Skip to main content

2 posts tagged with "ciV-53"

View All Tags
MissedRemote accessFake GPS appProxy

Locance (LocationSmart) / Luxury Casino Ontario: remote-access block fails on a single retry; iAnyGo GPS spoof undetected

LocanceLuxury Casino
locancelocationsmartluxury-casinoontariordp

Source. June 8, 2026 weekly sync.
Ticket. CIV-53: Locance (LocationSmart) Ontario — remote access retest.

What we tested

A remote-access retest of Locance (LocationSmart) on Luxury Casino Ontario, with the tester operating from Tennessee. Two angles: desktop remote access (TeamViewer & AnyDesk) and GPS location spoofing (iAnyGo).

What happened

  • Remote access (TeamViewer & AnyDesk, desktop) — block did not hold. An initial geolocation check showed an error when the tester attempted to access a Luxury Casino Ontario session remotely from Tennessee. However, after a single retry, access was granted and bets were placed — the block did not hold on the second attempt.
  • ⚠️ GPS location spoofing (iAnyGo) — blocked only indirectly. Location spoofing was blocked, but not by GPS-anomaly detection: Luxury Casino requires a Canadian internet connection (via VPN) to load, and that VPN was detected as a proxy. The GPS spoof itself did not trigger any detection.

Why it matters

Two shallow, retry-fragile defences:

  1. The remote-access block is not durable. A single retry defeats it, which is effectively no protection against a persistent attacker — the first error reads as transient rather than a hard stop.
  2. The GPS spoof went undetected on its own merits. The only thing that stopped it was the proxy flag on the required Canadian VPN. Remove or launder that dependency (e.g. a residential Canadian connection) and the GPS spoof is unguarded.

Both findings are relevant for competitive positioning against operators considering Locance in Ontario.

Cross-reference

Locance profile → · June 8 weekly sync →

MissedComplianceProxy

Locance (LocationSmart) Ontario: real-money deposit with no identity check + detection rules exposed in API

locancelocationsmartontariocompliancekyc

Source. June 2, 2026 weekly sync.
Ticket. CIV-53: Locance (LocationSmart) Ontario — compliance and security gaps.

What we tested

Locance (LocationSmart), a geolocation provider active in Ontario. Two angles: the account-onboarding and deposit flow, and the content of the API response when connecting from outside the jurisdiction.

What happened

  • No identity / location verification. A tester completed account registration and a real-money Interac deposit without ever being asked to verify identity or location — a step that should be mandatory under Ontario iGaming compliance rules.
  • Detection logic exposed in plain text. Connecting from a Singapore IP, the API response visibly named the exact detection rules that were triggered — e.g. IP proxy detected, IP hosting provider.

Why it matters

Two distinct problems on one provider:

  1. The identity-verification gap is a direct compliance failure. Completing a real-money deposit with no KYC step is a regulator-facing defect under Ontario rules.
  2. The exposed detection logic is a security weakness. Any technically sophisticated fraudster intercepting the response learns precisely which rules they need to evade, and can tune their attack accordingly.

Both findings are relevant for competitive positioning against operators considering Locance.

Cross-reference

Locance profile → · June 2 weekly sync →