Multifactor Authentication - A comparison of two New Jersey iGaming Sites

This article was originally published on the Online Poker Report.New Jersey regulations include several components designed to enhance both the player’s and the gaming site’s security.  In this article we will look closer at the requirement to make “strong authentication” available to players that request it.  The standard authentication method for logging-in is a combination of a username and password. However, users will also be given the option to utilize “strong authentication”.  The specific regulation states:

“Strong authentication” means a method which has been demonstrated to the satisfaction of the Division to effectively provide higher security than a user name and password alone.

"Multi-factor authentication” means a type of strong authentication which uses two of the following to verify a patron’s identity:

1. Information known only to the patron, such as a password, pattern or answers to challenge questions;

2. An item possessed by a patron such as an electronic token, physical token or an identification card; or

3. A patron’s biometric data, such as fingerprints, facial or voice recognition.

From the initial review we have performed it appears that the majority of sites have implemented this requirement by sending a pin to the user’s mobile phone.  This method is satisfactory and does meet the requirements of New Jersey DGE and is used in other sectors (i.e. finance).  We decided to look closer at two different sites (Ultimate Casino and Tropicana Casino) to see how well they had implemented this requirement from a security perspective.  Both sites have the ability to enable strong authentication where after successfully logging in with username/password you are sent a PIN to your mobile and need to enter the pin to gain access to the site.  Ultimate uses a 6 digit pin (1,000,000 possibilities) while Tropicana has implemented a 4 digit pin (10,000 possibilities).  At first glance it appears that Ultimate has implemented a more secure solution.  However, appearances can be deceiving.

Let’s first look at Ultimate Casino.  Below is a screenshot showing the initial login page where the user needs to enter username/password.

1

Upon successful logon, if the user has enabled strong authentication a pin is sent to their mobile.  The correct pin that is used for this testing is 407037.

2

And then the user must enter it into the screen shown below in order to gain access to the application.

3

For testing purposes we intercept the HTTP POST request using a local proxy, in this case Burp Suite.  It is then sent to the Intruder functionality in the tool that allows us to brute-force the pin.

4

In the figure above we utilize the Burp Intruder and select the position of the request that we are interested in, the pin field.  Next we need to select the payload options.

5

Since we want to perform a controlled test and not brute-force all million combinations we start the test with 407000 and go to 407045.  Since we know the correct pin is 407037 this allows us to perform 36 incorrect requests before the correct pin is “guessed”.  This is a large enough sample to determine if the pin would become invalid after a number of incorrect requests and if the user’s account would be locked out.

6

The attack is then run in Burp’s Intruder and you can see in the figure above that when the correct pin is entered the status changes and the length is different.  To confirm that we can login with this pin we enter the correct pin (407037) in the proxy request that we previously intercepted and forwarded the request to the server.

7

The figure above shows the correct pin being entered and forwarded on to the server.  We are then successfully logged on as the screenshot below illustrates.

8

From the testing we performed it appears that if the username and password is obtained, then even if strong authentication has been enabled the pin can be brute-forced and access granted.  Some might argue that we did not fully prove this as we set the parameters to only brute-force a small number.  However, we incorrectly entered over 30 pins before we got the correct pin without the pin changing or account becoming locked out.  The same approach could be used for guessing all possible (1,000,000) combinations.  We just did not feel that approach was needed to prove the vulnerability and did not want to possibly overload Ultimate’s authentication server.

We performed the same approach with Tropicana Casino’s site.  Tropicana utilizes just a 4 digit pin, however, from the testing we performed it appears that once an incorrect pin is entered a new one needs to be sent (Ultimate allows multiple incorrect attempts), as shown below.

9

When sending it to Burp’s Intruder and performing the same test as for Ultimate, it is not successful.

10

In conclusion size is not everything, how the process is implemented is just as important.  While I do not think that the sites need to send a new pin after one incorrect attempt as Tropicana does, I would recommend that after a 3 to 5 incorrect attempts the user is sent a new pin for authentication.  Also after a certain number of unsuccessful pin attempts the user account should become locked out.  The New Jersey regulations actually state:

Internet and mobile gaming systems shall disable a patron’s account after three failed log in attempts and require strong authentication to recover or reset a password or username.

It is not clear if this only applies to the initial username/password authentication or if applies to all components of authentication.  It is good the see sites implementing strong authentication mechanisms, however, it is important that it is implemented correctly in order to be successful.  Ultimate was notified of this issue and have taken steps to mitigate the vulnerability.

At the time of writing only the Ultimate and Tropicana sites in New Jersey were examined.  All testing was performed against an account that the testing team controlled.  No testing was performed against other user accounts.