Phishing for Chips: Why the Online Gambling Industry is Odds-On to Beat Cybercrime

With the global gaming sector currently worth in excess of $120 billion, and net profits exceeding $30 billion, there’s no doubting that gambling remains popular in times of economic hardship.

These figures do not include money made by those who operate illegally in the shadow economy that has grown around those markets where online gaming is officially banned. Talking of which, a newly published report from gaming consultancy GBGC valued the online gambling industry alone at some $29.3 billion, showing amazing growth during a recession – a 12% increase over the 2009 numbers.

GBGC believes that the industry could hit a global market valuation of $40 billion within just three years at this rate, and if the US were to legalize online gambling once more, you could easily throw another $10 billion into the mix. No wonder the bad guys are paying attention.

Balancing the Security Odds

Site security is not necessarily a primary concern of the average customer who is more worried about a friendly interface, good odds and whether or not they can trust the operator to pay them promptly should they win.

James Alexander, a security partner at Deloitte, points out that consumers tend to be “very quick to vote with their feet if they think their data may be compromised”, and this recognition of ‘effective security’ does help operators “maintain the liquidity that is vital for their operations”.

The industry admits that it is always going to be targeted by villains, which is all the more reason why it remains one of the most primed markets when it comes to being aware of the dangers and risks of cybercrime. So what are those dangers and risks? When talking to IT security professionals from gambling operators, the same data security threats came up repeatedly: denial of service (DDoS), chip fraud/theft, and transactional loss.

Protection Rackets

DDoS attacks are the protection rackets of the day, and old news in the online gambling sector, having been one of the earliest threats to internet casinos, with sites taken down for a few minutes during peak time – followed by a promise of longer downtime if ‘insurance’ was not paid.

Jamie Murphy, a client director with information security advisors Integralis, admits the industry still sees denial of service attacks but is “better placed in understanding the behavior behind such attacks”, with tools and processes in place to mitigate the threat. “Both sides have become more sophisticated”, Murphy says, “there is a fairer balance now”.

Much of the DDoS activity against gambling sites seen by Amichai Shulman, CTO of data security specialists Imperva, would appear to be botnet dominated and can be controlled by “blocking of traffic originating from known active botnets”.

Phishing for Chips

Chip theft and fraud, where virtual chips are either stolen from a compromised account, or fake ones are generated and added to an account, can potentially be highly profitable for the bad guys. Much of this kind of attack is targeted at the consumer rather than the site directly, as it is usually much easier to compromise an account by using ‘traditional’ phishing techniques to acquire logins than it is to hack through gambling site defenses.

Well-known security evangelist Eddy Willems told us of some typical phishing scams aimed at the gambling industry. These included customers being promised non-existent chip credits in order to garner genuine account credentials through cloned site login screens; and the offer of (malware-infected) software that claims to allow poker players visibility of opponent’s hands or enables sports gamblers to manipulate the odds. In fact, it just steals their credit card data and account logins.

Site operators are aware of the need to educate customers about the phishing threat in order to protect themselves from loss of brand reputation, as well as the financial impact of stolen chips being sold cheap on the black market.

Fox Guarding the Hen House?

Sometimes the bad guys just walk through the back door and help themselves to chips. Take the British hacker who logged into the Zynga online poker site using an administrator account and helped himself to some 400 billion chips with a face value of $12 million. These chips were then transferred to multiple Facebook accounts before being sold for less than $100,000 on the black market.

Marc Lee from access governance, compliance and provisioning specialist Courion warns that the data breach at Zynga “underlines the importance of a strong identity management system and clear policies for creating and protecting access credentials” within the gambling industry. Whether in this particular case the admin account was compromised through a site vulnerability, brute force attack or even a phishing exercise is unclear. However, what is clear is that security systems in place to monitor the movement of chip data did their job properly and were able to alert Zynga to the unusually large amount of chips being transferred. Shulman does think there is a more general lesson to be learned here though, and that’s the need for strict controls to be applied around administrator account activity or, as Shulman puts it, “making sure it is not the fox guarding the hen house”.

Putting Your Cards on the Table

Transactional loss is not a risk unique to the online gambling business, but it remains a very real one nonetheless. However, not only are gambling sites a magnet for cybercriminals looking to tap into the transactional data stream and steal credit card information, they also attract the ‘gentleman thief’ using stolen cards to play poker.

Online poker can prove effective for cashing in on stolen cards according to Shulman, who says he has seen attackers using a stolen credit card on one side of the table, while it gets cashed in on the other.

According to a spokesperson from the Gambling Industry Security Forum (GISF) – a body comprising senior security professionals from a number of gambling businesses that meets regularly to discuss risk, security and best practice – all operators making card transactions must comply with the Payment Card Industry Data Security Standard (PCI DSS). “Most operators are licensed and regulated”, GISF told Infosecurity. “However, the standards and levels of due diligence required and applied do vary from regulator to regulator.”

Licensing bodies, moreover, cannot control the use of stolen credit cards, nor does PCI DSS mandate control over card usage (it sets requirements on storage and processing of card data). “In order to restrict the amount of stolen credit cards in online transactions”, Shulman warns, “anti-fraud mechanisms must be applied”.

Betting on Best Privacy Practice

When it comes to privacy concerns, the online gambling industry finds itself firmly in bed with the adult entertainment sector: plenty of people make use of them both, yet very few are happy to admit it. Emma Lindley is strategic development director at GB Group, an identity verification specialist whose clients include Skybet, PartyGaming, Betfair and Ladbrokes. “The industry has seen a number of high-profile cases in recent months where customer data has been stolen or compromised”, Lindley says, warning “breach of data protection regulations could mean fines or the temporary closure of a site, not to mention the damage to brand reputation, so it is imperative that operators pay careful attention to who has access to their customer data”.

Ultimately, it is the responsibility of the operator to ensure they protect that data, and given that customer data is a gaming company’s greatest asset, its protection should be at the core of everything they do. The GISF reminds us that “all site operators are required to be licensed and the issuances of licenses are regulated by authorities [that] place data protection and the safety of customer data at the heart of their legislation”.

An Age-Old Problem

The online gambling industry also shares another age-old problem with the adult entertainment trade – that of ensuring customers are old enough to play. With large volumes of users on a daily basis, online gambling websites need to ensure that their customers are who they say they are, and that they are old enough to be gambling.

Lindley has plenty of experience implementing technology within the gambling sector that cross references online customer applications with multiple data sources including geographical, biographical and anti-impersonation checks. “These types of real-time, electronic checks ensure players are who they say they are, validate their global location, checks they are over 18, and ensures fraudulent identities are detected early”, Lindley insists, concluding “protecting the operator from fraud and ensuring they comply with the relevant regulations are key to increasing their revenues and shareholder value”.