Atlantic City casinos have the eye in the sky.
This is where GeoComply comes into play. The company is behind the technology making sure gamblers using an NJ app are actually in the Garden State when the betting process is taking place. No exceptions.
Using these platforms from outside of state lines is a big no-no. And the New Jersey Division of Gaming Enforcement is going to find out when it does happen. A hefty fine usually follows.
And there can be glitches in the system. Nobody is perfect.
But how exactly does a highly technical system figure out where in the United States players are located? And what happens when safeguards don’t go as planned?
Play NJ chatted with Lindsay Slader, vice president of regulatory affairs for GeoComply, to get answers.
Individuals residing in Philadelphia or New York City may have attempted to use the apps from within their home states. And in most cases, the virtual fence is likely to trigger the alarms.
Before getting into what happens in those situations, let’s start with the basics.
Play NJ: How does the geolocation technology work?
Slader: For a customer who is located within the borders of a state that permits wagering, the geolocation process happens in the background at some point between their login and first wager — this may be invisible or announced as a process during your session.
If you’re on a mobile app, this process relies on your phone’s in-built Location Services. If you’re on a desktop, it may require a plugin installed from a browser page or will be embedded within a poker client to leverage your device’s Wi-Fi data.
GeoComply verifies this collected location data through 350-plus checks to trust its integrity. Customer friction points would only arise if you were attempting to wager from out of state, or deemed inadmissible by demonstrating a potential spoofing risk such as the use of prohibited software, mock location tools, etc.
The state of NJ has fairly strong cease-and-desist language displayed in these instances when such access is attempted during a gaming session.
Testing the geolocation system
Just like test driving a new car, the software goes through an extensive trial process. And if it fails, improvements can be made without shutting down the system.
And when it’s something as crucial as geolocation, there is no room for error.
Play NJ: What kind of testing is done with mobile sports betting casino apps to make sure the geolocation technology is operating correctly?
Slader: GeoComply’s software is approved as components of a gaming system, and then the platform to which it is integrated undergoes its own review by government or independent test labs.
Field testing of the system is often performed as well — this could include driving across bridges, borders, etc., done from various locations of a state to review the real-life scenarios a player may encounter related to their location.
Out of state, not out of mind
But hackers will figure out ways to outsmart the system.
When the incident is taking place, the player is likely thinking they will escape scot-free. But like taking the last cookie from the cookie jar, someone eventually finds out.
And the previously mentioned incidents are two examples of what can go wrong.
Play NJ: How are they able to get around the geolocation system?
Slader: GeoComply’s solutions are designed to incredibly robust levels in order to meet the technical requirements set out by the regulator in NJ. Our technology, in turn, needs to be integrated correctly into the overall gaming platform to ensure no “doors” are left open, creating vulnerabilities.
If this isn’t done in a manner that’s 110 percent, there is always the risk of a motivated black hat hacker who will seek out and exploit the situation.
A few such “open door” instances have occurred in New Jersey resulting in fines levied by the DGE, yet the vulnerabilities were easily repaired once identified.
GiG, Hard Rock, and what can go wrong
A public records request often provides a few clues to what happens behind the scenes.
And there are immediate remedies to prevent it from happening again. For this, we dig deeper into the case of the HardRockCasino.com site.
In this particular instance, GeoComply, according to the case file, discovered what is described as a “geolocation vulnerability in GiG’s desktop iteration of the client.”
The client refers to the Hard Rock Online Casino web browser. Here is an excerpt from the report:
“Once the geolocation software detected that a patron was attempting to access HardRockCasino.com (“the Website”) from outside of New Jersey and denied the patron access to the Website, this vulnerability would allow the patron to inspect the browser code and modify the geolocation value to indicate that the patron was located in New Jersey. Accordingly, the patron would then be able to place wagers.”
And the report continues:
“From June 28 to July 3, 2018, one patron located in Nevada exploited this vulnerability and placed wagers on the Website for a net loss of $29.29.”
GiG addresses the problem
This time period directly correlates with the first week of online business for Hard Rock Atlantic City. The online casino platform launched the same day as the refurbished casino opened its doors.
The DGE hit the technology company with a $25,000 fine.
A GiG spokesperson provided a statement that helps shed some light on this technical malfunction:
“This one-off single incidence of out-of-state gambling was due to a technical vulnerability, which was quickly discovered and reported (by GiG’s B2B client) to the regulator in New Jersey in the first week the company went live in New Jersey in the beginning of July 2018. GeoComply was at all times integrated.
“An end user from outside the state of New Jersey with technical knowledge managed to access the front end debugger to change the location and pretend to be from New Jersey. The vulnerability was discovered after this end user had exploited it, as part of a vulnerability assessment carried out.”
The statement further adds that the solution was “promptly resolved” and approved by the DGE:
“An immediate fix was implemented and the matter was very promptly resolved with a permanent solution which was approved by the Division of Gaming Enforcement. GiG maintains protective, detective and reactive controls to mitigate risk which are fully integrated within its processes and operations to ensure business continuity and compliance with all regulations are maintained at all times.”
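The report and GiG's statement describe a location value that could be edited in the browser and was then accepted when wagering. As an added example (not GiG's or GeoComply's code, and not the fix the DGE approved, which the article does not describe), the sketch below contrasts a server that trusts a client-supplied location field with one that only accepts a signed, session-bound, fresh verdict. All function names, the token format and the secret are hypothetical.

```javascript
'use strict';
const crypto = require('crypto');

// Hypothetical secret known only to the geolocation service and the backend.
const GEO_SECRET = 'constructed-demo-secret';
const MAX_AGE_MS = 60000; // assumed freshness window for a location verdict

// Vulnerable pattern: the wager check trusts a field the browser sends,
// so a value edited in the front end changes the server's decision.
function allowWagerTrustingClient(request) {
  return request.body.geoState === 'NJ';
}

// Stand-in for the geolocation service: signs its verdict for one session.
function issueGeoAssertion(sessionId, state, issuedAt) {
  const payload = `${sessionId}|${state}|${issuedAt}`;
  const mac = crypto.createHmac('sha256', GEO_SECRET).update(payload).digest('hex');
  return `${payload}|${mac}`;
}

// Hardened pattern: recompute the MAC server-side, bind the verdict to the
// session, enforce freshness, and fail closed on anything malformed.
function allowWagerVerified(request, now) {
  const parts = String(request.body.geoAssertion || '').split('|');
  if (parts.length !== 4) return false;
  const [sessionId, state, issuedAt, mac] = parts;
  const expected = crypto.createHmac('sha256', GEO_SECRET)
    .update(`${sessionId}|${state}|${issuedAt}`).digest('hex');
  const got = Buffer.from(mac, 'utf8');
  const want = Buffer.from(expected, 'utf8');
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return false;
  if (sessionId !== request.sessionId) return false; // verdict copied from another session
  const age = now - Number(issuedAt);
  if (!Number.isFinite(age) || age < 0 || age > MAX_AGE_MS) return false; // stale verdict
  return state === 'NJ';
}

// Constructed sample: an out-of-state verdict whose state field is edited
// after signing, as a modified client would submit it.
function demo() {
  const t0 = 1700000000000;
  const edited = issueGeoAssertion('sess-1', 'NV', t0).replace('|NV|', '|NJ|');
  return {
    trusting: allowWagerTrustingClient({ body: { geoState: 'NJ' } }),
    verified: allowWagerVerified({ sessionId: 'sess-1', body: { geoAssertion: edited } }, t0 + 1000),
  };
}
```

The trusting check accepts the edited value, while the verifying check rejects it because the MAC no longer matches the payload.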
GeoComply on the lookout for ‘location spoofing’
In case it wasn’t clear, the NJ online gambling industry is huge. There are currently 14 mobile online sportsbooks and 20-plus casino and poker apps.
Looking at the bigger picture, out of all these platforms and five years of active iGaming in the state, there have been just a few reported cases of geolocation technical issues. At least in terms of gamblers from outside of the NJ geofence.
The Borgata incident dates back to 2014. In this particular case, a player named Vinh Dao had managed to place wagers from the West Coast. And the penalty was a biggie: Borgata was ordered to return $2,000 to Dao and forfeit the remaining $79,539.24.
And even with the technical flaws, GeoComply is constantly on alert for when these hackers try to crack the system.
Play NJ: Have there been any flaws to the technology that raised a so-called red flag, and what was done to fix it?
Slader: GeoComply has the data and the tools to confidently detect most if not all imaginable location spoofing scenarios that our company, or any regulator, has ever dreamed up. That being said, no system is 100% foolproof — even government intelligence agencies get hacked.
But the gift of being online is traceability — we have all the virtual “breadcrumbs” to build out evidence of a spoofing attempt, whereby the regulator and/or police authorities may intervene and take further action based on our analysis and findings.
Our technology is ever evolving to detect and block today’s or tomorrow’s new spoofing risk — the majority of GeoComply’s staff are solely devoted to this task.
Concurrent to those efforts, the best defense for an operator or platform to protect against a compromised gaming system is to assume the mind of a hacker and ensure no back doors are left open to vulnerability.