Strong Authentication – A Comparison of Two New Jersey iGaming Sites


New Jersey regulations include several components designed to enhance both the player’s and the gaming site’s security.

In this article we will look closer at the requirement to make “strong authentication” available to players that request it.

NJ regulations call for advanced account security

The standard authentication method for logging in is a combination of a username and password. However, users will also be given the option to utilize “strong authentication.” The specific regulation states:

“Strong authentication” means a method which has been demonstrated to the satisfaction of the Division to effectively provide higher security than a user name and password alone.

“Multi-factor authentication” means a type of strong authentication which uses two of the following to verify a patron’s identity:

1. Information known only to the patron, such as a password, pattern or answers to challenge questions;

2. An item possessed by a patron such as an electronic token, physical token or an identification card; or

3. A patron’s biometric data, such as fingerprints, facial or voice recognition.

From the initial review we have performed it appears that the majority of sites have implemented this requirement by sending a pin to the user’s mobile phone.

This method is satisfactory and does meet the requirements of the New Jersey DGE, and it is used in other sectors (e.g. finance).

Comparing Ultimate and Tropicana Casino

We decided to look closer at two different sites (Ultimate Casino and Tropicana Casino) to see how well they had implemented this requirement from a security perspective.

Both sites allow the player to enable strong authentication: after successfully logging in with username/password the player is sent a PIN to his mobile and must enter that pin to gain access to the site. Ultimate uses a 6 digit pin (1,000,000 possibilities) while Tropicana has implemented a 4 digit pin (10,000 possibilities).

At first glance it appears that Ultimate has implemented a more secure solution. However, appearances can be deceiving.

Inside Ultimate’s strong authentication

Let’s first look at Ultimate Casino. Below is a screenshot showing the initial login page where the user needs to enter username/password.

[Screenshot: Ultimate Security]

Upon successful logon, if the user has enabled strong authentication a pin is sent to his mobile. The correct pin that is used for this testing is 407037.

[Screenshot: Ultimate Security Confirm]

And then the user must enter it into the screen shown below in order to gain access to the application.

[Screenshot: Security Screen 3]

For testing purposes we intercept the HTTP POST request using a local proxy, in this case Burp Suite, and send it to the tool’s Intruder function, which allows us to brute-force the pin.

[Screenshot: Ultimate Security Screen 4]

In the figure above we utilize the Burp Intruder and select the position of the request that we are interested in, the pin field. Next we need to select the payload options.

[Screenshot: Ultimate Casino Security]

Since we want to perform a controlled test and not brute-force all million combinations we start the test with 407000 and go to 407045.

Since we know the correct pin is 407037 this allows us to perform 36 incorrect requests before the correct pin is “guessed.” This is a large enough sample to determine if the pin would become invalid after a number of incorrect requests and if the user’s account would be locked out.

[Screenshot: Security Ultimate Casino]

The attack is then run in Burp’s Intruder, and you can see in the figure above that when the correct pin is submitted the response status changes and the response length differs from the incorrect attempts.

To confirm that we can log in with this pin, we enter the correct pin (407037) in the proxy request that we previously intercepted and forward the request to the server.

[Screenshot: Ultimate Security Verification]

The figure above shows the correct pin being entered and forwarded on to the server.

We are then successfully logged on as the screenshot below illustrates.

[Screenshot: Confirm Security Ultimate]

From the testing we performed it appears that if the username and password are obtained, then even if strong authentication has been enabled the pin can be brute-forced and access granted.

Some might argue that we did not fully prove this, as we set the parameters to brute-force only a small number of values. However, we incorrectly entered over 30 pins before we got the correct pin, without the pin changing or the account becoming locked out.

The same approach could be used for guessing all possible (1,000,000) combinations. We just did not feel that approach was needed to prove the vulnerability and did not want to possibly overload Ultimate’s authentication server.

Tropicana’s strong authentication

We performed the same test against Tropicana Casino’s site. Tropicana uses just a 4 digit pin; however, from the testing we performed it appears that once an incorrect pin is entered a new one must be sent (whereas Ultimate allows multiple incorrect attempts), as shown below.

[Screenshot: Ultimate Casino Security Process]

When sending it to Burp’s Intruder and performing the same test as for Ultimate, it is not successful.

[Screenshot: Ultimate Multifactor Authentication]

Conclusion: Strength is in the details

Cliffs: size is not everything – how the process is implemented is just as important.

While I do not think that the sites need to send a new pin after one incorrect attempt as Tropicana does, I would recommend that after 3 to 5 incorrect attempts the user is sent a new pin for authentication.

Also after a certain number of unsuccessful pin attempts the user account should become locked out. The New Jersey regulations actually state:

Internet and mobile gaming systems shall disable a patron’s account after three failed log in attempts and require strong authentication to recover or reset a password or username.

It is not clear if this applies only to the initial username/password authentication or if it applies to all components of authentication.
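To make the recommendation above concrete, here is an added example in Python (not code from either casino site or from the article’s author) that models the PIN step of a two-factor login. It places a naive verifier, which keeps the same PIN valid no matter how many wrong guesses arrive, beside a hardened one that invalidates the PIN after a fixed number of wrong guesses, locks the account once several PINs in a row have been exhausted, expires PINs after a time limit and enforces one-time use. The `sweep` helper replays the controlled test described earlier (sequential guesses from 407000 against a known pin of 407037) as a regression check of the policy. The constants `MAX_PIN_ATTEMPTS`, `MAX_BURNED_PINS` and `PIN_TTL_SECONDS`, and all function and field names, are assumptions chosen to match the 3 to 5 attempt suggestion; none are values from either site.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Policy constants (assumed values matching the article's recommendation, not either site's settings)
PIN_DIGITS = 6
MAX_PIN_ATTEMPTS = 5        # wrong guesses allowed against one PIN before it is invalidated
MAX_BURNED_PINS = 3         # consecutive exhausted PINs before the account is locked out
PIN_TTL_SECONDS = 300       # how long a PIN stays usable after it is sent


@dataclass
class Challenge:
    pin: str
    issued_at: float
    failures: int = 0
    active: bool = True


@dataclass
class Account:
    username: str
    challenge: Optional[Challenge] = None
    burned_pins: int = 0      # consecutive PINs exhausted by wrong guesses
    locked: bool = False


def issue_pin(account: Account, now: Optional[float] = None) -> Optional[str]:
    """Create a fresh one-time PIN after a correct username/password login.
    Returns the PIN so the caller can deliver it out of band (SMS); a real server
    never echoes it back to the browser. Returns None if the account is locked."""
    if account.locked:
        return None
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
    account.challenge = Challenge(pin=pin, issued_at=now)
    return pin


def verify_pin_naive(account: Account, guess: str) -> bool:
    """Weak check: the same PIN stays valid for any number of wrong guesses.
    This is the behaviour the article observed on the first site."""
    ch = account.challenge
    return ch is not None and hmac.compare_digest(ch.pin.encode(), guess.encode())


def verify_pin(account: Account, guess: str, now: Optional[float] = None) -> str:
    """Hardened check. Returns 'ok', 'retry', 'pin_invalidated', 'expired',
    'locked' or 'no_challenge'."""
    now = time.time() if now is None else now
    if account.locked:
        return "locked"
    ch = account.challenge
    if ch is None or not ch.active:
        return "no_challenge"            # client must request a new PIN first
    if now - ch.issued_at > PIN_TTL_SECONDS:
        ch.active = False
        return "expired"
    if hmac.compare_digest(ch.pin.encode(), guess.strip().encode()):
        ch.active = False                # one-time use: a captured PIN cannot be replayed
        account.burned_pins = 0
        return "ok"
    ch.failures += 1
    if ch.failures >= MAX_PIN_ATTEMPTS:
        ch.active = False                # PIN is burned; a new one must be sent
        account.burned_pins += 1
        if account.burned_pins >= MAX_BURNED_PINS:
            account.locked = True        # account disabled until recovery, as the NJ rule intends
            return "locked"
        return "pin_invalidated"
    return "retry"


def sweep(account: Account, start: int, count: int, hardened: bool, now: float = 0.0) -> dict:
    """Regression check for the policy: submit sequential guesses start .. start+count-1
    against the account's current challenge and report how the verifier responded."""
    outcome = {"guesses": 0, "success": False, "final_status": None}
    for n in range(start, start + count):
        guess = f"{n:0{PIN_DIGITS}d}"
        outcome["guesses"] += 1
        if hardened:
            status = verify_pin(account, guess, now=now)
        else:
            status = "ok" if verify_pin_naive(account, guess) else "retry"
        outcome["final_status"] = status
        if status != "retry":            # success, invalidation or lockout ends the run
            outcome["success"] = status == "ok"
            break
    return outcome


if __name__ == "__main__":
    for hardened in (False, True):
        acct = Account("tester")
        acct.challenge = Challenge(pin="407037", issued_at=0.0)   # the article's constructed test PIN
        print("hardened" if hardened else "naive", sweep(acct, 407000, 46, hardened))
```

Run as a script, the naive sweep reaches the known pin on the 38th guess, while the hardened sweep stops after `MAX_PIN_ATTEMPTS` wrong guesses with the PIN invalidated and the account still needing a fresh PIN before any further attempt. The hardened verifier also resets the burned-PIN counter on success, so a legitimate user who mistypes occasionally is not pushed toward lockout.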

It is good to see sites implementing strong authentication mechanisms; however, it is important that they are implemented correctly in order to be effective.

Testing notes

Ultimate was notified of this issue prior to publication. At the time of writing only the Ultimate and Tropicana sites in New Jersey were examined.

All testing was performed against an account that the testing team controlled. No testing was performed against other user accounts.

Gus Fritschie is an information security professional living in Washington, D.C. He is the Chief Technology Officer at SeNet International, a company with clients including Fortune 500 companies, civilian agencies, and the Department of Defense (DOD). Gus is also a semi-successful poker player, having logged close to a million hands online. Follow Gus on Twitter @gfritschie