Sunday, July 19, 2009

Don't Trust the House

Following up on my last post about online poker, I'd like to begin a series of posts on why online poker is risky business.

This post will focus on the house, and why you shouldn't trust that the house will not cheat. My poker friends usually respond to my warnings by stating that the house only takes a rake, a small percentage of every pot, so their incentive is for fair play, and a lot of it. However, remember that the "house" is really a set of computer servers that are programmed by people. There is nothing stopping those people from entering the casino as well. These people can play in poker rooms with you, and they have access to all of the cards in the deck before they are dealt. That's a pretty big advantage.

If you think this example is far-fetched, then see this article about a 60 Minutes investigation that led to the discovery that a former World Series of Poker champion was behind exactly this kind of scam at the site Absolute Poker, stealing over $20 million. Due to the fact that online poker's legal status is ambiguous in the US, and that the poker companies were managed in Costa Rica and run on an autonomous Indian reservation in Canada, the players who lost tens and even hundreds of thousands of dollars have had very little recourse.

The cheaters in the 60 Minutes story were discovered because they were greedy and were not trying very hard to hide. As the article describes, whenever a player was bluffing, the cheaters would go all in. When another player had a good hand, they would fold. The cheaters' winning percentage was a whopping 15 standard deviations away from the mean. They were almost asking to be caught.

I believe that wherever and whenever there is an opportunity to cheat for big money, there are people who will do so. It would be naive to think that the Absolute Poker scam is the last of its kind. But, next time, the cheaters will be smarter and more careful. It would not be too difficult to program a bot, armed with knowledge of all the cards, to play at some small percentage of the poker tables, and to win just a little above average. The bot could be programmed to lose some and to only win within the expected norms of a good player. Over time, the author of the bots will win millions.
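The gap between the greedy cheater and the careful one, as an added example that is not from the original post: a z-score of each player's win rate against a table-wide base rate. The binomial model, the 15% base rate, the thresholds and every player record are constructed assumptions; the post does not say how the 15 standard deviations were computed.

```python
import math

# Constructed sample: player -> (hands won, hands played). Not real data.
SAMPLE_STATS = {
    "greedy_insider": (320, 1000),     # wins far too often, far too fast
    "careful_insider": (1580, 10000),  # skims a little above average
    "honest_regular": (290, 2000),
    "new_player": (20, 40),            # too few hands to judge
}

BASE_RATE = 0.15  # assumed share of hands an average player wins


def win_rate_z(wins, hands, base_rate=BASE_RATE):
    """Standard deviations between the observed win rate and base_rate,
    treating each hand as an independent Bernoulli trial (a simplification)."""
    std_err = math.sqrt(base_rate * (1 - base_rate) / hands)
    return (wins / hands - base_rate) / std_err


def flag_outliers(stats, threshold=4.0, min_hands=500):
    """Return {player: z} for players whose win rate is implausibly high.
    Players with fewer than min_hands hands are skipped: small samples
    produce large z-scores by chance."""
    flagged = {}
    for player, (wins, hands) in stats.items():
        if hands < min_hands:
            continue
        z = win_rate_z(wins, hands)
        if z > threshold:
            flagged[player] = round(z, 1)
    return flagged


if __name__ == "__main__":
    for player, (wins, hands) in SAMPLE_STATS.items():
        print(f"{player:16s} z = {win_rate_z(wins, hands):6.2f}")
    print("flagged:", flag_outliers(SAMPLE_STATS))
```

Only the greedy account crosses the threshold; the careful one sits near two standard deviations, inside the range of a good honest player, so a win-rate check alone does not separate it from skill.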

The next time you sit down at a poker table with real money, ask yourself how confident you are that the other "people" at the table are human, and that none of them is in cahoots with the house. Remember that, in the case of Absolute Poker, the company running the servers was not an accomplice. There was just a malicious insider.

Thursday, July 16, 2009

Know when to Hold 'em

I sometimes play online poker, Texas Hold 'em, on my iPhone. The application is by Zynga, and it's not real money - just for fun. Still, it's highly interactive and extremely fun. People from anywhere in the world join tables with other iPhone users along with other users on their computers. You get several thousand play dollars, and you're off and running.

Although I really enjoy playing Texas Hold 'em, I've never played for real money online. As a security researcher, there are too many reasons why I don't trust the system to be fair. For starters, collusion among other players could put me at a huge disadvantage. They could share their cards and their money, and in any situation, they would be able to calculate the odds of making or not making certain hands much better than me. Over time, they would be expected to destroy me. I can't think of any way to prevent collusion. Furthermore, how do I know that the house isn't cheating? How do I know the cards are random? How do I know nobody can see my cards? What about malware on my phone or desktop that could read my cards from memory? I have many other worries.

Many of my friends play Texas Hold 'em online for money, despite my warnings. Well, this week, I had an interesting experience playing on my iPhone. I was dealt the King of spades and the King of clubs. A pretty good hand. I bet it aggressively, and I made a bunch of "money" on the hand. The next hand, I was dealt ... the King of spades and the King of clubs. That seemed like a pretty unlikely coincidence. But, it was still possible. I bet it the same way and was paid off again in a showdown (meaning that everyone saw my cards at the end). The very next hand, I was once again dealt the two black kings. This time I bet it even more aggressively, correctly thinking that the others wouldn't believe I had three good hands in a row and would put me on a bluff. I got a lot of callers and really cleaned up. (The next hand after that I had a more typical hand for me, something like two-seven off suit.)

Unfortunately, I was not actually in the room with the other players, so I couldn't see their reactions, but I have to believe that they were incredulous. What are the odds of being dealt the same exact two high cards three hands in a row? I don't have my calculator on me, but my intuition tells me that it shouldn't happen that often. I had never seen it before. So, what caused this? I believe the most likely answer is coincidence. But, perhaps it was an error in the way memory is cleaned up in the poker software? Maybe it was due to a bug in the random number generator? It would have to be an error on the server, as I imagine that the client just displays what it's told, and considering that the other players saw my cards, I don't think it was a client-side error. I'll never know for sure, but I can say that every time an extremely unlikely event happens in online poker - and they are guaranteed to happen sometimes - doubt will creep in about the security and honesty of the system. It's one reason I won't play online for real money.
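The odds asked about above, worked as an added example that is not part of the original post: an audit that counts runs of identical hole cards in one player's deal history and compares them with what fair, independent shuffles would produce. The sample deals are constructed, and the Poisson tail is an approximation that treats overlapping windows as independent.

```python
import math

STARTING_HANDS = math.comb(52, 2)  # 1326 distinct two-card hole hands


def p_repeat(run_length=3):
    """Chance that the next run_length-1 deals exactly repeat the hand
    just dealt, assuming a fair, independent shuffle each time."""
    return (1 / STARTING_HANDS) ** (run_length - 1)


def expected_runs(n_deals, run_length=3):
    """Expected number of windows of run_length identical hands."""
    windows = max(n_deals - run_length + 1, 0)
    return windows * p_repeat(run_length)


def count_runs(deals, run_length=3):
    """Count windows of run_length consecutive deals with the same two
    cards; card order within a hand does not matter."""
    hands = [frozenset(d) for d in deals]
    return sum(
        1
        for i in range(len(hands) - run_length + 1)
        if len(set(hands[i:i + run_length])) == 1
    )


def poisson_tail(observed, expected):
    """P(X >= observed) for X ~ Poisson(expected)."""
    below = sum(
        math.exp(-expected) * expected ** k / math.factorial(k)
        for k in range(observed)
    )
    return 1 - below


def audit(deals, run_length=3):
    """Return (observed runs, expected runs, tail probability)."""
    observed = count_runs(deals, run_length)
    expected = expected_runs(len(deals), run_length)
    return observed, expected, poisson_tail(observed, expected)


# Constructed deal history for one player, opening with three black-king hands.
SAMPLE_DEALS = [("Ks", "Kc"), ("Kc", "Ks"), ("Ks", "Kc"),
                ("7h", "2d"), ("Ah", "9s"), ("Tc", "4d")]
```

For any single player the repeat is about a 1 in 1.76 million event, yet `expected_runs(10**9)` is roughly 569, so a service that deals a billion hands should see such runs hundreds of times with a perfectly fair shuffle.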