IP-address range for allowed logins

[DepchZ]

I just ran to an issue with ebay for having received for weeks now e-mails that say that someone has been trying to access my account and failed. Did the basic things like changing my password etc. and I really don't have to worry about anyone gaining an access to it as I live alone and have my passwords memorized only.

The suggestion I came up with however was to enter an IP-address range for allowed logins and try to escalate this further if it would be possible. I am now approaching Unibet for the same idea as this would make your account so much more secure for any case of abuses.

-No foreign logins allowed to your account
-No logins from the country of residence from strange ISP:s
-If you have a static IP-address that narrows it down perfectly to your residency as you can narrow down the range to a single one -> your own computer

To be able to do this would be a perfect way of taking care of your security. It would narrow things down to a tiny percentage of happening.

Something like this should not be hard to do I would imagine. Shouldn't something like this be pretty much a norm for existing already?

Solution: You enter your login credentials -> It forwards your data through software based "firewall" and you get through if the conditions of the pre-set values meet up. If they do not meet up you get an error message and you obviously would have to contact the customer help for changing that range if it is a valid request that is.

ps. Unibet staff could even go through most of the known proxies and address ban lists for those, so that people can't use proxies to play behind other countries of residence.

pps. This does not have to require anything from the general customer, but be an option in account settings / option of request for customer service for those who want increased security for example.

[DepchZ]

+ You could have an option for a vacation mode button to override those ranges for the time being if you go touring in Europe for example and would like to play some while vacation.

-Using vacation mode sends an automated e-mail to your address that it is being used
-Perhaps that it would have to be renewed every 2 weeks if you are on a prolonged vacation

[Zipfil]

@DepchZ

This was a little strange and I understand that you dont realy understand how HW\SW and so on work but will try to give you some info on this.

First of all your account is locked to your native language\country. That is a securety from Unibet to you so wherever you are in the world you can acess Unibet like if I was on hollyday in Cambodia and go to Unibet I will get the English start page but after log in I get automatic directed to my native language Norwegian, also my Unibet account is secure since no other user can\could withdraw anything exept me. Evry withdraw is also automatic locked and cant be canseled to use for playing, this is a thing all the players can ask LC to make default. So all withdraws goes follow my name and so on or get canseld\returned to Unibet if my Name dont match accout or visa,versa......

When it come to strange ISP`s.....what are you talking about ??? to be a ISP you need a real Company, that is the strangest thing I have read....

So my and hopefully your`s and others Unibet accounts are secure if people just make \ use a long difficullt password, Unibet cant be hacked by Brute Force, since by default it lock a players account if you enter log inn info wrong 5 times.

The first thing I thought when I saw you getting mutiple info from E-bay and they claim \ want info becuse of faul play made me think that you had a issue of "Phishing".....again cant say since I dont know about your understanding of the web..

When it comes to the web \ ip adress and so on it getting complicated, there is no limit to IP adress , they just uppgrading the Web to say it easy, like when IP4 got emty they just activated IP6 so even if your HW is so old that you only go online true your ISP and IP 4 then the Server give you a IP 6 adress...also to change IP adress is realy just a temporary sollution, the people who realy want to find you do that easy if they want to track you even true companys like Hidemyass and so on, wonder why? well you have a uniqe identifier in your HW (actually a loot) called like a mac adress...that is locked unless you strat to change it but then you need to be learning serius scills in OS like a Kali distro , read here: https://www.kali.org/

So my advice is to not vorry about your Unibet account but vorry about what HW\SW you are playing from, settings\securety from the user end is more likly to "hack" your account than a n00b ;)

My experience is that there is not any sutch thing as a techknical error or alike , the fault is usally 99.99 % between the chair and the keyboard ;)

Just my 2 cents :)

[DepchZ]

Thanks Zip for the answer.

The situation with eBay was not that them requiring information, I went through the e-mail conversation with eBay customer service inquiring what those e-mails truly are and verify are there login attempts to my account elsewhere, which they confirmed. I came in with the idea of having a restriction for IP-address range for your allowed logins. I had not cared about the situation that much for weeks as I did not have any monetary information saved up there that could be abused and now I will just not use that service, or if I will I will just change my e-mail + login info there. Not a case of phishing e-mails as I don't fall for those, never type your login information to non https-sites and just use the official site, everyone should check that always.

I'm extremely happy if Unibet restricts the foreign attempts by default. That narrows down already a lot of the possible cases and perhaps it has already been stated somewhere here in one of the threads, but I had forgot about it. I must also say that when writing this I completely forgot how hard it is for the possible abusers to extract money out of it and was just more doing this in the sense of sharing that idea.

But even if your login is restricted to the country of your residency, there is still the chance for your account being used for malicious attempts. I can come in to at least two types of attempt types.

A) If your account is hacked, mostly if your passwords are leaked somehow your account could still be used for chip dumping for example to transfer the money out of it for another account for a withdrawal. Yes the other account receiving the money would have to be looking good to go with same fake ID:s and perhaps some wins/deposits confirmed to be working already to be allowed to do this. But I would assume this is what professionals are doing.

B) An extremely rare case would be that if they would have your e-mail address and you would be using internet wallets, they might have information for those as well to make those quick withdrawals from your account and then transfer the money to a verified account to another account, maybe registered for fake ID or so and have that money taken out via ATM or so. A double leak of such information would be really really rare however.

Some clarification also regarding my post:

Strange ISP = I meant any other ISP than you are using for example aka not familiar to you by selecting the range from. So not "strange"  in any "non company" ISP or any sort of paranormal way. ;D A poor choise of words on my behalf.

"firewall" = I meant more of a software rule that checks out from what IP you are logging in from. The IP:s are always tracked and saved for logins even now. You can clearly see it from the Unibet settings even now what logins and systems are on. Let's make an example for clarification. So let's assume that you usually log in from 194.194.194.194 that you have put on to that suggested allowed list via settings and that your account would be tried to be accessed with the correct leaked login information from IP-address 254.254.254.254. Upon entering the correct details the software first checks the allowed list of IP:s if there are any and because the IP:s are already seen even now, it could easily compare that ok, the login is coming from 254.254.254.254 so login is denied. That should not be hard to do. I know what firewalls are, just did not have a proper name for what I was suggesting, thus "firewall". Also remember it's an extra option to use not a mandatorial thing.

Same thing could be used with IPv6 easily. Use IPv4 -> No IPv6 addresses on exceptions = no access and same vice verse.

A dumbed down C64 language example. :D
10 IF LOGIN IP = 1 THEN GO TO 20 (1 = IP addres for login matches IP-pool entered to rules)
15 IF LOGIN IP = 0 THEN GO TO 30 (0 = IP does not match IP-pool of entered values)
20 LOG IN SUCCESFULLY (continue to main screen of Unibet)
30 SYNTAX TERROR

I don't understand why you are bringing up that stuff in the latter part of your post. Services like hidemyass would enter the site from a selected pool of IP:s just hiding the real IP (hiding  your ass). If that pool is not in the exception list no worry. It's also true that most of the time the fault is in the user if they leak the information out, but this had nothing to do with any error messages of any sort. And sure if this could be tied to your list of selected mac-addresses then that would be great as well. This would just be an extra option to make hacking anyones account that much more harder. This sort of thing would make user errors somewhat easy to overcome with in the sense of security, even if you posted your password and login credentials by mistake to reddit it's going to be almost impossible for anyone to get in with those.

ps. This was not about a personal worry of my account, just an idea of overall improvement. I'm using Linux + have my password memorized only, live alone etc. Not much to worry about. :)

[Zipfil]

Sorry m8 had to lafghing....almost forgot the SYNTAX ERROR...that I havent seen in some years.... :)

Anyway about your Parts:

1: Make a long password only you remember and change it evry month.

2: Example using my Skrill account. There anyone get a small problem , first need a Username, Password and a securety question that changes , only for log inn. Then for any transfer it require it again + a 6 diget code I can change anytime I want. So to even try it would be difficullt also Skrill sending me a "PM" ASAP when something happends on that account so I can cansel it fast if absolutly evrything else fail.

When it come to locking a account to a spesified IP\Country for logging on, just tell LC @ Unibet that you are in a diffrent country and they are helpfull with that. I had to ask them one time if it was ok to play from SE Asia on LC and it was no problem, cleared it with them first. So since I do travel sometimes I dont like a block on that part...

Anyway there is nothing who is impossible but that do take time ;)

So anyone who are playing RG have to be responsible for a verry good password \ securety themself, then if something realy goes wrong, lets say your account start to behave verry strange I think Unibet would help you out later :)

Thx for reminding me of C64 and A 500 xD

[DepchZ]

You are right to suggest the case with the passwords security. This was just an idea of prevention to what if you lose your login information / they are leaked from somewhere, what could be the security to kick in afterwards. It might help Unibet in reducing some work as well with a little investment in having this option created, but perhaps not too many people are aware of the tech behind it for it to become worth of investment.

Thank you also for reminding on Skrill, I think I'll turn on my 2-way authentication on there, it should take care of the B example I suggested. Possible malicious attempts on chip dumping could still though exist as of current in example A).

Thinking of this further from this conversation, perhaps it's too much to ask from Unibet and posting this was a bit hasty. It is secure already how money is being handled by Unibet. I mean it's worse in a service like eBay where you can buy and order things especially if you have your credit card information saved up. I still would like to have this sort of option available at least in some of the services that I am using, even if not in Unibet. So sharing ideas regarding security is always good. Perhaps they'll spread unconsciously and are refined eventually for the betterment of all and who knows who what kind of people read these boards, maybe it'll be picked up elsewhere where it's required. :)

[DepchZ]

I was thinking about this a bit further how it could be refined to be easier for everyone based on the discussion here.

If this sort of thing can be tied up to a MAC-address or general information of the device/OS/browsers in use, then it would be easy to do the following way:

Customer has the option to choose how many different devices he is using for the site from the options. If he has a desktop/laptop + mobile device he can choose to have 2 devices are in use. The login information will be locked down automatically to the 2 devices being in login history and no other devices can log in. If the customer likes to play somewhere else randomly as well or knows he's heading to a friends place or so, just add an extra device or be able to scrap one of the used devices already in account history.

I would probably just lock it down to my laptop and use only 1 device even though I have used mobile at times as well currently. 

Also it is an option, not mandatory. :)

And of course if you do not want to have any limitations to the devices being able to access the account, then just

[nekoneko]

You'll also need a laser secured room and a tin foil hat. Just to be extra safe.

It's just a site, and so far i see noone being hacked or something so all is good. No reason to over exagerate with security stuff.

[DepchZ]

Lol nekoneko, I think you got me wrong here, it's not about going paranoid about getting hacked. Like I said earlier I even let that situation go on for weeks in eBay, I'm the opposite of that. :D

It's an honest suggestion of how to make things better. Not even now, not immediately. But I am seriously wondering why it's not being in use already or anything similar to my knowledge. Even if you lost your login credentials to a site it would pretty much prevent anyone else using them unless someone has stolen also your e-mail accounts or using your own units for that.