Archive for the Dollar Dollar Bill Y'all Category

Another Poker Hack

Posted in Dollar Dollar Bill Y'all on February 13, 2008 by themaroon

Some people got offended by my last poker hack post and called it fraudulent. That’s ridiculous, but I do remember another one that happened in the early days of online poker that actually was. I never did this, mind you, as I was pretty sure it was a federal crime of some sort. Granted, it defrauded an online poker site, which the government cared for about as much as they do drug cartels, but even ignoring the moral issues I was never one to risk jail time when I could make a living honestly. For those who couldn’t win at poker, though, there was always the following.

One of the methods of deposit on most poker sites, before the UIGEA, was the Electronic Funds Transfer (EFT), which was basically an electronic check. You gave them your routing and account number and they would take money from your account just as if you had written a physical check. I don’t know a whole lot about how our nation’s financial system works, but I’m pretty sure it went through the ACH just like any regular check, and therefore took a few days. I know they all said 3-5 business days, but they usually seemed to clear in 2.

The sites limited the amount you could deposit via EFT, typically to something like $500 when you first signed up. But as you played more on the site and became a VIP, you could ask for higher limits, and it wasn’t really that tough to get them raised to something like $10,000 or even more. For some reason that I’ll never understand, when you initiated the EFT deposit, the sites put the money in your account right away, even though they took days to clear. The only rule was that you couldn’t cash out until they did. So the scam there was really pretty obvious.

The player started a checking account at their local bank and put a few grand in it. They deposited $500 on every major poker site via EFT, played as normal for a week or so, and then withdrew whatever they had back to the checking account. If they were a marginal player and stuck to low limits, as was usually the case, they’d still have most of their initial investment. They’d ask the sites for limit increases, which might be to a grand or two, and repeat until each site had increased them to whatever the max allowable was.

At that point they’d close their account at the bank, usually on a Monday, because a lot of banks have rules that any EFTs or checks that come in for a few days afterward automatically reopen the account and cause an overdraft, which would then leave the scammer owing the bank and was obviously highly undesirable. They’d then wait until a Thursday or Friday night and make an EFT deposit for the max on each site (the poker rooms had no way to check whether the account was still open), which gave them until Monday before the EFTs would all resolve, at which point the poker sites would know that they bounced and shut down the player’s account. The scammer just had to make sure the money was in their pocket by then.

The hardest part was getting the money out. The typical way to do it was to ditch it to a friend at a table. Ideally, you’d be at a table with 8 or 9 other people, one of whom you knew but had never played with on the site before. In fact, the person helping the scammer didn’t even have to know about the scam itself. Back in those days, getting money on and off of poker sites was a huge pain, and it was extremely common to help people out. Eventually the sites added inter-account transfer functionality to facilitate that, but in the early days the only way to move the money was by chip dumping. So if a friend asked you to collect some chips from him at a table while trying not to be too obvious about it, it wasn’t as odd of a request as it may sound.

So the scammer would sit on the phone or instant messenger with their friend and coordinate the loss of money. And the person to whom the chips were dumped would cash them out to Neteller or PayPal (online gambling was once a major source of profit for them, back before the eBay acquisition) and transfer to the scammer’s account there, most likely not even knowing they’d aided in fraud. The scammer would have the money in his hands by Friday, and the poker site wouldn’t even know what hit them until Monday. At that point they’d have no way to prove that the scammer dumped money to an accomplice, and even if they did decide they had enough to act on, it wouldn’t matter to the scammer. The accomplice could get their account closed and whatever funds they had taken, but that didn’t matter to the scammer whose money was already on its way to him from Neteller. And most times the poker sites just wrote it off as part of the price of doing business.

You could run pretty much the same scam with credit cards by simply issuing a chargeback. EFTs were more popular though because the limits were usually much higher, and most issuing banks blocked card transactions to online gambling sites long before people started playing poker online. (In the early days, when it was mainly casinos, people would buy in with credit cards, play until they either won a bunch or lost it all, and then charge it back if they went broke or cash out normally if they won, essentially giving them a freeroll against the house. That was why PayPal, and later Neteller, became the preferred deposit method of gambling sites. Even though their fees were outrageous, they were worth it since there were no chargebacks.)

The poker sites were left helpless. Any complaints to American law enforcement, which considered online gambling illegal, surely would have fallen on deaf ears and they knew it. I imagine those running the scheme did it multiple times. I heard of one fellow who changed names repeatedly to do just that, though that may have been urban legend. I never did hear of anyone having any legal trouble over it, even though it almost certainly violated many laws at all levels of government.

Eventually the poker sites got wise and stopped putting funds in players’ accounts before the EFT cleared. I only heard of that scam shortly before it ended, but it apparently went on for a few years. I wouldn’t be surprised if someone made seven figures doing it. It was clearly unethical and almost certainly illegal, but also brilliant and highly profitable.

Hacking Real World Systems

Posted in Dollar Dollar Bill Y'all on January 27, 2008 by themaroon

Seeing this post on Hacker News reminded me of a great story I should have blogged here long ago. The post is in reference to a question on Y Combinator’s latest application form, which is

“Please tell us about the time you (…) most successfully hacked some (non-computer) system to your advantage”

Wow, I could write a book on these, as that’s pretty much my one true passion in life, but I’ll give you my favorite. Once upon a time, back when I was a regular player on PartyPoker, they rolled out a new promotion called PartyPoints. The deal was that you got frequent player points (FPP) for certain stuff and could use those to buy things from the FPP store.

Their FPP program was a blatant rip-off of PokerStars, who had implemented their own VIP program maybe a year or so earlier. Both gave you points for hands played, tournament buy-ins, etc., but with one major difference. PartyPoker also gave you points whenever you deposited money into your account. The best point-to-dollar-deposited ratio was achieved by depositing $500. You had to deposit the money, wait a week, and then the FPPs were credited.

Their cashier system was web-based and poorly designed, so I noticed right away that you could make one deposit and then just keep hitting refresh to deposit again and again. I made a simple AutoHotKey script to refresh the page over and over at a 30-second interval for a preset number of times depending on how many dollars were in my Neteller account. At one point the number of refreshes was over 100, and they all worked. I’d just start the script and go to dinner or shopping or whatever, and when I got back it would be done. I’d then go about my normal playing for a week, cash it all out as soon as my FPP balance spiked, and repeat.

For a long time their store had nothing but t-shirts and other such junk, so I just held on to the points, assuming that one day they’d mimic PokerStars again and add something worthwhile to the store. Sure enough, they eventually added all sorts of electronics and other assorted goods. I did a quick check on eBay to see which of the items had the highest resale value per FPP and discovered that it was the video games, which was extraordinarily fortunate because eBay has an awesome listing system for them, in which you simply input the ISBN number and it fills out the whole page for you. And they’re the easiest thing imaginable to ship: you just slap them in a bubble mailer and print out a media mail postage label.

I made about 100% ROI in 6 months on a pretty good sum, and got a nice eBay rating in the process. And the best part of the whole story is that Neteller, the service I deposited through, charges large poker sites something like 10% of the transaction as their fee, meaning PartyPoker was eating thousands in cashier fees every week and giving me massive FPPs while getting no extra profit out of me whatsoever. Actually it was probably less, as I couldn’t play while doing the refreshes or waiting for cash-outs to hit my Neteller account.

I don’t know if anyone else ever figured that one out. I never blogged about it or posted it in any forum for fear someone at Party would catch on, and if any other players did spot that particular hack, they were smart enough not to mention it publicly too. Eventually Party removed the deposit bonus and changed the program around a bit. I’m still not sure if it was just a general tightening of the purse strings or if someone had caught on. But it was awesome while it lasted. I still have a PSP (that I’ve only used maybe twice) with a ton of games, an iPod Nano, a poker table, a ton of shirts, some poker books, an entire wardrobe emblazoned with the PartyPoker logo, a kick ass cigar cutter, lighter and travel humidor, business card holder, flask, bar tool set, year’s subscription to 10 different magazines, and I can’t even remember what else to show for it.

 
