The Calculated Risk
We, the human race, take risks almost every day of our lives. We fly over oceans, we drive cars, we put our money in banks, etc. All these operations carry associated risks. The fact that these risks exist does not mean we stop engaging in those activities. Sometimes, when the risk involved in an activity is too great, we decide it is not worth it and we give up on the activity altogether. For example, many people have given up smoking because of the risks involved with that activity. Another example is drug usage. Governments forbid the usage of certain drugs because of the risks involved in using them. In other words, we are usually left to calculate the risks for ourselves and then make day-to-day decisions based on our individual levels of risk tolerance. In some cases of extreme risk, it is more likely for governments to get involved and decide for their citizens what should be the appropriate action.
You may be asking yourself by now, what on Earth does all of this have to do with online poker? The answer to that question is very simple. If you’ve read my previous article here on the Cardplayer Lifestyle poker blog about online poker cyber security, you would have understood that there are clearly some risks involved with playing online poker. The question is, are these risks manageable or should enthusiasts give up playing online poker altogether?
Security Issues with Online Poker
Regarding the specific cyber security risks of playing online poker that I already laid out in my previous article, it’s important to note that most of those risks originate from us (the players) not really knowing whether the game is fair or not. History shows that several different online poker sites have been compromised such that games were rigged within the system. In addition to that, there are the external risks, such as someone breaking into our computer and viewing our cards as we play.
During a recent lengthy Twitter exchange, it came to my attention that there is a concern for illegal activity that uses online poker as an infrastructure for money laundering. It is true that these risks are very serious, but the question remains: are these risks manageable or are they so serious that it means we can no longer play online poker anymore?
Online Poker Provider Risks
Online poker operators either develop their poker client server code in-house or purchase it from third-party software developers. From the player’s point of view, the software itself poses the greatest security risk because this is the kind of risk he/she has no control over. This risk is 100% in the hands of the online poker provider. As mentioned in the first article, there are two main risks involved with the online poker provider:
- That the software itself can contain code that will deliberately rig the game against the player
- That the operator hosting the online poker game has been broken into and that hackers can effectively manipulate the software to rig the games for millions of dollars in illicit profits
While these risks are indeed very serious, after much thought I have come to the conclusion that they are manageable.
The main problem with online poker provider risks is lack of standards and regulations. With banks, by contrast, the potential risk is much higher than the risks involved in online poker. However, we all feel safe and secure when we put our money in the bank. The reasons for this are very simple, as banks are constantly monitored by government regulators and bank managers can’t do whatever they want with our money. Governments have set up standards and regulations in order to minimize the risk that a bank will decide to close down, take all money deposited there, and disappear. This risk exists but the chance it will happen is very slim thanks to governments ensuring and enforcing what should be done in order to minimize these risks. Moreover, at least in the case of the United States, the safety net of the FDIC was set up to provide de facto insurance for all accounts (up to $250,000 per account).
Banks are not the only example where regulators face security risks and manage them effectively. Insurance companies are excellent examples, too, as are live casinos.
Solutions for Managing Online Poker Provider Risks
I would suggest the following in order to effectively deal with the online poker provider risks:
- Every online poker provider should have to pass periodic code review by third-party experts. These experts would be allowed to review the software code with each update and thus be able to determine if there are security holes or not.
- Every online poker provider should have to pass periodic network & infrastructure review by third-party experts. These experts would review the configuration and settings of the infrastructure and decide if there are any related security problems.
- Every online poker provider should have to pass periodic regulator-sanctioned software audits.
- Encoded into gambling legislation should be regulations for how the online poker provider ought to deal with money, users, fraud detection, and any other aspects related to the system integrity and security.
While these four suggestions are not the only things that should be done in order to manage the risks involved with online poker software provider, these suggestions should indicate the correct direction the industry should be headed in.
Notice throughout that I have used the word “manage” and not “eliminate” because we can never eliminate the risks. When we are dealing with risks at any level, the question should not be “How do we eliminate the risk?”, but rather “How can we lower the chance an incident will happen?”. We should further ask ourselves “Can we live with the results the day after this incident happens?”.
As noted in my previous article, we users also face risks involving our computer systems. Installing an antivirus is not the right countermeasure against the security risks involved with online poker because antiviruses only help to defend against known attacks. It is very easy for an experienced computer hacker to design an attack that will fly under the radar of an antivirus. Strictly speaking then, the amount of defenses you need to protect your system from being hacked is directly proportional to the amount of money someone could gain from hacking your computer.
If you make a living playing online poker, I would recommend the following:
- Use a separate computer for online poker play (i.e., not your regular home computer).
- Use a firewall that will only allow communication related to the poker game traffic and deny any other traffic to and from the computer.
- Protect this computer with an antivirus be sure you are the only person using this computer.
- Do not read emails or perform any other Internet-based activity from this computer; the risks of getting hacked are too high.
- Use a top-notch authentication procedure to log in to your online poker accounts (e.g., external token or certificate-based authentication).
- Save a backup of your hard drive just after the online poker software installation and uninstall/reinstall this software every so often. Even if someone has managed to infiltrate your system, reinstallation will take care of the problem. (This is very easy and can be automated.)
The above list is not a complete manual of how to achieve online poker security, but it should adequately demonstrate how to minimize client security risks.
While the above preventive measures should ideally be undertaken by recreational online poker players as well, often this might be too expensive of an investment. Thus, as outlined at the outset of this article, they will have to do their own risk assessment and decide if they are willing to assume the risks of playing from a non-100% secured computer. As a guiding rule, the amount of protection you need to take is directly correlated to the amount of money you put at risk when you play poker online. Even taking all of the above countermeasures will not hermetically seal off your computer from potential cyber security attacks, but anyone who does so is capable of playing online poker safely.
Collusion and Money Laundering
Collusion is a type of risk that should be handled at the online poker provider level. Money laundering is an illegal activity that takes place via many potential outlets (e.g., banks, regular business, live casinos etc.).
The notion of online poker collusion is based on the fact that a player could in principle open multiple accounts and manage them from a single point of control, viewing each “player’s” cards and deciding what action each one will take. Importantly, if the same user names are colluding all the time, this could be detected by a simple anomaly system.
The collusion itself also depends on where each controlled player sits around the same online poker table. Of course, one cannot predetermine where specifically they will be seated at a table in tournaments. In cash games, it is possible to decide where you will sit, so colluders would utilize this in principle.
Interestingly, there are two methods via which the potential for collusion could be greatly impaired:
- If the online poker would only allow multi-table tournaments (MTTs) and Zoom/Rush poker-like cash games, where players cannot decide where they sit, collusion is essentially impossible.
- If online poker operators would verify the identity of new players and confirm their accounts only after a full ID check and validation with help from authorities (i.e., versus the current situation, which is based on a simple email address) this will also work to eliminate collusion methods.
Forcing online poker operators to check the identity of each newly registered player is very easy and should be part of the regulation, just as one can’t open a bank account without showing a valid ID. Just as nowadays it is possible to pay our taxes online, certainly a secure online ID validation process could be instated. While this may delay the registration process by 1–2 days, it would solve a large part of the collusion issue.
While even these measures would not eliminate collusion and money laundering entirely, they would sure make it unprofitable in the long term. Security experts do not deal with absolute values; rather we deal with risk management and probability. I think that by identifying users upon registration and not only upon cashing out, it would make collusion next-to-impossible, for all intents and purposes.
Money laundering, with or without collusion, is certainly possible in many other ways than via online poker. Regulating governments should monitor online poker and make every effort to stop potential collusion and money laundering, but this cannot be an argument in favor of online poker itself being prohibited.
Re: The Work of Mr. James Thackston
I have examined the work of Mr. James Thackston and I must admit I was impressed with it. Even though I have not seen the demo, I am sure that the money laundering via collusion scheme he proposes is valid for certain types of games and sites.
There are, however, some major issues with his work:
- I have not seen an analysis of the counter measures that can be taken in order to prevent such collusion.
- To my knowledge, his proposal was not tested on a live real-money online poker provider with a collusion detection system in place (e.g., PokerStars, etc.).
- If you want to launder reasonable amounts of money, you would need to play online poker for very high stakes. The high-limit player pool is far smaller and it thus would be quite abnormal for multiple new players to suddenly show up at these tables and fly completely under the radar. This just can’t happen and, at the very least, regular high-limit players would be extremely wary.
- Ignoring all the possible flaws of his system, I do not believe that Mr. Thackston, with all his mathematical knowledge, truly thinks his is an undetectable system. Perhaps it couldn’t be detected today, but his system is 100% detectable via trivial anomaly detection systems.
Putting aside the aforementioned four points, and assuming Mr. Thackston’s system is 100% valid and flawless, I would thus like to pose an interesting question:
Since Mr. Thackston’s collusion system would only be applicable to cash games, where the seating can be determined by the players themselves, wouldn’t Mr. Thackston agree that MTT and Zoom/Rush-like cash games are immune to such an attack? Perhaps we could all agree that scheduled MTTs are safe and move forward from there?
Cyber security experts can only make recommendations with regard to how to take and manage risks in ways that are acceptable to all sides.
Just as banks and insurance companies are being monitored and regulated by governments in order to provide security and integrity about how they handle our money, online poker sites should be regulated in the same way and to the same extent.
Such regulation would not eliminate all potential malicious online poker cyber attacks, but it would certainly make such attacks unprofitable in the long run for the criminals.
In the 21st century we manage our money online. We can develop new currencies (e.g., Bitcoin) online, buy insurance online, and provide our medical details online. Online poker play should not have any security issues. Thus, opponents of online poker should find better reasons to argue their case.
View Eddie Harari’s profile on Linkedin
Thank you, Mr. Harari, for your important article. I particularly appreciate the section on how to manage online poker provider risks.
This is actually the least important part of this article. HUDs have gone a long way in solving any problem here. He writes “1. That the software itself can contain code that will deliberately rig the game against the player” To my knowledge, there has never been a proven instance of this happening. I challenge the writer of the article, who claims that history has shown us examples of software rigged within the system, to link to a proven example.
Even when POTRIPPER, hacked the system, he was exposed by the players, not the site. It was the players that determined it was impossible for him to be so profitable with his tracked stats being what they were (i.e. # of hands played, # of raises, etc). The biggest provider risk is that they are not being run like fractional reserve banks as was happening at ftp. The incentive for them to rig the system is not there. Like the author writes, “when the risk involved in an activity is too great, we decide it is not worth it and we give up on the activity altogether.” Or never engage in it in the first place.
1. Please read carefully what i have writen. “That the software CAN contain code that will deliberately rig the game”. Such case was not found in modern poker sites. But I mentioned it as a potential risk not as an actual case. Where actual cases took place i did give the actual examples with link references to the details. (please see first article ).
2. My claim that history has shown us examples of software rigged within the system I am refering to the Ultimate Bet case , to absolute poker case where people within the system (progrramers , owners , admins ) were able to insert what we call “software hooks” which enabled them to see hole cards of other players while playing. This kind of “FEATURES” has no place in live “production” system. And rigging the game was done from within the system.
Please understand that as a security expert I need to deal with potential risks , not with actual risks. how would you know if software is rigged or not !? ( poker tracker is a good thing to have in order to check that the stats are right but it is by far not enough to claim that the site is 100% fair and legit).
I have mentioned potential risks, as i said , history showed that sites which everyone trusted to be 100% secured turned up to be rigged.
(by someone within the system , but this still means those were rigged).
** Please understand that english is a second language for me and i am sorry if my writing is not as clear as it should be.
Thank you Eddie for your reply – and again, thank you for your contribution!
Thanks for clearing that up, Eddie. I think the sentence is ambiguous, but your follow up is more than sufficient.
“History shows that several different online poker sites have been compromised such that games were rigged within the system.” — CAN YOU PLZ PROVIDE AN EXAMPLE OF THIS? Pokerstars, and others, are already tested by at lease one third-party, Cigital, to make sure the cards are random. Players also run their own software and can see over time that their hands hold or get drawn out on, exactly as statistics say they should. The “rigged within the system” camp still has not provided any statistical evidence to prove their point. If sites were rigged within the system (why a site would do this, I don’t know … the “to induce action” argument is very flimsy), they would be quickly exposed by the community.
Please understand that I deal with potential risks. in order to understand what kind of security risks are we facing when we play online. Not all the potential risks mentioned in the article were ever proven, but this does not mean we can ignore them when we analyze the risks involved with playing online poker.
When i said games were rigged within the system i wanted to say that someone within the system had neglected the code, and left production level code with some some back doors inside of it (this can be on purpose or by mistake it still does not change the outcome).
1 good example which was mentioned in my first article:
About security checks:
If the government want to protect it’s citizens from fraud etc, it needs to specify standards for auditing and checking security of online poker providers.
You cant trust the online provider to provide it’s own standards this is a PARADOX by definition.
If i do not trust you, and i am looking for someone to check if you are who you claim you are can i trust someone you point out to recognize you ?
the answerr is “NO!”. because as long as your not trusted you cant be a part of the trust establishment process.
How can you trust an security audit that the provider itself ordered ?
Ultimate bet and also Absolute passed security audits, yet their production system contained the ablity to remotly see hole cards of each and every player if you had administrative rights.
Tere are no rooms for such mistakes when it comes to a place that handles hunderds of miilions of dollars.