Back in January 2012, I wrote an article for Global Gaming Business discussing the role that information security would need to play in the upcoming regulated iGaming environment in the United States. Since that time, much has changed in the iGaming landscape.
We now have three states that have not only passed laws legalizing online gaming but also have sites live with players actively playing. Those states are, of course, Nevada, New Jersey, and to a lesser extent Delaware (due to its small population). Nevada currently offers only online poker, while the other two offer full casino games online.
The road was long, perhaps longer than many expected. This was especially true for Nevada, where considerable time passed between the enactment of the law and the launch of the first online poker room. The reason for this was the abundance of caution the regulators exercised in the testing and licensing process.
Both the Nevada Gaming Commission (NGC) and the New Jersey Division of Gaming Enforcement (DGE) put together strict guidelines on the standards that the operators must meet and be held accountable to. I have spent most of my time researching and analyzing these two regulatory bodies due to their size and influence, but most of my opinions hold true for Delaware as well.
In both states’ regulations, there are specific information security requirements and standards that operators must meet. However, I feel that for the most part they are not as strong as they should be. I have the impression from talking to people in the industry that when security in iGaming is discussed, the focus is on geolocation and identity verification. Obviously, these are two major issues when dealing with intrastate iGaming and ensuring that underage players are not allowed access.
This is not to say that the regulations do not have some positive information security requirements.
For example, there are password strength, account lockout, session termination, and multi-factor authentication requirements. However, in reality it is all about how they get implemented. On some of the sites I reviewed, the password requirement was at least eight characters with at least one uppercase letter and one digit. Strangely enough, special characters were not allowed on some of the sites. There is no technical reason special characters cannot be accepted (a password is only ever hashed, never interpreted), and it seems to indicate that the developers did not code the application to handle special characters as input in the password field. While this is not the worst password policy I have seen, I believe it can be strengthened.
On a more positive note, after 10 deliberate unsuccessful login attempts, one of the tested sites required a PIN sent to my mobile phone before I was able to log in successfully. This is a good defense against brute-force attacks.
It was also positive to see New Jersey’s requirement that operators make multi-factor authentication available to their users. The standard authentication method for logging in is a combination of a username and password. However, users will also be given the option to utilize “strong authentication.” The specific regulation states:
“‘Strong authentication’ means a method that has been demonstrated to the satisfaction of the division to effectively provide higher security than a user name and password alone.
“‘Multi-factor authentication’ means a type of strong authentication that uses two of the following to verify a patron’s identity:
1. Information known only to the patron, such as a password, pattern or answers to challenge questions;
2. An item possessed by a patron such as an electronic token, physical token or an identification card; or,
3. A patron’s biometric data, such as fingerprints, facial or voice recognition.”
From the initial review I performed, it appears that the majority of sites have implemented this requirement by sending a PIN to the user’s mobile phone. This method is satisfactory, does meet the requirements of the New Jersey DGE, and is used in other sectors (e.g., finance). However, upon closer review I determined that one site’s multi-factor implementation could be bypassed, and the PIN brute-forced without causing the account to be locked out.
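To make the two points above concrete (a password policy that accepts special characters, and a step-up PIN that cannot be brute-forced), here is an added example of what the server side of these controls looks like. It is illustrative code written for this article, not code from any operator, testing lab, or regulator. The 10-failure threshold follows the site described above; the 6-digit PIN, the limit of 3 PIN attempts, the 5-minute PIN lifetime, and the `send_pin` callback standing in for an SMS gateway are all assumptions.

```python
"""Added example: password policy, login step-up and PIN verification with
attempt limiting. Illustrative only; thresholds below are assumptions."""
import hashlib
import hmac
import os
import secrets
import time
import unicodedata

PASSWORD_MIN_LENGTH = 8
LOGIN_FAILURES_BEFORE_STEP_UP = 10  # as observed on the site described above
PIN_LENGTH = 6                      # assumption
PIN_MAX_ATTEMPTS = 3                # assumption: a 6-digit PIN has only 10**6 values
PIN_TTL_SECONDS = 300               # assumption
PBKDF2_ROUNDS = 100_000             # kept low for the demo; use a slower setting in production


def password_policy_errors(password: str) -> list:
    """Return the policy violations for a candidate password. Any printable
    character is accepted, including specials and non-ASCII: the password is
    only ever hashed, so restricting the alphabet buys nothing and only shrinks
    the search space for an attacker. Only control characters are rejected."""
    pw = unicodedata.normalize("NFKC", password)
    errors = []
    if len(pw) < PASSWORD_MIN_LENGTH:
        errors.append("shorter than %d characters" % PASSWORD_MIN_LENGTH)
    if not any(c.isupper() for c in pw):
        errors.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        errors.append("no digit")
    if any(unicodedata.category(c).startswith("C") for c in pw):
        errors.append("contains control characters")
    return errors


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the normalized UTF-8 bytes are hashed as-is."""
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username, password, send_pin):
        errs = password_policy_errors(password)
        if errs:
            raise ValueError("; ".join(errs))
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.send_pin = send_pin   # stands in for the SMS gateway (assumption)
        self.failed_logins = 0
        self.step_up_required = False
        self.pending_pin = None    # (pin, expires_at, attempts_left)
        self.locked = False

    def login(self, password, now=None):
        """Password check. After LOGIN_FAILURES_BEFORE_STEP_UP failures, even the
        correct password only earns a PIN challenge, never a session."""
        now = time.time() if now is None else now
        if self.locked:
            return "locked"
        if not hmac.compare_digest(hash_password(password, self.salt), self.pw_hash):
            self.failed_logins += 1
            if self.failed_logins >= LOGIN_FAILURES_BEFORE_STEP_UP:
                self.step_up_required = True
            return "denied"
        if self.step_up_required:
            pin = "".join(secrets.choice("0123456789") for _ in range(PIN_LENGTH))
            self.pending_pin = (pin, now + PIN_TTL_SECONDS, PIN_MAX_ATTEMPTS)
            self.send_pin(self.username, pin)
            return "pin_required"
        self.failed_logins = 0
        return "ok"

    def verify_pin(self, pin, now=None):
        """PIN check with its own attempt counter, expiry and single use. This is
        the counter that was missing on the site whose PIN could be brute-forced."""
        now = time.time() if now is None else now
        if self.locked:
            return "locked"
        if self.pending_pin is None:
            return "no_pin_pending"
        expected, expires_at, attempts_left = self.pending_pin
        if now > expires_at:
            self.pending_pin = None
            return "pin_expired"
        if hmac.compare_digest(pin.encode("utf-8"), expected.encode("utf-8")):
            self.pending_pin = None
            self.step_up_required = False
            self.failed_logins = 0
            return "ok"
        attempts_left -= 1
        if attempts_left == 0:
            self.pending_pin = None
            self.locked = True          # requires out-of-band unlock
            return "locked"
        self.pending_pin = (expected, expires_at, attempts_left)
        return "pin_wrong"


def brute_force_pin(account, now):
    """Attacker loop: try every PIN in order. Returns (guesses made, last result).
    Against verify_pin it stops after PIN_MAX_ATTEMPTS; without that counter it
    would keep going until the PIN is found, at most 10**PIN_LENGTH guesses."""
    for n in range(10 ** PIN_LENGTH):
        result = account.verify_pin("%0*d" % (PIN_LENGTH, n), now=now)
        if result in ("ok", "locked", "pin_expired"):
            return n + 1, result
    return 10 ** PIN_LENGTH, "exhausted"
```

The design point is that the PIN has to be guarded by a separate, much tighter counter than the password: ten attempts at a password drawn from a large space is tolerable, but ten attempts at a six-digit PIN is already one percent of the key space, and unlimited attempts makes the second factor worthless. Binding the PIN to an expiry and consuming it on first success closes the replay case as well.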
The items outlined above are all controls that help protect players’ accounts from credential attacks. However, what about security requirements on the server side and in the application itself? There are some components in the regulations that do address these areas.
For example, here’s a section on encryption from New Jersey’s regulations:
13:69O-1.7 Communications standards for gaming systems
(a) All gaming systems authorized by this chapter shall be designed to ensure the integrity and confidentiality of all patron communications and ensure the proper identification of the sender and receiver of all communications. If communications are performed across a public or third-party network, the system shall either encrypt the data packets or utilize a secure communications protocol to ensure the integrity and confidentiality of the transmission.
But my question and concern is how, and to what level, these iGaming applications are tested. We know that in Nevada, before being certified, operators must pass testing performed by a certified independent testing lab, namely either GLI or BMM. New Jersey also has the following in its regulation:
(q) Each casino licensee offering internet gaming shall perform a network integrity and security assessment conducted by an independent network professional selected by the licensee’s external auditor. The independent network professional’s report on the assessment shall be submitted to the Division prior to the commencement of internet gaming operations, quarterly for the first year of operations and annually thereafter.
Being a provider of security assessment services, I found this point very interesting. Of course, what is meant by “security assessment” is open to interpretation. Is this just a network security assessment, or does it also look at the application layer? What about penetration testing? Security code review? Again, it is good as a starting point, but it needs to be further defined.
Shortly after iGaming launched in New Jersey, I passively examined a couple of the iGaming sites. (Passive testing means no active probing or intrusive scans.) I was surprised to find some serious WordPress (a content management system) misconfigurations that could potentially lead to significant security incidents. I notified the operator, and the issues were quickly fixed.
What I find troubling is how such vulnerabilities actually made it into production. What type of testing, if any, was performed? I ask because this was an item that simply running a basic security scanner would have detected. If this was missed, I am concerned about what other problems that require more detailed testing, such as security code reviews, might still remain or be introduced with new versions of the gaming software.
Am I raising a bigger cause for concern than is warranted? After all, there have been no reported major security issues that have impacted a site’s integrity. My answer would be that I do not feel that in today’s climate an iGaming operator could survive a security breach the size and sensitivity of, say, the recent Target security incident. Not only would players lose faith in that operator, but it could affect the industry as a whole. Additional ammunition would be given to opponents of iGaming who claim it cannot be offered in a safe and secure manner.
Today, what we mostly see reported is not attacks against an operator’s gaming infrastructure but attacks against the players themselves. The reason for this is clear: the players are an easier target. Why spend effort attempting to bypass a site’s security when you can “trick” a user into clicking on a malicious link (i.e., a phishing attack) and installing a backdoor on their computer, which allows you to see their hole cards? While not a direct attack on a site, I feel the operators still bear some of the responsibility to protect the players.
It is also in the sites’ best interest, because the negative publicity could impact their reputation. In some of the recent regulations, we see player-protection mechanisms being required, such as multi-factor authentication, account lockout, and display of the last login.
However, we still see these attacks occurring, and they seem to be getting more organized. For example, there was an incident during the EPT Barcelona last year that was first reported on the popular poker forum Two+Two. This attack involved numerous online players whose laptops were infected with a backdoor while staying at a sponsored hotel. You can read more about this incident over at Pokerfuse. In order to stop these types of attacks, more aggressive security controls at the client layer are needed and better security awareness training has to be developed and disseminated to the players.
Looking forward to 2014, I predict that while we will not see any major security incidents at those regulated sites in the United States, we will see an increase of targeted phishing attacks at players. While I do not predict any attacks directly against an operator, I do feel that there will be some major security incidents that will affect mobile iGaming platforms.
Mistakes that were made 10 years ago in traditional web applications are now being made on mobile platforms. The iGaming industry is one that moves quickly in adopting new technologies. However, the security controls do not typically keep up. With the increase in security breaches, such as Target and, more recently, the compromise of 4.6 million SnapChat accounts, only sites that are able to best protect themselves will be in a position to gain their players’ trust and confidence.