Gambling continues to grow in the UK, with the remote sector up by 10%. Globally, it is estimated that the entire industry will be worth US$60bn by 2020. Figures that high make the industry an attractive target for dishonesty, including identity fraud, money laundering, physical fraud, hacking and 'ransomware' attacks. The recent news that the Gambling Commission has fined another leading high street operator for breaking its regulations brings into focus the size and variety of the challenges the industry is facing.
Ruari McCallion explored the theme of cybercrime and its relationship to gaming during a day dedicated to the topic at the recent Totally Gaming exhibition.
- Hackers and thieves’ techniques are constantly evolving; security must be doing the same
- Don’t forget the old tricks; they can still be potent
- Share useful knowledge and experience, with other companies as well as internally, to build a common base of expertise
- Use external agencies to test your systems, including ‘ethical hackers’
- A firewall is not total security
- ISO 27001 is a start, not the finish
- Test your internal systems against phishing and employee vulnerability
- Trust – but verify
- Plan for when a breach occurs, to protect your business's reputation and your customers' digital identities
The potential rewards for dishonesty in the multi-billion pound gaming business mean it is bound to attract criminal enterprises of every kind from around the world. Security problems are not unique to the UK, and criminals are as likely to be operating in Washington, Tyne & Wear, as in Washington DC. The only use they have for borders is as something to hide behind.
As Josh Gunnell, fraud consultant at TransUnion (formerly Callcredit), sums it up: "Fraud is not a localised issue, it's a global threat. The digital world we now operate in means that fraud professionals have an ever expanding set of data points to analyse risks, to both themselves and to their customers."
The challenge for the industry, then, is to ensure that its own systems are leakproof, transactions are secure and people are who they say they are, while making the customer experience simple, straightforward and enjoyable.
Information liquidity: a time to share?
One way operators could strengthen their approach to cybercrime is through data sharing and improved communication. Andy Atha, of Sky Betting and Gaming, said that his organisation has quadrupled the size of its online security team over the past two years, but could add further muscle to the fight against fraud by engaging with competitors.
“As well as operating sophisticated customer monitoring, businesses should be more prepared to share information with others,” Atha suggested during the panel discussion on ID Theft and Fraud Prevention.
He cited his experience in insurance, where sharing intelligence has helped to cut the number and value of fraudulent claims and to identify gangs of fraudsters who faked accidents, all without any breach of data security, loss of IP or decline in competitiveness. Indeed, premiums have been reduced and profitability improved. Atha commented that companies in the gaming sector tend to regard insights as a proprietary asset, which can be short-sighted and counterproductive.
Consider ethical hacking to test your own defences
Jamie Woodruff, a Certified Penetration Testing Engineer at Metrix Cloud Ltd, is an 'ethical hacker'. He describes his job as breaking into organisations. And he's very good at it.
“The perception of a hacker is always wrong,” says Woodruff. “Breaches in your security won’t come from a 14-year-old kid playing a game; they are most likely to come from a disgruntled employee or a service provider.”
He treated the audience to a hair-raising list of ruses he has used to gain physical access to server floors, including working for a week as a pizza delivery man: he had spotted that a senior exec regularly ordered pizza, and security simply waved through anyone in the right uniform.
Woodruff describes his 'social engineering' techniques as 'manipulation for information'. He uses social media to find out about workers' habits, such as where they regularly go at lunchtime. He once gained access by sharing a smoke with a group at the back door for several days until he sprang the old 'I've left my pass on my desk' trick. They thought they knew him, and they let him in.
"Your firewall may be like a locked and patrolled iron door but the rest of your walls – your employees – are like a two-foot high hedge," he notes. To stress-test the theory: "Encourage responsible hackers to hack your organisation. After four or five days you will know where you are and where you have to go."
A certificate might not be worth the paper it's printed on
While criminal techniques are advancing and evolving all the time, phishing and other old-style tools should not be forgotten. Like measles and other diseases we thought had been eliminated, viruses and ransomware keep popping back up. They are most likely to come in via employees, whether intentionally or not, as Jamie Woodruff made clear.
Businesses' processes and security have to be up to date and auditable, but Chris Sullivan, Executive Chairman of the Gambling Commission, said that ISO 27001 is not the be-all and end-all.
Having that certification on its own will not satisfy the Commission in the event of a data breach. They will want to know how it happened, precisely, and what is being done to ensure it doesn’t happen again.
Regulatory pressure no doubt remains at the forefront of gaming operators' minds, and they have a responsibility to their customers to ensure they have adequate controls in place at every touchpoint.
Gunnell believes organisations must focus on both prevention and cure: "It would be naïve to think any company is immune to cyber-attacks in the current climate. The plans you have in place need to involve keeping your customers informed and reassured. Facilities such as giving your customers the ability to monitor their credit files and react to changes which may indicate fraud can have a huge impact on protecting your customer's digital identities and the organisation's reputation."
Power up – how to aspire to be an end-level boss
Perhaps the most important lesson from the day was not a single solution or action but a matter of attitude. The flexibility and ingenuity of thought shown by criminals needs to be matched by those attempting to stop them. That could mean thinking and working in ways that are anathema to the corporate world, such as collaborating with the competition or deploying techniques that are not in the current playbook.
For Gunnell the choice is clear: "Data and information sharing is key to a collaborative industry response to fight the fraudsters. Forensic profiling of non-traditional digital data will have to be more widely adopted and coupled with machine learning to make informed decisions in a timely manner. Gaming is a highly competitive market, and those operators without these defences will find themselves becoming the target of ever-more sophisticated attacks."