The majority of online poker players are familiar with security issues that have plagued the industry, such as the cheating scandal at Ultimate Bet/Absolute Poker (UB/AP) and the SSL encryption problems that UB/AP and the Cake Network faced. It was hard to ignore these problems with the amount of coverage they received from the poker media and on poker forums. Players were worried about these problems and rightfully so.
However, it is my opinion that these are not the only security issues about which players need to be concerned. There are many other basic security issues to consider for which other industries (such as financial and medical) have already implemented controls to protect themselves, their customers’ data, and their personal information. Why should the online poker industry be any different? Of course, we know the answer to that question based on the events that occurred on Black Friday: lack of regulation.
In today’s poker climate, the emphasis seems to be on regulation related to the financial and management aspects of online poker. There is no need to bypass a firewall or perform a sophisticated SQL injection attack if the owners of these companies can simply steal players’ money by transferring it into their bank accounts. Now, as we move toward regulated online gaming in the United States, computer security controls need to be enforced as well as financial controls.
As mentioned earlier, other industries have already taken steps to protect their systems and customers by implementing security safeguards. Did they do this because they thought it was a good idea and the right thing to do? In some cases, yes. Mostly, they did this because they were forced to do so by regulations. The Federal Information Security Management Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry (PCI) standards are just a few examples of regulations that have forced industries to better secure their systems and infrastructures.
Now, some in the security industry will argue (and I am one) that these regulations do not actually increase the overall security posture of an organization or a system. That is true if regulatory compliance is viewed only as a paperwork drill or as filling in a check box. However, if viewed properly, these regulations can be used as a mechanism by which to gain the resources needed to implement effective security.
Why does the online poker industry need effective security? Besides the well-known issues discussed earlier, there are a number of basic security controls that are not even being implemented correctly. During the summer, I gave a presentation on online poker security at Defcon, one of the largest security conferences in the world (the PowerPoint slides are available for download). During my research, I discovered that simple security controls such as strong passwords (no, Full Tilt, I don’t think 5 characters is strong enough) and account lockout were not enabled.
While I have not discovered any vulnerabilities that can be exploited in the actual transmission of the game traffic, I have identified numerous areas where the poker application interfaces with the poker server via Web traffic. For example, I was able to exploit cross-site scripting (XSS) vulnerabilities that could be used to attack the end user and gain access to their system and hole cards. Another issue of concern that I documented is how the actual poker client has characteristics similar to those of a rootkit. Not only is the client monitoring your system for illegal software (i.e., poker bots), it is going through your browser cache, making registry changes to areas outside the poker client, and performing many other invasive acts.
I also discovered other issues during my research, some of which I documented in my presentation and others that I am still researching. Future articles will discuss these vulnerabilities, steps that players can take to protect themselves, and developments in information security centering on the online poker industry.