IN-DEPTH 6 June 2018
Fraud Prevention 101
Irenne Zbarsky, Lead Security Research Analyst, and Itay Kozuch, Director of Research from online security firm IntSights join consultant Peter Taylor to offer thoughts on fraud in the online casino industry, and suggest how operators can combat this increasingly pervasive threat
By Gambling Insider

What is the most common method of defrauding a gaming site?
IntSights: The most common fraud method on gaming sites is carding and identity theft (impersonation); it occurs in every industry, but in gaming and leisure this is the most emergent risk.

Carding is the usage of stolen or fake payment methods while bypassing authentication mechanisms set in place by gaming sites. Hackers share online lists of sites that are “cardable” - meaning sites that when accessed enable purchase using stolen cards to some extent.

Impersonation allows the player to act on behalf of another individual without their consent, usually with stolen accounts. Threat actors would also look for proxy servers using RDPs and SOCKS5 VPN, through which they’d be able to conduct carding and impersonation.

When the impersonation happens with consent (such as in an affiliation scheme), the experienced player uses TeamViewer in order to play on behalf of a newbie - enjoying their privileges and scamming the gaming site in return for profit percentages.

Peter Taylor: A common method is ‘card not present’ fraud by professional hackers. They specialise in using credit card details purchased from the dark web. Committing the fraud is the next stage; the professional fraudster will have an account which they control (usually offshore), and it is often in their name, a family member’s name, or an identity that they use for that site alone.

They will not use that account for a fraud, but use it to feed money into, once they are satisfied that there is sufficient distance between that account and the fraud. Getting the money into that account is a skill of its own. Where an account takeover takes place, the gambling provider will pay the winnings into the dupe’s account, or only allow it to be drawn into that account. They then move it through several accounts before paying it into their safe account.

How are fraudsters teaming up to attack gaming sites?
IntSights: Fraudsters do their networking in dedicated locations (meeting places) for cyber criminals, and through private encrypted chats. Such places can be encrypted IM platforms, closed hacking forums and paste sites, for example. Attackers also use encrypted infrastructure such as Jabber and TeamViewer in order to execute conjoined attacks that include impersonation.

Peter Taylor: The dark web provides an incredible landscape where criminals help each other, and sell information for unlawful purposes. If your company lets a fraudulent transaction through easily, the ‘good news’ is quickly spread to other fraudsters. You can even buy detailed guides on how to commit every type of fraud.

What’s your advice on handling a data breach where customer info has been taken?
IntSights: When a gaming website is breached, it is recommended to identify the amount, size and type of data. Most importantly, the owners should perform a full forensic disclosure including impact analysis, in order to evaluate the type and amount of the damage. It is important to check the source of the leaked data in order to understand if it originates in the admin systems, or from the customer's end. Such data leakage might be due to malware infection or security faults. There is also a possibility of insiders who sell sensitive data outside the gaming company.

If the data was leaked from the customer side, they might be infected by malware themselves, and it is also important to check whether there is anything in common between them - are they accessing their accounts from mobile services? Are they registered in a specific local branch of the company, or using any specific third-party services? There might also be a campaign targeting the industry’s customers. When the data was leaked from the website’s admins, it is important to check whether the systems were compromised by malware or phishing, and whether the site had vulnerabilities that allowed this breach to happen.

In any case, it is important to notify customers and employees in order to change their passwords, and payment methods (if possible). Furthermore, allocating resources to check the vulnerabilities and other soft parts of both the website and admin system is very important in order to protect the site from future breaches.

It is also recommended to update and patch all embedded technologies, and to block IOCs of known malware that might allow or enhance the breaches.

Peter Taylor: Depending on your location you must comply with the legal notification requirements. That is certainly the area we most commonly get involved in. You may be able to resolve and retrieve data. If regulators get involved you will be able to show that you have promptly taken steps to prevent any further breaches, and that you take the matter seriously. This may also help to minimise or prevent any fines being applied by the regulator.

How should a gaming company respond when they find out a player’s credentials are being used by a fraudster?
IntSights: Gaming sites can use various systems to assess the behaviour of returning gamers and build their gaming profiles. Then, they can detect anomalies in the player’s behaviour, and if it significantly differs from the original profile related to the used credentials, the systems can alert that the credentials, or a payment method, might be stolen.

Gaming companies can also use monitoring platforms using tailor-made intelligence in order to know in advance whether data and credentials were stolen or leaked, whether payment methods are stolen or fake, and when this happened.

Peter Taylor: The science is available to confirm that the person placing the bets is using the same email address, internet provider, device and location usually used by the customer. This is getting a little harder with the increase in use of mobile phones compared to personal computers, however, someone living in Birmingham placing a bet on Tuesday is unlikely to place a bet from Moldova on Wednesday morning and Lithuania at lunchtime.

If there is doubt, don’t pay out. Contact the customer and ask for confirmation of ID and a question from their registration or bet history to confirm they are who they say they are. That will put most fraudsters off. You might get the added complication then of a customer who hasn’t placed a bet wanting the winnings.
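Detection logic of the kind the two answers above describe, as an added example (not code from IntSights, Peter Taylor or Gambling Insider): a constructed customer profile and bet history following the Birmingham / Moldova / Lithuania scenario, scored on email, ISP, device and country consistency, with a great-circle impossible-travel check; the profile, weights, thresholds and sample data are all assumptions.

```python
import math
from datetime import datetime

# Constructed sample data (not from the article): a customer's usual profile and
# a short bet history that follows the Birmingham / Moldova / Lithuania scenario.
PROFILE = {"email": "player@example.com", "isp": "ISP-UK-EXAMPLE", "device": "dev-A1", "country": "GB"}
BETS = [
    {"ts": "2018-06-05T20:10", "country": "GB", "lat": 52.49, "lon": -1.89,   # Birmingham, Tuesday
     "email": "player@example.com", "isp": "ISP-UK-EXAMPLE", "device": "dev-A1"},
    {"ts": "2018-06-06T09:30", "country": "MD", "lat": 47.01, "lon": 28.86,   # Moldova, Wednesday morning
     "email": "player@example.com", "isp": "ISP-MD-EXAMPLE", "device": "dev-Z9"},
    {"ts": "2018-06-06T12:45", "country": "LT", "lat": 54.69, "lon": 25.28,   # Lithuania, lunchtime
     "email": "player@example.com", "isp": "ISP-LT-EXAMPLE", "device": "dev-Z9"},
]
WEIGHTS = {"email": 3, "device": 2, "country": 2, "isp": 1}   # assumed risk weights
MAX_KMH = 900.0       # faster than a scheduled flight: physically implausible
HOLD_THRESHOLD = 3    # score at or above this: hold the payout and verify identity

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def score_bet(profile, prev, bet):
    """Risk score for one bet against the profile and the previous bet, with reasons."""
    score, reasons = 0, []
    for key, w in WEIGHTS.items():
        if bet[key] != profile[key]:
            score += w
            reasons.append(f"{key} differs from profile")
    if prev is not None:
        hours = (datetime.fromisoformat(bet["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
        km = haversine_km(prev["lat"], prev["lon"], bet["lat"], bet["lon"])
        if hours <= 0 or km / hours > MAX_KMH:
            score += 3
            reasons.append(f"implausible travel: {km:.0f} km in {hours:.1f} h")
    return score, reasons

def payout_decisions(profile, bets):
    """Per bet: 'pay' or 'hold' (hold = contact the customer and confirm ID / registration details)."""
    out, prev = [], None
    for bet in bets:
        score, reasons = score_bet(profile, prev, bet)
        out.append(("hold" if score >= HOLD_THRESHOLD else "pay", score, reasons))
        prev = bet
    return out
```

The Moldova and Lithuania bets are held because device, country and ISP all deviate from the profile, not because the travel is impossible; the speed check only fires on a genuinely unreachable hop.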

What can we learn from fraud committed in other online industries?
IntSights: Whenever an online company possesses a valuable asset, it can be potentially stolen, exploited or compromised. In the online gaming industry the valuable assets are payment data, in the healthcare industry it is medical data. It is important to follow up on all major attacks in online industries, because most of them can be replicated using the same tools, schemes and social engineering techniques.

Peter Taylor: Once a vulnerable payment system has been found it is widely circulated via the dark web or other channels. It’s a bit like the guy who finds an ATM is issuing £20 notes instead of £10 notes who phones all his friends. The only advantage you have is that if you quickly identify the problem, the same channels promptly inform fraudsters that you are now off-limits. MI with the right metrics is key to this. You really don’t want a card provider telling you that you had huge volumes of fraud last month. You need to spot it yourself. Alternatively, get ready for those chargebacks.

Fraudsters often identify targets within an organisation in order to gain access to networks. How can gaming companies defend themselves against this?
IntSights: Fraudsters indeed target employees, usually by using phishing methods and infecting the whole organisational network via one or more employees that opened a malicious email. It is usually done by registering a domain that is very similar to the company’s original domain, thus confusing the employee into thinking that the malicious mail was sent by a colleague.

Once the email and/or the attached file is opened, malware penetrates the system and can spy, steal, control or damage sensitive data and commands in the organisational network.

There are several ways to protect the organisation from this threat: technical and social.

Technically, this threat can be prevented by monitoring the potential phishing domain upon its registration, and blocking it in advance in the company’s mail gateway or firewall. Also, in clear cases of phishing attempts, you can ask the authorities to remove the existing fake domain.

Socially, it is crucial to raise the employees’ awareness regarding the threat in question and train them to work securely with their emails and workplace accounts. They should never click on suspicious emails, and they should inform the IT team immediately about them. Employees should never use unfamiliar removable media (USB / CD) and never update programs from an unauthorised website. The management, IT and HR teams should be aware of the potential threats, and pass this on to the rest of the employees as well.
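The registration monitoring IntSights recommends, as an added example (not IntSights’ or the publication’s own tooling): newly registered domains are screened for lookalikes of the operator’s own domain and the hits become a mail-gateway blocklist; the operator domain example-casino.com, the registration feed and the homoglyph table are constructed assumptions.

```python
# Lookalike-domain screening: constructed sample data, not from the article.
COMPANY_DOMAIN = "example-casino.com"   # hypothetical operator domain

NEW_REGISTRATIONS = [                   # constructed "newly registered domains" feed
    "exarnple-casino.com",              # rn -> m homoglyph
    "example-casin0.com",               # 0 -> o
    "examplecasino.com",                # hyphen dropped
    "example-casino-support.net",       # brand plus a plausible suffix
    "unrelated-shop.org",
    "example-casino.com",               # the real domain itself, must not be flagged
]

HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]

def normalise(label):
    """Fold common look-alike character sequences so visually similar labels compare equal."""
    label = label.lower()
    for seq, rep in HOMOGLYPHS:
        label = label.replace(seq, rep)
    return label.replace("-", "")

def levenshtein(a, b):
    """Standard edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def second_level(domain):
    return domain.lower().split(".")[0]

def lookalike_reason(company, candidate):
    """Return why `candidate` resembles `company`, or None if it does not."""
    if candidate.lower() == company.lower():
        return None
    brand, label = normalise(second_level(company)), normalise(second_level(candidate))
    if label == brand:
        return "same label after homoglyph/hyphen folding"
    if levenshtein(label, brand) <= 1:
        return "edit distance 1 from brand"
    if brand in label:
        return "brand embedded in label"
    return None

def blocklist(company, feed):
    """Domains from the feed worth blocking at the mail gateway, with the reason for each."""
    hits = []
    for domain in feed:
        reason = lookalike_reason(company, domain)
        if reason:
            hits.append((domain, reason))
    return hits
```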

Peter Taylor: Why hack when an insider can give you the information? It is far cheaper, far easier, and harder to detect. Have you got a whistleblower system that works, or just looks nice if the regulator looks at it? Are your people wise to the fact that they may be approached? Do they have their occupation on their Facebook account? Do your management know how to spot an employee having difficulties or behaving differently? These are important questions you need to be asking to avoid the threat of inside actors jeopardising your security.
IN-DEPTH 4 September 2019
Virtual reality: Creating next-gen experiences for players

Singular CEO George Shamugia discusses a new revenue stream for casino operators

The competition in online gaming is intensifying, with players becoming more and more demanding. In some markets, single-customer acquisition costs can reach up to €400 ($440) alongside growing churn rates. Furthermore, the online gaming sector struggles to attract one of the most lucrative groups of players – millennials. The experience provided by casinos no longer appeals to the younger generation.

On the other hand, the video gaming industry perfectly understands the needs of millennials and by introducing elements of luck in their games offers the best of both worlds. With the launch of loot box systems and Grand Theft Auto’s in-game casino, we have seen their first successful steps in targeting the online gaming sector. GTA V online, with 33 million active players, recently opened an in-game casino, where players gamble real money on games such as poker, roulette, slots, etc. As a result, churned users returned and GTA Online reached the highest number of active players since its launch in 2013.

The online gaming industry has almost fully utilised the potential of the mobile medium. The time has come to look for new, innovative ways of delivering a next-gen experience to customers.

The potential of VR

Could the next big thing for online gaming be a fully fledged virtual reality (VR) casino delivering an immersive experience and limitless new opportunities?

Although not widely adopted yet, VR has a sizable number of customers. Analysts predict it’s poised for explosive growth to become mainstream in about five years. According to market intelligence firms, the VR market will be worth $117bn by 2022, and according to Juniper Research bets made through VR will reach $520 billion by 2021. Upcoming 5G mobile network technology will propel VR’s mass adoption by allowing the development of fully portable untethered and affordable VR headsets.

Different level of social interaction

The captivating nature of gambling comes from its social aspect. Unfortunately, personal interaction is widely missing from online gambling sites. VR technology creates multiple opportunities to bring back and even enhance that social moment. The ability to connect with other players is one of the main reasons behind Fortnite’s popularity. This form of co-experience is the next generation of entertainment. Research conducted by Facebook has found participants spend more time on VR compared to any other medium. This directly translates into increased profits for casinos.

PokerStars has made efforts in this direction by implementing Voice UI. Instead of using hand controllers to make a call, pass, or raise, players give voice commands.

Another opportunity for bringing in the social element is the players’ avatars. They enable players to build their identity reflected in the avatars’ appearance, but also the avatar's social, competitive and community status. For instance, players are willing to pay real money for virtual drinks at the bar. Operators can offer these social touchpoints for free to VIP customers as an act of appreciation.

VR also brings a new dimension to customer support. Customer support can also be represented with avatars to assist the player in person. The social moment increases the LTV of players and contributes towards lower churn rates.

Rethinking game design

VR is a far more capable medium than a 2D mobile or desktop screen. Instead of copying the existing online experience, games must be redesigned from the ground up for a competitive advantage with VR. For example, a VR slot game can become fully immersive by teleporting the user into the slots’ world of Ancient Egypt. Next, enrich the experience with high-fidelity graphics, realistic spatial sounds and animations. When betting on virtual race cars, the user can be teleported inside the car he/she made a bet on and experience the race firsthand.

New revenue streams

VR casino lobbies create new revenue stream opportunities: ad placement of brands on the venue walls, company logos decorating the bar etc. This kind of branding is not intrusive in the VR space and feels natural from the user's perspective. VR also gives users the ability to change venues from a Las Vegas casino today, to Macau or even a casino on Mars, the very next day. The dynamic and diverse experience increases retention rates.

The majority of profits for online gaming operators come from their high-roller players. Although they represent a small subset of active players, an operator can launch a separate VR casino brand for them. Providing exclusive VR gaming experiences to high rollers/VIPs, the operator can minimise churn and maximise VR efforts for these player demographics.

The catch with VR is to focus on quality, rather than scale. The target audience might be limited, yet once these players experience it, they will become ambassadors for your offering.

Surely, the opportunities and possibilities offered by the VR medium truly exceed anything offered by mobile and desktop. VR is a new frontier not just for gaming but for every industry, and it’s exciting to see where it takes the industry and what kind of innovation it brings upon us.