Casino Security

**winbig** · 3rd February 2010, 07:16 AM

(Note: Names have been hidden to protect the clueless.

)

There's another thread re: security going on right now, but it's not 100% related to what I'm bringing up here, so I didn't want to derail that thread.

What's the deal here? It seems that MGS casinos don't give a rats a$$ about player security. As you can see from the screenshot below, this connection is not secure. Even a novice would know this, because 99% of the time people are told time and time again not to submit any personal information/passwords/etc over a connection that doesn't begin with https://.

SS:

What I don't get is the fact that they even try to tell you that you're using a secured connection....who are they trying to fool, and why?

Here's further proof that it's not a secure connection:

This is even worse than sending out your password via email...the chance for ID theft in this scenario is very high.

Note: I was sent to this page from within the casino software.

**newguy68** · 3rd February 2010, 11:11 PM

You forgot to hide the name on the tab, under address bar.
Casino name is still visible

**vinylweatherman** · 4th February 2010, 12:24 AM

This casino group use an old version of the loyalty point software. Behind the scenes, the lobby passes both your account number and casino password to this page to ensure an auto-login. This information has CLEARLY been sent over an ordinary http:, or non-encrypted, link. To display that it is 128bit encrypted is highly misleading.

If someone is monitoring traffic, they will see your account number and password IN PLAIN TEXT, rather than a 128bit encrypted field.

This is VERY risky over a wireless connection that itself is not encrypted, such as a public WiFi hotspot. Public WiFi is routinely scanned by criminals because it is such a "soft target" for stealing personal details.

This affair is the fault of MICROGAMING, not the casino. MGS operate the loyalty, Cashcheck, and Playcheck pages in most cases, although many casinos now use their own loyalty managment software, rather than this out of date MGS version.

**Rhyzz** · 4th February 2010, 11:40 AM

Microgaming had a big issue a few years ago which never came to light (gotta love insider contacts). This exact issue was happened with their client, ie) you logged in, the details were passed to MGS and were not encrypted at all, a basic packet sniffer picked up all of the info.

They fixed it but how long had it been around for? Many years, as long as MGS Poker had been operating.

Seems like something they need to look into! I'd make 32Red aware, they're probably the only MGS outfit that would care...

**vinylweatherman** · 5th February 2010, 03:03 AM

Originally Posted by Rhyzz

Microgaming had a big issue a few years ago which never came to light (gotta love insider contacts). This exact issue was happened with their client, ie) you logged in, the details were passed to MGS and were not encrypted at all, a basic packet sniffer picked up all of the info.

They fixed it but how long had it been around for? Many years, as long as MGS Poker had been operating.

Seems like something they need to look into! I'd make 32Red aware, they're probably the only MGS outfit that would care...

Not here though, the details are still passed to the MGS loyalty manager, and in this case it is clearly unencrypted. This would STILL expose the account number and password to any basic packet sniffer that was intercepting the traffic. Worse still, this is managed internally by the Viper client, and the player is often unaware of the nature of the connection, nor what is passed through it by the client software.

**love2winalot** · 5th February 2010, 03:52 AM

Hiya: For anyone that may not know this. Here is the easy way to know if a site is secure or not.

hqttppprrwwe.xxxxxcvbn,on[/url] and on and on. --------------------------------"padlock"

Just look at the URL address at the top of your screen. Now go all the way over to the right. The last thing you will see on a secure site is a small, "padlock". It looks like the lock inside the red circle on winbig post. This padlock is meaningless anywhere on the web page. Only at the end of a URL is it really a secure site.

**Wildfire7** · 5th February 2010, 08:08 PM

Originally Posted by vinylweatherman

This affair is the fault of MICROGAMING, not the casino. MGS operate the loyalty, Cashcheck, and Playcheck pages in most cases, although many casinos now use their own loyalty managment software, rather than this out of date MGS version.

Agreed, however the casino ought to be aware this is happening and do something about it. Afterall it is the casinos house, if they genuinely
wanted to keep their own house in good order, then they will fix the problem by reporting it to MG. No secure information should be exchanged on an unencrypted page such as this. It is such a serious breach of basic security that the casino should suspend this page until it has been secured.
Anything less is totally unacceptable.

Mike

**GrandMaster** · 6th February 2010, 12:15 AM

Originally Posted by love2winalot

Hiya: For anyone that may not know this. Here is the easy way to know if a site is secure or not.

hqttppprrwwe.xxxxxcvbn,on[/url] and on and on. --------------------------------"padlock"

Just look at the URL address at the top of your screen. Now go all the way over to the right. The last thing you will see on a secure site is a small, "padlock". It looks like the lock inside the red circle on winbig post. This padlock is meaningless anywhere on the web page. Only at the end of a URL is it really a secure site.

The location of the padlock rather depends on your browser. You should also know that "no encryption" is one of the valid encyption options under https, so it is still not guaranteed that your password or sensitive personal data will be encrypted.