Online Casinos aren’t as vulnerable as they look. Having this site and being a pretty active member of the community, I’ve pretty much heard and seen it all. I’ve been asked to hack into banks, into governments, and just about every other thing you can imagine. I was having a beer with a good friend of mine a year or so ago, and he mentioned that a friend of his was juiced in with the Thai mob. Basically this guy had been recruited into it to help them cheat casinos (essentially he got caught by the Thai guys and in exchange for his kneecaps he got to help them out - and a healthy paycheck to keep a smile on his face). They had chosen a really low-tech route by getting a whole bunch of really talented players, stuffing them in a room and paying them to play poker and win all day. Wow, that sucks.
So my buddy, being the computer guru that he is, and also a professional gambler, gave his buddy a few helpful tips on how to succeed, by using proxies, clearing cache and cookies, blah blah. Then he went on to tell me how he would write an AI bot to do detection of the cards on the screen and automatically play for you. My friend is smart. My friend is also unaware of Online Casino security. So here’s how it works, for anyone who wants to avoid getting caught.
First, online casinos are not automated completely. There are indeed humans behind the wheel. If they see something that looks “robotish” they will intercept the user with a dialogue box to get human interaction. With this information they can tell if you are a robot or not. Okay, so what if you had a human nearby who could monitor the screens and respond if something like that happened? Well, eventually if you win too much, just like any Casino in real life, they reserve the right to kick your ass out as a suspected cheater. No problem, just log in as a different user, right?
Wrong…. My friend had the right idea about clearing cookies, and cache, blah blah. The part that he got wrong was that he didn’t know about the OTHER things these systems do to your computer. The Casinos put a piece of software in the Java clients that they ask you to download that maps your computer’s hardware. If you come from the same machine twice, even as different users on the machine, despite using proxies, or what have you, they’ll still see you as the same user. Okay, so let’s just bounce around to another Casino, right?
Wrong…. That same software is logging to a centralized database that more and more Casinos are buying into. That software stores all of your hardware specs remotely. When Casino “A” kicks you out for being a cheater, Casino “B” will see you are coming in as a suspected cheater and that Casino “A” that they know and trust has blacklisted your computer. In this way, they are able to keep tabs on you as you move from Casino to Casino. Eventually this could end up being much more virulent software that does a lot more than just mapping your drive and having a blacklist flag. But that’s a ways out, and giving customer information to competitors has never been a good business model for Casinos.
Are there ways around it? Sure, VMware sounds like a fantastic idea… the problem with virtual machines is that they almost always end up looking the same. Changing your hardware specs doesn’t really help too much, unless you change more than a certain percentage. They store as much information as possible and if they see one datapoint that doesn’t match they are fuzzy enough with their logic to detect that the user is probably the same. Are they logging in other ways? Well, almost definitely (although I have no definitive evidence of this), but those logging mechanisms are probably worth another post.
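The shared blacklist and fuzzy hardware matching described above can be sketched from the operator's side. This is an added example, not code from the original post or from any casino client; the attribute names, the sample fingerprints and the 0.75 threshold are all assumptions.

```python
# Added illustration: field names, sample values and the threshold are
# assumptions, not details of any real casino client.
from dataclasses import dataclass, field

MATCH_THRESHOLD = 0.75  # assumed share of attributes that must agree


def similarity(a: dict, b: dict) -> float:
    """Fraction of attributes (over the union of keys) with equal values."""
    keys = set(a) | set(b)
    if not keys:
        return 0.0
    same = sum(1 for k in keys if k in a and k in b and a[k] == b[k])
    return same / len(keys)


@dataclass
class SharedBlacklist:
    """Central store that several operators report to and query."""
    entries: list = field(default_factory=list)  # (reporter, fingerprint)

    def report(self, reporter: str, fingerprint: dict) -> None:
        self.entries.append((reporter, dict(fingerprint)))

    def lookup(self, fingerprint: dict):
        """Best (reporter, score) at or above the threshold, else None."""
        best = None
        for reporter, known in self.entries:
            score = similarity(fingerprint, known)
            if score >= MATCH_THRESHOLD and (best is None or score > best[1]):
                best = (reporter, score)
        return best


# Constructed sample fingerprints.
BANNED = {"cpu": "x86-64/8c", "ram_gb": 16, "disk_serial": "WD-1111",
          "mac": "00:11:22:33:44:55", "gpu": "vendorA-3000",
          "screen": "1920x1080", "os": "Windows 10", "bios": "v2.1"}
ONE_FIELD_CHANGED = {**BANNED, "mac": "66:77:88:99:aa:bb"}  # 7 of 8 agree
OTHER_MACHINE = {"cpu": "arm64/4c", "ram_gb": 8, "disk_serial": "SS-2222",
                 "mac": "de:ad:be:ef:00:01", "gpu": "vendorB-10",
                 "screen": "1920x1080", "os": "Windows 10", "bios": "v9.0"}

db = SharedBlacklist()
db.report("casino-a", BANNED)  # Casino "A" blacklists the machine

if __name__ == "__main__":
    # Casino "B" queries the same store when a new account logs in.
    print(db.lookup(ONE_FIELD_CHANGED))  # single mismatch still matches
    print(db.lookup(OTHER_MACHINE))      # unrelated machine does not
```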
Is this all spyware? No, it’s DRM. They reserve the right to know that you have a licensed copy of their Java client.
Sorry, cheating online casinos just isn’t that easy anymore. That’s probably why the low-tech route that the Thai mob is using is probably the most lucrative, oddly enough.