Sunday, October 24, 2010

Security Alliance


All reputable online poker companies employ security staff, both to protect the company’s interests by preventing fraud, and to protect the players’ interests by preventing collusion, multi-accounting and bot use in the games. Good security can save you money, boost player satisfaction and trust, and safeguard your reputation.

However, there is a major problem with the current status quo. Say your security team has a major breakthrough, and catches a ring of colluders. It’s a huge case that has taken hundreds, maybe even thousands of man hours to reach a conclusion. As a company, you’ve spent a fortune on developing tools to catch collusion rings like this one and training expert staff to use them. So you confiscate the colluders’ money, and return it to the players. Perhaps you chip in some of your own money to meet any shortfall in the compensation.

That’s great. Unfortunately, the colluders don’t go to court to be sentenced. Instead, they simply learn from their mistakes, and move on to one of the many other sites, equipped with a more advanced strategy for avoiding detection. They continue to cause harm to players and to the industry – the only difference is that they are doing it somewhere else.

When you go to a shop to buy a DVD, you don’t buy two copies of the same movie. When you go to get your hair cut, you don’t get it done twice by two different hairdressers. When you pay an affiliate commission for sending you a new player, you don’t do it twice. It’s one of the most obvious rules in business – you don’t pay for the same thing more than once. And yet this is what happens in the online poker industry every single day, because you are paying to catch cheats and fraudsters that have already been caught and barred by other operators.

In the brick and mortar casino industry, information on cheats and other undesirables is shared amongst operators, either through lists of unwelcome players supplied by the local regulator, or through a commercial service such as that provided by Griffin Investigations (Las Vegas’ famous ‘black book’). It may be that a particular cheat or fraudster has never set foot in your casino before, but using this shared information, you can identify and catch them before they are able to cause any harm.

In policing, information on known criminals is shared between different police forces, through organisations such as Interpol. If a criminal commits fraud in the United Kingdom, they can’t simply run to Brazil or Mexico and start over with a clean slate. They’re arrested by the Brazilian or Mexican police as they enter the country and are made to face the music. Over the years, 188 countries have come to realise that they are better off working together in this way.

I strongly believe that, like the world’s police forces, we are stronger together, and that we should put aside our differences on security issues. If we share information about known cheats and fraudsters – such as user IDs, IP and MAC addresses, hardware identifiers, suspicious VPNs and colocation servers, geographical trends, as well as the actual cheating techniques used – then we, like casinos in Las Vegas, can catch undesirables before they cause any harm.

I am not suggesting that we should build another bureaucracy, but I do feel that an independent security alliance, comprising of expert members from each of the operators that wishes to participate, is the best way to accomplish this goal. The authority can disperse information on new detection techniques, best practice, and information about trends in fraud and other security issues between its members, and can run as a not-for-profit organisation. An independent authority can also provide an escalation point for high profile cases where players feel that they have been treated unfairly, and provide a greater scope for peer review of complex fraud, collusion or bot use scenarios.

It’s easy to fall into the trap of seeing security as a competitive advantage. After all, if your security is stronger than your competitor’s, then they will tend to lose a greater proportion of their revenue to fraudsters and cheats, which has knock-on effects in how much money they can devote to competing in other areas such as new acquisitions and player retention. Also, a site with poor security doesn’t do its reputation any favours and may lose some more discerning customers as a result.

You might also think that because there are so many operators, each with very different numbers of players, that the bigger sites would contribute a disproportionately large amount of information to the security alliance compared to smaller operators. That may be true, however, the amount of quality, useful information is what really counts. Site A may have ten times as many players as Site B, but it would certainly not have ten times as many fraudsters because fraudsters are much more likely to play on multiple sites compared to a typical player. So the information contributed by Site A would not be ten times as useful to the security alliance. Further to this, whatever fraudsters were caught by Site B would be very likely to also target Site A, or have targeted it in the past, simply due to its size. So a healthy compromise is reached, with a single piece of Site A’s information of a lower quality than Site B’s, but Site A providing more information than Site B to redress the balance.

I think it’s important to recognise that we are all interconnected and that our actions have a ripple effect throughout the industry. Every poker operator depends on others for a certain amount of its success. When one operator breaks into a brand new market in a previously untapped area of the world, every other operator benefits (though perhaps not as much) from the new surge of interest in that region.  Conversely, when there is a huge scandal in the industry, every operator is damaged, regardless of their involvement. I think we can agree that all poker operators were harmed significantly when the ‘superuser’ scandals affecting the UltimateBet and Absolute Poker brands were publicised.

Improving our trustworthiness and each player’s feeling of security is of paramount importance to attracting new players and retaining existing ones. By launching a security alliance, we would send a strong message to cheats and fraudsters that their time was up, and companies that took part would enjoy a significant boost both in PR and in player trust.

This wouldn’t be the first time that we’ve worked together as an industry. We’ve worked together on Responsible Gaming issues, through organisations such as GamCare. We’ve worked together on the US legal situation, and on defining regulatory frameworks in emerging markets such as Italy, France and Estonia. So why not work together on security also? We are an industry that deals with colossal amounts of cash, so you never know when it might save you a million dollars or two. 

This article was published in InsidePokerBusiness, November-December 2010

No comments: