Gambling with Security: Online betting in the age of cybercrime

Tim Maytom

We unfortunately live in an age of unprecedented cybercrime. Large-scale data breaches are happening with worrying regularity, exposing consumers to a heightened risk of fraud and identity theft and placing corporations’ private documents under almost-constant threat.

While security experts do their best to clamp down on cybercrime, the scale of many operations is now mind-boggling. Malware and viruses have led to millions of computers quietly running bot software in the background, giving hackers enormous computing power which can now be deployed to crash systems and compromise security. As companies push for the efficiency and cost savings that digital transformation can bring, they also place more and more systems at risk, as minor flaws in coding leave windows open to exploitation.

In this environment, it’s no surprise that online and mobile gambling is seeing just as many attacks as other companies, if not more. Gaming and gambling accounts not only involve email addresses and other identifying data that can be used for fraudulent purposes, but are often used for regular microtransactions, making them an especially juicy target if they can be compromised.

All bets are off
There are already multiple large-scale data breaches at gambling firms on record. In 2009 and 2010, online gambling payments processors Moneybookers (now called Skrill) and Neteller were breached, exposing private data for millions of users – and it wasn’t until three years later that the firms realised the size of the hack. In 2015, a complex attack using the website of the Gaming Professional Webmasters’ Association (GPWA), which runs a website certification service, compromised almost 2,500 gambling sites simultaneously, referring users to third-party sites and using affiliate tags to generate revenue. When the Mirai attack was plaguing the internet in 2016, gambling sites were placed on high alert, worried that they would be shut down by automated requests and forced to pay to get back online.

Gambling companies were right to be worried. A 2015 report by digital security firm Akamai found that the online gambling industry was the biggest target for distributed denial of service (DDoS) attacks, with over 50 per cent of all attacks in Q3 2015 aimed at the industry, and the total number of DDoS attacks up 180 per cent year-on-year. That year, Betfair, PokerStars, Unibet and Svenska Spel were among the online gambling brands hit with DDoS attacks, which overload sites with simultaneous requests, rendering them temporarily offline and enabling attackers to hold them to ransom.

This level of threat has led security experts to call online gaming and gambling “the next big target of cybercrime”. The industry is worth in excess of $100bn (£76.6bn) in revenues, and that’s before you factor in the money fraudsters can extract from consumers. The threat is heightened by the fact that many older gambling companies are particularly vulnerable. During the early days of internet gambling, regulations were lax and, given that operating a gambling website in the US was illegal, many big names hosted their sites offshore, leading to more vulnerable and complex systems of money transfers and data storage.

“When the vulnerability of weak and out of date security processes is revealed by another data breach virtually every week, no business can afford to overlook security requirements,” says Nick Thompson, managing director of DCSL Software. “While it is tempting to try to rush a new app to market without looking at the full picture, overlooking the security requirements could result in business failure before the great idea has even gotten off the ground.”

Taking a hit to the wallet
It’s not just the consumer-facing websites and services that are proving tempting to cybercriminals. The payments processing firms used by many online gambling sites have also been targeted, with details siphoned from Neteller, Skrill and others found for sale on darknet markets frequented by hackers. Optimal Payments, which owns both Skrill and Neteller, has passed on details of the hacks to the consumer breach-checking site haveibeenpwned.com. But security expert Troy Hunt, who runs the site, warns that the gap in time between the initial breach and its discovery is troubling.

“This is a good reminder of how serious security incidents can go unnoticed for long periods of time, years in this case,” said Hunt, speaking to Forbes. “There are an untold number of compromised systems out there that are yet to be identified, systems we all use on a regular basis. The impact of a breach like this can be severe as it discloses highly personal and irrevocable information about the victims, information which is extremely useful for identity theft.

“It can also have a major impact on the organisation involved. We saw Optimal’s market cap dip hundreds of millions of pounds after they first announced the incident, which is a strong indication of just how seriously these incidents are now being taken.”

Lie, cheat, steal
Data breaches that affect customer information are serious, but they’re also not the only problem online gambling services face. They also make an attractive target for hackers looking to pull the digital equivalent of Ocean’s Eleven.

US poker company Zynga lost 400bn digital chips, worth over $12m, to a single hacker in 2011. Fraudster Ashley Mitchell posed as an administrator and siphoned off huge volumes of electronic chips before transferring them to fake Facebook accounts and selling them online at vastly reduced prices. More recently, in 2015 online gambling website Primedice Bitcoin lost $1m in cryptocurrency due to a flaw in its random number generation software. A hacker’s account exploited this flaw, betting more than $8,000 in bitcoin every second for hours without being discovered.

The biggest risk to online gambling firms may not be lone hackers or even criminal syndicates, however. While the culprit behind the 2015 attack targeting GPWA-associated websites has never been confirmed, the organisation’s executive director Michael Corfman has strong suspicions who might have been capable of carrying out such a hack.

In June 2015, the owner of online casino affiliate networks RevenueJet and Affactive was indicted for “cyberattacks against other internet gambling businesses to steal customer information, secretly review executives’ emails and cripple rival businesses”. Gery Shalon, the Russia-born owner, was also charged with hacking major US banks and manipulating stock prices. He eventually agreed to a plea deal with US authorities after being extradited to the US. One of his co-conspirators was sentenced to 66 months in prison for money laundering through a Bitcoin exchange, while another eventually turned himself in after evading authorities and fleeing to Russia.

The cyberattacks that Shalon was accused of took place during the same months that GPWA was targeted, and given the connection, Corfman believes that he and his accomplices engineered the assault on GPWA’s systems.

“It’s well established now what they were willing to do as an organisation,” said Corfman in a statement to The Verge. “At the time, we didn’t know that.”

Casinos and gambling have always carried an association with organised crime. It seems like the move to mobile hasn’t broken that link; the criminal element has just got more technically-minded. That doesn’t bode well for honest gambling operators, or the members of the public who make use of their services.