21 Jun 2020

Should betting and iGaming go all-in on security?

Most gamblers know the house always wins. But cybersecurity experts might think otherwise; if online gambling businesses don’t get their houses in order in 2020, regulators could hit profits harder than any hacker.

Global online gambling was worth USD 48.52 billion in 2018 and is predicted to grow 11.5% every year between 2019 and 2025. Increasing wealth, widespread smartphone use and faster internet connections are powering anytime, anywhere flutters – especially in developing economies. Meanwhile, gambling regulations are relaxing. In the US particularly, the sports betting market has exploded in the last 18 months as a result of deregulation—with six more states, plus Washington DC, expected to allow sports betting later this year.

Business is booming for hackers, too. As the chips and cash transfers rack up, the online gambling industry is becoming an ever more attractive target. And while bad luck is unavoidable, gamblers don’t want to lose out to bad actors. Regulators are committed to ensuring gambling firms protect consumers’ money and personal data or face the price.

This creates a hefty cocktail of threats for betting and iGaming businesses…

Distributed Denial of Service (DDoS) attacks

If criminals can disrupt business as usual, gambling sites could lose out on vast amounts of revenue. Tactics such as Distributed Denial of Service (DDoS) attacks overwhelm and crash sites with massive amounts of traffic.

Hackers hold gambling sites to ransom, continuing the connection overload until they are paid off. To raise the stakes, they will often coordinate attacks during major sporting events like the Super Bowl or NBA Finals. Any disruption during these peak betting periods could prove catastrophic, leaving gambling sites with little choice but to pay up. And no guarantees it won’t happen again.

A less common, but equally worrying tactic, is the use of malicious software to render data inaccessible. Unlike DDoS attacks, which require coordination and consistent effort, once hackers launch an attack of this nature, they can sit back until the target coughs up.

Account hijacking

Individual accounts may not be as lucrative as extorting an entire business, but they remain popular—and often all too easy—targets.

Just as roulette gamblers have their favourite numbers, many consumers reuse passwords across multiple websites. Attackers deploy bots to automate their attacks against a wide variety of sites, typically using passwords from other compromised sites across the internet. Once in, they drain personal funds and launder money at will.

Data protection and regulation

One of the biggest risks to online gambling sites is data protection and security guidelines. The immediate commercial impact of losing cash or personal data may pale in comparison to regulator fines and reputational damage.

So the industry should just follow the rules, right? Except the rules can be quite vague. For example, the EU’s General Data Protection Regulation (GDPR) requires ‘appropriate’ measures to be put in place to protect consumer data. It can cost a lot of time and money figuring out what ‘appropriate’ means for each business.

ISO 27001 is not much clearer. The internationally recognised security standard provides a framework to review risks and assign controls. But what controls each business implements is up to them. That’s a lot of room for risk. And ISO 27001 compliance, whatever that means, doesn’t match up to more technical standards, such as those of the USA’s National Institute of Standards and Technology (NIST).

Regardless, the remote gambling industry remains under intense scrutiny—and the punishments for cybersecurity slip ups will likely only get more severe.

How should the gambling industry respond?

Ultimately, gambling sites have a responsibility to protect their customers’ data. Box ticking won’t protect businesses; only robust security will.

Regulators recognise the current standards are insufficient and are expected to develop more specific cybersecurity guidelines. Businesses can invest in security experts to get ahead of the curve and make informed decisions that balance cybersecurity and regulatory risk with commerciality.

Online betting companies should build in security by design principles when developing apps and online systems. Apps should be built with intrusion protection, customer verification and the latest mobile security standards from the beginning—not as a bolt-on.

Two-factor authentication can help limit account hijacking, although this must be balanced alongside the likely impact on user experience (and therefore profits). Sites can also prevent customers from setting up accounts with common, weak and leaked passwords.

Gambling is a risky business, but the jackpot is too big to ignore, for criminals and legitimate businesses alike. Either way, the odds are stacked against companies which allow users to lose more than they stake.