A Cyber Security Expert’s Analysis of Online Poker

Whether you are a professional poker player or a recreational one, when playing poker for real money you always want to be sure that the game is safe and that there is no cheating going on at or away from the table. In live poker, the game’s integrity is protected by the host of the game (casino/poker room) via hi-tech surveillance measures they’ve put in place, the poker room staff (floorpersons, dealers, etc.), and by the players at the table constantly checking that everything looks and feels right.

I would say that live poker is relatively easy to protect, since the risks involved in rigging the game are very high and the preparations for such a task would probably cost a decent amount of money and not be viable for a long period of time. Indeed, as mentioned, casinos implement sophisticated hardware and software to detect fraud and keep cheaters away from their premises.

With online poker, however, penetrating a game’s security is a little different. This is mainly because you don’t always need physical access to the game in order to be able to cheat or rig the game. Online poker rooms, due to the amount of money they handle 24/7, are among the biggest targets online for computer criminals and fraudsters.

Security Risks When Playing Online Poker

It is important to understand the risks involved when playing online. The risks can be divided into two categories:

  1. Risks that are the responsibility of the game’s host (online poker room)
  2. Risks that are the responsibility of the player

In this article, I will attempt to explain these two categories of risk and what can be done to minimize them.

Online poker rooms are in effect client-server software. The player downloads the client and uses this client to log on to the server. Once a player is logged in, the client and the server exchange messages continuously in order to “let each other know” how the game progresses along with the relevant data about the hand that is being played; this is called the application protocol.

From a game security perspective, in a live game, as long as there are no cameras built into the table (i.e., televised poker), no one but you can see your cards. In online poker, the server must be able to identify all cards dealt in order to notify the client as to which cards it should present to each player. It would thus be correct to say that the server “knows” what your cards are before you even see them. This gives anyone who can control the server the ability to see your cards while you play at the table. Naturally, if this person is seated at the same table as you, it gives him/her an insurmountable advantage over all other players.

Nobody really knows who precisely has access to the servers of any online poker room and whether the people who do are trustworthy or not. However, we do know that there are people who must have access to the servers for the purposes of software and hardware maintenance as well as day to day operations. If one of those people decides to cheat, he is definitely technically able to do so.

The Gatekeepers Hold the Keys to Online Poker Security

With online poker still thriving, especially real money play, we place our trust in the online poker rooms to verify who has access to their servers and what these people are doing with this access. We in effect trust them to police themselves and detect if one of their staff members may use their access in an underhanded way – namely to cheat online poker players while looking at their hole cards during a game.

It is important to emphasize that it’s not only people with permitted access to the online poker room servers who are able to cheat. Skilled computer criminals may in principle be able to gain unauthorized access to servers in order to have the ability to look at players’ hole cards. Thus, in principle, even if internal company security is airtight, a devious computer criminal with malicious intentions may be able to penetrate the software from the outside.

Critically, this does not mean that hacking into an online poker company’s servers is an easy task. Overall security measures depend on each individual company at the end of the day. Naturally, it’s in their best interests to prevent this kind of external server access by constantly monitoring their systems and ensuring nothing fishy is going on.

That said, there’s nothing to prevent computer criminals from continuously attempting to break into the server. Should such a hacker succeed in penetrating an online poker room’s software (unlikely as this may be), it could go undetected for a very long time. Needless to say, the cheater would stand to make a lot of money from it.

Taking Advantage of Weak Internet Infrastructure and Denial of Service

In the past, about 5–7 years ago, many online poker sites dealt with player timeouts by declaring the player all-in for the amount currently invested in the hand (with any further action placed in a side pot). At the time, the Internet infrastructure simply wasn’t good enough to keep players well-connected.

Some computer-savvy players used this online poker site policy to their advantage, as follows: whenever a lot of money was in the pot and they were sure they were ahead in the hand, players would disconnect themselves from the site to be “all in on the cheap” (without having to risk additional money if falling behind in the hand).

Nowadays, however, the Internet infrastructure has improved vastly. Online poker sites have adjusted their disconnect policy as well. If you disconnect today, your time bank will be activated and your hand will be folded when it runs out.

Nonetheless, this opens the door for a Denial of Service attack as a computer criminal could force you out of the hand if he creates a denial of service against your computer (i.e., the online poker site would think that you’ve timed out and will fold your hand, pushing the pot to your opponent). Needless to say, this is not an easy attack to carry out, but if an attacker has done due diligence and knows who you are (i.e., is targeting you specifically) and is thus able to obtain your IP address, this can be done.

Notorious Online Poker Cheating Scandals

The risk of someone with internal access to online poker servers cheating was actually “demonstrated” back in 2007. At the time, someone from the inside at Absolute Poker was able to view the hole cards of other players at the table using an administrative account while simultaneously playing at the table while using his other account. The same thing happened when Russ Hamilton, a consultant to Ultimate Bet, was able to use a “super user” account in order to view other players’ hole cards while playing against them. He was able to do so for 4 years and steal over $15,000,000 before finally getting caught – yet Hamilton was never formally charged with regards to this incident.

Another risk which falls under the responsibility of poker sites is the secured design of the software and the protocol “spoken” between the client and the server. While breaking into the game server may be a very hard task and sometimes practically impossible, a determined, nefarious computer criminal may be able to gain a lot of information by reverse engineering the client application and dissecting the communications between the client and the server.

For instance, in 1999 some hackers discovered that the shuffle algorithm used by Planet Poker had a flaw in it. This article will not go into the details of how the algorithm was compromised, but suffice it to say that laypeople would consider the task to have been “impossible”. Essentially, those hackers were able to predict the upcoming cards by synchronizing their machine clock with the server clock. They then used the flaw in the shuffle algorithm to mathematically calculate the place of each card in the deck. This case has been well documented.
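The class of weakness described above, a shuffle whose outcome depends on the server clock, shown beside a hardened form. This is an added illustration, not Planet Poker's code: the millisecond clock seed, the use of Python's `random` module and all function names are assumptions.

```python
import random
import secrets

RANKS = "23456789TJQKA"
SUITS = "cdhs"
DECK = [r + s for r in RANKS for s in SUITS]


def clock_seeded_shuffle(clock_ms):
    """Weak pattern: the whole deck order is a function of the clock value."""
    deck = DECK.copy()
    random.Random(clock_ms).shuffle(deck)    # same seed, same deck, every time
    return deck


def csprng_shuffle():
    """Hardened pattern: Fisher-Yates driven by the OS CSPRNG, no seed to guess."""
    deck = DECK.copy()
    for i in range(len(deck) - 1, 0, -1):
        j = secrets.randbelow(i + 1)         # unbiased index in [0, i]
        deck[i], deck[j] = deck[j], deck[i]
    return deck


def reachable_decks(start_ms, window_ms):
    """Audit: distinct decks the weak shuffler can emit inside a clock window."""
    clock_values = range(start_ms, start_ms + window_ms)
    return len({tuple(clock_seeded_shuffle(t)) for t in clock_values})


if __name__ == "__main__":
    # 52! orderings exist, but one second of clock uncertainty allows at most 1000.
    print("decks reachable in a 1 s window:", reachable_decks(0, 1000))
    print("first cards, CSPRNG shuffle:", csprng_shuffle()[:5])
```

An audit of a shuffler should ask how many decks it can actually produce, not how random a single deal looks.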

The above incident illustrates one of the most important principles in the cyber security world: there is no such thing as closed software, hidden algorithms, or hidden protocols. Once a hacker decides to try and tamper with software, all he needs is time and a computer to try and find ways to exploit flaws. Every online poker room’s software has its own proprietary protocol and many potential flaws could be found in each. Reverse engineering the software and the protocol is not a hard task for a competent computer criminal. If a hacker were to be able to detect even one flaw, it could probably be exploited for a long period of time without being detected.

How Can Online Poker Players Protect Themselves?

From the player’s point of view, there is not much to be done when it comes to risks that are under the responsibility of the poker site. One thing you could do is track every hand you play by using tracking software. You could then periodically test that the statistical data of all the hands is correctly distributed and that there are no bizarre incidents or any other big statistical errors. You need not be a professor of Statistics to notice that “something seems off” with the numbers in your hand history. However, the bottom line is you need to trust the online poker site, its software, and the operators to do the best they can to prevent collusion and physical and virtual break-ins. Most importantly you need to trust them not to cheat or enable cheating in any way.
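One way to run the periodic distribution check described above: a chi-square goodness-of-fit test on the ranks of your own hole cards. This is an added example, not output from any tracking product; the four-character hand format and both sample histories are constructed.

```python
from collections import Counter

RANKS = "23456789TJQKA"
SUITS = "cdhs"
DECK = [r + s for r in RANKS for s in SUITS]
CHI2_CRIT_DF12_P001 = 32.909   # chi-square critical value, 12 d.o.f., p = 0.001


def rank_chi_square(hole_cards):
    """Chi-square statistic of observed hole-card ranks against a uniform deal.

    hole_cards: iterable of strings such as "AsKd" (rank and suit, twice).
    The two cards of a hand are treated as independent draws, an approximation.
    """
    counts = Counter()
    for hand in hole_cards:
        counts[hand[0]] += 1
        counts[hand[2]] += 1
    expected = sum(counts.values()) / len(RANKS)   # each rank is 4/52 of all cards
    return sum((counts[r] - expected) ** 2 / expected for r in RANKS)


def looks_off(hole_cards):
    """True when the rank distribution would be this skewed under 1 deal in 1000."""
    return rank_chi_square(hole_cards) > CHI2_CRIT_DF12_P001


# Constructed history 1: every card dealt equally often (26 hands x 50 = 1300 hands).
FAIR = [DECK[i] + DECK[i + 1] for i in range(0, 52, 2)] * 50
# Constructed history 2: the same hands plus 150 extra deals of one weak hand.
SKEWED = FAIR + ["2c7d"] * 150

if __name__ == "__main__":
    for name, history in (("fair", FAIR), ("skewed", SKEWED)):
        print(name, round(rank_chi_square(history), 1), looks_off(history))
```

A rank-only test is coarse: it needs thousands of hands to be meaningful and says nothing about who sees the cards, so a clean result is not proof of a fair game.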

Why would an online poker site cheat players if they make millions anyway?

The answer to that is very simple: greed!

If an online poker site’s administration feels that they can cheat and get away with it, despite the millions they make fairly, they could in principle make even more by cheating. Sadly, this type of temptation is not something everyone in positions of power can resist. As evidenced above, it has happened in the past and it lasted for a long period of time.

This is so despite regulation by reputable organizations like the Kahnawake Gaming Commission, which at the time oversaw Ultimate Bet operations. Nonetheless, cheating still managed to occur “right under their noses”.

Incidents like these that have arisen from time to time can only bring us to the conclusion that, sadly, not enough precautions have been taken by the online poker sites when it comes to protecting player security. A further example of this was when 2004 WSOP Main Event Champion Greg Raymer’s password was hacked. The attacker was able to guess his password, which according to Raymer was “too easy to guess”.

As a cyber security expert, I can tell you from my 25 years of experience in the field that it is almost impossible to guess a password (however simple it may be) without making multiple attempts to find it. My “easy passwords” dictionary contains around 100,000 common passwords. It seems very strange that someone trying to hack the account of an online poker player would be able to make an unreasonable amount of failed password tries until finding the right one, while going completely under the radar. The culprit only got caught because after cracking the password he logged on as if he were Raymer and played heads-up tournaments against his own private account – where he would play both sides and dump chips from “Greg” to himself. The cyber security point to be made here is that PokerStars could have in principle detected this before it actually happened. In my professional opinion, 5–6 failed password attempts should have raised a flag – especially on a high-profile online poker player account such as that. That incident also teaches us the second rule of cyber security: passwords, as strong as they may be, are only an obstacle, not a barrier.
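A sketch of the server-side check argued for above, flagging an account once failed logins reach the 5-attempt figure from the text and escalating when a success follows the burst. This is an added example, not any poker site's detection logic; the log format, account names, addresses and 15-minute window are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                     # failed attempts that raise a flag (from the text)
WINDOW = timedelta(minutes=15)    # assumed look-back window

# Constructed sample auth log: timestamp, account, source address, result
SAMPLE_LOG = """\
2024-01-05T18:00:00 player_c 203.0.113.20 FAIL
2024-01-05T18:30:00 player_c 203.0.113.20 FAIL
2024-01-05T19:00:00 player_c 203.0.113.20 FAIL
2024-01-05T19:30:00 player_c 203.0.113.20 FAIL
2024-01-05T20:00:00 player_c 203.0.113.20 FAIL
2024-01-05T20:00:01 highprofile_01 198.51.100.7 FAIL
2024-01-05T20:00:40 highprofile_01 198.51.100.7 FAIL
2024-01-05T20:01:10 highprofile_01 198.51.100.7 FAIL
2024-01-05T20:02:00 highprofile_01 198.51.100.7 FAIL
2024-01-05T20:02:30 highprofile_01 198.51.100.7 FAIL
2024-01-05T20:03:00 highprofile_01 198.51.100.7 FAIL
2024-01-05T20:03:30 highprofile_01 198.51.100.7 OK
2024-01-05T20:10:00 player_b 203.0.113.9 FAIL
2024-01-05T20:10:20 player_b 203.0.113.9 FAIL
2024-01-05T20:10:45 player_b 203.0.113.9 OK
"""


def flag_accounts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {account: reason} for accounts with a failed-login burst in the window."""
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, _source, result = line.split()
        when = datetime.fromisoformat(ts)
        failures = recent[account]
        while failures and when - failures[0] > window:
            failures.popleft()    # forget failures older than the window
        if result == "FAIL":
            failures.append(when)
            if len(failures) >= threshold:
                alerts.setdefault(account, "failed-login burst")
        elif result == "OK":
            if len(failures) >= threshold:
                alerts[account] = "login success after failed-login burst"
            failures.clear()
    return alerts
```

On the sample, only `highprofile_01` is flagged: `player_c`'s five failures are spread over two hours and `player_b` mistyped twice before logging in.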

Up until now this article has dealt with server-side security. The fact is that we can’t do much about it aside from constant monitoring that nothing unusual is happening. Even then, a good mathematician could in principle come up with an algorithm that would cheat the player and still fly under the radar. The only way to make sure this does not happen is to ensure each online poker site provides a full disclosure at all times about its software, servers, random number algorithm, and methods of security.

Some Cyber Security Responsibilities Are On the Players

Another security aspect of poker that is actually the players’ responsibility is always making sure your personal computers have not been hacked and that the computer you are playing on (if not your own) is secure. If an attacker writes special software designed to run on an online poker player’s computer and send his/her hole cards to the attacker’s computer, you can only imagine the potential bankroll damage that could be inflicted if the two were seated at the same table.

Again, the onus is on the player to make sure the computer he plays poker on is safe. Computer software can do damage in many ways. It can record your password, your hole cards, and your actions at the virtual felt. Malicious software can also hijack your actions while in a hand and take remote control commands from a remote controller. Plus there are many more ways a hacked computer can cost a player a lot of money.

From my experience, I think that the best way to protect yourself from having your computer compromised is not to play poker on the computer you work on for day to day tasks. Thus, to ensure maximum online poker safety, I would advise a separate computer solely for the purpose of playing poker. Don’t install any other software on it and don’t let anyone else who you don’t trust handle your computer in any way or even have access to it.

Moreover, you should configure firewall protection on this computer that will only allow traffic that is needed for the poker software and will drop all other traffic from and to this computer. I would also recommend installing antivirus software. Keep in mind, however, that while antivirus software will give you a general layer of protection, it will not protect you from a focused, targeted attack by new malicious software on your specific computer.

Finally, you should make sure that the data on this computer is encrypted with a strong password.

We have a nice saying in the worldwide hacker community: “In God we trust. Everyone else, we monitor!”

In Conclusion

Indeed, the types of cyber security attacks covered in this article may seem not just far-fetched, but almost James Bond-like in nature. Nonetheless, you can rest assured that every competent computer security expert knows that they’re not only possible, but have actually happened in the past. At the end of the day, you simply cannot (and should not) play online poker unless you place your full, blind trust in the site you’re playing on. The fact is that you’ll never know 100% what goes on behind closed doors.

Happy Cyber Monday and be safe at the virtual felt!

Be sure to check out my follow-up article: Fully Secure Online Poker – Is It Possible?

View Eddie Harari’s profile on Linkedin

Leave a Reply