The risks of cybercrime for the online gambling industry

by Avocat dr. George Zlati[1]
Context
The online gambling industry will undoubtedly continue to benefit from this technological era, with global adoption being the primary consequence. However, this adoption will not only create opportunities but also present challenges in the realm of cybersecurity. While technology facilitates adoption and can significantly enhance user experience, it simultaneously generates relevant risks for both users and online gambling operators.
In this context, an analysis of the significant risks associated with cybercrime in the online gambling sector becomes crucial in identifying effective mechanisms for preventing and combating criminal behaviour. By understanding these risks and implementing effective prevention and mitigation measures, the gambling industry can ensure its long-term integrity, security, and sustainability.
Cyber Threats in the Gambling Industry
Online gambling platforms can be particularly attractive targets for criminals. Firstly, these platforms process large volumes of financial transactions. Secondly, they store sensitive user data, including personal and financial information (such as identification data, bank card details, and transaction histories), which can be easily exploited on the black market. Additionally, inadequate software implementation can lead to both external and internal exploits, allowing manipulation or unauthorised access to data.

Key Types of Criminal Conduct
Creating fake or fictitious user accounts is a common modus operandi, aimed at fraudulently obtaining credits, bonuses, or other benefits offered by gambling operators. This practice can also distort market statistics and analyses, affecting operators’ strategic decisions, and facilitate other criminal activities such as money laundering. In this context, attackers may use bots to mass-create user accounts, even using real identification data purchased on the black market. An effective mechanism to combat this phenomenon is the use of a KYC service involving facial scanning. However, it should be noted that such a solution is not infallible.
The fraudulent use of non-cash payment instruments is another highly relevant modus operandi. This involves using stolen bank cards or their identification data to conduct fraudulent transactions and launder money through gambling platforms, turning illegally obtained funds into seemingly legitimate winnings. The ongoing adoption of virtual currencies only amplifies these risks. Currently, it is possible to credit electronic payment instruments such as VISA, MASTERCARD, PayPal, Skrill, etc., using a wide range of virtual currencies obtained through various criminal activities (e.g., fraudulent transfers, ransomware attacks, investment fraud, drug or human trafficking).

Chargeback fraud poses a threat to any merchant accepting electronic payment instruments. Recently, attempts have also been identified in which the merchant was tricked into refunding an electronic payment instrument other than the one used to purchase the goods or services. In this context, an efficient fraud prevention system is essential.
Counterfeiting gambling websites, although less common than in the case of banking institutions, can also pose a threat to gambling operators. Cloning legitimate websites to deceive users and obtain login credentials or financial information is a worrying phenomenon that can only be effectively combated by raising awareness among potential victims. Checking the date on which the web domain was registered, or whether the webpage is secure (https:// instead of http://), can significantly reduce the risks.
Exploiting data breaches can have major consequences, given the volume and sensitive nature of the information held by online gambling operators. Whether it involves user login data, electronic payment instrument identification data, or other personal data, this information must be adequately protected. First of all, such data should not be stored in plaintext in databases. Even using a hash function for stored data can provide sufficient protection.
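One way to hash stored login credentials, as an added example that is not part of the original article: a per-user salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256), contrasted with a bare unsalted digest. The record format, function names and iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; tune to the operator's hardware

def unsalted_sha256(password):
    """Bare hash, for contrast: identical passwords give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = secrets.token_bytes(16)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, record):
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record: wrong field count, bad hex or number
        return False

def needs_rehash(record, iterations=ITERATIONS):
    """True when a record uses a lower work factor than the current setting."""
    parts = record.split("$")
    return len(parts) != 4 or not parts[1].isdigit() or int(parts[1]) < iterations
```

Records flagged by `needs_rehash` can be upgraded at the user's next successful login, when the plaintext password is briefly available.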
Insider actions can also cause significant damage to gambling operators. Like bank employees, employees of gambling operators can abuse their access levels within the IT system to fraudulently input data that could alter the outcome of a game – for example, inputting a sports bet into the system immediately after the game has ended by altering the date and time the data was entered. To prevent such situations, it is essential to implement a robust logging and employee activity monitoring system.
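A sketch of the logging control described above, added here as an example and not taken from the article or any operator's system: each bet is appended to a hash-chained log together with a server-stamped receipt time, so a backdated bet shows up in the time check and a later edit to the log breaks the chain. The field names, the five-second tolerance and the sample bets are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64
MAX_SKEW = timedelta(seconds=5)  # assumed tolerance between claimed and server clocks

def entry_hash(prev_hash, body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append(log, body):
    """Append a bet record, chaining it to the hash of the previous entry."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"body": body, "hash": entry_hash(prev, body)})

def verify_chain(log):
    """Return the index of the first altered entry, or -1 if the log is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["hash"] != entry_hash(prev, entry["body"]):
            return i
        prev = entry["hash"]
    return -1

def suspicious_bets(log, event_end):
    """Compare each bet's claimed time with the server receipt time and event end."""
    findings = []
    for entry in log:
        bet = entry["body"]
        placed = datetime.fromisoformat(bet["placed_at"])      # claimed by the client
        received = datetime.fromisoformat(bet["received_at"])  # stamped by the server
        if received >= event_end[bet["event"]]:
            findings.append((bet["bet_id"], "received after event end"))
        elif abs(received - placed) > MAX_SKEW:
            findings.append((bet["bet_id"], "claimed time disagrees with server time"))
    return findings

# Constructed sample data: event M-1 ends at 20:50:00 UTC.
EVENT_END = {"M-1": datetime(2024, 5, 1, 20, 50, tzinfo=timezone.utc)}
SAMPLE = [
    ("B-1001", "2024-05-01T18:59:58+00:00", "2024-05-01T19:00:00+00:00"),
    ("B-1002", "2024-05-01T20:49:30+00:00", "2024-05-01T20:50:40+00:00"),  # backdated
    ("B-1003", "2024-05-01T19:10:00+00:00", "2024-05-01T19:10:01+00:00"),
]
LOG = []
for bet_id, placed_at, received_at in SAMPLE:
    append(LOG, {"bet_id": bet_id, "event": "M-1", "placed_at": placed_at, "received_at": received_at})
```

The chain only helps if the latest hash is also kept somewhere the insider cannot write to, such as a separate log server.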
Phishing operations carried out via email could be countered relatively effectively by a system of personalised codes pre-set by the user. Any electronic correspondence from the operator should then include this personalised code, certifying that the email is not part of a spoofing attempt. Additionally, implementing DMARC (Domain-based Message Authentication, Reporting & Conformance) is recommended to prevent email spoofing at the domain level.
The use of artificial intelligence-based bots can have a significant impact on the winning chances of legitimate players. Although other sectors, such as the stock market or cryptocurrency markets, also face the issue of trading bot usage, the gambling industry must be aware that in the coming years, these bots could largely replace the human factor in calculating winning odds. Consequently, online gambling operators will need to identify solutions to ensure a fair gaming environment and protect the interests of legitimate players against this new technological challenge.