Fully Secure Online Poker – Is It Possible?

By Eddie Harari
March 24, 2014

The Calculated Risk

We, the human race, take risks almost every day of our lives. We fly over oceans, we drive cars, we put our money in banks, etc. All these operations carry associated risks. The fact that these risks exist does not mean we stop engaging in those activities. Sometimes, when the risk involved in an activity is too great, we decide it is not worth it and we give up on the activity altogether. For example, many people have given up smoking because of the risks involved with that activity. Another example is drug usage. Governments forbid the usage of certain drugs because of the risks involved in using them. In other words, we are usually left to calculate the risks for ourselves and then make day-to-day decisions based on our individual levels of risk tolerance. In some cases of extreme risk, it is more likely for governments to get involved and decide for their citizens what should be the appropriate action.

You may be asking yourself by now, what on Earth does all of this have to do with online poker? The answer to that question is very simple. If you’ve read my previous article here on the Cardplayer Lifestyle poker blog about online poker cyber security, you would have understood that there are clearly some risks involved with playing online poker. The question is, are these risks manageable or should enthusiasts give up playing online poker altogether?

Security Issues with Online Poker

Regarding the specific cyber security risks of playing online poker that I already laid out in my previous article, it’s important to note that most of those risks originate from us (the players) not really knowing whether the game is fair or not. History shows that several different online poker sites have been compromised such that games were rigged within the system. In addition to that, there are the external risks, such as someone breaking into our computer and viewing our cards as we play.

During a recent lengthy Twitter exchange, it came to my attention that there is a concern for illegal activity that uses online poker as an infrastructure for money laundering. It is true that these risks are very serious, but the question remains: are these risks manageable or are they so serious that we can no longer play online poker?

Risk Analysis

Online Poker Provider Risks

Online poker operators either develop their poker client server code in-house or purchase it from third-party software developers. From the player’s point of view, the software itself poses the greatest security risk because this is the kind of risk he/she has no control over. This risk is 100% in the hands of the online poker provider. As mentioned in the first article, there are two main risks involved with the online poker provider:

  1. That the software itself can contain code that will deliberately rig the game against the player
  2. That the operator hosting the online poker game has been broken into and that hackers can effectively manipulate the software to rig the games for millions of dollars in illicit profits

While these risks are indeed very serious, after much thought I have come to the conclusion that they are manageable.

The main problem with online poker provider risks is lack of standards and regulations. With banks, by contrast, the potential risk is much higher than the risks involved in online poker. However, we all feel safe and secure when we put our money in the bank. The reasons for this are very simple, as banks are constantly monitored by government regulators and bank managers can’t do whatever they want with our money. Governments have set up standards and regulations in order to minimize the risk that a bank will decide to close down, take all money deposited there, and disappear. This risk exists but the chance it will happen is very slim thanks to governments ensuring and enforcing what should be done in order to minimize these risks. Moreover, at least in the case of the United States, the safety net of the FDIC was set up to provide de facto insurance for all accounts (up to $250,000 per account).

Banks are not the only example where regulators face security risks and manage them effectively. Insurance companies are excellent examples, too, as are live casinos.

Solutions for Managing Online Poker Provider Risks

I would suggest the following in order to effectively deal with the online poker provider risks:

  1. Every online poker provider should have to pass periodic code review by third-party experts. These experts would be allowed to review the software code with each update and thus be able to determine if there are security holes or not.
  2. Every online poker provider should have to pass periodic network & infrastructure review by third-party experts. These experts would review the configuration and settings of the infrastructure and decide if there are any related security problems.
  3. Every online poker provider should have to pass periodic regulator-sanctioned software audits.
  4. Encoded into gambling legislation should be regulations for how the online poker provider ought to deal with money, users, fraud detection, and any other aspects related to the system integrity and security.

While these four suggestions are not the only things that should be done in order to manage the risks involved with online poker software providers, they should indicate the correct direction the industry should be headed in.

Notice throughout that I have used the word “manage” and not “eliminate” because we can never eliminate the risks. When we are dealing with risks at any level, the question should not be “How do we eliminate the risk?”, but rather “How can we lower the chance an incident will happen?”. We should further ask ourselves “Can we live with the results the day after this incident happens?”.

Client-Based Risks

As noted in my previous article, we users also face risks involving our computer systems. Installing an antivirus is not the right countermeasure against the security risks involved with online poker because antiviruses only help to defend against known attacks. It is very easy for an experienced computer hacker to design an attack that will fly under the radar of an antivirus. Strictly speaking then, the amount of defenses you need to protect your system from being hacked is directly proportional to the amount of money someone could gain from hacking your computer.

If you make a living playing online poker, I would recommend the following:

  1. Use a separate computer for online poker play (i.e., not your regular home computer).
  2. Use a firewall that will only allow communication related to the poker game traffic and deny any other traffic to and from the computer.
  3. Protect this computer with an antivirus and be sure you are the only person using this computer.
  4. Do not read emails or perform any other Internet-based activity from this computer; the risks of getting hacked are too high.
  5. Use a top-notch authentication procedure to log in to your online poker accounts (e.g., external token or certificate-based authentication).
  6. Save a backup of your hard drive just after the online poker software installation and uninstall/reinstall this software every so often. Even if someone has managed to infiltrate your system, reinstallation will take care of the problem. (This is very easy and can be automated.)

The above list is not a complete manual of how to achieve online poker security, but it should adequately demonstrate how to minimize client security risks.

While the above preventive measures should ideally be undertaken by recreational online poker players as well, often this might be too expensive of an investment. Thus, as outlined at the outset of this article, they will have to do their own risk assessment and decide if they are willing to assume the risks of playing from a non-100% secured computer. As a guiding rule, the amount of protection you need to take is directly correlated to the amount of money you put at risk when you play poker online. Even taking all of the above countermeasures will not hermetically seal off your computer from potential cyber security attacks, but anyone who does so is capable of playing online poker safely.

Collusion and Money Laundering

Collusion is a type of risk that should be handled at the online poker provider level. Money laundering is an illegal activity that takes place via many potential outlets (e.g., banks, regular business, live casinos etc.).

The notion of online poker collusion is based on the fact that a player could in principle open multiple accounts and manage them from a single point of control, viewing each “player’s” cards and deciding what action each one will take. Importantly, if the same user names are colluding all the time, this could be detected by a simple anomaly system.
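A simple anomaly system of the kind mentioned above can start from seating records alone: accounts that almost never appear at a table without each other stand out from regulars who merely share a player pool. The following Python sketch is an added example, not part of the original article or any operator's detection code; the account names, session data and thresholds are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample data: each set is the accounts seated together in one
# cash-game session. All account names are hypothetical.
SESSIONS = [
    {"acct_A", "acct_B", "reg1", "reg2"},
    {"acct_A", "acct_B", "reg1", "reg3"},
    {"reg1", "reg2", "reg3", "reg4"},
    {"acct_A", "acct_B", "reg2", "reg4"},
    {"reg1", "reg3", "reg4", "reg5"},
    {"acct_A", "acct_B", "reg1", "reg5"},
    {"reg1", "reg2", "reg3", "reg5"},
    {"acct_A", "acct_B", "reg3", "reg4"},
    {"reg1", "reg2", "reg4", "reg5"},
    {"acct_A", "acct_B", "reg2", "reg5"},
    {"reg1", "reg2", "reg3", "reg4"},
    {"reg2", "reg3", "reg4", "reg5"},
]


def co_seating_report(sessions, min_together=4, min_jaccard=0.8, min_lift=1.5):
    """Return account pairs that sit together far more than chance predicts.

    jaccard: share of sessions involving either account that involve both.
    lift:    observed co-seating divided by the count expected if the two
             accounts chose tables independently of each other.
    Thresholds are illustrative assumptions, not tuned values.
    """
    total = len(sessions)
    seen = Counter()      # sessions per account
    together = Counter()  # sessions per unordered account pair
    for seats in sessions:
        seen.update(seats)
        together.update(combinations(sorted(seats), 2))

    flagged = []
    for (a, b), n_ab in together.items():
        if n_ab < min_together:  # too little evidence to judge the pair
            continue
        jaccard = n_ab / (seen[a] + seen[b] - n_ab)
        lift = n_ab * total / (seen[a] * seen[b])
        if jaccard >= min_jaccard and lift >= min_lift:
            flagged.append((a, b, n_ab, round(jaccard, 2), round(lift, 2)))
    # Strongest overlap first, then most sessions together.
    return sorted(flagged, key=lambda r: (-r[3], -r[2]))


if __name__ == "__main__":
    for a, b, n, jac, lift in co_seating_report(SESSIONS):
        print(f"{a} + {b}: {n} sessions together, jaccard={jac}, lift={lift}")
```

Regulars such as reg3 and reg4 share five of the twelve sessions but also play apart, so their overlap stays below the threshold; only the pair that never sits separately is reported.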

The collusion itself also depends on where each controlled player sits around the same online poker table. Of course, one cannot predetermine where specifically they will be seated at a table in tournaments. In cash games, it is possible to decide where you will sit, so colluders would utilize this in principle.

Interestingly, there are two methods via which the potential for collusion could be greatly impaired:

  1. If online poker sites would only allow multi-table tournaments (MTTs) and Zoom/Rush poker-like cash games, where players cannot decide where they sit, collusion is essentially impossible.
  2. If online poker operators would verify the identity of new players and confirm their accounts only after a full ID check and validation with help from authorities (i.e., versus the current situation, which is based on a simple email address) this will also work to eliminate collusion methods.

Forcing online poker operators to check the identity of each newly registered player is very easy and should be part of the regulation, just as one can’t open a bank account without showing a valid ID. Just as nowadays it is possible to pay our taxes online, certainly a secure online ID validation process could be instated. While this may delay the registration process by 1–2 days, it would solve a large part of the collusion issue.

While even these measures would not eliminate collusion and money laundering entirely, they would surely make it unprofitable in the long term. Security experts do not deal with absolute values; rather we deal with risk management and probability. I think that by identifying users upon registration and not only upon cashing out, it would make collusion next-to-impossible, for all intents and purposes.

Money laundering, with or without collusion, is certainly possible in many other ways than via online poker. Regulating governments should monitor online poker and make every effort to stop potential collusion and money laundering, but this cannot be an argument in favor of online poker itself being prohibited.

Re: The Work of Mr. James Thackston

I have examined the work of Mr. James Thackston and I must admit I was impressed with it. Even though I have not seen the demo, I am sure that the money laundering via collusion scheme he proposes is valid for certain types of games and sites.

[Image: “undetectable laundering”, from Mr. Thackston’s site]

There are, however, some major issues with his work:

  1. I have not seen an analysis of the countermeasures that can be taken in order to prevent such collusion.
  2. To my knowledge, his proposal was not tested on a live real-money online poker provider with a collusion detection system in place (e.g., PokerStars, etc.).
  3. If you want to launder reasonable amounts of money, you would need to play online poker for very high stakes. The high-limit player pool is far smaller and it thus would be quite abnormal for multiple new players to suddenly show up at these tables and fly completely under the radar. This just can’t happen and, at the very least, regular high-limit players would be extremely wary.
  4. Ignoring all the possible flaws of his system, I do not believe that Mr. Thackston, with all his mathematical knowledge, truly thinks his is an undetectable system. Perhaps it couldn’t be detected today, but his system is 100% detectable via trivial anomaly detection systems.

Putting aside the aforementioned four points, and assuming Mr. Thackston’s system is 100% valid and flawless, I would thus like to pose an interesting question:

Since Mr. Thackston’s collusion system would only be applicable to cash games, where the seating can be determined by the players themselves, wouldn’t Mr. Thackston agree that MTT and Zoom/Rush-like cash games are immune to such an attack? Perhaps we could all agree that scheduled MTTs are safe and move forward from there?

Conclusion

Cyber security experts can only make recommendations with regard to how to take and manage risks in ways that are acceptable to all sides.

Just as banks and insurance companies are being monitored and regulated by governments in order to provide security and integrity about how they handle our money, online poker sites should be regulated in the same way and to the same extent.

Such regulation would not eliminate all potential malicious online poker cyber attacks, but it would certainly make such attacks unprofitable in the long run for the criminals.

In the 21st century we manage our money online. We can develop new currencies (e.g., Bitcoin) online, buy insurance online, and provide our medical details online. Online poker play should not have any security issues. Thus, opponents of online poker should find better reasons to argue their case.

Eddie Harari

Eddie Harari has been a cyber security expert and a hacker for over 30 years. He has done private consultant work for a number of governments as well as multinational companies. He has published numerous articles in professional journals and given talks in security conferences around the world. View Eddie’s full credentials on Linkedin.

Comments

Thank you for taking the time to write on this important issue, Mr. Harari. I especially appreciate your reaching out to me for information along with Mr. Thackston’s contrary point of view.

As sites have 10+ years experience in collusion detection and surveillance, it was flat-out reckless and irresponsible for Thackston to claim he had “proven” US-licensed sites and top-tier offshore sites like PokerStars are particularly attractive to money launderers when he had zero data on the surveillance capabilities of these sites. When put under the harsh light of tough evaluation, it quickly became clear that all he had was something he felt looked scary, but without any information on the ability of a site to detect it. In other words, he has a hypothesis he seeks to use as an excuse to justify a nationwide ban on online poker.

This has been an interesting topic of discussion for the poker community. The Poker Players Alliance is a non-profit advocacy group comprised of 1.2 million poker players and enthusiasts who, as those most directly impacted by collusion, are dedicated to attacking collusion and empowering law enforcement to take clear action against those who’d prey on the poker community. Our community was victimized by those at Ultimate Bet and Absolute Poker, and many of us – me included – are just now receiving our Full Tilt Poker balances (the result of a non-collusion issue). There are no greater advocates for safe online poker than those who actually play the game.

PPA takes money laundering seriously and offers actual solutions. PPA Executive Director John Pappas recently testified before a Congressional committee on online poker consumer protection and law enforcement empowerment, with specific emphasis on anti-money laundering compliance programs — complete with auditable records to be maintained by sites.

We also very strongly disagree with the notion Thackston has tried to forward, suggesting sites have no incentive to stop collusion. Caesars, MGM, PokerStars, etc., are big name operations that have no desire to tarnish their names. In other words, they have all the reason in the world to ensure players see their sites as honest and trustworthy.

We are pleased by the compliance of the licensed U.S. sites as well as the experience of some offshore sites that no longer serve the U.S. market but which are licensed offshore for operation where they offer services, such as PokerStars. It is our desire to move forward with all forms of online poker in all fifty states.

Thanks again!

Rich Muny
Poker Players Alliance
Vice President of Player Relations

Very good article! Eddie Harari has done what our opposition and Mr. Thackston fail to do on a daily basis…Eddie uses no hypothetical unproven tests, just true facts.

As he said in this article this is the 21st century and Americans use the Internet daily for all forms of e-commerce. This BTW also includes billions of dollars traded daily/weekly online by stock, bond, futures etc. traders on any number of online trading platforms, i.e. e-Trade, Ameritrade, Forex etc. Surely if online poker sites are in danger of money laundering, these financial sites should also be considered extremely vulnerable because of the sheer amount of money that can be made on just one successful trade. Our opposition seems to forget about this form of e-commerce.

Unlike Eddie Harari, our opposition uses only hypotheticals, including their FBI study…again only hypothetical. Even Sheldon Adelson’s point man Andrew Abboud admits that he is clueless to the technical side of this argument…he said this after the tech presentation last week at the iGNA conference “I was lost” during the tech presentation. How can he speak intelligently about this issue when he does not understand it…the answer is he can’t! This is what every one of our opposition fails to do, understand why we need to license and regulate online poker within our borders.

As a poker player who played online for over 8 years before the shutdown, I appreciate the time that Eddie Harari took to share his expertise and real life experience with all of us and hopefully Congress and our state governments will see this as well.

Thank you Eddie Harari for pointing out what our opposition fails to acknowledge. That the ONLY way to make online poker sites safe for the U.S. players, consumers and families is to license and regulate the industry within the USA and allow our law enforcement to properly perform their jobs.
