Thoughts on Security in Online Poker
04-30-2010
, 12:39 AM
PLEASE READ BEFORE POSTING:
Please be careful what you say here. ITT, we're going to discuss ways to make it harder for people to cheat and scam in the online poker world. This is not a thread for helping people figure out how to cheat or scam and get away with it. If you have something to say that might help the bad guys, e-mail it to the sites directly or PM it to me. If you're not sure, PM me and I'll let you know.
Here's an example to make it clear what's not ok: When online poker was relatively new, people made bots that always took the same amount of time to act. Eventually, people figured this out and bots like this got caught. If this weren't really commonly known to all bot makers, it would not be okay to publicly discuss trying to catch bots by looking for this because that would let bot makers know what to avoid.
I hope the mods will help to enforce this.
Intro
This OP is a random list of thoughts that I have about various situations in online poker security. It's certainly not comprehensive, and some of it will probably be old news. Some of it will probably be pretty stupid since I'm not particularly educated about this stuff. But I think some of my ideas are probably decent, so I thought I'd post them and hopefully help out a bit.
Please feel free to add your own suggestions and to comment on mine (again, keeping in mind that information that will help cheaters is not acceptable). With any luck, this thread could become a fairly comprehensive guide to online poker security.
Unfortunately, cliffs aren't really possible for a post like this. Obv feel free to only read about the parts that interest you.
Multiaccounting
(This is about having a second account, not playing two accounts in the same tournament or at the same table.)
Currently, there are barely any consequences to multiaccounting. I'm not really sure how it varies by site, but I've heard of lots of examples of people being caught multiaccounting and suffering no real consequences. The sites closed their second account and kindly sent the money that they had there to their original account. So, it's not surprising that multiaccounting is very common.
As I see it, there are only two possible solutions to this.
1) Allow everyone to change their screen names often (like Cake does). That way nobody will gain an advantage from multiaccounting because everyone will be relatively unknown. This also solves some other problems like datamining and extreme bumhunting. The big problem with this is that it kills a lot of the fun of poker that comes from building reads on players over long periods of times. It also makes it much harder for players to report suspicious players to sites or to catch cheaters on their own. And, it would be a big disadvantage to sponsored players who presumably wouldn't be allowed to play anonymously. Regardless, it seems like only a few sites are interested in this approach.
2)Start actually having harsh financial punishments for multiaccounting. The sites should send out an e-mail announcing that a new policy on multiaccounting will take place in a month or something, giving people a grace period to close their extra accounts. After that, people who get caught mutliaccounting should face real financial consequences. The penalty should be expensive enough that the risk of getting caught negates the advantage gained. Of course, the money that sites take from multiaccounters should be given to the players they cheated.
Also, if you played against a second account, you obviously have the right to know the name of the original account. In that way, people won't get an advantage by being unknown when they switch back to their original accounts.
I should mention that some players have a second account for completely innocent reasons. For example, some people signed up to FTP to railbird long before they started playing but forgot their password or didn't like the name they used or whatever, so they started a new account. The purpose of the grace period is to give people like this a chance to sort things out. (And hopefully in examples like the one I just gave, the sites do the reasonable thing and close the original account, not the second one.)
Datamining
Right now, the sites try to prevent datamining by making it harder to actually gather the hands. They could pull this off if they allow players to frequently change screen names or if they stop allowing observers to the table. Otherwise, there's just no way that they'll manage this because all this data is easily available and dataminers only need to collect it.
Datamining also serves some legitimate functions that I don't think the sites really should discourage. It's helpful for catching cheaters. Some people have claimed that that's not true, but I think I've recently proved them wrong. It's also helpful for preventing sites from cheating, and more importantly, allowing third parties to assure people that the sites aren't cheating. It also provides really awesome datasets for nerds like me who are interested in various economics problems related to poker or for governments considering licensing it.
So, the way I see it, there are three options on datamining:
1)Actually make it impossible to datamine in the ways I've already mentioned. I don't think many sites will do this.
2)Just completely allow datamining. This has the obvious problem that people who don't datamine will be at a big disadvantage.
3)Instead of trying (and failing) to prevent the actual collecting of data, just make it so that people can't use datamined hands in their HUDs.
This should be pretty easy to do. As I understand it, HM and PT3 have both agreed to follow the T+Cs of the sites. (For example, neither HUD works on Cake because Cake has banned HUDs.) So, ask them (and whatever other HUD companies are out there) to only give HUD data from hands that were played by the current player. Obviously give them a reasonable amount of time to make these changes. Then slightly modify the way that you release hand histories so that people have to update their HUDs in order to continue using them (and therefore get the update that keeps datamined hands out of their HUDs). If any software developers don't comply (I assume the big ones would), put them on the banned software list and treat them like you do all other banned software.
This won't stop people from studying how other people play between sessions, but nothing practical will prevent that, and that's a lot less serious than using datamined hands in your HUD, IMHO. This plan also has a lot of extra benefits. For one thing, it stops people from using previously datamined hands in their HUDs as well as new datamined hands. It also prevents people from using shared databases in their HUDs, and it means that when you play on someone else's computer you won't get data from hands that he played. Plus, datamining for legitimate purposes (like catching cheaters or studying poker for academic/legal reasons) could continue. Those are all benefits that my solution has but preventing datamining completely does not.
This will probably prevent the vast majority of people from using datamined hands in their HUDs, but I have to admit that there are ways to get around a restriction like this (I'd prefer if people didn't discuss them ITT). To stop people from doing this, take screen shots of players' screens occasionally (most sites already do this when looking for other forms of cheating) and if someone is caught with datamined stats in their HUD, take some amount of money from them and give it to their opponents. You won't have to take these screen shots very often at all to make it -EV for people to try to get around the above restrictions since the benefit that people gain from datamining isn't huge.
I realize that even this isn't a complete solution. Some programmers will figure out ways around this (please don't discuss them ITT). But I don't think that this means that the idea isn't good. Currently, lots of people who are willing to break the rules do so with almost no effort and gain an advantage over people unwilling to break these rules. If this gets implemented, a few people will continue to break the rules, but it will be limited to people with the resources and knowledge to do it and some of them will actually get caught. I think that's a big improvement.
PTR/Sharkscope/OPR/PokerDB/HSDB/etc.
These sites aren't going anywhere unless the poker sites make the information they need totally unavailable—i.e. allow people to change their screen names or don't allow observers to watch games or see tournament results. So either Stars, FTP, etc. do those things, or they should accept that PTR, sharkscope, etc. are going to exist and figure out how best to coexist with them. There are a few things that I think almost everyone agrees should change:
1)Players should be able to opt out of any of these sites. People should have the right to play poker without someone posting publicly how much they've won or lost. Obviously details about how a player would be told about his option to opt out are up for debate, but I think this general idea is pretty solid. (I think Stars has tried something similar except asking players to opt in instead of opt out. This seems impractical to me because I just don't think many sites would be willing to give up all the data of the people who don't care either way.)
2)In general, things that might come off as mocking should be removed. So no “top losers” lists and no “tilt scores” and no ranking someone 4 millionth out of 4 million or anything.
3)No mocking people with data from these sites in chat. (“OMG you're down $3,000! You're so bad!”)
4)Players can't play and have PTR/Sharkscope/etc. open at the same time. Sites should make it clear that they're going to start enforcing this rule, and then start enforcing it. PTR/Sharkscope/etc. can help by explaining this clearly on their front pages or with a popup or whatever. If it's feasible with software, one side or the other could give a warning when a player is in violation of this so he has a chance to close his web browser without getting in trouble.
5)No HUDs that use the data from these sites.
If a datamining site complies with these rules (or whatever other set of rules everyone agrees to), the poker sites should simply allow them to exist. Otherwise they can continue to make life difficult for them by blocking IP addresses, etc. I bet they'll comply.
I realize that lots of people won't consider this to be an ideal solution, but I doubt anyone can come up with a better one that actually has a chance of happening.
Collusion
The sites need to do a better job of finding suspicious players on their own. They're much better equipped to do this than players, and players are in general really really bad at it.
However, looking through a large database of players for collusion is really difficult. I've talked to a few different programmers about this, and they all agree that the only reasonable way to do it is to maintain a separate database that's indexed specifically to look for collusion. Obviously what you look for is pairwise statistics between various players (How often does Alice 3-bet Bob? How often does Bob get to showdown against Alice? What % of hands has Alice played with Bob? Etc.) and if these numbers are significantly anomalous, a security rep should look into it. People who understand this stuff a lot better than I do tell me that this is a pretty expensive thing for the sites to do, but, frankly, the sites have plenty of money to make this happen. (Maybe they could even enlist dataminers to help
)
Testing for hole card sharing is really really easy. I assume sites already know this, but I'll mention it anyway to discourage people from trying it and so that people can check on their own if they've been cheated in this way with HM. All you have to do is filter for hands in which one of the suspect players has a certain type of hand in a certain spot and see how the other player plays. Then look at the same spot where the first player had a different hand and see if play changes. Rinse and repeat for a few different spots and a few different types of hands, and account for randomization and you have a definitive way to tell if players are sharing hole cards. The sites should automate this process as well. (You can use the exact same method to check if someone can see your hole cards.)
Other types of collusion are a bit harder to detect and prove since you can't really prove intent in all cases. The key in these cases is to have very strict rules and to enforce them selectively. For example, if a buddy and I softplay each other and do so over tens of thousands of hands or more, that's cheating. It's cheating because I can be expected to know better and because it's reasonable to assume that I did it to gain an edge. This is true regardless of whether I actually succeeded in gaining an edge (Some cheaters suck at it. They should still be punished.) or whether it can be shown that we had an explicit agreement (because that's impossible to show unless I'm dumb enough to admit to it). However, if a casual player doesn't 3-bet someone very much, I think that's fine because it's too likely that he's doing it for some reason other than the fact that he's giving the player he's avoiding equity at the expense of the other players at the table. If two casual players agree not to 3-bet each very often or to avoid each other in a tournament or something, they should get a warning and an explanation that that's not ok, and if they do it again they should suffer more severe punishment.
This might sound like an awkward way to handle things. It's obviously a double standard where winning players are held more responsible than losing players. It also requires some subjectivity on the part of security departments, which isn't ideal. But, it's really not too bad. The vast majority of cases will be pretty clear cut like the examples I gave above. Plus, the only alternative I see is to allow collusion. In fact, I know that Stars already handles some types of potential cheating in essentially this way, and I assume other sites do as well.
What to Do If You Suspect Someone of Cheating
1)E-mail the poker site right away. It seems like in every cheating scandal, there's a long list of players who suspected that the cheating was happening but didn't mention it to anyone. Don't be one of those people. It's in your best interest to say something because, if you're right, you should be entitled to money back. Plus, it takes like two minutes max to write up a decent e-mail. (Don't be embarrassed because you might be wrong. The poker sites get a huge volume of e-mail from people saying that the site is rigged because they got TT when someone else had AA or whatever. So, even if you're totally wrong and overlooked something simple, you'll still probably be in the top 20% of e-mailers :P.)
2)Try to tell people privately about your suspicions if you see them playing against the suspect account. However, don't make things public right away. If you do, and you're right that cheating is happening, you'll be increasing the chances that the cheater gets money off of the site. If you're wrong, you'll be hurting an innocent person's name and causing unnecessary panic.
3)Wait a while. These things take time... like weeks. If you're not sure how much time is reasonable, ask someone who knows better. You can PM me if you'd like.
4)If the site doesn't finish in a reasonable amount of time, or you're not satisfied with their answer, contact someone you trust to look it over. You can PM me about it if you'd like.
5)If the consensus seems to be that the site screwed up, make it public.
Security Tokens
The risk of losing money to hackers is still very real because some immature douche bags think it's funny to spend all their time trying to hack people's accounts and then dumping all their money in high stakes cash games.
Security tokens (like this one: http://en.wikipedia.org/wiki/RSA_SecurID ) make poker accounts nearly unhackable. All sites should have these by now. If you play on a site that doesn't, e-mail them and bug them about it. If you keep more than ~$1k on a site that has these and don't have one, get one.
Vote with Your Voice if not Your Money
I'm not asking anyone to boycott sites that don't enact good security measures because that's just not going to happen. (Honestly, I'm not willing to boycott any sites myself.) Instead, just suggest the safer sites to the casual players that you meet. If you're anything like me, you get asked about online poker by the uninitiated a lot, so if we all do this, this will directly drive some more traffic to the safer sites. Plus, it will also make the safer sites softer which will mean that we'll be better off playing on them which will make us safer and also further reward the safer sites.
If you have a blog or a web site or some medium that is remotely linked to poker, go out of your way to promote the safer sites and avoid promoting the less safe sites. Big companies like 2p2, cardplayer, bluff, WSOP, etc. should follow this policy as well.
Bots
CAPTCHA (http://en.wikipedia.org/wiki/Captcha) is awesome. It's not perfect, but it's a lot harder to get around than other methods of catching bots. Sites should just make you very occasionally have to enter a CAPTCHA before opening a table.
Incidentally, there are a lot of other methods that the sites could use to catch bots that I won't discuss publicly because they depend on programmers' ignorance. You shouldn't talk about these publicly things either. (See my example in the first section.)
Whether or not a Player Cheated is not Private Information
This should go without saying, but apparently FTP has a different view on things. FTP currently states that it would violate a player's privacy to reveal that his account is under investigation or to reveal whether or not a player has been caught cheating. When I first heard this, I naturally assumed that there was some misunderstanding, but I've confirmed it from multiple sources. In particular, when I repeatedly asked FTP what they were doing about the stoxtrader cheating scandal, I was always told something like this: "As previously stated we are unable to provide information regarding another player's account" (except in one instance mentioned below).
A player is not entitled to privacy when it comes to whether or not he cheated. If a player cheated or is suspected of cheating, those affected deserve to know for obvious reasons. If a player hasn't been caught cheating, I don't see why he would have a problem with the sites letting them know.
FTP's current policy also makes it impossible for players to hold them accountable in their security decisions. That's completely unacceptable.
(Incidentally, FTP's already violated this policy repeatedly when it's convenient for them. For example, they refused to comment at all about the stoxtrader situation when I originally asked and they assured me that that was their policy and they wouldn't even tell me if they were investigating. Then I posted my thread and two days later FTPSean posted publically that FTP was investigating.)
Miscellaneous Tips for Not Getting Scammed
* AIM logging is awesome. If you have the standard AIM client, go to Edit-> Settings-> IM Archives and check “Archive IMs”. Now every AIM conversation you have with someone on this computer will be saved to your hard drive. This is really key for remembering prop bets and staking arrangements and all the other various deals that you enter into over AIM as an online poker player. Plus, it's also good for remembering when you're supposed to meet up with someone or a phone number or whatever as well.
* Don't ever transfer money with a random person. Even if you have him send first, he can still scam you in various ways or you could end up with your account locked.
* Prop bets are very risky. A lot of people don't plan on welching on bets when they make them because they don't expect to lose. Then if they do lose, they feel wronged. So only make prop bets with people you trust or use an escrow. Never make prop bets for significant amount with someone who's not a gambler without making it very very clear that they will have to pay you real money if they lose.
* Always google someone's screen name before doing any business with them. For example, don't do business with this guy http://www.google.com/search?sourcei...q=cornell+fiji or this guy http://www.google.com/search?hl=en&s...mrozo&gs_rfai= .
* Change all your security questions answers to random gibberish. Otherwise anyone who looks up what your elementary school is or whatever can hack your accounts.
* AIM and e-mail accounts aren't secure. If someone IMs or e-mails you asking for something and doesn't sound like himself, you should be very suspicious that he's been hacked. If you have a phone number, call. Otherwise, try asking a question that only he would know the answer to. If it's a hacking or you're not sure, post on 2p2 to warn others. False alarms are no big deal.
* In general, you should try to use two forms of communication before making big transactions (IM and phone, for example).
Please be careful what you say here. ITT, we're going to discuss ways to make it harder for people to cheat and scam in the online poker world. This is not a thread for helping people figure out how to cheat or scam and get away with it. If you have something to say that might help the bad guys, e-mail it to the sites directly or PM it to me. If you're not sure, PM me and I'll let you know.
Here's an example to make it clear what's not ok: When online poker was relatively new, people made bots that always took the same amount of time to act. Eventually, people figured this out and bots like this got caught. If this weren't really commonly known to all bot makers, it would not be okay to publicly discuss trying to catch bots by looking for this because that would let bot makers know what to avoid.
I hope the mods will help to enforce this.
Intro
This OP is a random list of thoughts that I have about various situations in online poker security. It's certainly not comprehensive, and some of it will probably be old news. Some of it will probably be pretty stupid since I'm not particularly educated about this stuff. But I think some of my ideas are probably decent, so I thought I'd post them and hopefully help out a bit.
Please feel free to add your own suggestions and to comment on mine (again, keeping in mind that information that will help cheaters is not acceptable). With any luck, this thread could become a fairly comprehensive guide to online poker security.
Unfortunately, cliffs aren't really possible for a post like this. Obv feel free to only read about the parts that interest you.
Multiaccounting
(This is about having a second account, not playing two accounts in the same tournament or at the same table.)
Currently, there are barely any consequences to multiaccounting. I'm not really sure how it varies by site, but I've heard of lots of examples of people being caught multiaccounting and suffering no real consequences. The sites closed their second account and kindly sent the money that they had there to their original account. So, it's not surprising that multiaccounting is very common.
As I see it, there are only two possible solutions to this.
1) Allow everyone to change their screen names often (like Cake does). That way nobody will gain an advantage from multiaccounting because everyone will be relatively unknown. This also solves some other problems like datamining and extreme bumhunting. The big problem with this is that it kills a lot of the fun of poker that comes from building reads on players over long periods of times. It also makes it much harder for players to report suspicious players to sites or to catch cheaters on their own. And, it would be a big disadvantage to sponsored players who presumably wouldn't be allowed to play anonymously. Regardless, it seems like only a few sites are interested in this approach.
2)Start actually having harsh financial punishments for multiaccounting. The sites should send out an e-mail announcing that a new policy on multiaccounting will take place in a month or something, giving people a grace period to close their extra accounts. After that, people who get caught mutliaccounting should face real financial consequences. The penalty should be expensive enough that the risk of getting caught negates the advantage gained. Of course, the money that sites take from multiaccounters should be given to the players they cheated.
Also, if you played against a second account, you obviously have the right to know the name of the original account. In that way, people won't get an advantage by being unknown when they switch back to their original accounts.
I should mention that some players have a second account for completely innocent reasons. For example, some people signed up to FTP to railbird long before they started playing but forgot their password or didn't like the name they used or whatever, so they started a new account. The purpose of the grace period is to give people like this a chance to sort things out. (And hopefully in examples like the one I just gave, the sites do the reasonable thing and close the original account, not the second one.)
Datamining
Right now, the sites try to prevent datamining by making it harder to actually gather the hands. They could pull this off if they allow players to frequently change screen names or if they stop allowing observers to the table. Otherwise, there's just no way that they'll manage this because all this data is easily available and dataminers only need to collect it.
Datamining also serves some legitimate functions that I don't think the sites really should discourage. It's helpful for catching cheaters. Some people have claimed that that's not true, but I think I've recently proved them wrong. It's also helpful for preventing sites from cheating, and more importantly, allowing third parties to assure people that the sites aren't cheating. It also provides really awesome datasets for nerds like me who are interested in various economics problems related to poker or for governments considering licensing it.
So, the way I see it, there are three options on datamining:
1)Actually make it impossible to datamine in the ways I've already mentioned. I don't think many sites will do this.
2)Just completely allow datamining. This has the obvious problem that people who don't datamine will be at a big disadvantage.
3)Instead of trying (and failing) to prevent the actual collecting of data, just make it so that people can't use datamined hands in their HUDs.
This should be pretty easy to do. As I understand it, HM and PT3 have both agreed to follow the T+Cs of the sites. (For example, neither HUD works on Cake because Cake has banned HUDs.) So, ask them (and whatever other HUD companies are out there) to only give HUD data from hands that were played by the current player. Obviously give them a reasonable amount of time to make these changes. Then slightly modify the way that you release hand histories so that people have to update their HUDs in order to continue using them (and therefore get the update that keeps datamined hands out of their HUDs). If any software developers don't comply (I assume the big ones would), put them on the banned software list and treat them like you do all other banned software.
This won't stop people from studying how other people play between sessions, but nothing practical will prevent that, and that's a lot less serious than using datamined hands in your HUD, IMHO. This plan also has a lot of extra benefits. For one thing, it stops people from using previously datamined hands in their HUDs as well as new datamined hands. It also prevents people from using shared databases in their HUDs, and it means that when you play on someone else's computer you won't get data from hands that he played. Plus, datamining for legitimate purposes (like catching cheaters or studying poker for academic/legal reasons) could continue. Those are all benefits that my solution has but preventing datamining completely does not.
This will probably prevent the vast majority of people from using datamined hands in their HUDs, but I have to admit that there are ways to get around a restriction like this (I'd prefer if people didn't discuss them ITT). To stop people from doing this, take screen shots of players' screens occasionally (most sites already do this when looking for other forms of cheating) and if someone is caught with datamined stats in their HUD, take some amount of money from them and give it to their opponents. You won't have to take these screen shots very often at all to make it -EV for people to try to get around the above restrictions since the benefit that people gain from datamining isn't huge.
I realize that even this isn't a complete solution. Some programmers will figure out ways around this (please don't discuss them ITT). But I don't think that this means that the idea isn't good. Currently, lots of people who are willing to break the rules do so with almost no effort and gain an advantage over people unwilling to break these rules. If this gets implemented, a few people will continue to break the rules, but it will be limited to people with the resources and knowledge to do it and some of them will actually get caught. I think that's a big improvement.
PTR/Sharkscope/OPR/PokerDB/HSDB/etc.
These sites aren't going anywhere unless the poker sites make the information they need totally unavailable—i.e. allow people to change their screen names or don't allow observers to watch games or see tournament results. So either Stars, FTP, etc. do those things, or they should accept that PTR, sharkscope, etc. are going to exist and figure out how best to coexist with them. There are a few things that I think almost everyone agrees should change:
1)Players should be able to opt out of any of these sites. People should have the right to play poker without someone posting publicly how much they've won or lost. Obviously details about how a player would be told about his option to opt out are up for debate, but I think this general idea is pretty solid. (I think Stars has tried something similar except asking players to opt in instead of opt out. This seems impractical to me because I just don't think many sites would be willing to give up all the data of the people who don't care either way.)
2)In general, things that might come off as mocking should be removed. So no “top losers” lists and no “tilt scores” and no ranking someone 4 millionth out of 4 million or anything.
3)No mocking people with data from these sites in chat. (“OMG you're down $3,000! You're so bad!”)
4)Players can't play and have PTR/Sharkscope/etc. open at the same time. Sites should make it clear that they're going to start enforcing this rule, and then start enforcing it. PTR/Sharkscope/etc. can help by explaining this clearly on their front pages or with a popup or whatever. If it's feasible with software, one side or the other could give a warning when a player is in violation of this so he has a chance to close his web browser without getting in trouble.
5)No HUDs that use the data from these sites.
If a datamining site complies with these rules (or whatever other set of rules everyone agrees to), the poker sites should simply allow them to exist. Otherwise they can continue to make life difficult for them by blocking IP addresses, etc. I bet they'll comply.
I realize that lots of people won't consider this to be an ideal solution, but I doubt anyone can come up with a better one that actually has a chance of happening.
Collusion
The sites need to do a better job of finding suspicious players on their own. They're much better equipped to do this than players, and players are in general really really bad at it.
However, looking through a large database of players for collusion is really difficult. I've talked to a few different programmers about this, and they all agree that the only reasonable way to do it is to maintain a separate database that's indexed specifically to look for collusion. Obviously what you look for is pairwise statistics between various players (How often does Alice 3-bet Bob? How often does Bob get to showdown against Alice? What % of hands has Alice played with Bob? Etc.) and if these numbers are significantly anomalous, a security rep should look into it. People who understand this stuff a lot better than I do tell me that this is a pretty expensive thing for the sites to do, but, frankly, the sites have plenty of money to make this happen. (Maybe they could even enlist dataminers to help
)Testing for hole card sharing is really really easy. I assume sites already know this, but I'll mention it anyway to discourage people from trying it and so that people can check on their own if they've been cheated in this way with HM. All you have to do is filter for hands in which one of the suspect players has a certain type of hand in a certain spot and see how the other player plays. Then look at the same spot where the first player had a different hand and see if play changes. Rinse and repeat for a few different spots and a few different types of hands, and account for randomization and you have a definitive way to tell if players are sharing hole cards. The sites should automate this process as well. (You can use the exact same method to check if someone can see your hole cards.)
Other types of collusion are a bit harder to detect and prove since you can't really prove intent in all cases. The key in these cases is to have very strict rules and to enforce them selectively. For example, if a buddy and I softplay each other and do so over tens of thousands of hands or more, that's cheating. It's cheating because I can be expected to know better and because it's reasonable to assume that I did it to gain an edge. This is true regardless of whether I actually succeeded in gaining an edge (Some cheaters suck at it. They should still be punished.) or whether it can be shown that we had an explicit agreement (because that's impossible to show unless I'm dumb enough to admit to it). However, if a casual player doesn't 3-bet someone very much, I think that's fine because it's too likely that he's doing it for some reason other than the fact that he's giving the player he's avoiding equity at the expense of the other players at the table. If two casual players agree not to 3-bet each very often or to avoid each other in a tournament or something, they should get a warning and an explanation that that's not ok, and if they do it again they should suffer more severe punishment.
This might sound like an awkward way to handle things. It's obviously a double standard where winning players are held more responsible than losing players. It also requires some subjectivity on the part of security departments, which isn't ideal. But, it's really not too bad. The vast majority of cases will be pretty clear cut like the examples I gave above. Plus, the only alternative I see is to allow collusion. In fact, I know that Stars already handles some types of potential cheating in essentially this way, and I assume other sites do as well.
What to Do If You Suspect Someone of Cheating
1)E-mail the poker site right away. It seems like in every cheating scandal, there's a long list of players who suspected that the cheating was happening but didn't mention it to anyone. Don't be one of those people. It's in your best interest to say something because, if you're right, you should be entitled to money back. Plus, it takes like two minutes max to write up a decent e-mail. (Don't be embarrassed because you might be wrong. The poker sites get a huge volume of e-mail from people saying that the site is rigged because they got TT when someone else had AA or whatever. So, even if you're totally wrong and overlooked something simple, you'll still probably be in the top 20% of e-mailers :P.)
2)Try to tell people privately about your suspicions if you see them playing against the suspect account. However, don't make things public right away. If you do, and you're right that cheating is happening, you'll be increasing the chances that the cheater gets money off of the site. If you're wrong, you'll be hurting an innocent person's name and causing unnecessary panic.
3)Wait a while. These things take time... like weeks. If you're not sure how much time is reasonable, ask someone who knows better. You can PM me if you'd like.
4)If the site doesn't finish in a reasonable amount of time, or you're not satisfied with their answer, contact someone you trust to look it over. You can PM me about it if you'd like.
5)If the consensus seems to be that the site screwed up, make it public.
Security Tokens
The risk of losing money to hackers is still very real because some immature douche bags think it's funny to spend all their time trying to hack people's accounts and then dumping all their money in high stakes cash games.
Security tokens (like this one: http://en.wikipedia.org/wiki/RSA_SecurID ) make poker accounts nearly unhackable. All sites should have these by now. If you play on a site that doesn't, e-mail them and bug them about it. If you keep more than ~$1k on a site that has these and don't have one, get one.
Vote with Your Voice if not Your Money
I'm not asking anyone to boycott sites that don't enact good security measures because that's just not going to happen. (Honestly, I'm not willing to boycott any sites myself.) Instead, just suggest the safer sites to the casual players that you meet. If you're anything like me, you get asked about online poker by the uninitiated a lot, so if we all do this, this will directly drive some more traffic to the safer sites. Plus, it will also make the safer sites softer which will mean that we'll be better off playing on them which will make us safer and also further reward the safer sites.
If you have a blog or a web site or some medium that is remotely linked to poker, go out of your way to promote the safer sites and avoid promoting the less safe sites. Big companies like 2p2, cardplayer, bluff, WSOP, etc. should follow this policy as well.
Bots
CAPTCHA (http://en.wikipedia.org/wiki/Captcha) is awesome. It's not perfect, but it's a lot harder to get around than other methods of catching bots. Sites should just make you very occasionally have to enter a CAPTCHA before opening a table.
Incidentally, there are a lot of other methods that the sites could use to catch bots that I won't discuss publicly because they depend on programmers' ignorance. You shouldn't talk about these publicly things either. (See my example in the first section.)
Whether or not a Player Cheated is not Private Information
This should go without saying, but apparently FTP has a different view on things. FTP currently states that it would violate a player's privacy to reveal that his account is under investigation or to reveal whether or not a player has been caught cheating. When I first heard this, I naturally assumed that there was some misunderstanding, but I've confirmed it from multiple sources. In particular, when I repeatedly asked FTP what they were doing about the stoxtrader cheating scandal, I was always told something like this: "As previously stated we are unable to provide information regarding another player's account" (except in one instance mentioned below).
A player is not entitled to privacy when it comes to whether or not he cheated. If a player cheated or is suspected of cheating, those affected deserve to know for obvious reasons. If a player hasn't been caught cheating, I don't see why he would have a problem with the sites letting them know.
FTP's current policy also makes it impossible for players to hold them accountable in their security decisions. That's completely unacceptable.
(Incidentally, FTP's already violated this policy repeatedly when it's convenient for them. For example, they refused to comment at all about the stoxtrader situation when I originally asked and they assured me that that was their policy and they wouldn't even tell me if they were investigating. Then I posted my thread and two days later FTPSean posted publically that FTP was investigating.)
Miscellaneous Tips for Not Getting Scammed
* AIM logging is awesome. If you have the standard AIM client, go to Edit-> Settings-> IM Archives and check “Archive IMs”. Now every AIM conversation you have with someone on this computer will be saved to your hard drive. This is really key for remembering prop bets and staking arrangements and all the other various deals that you enter into over AIM as an online poker player. Plus, it's also good for remembering when you're supposed to meet up with someone or a phone number or whatever as well.
* Don't ever transfer money with a random person. Even if you have him send first, he can still scam you in various ways or you could end up with your account locked.
* Prop bets are very risky. A lot of people don't plan on welching on bets when they make them because they don't expect to lose. Then if they do lose, they feel wronged. So only make prop bets with people you trust or use an escrow. Never make prop bets for significant amount with someone who's not a gambler without making it very very clear that they will have to pay you real money if they lose.
* Always google someone's screen name before doing any business with them. For example, don't do business with this guy http://www.google.com/search?sourcei...q=cornell+fiji or this guy http://www.google.com/search?hl=en&s...mrozo&gs_rfai= .
* Change all your security questions answers to random gibberish. Otherwise anyone who looks up what your elementary school is or whatever can hack your accounts.
* AIM and e-mail accounts aren't secure. If someone IMs or e-mails you asking for something and doesn't sound like himself, you should be very suspicious that he's been hacked. If you have a phone number, call. Otherwise, try asking a question that only he would know the answer to. If it's a hacking or you're not sure, post on 2p2 to warn others. False alarms are no big deal.
* In general, you should try to use two forms of communication before making big transactions (IM and phone, for example).
Last edited by Bobo Fett; 04-30-2010 at 04:11 AM.
Reason: Added section as per OP's request.
04-30-2010
, 12:50 AM
04-30-2010
, 11:25 AM
