How do you vouch for the integrity of the games? How can you restrict the games to adults and assure the flow of money in and out of the system is accurate? And how can you protect players’ identities and personal information while fending off hackers eager to corrupt the cyber-terrain with malicious software and bots?
“It’s a jungle in there,” said Gus Fritsche, chief technology officer at SeNet International Corp.
Yet help in maintaining online security and game integrity is available from assorted vendors.
But first, a little bit of history to put Internet systems security in perspective. There was a six-year period following the opening of the first online casino in 1995 in the Caribbean nation of Antigua when problems were nil. That was due to the Internet still being in its infancy and getting online was a time-consuming task until Netscape simplified things. Early websites also were plagued by technical glitches, and connections were slow and subject to unexpected interruptions due to pre-broadband dial-up connections. Yet despite these hindrances, online gaming—especially online poker—became big business, posting its first $1 billion year in 1997 and rising to $8.2 billion in 2000.
But then in the summer of 2001 a quintet of college kids in the Philippines released the “I Love You” virus and the cyber-landscape was changed forever.
There had already been skepticism about the early iGaming sites. So in 2003 a group of online gaming sites formed eCOGRA (eCommerce and Online Gaming Regulation and Assurance) to set standards to ensure a safe and trustworthy gaming experience to every player and verify they are being met. The organization today monitors and certifies more than 100 online gambling sites.
Still, security on iGaming websites has not been without incident. In 2008 it was discovered that a rogue program was placed into the server of the Ultimate Bet website that enabled the perpetrators to view the hole cards of other players, thus giving them a big advantage in determining when to bet. The hackers had created 19 “special accounts” in the Ultimate Bet server and that they played under 88 screen names.
LEARNING FROM NEW JERSEY
Fortunately, Internet gaming security has evolved quite a bit from these turbulent early years. For example, new guidelines for securing iGaming websites against fraud and hackers were issued by Gaming Laboratories International (GLA) in February 2013. The nearly 100 pages of the GLI-19 standard covers every possibility from screening out underage players to blocking an invasion of bots through the installation of controls governing the physical environment of the server to setting up adequate firewalls against cyberattacks.
The GLA guidelines were issued just as acceptance of iGaming in the U.S. was starting to soften. While theoretically banned in the U.S. since its inception, online gaming was recently legalized in three states (Delaware, Nevada and New Jersey), and California, Illinois and Pennsylvania are looking into it.
With the first virtual casinos going online in New Jersey late that year, the need for software to maintain game integrity has blossomed.
Some needs are obvious. Because playing on New Jersey-based online casinos is legal only in that state, geolocation programs are needed to assure out-of-staters aren’t joining the fun. GeoComply USA offers a software package that casinos can embed on their gaming website that checks player location through cellphone links, Wi-Fi, computer IP and GPS. And checks of players automatically become more frequent the closer they get to jurisdictional boundaries, so if a customer is playing on a moving train, the session ends the minute he crosses over into the next state, said Anna Sainsbury, CEO of GeoComply.
The ability for customers to securely place wagering cash online is another issue faced by New Jersey Internet wagering operators. SecureTrading Inc., offers a complete suite of services that ensures safe financial transactions and required consumer protections for online gaming operations, including providing player registration, verification and validation. The solution also provides financial payments processing, tax computation, collection, payment and reporting. The program enables players to register up to three credit cards on an online gaming site to use during wagering sessions.
At present, a U.S. law governing credit card transfers to foreign-based gaming sites requires players have to visit the land-based casino of origin to collect their winnings. To resolve this issue, SecureTrading is working with MasterCard to allow online player winnings to be transferred back on the cards after the player checks out of the site.
Meanwhile, Skrill USA offers Paysafecard digital wallet functions, which operate in a similar fashion to PayPal; enabling players to transfer cash onto their gaming kitty through debit cards, credit cards, peer-to-peer transfers, merchant payouts and automated clearing house services, said Joe Hall, vice president of Skrill USA. It can be used across desktop, mobile and tablet computers. Players can add funds without having to repeatedly enter their personal details or card information. Winnings can go into a player’s casino account where they can wipe out earlier losses or be used for future wagering.
But iGaming sites also must protect their players against cyber-threats emanating from hackers and other computer-savvy miscreants.
“Bots are always a problem,” said SeNet’s Fritsche. “Casinos can build in controls to spot them. But it is an escalating arms race as hackers try to develop new ways to avoid controls. Fortunately most bots are designed by amateurs and are easy to spot. But poker sites in particular need to have their websites checked to see if their bot prevention is up to the current peak technology. And bots are now being found down to the 10-cent level.”
To help casinos combat this and similar problems, SeNet has created a separate business unit—SeNet International Gaming Labs—to check out online gambling sites for ways hackers can get around security systems. Based on years-long studies of online websites, SeNet has formed a team that can provide the highest-quality service to operators, regulators, and others in this industry, Fritsche said.
The security-checking services SeNet provides includes gaming software/protocol reverse engineering (server- and client-side), client/server communication vulnerability testing, and client-side exploit discovery. They can review codes for vulnerabilities, review infrastructure security, forensic/incident response, payment card compliance testing, discovery of potential weaknesses to denial of service attacks, and information security architecture design and implementation.
Fraud prevention using fact-based behavioral history of devices (computers, tablets and smartphones) transacting business online is provided by iovation’s ReputationManager 360 service. The system has the ability to instantly recognize devices and warn operators of prior fraud or abusive website activity. The system builds and maintains a complete list of associated accounts and devices, creating a link-map that exposes fraud rings and people who are colluding to cheat or steal on iGaming sites. When a visiting device has no prior fraud records associated with it, it may still trigger any number of anomaly or evasion-related business rules alerting operators to suspicious activity indicative of fraud. A real-time rules engine scores every transaction, advising clients to allow, review or deny each transaction based on their custom business rule configuration.
More than 90 casino, poker, lottery, and sports book operators globally are supported by iovation, said Connie Gougler, marketing director at iovation. The company’s ReputationManager 360 services include Shared Device Intelligence making use of fraud data shared by hundreds of iovation subscribers. The system has 42 types of evidence, including types specific to iGaming such as collusion, chargebacks, bonus abuse, chip dumping, all-in abuse and arbitrage betting. Subscribers have added over one million pieces of evidence to the system monthly, enabling clients to act in real time on the shared experience and input, Gougler added.
Experian is another company offering products and services to help better protect Internet wagering sites. “Experian can help casinos reduce exposure to risk with our customer identity authentication and fraud prevention services available primarily through our Precise ID service suite,” said Keir Breitenfeld, vice president at Experian Decision Analytics. “Not only can we perform foundational identity element validation and compliance checks, but more robustly assess fraud risk via advance analytics and decisioning. Ultimately, our goal is to accelerate patron identification and player onboarding through proportional authentication services and decisioning capabilities. In general, our authentication suite includes identity element verification, identity transactional link analysis and monitoring, knowledge-based authentication, device intelligence, and aggregate risk scores and hosted decisioning logic.”
Experian software products include Precise ID, which come in packages offering three levels of protection for combating online fraud. The basic Compliance package verifies a player’s identity and his wireless phone and includes iovation’s ReputationManager 360. The middle package further combats identity theft with historical inquiry checks and authentication checks. The maximum package adds checks of players to Experian’s National Fraud Database and checks for shared fraud and account abuse.
Use of Precise ID resources will enable online casinos to outpace criminals by detecting, avoiding and managing fraud activity, Breitenfeld added.
Another iGaming security issue that needs to be addressed: new online casinos must take steps to ensure player information is not being accessed by third parties, said Lee Fenton, CEO at Gamesys. In addition, the game itself must remain protected, so the credibility of the game and the casino isn’t compromised by a security breach. Virgin Casino (which went online in New Jersey last January) and Gamesys have teamed up to create what they believe is the ultimate in security and protection.
The Gamesys Secure Sockets Layer platform provides the same encryption and complex layers of security now employed in banks to verify ID and protect online information for iGaming.
But despite the best protection technology, players must assume some responsibility for what can happen while playing online. Players visiting Gamesys’s Virgin Casino are confronted by a page informing them that good online security requires a combination of good practices by companies running Internet services and informed behavior by users. Instructions to players include:
• Always use a strong password.
• Change passwords regularly and avoid reusing old passwords.
• Do not share online account details with anyone, even family members.
• Do not leave a device unattended.
• Do not share personal financial or banking information with anyone.
• Do not use the ‘Save Username/Password’ functionality on a computer or access device.
• Never send a password or any private account information over e-mail.
• Choose security questions and answers that cannot be easily guessed by someone else. To be even more secure, answers can even be nonsense, as long as the person in question can remember them. For example, Question: What is your favorite city? Answer: Red.
• Avoid phishing scams. Don’t click on links in suspicious e-mail messages and don’t provide personal information on any website that seems illegitimate.
• When using a public computer, always sign out when a session is complete to prevent other people from accessing account information.
• If an e-mail address associated with an online account is no longer being used, be sure to update account details with a current e-mail address.
And, finally, a professional is always a phone call away to talk a client through changing a password for a Virgin casino account.
No doubt, this checklist is a good starting point for any brick-and-mortar casino looking to educate its online wagering customers about the rudiments of personal information security. And, as always, an informed customer is a happy, and hopefully returning, customer.