In the high-stakes world of gambling, the allure of beating the house is a tale as old as time. Yet, even with advanced fraud, verification and payment risk management tools, the industry still struggles with fraudsters scaling bonus abuse, a problem costing billions.
The gambling industry carries a reputation that often makes it easy for opportunists to justify ethical transgressions. When answering the question “what do you do for a living?” I am always met with intrigue about the ingenuity of the fraudsters outsmarting the industry. It’s the defiance of odds, the Robin Hood narrative.
Hollywood blockbusters like Ocean’s Eleven have glamourised this aspect, and real-life figures like the MIT card counters have achieved almost legendary status. It’s often perceived as an intellectual duel against the epitome of raw capitalism.
Take the case of Jonathan Howard, a husband and parent jailed earlier this year in the UK. If asked, I don’t believe Howard would see his actions as inherently wrong. This moral ambiguity, coupled with the enormous potential gains, drives individuals to extraordinary lengths to exploit system and process vulnerabilities. Scaling bonus abuse, after all, is the equivalent of having your own money-printing press.
Despite a plethora of fraud and verification tools in the market, the counter-industry against bonus abuse, worth billions, continues to thrive. The secret, known all too well in bonus abuse communities but less so within the industry, is the relative ease of bypassing these security solutions.
Gaps in the armour
For instance, device fingerprinting, a common security defence, has its limitations. Our research in New Jersey revealed that a single identity exploiting every welcome offer could yield profits upwards of $18,000. In many jurisdictions, this figure is even higher.
Fraudsters can scale this across multiple identities by using unique devices and IP addresses for each identity. The additional cost of the hardware required will only make a small dent in their earnings. But usually, the methods are simpler: dynamic IPs, clearing cookies and using common browsers and devices that fall into a grey area of false positives.
Good verification is always at odds with user experience and cost. While background verification offers minimal user friction, it remains incredibly vulnerable to scraped and stolen data.
In the UK the data required for thousands of verifiable casino accounts is publicly available on the Companies House register. Guess which data source many verification tools use? The use of Social Security numbers is considered more secure, but continual data leaks have proven this process quite ineffective.
Another common verification practice is “document upload upon withdrawal”, which fraudsters exploit through collusion. By aggregating winnings from multiple accounts into a single account and using sophisticated forgeries, they only require a single set of convincing fake documents to target an operator with thousands of identities.
Advances in AI have made detecting these forgeries increasingly challenging. In fact, a recent viral demonstration on LinkedIn showed how AI can animate still images to bypass costly liveness checks, which are considered one of the most secure defences.
This AI versus AI scenario creates a technological arms race, resulting in security measures being outsmarted.
The introduction of digital wallets and virtual cards has dramatically altered the landscape of payment-based risk management in gambling. Previously, the unique payment card requirement was a formidable barrier against multi-accounting. However, digital wallets like PayPal, Apple Pay, Neteller and Skrill have eased the creation of multiple accounts linked to a single wallet.
The advent of virtual cards has further exacerbated this issue, allowing users to generate hundreds, if not thousands, of unique card details for one wallet. The dilemma arises when trying to block virtual cards, as their identification codes (BINs) often overlap with those of physical cards.
Blocking all cards from providers like Monzo and Revolut could alienate a significant customer base. And it goes against the trends in banking innovation and consumer privacy demands.
Maybe we will find a solution to these challenges. Maybe blockchain-based digital identities will be able to tie players to a digital trust score, validated via an encrypted retina scan.
The problem is, this still doesn’t solve the challenge of syndicates.
Here’s how it works… A ringleader will recruit people to exploit bonuses. The ringleader will provide them with guides on how to exploit each offer and the ringleader will take a cut. The problem with this setup is that each player is using their own device, IP, cookies, browser, geo, payment method and KYC docs, leaving no traceable correlations.
Finnish bonus abusers are notoriously difficult to catch because they adopted this process in response to open banking, which has led to many operators going bust. The US is dealing with the same challenge, emerging there as a response to geolocation tracking.
Analysing gameplay to stop bonus abuse
Don’t get me wrong, risk solutions are an absolute necessity. But none of them is currently a full solution, and anyone who depends on them to be one is leaving themselves exposed.
In high-bonusing markets a full solution requires device fingerprinting, verification, payment analysis and gameplay analysis. The problem is that almost all risk mitigation products used in the industry are multi-industry focused. They neglect the thing that makes this industry unique – gameplay.
Gameplay is the only process that can’t be spoofed and acts as a failsafe. If a player is taking value, they are taking value. If a player is cheating, then a player is cheating. It’s black and white.
The issue is that operators aren’t well equipped to make these distinctions. Many top-tier operators can be exploited for over 12 months on a single account, at a cost of thousands, before they are able to identify it, by which time it’s too late. We need to get better at analysing gameplay risk and we need to break down the silos between risk teams and CRM.
After all, VIPs and bonus abusers are at the two ends of the same value scale.
Considered a leader in igaming bonus abuse and risk management, Ozric Vondervelden has consulted for more than 40 operators with a track record of saving his clients millions annually. Ozric is the co-founder of Greco, the industry’s first gameplay risk engine dedicated to identifying gameplay risks and determining the true value of every player.