereof) in NeTeller. But if I am right about this, then you might want to consider not using NeTeller.

I hope I am wrong about this, but if I am not then at least it might help someone somewhere down the line.

[This message has been edited by KotysDad (edited 08-16-2001).]
 

DOGS THAT BARK

KD I wish Neteller insured accounts like Paypal but don't believe they do. You should have special pin to get into your Neteller account which would make it hard to get in but after hacking into Oly accounts occurred several months ago I have been leery also. As I told Tk I set up separate banking account for direct deposits to Neteller and only leave a balance of about $500 in Neteller at anytime.
Works for me being a small time bettor, however would not work so well for those that fire at em.
 

KotysDad

DTB,

You're right. NeTeller gives you a special PIN along with your password to get in, but that isn't the problem. Well actually it is the first step in the problem. When you establish a NeTeller account they have no way of confirming that you are who you say you are. The info that you provide on the signup form is all public information. If they asked you for a credit card number say, then they would have some assurance that you are John Q Public by checking a credit report. But the form just asks for name, rank, and serial number. I could sign up under any name I wish.

The security problem comes in when you go to transfer funds out from a merchant. If you were to take money from Oly and put it in your NeTeller account, all NeTeller wants to know is your Oly ID number. They don't request any secret info like your password for Oly.

So say for example that you have a roommate that you just evicted, or an ex that you just broke up with and they are very pissed at you. They already know all the info about you to open up a NeTeller account under your name. If they lived with you long enough, chances are they know all your ID numbers for your sportsbooks given that most people write them down in a book if they have multiple accounts. They have all the info they need. They open an account and transfer your money out and before you realized what happened, they are gone.

Aside from that you are protected from the fact somewhat that most sportsbook IDs are 5 digits, which would give someone a 1 in 100,000 chance of guessing it. But I would be willing to bet that most IDs start with a 1 or 2 so that right there cuts your odds down to about 1 in 20,000. Some people are cozy with that, but with the speed of modern day computers, some whiz kid would write a script to try those numbers in seconds (assuming NeTeller has a function that says after 3 unsuccessful attempts you can't try for a while to make the transfer).

Nowhere in this whole process does there seem to be any secret/protected information that gets asked for so that NeTeller or Olympic knows that the person requesting transfer is actually the person who owns the account.

This just seems very non-secure to me, but maybe I am just being overly paranoid about it.
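
An added illustration of the weakness discussed in the post above, and not part of the original thread or of NeTeller's or Olympic's systems: a hypothetical `Sportsbook` class that contrasts releasing funds on an account ID plus matching email with requiring the account holder's own secret and locking out a requester after three failed attempts. All names, the sample data in the test, and the 15-minute cool-down are assumptions.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3        # lockout threshold mentioned in the thread
LOCKOUT_SECONDS = 900   # assumed cool-down period

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Sportsbook:
    """Hypothetical merchant side of a wallet-initiated withdrawal."""

    def __init__(self):
        self.accounts = {}  # account_id -> {"email", "salt", "pw"}
        self.failures = {}  # requester -> (failure count, time of last failure)

    def add_account(self, account_id, email, password):
        salt = os.urandom(16)
        self.accounts[account_id] = {
            "email": email, "salt": salt, "pw": _hash(password, salt)}

    def weak_authorize(self, account_id, email):
        # The check described in the thread: account ID plus matching email,
        # neither of which is a secret.
        acct = self.accounts.get(account_id)
        return acct is not None and acct["email"] == email

    def authorize(self, requester, account_id, email, password, now):
        count, last = self.failures.get(requester, (0, 0.0))
        if count >= MAX_FAILURES:
            if now - last < LOCKOUT_SECONDS:
                return "locked"
            count = 0  # cool-down has elapsed
        acct = self.accounts.get(account_id)
        # Hash even for unknown IDs so they cost the same work as known ones.
        salt = acct["salt"] if acct else bytes(16)
        candidate = _hash(password, salt)
        ok = (acct is not None and acct["email"] == email
              and hmac.compare_digest(candidate, acct["pw"]))
        if ok:
            self.failures.pop(requester, None)
            return "approved"
        # Failures are counted per requester, so guessing IDs trips the lock.
        self.failures[requester] = (count + 1, now)
        return "denied"
```

Keying the failure counter on the requesting wallet rather than on the sportsbook account means a run of guesses across different account IDs still reaches the lockout.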
 

surfman101

To withdraw from NeTeller, doesn't the money have to go to the address on record or the bank account on record? I think you said that OLY required the email address and street address to match the NeTeller records. So if your ex did a withdrawal from OLY against your wishes, I think the money would still come to either your house or your bank account.
 

KotysDad

Surfman,

It's probable that if NeTeller sent a check that they would only send it to the address and name listed on the account. But what if the ex (under my name) had the money transferred into her account? NeTeller does allow member to member transfers. Once she transferred it into her real account, then she could have the check mailed directly to her.

...and it's not just a concern with an "ex". If you are in college and share a dorm room and computer with 2 or 3 roommates, then the same situation applies. You better either really trust them or hide your ID numbers.
 

AzRusty

Why not send this note you wrote to NETeller?
Or even this entire thread?

I have talked to John on numerous occasions there and he seems reasonable. Not sure if he is still there as it has been months since I talked to him. But I liked him and he helped me settle a problem regarding a withdrawal from a sportsbook.

AzRusty
 

KotysDad

AzRusty,

That's a great idea. Do you have the email address of this guy you are referring to? I'll include the link to this thread in my email.

Thanks.
 

KotysDad

I sent email to their support staff and included the link for this thread. Some guy emails me back and says my information here is inaccurate and that NeTeller wouldn't allow a person to have two accounts. I just shook my head and laughed. I emailed him back and said "I have a little surprise for you. I have two accounts." lol. He said to call and we can discuss it further.
 

John @ NETeller

We at NETeller very much appreciate the trust that is implied by you giving us your money transfer business. NETeller is the safest method of money transfer in the world, as our record and our customers will attest. It is true that NETeller accounts are not insured against theft by someone who has gotten your account access information from you. But there is no such insurance anywhere in the industry.

So please remember that when you are dealing with any money transfer system, all of the normal precautions must be taken. We can protect you, our clients, against just about anything AS LONG AS YOU KEEP YOUR ACCOUNT ACCESS INFORMATION STRICTLY TO YOURSELF. We cannot be responsible for losses incurred because somebody read your account access information from the yellow sticky on your monitor. To leave your info around in such a manner is the equivalent of writing your pin number on a sticky and putting it on your ATM card.

I have as much trouble as anybody remembering my account info, so I keep it in a secure file in my Palm Pilot. But remember. If you forget your info, you can call us and we will remind you. That's why we have the security question/answer system, the same as any credit card company. It is better to call us and check when you need to than to risk your security by leaving hard copy of your account access information around where it is available to others.

I am pleased to report that when KotysDad opened his second NETeller account, our review department had shut down his first account within 5 minutes, confirming for me the quality of our vigilance.

Again, thank you for using NETeller. We are always interested in your comments and are keen to accept your suggestions.
 

KotysDad

John,

Thanks for the response. I was planning on calling your support staff tomorrow morning (Tuesday) to discuss this further. I won't get into it here in public but I think there is one other hole that needs to be closed up in the authentication process. I look forward to talking with your staff tomorrow.
 