iovation outlines common casino cybersecurity issues
Fraud and other misdeeds are on the rise in the online gaming universe, fortunately, so too are methods to detect and fight these crimes
Portland, Ore.-based iovation, a TransUnion company, has carved out a successful niche in the gaming marketplace by using advanced device intelligence and real-time risk evaluation to identify trustworthy customers and protect enterprises against fraud and abuse.
As part of an ongoing gaming industry education initiative, for the past three years, iovation has released an annual report outlining trends, both positive and negative, it has noticed within the online gaming space. What follows are the company’s observations regarding cybersecurity and certain types of cybercrime that continue to plague site operators, along with some potential solutions:
Online gaming operators continue to ramp up bonus and promotion offerings to attract and retain VIPs. Unfortunately, these offers also attract fraudsters. Bonus abuse was again the number one reported fraud by iovation gambling clients in 2018. In the past three years, reported bonus abuse has risen 287 percent, underscoring just how large this problem is for the industry.
In an effort to combat this, many operators now limit new players’ deposits and deposit methods. Unfortunately, this could have the unintended side effect of hampering the effectiveness of promotions. And conventional know your customer (KYC) solutions take too long, can negatively impact the player experience and limit the bonuses marketing can use to attract new players.
To bridge the gap, operators are supplementing KYC solutions with predictive analytics. Machine learning can continuously monitor billions of global transactions, looking for subtle device, transaction and account patterns that predict fraudulent behavior. This technology allows operators to weed out fraudsters and provide a seamless, frictionless experience for their best customers and VIP players. This also allows better targeting for upsell opportunities and premium promotions.
The growth in game abuses and cheating reports continued in 2018, but the growth has slowed from 55 percent in 2017 to 12 percent in 2018.
Not only do these violations threaten an operator’s bottom line, but they also undermine a good player’s experience while tarnishing a brand’s reputation.
Casinos often work with each other to stop criminals and serial cheaters at in-person sites. This type of collaboration can greatly benefit the iGaming world as well and is especially important as criminals and cheaters can often hide behind the mask of anonymity.
Types of cheating behavior that operators can collaborate to stop include:
- Chip Dumping: a player caught dumping chips in tournaments;
- Player Collusion: players collaborating to commit fraud; and
- All-In Abuse: a player repeatedly abusing the all-in call on certain card games.
CREDIT CARD FRAUD
Online operators continue to be a lucrative target for credit card fraud. Over the past five years, iovation has seen credit card fraud reports from its gambling clients increase 155 percent, an average annual growth of 39 percent.
This hits operators on a number of fronts. Not only are they out the lost revenue, but there’s also the cost of fraud, and if the fraud isn’t caught early, criminals can use these illegitimate funds to pocket real winnings.
Operators are met with the challenge of reducing credit card fraud without increasing false declines, reviews and unnecessary step-ups.
ACCOUNT TAKEOVER & VENDING
In 2018, many iovation gambling clients saw an increase in the cultivation and selling of VIP accounts for the purposes of enabling laundering of criminal proceeds. These accounts are typically subject to less scrutiny from operators and can be sold for a large profit on the dark web—putting businesses at risk of non-compliance and damaging valuable VIP relationships.
Another emerging trend is distraction attacks via bots. Cybercriminals use bot attacks to create a distraction while they perpetrate other fraudulent activity, which often goes undetected because of the focus on the larger-scale attack.
There are a number of tactics that can be used to combat such attacks. At login, device authentication can be used to confirm that an account is being accessed only by a previously authorized device. If an unauthorized device attempts to access an account, additional step-up authentication can be used to prevent access. Another approach is to add device intelligence and reputation checks at any high-risk touchpoints beyond login. Looking for risk signals such as groups of related devices trying to access multiple accounts or high velocities. Lastly, another effective strategy is to focus on detecting and preventing the fraud caused by such attacks.
Another emerging threat is being fueled by the massive data breaches over the last decade that have provided a flood of stolen credentials and personal data to the dark web. This is accelerating account takeover (ATO), synthetic and true identity fraud which will, in turn, drive other types of fraud. While ATO isn’t yet one of the top threats for gaming, it is growing and can have major impacts both in terms of revenue and reputation. In a recent study, Javelin found that consumers spend 16 hours on average resolving issues after their account is taken over.
A solution is needed that effectively stops ATO without jeopardizing players’ experience. With transparent authentication, players register their devices, then they are transparently recognized on future visits. A device check is done in the background so that operators can catch early risk signals and either step-up or deny the transaction, allowing them to stop ATO without slowing down players.
ORGANIZED FRAUD RINGS
Cybercriminals are increasingly embracing the same technologies that are used to keep them out, including bot attacks, distributed collaboration systems and sophisticated evasion tactics. Lone bad actors and serial cheaters aren’t going away, but a new class of organized fraud rings that are working collaboratively across the globe now pose an additional a major threat.
iGaming businesses must evolve their response to such threats. Innovative technologies such as device intelligence, device-based authentication and data analytics have proven essential in helping operators to distinguish threats from the mass of legitimate players. In an environment where players expect payouts immediately, risk signals will have to be interpreted even faster with intelligence from disparate data sources integrated into dynamic decisioning rules.
Another key tool in the fight against fraud is machine learning and analytics, which provides predictive insights into whether a transaction can be trusted or will become fraudulent. Trained on millions of records of confirmed fraud from thousands of fraud analysts, iovation’s extensive fraud database provides insight for detecting and scoring the risk of any digital transaction.
Technology is only one part of the solution. If cybercriminals can work together, then operators need to collaborate as well… and not just with gambling industry peers. Fraudsters rarely focus their efforts on a single market. Consequently, a fraud analyst at a telecommunications provider, for example, could provide valuable insights for a business.
By sharing confirmed incidents of fraud, the online gaming industry can collectively disrupt and shut down the next-generation of organized fraud rings.
Excerpted from the 2019 iovation gambling industry report. For a complete version of the 2019 iovation Gambling Industry Report, visit www.iovation.com.
Something to hide
Research finds Americans are taking more evasive measures than others to gamble online
Iovation has released findings that show how people in the U.S. are bypassing system controls on gambling websites and apps.
The iovation analysis found that 4.13 percent of online gambling transactions originating from the U.S., predominantly to European gambling operators, used evasion techniques such as trying to hide their location. This is 119 percent higher than iovation’s finding that 1.89 percent of online gambling transactions from outside the U.S. used evasion techniques. In many countries and states, online casinos are restricted from accepting payments from U.S. citizens and therefore are unable to offer them gambling services.
“There is indeed a pent-up demand in the U.S., where gamblers will go to rather extreme measures to try to get around restrictions to become a customer of a foreign gambling site,” said Jon Karl, co-founder and executive vice president of corporate development for iovation.
Some of the most glaring types of evasion techniques iovation has detected with online gambling transactions include:
“Device intelligence has proven effective at detecting customers trying to play on gambling sites from which they are restricted,” Karl said. “This will be essential for gambling operators launching in the U.S. that will need to comply with interstate regulations and limit play by geographic boundaries.”
With the 2018 U.S. Supreme Court ruling in Murphy v. NCAA giving power to individual states to regulate sports betting, many states have introduced, or plan to introduce, legislation to legalize online sports gambling. Today there are a handful of states where online betting is authorized, with the highest profile being Nevada and New Jersey. With online gambling laws varying from state to state, gambling operators must be able to tell whether or not someone is placing a bet from inside a state where online betting has been legalized.