Rob Griffin, MIRACL CEO, speaks to Gambling Insider about why account takeovers are such an urgent problem, how multi-factor authentication can combat the issue and how MIRACL’s solution aims to do this without curtailing the user experience.
Tell us all about MIRACL and what the company does.
MIRACL enables online operators to protect their customers’ accounts and their data with leading-edge cryptography and multi-factor authentication (MFA). MFA has been around for years but until now, the user experience has been dreadful and systems have been reliant on unsecure SMS messages or third-party authenticator apps. MIRACL is literally the only MFA system in the world that provides a one-user-step means of logging into your account on any device or browser – that makes all the difference to consumers who want to access their accounts as quickly and easily as possible.
There is an urgent need for this because account takeovers are ballooning. There is broad consensus in the industry including companies such as Microsoft that 99% of account takeover is fixed by the implementation of MFA. The problem is that nobody uses it because everyone hates the user experience. So we’re all about trying to have your cake and eat it: getting rid of the notion that if you improve security you reduce the quality of the user experience. With MIRACL Trust, the user simply has to enter their own four-digit PIN to access their account quickly and easily so their transaction is seamless despite being authenticated with multiple factors.
What areas do you work with overall – is gaming one of several?
MIRACL is active in social media, dating, travel, e-commerce and of course gaming and gambling sites. For us, the combination of gambling’s entertainment value and the growing regulatory requirements, with real money at stake, means it operates with the triangle of all the criteria: you need a phenomenal user experience and really good security – and that’s exactly what MIRACL provides. The underlying technology is licensed to the US Air Force, the US Government and Intel among others, so its security credentials are second to none.
Last year we took that technology and made it available for consumer-facing platforms to provide an authentication solution that works across any device or browser, and is a way of improving the security of an operator as well as their user experience. We’re really pleased with the result. Anywhere reliant on unsecure usernames and passwords can now speedily integrate MFA without any interruption to the existing user flow or any onerous registration process. From protecting the customers of tier-one banks such as Crédit Agricole, to lottery players using African sites such as Mylottohub. From government services such as GOV.uk where you can file your tax return, to enterprise software solutions such as Intergence, we cover a broad array of online services.
However, the combined requirement of great user experience and security (both for regulation and fraud prevention) makes gaming and gambling one of the most important sectors for us. While some of our customers operate in distant fields relative to gaming, we believe they are relevant because passing the UK Government’s security tests, satisfying the European Banking Authority guidelines or meeting the needs of different gambling commissions all adds to the credibility of our solution.
For us to have passed so many diverse and exacting security tests, means our solution really sets the standard in terms of security – and for the gambling sector that’s the reassurance you need. So anywhere that has the combination of a regulatory requirement and fraud prevention but is protected by usernames and passwords, is something we care about and can help with. Even social media now – two years ago you would have never said it was a regulated industry – but data privacy is increasingly so important that actually the safeguarding of a social media account has become a political issue.
Tell us about yourself and your personal background in cyber security.
I originally came to cybersecurity as a professional investor specialised in the technology sector. After working at a US technology fund, I co-founded Open Field Capital in 2004 investing in newly emerging mobile and cyber security technologies so I have operated in the cyber security industry for over 20 years – always focused on IP-rich up-and-coming technologies, as opposed to the mainstay big guys. I think it’s fair to say we did a great job of spotting big themes early.
It was the IP that really captured my attention with regards to MIRACL because our Head Cryptographer, Dr Mike Scott, has developed world-leading technology that can address a large market need. I just look at the rate of growth of online account takeovers right now and you’re literally seeing 100 to 200% per annum growth rates in some sectors. I’m passionate about empowering and delivering our security innovation to thwart that problem, protect consumers and also provide them with a great experience.
It’s bizarre because passwords have been around for 50 years yet there’s a huge inflection point happening right now in the volume of attacks, so I feel lucky in one respect to be at the crest of that wave with the team and technology capable of countering it.
How has the pandemic affected or accelerated these issues? Is it the main factor or are there other things at play?
The digitalisation of our lives that COVID-19 has caused has hugely accelerated a cyber threat which is yielding bumper profits for hackers who are adept at exploiting fear and change. The biggest underlying driver of account takeovers is the availability on the dark web of large databases of previously hacked usernames and passwords – and the fact those are being continually harvested and refreshed, and packaged for turnkey hacker operations carrying out what is called “credential stuffing”. The financial returns currently available from credential stuffing make it very lucrative, so anyone expecting this to be a short-term issue with passwords will be mistaken.
Our analysis suggests that the lowest recorded hit rate on accounts with usernames and passwords is about 0.1%. So if you were to seek to hack 500,000 gaming passwords (easily obtainable at a low cost), you would get a minimum of 500 hacked accounts. The total cost of this hack is less than $1,000. Even with the lowest response rate and the lowest price achieved for a gaming account, you still end up doubling your money with hacking activity that takes just a day. Moreover, it’s now possible to scale this nefarious activity to large numbers such that dedicated hacker organisations exist with hundreds of staff.
This kind of hacking has become a global business, with Europe probably the fastest-growing region. The gambling sector is hard-hit because the level of security currently trails that of the banking sector.
Separately and less dramatically, we are also seeing an increase in friendly fraud, in which gaming customers claim that an (unsuccessful) bet carried out in their account was not executed by them or anyone authorised on the account. Here the fraudster is exploiting the prevalence of account takeover to obtain an unwarranted account credit. An abundance of time in lockdown is probably causing some opportunistic attempts to bolster users’ accounts and, although this fraud is not being perpetrated on a mass scale, the losses to operators quickly add up.
If there was one piece of advice you'd give gaming companies around cyber security, what would it be?
If you don’t think you are suffering this problem, in our experience it is because the hackers are so capable of emulating normal traffic that conventional threat detection systems aren’t noticing. Operators certainly can’t rely on players noticing either. My point is that, per your question, the single piece of advice would be to monitor traffic exactingly to be sure credential stuffing is not a problem. In our experience, no one’s untouched by it. Given that’s the case, we say you need to shift to multi-factor authentication of your users that will crush the issue. Crucially, however, you need to do so in a way that doesn’t crush your sales conversion and rob users of a smooth and enjoyable online experience.
What are MIRACL's aims and targets for 2021?
We are currently in the process of integrating our solution to two of the five largest gaming operators in the world. So we are very excited to be rolling out our technology across a broad platform. From our perspective, we think 2020 has been an absolute inflection point in a problem we are 100% targeted at resolving. We think we can really bring that solution to gaming in the next 12 months, to a global geography and some high-profile operators.
We see a good amount of evolution we can take the product in over the next five years and we’ll be introducing new elements during this year and beyond. However, right now it’s about causing a change in the current urgent crisis. I say crisis because it’s going to cost the gaming industry billions of pounds this year. And I don’t think that’s getting an adequate share of the news.
To read more from MIRACL CEO Rob Griffin, check out the November/December edition of Gambling Insider magazine – and see the Big Question feature or visit miracl.com.