Protecting the Player – iGNA 2014

Protecting the Player – Information Security Concerns
Gus Fritschie
@gfritschie
March 21, 2014
Overview
SeNet
While there is the potential for attacks against the iGaming application and infrastructure, it is easier to attack the consumer.
Why spend days trying to exploit a SQL injection vulnerability when all you need to do is have a player click a link?
The focus of this talk is on protecting the player.
© SeNet International Corp. 2014
2
March 2014
Houston, We Have a Problem
Barcelona Laptop Incident
http://pokerfuse.com/news/live-and-online/confirmed-ept-barcelonalaptop-infected-with-screen-sharing-trojan-11-12/
Las Vegas Sands Hacked
What Can Sites Do?
There are many steps that sites can take to help protect their players. Here are some:
• Security awareness
• User security controls (e.g. password policy, multi-factor authentication, account lockout)
• Site security controls (e.g. SSL, secure coding, secure configuration)
• Continuous monitoring
Security Awareness
• Operators need to do more to raise security awareness among their customers.
• This could take the form of logon messages, emails, or other forms of communication.
• Last year Poker Stars released a guide on protecting your laptop that was distributed at an EPT event in the wake of the Barcelona hotel incident.
• Learn a lesson from Facebook.
User Controls
• Password complexity requirements
• Session timeout
• Account Lockout
• Multiple Sessions
• Dual-factor authentication
• IP/MAC Restrictions
• Logon Notification
Site Controls
• Security Code Reviews
• 3rd Party and Internal Security Reviews
• Secure architecture design and implementation
• Configuration Management
• Encryption (data-in-transit and data-at-rest)
Continuous Monitoring
• Collusion/bot detection
• Abnormal activity/win rates
• Account Activities
• Logging/SIEM
• Important to monitor not only technical controls, but management and operational controls too
Examples
Security Configuration Issues
Authentication Weaknesses
http://www.onlinepokerreport.com/9529/authenticationcomparison-two-nj-igaming-sites/
Backend Password and Username Exposed in Request
Password Stored in Clear-text in Database
Using the forgot-password function, the password is sent via email and is the same password as initially set. This indicates that passwords are stored in clear-text (a salted, one-way hash cannot be reversed to recover the original password).
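The check above works because a site that stores only a salted, iterated hash has nothing to email back. The following is an added example (not code from the talk or from any of the sites it discusses) of a forgot-password flow built on that principle: the store holds a PBKDF2 hash, and "forgot password" issues a short-lived, single-use reset token instead of the password. The in-memory USERS dictionary and the 15-minute token lifetime are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory user store standing in for the site's database.
USERS = {}
RESET_TTL_SECONDS = 15 * 60  # assumed token lifetime


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the digest cannot be turned back into the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def register(username, password):
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "reset": None}


def verify_password(username, password):
    user = USERS.get(username)
    if user is None:
        return False
    _, digest = hash_password(password, user["salt"])
    return hmac.compare_digest(digest, user["hash"])  # constant-time compare


def forgot_password(username):
    """Return the one-time token the site would email (None for unknown users;
    the caller shows the same message either way to avoid username enumeration).
    Only the token's hash is stored, so a database read does not reveal it."""
    user = USERS.get(username)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    user["reset"] = (hashlib.sha256(token.encode()).digest(), time.time() + RESET_TTL_SECONDS)
    return token


def reset_password(username, token, new_password):
    """Consume the token and set a new hash; the old password is never seen again."""
    user = USERS.get(username)
    if user is None or user["reset"] is None:
        return False
    token_hash, expires = user["reset"]
    presented = hashlib.sha256(token.encode()).digest()
    if time.time() > expires or not hmac.compare_digest(token_hash, presented):
        return False
    user["reset"] = None  # single use
    user["salt"], user["hash"] = hash_password(new_password)
    return True
```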
Weak Password Policy