26 March, 2021 | MAR APR 2021

An Ever-evolving Threat

With contributions from Continent 8, Jumio and Big Cyber, Tim Poole analyses the biggest cyber security trends of 2021, as the Covid-19 pandemic exacerbates an already-vital area of concern for gaming firms

As has been well documented within the pages of this magazine, online gaming is booming. With whole populations homebound across the world, players are digitalising their entertainment sources in droves – a shift already underway years prior to the pandemic, and one seen as permanent rather than temporary. But with significant increases in online usage comes significantly increased risk, especially with many businesses still operating remotely across the globe. Indeed, while the cyber space is growing, so too are the ever-increasing cyber threats that dwell within it.

Earlier this year, Miracl CEO Rob Griffin spoke to Gambling Insider about account takeovers costing the gaming industry billions in 2021. Last year, meanwhile, Cynance CEO Stav Pischits featured in this magazine discussing the weaknesses of decentralised defence systems, when faced with such unprecedented levels of remote access to company networks. Even before the Covid-19 pandemic, cyber crime was on the rise and cyber security an increasingly pressing concern for gaming companies. Now, with those same problems compounded in a climate that organisations have to improvise to adapt to, Gambling Insider has sought industry expertise on the many challenges cyber security presents in 2021.

 

What are the biggest threats?

Cyber security as a defined term encompasses a number of areas. Much like gaming itself, you couldn’t write one article on ‘gaming;’ you would have to specify whether you mean suppliers, operators or affiliates, technology or marketing, which geographic area you are focusing on and so on. That said, when it comes to the specific cyber threats companies face, there are some that apply more to the gaming sector than others. Leon Allen, innovation director at Continent 8, is quick to highlight the particular threat of Distributed Denial of Services (DDoS): when a cyber attack can make a gaming site unavailable to its users.

“Continent 8’s opinions on the main cyber security concerns were actually echoed in the recent The Return of the Leaders and Legends webinar, which included, as panelists, senior leaders from FanDuel, Microgaming, Playtech, Scientific Games, 888 Holdings and DraftKings,” Allen explains to Gambling Insider. “They  spoke about the online gaming sector continuing to be plagued with the more ‘traditional’ type attacks such as DDoS, as well as the slightly more sophisticated methods at the application layer such as BOT and API attacks.

“Further, the meteoric growth of cloud adoption across the industry has resulted in the potential for cloud environments to not be fully secured, perhaps due to a lack of time or knowledge. Given there are so many people currently working from home, the boundaries of work and home have now merged from a psychological and, more crucially given this topic, a technological perspective. These changes have opened up many more attack verticals for bad actors looking to exploit individuals, or attack unsecured remote devices.”

The latter point is something Alexandru Petrescu, SVP at Big Cyber, is equally keen to highlight. With cyber threats both evolving in sophistication and increasing in frequency over the last 12 months, previous cyber security solutions have been stretched. Companies’ centralised approaches of past yeras have now left them more exposed to attacks in a remote world. A dependence on existing cyber security regulations can even add to the risk, Petrescu says. “Another threat is the belief that IT security requirements mandated by respective regulators equate to cyber security best-practice. They don’t,” he states. “This can give a false sense of security. Companies need to invest in cyber security solutions that provide security and clarity, placing safeguards to protect assets and operational continuity. Such an approach allows IT staff to concentrate on company cyber hygiene and staff training, further safeguarding the business.”

Petrescu is keen to add that criminals don’t use outdated software. In an ever-evolving space, hackers and cyber criminals update their software to be ahead of the cyber security measures taken by the market. He asks: why should gaming companies be any different in their approach? As threats grow, companies should be proactive and actively hunting threats 24/7. Being secure just isn’t enough anymore.

 

ID fraud – stopping at source

As Griffin previously told us, account takeovers are a major issue facing operators today, and even they are just one example of wider fraud. ID verification specialist Jumio specifically combats fraud and Anies Khan, the company’s director of sales EMEA, sees increasing digitalisation as a double-edged sword. As the popularity of online grew during the Covid-19 pandemic, he says, so too did the opportunities for fraudsters to scam players. “To deter cyber criminals, gaming operators must verify the real identity of their players,” Khan tells Gambling Insider. “By requiring an ID document and a corroborating selfie, operators can reduce friendly fraud and ensure the player creating the account is who they claim to be with a high level of assurance. Deploying a biometric-based identity verification solution will also protect gaming operators against losses associated with chargeback abuse. By confirming the identity of their players, operators have a better chance to prevent this type of friendly fraud, as it will be very difficult for an account holder to deny making a charge to an online gambling site if the charge was authorised with a selfie.”

Hackers can steal or spoof identities using a myriad of methods in the current climate. One such method is credential stuffing, which then results in account takeovers. “This is a result of the billions of personal records exposed in data breaches – there were 36 billion records breached in 2020,” Khan states. “It’s a type of cyber attack where automated bots use exposed account credentials to gain unauthorised access to user accounts. As 71% of accounts are protected by passwords used on multiple websites, credential stuffing is a key way in which attackers are able to successfully gain access to multiple accounts that could well include gaming accounts. Once logged in, users can change passwords, takeover the account and lock the real user out.”

AI-based technology can certainly assist in this area both now and in the long term. Organisations stand a better chance of fighting fraud, according to Khan, if they shift away from exclusively using data-based approaches such as passwords or answers, because AI can assist in document-centric identity proofing. AI can quickly match ID documents such as passports or driving licences, with a selfie of the user to connect real and virtual identities – much like you see at an airport with passport control.

 

The impact of Covid-19

Cyber security has always been a primary concern for digital businesses, just as cyber threats will inevitably grow as a greater volume of the world’s operations move online. Even land-based gaming organisations will have some kind of dependence on digital when it comes to their databases, marketing and even physical security systems, and this dependence will only grow with time. It is equally inevitable, however, that the Covid-19 pandemic has either accelerated these trends exponentially or created fresh concerns based on the ‘new normal’ organisations have been forced to adapt to.

Even pre-pandemic, DDoS and web application attacks were rising year-on-year. The costs of generating an attack are constantly lowering, thanks to a greater availability of devices to attack with, cheap bandwidth availability and so on. Something else Miracl CEO Griffin told us at the start of the year was that account takeovers are similarly low-cost and high-profit. The total cost of hacking 500,000 gaming passwords is less than $1,000 nowadays, with the guaranteed success rate being a minimum of 500 of those accounts.

Understandably, the pandemic is making these numbers even more emphatic, creating records of an unwanted kind. “The pandemic is certainly exacerbating this rise,” says Allen. “Case in point, from a Continent8 perspective, we saw cyber attacks increase by 55% in Q2 2020 compared with the same period in 2019. And we mitigated the longest sustained DDoS attack in Continent 8’s history of 36.4 hours in Q4 2020. These statistics go to show what a record year 2020 was from a cyber security threat perspective.”

 

The year ahead

So given the importance of cyber security, the rate of acceleration the pandemic has brought about, and the wide range of areasto consider under this far-reaching umbrella, the crucial question is how. More specifically, how can gaming companies deal with the cyber threats of 2021 head on? “There isn't a way to be 100% protected from all cyber threats. As with everything, cyber defence is part of the overall risk management of the organisation,” Petrescu of Big Cyber warns. “However, the eagerness of the gaming industry to innovate and invest in cyber defence solutions gives a positive outlook for 2021 and beyond. The costliest thing a company could do is nothing. Companies shouldn't wait before investing in cyber security. Post mortems and attack containment services outstrip the cost of investing in a cyber defence solution to protect the company by a gargantuan margin.”

For Jumio, meanwhile, 2021 will bring both greater threats and greater solutions. In the first instance, Khan says: “The tactics fraudsters use are constantly evolving. They employ the use of the latest technologies to exploit individuals online and we’ve started to see how deepfakes are being weaponised by cyber criminals to carry out fraud.”

He also adds, however, that we are starting to see real breakthroughs as a result, such as digital identity verification solutions that are capable of defending against bots, advanced spoofing attacks and sophisticated deepfakes.

 “This is achieved through the integration of liveness detection that can detect when photos, videos or even realistic 3D masks are used instead of actual selfies to create online accounts,” he explains.“This serves as a powerful chilling effect on would-be cyber criminals hoping to impersonate legitimate users, and something we’ll see more of in 2021.”

 

Three key focuses

Looking ahead, Continent 8 feels there are three main focuses for 2021. Allen puts forward the company’s prognosis:

  1. Primary defences

Ensuring your primary forms of protection are in place and are as robust as possible. Primary defences include utilising a private network for hosting and communication, enterprise DDoS and Web Application Firewall (WAF) protection, and ensuring your public and private cloud environments are secure.

  1. Endpoint protection and Security Information and Event Management (SIEM)

Especially given the remote working situation we find ourselves in, ensuring an organisation’s infrastructure is not breached, no matter where the perimeter may now be, is crucial. And it is critical that if something untoward happens (such as a breach) the appropriate teams are immediately notified. If it has not been done already, it’s essential to find out how endpoint protection and security event management can be applied to your infrastructure.

  1. Awareness and education

It’s been widely reported that phishing attacks, and other scams targeted to exploit our natural human fears, have increased significantly during the pandemic. As such, companies need to ensure all staff members, from the board to senior executives and all employees, are trained. This is even more crucial now because attackers are preying on emotions (such as sending malicious emails purporting to be Covid welfare checks) and because employees no longer have direct physical contact with their security teams to ask a question or raise a flag.

 

Catastrophic consequences

Just like any retail property must guard against obvious threats – damage to property, fraud, money laundering, and theft – running any online business naturally requires an awareness of cyber threats. And, as already stated, even those operating within the retail space must keep cyber security as high as they can on their priority lists. Petrescu tells Gambling Insider: “There is a myriad of consequences that can leave a previously strong company fighting for its survival. Downtime, stolen data, compromised infrastructure, ransom and reputational damage are just some common results of cyber crime activity. The containment and aftermath of an attack are time-consuming and costly, often taking months.”

This is a sentiment echoed by Allen, who emphasises the scale of the situation: “Cyber security has always been a focus for businesses, and this is especially so in online gaming, as it is one of the most attacked industries in the world. Our experience during the pandemic is that companies have increased conversations around cyber security. As well as exploring options to strengthen existing protections, conversations have also expanded into ensuring remote workers are both protected and educated around new and existing threats. Businesses that fail to prioritise cyber security are taking a massive risk because, sadly, it appears the pandemic will be with us for some time to come, and that means attacks on companies’ infrastructure and people will continue.”

When all is said and done, the lesson here is simple. While cyber security itself takes great care, planning and attention to detail, the easiest decision any senior executive has to make is whether fighting cyber crime warrants a large volume of a gaming company’s resources. There is only one answer: a resounding yes, and any hesitation will not be shown mercy by sophisticated cyber criminals. As Petrescu states, the cost of a successful cyber attack “does not bear thinking about”. Allen, meanwhile, concludes that any business which doesn’t put cyber security top of its agenda risks “catastrophic consequences”.

 

Leon Allen, innovation director, Continent8:

As Continent 8’s innovation director, Leon leads the company’s mission to discover and deliver innovative technologies, and enhance its market leading connectivity, data centre, cloud and cybersecurity solutions. He is a highly experienced IT professional with 15 years' experience in the industry. Leon has a BEng degree in computer software engineering, and a first-class Master’s degree (in management of information security and risk) from City University London.

 

Alexandru Petrescu, SVP, Big Cyber:

With over 15 years of executive-level experience, Alexandru offers an unmatched wealth of knowledge and technical know-how when it comes to cyber security. His experience includes a multitude of prestigious positions within the European Council across digital agenda and the Romanian Government that includes tenures as Minister for Communications and Information Society, Minister for the Business Environment, Trade, and Entrepreneurship, Minister for the Economy and executive and non-executive manager of strategic companies in the portfolio of the Romanian State. With a world-renowned background in IT and financial services, Alexandru is well-equipped to tailor fit a cyber security solution for your company's needs.

 

Anies Khan, director of sales EMEA, Jumio:

With 15 years' experience in driving technology adoption to the gaming industry, Anies Khan, Director of Sales EMEA at Jumio, helps organisations combat fraud, maintain compliance and onboard players faster with Jumio end-to-end identity verification solutions. Jumio offers leading identity verification solutions to help online casinos and gaming sites verify player age, improve conversion rates and beat cyber criminals.