
Protecting the Player – Information Security Concerns
Gus Fritschie (@gfritschie)
March 21, 2014


Presentation Transcript


  1. March 21, 2014. Protecting the Player – Information Security Concerns. Gus Fritschie (@gfritschie)

  2. Overview. While there is the potential for attacks against the iGaming application and infrastructure, it is easier to attack the consumer. Why spend days trying to exploit a SQL injection vulnerability when all you need to do is have a player click a link? The focus of this talk is on protecting the player.

  3. Houston, We Have a Problem

  4. Barcelona Laptop Incident http://pokerfuse.com/news/live-and-online/confirmed-ept-barcelona-laptop-infected-with-screen-sharing-trojan-11-12/

  5. Las Vegas Sands Hacked

  6. What Can Sites Do? There are many steps that sites can take to help protect their players; here are some:
  • Security Awareness
  • User security controls (e.g. password policy, multi-factor authentication, account lockout)
  • Site security controls (e.g. SSL, secure coding, secure configuration)
  • Continuous Monitoring

  7. Security Awareness
  • Operators need to do more to raise security awareness among their customers.
  • This could take the form of logon messages, emails, or other forms of communication.
  • Last year PokerStars released a guide on protecting your laptop that was distributed at an EPT event in the wake of the Barcelona hotel incident.
  • Learn a lesson from Facebook.

  8. User Controls
  • Password complexity requirements
  • Session timeout
  • Account lockout
  • Multiple sessions
  • Dual-factor authentication
  • IP/MAC restrictions
  • Logon notification

  9. Site Controls
  • Security code reviews
  • 3rd-party and internal security reviews
  • Secure architecture design and implementation
  • Configuration management
  • Encryption (data-in-transit and data-at-rest)

  10. Continuous Monitoring
  • Collusion/bot detection
  • Abnormal activity/win rates
  • Account activities
  • Logging/SIEM
  • Important to monitor not only technical controls, but management and operational controls too

  11. Examples

  12. Security Configuration Issues

  13. Authentication Weaknesses http://www.onlinepokerreport.com/9529/authentication-comparison-two-nj-igaming-sites/

  14. Backend Password and Username Exposed in Request

  15. Password Stored in Clear-text in Database
  Using the forgot-password function, the password is sent via email and is the same password as initially set. This indicates passwords are stored in clear-text.
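The pattern slide 15 describes beside its hardened form, as an added illustration that is not code from the talk or from any operator: the weak store can only echo the password back because it kept it verbatim, while the hardened store keeps a salted PBKDF2 hash and mails a single-use reset token instead. Class names, the `/reset?token=` path and the `recovery_mail_reveals_password` check are hypothetical.

```python
import hashlib, hmac, os, secrets

class WeakAccountStore:
    """Constructed weak store: keeps the password as typed, so recovery can only echo it."""
    def __init__(self):
        self.passwords = {}

    def register(self, user, password):
        self.passwords[user] = password

    def forgot_password_email(self, user):
        # The tell from slide 15: the mail carries the password the player originally set.
        return f"Your password is: {self.passwords[user]}"

class HardenedAccountStore:
    """Constructed hardened store: salted PBKDF2 hash only; recovery mails a one-time token."""
    ITERATIONS = 600_000

    def __init__(self):
        self.records = {}       # user -> (salt, hash)
        self.reset_tokens = {}  # token -> user

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)
        self.records[user] = (salt, self._hash(password, salt))

    def verify(self, user, password):
        salt, stored = self.records[user]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def forgot_password_email(self, user):
        # Nothing to echo: a random token is mailed instead and consumed on first use.
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = user
        return f"Choose a new password here: /reset?token={token}"

    def reset_with_token(self, token, new_password):
        user = self.reset_tokens.pop(token, None)  # single use
        if user is None:
            return False
        self.register(user, new_password)
        return True

def recovery_mail_reveals_password(store, user, password):
    """The check from slide 15: does the recovery mail contain the password that was set?"""
    store.register(user, password)
    return password in store.forgot_password_email(user)
```

A recovery flow that can reproduce the original password is the observable symptom; the fix is that the server never holds anything it could send back.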

  16. Weak Password Policy
