Online Poker Security



The online streaming platform is attracting the biggest names in the game, including Daniel Negreanu, Jason Somerville, Liv Boeree, and plenty others. These poker greats now have tens of thousands of people watching as they play poker online. But does streaming online poker session create too many security risks? A good rule of thumb is the bigger the poker room, the better the security measures. So, the type of poker room that has a lot of users and is featured in commercials and everything else, often has some of the best security measures. Two rooms that offer security keys are Full Tilt Poker and Pokerstars.

When most people think about computer security, they often assume that if they have antivirus software, they are safe. Now, of course, having antivirus software installed with updated virus signatures is a required first step, Passwords are the first that come to mind—there is no need for a complex attack if your password is poker.’ This advice goes for all accounts, not just your poker accounts. E-mail accounts in particular must have strong passwords—just ask Daniel Negreanu. but when your computer is used to play a game where hundreds to thousands of dollars are at stake, more protection is needed.

There have been several reported cases where players have been cheated because their opponents could see their hole cards or other security exposures. While there are sophisticated attacks (such as the man-in-the-middle SSL misconfiguration vulnerability that affected Ultimate Bet Poker [AP]) that could be used to obtain this information, it is more common that a player will be tricked into installing some form of malicious software on their system.

This is not an attack vector that is unique to the online poker industry. Several high-profile attacks in both the government and private sectors have used this method successfully. The RSA (the company that makes those 2-factor authentication tokens that more sites are making available) security breach is a great example.

In this case, an employee was tricked into opening a document that had malicious code, which installed a backdoor that the attacker then used to gain access to RSA’s internal network and eventually portions of RSA’s security algorithm. Now, if an organization whose primary mission is information security can be exploited in this manner, it is likely that the vast majority of the online poker population could also be successfully targeted.

As discussed, while there are several different attack vectors that could be used to gain unauthorized access to a player’s system, two of the most common are old-fashioned social engineering and phishing attacks.

Social engineering is the process of deceiving people into giving away access or confidential information. This topic will not be discussed in this article; rather, we will focus on defenses against client-side attacks such as phishing. There are two primary categories of phishing: general and spear.

  • Phishing – E-mails that typically contain a link to a counterfeit Web site and are designed to look like an authentic login page. They will actually capture personal data for cyber criminals, who will use the data to commit financial fraud.
  • Spear Phishing – Targets are identified in advance and the e-mails that attempt to trick them into handing over personal data can be highly specific. They might claim to come from a friend or colleague, or seek to exploit the target’s known interests.

Of the two, spear phishing attacks are much more dangerous. I can imagine several scenarios that could be used against well-known and successful players in order to launch a successful attack.

There are several obvious defenses that players can use to better protect themselves from these types of attacks. Passwords are the first that come to mind—there is no need for a complex attack if your password is “poker.” This advice goes for all accounts, not just your poker accounts. I believe that the most important protection mechanism you can use is a dedicated system on which you only play online poker. E-mail accounts in particular must have strong passwords—just ask Daniel Negreanu. A separate poker-specific e-mail address is also a good idea.

It is best to have separate passwords for all accounts and ensure that they are complex (I recommend at least 14 alphanumeric characters including special characters). If the option is available to use some sort of multi-factor authentication token, take advantage of it.

Another step is to keep your system up to date will all security patches, not just operating system patches but also third-party updates from companies like Adobe and Java. Attackers’ phishing exercises are usually successful because their victims are running outdated software, which makes their computers easier to exploit.

I believe that the most important protection mechanism you can use is a dedicated system on which you only play online poker. Don’t surf the Web, answer e-mails, use instant messaging, or run anything else on this system. A dedicated system should not only increase your win rate (since you will not be distracted), but it will help you avoid certain types of client-side attacks such as phishing and cross-site scripting (XSS) attacks. During our research last summer, we found numerous sites (both online poker companies and supporting sites) that were vulnerable to client-side XSS attacks. From OWASP.org, XSS is defined as follows:

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.

As you can see, there are a number of possible attacks that could occur. Imagine that you were logged in to a site playing poker, you visited a site that was vulnerable to XSS, and the payload captured your cookies and sent them to the attacker. The attacker could then use these cookies to potentially log in to the poker site on which you were playing. The possibilities are unlimited and this is why I advise not to do anything else on your poker system except play poker.

Now, it may be costly or just not practical to use two separate computers. If this is the case, do what I do: use virtualization. With the technologies available today such as VMware or VirtualBox, is easy to have a separate virtual machine dedicated for your poker playing. For my computer setup, I use Ubuntu Linux as my host operating system and VirtualBox for my guest operating systems (see figure below).

This setup allows me to have a dedicated system for poker playing and others for research and work. Now, you will need a system with a substantial amount of memory or you may run into performance issues, but with memory so inexpensive, this should not be a problem in most cases. There are plenty of articles on the Internet about installing and using virtualization, so they should point you in the right direction if you are not familiar with this technology. If you have any questions, please let me know and I will consider writing an article on installing a virtualized system geared toward poker players.

If you follow the suggestions in this article, you will hopefully decrease the risk of your system and poker account becoming compromised. In my next article, I will look at the increase of online poker applications being offered on mobile devices and the security concerns in that environment.

We operate online poker cash games and tournaments, taking a small amount from most cash game pots (in the form of ‘rake’) or tournament buy-ins (via entry fees) as financial recompense. Operating with this business model, the integrity of the game is paramount to our success. In fact, we maintain teams of game integrity experts to ensure no player could ever gain an advantage at the table through anything but their own skill and ability.

We rely on our hard-won, independently verified reputation for providing a fair and honest game. For this reason, allowing players any sort of unfair advantage, or ‘punishing’ any players with an unfair disadvantage, would be counter-productive and damaging to our reputation and our business. And as you can see below, would also be technically impossible.

The Shuffle

We deal the cards in a fair and honest manner. Once the deck is shuffled, it is set, and the order in which the cards are dealt cannot be changed. The software that shuffles and deals the cards cannot control who wins or loses; it just deals the cards and the rest is up to the players in the game.

Our software uses an independently verified random number generator to produce a shuffle that is completely random, and which favors no player over any other. The methods we use ensure complete randomization of the cards, and complete unpredictability of the cards to come.

Our random number generator is one of the most advanced in the industry.

The Random Number Generator

One of the great challenges in generating a truly random number is that computers are logical, process-led machines, and so any series of numbers produced solely by a computer can never be truly random.

Online Poker Secrets

We use a ground-breaking system based on quantum theory. A single photon is directed at a semi-reflective mirror; the angle at which it is reflected, or whether it passes through, is an entirely random process that can never be accurately predicted, reproduced or interfered with.

Our random number generator has been tested and certified by Gaming Labs International (GLI) to meet the industry standard for highly-regulated jurisdictions. Click here to learn more, or click here to read our Certification of Integrity.

Keeping Player Funds Safe and Separate

All player funds and account balances are held in segregated accounts, and are never used for operational expenses. These segregated accounts are managed by a leading European bank.

This arrangement ensures that we can at all times fulfil our monetary obligations toward our online players, and provides further reassurance that player funds are always secure with us.

Responsible Gaming

We have a commitment to ensure that online gaming remains fun and safe. That means preventing people from playing if they are underage, and helping those who do not have control over their playing.

Our software contains built-in measures to protect players, including the facility to limit deposits or play. Look for the ‘Responsible Gaming’ menu to learn more.

You can read our responsible gaming policy here.

Your Password

We employ some of the toughest and most secure systems to protect the integrity of your account, but any account is only as secure as its weakest link, which for many people is their password.

Your password can be up to 20 characters long, and lengthier passwords are usually stronger. Account and password security tips can be found in our Help Center.

Password protection is your responsibility and leads to secure online management.

SMS Validation

Validating your Stars Account using SMS text messaging provides increased security for your account. When activated, you will receive a SMS text message with a secret code if we detect potential irregularities with the operation of your account. In these instances, the facility to conduct real money transactions (including real money play) will be suspended until you enter the provided code into the software.

For guidance on activating or deactivating SMS validation for your account, please visit the Help Center. If you have any queries, are not receiving SMS validation messages, or no longer have access to the phone number that was registered, please contact Support.

PIN

Using a PIN to log in to your account - in addition to your username and password - provides a further level of security for your account.

Online Poker Security Rules

Once activated, you will be prompted to enter your PIN upon each log-in. The numbers will change position each time, stopping most keyloggers from recording where you click and what buttons you press. For information on how to adjust your PIN settings, please visit the Help Center.

If you lose your PIN, you can request a new one which will be sent to your registered email address. If you have lost your PIN and no longer have access to the email address registered to your Stars Account, please contact Support.

Online poker security online

RSA Security Token

An RSA Security Token is a device that generates an extra password needed to log-in to your Stars Account. Each password only shows on the screen for a few seconds. After that, a new password is generated and the old one expires.

For details of how to order, activate, enable or disable an RSA Security Token, visit the Help Center.

If you have any questions about software, player or account security, please visit the Help Center or contact Support.

We are committed to responsible gaming, and are dedicated to an enjoyable and positive gaming experience.

Online Poker Security Software

Poker

PokerStars has special offers running all year round, with cash prizes, seats to the best live events and much more.

You'll find the rules of poker, beginner tips and in-depth strategy in the PokerStars How to Play section.

Online Poker Security Services

Make your first real money deposit and start playing at PokerStars. Deposits are fast and secure.