XPoint / BetRivers PA: CIV-88 retest — FaceTime RDP sustained for 1 hour; Tailscale Mac-to-Mac RDP undetected
Source. June 30, 2026 weekly sync.
Ticket. CIV-88: BetRivers PA — advanced spoofing review (retest).
What we tested
Two additional spoofing checks from the June 23 CIV-88 cycle, confirmed during the week ending June 30:
- FaceTime RDP — sustained session duration
- Tailscale Mac-to-Mac RDP — detection reliability
Both against BetRivers Pennsylvania (XPoint).
What happened
1. FaceTime RDP — 1-hour confirmed session
- ✗ A tester in New Jersey remotely controlled an iPhone in Pennsylvania via Apple's built-in FaceTime screen sharing.
- ✗ The session ran for a full hour — bets placed continuously on both sportsbook and casino throughout.
- ✗ No block or interruption at any point.
This confirms the initial FaceTime gap is not a brief window at login — it is an open, sustained exposure for the full session duration.
2. Tailscale Mac RDP — detection failed
- ✗ Two Macs paired under one Tailscale account.
- ✗ An out-of-state device initiates remote control of an in-state (PA) host via native macOS screen sharing (Finder).
- ✗ No local interaction required on the host — the remote connector receives full control.
- ✗ The geolocation check passes against the host's in-state position.
Why it matters
Both retests deepen the Pennsylvania compliance picture from June 23:
- FaceTime — the gap is now quantified as hour-long, not transient. Any operator conversation about "we catch it eventually" is contradicted by a full session of uninterrupted wagering.
- Tailscale + macOS — the same unattended desktop-control pattern that GeoComply blocked on FanDuel NJ the same week remains undetected on BetRivers PA / XPoint.