Spring 2014 issue of Horizons

GAMING

Operators have developed monitoring controls that cross reference players’ IP addresses to detect if certain players tend to play with one another on a regular basis and investigate accordingly. Regardless of the method, operators in all three states have implemented procedures around detecting fraudulent play. System Integrity & Security New Jersey requires “server based gaming must perform an authentication process on all control programs on demand and at least every 24 hours.” Nevada has taken a similar approach by mandating “interactive gaming systems must be capable of verifying that all control programs contained on the interactive gaming system are authentic copies of approved components of the interactive gaming system automatically, at least once every 24 hours, and on demand…” Delaware requires the external interface of the website to be scanned for known vulnerabilities at least once every six months by an expert third party, and subjected to penetration testing at least annually by an expert third party. Third-party providers are required to encrypt social security numbers, bank information, passwords and other personally identifiable information stored on servers and used in the communication between the servers and authorized users. The state of Delaware does not mention anything about encryption of personally identifiable information or the communication between the server and player. However, each provider must “submit Internet lottery schematics, network diagrams, technical and operation manuals, program source code and object code and any other information requested by the Director of Delaware Gaming Enforcement for purposes of analyzing and testing the Internet lottery system.”

to ensure players’ locations are within state lines.

Delaware and New Jersey use similar language to Nevada, which states “the interactive gaming system must employ a mechanism to reasonably detect the physical location of an authorized player attempting to access the interactive gaming system for the purpose of conducting interacting gaming.” The mechanism generally identifies the IP address the authorized player is using and ensures it is within state boundaries. Protecting Against Fraudulent Play Fraudulent play is one of the biggest risks to online gamblers. Consider a poker game with ten players. It should be one player versus nine other individual players. None of the players should know what any of the other players’ cards are. In the brick and mortar gaming business, this is easier to monitor. But in virtual gaming, how can a group of people communicating with one another be prevented from taking nine positions in an online poker game and corroborating to take the disadvantaged player’s money? Furthermore, how can an online patron know if a single individual is signed in as multiple users, taking multiple positions at one table to gain an advantage? Each state has taken similar approaches to protect against fraudulent play by applying vague language to place the responsibility on the operator. For example, New Jersey’s language states, “a casino licensee offering Internet wagering shall have an Internet gaming manager responsible for the operation and integrity of Internet gaming and reviewing all reports of suspicious behavior.”

One method is to profile games and users with an eye towards detecting anomalies.

page 38 | horizons Spring 2014