How to Cheat at Online Poker: A Software Security Study

Poker is a card game that is popular around the world. We can play it at a table at home, in a casino, or in a card room, and we can now also play at online casinos in New Jersey. Some of us who study reliable software technology also play poker.

Because we now spend so much time online, it was only a matter of time before poker and reliable software technology came together. When we studied online poker and software security side by side, we found a huge security loophole, which is what this article is about.

People can play Texas Hold 'em poker against others in an internet card room such as PlanetPoker, in real time and for real money. Since our primary job is to provide companies with secure, reliable and robust software, we were curious about the software behind the online games. How does it work? Is it fair? We looked at the FAQ page on the PlanetPoker website, which describes their shuffling algorithm (somewhat surprisingly, the algorithm was made public to show that the game is fair) in enough detail to start our analysis. When we saw the shuffling algorithm, we began to suspect that it had problems. A little research showed that this intuition was correct.

Security risks are everywhere

Every convenience comes at a price. Unfortunately, playing online poker carries real risk. The casino itself may be a hoax that exists only to take money from players and never intends to pay out any winnings. The servers running online casinos may also be broken into by malicious attackers who want to obtain credit card numbers or gain an advantage in the games. Because most casinos do not authenticate and encrypt the network traffic between a player's client program and the server hosting the card game, it is conceivable that a malicious player could examine this traffic (using a classic man-in-the-middle attack) to determine an opponent's cards. These risks are very familiar to network security experts.

Collusion is a poker-specific issue (unlike other games such as blackjack or craps), because poker players compete against each other rather than against the casino. When two or more players at a table collude, they play together as a team, often drawing on the same money. Players who communicate with each other know their teammates' cards (usually through subtle signals), and they bet in the team's best interest, no matter which team member wins. Collusion is a problem in real card rooms, but for online poker the problem is more serious. Online players can use instant messaging tools, teleconferencing chat tools, and so on, which makes collusion a serious risk. What if all the other players in an online game work together to cheat a player who never questions network security? How can you guarantee that you will never be the victim of these attacks?

Last but not least, and most relevant to this article, is the risk that the online poker software itself may be flawed. Software problems are a notorious form of security risk, and they are often overlooked by companies that put their faith in firewalls and encryption. Software applications can introduce many security vulnerabilities into a system. We spend a lot of time every day finding and fixing such software security issues, so it was only a matter of time before we noticed online poker. The remainder of this article is devoted to the software security issues that we found in a popular online poker game.

Software security risks

Shuffling virtual cards

The first software flaw we are concerned with lies in shuffling virtual cards. What does a fair shuffle mean? In essence, it means that every possible ordering of the cards is equally probable. We call each such ordering of the 52 cards a shuffle.

There are 52! (about 2^226) distinct shuffles of a real deck of cards. When a computer shuffles a virtual deck, it chooses one of these possible orderings. There are many shuffling algorithms; some outperform others, and some are simply wrong.
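
To make the fairness definition above concrete, the following added example (not code from the original article, and not ASF's algorithm, which this page does not reproduce) exhaustively enumerates two swap-based shuffles on a 3-card deck and checks whether every ordering is equally likely. The "naive" variant is an assumed, commonly seen mistake chosen for illustration; the function names are hypothetical.

```python
import math
from collections import Counter
from itertools import product

def apply_swaps(n, picks):
    """Run the swap loop: position i is swapped with position picks[i]."""
    deck = list(range(n))
    for i, j in enumerate(picks):
        deck[i], deck[j] = deck[j], deck[i]
    return tuple(deck)

def exact_distribution(n, naive):
    """Count how often each ordering results over every possible run.

    naive=True : each pick is drawn from 0..n-1 (a common mistake).
    naive=False: pick i is drawn from i..n-1 (Fisher-Yates).
    Every sequence of picks is equally likely, so the counts are exact
    relative probabilities, with no sampling noise.
    """
    ranges = [range(n) if naive else range(i, n) for i in range(n)]
    return Counter(apply_swaps(n, picks) for picks in product(*ranges))

def is_fair(counts, n):
    """Fair means all n! orderings occur, each equally often."""
    return len(counts) == math.factorial(n) and len(set(counts.values())) == 1

def shuffle_bits(n):
    """Bits of randomness needed to select one of n! orderings."""
    return math.log2(math.factorial(n))

if __name__ == "__main__":
    for name, naive in (("naive swap", True), ("Fisher-Yates", False)):
        counts = exact_distribution(3, naive)
        print(name, "fair:", is_fair(counts, 3), sorted(counts.values()))
    print("bits for 52 cards: %.2f" % shuffle_bits(52))
```

The naive loop has 27 equally likely runs that must land on 6 orderings, so some orderings necessarily come up more often than others; the same enumeration can be used as a regression check on any small-deck shuffle routine.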

Algorithms developed by ASF Software are used by most online poker games. We found many flaws in their shuffling algorithm. Based on these findings we contacted ASF, and they changed their algorithm, but we have not looked at the new one. Getting everything exactly right from a security point of view is not easy, as the rest of this article will show.