Skip to main content

5 posts tagged with "ontario"

View All Tags
MissedComplianceMITM / replayUX / messaging

GeoLocs / mkodo — Casumo Casino (QC/ON border): KYC bypass with fake Quebec address; Ontario licence suspended May 14

GeoLocsCasumo Casino
geolocsmkodocasumoontarioquebec

Source. June 23, 2026 weekly sync.
Ticket. CIV-55: mkodo / GeoLocs — full validation.

What we tested

Full validation of mkodo's GeoLocs product via Casumo Casino, tested from the Quebec side of the Ontario–Quebec border. Casumo's Ontario licence was suspended May 14 — relevant context for the operating posture during testing.

What happened

Compliance gaps

  • KYC bypassed with fake Quebec addressOntario ID and Ontario billing address both accepted; $10 deposit completed despite contradictory jurisdiction documentation.

Blocks / working detections

  • Ontario users correctly blocked from registering in-province.
  • ⚠️ DevTools intermittently detected on Mac.
  • Hardware locale evaluation — Canadian-purchased iPhone shown a maintenance page (US iPhone worked — likely device locale detection).

UX issues

  • Games failed to load across all platforms and scenarios under normal conditions — app largely non-functional in QC.

Why it matters

The KYC bypass is a direct regulatory exposure independent of geolocation accuracy: fabricated Quebec credentials plus contradictory Ontario documentation still produced a funded account. The Quebec gaming failures mean the platform is effectively unusable in that territory today — but the KYC gap would matter on any functional deployment path.

Cross-reference

GeoLocs profile → · June 23 weekly sync →

MissedBoundary crossingRemote accessVPNNear border

Locance (LocationSmart) / Luxury Casino Ontario: cross-border play, RDP, and Android VPN gaps; Mac VPN blocked

LocanceLuxury Casino
locancelocationsmartluxury-casinoontarioquebec

Source. June 16, 2026 weekly sync.
Ticket. CIV-54: Locance (LocationSmart) — full validation.

What we tested

Integration validation of Locance (LocationSmart) on Luxury Casino Ontario — cross-border movement between Ontario and Quebec, remote access (TeamViewer, AnyDesk, HopToDesk on desktop and Android), VPN usage across Mac / Android / iOS, and near-border location accuracy on iOS.

What happened

AreaResultNotes
Cross-border play (ON ↔ QC)✗ Non-compliantWagering was possible for multiple kilometres across the provincial boundary in both directions with no friction.
Remote access (TeamViewer, AnyDesk, HopToDesk)✗ UndetectedGameplay continued with active remote control on desktop and Android solutions with little to no friction.
VPN — Mac✓ DetectedVPN / proxy usage was identified; platform access denied.
VPN — Android✗ UndetectedActive VPN tunneling was not blocked; user authenticated and wagered.
VPN — iOS⚠️ Blocked, no UXAccess was denied with VPN enabled, but no error message or troubleshooting guidance was shown.
Near-border UX (iOS)✗ Poor accuracy~100–150 m from the border the app placed the user in Quebec despite a physical Ontario location.

Why it matters

Locance failed on the two vectors regulators care about most on a border-adjacent Ontario deployment: jurisdictional containment (cross- border play for kilometres) and remote session control (three major RDP tools undetected). VPN handling is inconsistent across platforms — Android is fully open, iOS blocks silently — which is both a compliance gap and an operator-support problem. The near-border mis-location suggests geofence accuracy degrades exactly where enforcement should be strictest.

Cross-reference

Locance profile → · June 16 weekly sync →

MissedRemote accessFake GPS appProxy

Locance (LocationSmart) / Luxury Casino Ontario: remote-access block fails on a single retry; iAnyGo GPS spoof undetected

LocanceLuxury Casino
locancelocationsmartluxury-casinoontariordp

Source. June 8, 2026 weekly sync.
Ticket. CIV-53: Locance (LocationSmart) Ontario — remote access retest.

What we tested

A remote-access retest of Locance (LocationSmart) on Luxury Casino Ontario, with the tester operating from Tennessee. Two angles: desktop remote access (TeamViewer & AnyDesk) and GPS location spoofing (iAnyGo).

What happened

  • Remote access (TeamViewer & AnyDesk, desktop) — block did not hold. An initial geolocation check showed an error when the tester attempted to access a Luxury Casino Ontario session remotely from Tennessee. However, after a single retry, access was granted and bets were placed — the block did not hold on the second attempt.
  • ⚠️ GPS location spoofing (iAnyGo) — blocked only indirectly. Location spoofing was blocked, but not by GPS-anomaly detection: Luxury Casino requires a Canadian internet connection (via VPN) to load, and that VPN was detected as a proxy. The GPS spoof itself did not trigger any detection.

Why it matters

Two shallow, retry-fragile defences:

  1. The remote-access block is not durable. A single retry defeats it, which is effectively no protection against a persistent attacker — the first error reads as transient rather than a hard stop.
  2. The GPS spoof went undetected on its own merits. The only thing that stopped it was the proxy flag on the required Canadian VPN. Remove or launder that dependency (e.g. a residential Canadian connection) and the GPS spoof is unguarded.

Both findings are relevant for competitive positioning against operators considering Locance in Ontario.

Cross-reference

Locance profile → · June 8 weekly sync →

MissedComplianceProxy

Locance (LocationSmart) Ontario: real-money deposit with no identity check + detection rules exposed in API

locancelocationsmartontariocompliancekyc

Source. June 2, 2026 weekly sync.
Ticket. CIV-53: Locance (LocationSmart) Ontario — compliance and security gaps.

What we tested

Locance (LocationSmart), a geolocation provider active in Ontario. Two angles: the account-onboarding and deposit flow, and the content of the API response when connecting from outside the jurisdiction.

What happened

  • No identity / location verification. A tester completed account registration and a real-money Interac deposit without ever being asked to verify identity or location — a step that should be mandatory under Ontario iGaming compliance rules.
  • Detection logic exposed in plain text. Connecting from a Singapore IP, the API response visibly named the exact detection rules that were triggered — e.g. IP proxy detected, IP hosting provider.

Why it matters

Two distinct problems on one provider:

  1. The identity-verification gap is a direct compliance failure. Completing a real-money deposit with no KYC step is a regulator-facing defect under Ontario rules.
  2. The exposed detection logic is a security weakness. Any technically sophisticated fraudster intercepting the response learns precisely which rules they need to evade, and can tune their attack accordingly.

Both findings are relevant for competitive positioning against operators considering Locance.

Cross-reference

Locance profile → · June 2 weekly sync →

MissedVPNComplianceUX / messaging

GeoLocs / mkodo at OLG (Ontario): VPN-from-Ontario allowed when location services are on; Netherlands VPN only blocked on re-entry, no user-facing error

GeoLocsOLG (Ontario Lottery & Gaming)
geolocsmkodoolgvpnontario

Source. May 26, 2026 weekly sync.
Ticket. CIV-52: Ontario — mkodo / GeoLocs — Compliance Failures & Retest (Casumo, High Flyer, OLG).

What we tested

Two VPN scenarios against the OLG (Ontario Lottery and Gaming) web app, geolocated by GeoLocs / mkodo:

  1. Ontario-based VPN — exit-node inside the licensed jurisdiction.
  2. Netherlands-based VPN — out-of-jurisdiction exit node.

In both cases device location services were left active so the system had a real GPS signal alongside the VPN IP.

What happened

  • Ontario-based VPN was authorised when location services remained active. Unrestricted gameplay and wagering were permitted — the VPN itself was not flagged.
  • Netherlands-based VPN did not trigger any immediate session termination. The user was able to keep playing.
  • Detection only fired on re-entry — when the user exited a game and tried to come back in, the system finally prohibited access.
  • No explanatory error notification was shown to the user at the point of block. Silent failure on a compliance event.

Why it matters

Two distinct failure modes in one test:

  1. VPN-tolerance when device GPS agrees. A VPN with an in-state exit-node is fine, even though VPN-detection is a normal column of any modern compliance stack. Anyone wanting to obscure their network identity inside Ontario faces no friction.
  2. Late, silent block on out-of-state VPN. The system does eventually detect the Netherlands VPN, but only at a session boundary — and tells the user nothing. From the user's perspective the platform "just stopped working."

This combines into a UX-and-compliance double failure: the wrong thing is allowed, the right thing is detected too late, and the user is never told what happened.

Cross-reference

GeoLocs profile → · May 26 weekly sync →