Plot hole: Nicky steals the EXR formula from Garriga's "server" by hacking it remotely within 48 hours. That's impossible. Garriga wouldn't carry his servers to race tracks. He needs only the fuel with which to race, not its formula. That means Nicky was left with penetrating air-gapped R&D servers inside Garriga's factory. This task is worth an entire film unto itself. It can't be done in 48 hours.
Plot hole: Garriga shows a small thumb-sized device, claiming it changes his password every 15 minutes, thus protecting his servers against brute-force attacks. In real life, remote servers are resilient to brute-force attacks because they restrict wrong guesses. Worse, changing the password every 15 minutes means Garriga would never know a password that can be reused indefinitely within 15 minutes! In real life, we use time-based one-time passwords (TOTP) and 2FA instead.
Answer: Absolutely. There are many people (especially people who work on high commissions and con men) who are well practiced in subtle cues with body language. The elaborate process they went through in the movie greatly increased the chances he would make such a pick, but there was no guarantee. However, it was constructed with personal knowledge of the target. Even more strange was the fact that a string of some of his reasonable bets went bad (the missed extra point, the pick of the card, etc). Had they all not gone bad, it would have disrupted his faked desperation to the multi-million dollar bet.