Anyone else experienced contradictory instructions from Rhino.bet? How have you handled it?

[donaghga]

Hi

I was wondering whether any other AG members have encountered the following with Rhino,bet.

When I got to the stage where they wanted to see some verification documents, they sent me an email , requesting that I reply to the same email address with the documents attached.  I do not normally send any sensitive documents via unencrypted email over the open internet, as this is not  a sufficiently secure delivery mechanism, so I replied to ask whether they offered the facility to upload my documents directly to the casino's servers.  They replied to say that they do not off this, but that I should not worry about it, as they assured me that sending the documents via email was perfectly safe.

The funny thing is that both of the emails they sent me contained the following statement after the signature line: "Security Warning: Please note that this e-mail has been created in the knowledge that Internet e-mail is not a 100% secure communications medium. We advise that you understand and observe this lack of security when e-mailing us."

I wrote again, asking them to explain which of their 2 contradictory statements was correct: is email completely safe, or is it not, and they replied to say that it  is perfectly safe, but... you guessed it! ... that email also contained the same Security Warning in its footer.

The Security Warning in the footer of every email sent by rhino.bet is the correct statement, of course.  Unencrypted email over the internet can easily be intercepted and therefore risks with using email to send sensitive documents such as bank statements, or photos of your passport, etc.  Anyone can check the level of encryption implemented by any email domain by using the National Cyber Security Centre's (NCSC) email checking service (https://emailsecuritycheck.service.ncsc.gov.uk/check) and I provided  their report to rhino.bet support.

Have any other users noticed this inconsistency in directions from Rhino.bet?  If so, how have you handled it?

[cocopop3011]

6 minutes ago, donaghga said:

Hi

I was wondering whether any other AG members have encountered the following with Rhino,bet.

When I got to the stage where they wanted to see some verification documents, they sent me an email , requesting that I reply to the same email address with the documents attached.  I do not normally send any sensitive documents via unencrypted email over the open internet, as this is not  a sufficiently secure delivery mechanism, so I replied to ask whether they offered the facility to upload my documents directly to the casino's servers.  They replied to say that they do not off this, but that I should not worry about it, as they assured me that sending the documents via email was perfectly safe.

The funny thing is that both of the emails they sent me contained the following statement after the signature line: "Security Warning: Please note that this e-mail has been created in the knowledge that Internet e-mail is not a 100% secure communications medium. We advise that you understand and observe this lack of security when e-mailing us."

I wrote again, asking them to explain which of their 2 contradictory statements was correct: is email completely safe, or is it not, and they replied to say that it  is perfectly safe, but... you guessed it! ... that email also contained the same Security Warning in its footer.

The Security Warning in the footer of every email sent by rhino.bet is the correct statement, of course.  Unencrypted email over the internet can easily be intercepted and therefore risks with using email to send sensitive documents such as bank statements, or photos of your passport, etc.  Anyone can check the level of encryption implemented by any email domain by using the National Cyber Security Centre's (NCSC) email checking service (https://emailsecuritycheck.service.ncsc.gov.uk/check) and I provided  their report to rhino.bet support.

Have any other users noticed this inconsistency in directions from Rhino.bet?  If so, how have you handled it?

Hello and welcome to the forum.

I have sent documents by email many times and it has always been safe. Can you please confirm which email address you are using?

Unfortunately, not all casinos have a Document Uploader. Do they have the option to upload documents through their live chat?

[donaghga]

Hi

Thanks for the welcome, and your response.

I'm not sure how you think you can tell that the sending of your documents has been safe; any interception would occur after the email has left your email server and before it hits the casino's.  Neither you nor the casino would be aware that it had happened.  It is is common for data breaches of any kind to come to light many months, even years after they have occurred.  Some never are never made public at all.

And remember, rhino.bet themselves acknowledge, in the footer appended to every email that they send out that email is not 100% secure.   I'm not sure whether you tried running the NCSC's email checking tool which I referenced in my original post on the domain name of any of your favourite casinos, but I would be very surprised if any of them pass all of checks that would be required of a wholly secure encrypted email channel.  The same is likely true for most companies, but most companies are not asking you to send copies of your passport and bank statements & proof of address - exactly the documents any fraudster would require to, for example, open an account in your name.  

To answer your question, rhino.bet do not have a live chat feature at all, nor do they publish a phone number.  Email is the only means of communication that they offer - and it has been more than a month  that they haven't responded to my most recent mail to them.

With apologies for getting all wonky on you, Article 32 of GDPR requires "1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including  [...] 
(b)the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; [...]" and "2.   In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed."

The reason that people usually don't need to worry too much about these risks is the sheer volume of email sent every day: literally hundreds of billions by some estimates (only 40% of which is spam!).  Those who might want to make illicit gain from intercepting emails are looking for a needle in a haystack.  However, if it is known that a single company is receiving a large volume of valuable documents  to  a single email domain, the hacker/fraudster's is suddenly looking for hay in a haystack - they could be confident of finding what they are looking for every time and it becomes worthwhile to expend the effort.

I raised this with the ICO already and they have written to rhino.bet (or will soon be doing so)  "regarding their use of email for the purposes of identity and financial verification," but as you rightly point out, the problem is much wider that just rhino.bet.  I opened this forum topic about this casino, because of their acknowledgement of the issue in their emails, even as they ask users to email them sensitive documents (and also because they are withholding £180 of my funds until I comply with their request!).  I have raised the issue with every casino that has asked me to provide docs by email, and they all consistently claim that there is nothing to worry about; this was the first time I have come across where at least someone at  the casino seems to understand the risks of unencrypted email, even if it is just the guy that writes the corporate email footers!

It would not be costly for each casino to create a secure facility where documents can be uploaded directly to their servers, without having to pass through an unpredictable set of intermediary mail servers on their way there ; the fact that many casinos have not often results in users being put in the difficult position of having to choose between their personal data security and gaining access to money that is rightfully theirs, but which is being held in their casino account, pending the delivery of documents.

[cocopop3011]

1 hour ago, donaghga said:

Hi

Thanks for the welcome, and your response.

I'm not sure how you think you can tell that the sending of your documents has been safe; any interception would occur after the email has left your email server and before it hits the casino's.  Neither you nor the casino would be aware that it had happened.  It is is common for data breaches of any kind to come to light many months, even years after they have occurred.  Some never are never made public at all.

And remember, rhino.bet themselves acknowledge, in the footer appended to every email that they send out that email is not 100% secure.   I'm not sure whether you tried running the NCSC's email checking tool which I referenced in my original post on the domain name of any of your favourite casinos, but I would be very surprised if any of them pass all of checks that would be required of a wholly secure encrypted email channel.  The same is likely true for most companies, but most companies are not asking you to send copies of your passport and bank statements & proof of address - exactly the documents any fraudster would require to, for example, open an account in your name.  

To answer your question, rhino.bet do not have a live chat feature at all, nor do they publish a phone number.  Email is the only means of communication that they offer - and it has been more than a month  that they haven't responded to my most recent mail to them.

With apologies for getting all wonky on you, Article 32 of GDPR requires "1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including  [...] 
(b)the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; [...]" and "2.   In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed."

The reason that people usually don't need to worry too much about these risks is the sheer volume of email sent every day: literally hundreds of billions by some estimates (only 40% of which is spam!).  Those who might want to make illicit gain from intercepting emails are looking for a needle in a haystack.  However, if it is known that a single company is receiving a large volume of valuable documents  to  a single email domain, the hacker/fraudster's is suddenly looking for hay in a haystack - they could be confident of finding what they are looking for every time and it becomes worthwhile to expend the effort.

I raised this with the ICO already and they have written to rhino.bet (or will soon be doing so)  "regarding their use of email for the purposes of identity and financial verification," but as you rightly point out, the problem is much wider that just rhino.bet.  I opened this forum topic about this casino, because of their acknowledgement of the issue in their emails, even as they ask users to email them sensitive documents (and also because they are withholding £180 of my funds until I comply with their request!).  I have raised the issue with every casino that has asked me to provide docs by email, and they all consistently claim that there is nothing to worry about; this was the first time I have come across where at least someone at  the casino seems to understand the risks of unencrypted email, even if it is just the guy that writes the corporate email footers!

It would not be costly for each casino to create a secure facility where documents can be uploaded directly to their servers, without having to pass through an unpredictable set of intermediary mail servers on their way there ; the fact that many casinos have not often results in users being put in the difficult position of having to choose between their personal data security and gaining access to money that is rightfully theirs, but which is being held in their casino account, pending the delivery of documents.

What was your most recent email to the casino? 
If the casino are not responding you can use the AGCCS. 
However, I’m regards to your documents, if this is the only way to send them there is very little we can do to change that. 

[Afi4wins]

What I always do first of all before making any deposit is to check if that casino has the facility for uploading documents on their website. If it's not available, I would not ever play there and would request for an immediate closure of my newly created account. I have done this at a few casinos so far and I would carry on doing so whenever necessary.

Simply put, I cannot trust sending any of my personal and important documents via email, be it to casinos or any other establishments.

Hackers are everywhere and there's literally nothing that they cannot hack into at all...ESPECIALLY hacking into or intercepting messages sent via smartphones! 

[pinnit2015]

Baffling why regulators don't hammer casino's for requesting sensitive information by emails, or report them to the ICO. Aside from the fact there's no end to end encryption, if you offer secure upload facilities you could limit access to it to a select number of staff but a lot of these email addresses are generic and probably accessible to the entire support team (who are probably outsourced anyhow )

If you send these guys Passports, licences, bank info etc you're asking for trouble, or at least increasing your chances the info is leaked in some form. 

Player Protection proclamations must just be for Responsible Gambling declarations, not folks' info 

[cocopop3011]

I have just checked the casino terms and conditions and if states that all documents must be sent by email, I’m not sure there is anything our AGCCS can do to be honest. But I can check for you if you like? BUT if they are still non responsive to your emails, you can definitely open a complaint for this. 

However - since they are not replying by email, I can see they are available to contact on Facebook or Twitter, have you tried to communicate with them this way? 

 

And just in a side note.  I would never chose a casino that does not have live chat, well 24/7 live chat as a personal preference, so that’s something you can watch out for in the future. First let’s try and sort this for you. 

[cocopop3011]

@donaghgaI have just spoken to the team. Please submit a complaint and include all the information you have posted here including any emails you have from the casino. Our team will review it and hopefully we will come to a resolution. Please make sure you say that the casino is not responding.