"Back Door" Cheating Scandal Rocks Online Poker

AcidAUS sends us the story of an online poker cheating ring that netted an estimated $10M for its perpetrators over almost 4 years. The article spotlights the role of an Australian player who first performed the statistical analyses that demonstrated that cheating had to be going on. "In two separate cases, Michael Josem, from Chatswood, analyzed detailed hand history data from Absolute Poker and UltimateBet and uncovered that certain player accounts won money at a rate too fast to be legitimate. His findings led to an internal investigation by the parent company that owns both sites. It found rogue employees had defrauded players over three years via a security hole that allowed the cheats to see other player's secret (or hole) cards." The (Mohawk) Kahnawake Gaming Commission, which licenses the two poker companies, has released its preliminary report. MSNBC reporting from a couple of weeks back gives deep background on the scandal.

Let's comp the cheaters some room nights

Illicit high rollers get free room and board for the next 5-10 years.

This is why

I don't gamble.
I invest my money in the stock market.

Re:This is why

And, assuming you're not going to be taking it out for another 10-40 years, it's a good, safe investment vehicle indeed. Buy stock now! (and in the future, regularly, with a fixed amount monthly, and take advantage of dollar cost averaging!)

Whee.

Re:This is why

Assuming, of course, that the companies you've invested in don't fold with a negative value. From that, there's no recovery.

Don't buy individual stocks

It's a legalized pyramid scheme

The economy is not a zero sum game

10-40 year investment is still a gamble

Yes it is, but as long as in the long term production is higher in the future than it is now, your (sufficiently diversified) investment will grant returns.

Re:This is why

Well, it's rather brutal here. Right now we are advising all our clients to put everything they've got into canned food and shotguns.

Re:This is why

There is only one way to make money gambling: Make sure you are "the house". In the long run, only the house wins.

Actually, I cleaned up last time I was in Vegas. My buddies did too - We developed a 'system'.

1) Fill your pocket with nickels.
2) Find a nickel-slot, sit down, and drop a nickel in.
3) Wait for the cocktail-girl to walk by and spin the slot.
4) Tell the girl, "Why yes, I would enjoy a Heineken on the house."
5) Accept your beer and walk off to find another nickel-slot. (Alternatively sit at the same one, but that will require tipping if you want regular service.)

Maybe you get your nickel back and maybe you don't. Who cares? It's a full night of nickel-Heineken. A buck goes a LONG way.

Re:This is why

My wife doubted we would get comped at the nickel slots. Not only do you get comped, the drinks are stronger than the ones you pay for at the bar! Add to this the cheap rooms and cheap food, and you've saved enough to pay for some expensive entertainment while still vacationing on a budget.

Re:This is why

But then you find out that all the toilets have locks on them charging $10, or even worse, they are slot machines too. "Come on cherries! I need to pee!"

Re:This is why

That's pretty rude. Not to the casinos (I could care less about them), but to the poor, hardworking "cocktail girls". I do more-or-less the same thing when I'm in Vegas, but I make a point to tip the waitrons well. This means: they'll happily keep bringing the drinks; they'll carefully not notice how few nickels you're putting in the slots (as long as you keep up a minimal pretense); and you're still getting drinks at bargain-basement prices.

"Do what you wanna--do what you will;
Just don't mess up your neighbor's thrill--
and when you pay the bill, kindly leave a little tip
to help the next poor sucker on his one-way trip."
                    -- Frank Zappa, "The Meek Shall Inherit Nothing"

Why do people place such a sucker bet anyway?

It's hard enough to trust casinos even when they're under the scrutiny of a licensing body as serious as the Nevada Gaming Commission, much less when they're under no scrutiny at all (or under some "commission" with no actual legislative or enforcement authority). Casino gambling in general is a sucker bet (even under strict conditions the odds always favor the house), but online gaming and other unregulated gambling is ESPECIALLY so (since you haven't the slightest assurance that you're not being cheated).

I still don't understand why people do this. Are they really THAT desperate to place a bet, any bet? Might as well become a day-trader and play the stock market for your fix. It would be a lot more regulated than most online poker.

Re:Why do people place such a sucker bet anyway?

People do it for two reasons.

1) It's fun. When you plunk down $20 for you and your significant other to see a movie in a theater, you have no chance of ever getting that money back. But it's worth it to you for the entertainment. Same goes with gambling. You lose money but a lot of people enjoy it. I don't, personally, but many people do.

2) It's profitable. When playing poker, you don't have to beat the house, you just have to beat the other players. The house takes a portion of the winnings but if you can consistently beat the rest of the table then you come out ahead. It's not like other casino games in this respect. You're not playing against the house, you're just paying the house for the privilege of playing against other people. You can, and many people do, make a living playing poker.

Well, there are actually three types:

3) Idiots think they will win big.

But the point being, with reasons 1 and 2 it's possible to gamble without being irrational or stupid.

'insider knowledge'

This cheat required somebody on the 'inside' to perpetrate. As with most casino table games, if you have somebody on the inside, cheating is easy.

This is how I cheated at various online poker sites. Me and two buddies would join a table, and have a VNC connection setup to view each others hands. two of us would play dummy hands based on whom had the best hand of the bunch. We cleaned out every table we played at.

Re:'insider knowledge'

If you played at any of the levels where the pros inhabited you'd have been identified and banned quickly.

Most of the online pro's are using tracking software and doing analysis which would have picked up on you three. Though I hardly doubt they'd have needed it, the math involved in poker is only part of being a winning player.

2+2, where most of the collaboration is done, is the /. of the poker world. A lot of Statistical anomalies are discussed and investigated there.

Show of hands if anyone knows about the DERB thread?

That's what you get in Kahnawake...

For those who don't know, Kahnawake is Mohawk territory claimed by the aboriginals (aka Indians) in Canada.

The Mohawks claim to sovereignty over the land, and do not allow the provincial & national police to enter.

To avoid stirring up trouble, the Canadian government usually doesn't send police to Kahnawake, even though the Canadian government doesn't recognize the Mohawk claim to exclusive sovereignty.

Without any real police force, crime flourishes in Kahnawake. Drug smuggling, gun smuggling, people smuggling, cigarette smuggling, you name it.

Don't trust any business in Kahnawake, let alone a business attractive to crime, like gambling.

Not long ago, there was a Mohawk criminal driving at high speed (off-reserve) trying to get to the Mohawk territory before getting caught by the police chasing him. He made it on to the Mohawk territory, and the police abandoned their pursuit. Sadly, the Mohawk driver ran a stop sign and killed a Mohawk teenager.

For the people of Kahnawake, it seems that it is more important to be the victims of aboriginal criminals than to cooperate with non-aboriginal law enforcement. Sad.

Strict client/server separation was missing

From what I gather from the articles, they didn't actually write any code that tapped into the server... it was just getting information from the client app that was residing in memory but was not displayed to the screen.

This is just an enormous case study suggesting why strict client/server separation is essential, and that clients only get the information on a "need to know" basis.

Isn't this a fairly standard design practice? How did this happen?

--
Hey code monkey... learn electronics! Powerful microcontroller kits for the digital generation. [nerdkits.com]

superuser

o my....story time...
The phrase of the day is "superuser"
This data was given to many professional online poker players who analyzed the data in late 2007 (see 1 year ago, 10/16/07 to be exact) when they requested the data from the online site "Absolute Poker".

Instead of the site giving them the usual data which hid the opponents cards unless they had shown them during the hand, they sent all the raw data which included the opponents hole cards, and specifically every player and spectators player number. One of the spectators was player number "363" I believe which was incredibly low (one of the first ever to register on the site).

When designing the software they must have used several "superuser" accounts to make sure that it was working correctly, so they let it see all the cards on the table. Someone inside Absolute Bet discovered(or knew they entire time) that the loophole was still open and used multiple accounts to siphon hundreds of thousands if not millions of dollars off of their high stakes users. This was used also over other websites running the same backend software.

What made this so obvious, simply put, to the high stakes players was that these players were playing perfectly over thousands of hands which isn't possible unless you know all the cards on the table.

For more reading see:
http://freakonomics.blogs.nytimes.com/2007/10/17/the-absolute-poker-cheating-scandal-blown-wide-open/ [nytimes.com]
or for more poker talk:
http://archives1.twoplustwo.com/showflat.php?Cat=0&Number=12523924&page=0&fpart=1&vc=1 [twoplustwo.com]

Half of these posts

seem to be from people that know absolutely nothing about poker and ultimately nothing about how the sites make their money, so let's clear up a few things.

1. It would never be in the best interests of the company to try to allow this to happen to anyone, as the cost would be too high. If players had a hint that they were being cheated they would never play there. That $10MM figure is nothing compared to what the sites generate from rake alone. The only people who could benefit would be hired contractors who wrote the code and got paid some small amount of money to do so. To them, it would be worth the risk to try to cheat somehow, and they obviously did.

2. To the few people who seem to think that they were getting information that was already on their systems from memory that was encrypted or something, well, that's false. The "special" accounts were sent information that other players do not get sent. You only get your hole cards, and it's not until a showdown where anyone but you and a random server out there know what anyone has.

I guess that's it, aside from the extreme unlikelihood that anyone would try to cheat in this manner at a small (say 30-60 or less) game. The risk/benefit doesn't add up at those stakes.

A few random points: high stakes poker can be shady at times, and collusion in the smaller games can be defended against to some extent (by either not playing, or using the style of collusion against the colluders. At times games can appear to be collusive due to excessive raising, but the majority of the time that's just strategy.

Re:Use the Front Door!

In theory the online casinos have ways to catch this kind of collusion. If 8 people at a table are connecting from the same IP address, that sets off alarm bells. If the same 8 accounts keep playing together at the same table day after day, even if they're all over the world, that sets off alarms. The local game clients themselves can look for signs of screen scraping applications that might be capturing the hole cards and transmitting them to other players.

All that said, I have no idea whether or not the online casinos are really successful at preventing outside collusion.

Re:Use the Front Door!

If organized teams have ripped off Casinos in Vegas (the MIT blackjack team comes to mind) then surely online casinos get hit all the time and don't know.

You are missing the point. In poker games where players are not competing directly against the house but against other players and the house just charges a small percentage of the overall pot as a fee to play their game, they aren't actually stealing money from the house but the other players seated at the table. So, while the sites want to assure you that there are not any "back doors" they actually don't lose money directly from them, only indirectly if they end up losing aggregate business as a result of people not gambling due to mistrust.

Re:Use the Front Door!

That's called collusion and although it's used from time to time, the regulars pick up on it fast and the software recognizes it even faster. What people aren't understanding about online poker is that it's not the same as "placing a bet", it's a game based on mathematical probability. Online poker players have databases full of information on themselves and their opponent. Every single decision made is either positive expected value or negative, and after a while the better players learn to recognize what situations will yield a positive result. This story has been around for a few years and the real interesting part about it is the fact that it was an online community of poker players who ended up exposing it. This scandal has been developing for quite a while now and if anybody feels like getting the whole story go to the community where it all happened [twoplustwo.com]. There's real interesting reading there and I'm surprised it has gone unnoticed on Slashdot as long as it has.

Re:*mucks his hand*

Thank god the moral police have arrived.

Re:*mucks his hand*

Actually the morality police is what brought us here. If online gaming was regulated to be fair and run by legit casinos who had a legal liability to create a fair and secure playing field this would be unlikely to happen and if it did there would be legal recourse. Since the morality police can't bring themselves to do that people play without the safety of regulation and a legal system and when companies harm their players through negligence our outright fraud the players are just screwed.

Re:*mucks his hand*

Have you ever played poker? With the right people, poker is fun. A movie costs 10$ and lasts 1.5 hours, and may or may not be fun. I can play a 5$ poker game with friends that lasts twice that long, is more entertaining than most movies and that allows for actual interaction between people, rather than staring at a screen. I could blow 50$ or more at the bar, or I could play poker all night for 20$ and not wake up smelling of smoke and beer.

Playing poker because you think it will make you rich is probably retarded, playing at a casino is certainly reckless if you aren't an elite player, but playing poker doesn't in and of itself indicate naivety or stupidity. It's just a different form of entertainment and is reasonably priced as long as you're reasonable about it.

Re:Back door

Liquor in the front,
Poker in the rear.

Re:There are good cryptographic solutions

Indeed there are. I wrote a book on this:

Policing Online Games

It's far from the last word.

For more information:

http://www.wayner.org/books/pog/ [wayner.org]

To look up on Amazon:

http://www.amazon.com/exec/obidos/ASIN/0967584426/myhomepage0bc [amazon.com]