GGB is committed to providing updated news and analysis on our weekly news site, GGBNews.com.

Beyond the Obvious

Online Gaming Security Risks

Beyond the Obvious

With the dawn of a new year, we are in for some major changes in the gaming landscape. Recently, the Nevada Gaming Commission approved regulations for intrastate online poker. Currently, the ability to play is limited to Nevada residents only due to the restrictions implemented by the U.S. Department of Justice.

Additionally, the same DOJ that seized the domain names of sites such as Full Tilt Poker, Poker Stars and Ultimate Bet/Absolute Poker (UB/AP) last spring recently released a document stating that “interstate transmissions of wire communications that do not relate to a ‘sporting event or contest’ fall outside the reach of the Wire Act.” This opens the door for more states to enact regulations like those in Nevada. Of course, because of Nevada’s rich gaming history, the state’s regulators are positioning themselves to be leaders when it comes to online licensing and regulation.

As a poker player, I could not be happier that regulation is on its way, and that I will be soon able to play online poker from the comfort of my home. However, as an information security professional, I would be lying if I said I was not somewhat concerned. The majority of online poker players are familiar with security issues that have plagued the industry in the past, such as the cheating scandal at UB/AP and the Secure Sockets Layer encryption problems that UB/AP and the Cake Network faced.

It was hard to ignore these problems with the amount of coverage they received from the poker media and poker forums. Players were worried about these problems, and rightfully so. However, it is my opinion that these are not the only security issues about which players need to be concerned. There are many other basic security issues to consider for which other industries (such as financial and medical) have already implemented controls to protect themselves, their customers’ data, and their own personal information. Why should the online poker industry be any different?

As noted above, other industries have already taken steps to protect their systems and customers by implementing security safeguards. Did they do this because they thought it was a good idea and the right thing to do? In some cases, yes. Mostly, they did this because they were forced to do so by regulation. The Federal Information Security Management Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Act are just a few examples of regulations that have forced industries to better secure their systems and infrastructures.

The new Nevada Gaming Commission regulations do list some items related to information security under section 5A.070 Internal Controls for Operators of Interactive Gaming. Some examples include: maintaining all security aspects of the interactive gaming system; protecting and ensuring confidentiality of authorized players’ interactive gaming accounts; reasonably ensuring that interactive gaming is engaged in between human individuals only; testing the integrity of the interactive gaming system on an ongoing basis; protecting an authorized player’s personally identifiable information (PII); and establishing procedures to be used in the event that an operator determines that a breach of data security has occurred, including required notification to the board’s enforcement division.

Despite these items, the current emphasis seems to be on regulation related to the financial and management aspects of online poker. This is understandable, as there is no need to bypass a firewall or perform a sophisticated structured query language injection attack if the owners of these companies can simply steal players’ money by transferring it into their bank accounts. As we move toward regulated online gaming in the United States, computer security controls need to be enforced in addition to financial controls.

Why does the online poker industry need effective security? Besides the well-known issues discussed earlier, there are a number of basic security controls that are not being implemented correctly. During the summer of 2011, I gave a presentation on online poker security at Defcon, one of the largest security conferences in the world. In my research, I discovered that simple security controls such as strong passwords and account lockout were not enabled.

While I have not discovered any vulnerabilities that could be exploited in the actual transmission of game traffic, I have identified numerous areas where poker applications interface with poker servers via web traffic. For example, I was able to exploit cross-site scripting vulnerabilities that could be used to attack the end user and gain access to their system and hole cards. Another issue of concern that I documented is how the poker client has similar characteristics to that of a root kit. Not only does the client monitor your system for illegal software (i.e., poker bots), but it goes through your browser cache, making registry changes to areas outside the poker client, and performing many other invasive acts. I also discovered other issues during my research, some of which I documented in my presentation and others that I am still researching.

This is a very exciting time, not just for online poker but online gaming in general. While the initial focus is on online poker, attention to other types of online gaming such as blackjack, craps and slots is not far behind. The companies that will be offering these games and the commissions writing the regulations must not only think about the profits, but also about the security of the game. No longer can cheating be prevented by pit bosses and cameras—strong computer security controls and secure coding must be implemented as well.

This new adventure is on the horizon, and the companies that can protect themselves and their players will be the ultimate winners.

Gus Fritschie has been involved in information security since 2000. About 8 years ago he transitioned a significant portion of his practice into the gaming sector. Earlier this year SeNet merged with GLI/Bulletproof and the combined team provides a comprehensive set of security services to the gaming sector. He has supported many clients across the gaming spectrum from iGaming operators, land-based casinos, gaming manufacturer, lotteries, tribal gaming, and daily fantasy sports.