Password strength and login hygiene
Your password is the first line of defence for your hoki365 account. We require passwords to include uppercase letters, lowercase letters, numbers, and symbols — a combination that resists brute-force attacks. Do not use dictionary words, birthdate sequences, or repeating characters (111111, abcabc). A strong password example: MyGates#2024Olympus (14 characters, mixed case, symbol, number).
Never share your password with anyone — not our support team, not friends, not colleagues. We at hoki365 will never ask for your password via email or chat. If someone claims to be from hoki365 support and requests your password, that is a phishing attempt. Report it immediately to our security team.
Change your password every 90 days, or immediately if you suspect compromise. Use the "Change Password" option in your account settings (found under "Security" or "Account"). You will be asked to enter your current password before creating a new one — this protects against unauthorised changes if your browser session has been left unattended.
Log out after each session, especially on shared devices (internet café, family computer, office laptop). Our platform logs you out automatically after subject to verification of inactivity, but manual logout is safer. Look for the "Log Out" or "Sign Out" button in the account menu.
Two-factor authentication (2FA) and session security
We offer optional two-factor authentication (2FA) to add a second security layer. After entering your password, you receive a one-time code via SMS to your registered phone number. You must enter this code within two minutes to log in. Even if someone obtains your password, they cannot access your account without your phone.
We recommend enabling 2FA if you store large balances or play during high-volatility tournament weeks (Idul Fitri slot marathons, Piala AFF championship events). To enable 2FA, go to Security Settings, select "Enable 2FA," and follow the prompts. You will be asked to verify your phone number; we send a test code to confirm it works.
Session management operates automatically. When you log in, a unique session token is issued and encrypted. Each request to the platform (spin a slot, place a bet, withdraw funds) must carry a valid token. Tokens expire after subject to verification of inactivity or when you log out. If you open hoki365 in multiple browser tabs, all tabs share one session; logging out in one tab logs you out everywhere.
From Jakarta, Surabaya, Bandung, Medan, Semarang — anywhere in a supported region — your session is encrypted end-to-end. We use SSL/TLS (Secure Sockets Layer) so data transmitted between your device and our servers cannot be intercepted. Look for a padlock icon in your browser's address bar; this confirms you are on a secure connection.
Account verification and KYC process
Before you can withdraw funds or play for real money on Mahjong Ways, Gates of Olympus, or any title, we require account verification. This is called Know Your Customer (KYC) compliance — a regulatory standard that prevents money laundering and fraud. We ask for:
- A valid national ID (KTP), passport, or driver licence (front and back)
- Proof of address (utility bill, bank statement, or tax document dated within 90 days)
- A selfie holding your ID and a piece of paper with today's date
Upload these documents through the "Verification" tab in your account. We review them within one business day on weekdays. During holidays (Idul Adha, Imlek, Nyepi), review windows may extend. We accept colour copies and clear phone camera photos — no faxes or poorly lit images.
Once verified, your account is flagged "KYC Complete." You can then deposit via e-wallet, mobile banking, local payment, online payment, e-wallet, mobile banking, local payment, online payment, e-wallet, mobile banking without further checks. Withdrawals also process freely, subject to your bank's settlement time. If your ID expires during your time as a hoki365 user, re-upload your new ID when prompted.
- KYC Approval
- Documents verified; full account access granted. Deposits and withdrawals available without daily caps, subject to bank limits.
- KYC Pending
- Documents uploaded but under review. You can deposit and play, but withdrawals are restricted until approval.
- KYC Rejected
- Documents failed (expired ID, unreadable address proof, poor selfie). Resubmit corrected documents. Our support team flags the specific issue.
Data encryption and storage
All personal data — your name, ID number, phone, email, home address — is encrypted at rest using AES-256 encryption. This means even if our servers were physically stolen, the data would be unreadable without the decryption key. Keys are stored separately in a secure vault.
Payment information (bank account, e-wallet details) is never stored in plain text on our platform. When you provide a local payment, online payment, e-wallet, or mobile banking account for withdrawal, we tokenise it — we store only a unique reference, not the actual account number. Real numbers are retrieved only during withdrawal processing and deleted immediately after.
We do not sell, rent, or share your data with third parties for marketing. Our Privacy Policy (linked in the footer) details exactly what we collect, how long we retain it, and your rights. We comply with regional data-protection regulations and undergo annual security audits.
Suspicious activity and account recovery
If you notice unfamiliar logins, unauthorized withdrawals, or balance changes you did not make, contact our support team immediately. We log all account activity with timestamps — every login, deposit, spin, and withdrawal. We can retrieve these logs and investigate within hours.
If your account is compromised, follow these steps: (1) Do not log in again from the same device if you suspect malware. (2) Change your password from a different, clean device. (3) Contact our support team via email (include your account email and registered phone number). (4) Provide details of suspicious transactions — exact amounts, dates, payment methods.
Our fraud team reviews logs, identifies if transactions match your usual pattern (e.g., if you normally withdraw to local payment but suddenly someone withdrew to online payment), and may reverse unauthorized withdrawals within 72 hours. If funds reached an external account, we coordinate with the recipient bank for recovery. This process can take weeks; we keep you informed.
Password reset in case of forgotten credentials: Click "Forgot Password" on the login page. We send a reset link to your registered email. Click the link (valid for subject to verification) and enter a new password. If you no longer have access to that email, our support team can verify your identity via SMS to your registered phone number, then initiate a password reset.
Your security is not a feature we add — it is foundational to how we operate hoki365.
Deposit and withdrawal security
When you deposit via e-wallet, mobile banking, local payment, online payment, e-wallet, mobile banking, or bank transfer, your connection to the payment gateway is encrypted. You never provide your bank or e-wallet credentials to hoki365 — the payment provider handles authentication. We receive only a confirmation that the transaction succeeded.
Withdrawals require an extra verification step if the destination bank differs from your registered account. For example, if you signed up with your local payment account but suddenly request withdrawal to online payment, we ask you to confirm the new account via SMS code. This prevents attackers from redirecting your funds to their own accounts.
Large withdrawals (e.g., over a certain daily limit per your payment method's rules) may trigger additional KYC re-verification. We ask you to re-upload your ID or confirm your phone number. This is a temporary security measure; normal withdrawals resume once confirmed.