Fully Secure Online Poker – Is It Possible?

The Calculated Risk

We, the human race, take risks almost every day of our lives. We fly over oceans, we drive cars, we put our money in banks, etc. All these operations carry associated risks. The fact that these risks exist does not mean we stop engaging in those activities. Sometimes, when the risk involved in an activity is too great, we decide it is not worth it and we give up on the activity altogether. For example, many people have given up smoking because of the risks involved with that activity. Another example is drug usage. Governments forbid the usage of certain drugs because of the risks involved in using them. In other words, we are usually left to calculate the risks for ourselves and then make day-to-day decisions based on our individual levels of risk tolerance. In some cases of extreme risk, it is more likely for governments to get involved and decide for their citizens what should be the appropriate action.

You may be asking yourself by now, what on Earth does all of this have to do with online poker? The answer to that question is very simple. If you’ve read my previous article here on the Cardplayer Lifestyle poker blog about online poker cyber security, you would have understood that there are clearly some risks involved with playing online poker. The question is, are these risks manageable or should enthusiasts give up playing online poker altogether?

Security Issues with Online Poker

Regarding the specific cyber security risks of playing online poker that I already laid out in my previous article, it’s important to note that most of those risks originate from us (the players) not really knowing whether the game is fair or not. History shows that several different online poker sites have been compromised such that games were rigged within the system. In addition to that, there are the external risks, such as someone breaking into our computer and viewing our cards as we play.

During a recent lengthy Twitter exchange, it came to my attention that there is a concern for illegal activity that uses online poker as an infrastructure for money laundering. It is true that these risks are very serious, but the question remains: are these risks manageable or are they so serious that it means we can no longer play online poker anymore?

Risk Analysis

Online Poker Provider Risks

Online poker operators either develop their poker client server code in-house or purchase it from third-party software developers. From the player’s point of view, the software itself poses the greatest security risk because this is the kind of risk he/she has no control over. This risk is 100% in the hands of the online poker provider. As mentioned in the first article, there are two main risks involved with the online poker provider:

1. That the software itself can contain code that will deliberately rig the game against the player
2. That the operator hosting the online poker game has been broken into and that hackers can effectively manipulate the software to rig the games for millions of dollars in illicit profits

While these risks are indeed very serious, after much thought I have come to the conclusion that they are manageable.

The main problem with online poker provider risks is lack of standards and regulations. With banks, by contrast, the potential risk is much higher than the risks involved in online poker. However, we all feel safe and secure when we put our money in the bank. The reasons for this are very simple, as banks are constantly monitored by government regulators and bank managers can’t do whatever they want with our money. Governments have set up standards and regulations in order to minimize the risk that a bank will decide to close down, take all money deposited there, and disappear. This risk exists but the chance it will happen is very slim thanks to governments ensuring and enforcing what should be done in order to minimize these risks. Moreover, at least in the case of the United States, the safety net of the FDIC was set up to provide de facto insurance for all accounts (up to $250,000 per account).

Banks are not the only example where regulators face security risks and manage them effectively. Insurance companies are excellent examples, too, as are live casinos.

Solutions for Managing Online Poker Provider Risks

I would suggest the following in order to effectively deal with the online poker provider risks:

1. Every online poker provider should have to pass periodic code review by third-party experts. These experts would be allowed to review the software code with each update and thus be able to determine if there are security holes or not.
2. Every online poker provider should have to pass periodic network & infrastructure review by third-party experts. These experts would review the configuration and settings of the infrastructure and decide if there are any related security problems.
3. Every online poker provider should have to pass periodic regulator-sanctioned software audits.
4. Encoded into gambling legislation should be regulations for how the online poker provider ought to deal with money, users, fraud detection, and any other aspects related to the system integrity and security.

While these four suggestions are not the only things that should be done in order to manage the risks involved with online poker software provider, these suggestions should indicate the correct direction the industry should be headed in.

Notice throughout that I have used the word “manage” and not “eliminate” because we can never eliminate the risks. When we are dealing with risks at any level, the question should not be “How do we eliminate the risk?”, but rather “How can we lower the chance an incident will happen?”. We should further ask ourselves “Can we live with the results the day after this incident happens?”.

Client-Based Risks

As noted in my previous article, we users also face risks involving our computer systems. Installing an antivirus is not the right countermeasure against the security risks involved with online poker because antiviruses only help to defend against known attacks. It is very easy for an experienced computer hacker to design an attack that will fly under the radar of an antivirus. Strictly speaking then, the amount of defenses you need to protect your system from being hacked is directly proportional to the amount of money someone could gain from hacking your computer.

If you make a living playing online poker, I would recommend the following:

1. Use a separate computer for online poker play (i.e., not your regular home computer).
2. Use a firewall that will only allow communication related to the poker game traffic and deny any other traffic to and from the computer.
3. Protect this computer with an antivirus be sure you are the only person using this computer.
4. Do not read emails or perform any other Internet-based activity from this computer; the risks of getting hacked are too high.
5. Use a top-notch authentication procedure to log in to your online poker accounts (e.g., external token or certificate-based authentication).
6. Save a backup of your hard drive just after the online poker software installation and uninstall/reinstall this software every so often. Even if someone has managed to infiltrate your system, reinstallation will take care of the problem. (This is very easy and can be automated.)

The above list is not a complete manual of how to achieve online poker security, but it should adequately demonstrate how to minimize client security risks.

While the above preventive measures should ideally be undertaken by recreational online poker players as well, often this might be too expensive of an investment. Thus, as outlined at the outset of this article, they will have to do their own risk assessment and decide if they are willing to assume the risks of playing from a non-100% secured computer. As a guiding rule, the amount of protection you need to take is directly correlated to the amount of money you put at risk when you play poker online. Even taking all of the above countermeasures will not hermetically seal off your computer from potential cyber security attacks, but anyone who does so is capable of playing online poker safely.

Collusion and Money Laundering

Collusion is a type of risk that should be handled at the online poker provider level. Money laundering is an illegal activity that takes place via many potential outlets (e.g., banks, regular business, live casinos etc.).

The notion of online poker collusion is based on the fact that a player could in principle open multiple accounts and manage them from a single point of control, viewing each “player’s” cards  and deciding what action each one will take. Importantly, if the same user names are colluding all the time, this could be detected by a simple anomaly system.

The collusion itself also depends on where each controlled player sits around the same online poker table. Of course, one cannot predetermine where specifically they will be seated at a table in tournaments. In cash games, it is possible to decide where you will sit, so colluders would utilize this in principle.

Interestingly, there are two methods via which the potential for collusion could be greatly impaired:

1. If the online poker would only allow multi-table tournaments (MTTs) and Zoom/Rush poker-like cash games, where players cannot decide where they sit, collusion is essentially impossible.
2. If online poker operators would verify the identity of new players and confirm their accounts only after a full ID check and validation with help from authorities (i.e., versus the current situation, which is based on a simple email address) this will also work to eliminate collusion methods.

Forcing online poker operators to check the identity of each newly registered player is very easy and should be part of the regulation, just as one can’t open a bank account without showing a valid ID. Just as nowadays it is possible to pay our taxes online, certainly a secure online ID validation process could be instated. While this may delay the registration process by 1–2 days, it would solve a large part of the collusion issue.

While even these measures would not eliminate collusion and money laundering entirely, they would sure make it unprofitable in the long term. Security experts do not deal with absolute values; rather we deal with risk management and probability. I think that by identifying users upon registration and not only upon cashing out, it would make collusion next-to-impossible, for all intents and purposes.

Money laundering, with or without collusion, is certainly possible in many other ways than via online poker. Regulating governments should monitor online poker and make every effort to stop potential collusion and money laundering, but this cannot be an argument in favor of online poker itself being prohibited.

Re: The Work of Mr. James Thackston

I have examined the work of Mr. James Thackston and I must admit I was impressed with it. Even though I have not seen the demo, I am sure that the money laundering via collusion scheme he proposes is valid for certain types of games and sites.

From Mr. Thackston’s site

There are, however, some major issues with his work:

1. I have not seen an analysis of the counter measures that can be taken in order to prevent such collusion.
2. To my knowledge, his proposal was not tested on a live real-money online poker provider with a collusion detection system in place (e.g., PokerStars, etc.).
3. If you want to launder reasonable amounts of money, you would need to play online poker for very high stakes. The high-limit player pool is far smaller and it thus would be quite abnormal for multiple new players to suddenly show up at these tables and fly completely under the radar. This just can’t happen and, at the very least, regular high-limit players would be extremely wary.
4. Ignoring all the possible flaws of his system, I do not believe that Mr. Thackston, with all his mathematical knowledge, truly thinks his is an undetectable system. Perhaps it couldn’t be detected today, but his system is 100% detectable via trivial anomaly detection systems.

Putting aside the aforementioned four points, and assuming Mr. Thackston’s system is 100% valid and flawless, I would thus like to pose an interesting question:

Since Mr. Thackston’s collusion system would only be applicable to cash games, where the seating can be determined by the players themselves, wouldn’t Mr. Thackston agree that MTT and Zoom/Rush-like cash games are immune to such an attack? Perhaps we could all agree that scheduled MTTs are safe and move forward from there?

Conclusion

Cyber security experts can only make recommendations with regard to how to take and manage risks in ways that are acceptable to all sides.

Just as banks and insurance companies are being monitored and regulated by governments in order to provide security and integrity about how they handle our money, online poker sites should be regulated in the same way and to the same extent.

Such regulation would not eliminate all potential malicious online poker cyber attacks, but it would certainly make such attacks unprofitable in the long run for the criminals.

In the 21st century we manage our money online. We can develop new currencies (e.g., Bitcoin) online, buy insurance online, and provide our medical details online. Online poker play should not have any security issues. Thus, opponents of online poker should find better reasons to argue their case.

View Eddie Harari’s profile on Linkedin