Black Friday exposed a breach of trust between Full Tilt and its players. While not on the same scale as such theft and fraud, password encryption (or, rather, the lack of it) has always caused concern. Controversial data mining site PokerTableRatings revealed weak encryption on Cake Poker’s servers in 2010, where unscrupulous players could access everything from passwords to hole cards. And it doesn’t stop there. Many networks and rooms today are not even encrypting basic passwords, and everyone from staff to hackers is able to leak sensitive information.
SSL (Secure Sockets Layer) encryption encodes a message so that only the sender and the intended receiver are able to read its contents. An encryption algorithm encodes the message; when it reaches its destination, the decryption process decodes it and makes it readable again. The longer the key, the harder the message is to break (256-bit encryption versus 128-bit, for example).
On July 26, 2010, PokerTableRatings reported an encryption weakness on Cake Poker. Instead of the industry-standard SSL, the network used a feeble custom XOR scheme that amateur programmers could crack. Players on unsecured wireless networks were in danger of having their hole cards and account information compromised. According to the tracking site, people could launch their Windows calculator, switch it to scientific mode, and decode Cake’s XOR.
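As an added illustration (not code from the article or from Cake Poker; the key, message formats and entropy threshold are hypothetical), the following Python script shows why a fixed-key XOR scheme of the kind described offers no confidentiality, and a simple entropy check a reviewer can run over a few kilobytes of captured traffic to flag that a client is not really encrypting.

```python
import math
import os
from collections import Counter

# Constructed toy scheme standing in for the custom XOR "encryption" the
# article describes; the key and message formats are hypothetical.
TOY_KEY = b"cake"

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call both scrambles and unscrambles."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """XOR hides nothing beyond the key: ciphertext XOR a known message
    (e.g. a fixed protocol header at offset 0) gives the key back directly."""
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))

def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Output of a real cipher is close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_unencrypted(data: bytes, threshold: float = 7.0) -> bool:
    """Auditor's heuristic: 'encrypted' traffic with low entropy is a red flag.
    Only meaningful on a few KB of data; short packets always score low."""
    return shannon_entropy(data) < threshold

# Constructed stand-ins for a login message and a stream of hand updates.
LOGIN = b"LOGIN user=player1 password=hunter2\n"
STREAM = b"".join(b"HAND seat=%d cards=As Kd pot=%d\n" % (i % 9, 100 * i)
                  for i in range(150))

def demo() -> dict:
    ct_login = xor_with_key(LOGIN, TOY_KEY)
    ct_stream = xor_with_key(STREAM, TOY_KEY)
    # The header "LOGIN" is public knowledge, so the first bytes of any
    # login packet hand over the key, which is reused for every message.
    key = recover_key(ct_login, b"LOGIN", len(TOY_KEY))
    decoded = xor_with_key(ct_stream, key)
    return {
        "key": key,
        "stream_recovered": decoded == STREAM,
        "xor_flagged": looks_unencrypted(ct_stream),
        "random_flagged": looks_unencrypted(os.urandom(4096)),  # real ciphertext looks random
    }
```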
Lee Jones, who was Cake Poker’s card room manager at the time, said that several months earlier the network’s programmers had insisted their encryption code was more secure than Cereus’. Cake, caught off guard and flushed with embarrassment, scrambled to fix the flaw. Finally, on August 5, the network added SSL encryption to its old client and its new beta software. Besides Cake, other rooms on the network at the time included DoylesRoom and Phil Laak’s Unabomber Poker.
The security issue was nearly identical to the one that occurred on the Cereus network (also first spotted by PokerTableRatings) in May 2010. The Two Plus Two thread “Possibly Superusers on Cake–Lee Jones/Cake Refusing to Respond” caused an uproar. The problem for players: even if superusers were operating on Cake, it’s unlikely they would be uncovered. The network blocks data mining and allows players to change their screen names, rendering tracking software and sites useless.
In addition to high-profile security flaws in servers, networks and rooms today are failing to encrypt even basic passwords. Take Betfred, for example, the bookmaker owned and operated by Petfre Limited in Gibraltar. The company does not encrypt passwords for affiliate accounts, and rogue employees have leaked confidential information. The following screenshot, with addresses, passwords and rake numbers on full display, was found by PokerUpdate.
What’s most disturbing about the security flaw is that Betfred refuses to address the issue, despite being told by PokerUpdate and others for weeks to upgrade its security. Both Betfred and Betfred Affiliates declined to respond to our requests for comment. We urge you to respond to this article and others drawing attention to the issue. Further, please call on Betfred and other companies like Ladbrokes that are not encrypting basic passwords to boost security. Your information is at risk.
Admittedly, Betfred doesn’t have a good track record of getting things right. The company is most famous for its founder Fred Done, who was the first bookmaker ever to pay out too early. In March 1998, Done paid out punters who had bet on Manchester United to win the Premier League, only for Arsenal to best United by one point only weeks later.