Fully Secure Online Poker – Is It Possible?

The Calculated Risk

We, the human race, take risks almost every day of our lives. We fly over oceans, we drive cars, we put our money in banks. All of these activities carry risk, and the fact that the risk exists does not stop us from engaging in them. Sometimes, when the risk is too great, we decide an activity is not worth it and give it up altogether; many people have quit smoking for exactly that reason. In other cases, such as the use of certain drugs, governments decide the risk is so high that they forbid the activity outright. In other words, most of the time we are left to weigh the risks ourselves and make day-to-day decisions based on our individual tolerance for risk, and only in cases of extreme risk do governments step in and decide for their citizens what the appropriate action should be.

You may be asking yourself by now: what on Earth does all of this have to do with online poker? The answer is simple. If you have read my previous article here on the Cardplayer Lifestyle poker blog about online poker cyber security, you know that there are clearly risks involved in playing online poker. The question is whether these risks are manageable, or whether enthusiasts should give up playing online poker altogether.

Security Issues with Online Poker

Regarding the specific cyber security risks of playing online poker that I laid out in my previous article, it is important to note that most of them stem from us, the players, having no way of knowing whether the game is fair. History shows that several online poker sites have been compromised in ways that allowed games to be rigged from within the system. On top of that there are external risks, such as someone breaking into our computer and viewing our cards as we play.

During a recent, lengthy Twitter exchange it came to my attention that there is also concern about criminals using online poker as an infrastructure for money laundering. These risks are indeed serious, but the question remains: are they manageable, or are they so serious that we can no longer play online poker at all?

Risk Analysis

Online Poker Provider Risks

Online poker operators either develop their poker client and server code in-house or buy it from third-party software developers. From the player's point of view, the software itself poses the greatest security risk, because it is the one risk the player has no control over; it lies entirely in the hands of the online poker provider. As mentioned in the first article, there are two main risks involving the provider:

  1. That the software itself contains code that deliberately rigs the game against the player (for example, code that lets an insider see other players' hole cards)
  2. That the operator hosting the online poker game has been broken into, so that hackers can manipulate the software to rig games for millions of dollars in illicit profit

While these risks are indeed very serious, after much thought I have come to the conclusion that they are manageable.

The main problem with online poker provider risks is the lack of standards and regulation. Compare banks: the money at stake there is far higher than in online poker, yet we all feel safe and secure when we put our money in the bank. The reason is simple. Banks are constantly monitored by government regulators, and bank managers cannot do whatever they like with our money. Governments have set up standards and regulations that minimize the risk that a bank will simply close its doors, take all the money deposited there and disappear. That risk still exists, but the chance of it happening is very slim precisely because governments define and enforce what must be done to keep it small. Moreover, at least in the United States, the FDIC safety net provides insurance for deposits (up to $250,000 per depositor, per insured bank, for each account ownership category).

Banks are not the only example of regulators facing security risks and managing them effectively; insurance companies and live casinos are excellent examples too.

Solutions for Managing Online Poker Provider Risks

I would suggest the following in order to deal effectively with online poker provider risks:

  1. Every online poker provider should have to pass periodic code review by independent third-party experts. These experts would review the code with each update and determine whether it contains security holes or undocumented "features" such as an administrative view of players' hole cards.
  2. Every online poker provider should have to pass periodic network and infrastructure review by third-party experts, who would review the configuration and settings of the infrastructure and decide whether there are related security problems.
  3. Every online poker provider should have to pass periodic software audits sanctioned by the regulator, not audits the provider commissions and scopes for itself.
  4. Gambling legislation should encode regulations for how an online poker provider must handle money, users and fraud detection, and every other aspect of system integrity and security.

These four suggestions are not the only things that should be done to manage the risks involved with online poker software providers, but they indicate the direction the industry should be heading in.

Notice that throughout I have used the word "manage" and not "eliminate", because risk can never be eliminated. When dealing with risk at any level, the question should not be "How do we eliminate the risk?" but rather "How can we lower the chance that an incident will happen?" and, further, "Can we live with the consequences the day after it does?"

Client-Based Risks

As noted in my previous article, we players also face risks involving our own computer systems. Installing an antivirus alone is not an adequate countermeasure, because antivirus software mainly defends against known attacks; it is easy for an experienced attacker to craft malware that flies under its radar. Strictly speaking, the amount of defense your system needs is proportional to the amount of money someone could gain by hacking it.

If you make a living playing online poker, I would recommend the following:

  1. Use a separate computer for online poker play (not your regular home computer).
  2. Use a firewall that allows only the traffic the poker client needs and denies all other traffic to and from the computer.
  3. Protect this computer with an antivirus and be sure you are the only person using it.
  4. Do not read email or perform any other Internet activity from this computer; the risk of getting hacked is too high.
  5. Use strong authentication to log in to your online poker accounts (e.g., an external token or certificate-based authentication).
  6. Take an image of the hard drive right after the online poker software is installed, and restore it (or uninstall and reinstall the software) every so often. Even if someone has managed to infiltrate your system, going back to the clean image will take care of the problem, unless the intrusion reached below the operating system, for example into firmware. (This is very easy and can be automated.)
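Step 6 is far more useful when you can tell that the installation has actually changed instead of reinstalling on a fixed schedule and hoping. The following is an added example, not code from the article: it records a SHA-256 manifest of every file under the client directory right after the clean install and diffs the live tree against that baseline before each session. The directory layout and file names in `simulate_tamper()` are constructed, and the manifest is assumed to be kept with the offline disk backup rather than on the poker machine, so an intruder who patches the client cannot also quietly rewrite the baseline. The check only sees files under the client tree; malware that lives elsewhere on the system is out of its reach, and for that the clean-image restore remains the answer.

```python
"""File-integrity baseline for a dedicated online-poker machine.

Added example, not code from the original article. It assumes the poker
client lives under a single directory. Take the baseline right after a clean
install, keep the manifest with the offline disk backup rather than on the
poker machine, and run a check before each session; any difference is the
signal to restore the clean image. simulate_tamper() is a constructed
scenario with made-up file names, not a real client.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Map every regular file below root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so that a link pointing outside the tree cannot be
    used to substitute content the manifest never covered."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare(baseline, current):
    """Diff two manifests into added, removed and modified paths (sorted)."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def write_manifest(root, manifest_path):
    """Record the baseline; do this once, right after the clean install."""
    with open(manifest_path, "w") as fh:
        json.dump(snapshot(root), fh, indent=2, sort_keys=True)


def verify(root, manifest_path):
    """Return (clean, diff): clean is True only when nothing was added,
    removed or modified since the baseline was taken."""
    with open(manifest_path) as fh:
        baseline = json.load(fh)
    diff = compare(baseline, snapshot(root))
    return not any(diff.values()), diff


def simulate_tamper():
    """Constructed scenario: baseline a fake install, then patch the binary,
    drop an extra DLL beside it and delete a config file.
    Returns (clean_before, clean_after, diff)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "client"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "poker.exe").write_bytes(b"MZ\x90\x00original-client")
        (root / "config.ini").write_text("server=poker.example\n")
        manifest = Path(tmp) / "baseline.json"  # outside the client tree
        write_manifest(root, manifest)
        clean_before, _ = verify(root, manifest)
        (root / "bin" / "poker.exe").write_bytes(b"MZ\x90\x00patched-client")
        (root / "bin" / "hook.dll").write_bytes(b"MZ\x90\x00injected")
        (root / "config.ini").unlink()
        clean_after, diff = verify(root, manifest)
    return clean_before, clean_after, diff


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4 or sys.argv[1] not in ("init", "check"):
        sys.exit("usage: integrity.py init|check <client_dir> <manifest.json>")
    cmd, root, manifest = sys.argv[1:]
    if cmd == "init":
        write_manifest(root, manifest)
    else:
        clean, diff = verify(root, manifest)
        print("clean" if clean else json.dumps(diff, indent=2))
        sys.exit(0 if clean else 1)
```

Run `integrity.py init <client_dir> <manifest.json>` once after the clean install and `integrity.py check ...` before each session; a non-zero exit means something under the client directory changed and the image should be restored before playing. Legitimate client updates will also trip the check, which is the intended moment to re-baseline after confirming the update came from the operator.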

The above list is not a complete manual of online poker security, but it should adequately demonstrate how to minimize client-side risk.

Ideally recreational players would take the above precautions as well, but for them it may be too expensive an investment. As outlined at the outset of this article, they will have to do their own risk assessment and decide whether they are willing to play from a computer that is not fully secured. As a guiding rule, the amount of protection you need is directly correlated with the amount of money you put at risk when you play poker online. Even all of the above countermeasures will not hermetically seal your computer against cyber attack, but anyone who takes them can play online poker safely enough.

Collusion and Money Laundering

Collusion is a risk that should be handled at the online poker provider level. Money laundering is an illegal activity that takes place through many potential outlets (banks, ordinary businesses, live casinos, etc.).

Online poker collusion rests on the fact that a player could in principle open multiple accounts and manage them from a single point of control, seeing each "player's" cards and deciding what action each one takes. Importantly, if the same user names collude all the time, this could be detected by a simple anomaly-detection system.

Collusion also depends on where each controlled player sits at the table. In tournaments one cannot predetermine one's seat, but in cash games a player can choose where to sit, and colluders would exploit that.
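To make the "simple anomaly system" concrete, here is an added example (not code from the article or from any poker operator) that scores every pair of accounts by how many distinct tables they shared against how many they would be expected to share if seats were chosen independently. The session data is constructed: 25 honest regulars whose seating is arranged so that any two of them meet at exactly one table, plus two accounts that keep sitting down at the same cash table. The account names, table IDs and the two thresholds are assumptions; a real deployment would read the operator's hand histories and tune the thresholds on genuine traffic.

```python
"""Co-seating anomaly detection for online poker collusion.

Added example, not code from the original article or from any poker operator.
The session data is constructed; a real deployment would read the operator's
hand-history database (one record per table sitting) and tune the thresholds
on genuine traffic.
"""
from collections import defaultdict
from itertools import combinations


def build_sessions():
    """Constructed table sessions: (table_id, game_type, frozenset(accounts)).

    25 honest regulars p00..p44 are seated along the 30 lines of the affine
    plane AG(2,5), so every honest pair shares exactly one table: a clean
    baseline with no accidental clustering. Two colluding accounts then keep
    choosing the same cash tables (T00-T07), with two solo sessions each so
    their histories are not simply identical.
    """
    tables = []
    for m in range(5):                      # lines y = m*x + b (mod 5)
        for b in range(5):
            tables.append({f"p{x}{(m * x + b) % 5}" for x in range(5)})
    for c in range(5):                      # vertical lines x = c
        tables.append({f"p{c}{y}" for y in range(5)})
    for t in range(8):
        tables[t] |= {"acct_A", "acct_B"}
    for t in (8, 9):
        tables[t].add("acct_A")
    for t in (10, 11):
        tables[t].add("acct_B")
    return [(f"T{t:02d}", "cash", frozenset(s)) for t, s in enumerate(tables)]


def co_seating_stats(sessions):
    """For every pair of accounts that ever shared a table, return
    (shared, tables_a, tables_b, lift), where lift is the observed number of
    shared tables divided by the number expected under independent seat
    choice, E[shared] = tables_a * tables_b / n_tables.

    MTT sittings would be counted the same way: random seating puts a pair
    together occasionally, but not table after table."""
    n_tables = len(sessions)
    tables_of = defaultdict(set)
    shared = defaultdict(int)
    for table_id, _game, seats in sessions:
        for acct in seats:
            tables_of[acct].add(table_id)
        for a, b in combinations(sorted(seats), 2):
            shared[(a, b)] += 1
    stats = {}
    for (a, b), s in shared.items():
        ta, tb = len(tables_of[a]), len(tables_of[b])
        stats[(a, b)] = (s, ta, tb, s * n_tables / (ta * tb))
    return stats


def flag_collusion(sessions, min_shared=5, min_lift=2.0):
    """Flag pairs that share many distinct tables in absolute terms (one long
    heads-up session is a single table and never qualifies) AND share far
    more than independent seating predicts (so two busy regulars who meet
    often by volume alone are not flagged). Returns [(pair, shared, lift)]
    sorted by lift, highest first."""
    flagged = [
        (pair, s, lift)
        for pair, (s, _ta, _tb, lift) in co_seating_stats(sessions).items()
        if s >= min_shared and lift >= min_lift
    ]
    return sorted(flagged, key=lambda row: (-row[2], row[0]))


if __name__ == "__main__":
    for (a, b), s, lift in flag_collusion(build_sessions()):
        print(f"{a} & {b}: {s} shared tables, {lift:.1f}x expected")
```

Both thresholds matter: an absolute count alone would flag two busy regulars who happen to play a lot, while a lift ratio alone would flag any pair with only one or two sessions each. Random seating, as in the MTT and Zoom/Rush formats discussed in this article, attacks the same signal from the other side: it pushes a colluding pair's observed co-seating toward the independent baseline, so their lift drops toward 1 and they lose the ability to sit together on demand.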

Interestingly, there are two measures that would greatly impair the potential for collusion:

  1. If online poker rooms only offered multi-table tournaments (MTTs) and Zoom/Rush-style cash games, where players cannot choose where they sit, collusion by picking seats becomes essentially impossible.
  2. If operators verified the identity of new players and activated accounts only after a full ID check validated with help from the authorities (instead of the current practice, which requires nothing more than an email address), this would also work against collusion.

Forcing online poker operators to check the identity of each newly registered player is easy and should be part of the regulation, just as one cannot open a bank account without showing valid ID. Since we can already pay our taxes online, a secure online ID validation process could certainly be set up. It might delay registration by one or two days, but it would solve a large part of the collusion problem.

Even these measures would not eliminate collusion and money laundering entirely, but they would make them unprofitable in the long term. Security experts do not deal in absolutes; we deal in risk management and probability. Identifying users at registration, and not only when they cash out, would make collusion next to impossible for all practical purposes.

Money laundering, with or without collusion, is certainly possible in many other ways than via online poker. Regulating governments should monitor online poker and make every effort to stop collusion and money laundering, but this cannot be an argument for prohibiting online poker itself.

Re: The Work of Mr. James Thackston

I have examined the work of Mr. James Thackston and must admit I was impressed by it. Even though I have not seen the demo, I am sure the money-laundering-via-collusion scheme he proposes is valid for certain types of games and sites.

[Image from Mr. Thackston's site: "undetectable laundering"]

There are, however, some major issues with his work:

  1. I have not seen an analysis of the countermeasures that could be taken to prevent such collusion.
  2. To my knowledge, his proposal was not tested against a live real-money online poker provider with a collusion detection system in place (e.g., PokerStars).
  3. To launder meaningful amounts of money you would need to play for very high stakes. The high-limit player pool is far smaller, so it would be quite abnormal for several new players to suddenly show up at those tables and fly completely under the radar. That just does not happen; at the very least, regular high-limit players would be extremely wary.
  4. Ignoring all possible flaws in his system, I do not believe that Mr. Thackston, with all his mathematical knowledge, truly thinks his system is undetectable. Perhaps no site detects it today, but it is entirely detectable with trivial anomaly detection.

Putting the above four points aside, and assuming Mr. Thackston's system is 100% valid and flawless, I would like to pose an interesting question:

Since Mr. Thackston's collusion system is only applicable to cash games, where players can choose their own seats, wouldn't he agree that MTTs and Zoom/Rush-style cash games are immune to such an attack? Perhaps we could all agree that scheduled MTTs are safe and move forward from there?

Conclusion

Cyber security experts can only recommend how to take and manage risks in ways that are acceptable to all sides.

Just as banks and insurance companies are monitored and regulated by governments to guarantee security and integrity in how they handle our money, online poker sites should be regulated in the same way and to the same extent.

Such regulation would not eliminate every potential cyber attack on online poker, but it would certainly make such attacks unprofitable for criminals in the long run.

In the 21st century we manage our money online. We create new currencies (e.g., Bitcoin) online, buy insurance online and submit our medical details online. There is no reason online poker cannot be made as secure as any of these. Opponents of online poker should therefore find better reasons to argue their case.

View Eddie Harari’s profile on Linkedin

14 Comments

  1. Rich Muny, March 24, 2014 at 10:35 pm

    Thank you for taking the time to write on this important issue, Mr. Harari. I especially appreciate your reaching out to me for information along with Mr. Thackston’s contrary point of view.

    As sites have 10+ years experience in collusion detection and surveillance, it was flat-out reckless and irresponsible for Thackston to claim he had “proven” US-licensed sites and top-tier offshore sites like PokerStars are particularly attractive to money launderers when he had zero data on the surveillance capabilities of these sites. When put under the harsh light of tough evaluation, it quickly became clear that all he had was something he felt looked scary, but without any information on the ability of a site to detect it. In other words, he has a hypothesis he seeks to use as an excuse to justify a nationwide ban on online poker.

    This has been an interesting topic of discussion for the poker community. The Poker Players Alliance is a non-profit advocacy group comprised of 1.2 million poker players and enthusiasts who, as those most directly impacted by collusion, are dedicated to attacking collusion and empowering law enforcement to take clear action against those who'd prey on the poker community. Our community was victimized by those at Ultimate Bet and Absolute Poker, and many of us – me included – are just now receiving our Full Tilt Poker balances (the result of a non-collusion issue). There are no greater advocates for safe online poker than those who actually play the game.

    PPA takes money laundering seriously and offers actual solutions. PPA Executive Director John Pappas recently testified before a Congressional committee on online poker consumer protection and law enforcement empowerment, with specific emphasis on anti-money laundering compliance programs — complete with auditable records to be maintained by sites.

    We also very strongly disagree with the notion Thackston has tried to forward, suggesting sites have no incentive to stop collusion. Caesars, MGM, PokerStars, etc., are big name operations that have no desire to tarnish their names. In other words, they have all the reason in the world to ensure players see their sites as honest and trustworthy.

    We are pleased by the compliance of the licensed U.S. sites as well as the experience of some offshore sites that no longer serve the U.S. market but which are licensed offshore for operation where they offer services, such as PokerStars. It is our desire to move forward with all forms of online poker in all fifty states.

    Thanks again!

    Rich Muny
    Poker Players Alliance
    Vice President of Player Relations

  2. Mike Qualley, March 25, 2014 at 12:44 am

    Very good article! Eddie Harari has done what our opposition and Mr. Thackston fail to do on a daily basis: Eddie uses no hypothetical unproven tests, just true facts.

    As he said in this article, this is the 21st century and Americans use the Internet daily for all forms of e-commerce. This BTW also includes billions of dollars traded daily/weekly online by stock, bond, futures etc. traders on any number of online trading platforms, e.g., e-Trade, Ameritrade, Forex etc. Surely if online poker sites are in danger of money laundering, these financial sites should also be considered extremely vulnerable because of the sheer amount of money that can be made on just one successful trade. Our opposition seems to forget about this form of e-commerce.

    Unlike Eddie Harari, our opposition uses only hypotheticals, including their FBI study, again only hypothetical. Even Sheldon Adelson's point man Andrew Abboud admits that he is clueless about the technical side of this argument; he said "I was lost" after the tech presentation last week at the iGNA conference. How can he speak intelligently about this issue when he does not understand it? The answer is he can't! This is what every one of our opposition fails to do: understand why we need to license and regulate online poker within our borders.

    As a poker player who played online for over 8 years before the shutdown, I appreciate the time that Eddie Harari took to share his expertise and real life experience with all of us and hopefully Congress and our state governments will see this as well.

    Thank you Eddie Harari for pointing out what our opposition fails to acknowledge. That the ONLY way to make online poker sites safe for the U.S. players, consumers and families is to license and regulate the industry within the USA and allow our law enforcement to properly perform their jobs.

  3. Gail S., March 25, 2014 at 3:10 am

    Thank you for your in-depth analysis on this issue.

  4. mexinger, March 25, 2014 at 6:27 am

    Wonderful perspective – everything is a risk, and one can’t eliminate it – one can reduce it, factor for it, etc. Online is the way to go – ask retail, banking, etc. I think this “Internet” thing is here to stay.

  5. Dave Sans, March 25, 2014 at 9:00 am

    Very well written, Mr. Harari. A+.

    Instead of using scare tactics to try to manipulate the public, it's nice to see someone discuss the security of online poker rationally and intelligently.

    You make very good points obviously.

    I agree with your assessment that online poker should be licensed and regulated here in the USA to provide a safer gaming environment for consumers.

  6. Robert Stephens, March 25, 2014 at 12:18 pm

    Nicely written.

  7. Michael M. Bandy, March 25, 2014 at 12:51 pm

    Thank you, Mr. Harari, for your important article. I particularly appreciate the section on how to manage online poker provider risks.

  8. Jacob LaConte, March 25, 2014 at 7:16 pm

    "History shows that several different online poker sites have been compromised such that games were rigged within the system." — CAN YOU PLEASE PROVIDE AN EXAMPLE OF THIS? PokerStars, and others, are already tested by at least one third party, Cigital, to make sure the cards are random. Players also run their own software and can see over time that their hands hold or get drawn out on exactly as statistics say they should. The "rigged within the system" camp still has not provided any statistical evidence to prove their point. If sites were rigged within the system (why a site would do this, I don't know … the "to induce action" argument is very flimsy), they would be quickly exposed by the community.

  9. Jacob LaConte, March 25, 2014 at 7:52 pm

    This is actually the least important part of this article. HUDs have gone a long way in solving any problem here. He writes “1. That the software itself can contain code that will deliberately rig the game against the player” To my knowledge, there has never been a proven instance of this happening. I challenge the writer of the article, who claims that history has shown us examples of software rigged within the system, to link to a proven example.

    Even when POTRIPPER hacked the system, he was exposed by the players, not the site. It was the players who determined it was impossible for him to be so profitable with his tracked stats being what they were (i.e., # of hands played, # of raises, etc.). The biggest provider risk is that they are not being run like fractional reserve banks, as was happening at FTP. The incentive for them to rig the system is not there. Like the author writes, "when the risk involved in an activity is too great, we decide it is not worth it and we give up on the activity altogether." Or never engage in it in the first place.

  10. Eddie Harari, March 26, 2014 at 4:19 am

    Hey Jacob,

    1. Please read carefully what I have written: "That the software CAN contain code that will deliberately rig the game". Such a case was not found in modern poker sites, but I mentioned it as a potential risk, not as an actual case. Where actual cases took place I did give the actual examples with link references to the details (please see the first article).

    2. My claim that history has shown us examples of software rigged within the system refers to the Ultimate Bet case and the Absolute Poker case, where people within the system (programmers, owners, admins) were able to insert what we call "software hooks", which enabled them to see the hole cards of other players while playing. This kind of "FEATURE" has no place in a live "production" system. And rigging the game was done from within the system.

    Please understand that as a security expert I need to deal with potential risks, not with actual risks. How would you know if software is rigged or not? (Poker Tracker is a good thing to have in order to check that the stats are right, but it is by far not enough to claim that the site is 100% fair and legit.)

    I have mentioned potential risks. As I said, history showed that sites which everyone trusted to be 100% secure turned out to be rigged (by someone within the system, but this still means they were rigged).

    Thanks,

    Eddie.

    ** Please understand that English is a second language for me and I am sorry if my writing is not as clear as it should be.

  11. cardplayerlifestyle, March 26, 2014 at 4:21 am

    Thank you, Eddie, for your reply, and again, thank you for your contribution!

  12. Eddie Harari, March 26, 2014 at 4:53 am

    Again,

    Please understand that I deal with potential risks, in order to understand what kind of security risks we are facing when we play online. Not all the potential risks mentioned in the article were ever proven, but this does not mean we can ignore them when we analyze the risks involved with playing online poker.

    When I said games were rigged within the system I wanted to say that someone within the system had neglected the code and left production-level code with some back doors inside it (this can be on purpose or by mistake; it still does not change the outcome).

    One good example, which was mentioned in my first article:

    http://www.cigital.com/papers/download/developer_gambling.php

    About security checks:

    If the government wants to protect its citizens from fraud etc., it needs to specify standards for auditing and checking the security of online poker providers.
    You can't trust the online provider to provide its own standards; this is a PARADOX by definition.

    If I do not trust you, and I am looking for someone to check if you are who you claim you are, can I trust someone you point out to recognize you?
    The answer is "NO!", because as long as you're not trusted you can't be a part of the trust establishment process.

    How can you trust a security audit that the provider itself ordered?

    Ultimate Bet and also Absolute passed security audits, yet their production systems contained the ability to remotely see the hole cards of each and every player if you had administrative rights.

    There is no room for such mistakes when it comes to a place that handles hundreds of millions of dollars.

  13. Jacob LaConte, March 26, 2014 at 6:18 am

    Thanks for clearing that up, Eddie. I think the sentence is ambiguous, but your follow up is more than sufficient.

  14. Zulran Zzulran, April 4, 2014 at 1:41 am

    Thanks to Mr. Harari for giving us a fair look at the risks involved in poker. I wish our politicians had the same concern for my 401k as they do for me playing poker and its risks. Because if they gave me the same ROI as poker I'd be retiring early.
