24 May 2019

Editor’s inbox: Is It Possible For Online Casinos To Be Rigged?

UK-licensed online casinos use random number generators to ensure game outcomes are 100% random and fair. We talk to Alvin Rizaldi at iTech Labs to learn more about how they work and how the prevent online casinos from being rigged

editors inbox image

One of the most common email subject headings we see land in the Find My UK Casino inbox each week is “Are online casinos rigged?”.

Despite the many steps operators must take to ensure game outcomes are random and fair in order to obtain a licence from the UK Gambling Commission (UKGC), trust among players remains low.

In fact, in its latest participation report, the UKGC found that only 30% of respondents thought that gambling was fair and could be trusted.

This is a little surprising when you consider that UK-licensed online casinos use random number generators (RNGs) to decide the outcome of games – at random, as the name suggests.

Not only that, but RNGs have to be tested by independent third parties to ensure they are actually random and that they are working as they should be.

In addition to this, each game has a return to player (RTP) – the amount the game pays back to players – which must also be tested and verified.

Most players are unaware of random number generators, how they work and why they mean that online casinos can’t be rigged. The same can be said for RTPs.

To help explain RNGs and RTPs, and how they are tested and verified, we spoke to Alvin Rizaldi, Chief Commercial Officer at independent testing house, iTech Labs.

Alvin ITec Labs

Alvin Rizaldi, CCO at independent testing house, iTech Labs

FIRST UP, WHAT IS A RANDOM NUMBER GENERATOR AND HOW DOES IT WORK:

“An RNG is a hardware device (HRNG) or a software programme (Pseudo RNG or PRNG) that generates a sequence of numbers that cannot be predicted. To do this, online casinos use tested and certified hardware RNGs or software algorithms to generate the random numbers,” Alvin says.

“They are used in slots games to determine the symbols that land with each spin, for shuffling the decks in card games and for drawing balls in games like bingo and lottery. They also work across both desktop and mobile.”

Still a bit confused? Let’s take a slot game such as Big Time Gaming’s Bonanza, which can be played at UK-licensed online casino sites such as Foxy Casino and Unibet, as an example.

The RNG fires into action as soon as you hit “spin” and uses its algorithm to generate a number that determines which symbols land on the reels and thus determines the outcome of the game.

Random numbers translate into a specific set of numbers that match the symbols on the reels. The player can then see whether they have won or lost.

If this is still a little technical, think of a random number generator as a string of lights but where only one bulb can be lit at any given time.

When you hit “spin” the electrical current runs up and down the wire, passing through the bulbs, before selecting one at random to illuminate.

The light represents the winning number selected by the RNG (and thus the corresponding symbols).

SECONDLY, WHAT IS THE RETURN TO PLAYER?

“The return to player is the ratio of money won to bets placed,” says Alvin. “So if money won is £90 and bets placed is £100, the RTP of that game is 90%.”

Most slot games have an RTP of around 96.5% which means that for every £100 wagered on that game, £96 is payed back to players.

That said, this is just an average and does not mean that for every £100 you wager you will get £96 back. One player may win £500 while another may loose £1,000.

TESTING RNGS AND RTPS MEANS UK-LICENSED ONLINE CASINOS CANNOT BE RIGGED:

Of course, RNGs and RTPs alone don’t stop online casinos from being “rigged” and that is where independent testing houses such as iTech Labs come in.

They spend two to three weeks testing all aspects of random number generators, and additional time testing the return to player for each game, to ensure they are indeed random and that everything is working as it should be.

All UK-licensed online casinos and game developers are required to undergo independent third-party testing by the Gambling Commission.

“To prevent rigging, random number generators and games must be independently certified and all critical code for RNGs, pay tables and game logic must be baselined and monitored,” says Alvin.

“Our test methodology includes examination of source code, compiling the code and generating numbers, conducting die-hard tests on the numbers generated by the algorithm and conducting chi-square tests on the much smaller scaled numbers used by the games.”

JARGON BUSTING:

A die-hard test is… a battery of statistical tests for measuring the quality of a random number generator. These tests are done at the bits level (1’s and O’s) using 80 million bits generated by the RNG for each test (in computers at the hardware level, each number exist in binary form using the digits 1’s and 0’s only).

 A chi-square test is… conducted on the actual numbers used by the games to make sure all possible numbers have equal probability of occurring. For example, in a 90-ball bingo game, these tests ensure that each of the 90 numbers have equal probability of occurring.

THESE ARE THE STEPS ITECH LABS TAKES WHEN TESTING RNGS:

Alvin says that testing is done in three stages and includes the following:

1. Examination of source code and compilation:

  • Identification of RNG algorithm and researching known weaknesses
  • Verifying internal state of RNG
  • Verifying that the RNG implementation caters for unpredictability and non-repeatability requirements
  • Verifying seeding, background cycling and minimal re-seeding
  • Verifying the use of the random numbers, including scaling and shuffling
  • Compiling the RNG code (after all code issues are resolved)

2. Raw numbers generated by the RNG algorithm are subjected to “diehard” tests

3. Generating sample scaled output and applying “chi-square” tests.

If the RNG passes all of the above it is certified and this certification is valid for as long as the source code remains the same. If the source code is changed, the RNG must be re-tested.

But do any RNGs fail these tests? And what happens if they do? Alvin explains:

“We usually find many issues during the code review process and these are reported back to the customer. The customer can then fix these issues and send an updated code for review. This continues until all code issues are fixed.

“Once this has been done, we then conduct the various tests outlined above. During testing we may still find issues which again are reported to the customer for fixing.

“Any serious issues such as a bad algorithm are identified at the code review stage and the customer is asked to re-submit the code using one of the well-known public domain algorithms.”

These are the well-known public domain algorithms:

  1. Mersenne Twister (MT)
  2. ISAAC 64
  3. Fortuna
  4. SHA1, MT+SHA1
  5. WELL1024A, WELL512A
  6. MD5 hash

AND THIS IS HOW RTPS ARE TESTED:

The return to player is a little easier to test for simpler games as they are tested using mathematical equations on a spreadsheet.

That said, more complex games are subject to a complex simulation process where all rules, game logic and pay tables are implemented independently of the game in a separate programme.

This programme is run automatically millions of times over and then the total wins to bets ratio is calculated and compared with the number provided by the game developer.

If it is a match, the RTP is approved and certified. If it is not a match, investigations are conducted to identify the reason for the mismatch.

Game certification also includes additional testing to ensure game rules and artwork match game functionality, and to verify pay-outs and examine source code for the critical part of the game logic.

HOW TO CHECK THAT RNGS AND RTPS HAVE BEEN TESTED:

Most UK-licensed online casino operators are proud of their RNG certificates and display a link to the independent testing house on the footer of their website.

In addition to iTech Labs, other reputable testing labs include Gaming Laboratories International and eCOGRA.

For operators that have been tested by iTech Labs, if you click on the logo at the footer on the homepage it will take you to the iTech Labs website and the operator’s original certificate.

If an operator has been tested by iTech Labs it will display its logo at the bottom of its homepage

Click the logo to see the operator’s iTech Labs certificate

Alternatively, you can contact customer support and ask one of the agents to provide you with a copy of its most recent RNG certificate.

In terms of RTP, you can usually find this by clicking the information tab in the game window. If you’d like to see the RTP certificate just ask customer support and they will be able to provide it.

These are three Find My UK Casino recommended sites that have had their RNGs tested by iTech Labs and which share a link to their certificate on their homepage:

FINALLY, THE INDEPENDENT TESTERS ARE INDEPENDENTLY TESTED:

As a final safeguard, independent testing houses such as iTech Labs are subject to independent audits themselves to ensure their processes and procedures are above board.

Every two years it is subject to a thorough audit by the International Organisation for Standardisation and holds ISO/IEC 17025 and ISO/IEC 17020 accreditation.

All of this means that UK-licensed online casinos are reputable and fair, and that game outcomes simply can’t be rigged.

Alvin says: “You can be sure that online casino software running under a UK license is independently tested and regularly audited.

“If you are still uncertain, look out for online casinos that have been tested by iTech Labs to be totally sure their RNGs and RTPs are working as they should be!”

If you have any more questions about online casino fairness, RNGs or RTPs you can contact the Find My UK Casino team here.

Share This