Tracing the untraceable: Gambling and financial data theft
With every technological development that improves the industry’s reputation and operations, there are cybercriminals working day and night to find gaps through which they can exploit financial data for personal gain.
Financial data is some of the most sought-after information here. Gaining access to a customer’s financial data goes far beyond simply using that information to make large purchases, or removing money from bank accounts unnoticed.
Personal financial details are sold in the murkiest corners of the internet, albeit cheaply, and can cause ongoing distress to the victim.
And as evidenced by a hack of DraftKings that resulted in $300,000 being stolen from customers, and by the hack of BetMGM last year in which “certain BetMGM patron records were obtained”, no one person – or operator – is exempt from the dangers of financial data theft.
Cutler says that recent breaches of financial security in the industry have created more awareness around the value of personal data.
“There have been breaches in the industry,” he says. “I think it serves as a valuable lesson of how sensitive the data is that these folks are sharing. Fraudsters will go to great lengths to try to access a player’s account.”
Although such breaches have not affected Paysafe’s operations, Cutler emphasises the rigorous security measures it has in place to prevent attacks of this nature.
“We have tons of security protocols,” he explains. “We’re regulated not only by the gaming regulators, but also the financial regulators.
“We have money transmitter licences in just about every state in the US and to get all that, the security bar that we have to go through is extremely high. Because that bar is so high, the gaming industry benefits from that security bar through our product.”
Malicious intentions
Slader echoes the industry’s concerns, adding that GeoComply is providing meticulous protections from fraud attempts.
“I would say that there’s definitely lots of concern at the forefront of the minds of both regulators and consumers that are participating in online gaming operations,” she says.
“From the GeoComply perspective, we’re very much working with operators to support them with services that they can use to identify, mitigate and fight fraud and prevent these types of scenarios from occurring.”
She asserts that these anti-fraud services are crucial in the fight against data breaches. This applies not only to preventing the breaches from occurring in the first place, but also to assisting in criminal investigations if fraud attempts are successful.
“We work across the customer journey, from account creation and KYC all the way through to confirming a user’s location,” she explains. “Things like device fingerprinting, to understand the history of a user and their device, which lends itself to all different ways to identify fraud, track down fraud rings and support law enforcement in their own investigations with this type of information.”
Allen highlights that the industry as a whole is affected, more so now than ever, at a time when financial data security is under a microscope.
“The online gambling sector is one of the most attacked industries in the world,” he says. “Cybercriminals are launching complex and sophisticated attacks against businesses of all sizes, from power players to start-up studios.
“The increase in attack frequency comes at a time when the global economic landscape is going through a period of change, with Russia’s war against Ukraine and the cost-of-living crisis sweeping across the globe a likely catalyst for the volume of attacks to rise further.”
Humanity at large
While robust security measures are the best way to fight hacking attempts, Allen says that the human element must also be considered – or companies could suffer enormous cost.
“Of course, some attacks are able to breach a company’s systems, others are successful due to human error and some even involve manipulating employees to be complicit in the attacks, such as is the case with social engineering attacks,” he explains. “In addition, there are actions that the operator can take, as well as the player – the most obvious example being using different passwords for different sites. It’s a very simple action, but imperative.
“With the average cost of a data breach in 2022 hitting a record high of $4.3m, all businesses across the industry should be asking themselves ‘is my company and player data protected?’”
As an extra layer of protection, Cutler says that companies ought to be careful when it comes to who they partner with, or to whom they assign services.
“You do have to find a trusted partner that has been through it and has already reached the standard and you should review your partner standards,” he continues. “What is your level of payment card industry (PCI) compliance? What does your security team look like? How is it staffed? What are the policies? All the things you can evaluate as an operator before you decide which vendor you want to go with.”
Ahead of the pack
Naturally, those in the industry want to know the best ways to address attempts to steal sensitive financial data, and how to deal with the worst-case scenario of successful attempts.
Slader says that GeoComply provides an all-systems-go package for operators wanting to use its cybersecurity services – a system so robust that most operators are unable to provide it in-house.
“For GeoComply, we employ dozens and dozens of people that are literally on the hunt for all of these types of security threats,” says Slader. “That means that if you’re an online operator, you’re going to need to look for different vendors that can offer types of fraud and payment solutions that are specifically designed to address these types of risks.
“Unless you have people that are full-time investigating what might be the next risk or the next type of breach, it’s really hard to create machine learning around how you might be able to prevent that in the future.”
The bigger picture
Allen says that ensuring all defence tactics are secure is critical to establishing a safe environment for financial data – and will prevent the operator from falling into disrepute.
“The only way to keep up to speed with the changing threat landscape is to take a proactive approach to cybersecurity and deploy a multi-layered strategy for resilience,” he says. “There is no doubt the industry will continue to be under attack over the coming 12 months, so operators and suppliers must act now to ensure they have the necessary policies and protections in place.”
There is also a bigger price to pay, one that may not be as easily recouped as money: reputational damage.
“Those that don’t will leave themselves incredibly vulnerable and, should an attack get through, will have to contend not only with the financial loss that results but also the reputational damage of having customers’ personal and financial data compromised,” says Allen.
There is no single way to completely protect financial data from being exploited. But stringent digital defence and personal accountability are the industry’s best protections against financial data theft.