All communications between our client software running on client computers and our servers is encrypted. It is important to note that strictly speaking, encryption itself does not guarantee privacy. For example, a site where pocket cards of all the players are transferred to everybody, is not secure regardless of encryption. That is why we have spent a lot of effort designing our security system and policies.
The first point at which security becomes an important factor is when the client software is downloaded from the Poker BTC site. We must ensure that the client software is downloaded unmodified. To address this requirement, we built the following features into the client installer:
The installer executable file is signed using an RSA 2048 bit code-signing certificate that was issued to Rational Services Ltd and can be verified with VeriSign, a public certificate authority which can be validated via your web browser.
This ensures that the client installer came from the software publisher, Poker BTC.
It protects the client installer from alteration between the point of publication and later installation on your machine.
We have a number of built-in features to ensure the security of the game itself.
Our client software uses the certificates issued by our own Certificate Authority (CA) to authenticate our servers.
Our client software uses the industry standard TLS protocol. We are currently using a 2048-bit RSA key, which according to RSA is sufficient until 2030. As we review and update private server keys every three months, we are secure within a large safety margin. We support the following ciphers: AES128-SHA (128 bits) and DES-CBC3-SHA (168 bits).
No private data, such as pocket cards, is ever transferred to other players (except in accordance with the game rules).
All client input is validated server-side.
Collusion is a form of cheating in which two or more players signal their holdings in a game, or otherwise form a cheating partnership to the detriment of the other players at the same table.
While on one hand it is easier to pass information between colluding players online than it is in brick & mortar rooms, it is much more difficult to avoid eventual detection, as the cards for all players can be examined after the play.
No matter how sophisticated the collusion is, it must involve a play of a hand that would not be played that way without collusion. Our detection methods are aimed to catch unusual play patterns and warn the security personnel, who will then make a thorough manual investigation. We will also investigate all players’ reports about suspected collusion.
If any player is found to be participating in any form of collusion his or her account may be permanently closed.
We understand that a use of a fair and unpredictable shuffle algorithm is critical to our software. To ensure this and avoid major problems described in , we are using two independent sources of truly random data:
user input, including summary of mouse movements and events timing, collected from client software
Quantis , a true hardware random number generator developed by Swiss-based company ID Quantique, which uses quantum randomness as an entropy source
Each of these sources itself generates enough entropy to ensure a fair and unpredictable shuffle.
A deck of 52 cards can be shuffled in 52! ways. 52! is about 2^225 (to be precise, 80,658,175,170,943,878,571,660,636,856,404,000,000,000,000,000,000,000,000,000, 000,000,000 ways). We use 249 random bits from both entropy sources (user input and quantum randomness) to achieve an even and unpredictable statistical distribution.
Furthermore, we apply conservative rules to enforce the required degree of randomness; for instance, if user input does not generate required amount of entropy, we do not start the next hand until we obtain the required amount of entropy from the Quantis RNG.
We use the SHA-1 cryptographic hash algorithm to mix the entropy gathered from both sources to provide an extra level of security.
We also maintain a SHA-1-based pseudo-random generator to provide even more security and protection from user data attacks.
To convert random bit stream to random numbers within a required range without bias, we use a simple and reliable algorithm. For example, if we need a random number in the range 0-25:
we take 5 random bits and convert them to a random number 0-31
if this number is greater than 25 we just discard all 5 bits and repeat the process
This method is not affected by biases related to modulus operation for generation of random numbers that are not 2n, n = 1,2,..
To perform an actual shuffle, we use another simple and reliable algorithm:
first we draw a random card from the original deck (1 of 52) and place it in a new deck – now original deck contains 51 cards and the new deck contains 1 card
then we draw another random card from the original deck (1 of 51) and place it on top of the new deck – now original deck contains 50 cards and the new deck contains 2 cards
we repeat the process until all cards have moved from the original deck to the new deck
This algorithm does not suffer from “Bad Distribution Of Shuffles” described in .
Online Password Security
Poker BTC employs some of the toughest and most secure systems to protect the integrity of your account.
However, your account is only as secure as its weakest link, which for many people is their password. This information doesn’t just apply to your Poker BTC account, but also other online, password protected services that you might use.
Password protection is your responsibility and leads to secure online management. We can’t emphasize this enough. Treat your Poker BTC account like a bank account – it’s your money, and we want to help you protect your funds.
There are three main ways that your password can be compromised:
Someone can obtain your password if you tell them.The best way to stop this is to never reveal your Poker BTC password to anyone. Don’t tell friends, don’t tell family, and don’t let anyone else use your account.
Someone can guess your password if you use a word or phrase that can easily be guessed.Don’t use a simple password like ‘password’ or ‘qwerty’ or your User ID or your name. If you’ve done something famous – like win a particular poker tournament – don’t use that as your password.
Someone can ‘phish’ for your password by creating a fake website, or by installing nasty software on your PC.The only place you should ever type your password is when logging on to the Poker BTC client. Poker BTC will never ask you to send your password to us, and you should never send it to us or to anyone else. There are no legitimate websites (accessed via your web browser) that require your Poker BTC password.
You should also ensure that your computer’s operating system is up to date, and you use high quality internet security software, including virus scanners, firewalls and so on.
How to practice good password security?
Here are some good guidelines for staying out of password trouble:
Don’t write your password down where somebody can find it.
Do change your password often.
Don’t leave your account logged on if others can access your computer.
Don’t use the ‘Remember Password’ option in the login screen if others can access your computer. This is particular important in offices and college dorms.
Don’t fall prey to scams and hustles where others want to access your account. If an offer sounds too good to be true, it probably is.
Tips for a strong password.
Defending against a malicious hacker, the best passwords are those that a hacker cannot figure out.
Here are some good guidelines to help you create strong passwords:
Don’t make your password something obviousthat will be easy to guess. Don’t use your name, your birth date, or any other simple phrase.
Make it lengthy.The longer the password, the more secure it is. Password strength increases exponentially the longer the password is. Your passwords should be 8 or more characters in length, 14 characters or longer is much better.
Poker BTC allows you to create a password of up to twenty characters– long enough for a phrase made of many words (a ‘pass phrase’). A pass phrase is often easier to remember than a simple password, as well as longer and harder to guess.
Combine letters, numbers, and symbols. The greater variety of characters that you have in your password, the harder it is to guess. A 15-character password composed only of random letters and numbers is about 33,000 times stronger than an 8-character password composed of characters from the entire keyboard. If you cannot create a password that contains symbols, you need to make it considerably longer to get the same degree of protection. An ideal password combines both length and different types of symbols.
Use the entire keyboard, not just the most common characters. Symbols typed by holding down the ‘Shift’ key and typing a number are very common in passwords. Your password will be much stronger if you choose from all the symbols on the keyboard, including punctuation marks not on the upper row of the keyboard.
Use words and phrases that are easy for you to remember, but difficult for others to guess. The easiest way to remember your passwords and pass phrases is to write them down. Contrary to popular belief, there is nothing wrong with writing passwords down, but they need to be adequately protected in order to remain secure and effective.
In general, passwords written on a piece of paper are more difficult to compromise across the Internet than a password manager, Web site, or other software-based storage tool, such as password managers.
Create a strong, memorable password in 6 steps:
Sit down and allocate a couple of minutes to create a strong password. You’re going to be using this password every time you access Poker BTC, so it’s worth your while to get it right.
Use these steps to develop a strong password (courtesy of Microsoft):
Think of a sentence that you can remember. This will be the basis of your strong password or pass phrase. Use a memorable sentence, such as “My son Aiden is three years old.”
If the phrase is 20 or less characters, you can use the pass phrase (with spaces between characters).
If it is too long, convert it to a password. Take the first letter of each word of the sentence that you’ve created to create a new, nonsensical word. Using the example above, you’d get: “msaityo”.
Add complexity by mixing uppercase and lowercase letters and numbers. It is valuable to use some letter swapping or misspellings as well. For instance, in the pass phrase above, consider misspelling Aiden’s name, or substituting the word “three” for the number 3. There are many possible substitutions, and the longer the sentence, the more complex your password can be. Your pass phrase might become “My SoN Ayd3N is 3 yeeRs old.” If you want to use a shorter password, this might yield a password like “MsAy3yo”.
Finally, substitute some special characters. You can use symbols that look like letters, combine words (remove spaces) and other ways to make the password more complex. Using these tricks, we create a pass phrase of “MySoN 8N i$ 3 yeeR$ old” or a password (using the first letter of each word) “M$8ni3y0”.
Test your new password with Poker BTC’s Password Checker. Password Checker is a new feature in our software that helps determine your password’s strength as you type.
Password strategies to avoid.
It is important to avoid passwords that hackers can guess.
Some tips to avoid easy-to-guess passwords:
Don’t repeat the same letter or number over and over, and avoid common sequences. Examples like ‘12345678’, ‘222222’, ‘abcdefg’, or adjacent letters on your keyboard do not help make secure passwords.
Don’t only use look-alike substitutions of numbers or symbols. People who are trying to steal your password are smart enough to not be fooled by common look-alike replacements, such as to replace an ‘i’ with a ‘1’ or an ‘a’ with ‘@’ as in ‘[email protected]’ or ‘[email protected]’. On the other hand, they can be helpful in conjunction with other efforts, such as long passwords or deliberately misspelling a word to improve your password strength.
Don’t use your User ID, or parts of your name, birthday, and so on. If you have a social network page or profile (like on Facebook, or MySpace) don’t use any information from there in your password.
Don’t use any words that are in a dictionary in any language. One common technique used by criminals is to guess passwords based on words in dictionaries.
Don’t use the same password on Poker BTC as elsewhere. If you have the same password on Poker BTC and a poker discussion forum, for example, and the forum’s systems are hacked, your Poker BTC account will be an obvious target too.