- A security professional takes a look at the account security mechanisms present for the online gaming sites in New Jersey.
Recently, I was in New Jersey performing security testing required by the Division of Gaming Enforcement (DGE) for one of our iGaming customers. While I cannot speak to the specific results of that testing, I did perform a brief security survey on the majority of the iGaming sites operating in New Jersey.
Though only a limited test was performed using passive techniques, it is still useful to illustrate some of the security controls that are in place.
Overall, based on my examination it appears that most of the sites have implemented the security controls required by DGE regulation. Of course there is room for improvement in some areas, but that is to be expected.
Testing Approach
The testing was performed simply by creating accounts and then logging into the various iGaming applications and observing certain settings such as password requirements, encryption, and other security requirements.
In some cases a local proxy was used in order to examine the web traffic in order to determine if we observed anything strange that might pose a risk.
This survey was done in a very short time frame and though it should not be considered an authoritative review on the state of the security of New Jersey’s igaming operators, it does provide an in-depth look at some of the security mechanisms encountered by igaming customers.
Password Complexity
The primary mechanism that the sites utilize for authentication is username/password. The strength of the password is important to the overall security of this method.
Most of the sites have adequate password requirements. It is my opinion that the sites bear part of the burden in keeping their customer’s accounts safe. They must force the players to choose strong passwords, otherwise everybody’s password will be “poker”.
The most common requirement forces users to select passwords that have at least 8 characters, at least one number, one letter, and one special character. This is better than it was in the past, but still not strong enough. However, there were some that did not even meet these basic requirements. Golden Nugget Casino for example only requires a minimum of 6 characters.
Others such as Harrahs Casino have a password maximum length set at 12. There is no technical reason why password lengths should ever be capped, and to be honest 12 should be a starting point for a minimum length.
Strong Authentication
Simple password based authentication is the default choice for most of the sites. However, the New Jersey regulations state that the sites must give the player’s the choice to implement “strong authentication” (i.e. multifactor authentication). Practically all of the sites have implemented this feature that can usually be enabled by selecting it in your profile.
The method that most of the operators have used to implement this requirement is by sending a pin to the player’s registered mobile device. This pin must be entered after successful authentication via password.
This control dramatically increases the security and lowers the risk of a player’s account becoming compromised. However, not all multi-factor authentication implementations are created equal. While this type of multi-factor authentication is much better than simple password based authentication, there are even more sophisticated solutions.
Though stronger multi-factor authentication solutions exist, until customers and/or regulators require these types of solutions operators might delay implementation due to cost.
Also as seen in the figure above many of the sites have an option to send you an email every time your account is accessed or your last logon time is displayed when accessing the site. This is great for detecting and responding to account related attacks.
Account Lockout
Another good preventative tool is account lockout. After a certain number of attempts to logon unsuccessfully, a user’s account is locked out for a certain period of time.
This is a good mechanism to prevent against brute-force password attacks. Now since this could also be used to stop a user from logging-in what some of sites have implemented is a CAPTCHA or additional security questions.
Some operators such as Harrahs will send an additional token to your email on record that must be entered with the authentication credentials. These have similar outcomes in limiting the success of brute-force attacks.
Session Timeout
Yes, people will complain that they must log back into the application after a specified period of time, but it is for their own protection.
This is another requirement which is in the DGE regulations and all sites have implemented in one form or another.
Another related control is that some sites like partypoker have implemented is restricting multiple sessions.
Encryption
One of the most obvious things that people think about when it comes to security is SSL.
The general public has been trained to look for the “lock” and make sure it says HTTPS when conducting sensitive transactions on the Internet. It is no different with iGaming, and while SSL is not the silver bullet some people make it out to be, it is better to have it enabled then not. Luckily most of the iGaming sites such as Betfair do have it enabled by default, even on their home pages.
However during my survey I did notice that Harrahs did not seem to have it enabled. I used my proxy to inspect the HTTP requests and contrary to the server name being casino-nj.secured-igaming-services.com, it did not seem to have SSL enabled.
Heartbleed Vulnerability
The week I was in New Jersey a serious vulnerability impacting OpenSSL (i.e. Heartbleed) was made public. It made me curious and I briefly looked at the sites in New Jersey.
On April 8 only one site in New Jersey was vulnerable to the heartbleed issue. As of today, no sites in New Jersey appear to be vulnerable.
A note on this survey; only the primary sites were reviewed (most iGaming sites are made up of numerous servers) and the tool used to test the sites was a Firefox plugin that passively examines the server.
Summary
Only a few subsets of general security controls were examined during this survey. While some problems were detected it appears that the majority of the required security controls are in place on all of the sites.
Of course the only way for operators to know for sure what the security posture of their application looks like is to have a detailed independent test.
Compared to what the state of security was when I first started examined igaming sites in 2010 those in New Jersey have made great improvements.