
> Turn it off, sure, then the site can block you.

Yes? Is this a problem?

> Tried to get around my state's online casino restrictions a few months back. Not a fun time.

How is any casino both (A) following state restrictions and (B) not validating based on both your geo location and the address you must validate via some KYC document? Or are you also entering a fake address somehow?




> Yes? Is this a problem?

Yes, because I am trying to use the site. If they block me, I can't use it.

They validate, usually via a backend SSN lookup or via an identity document like ID or passport, but only on registration. Sometimes they make you take a selfie with your ID. Sometimes you get flagged and have to identify again.

In Michigan you are allowed to use the site from any location; there are restricted actions which must be location verified. Sports wagering and any casino gambling obviously, but I think deposits or withdrawals might be location limited as well.

The location verification is accomplished via both a dedicated program you must install on your device + giving location permission in the web browser, which uses GPS + Cellular + Wi-Fi triangulation.

> Or are you also entering a fake address somehow?

You are allowed to use the online casinos with an out-of-state ID or address. You must simply be in the state for location verification. There is a little industry of people taking road or train trips to travel through all the online gambling states in order to sign up for the free promotion money.


For anyone wanting to know what I tried and how it ended:

This was on a laptop with no built-in GPS and no cellular.

Paid VPN - nope, they probably have a list of all the VPN providers' IP addresses.

Self-VPN in cloud - no, again they probably have an IP list

Self-VPN in target state on residential IP - nope, something else causing the fail

Spoofing WiFi names & IDs in the environment of the residential IP above, both from online databases and having someone there do a scan - nope, I think the problem here was the networks in range of the laptop were lowering the confidence of the location check

Finding a browser that doesn't incorporate Wi-Fi triangulation - none that I could find, including all the privacy-focused browsers like Brave. They let you turn off location, but none let you disable the Wi-Fi component.

At this point my thoughts were that I would have to find/write a custom driver or find some other way to get the wireless card to lie about which networks are nearby.... or find a way to crack the casino location service executable AND patch a browser not to rat on me.

There are no other sources of leaks from what I could tell. No other signals being detected by my laptop, no DNS or VPN leaks, it had to be the Wi-Fi triangulation.

I didn't want to do all that so instead just left a PC at home hooked up to a PiKVM and it worked perfectly.

edit: Forgot to mention you must have Wifi on the device or else it will block and ask you to enable it.


Did you try on a laptop without wifi enabled?


I added an edit at the bottom, not sure if you caught that on your page load. Wifi off or disabled is insta blocked.


Oh yeah I missed that. So a desktop computer can't play? Lame.


Ya know what, I didn't actually test that but I would assume. I've been on a laptop for a while and all my desktops have either a Wi-Fi card or it's built into the motherboard.

I did disable the driver and tried to make my laptop act as if it didn't have Wi-Fi at all, but I don't see how they could protect a desktop from what I was attempting above without Wi-Fi access.


> Self-VPN in target state on residential IP - nope, something else causing the fail

Might be caused by the VPN connection reducing the MTU, and the server detecting that.


Oh yes, good point. I'll try when I'm back home, currently in a no-online-gambling state.

As a tangent, I know there are Googlers here, but I have always been curious as to how low-level Google and the rest of FAANG inspects connections.

There are tons of data being leaked about which device or library or application or network you are using to connect to a service via these low level protocols and encryption schemes.

examplelib1.0 might reply to an ICMP before completing some other part of the state diagram while in 2.0 it's reversed. Or maybe the 2.0 handshake takes 2x as long on average. Quirks they might be called elsewhere.

Most people and developers aren't going to care or research or profile this, but I can only imagine with enough resources and risk on the line - this becomes important information to stopping spam or fraud and abuse.
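
Added example, not part of the thread or any commenter's code: a server-side sketch of the MTU signal suggested above, reading the MSS option from a client's TCP SYN and estimating how many bytes of encapsulation sit on the path. The function names, the 1500-byte baseline and the sample packets are assumptions made for illustration.

```python
import struct

ETHERNET_MTU = 1500   # assumption: an untunnelled client has a 1500-byte path
HEADERS = 40          # IPv4 header (20) + TCP header (20), no options

def tcp_mss(packet: bytes):
    """Return the MSS option of an IPv4 TCP SYN, or None if not a SYN / no MSS."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None                       # not IPv4 or not TCP
    tcp = packet[(packet[0] & 0x0F) * 4:]
    if len(tcp) < 20 or tcp[13] & 0x12 != 0x02:
        return None                       # truncated, or not a bare SYN
    opts = tcp[20:(tcp[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # end of option list
            break
        if kind == 1:                     # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                         # malformed option, stop parsing
        if kind == 2 and length == 4:     # MSS
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def encapsulation_overhead(packet: bytes):
    """Bytes missing from a 1500-byte path, as implied by the advertised MSS."""
    mss = tcp_mss(packet)
    return None if mss is None else max(0, ETHERNET_MTU - (mss + HEADERS))

def build_syn(mss: int, flags: int = 0x02) -> bytes:
    """Constructed sample packet (documentation addresses, no checksums)."""
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(opts), 0, 0x4000,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    tcp = struct.pack("!HHIIBBHHH", 50000, 443, 1, 0,
                      ((20 + len(opts)) // 4) << 4, flags, 64240, 0, 0)
    return ip + tcp + opts

if __name__ == "__main__":
    for mss in (1460, 1380):              # 1380 is a constructed tunnelled value
        print(mss, encapsulation_overhead(build_syn(mss)))
```

A non-zero result is a weak signal rather than proof of a VPN: PPPoE access links, for example, run at a 1492-byte MTU and advertise a smaller MSS with no tunnel involved.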


Can you run the betting app in an Android emulator, and then control all aspects of the environment?


I did not but this could work too. I'll have to give it a try. Seems to be a bunch of methods to detect if an app is being run inside an emulator but it does appear they can all be faked as well.

I must have been so focused on getting access to the desktop sites I didn't even think about the app.



