Any feelings of schadenfreude the regulated industry felt when Americas Cardroom got hit by Distributed Denial of Service (DDoS attacks) at the beginning of last week have completely evaporated as the weekend saw new attacks on PartyPoker and PokerStars.
Industry observers might feel that an offshore poker room that continues to serve the US market in defiance of state law can be expected to get hit by ransom demanding hackers.
Any players that have taken the risk of playing there shouldn’t complain if their game is interrupted, but when it comes to the law-abiding sites such as PartyPoker and PokerStars it’s an altogether more serious situation.
The current wave of outages began on Sunday, Aug. 5 with an attack that saw Americas Cardroom’s flagship MOSS tournament series’ first event cancelled:
Due to DDoS attacks on August 5th we were forced to cancel MOSS events 1, 2, and 3. We will be rescheduling these events next Sunday, August 12th at 1:00pm ET, 11:00am ET, and 3pm ET respectively. We apologize for the inconvenience. pic.twitter.com/VXLbaaZHYQ
— Americas Cardroom (@ACR_POKER) August 5, 2018
Then on Aug.what 9 and 10, PartyPoker got hit:
We are continuing to experience issues and apologise for the disruption, we are continuing to mitigate the attacks and hope to have services back to normal soon. pic.twitter.com/91hkQAOiUp
— partypoker (@partypoker) August 10, 2018
PartyPoker put out a statement acknowledging that the interruption to play was caused by a DDoS attack.
Tom Waters, PartyPoker Managing Director apologized:
“The unfortunate events of 9 August were understandably frustrating for our players. After consideration, the decision was taken to pause and then subsequently cancel all affected tournaments.
Our team worked hard to try to resolve the key issues. As poker players ourselves, we fully understand how frustrating it can be when an online poker room suffers technical issues, and we fully appreciate the considerable patience and understanding shown by our players in light of these difficulties.“
Finally, on Aug. 12, with a second set of attacks on Aug. 13 it was PokerStars’ turn:
Apologies to all our players for the recent issues on PokerStars. The players affected by this morning’s issues have already been credited & we aim to refund players affected by yesterday's problems, with their equity at the time of disconnection, within 72 hours.
— PokerStars (@PokerStars) August 13, 2018
Tournament cancellations always cause some unfairness
Highlighting the difficulty online poker rooms face in responding fairly to DDoS attacks, PokerStars’ response didn’t meet with universal approval.
It took PokerStars a couple of hours to react to the attack by pausing and cancelling its tournaments. They then credited the affected players with an amount equal to their equity in the tournament when it was paused:
This is the response that should have been issued yesterday. U guys really painted urself into a corner by: 1) not pausing the tournys when there was clearly an issue 2) haste decision to payout according to chip stacks AFTER the pause. Regardless, thanks for making things right!
— ????Sammy Da Bull???? (@samkhay81) August 13, 2018
Online poker rooms are in a catch-22 position with whatever method they use to reimburse players, because some will always be disadvantaged.
I got DCd as i was gonna call all in. I had AQ suited in the $22 mini Sunday million and got disconnected so couldn’t call. My PokerStarsUK ID is Rge Berzerkr.
— OG (@OG_MURPHY) August 13, 2018
In advance of the tournament being paused some players will be affected by disconnection problems, and it is extremely difficult if not impossible to compensate them for what might have happened. In the events of the last two days, some players complained that the disruption caused them to blind out before the tournament was paused, entitling them to no recompense.
PokerStars has a flexible cancellation policy
PokerStars cancellation policy sets out three methods of compensating players depending on the reason why a tournament has been cancelled.
- Option 1: Rollback—Acts as if the tournament never happened; “ if you were registered for the tournament, you get your buy-in and fees (including rebuys, add-ons, and knockout entry if any) refunded. Also, the buy-in is refunded in exactly the same format with which you bought in. For instance, if you bought into a tournament using T$10 and $15 cash, then you would get back T$10 and $15 cash.”
- Option 2: Roll Forward (no players are in the money)—“we refund each remaining player his tournament fee (and knockout bounty if appropriate), and then divide up the prize pool based on the following formula:
- 50% of the award pool is distributed evenly among all remaining players
- 50% of the award pool is distributed proportionally according to the chip count”
- Option 3: Roll Forward (players are in the money)—“ we refund each remaining player his tournament fee (and knockout bounty if appropriate), and then divide up the prize pool based on the following formula:
- Each player receives the minimum prize not yet awarded at the time of cancellation
- The remainder of the award pool distributed is distributed proportionally according to the chip count
On top of this, PokerStars looks at the individual circumstances of the cancellation and exercises its own discretion if it feels the policy has resulted in unfairness, and it will be doing the same in this case:
Our technical issues have now been resolved. Apologies to all affected players. While some refunds were made in accordance with our cancellation policy (available here https://t.co/FZ0J6tgTkI) we will evaluate whether additional refunds are necessary following our review.
— PokerStars (@PokerStars) August 12, 2018
DDoS attacks are not a new problem
It is difficult to see what more poker rooms can do after the fact. What is perhaps more worrying is that the poker sites remain open to this type of attack. It is not as if it hasn’t happened before.
In April, 2015 several sites including PokerStars , Betfair , Unibet and Tonybet suffered downtime that appeared to be the result of similar attacks.
Then in July 2015 the New Jersey Division of Gaming Enfocement (DGE) launched a criminal investigation after attacks on the state’s regulated casinos. DGE Director David Rebuck said:
“At least four casinos were impacted and experienced downtime. The attack was followed by the threat of a more powerful and sustained attack.”
Rebuck explained that the motive for the attacks was financial with the hackers demanding a ransom to be paid in Bitcoin otherwise the disruption would continue.
Since then, it has been in the self-interest of the industry for poker rooms to jack-up their security levels, and this they have done.
However, this war is an arms race. Whenever the operators introduce more protection, the hackers develop more powerful weapons. The best defense may be deterrence; to take the pain and decide as an industry to never, ever pay the hackers off.