Podcast | 20th Jan 2022 / 08:53

Cybersecurity Sessions #3: Online Casino Abuse

The online casino industry is a big target for fraudsters. Our guest this month can attest to this, since he used to exploit them professionally!
Alex McConnell, Cybersecurity Content Specialist

The online casino industry is a big target for fraudsters, from sign-up bonus abuse through to sidestepping account bans and exploiting business logic to guarantee a profit. This month’s guest on the Cybersecurity Sessions can attest to this – he used to exploit online casinos professionally!

Now using this experience to help operators rather than exploit them, gambling security consultant Ozric Vondervelden (Director, Greco) joins Andy to reveal the devious tactics cybercriminals are using to abuse online casinos.

Ozric Vondervelden, Director at Greco

After years of exploiting online casinos professionally, Ozric Vondervelden now uses his knowledge and experience to help gaming and betting companies prevent online abuse. After two years of consulting with over 30 operators, his team has developed Greco, a Gameplay Risk Engine for the iGaming industry.

Key points

  • Why duplicate account creation is of major concern to gambling operators
  • The techniques fraudsters are using to get around account restrictions
  • How abuse tactics evolve in response to improvements in security processes
  • What gambling operators can do to stay ahead of fraudsters

Andy Still  00:06

Hello, good day and welcome. Here we are again, back with the latest installment of the Cybersecurity Sessions, our regular podcast talking about all things cybersecurity, with myself, Andy Still, CTO and co-founder of Netacea, the world's first fully agentless bot management product. Today we're going to be talking about gambling. Now, gambling has never had the best reputation as an area that could be completely free of corruption. I guess people, in general, prefer to gamble when they know that they can't lose. In fact, I was only reading earlier on today about one of the earliest uses of sports statistics, being the use of the new science of baseball statistics to identify the fixing of the 1919 World Series, illustrating that the tradition of exposing and capturing corruption using science is a long and indeed very honorable one. So it's no surprise that online gambling suffers the same challenges. And we're lucky to be joined today by Ozric Vondervelden from Lovelace Consultancy, who spends his time today helping gambling companies protect themselves from online exploits. Welcome, Ozric, thank you very much for joining us today. Could you quickly introduce yourself for our listeners?


Ozric  01:17

Sure. So I'm the founder of Lovelace Consultancy, and the new co-director of Greco. Our background is, well, we've spent many years specializing in protecting operators in the online gambling industry from an array of techniques that essentially lead to unintended losses. So this ranges over a whole diverse mix of areas within any given operation. We focus on multi-accounting, duplicate accounting, process abuse in relation to AML, fraud and verification, content and bonus logic, interoperability issues, integration issues, advantage play, collusion, affiliate fraud, bonus logic, bugs and flaws. And as I say, more recently, we started development on the world's first commercially available gameplay risk engine, which is Greco.


Andy Still  02:21

Thank you very much. How's it going? I think what we've got from that brief introduction is the fact that the number of different challenges faced by online gambling companies is an ever-expanding list, all of which you're actively working to try and help companies prevent. We can't talk about all of them today. But I think there was one in particular that you have recently started seeing as an increasing source of compromise. And you've given that the rather nice name of the Ed, Edd and Eddy problem. Can you just tell us a little bit more about that?

Ozric  03:00

Yes, so the wider topic is duplicate accounting. So the Ed, Edd and Eddy technique is one particular process of achieving that, which we named after Ed, who is the co-director of Lovelace. He likes his beer, and he's been known to extend his free trial periods. And so we gave it the name, the Ed, Edd and Eddy technique. So just to explain sort of what duplicate accounting is, in simple terms, it's the process of creating more than one account using a single identity. And there are several reasons why someone might attempt this form of abuse, and it ranges sort of from quite innocent to extremely fraudulent. So there's the case of subscriptions and, you know, prolonging subscription periods or the incentive periods. They can also remove limits on product purchase limits. So, things such as limited supply trainers, for example, or event tickets, or gaining access to sites that you've been banned from, which is obviously a big issue in the gambling industry, or repeatedly taking advantage of affiliate links or free samples, or, as I mentioned, sort of promotions. The other big issue that we're seeing is CPA fraud as well. So if you can create multiple accounts, you can essentially be incentivized as an affiliate for each account you create.


Andy Still  04:46

And is this something then that, I mean, it sounds like there's, you know, relatively simple ways that you could stop the obvious ways of doing this. I mean, I'm thinking of address checking and validation? What are some of the techniques that people are using to do this? And is this kind of automated, or are these manual processes that people are going through?


Ozric  05:13

So, I'll go through some of the techniques. It's a mix of manual and automated, to be honest. So there's the Ed, Edd and Eddy technique that we've talked about, which is a simple case of making subtle changes to your registration details every time you register, in order to scale. So Ed, Edd and Eddy, for example, would be a change of name that may be seen as different in a duplicate account system. And then there are more sophisticated techniques. So there's what we call manual manipulation, which is the process of changing your details within an account. Essentially, if a system is only looking at the most recent details for a player, this can allow the player to create multiple accounts with the same data by simply changing the data after they've exhausted, for whatever reason, the account they created. So in the case of the bonus industry, quite often someone will create an account, exploit the welcome offer, change the details and then create another. And then there's sort of social enrichment, sorry, social engineering, or kind of manual override, as we call it. So this is the process of creating an account with your true details, and then creating a second account that intentionally fails verification. So this could be a case of changing the format of the data, so it could be like an American-style date of birth. So you intentionally fail verification, which then requires you to upload documents, and what can happen is that the operative checking this information can see, oh, there's just a simple mistake, I'll correct that information and verify the account. And what this has done is bypass the automated process. And then there's another area as well, which kind of plays into operators' overreaction to GDPR, the kind of right to be forgotten. So another technique is just to ask for all of your data to be removed, and then create a new account. And while this isn't sort of a regular regulatory requirement, at least in the gambling industry, there is kind of an allowance for storing data that's kind of a security risk. And a lot of operators kind of overreact or misinterpret the legislation, which can lead to this kind of exploit.


Andy Still  07:56

Yeah, I mean, it is clearly outside the scope of GDPR, a legitimate retention use of data to track for these sorts of things, isn't it? So, and I know you kind of raised this as something that's becoming more common, is this increase in usage being driven by the security processes that these companies have put in place to try and prevent fake account creation and things like that, and the basic kind of validation processes that they've got?


Ozric  08:33

So it's always been there. I wouldn't say it's necessarily increasing, but it's kind of a game of cat and mouse in that regard. So when I was younger, kind of growing up with the internet, while it was still figuring itself out, the application products, or processes, sorry, were still very rudimentary, if existing at all. And most significant sites you could create duplicate accounts on. It was maybe, well, maybe 17 years ago, I was starting to play around with these different processes to see how the whole systems could be exploited. So I actually dabbled a little bit when I was younger. It was in free samples, seeing if I could scale the process of receiving free samples, and I'd be selling them on eBay. And then looking to streamline that by having the samples sent directly to the person I was selling them to. And then I'd scale with bots as well. It was very rudimentary stuff. I mean, there wasn't any kind of randomization on, you know, the form submissions; there was a clear pattern in the kind of changes of the data that was being entered. And it was probably very obvious to the naked eye, like I was doing thousands of form submissions for a single kind of free sample. I think the problem actually was a process issue, that meant that they were likely subcontracting a sampling company that was probably being incentivized per unit, and so it was kind of overlooked. And this is an example of a kind of poor process. The processes have got better now. There are still the abuse tactics, as I say, and apart from the Ed, Edd and Eddy technique, they're all kind of a little more advanced. And it's really down to each company. So there are pockets of knowledge all over the place. It wouldn't be fair to generalize, but there are still many sites out there that are very vulnerable in this regard. So it's a need for process improvement, just generally.


Andy Still  11:00

And do you think, I think it's interesting just to pick up on the fact that the companies actually may not be incentivized to do this, if they're subcontracting that out. How many of these process changes do you think are not being made because the company themselves, or subcontractors, or areas of the company, are making money out of this?


Ozric  11:31

I don't think that's necessarily it, at least not in the industry I'm working in anymore; there's just another kind of misalignment. So there's a whole world of complications towards the solutions that can be kind of imposed to solve these problems. One of them being that people do lose access to their email addresses and want to register again, people do change address, people do change a name, you know, people's details change. And, you know, just working off someone's date of birth isn't going to, it's gonna have a lot of false positives. So the challenge is in creating a kind of fuzzy matching logic that's effective, and that you don't have kind of rules that are too relaxed.


Andy Still  12:24

Going back, this was many, many years ago, when I first graduated, I did a data entry job. And one of the responsibilities was to check for duplicates. And we did actually end up with a situation where there were two people who were actually twins. So they had the same date of birth, the same address, the same second name, and one letter different in their first name. And they continually were being brought up as a data entry error, because they were seen as too similar, but it was legitimate. And I guess one of the key challenges with the Ed, Edd and Eddy problem is that for every way you try and clamp down on that, there will be a legitimate person, like you say, a legitimate person trying to actually use the service properly. And what kind of advice do you have for companies who are trying to address this issue?


Ozric  13:31

Well, there are some sort of basic solutions. I mean, there's a lot of basic problems still out there that could be quite easily fixed. So I'll kind of go through them. So in the case of the Ed, Edd and Eddy technique in the gambling industry, I mean, the gambling industry does have restricted content. And so they, you know, legally, at least in most regulated markets, require some form of background verification. And the way this works is, it's a slight play on the identity technique. The person is looking to make the name different enough to bypass the duplicate account detection system, yet similar enough to fall within the margins of deviation of the verification system. And so that's very easy to solve. Either the rules need to be aligned, so you've got kind of mirrored processes, or you need to put a limit on how many people are verified as a single identity by your verification process. And then there's the kind of social engineering aspect, where I talked about somebody sort of going in with mistakes in their details and trying to get a manual override; that could be solved with somebody just doing a manual check before approving any account. In the case of GDPR, it's just a case of, you know, having a better understanding of what your rights are in that regard. So there's a lot of easy quick wins out there. Obviously, there's a lot of nuances and complications along the way, depending on, like I say, your processes for how people change address, or, you know, people, like you say, that are twins even. There are nuances that need to be sort of given acceptance.


Andy Still  15:36

Yeah, I mean, like any security process, it's about balancing the risk of stopping legitimate activity versus the risk of stopping illegitimate activity. And I think this is a really challenging area, because of the sophistication that we're seeing in the kind of attackers out there and the tooling available. Even the growth of legitimate single-use credit card numbers being generated for specific uses, which mask a single card behind them, is already reducing the kind of strength of using credit cards as a single source of validation, as we're starting to see some of the tools that allow people to hide their identity behind other areas for legitimate, or at least semi-legitimate, purposes. In some cases, I think that just throws another challenge onto those companies, which I guess keeps you on your toes.


Ozric  16:49

Absolutely. As the industry becomes more sophisticated, so does the opposition. Like you said, this is one part of a wider process. I mean, payments are having a nightmare with, like you say, virtual cards and disposable card numbers at the moment, because again, now the payment process can be scaled as well. So you can create multiple accounts without the need of recruiting or stealing different identities. You can scale the payments without a single bank card. And, you know, there's sort of widespread understanding now of browser, IP and device fingerprinting as well. So the sophistication level there has grown also. So it's a constant battle, trying to stay one step ahead, essentially.


Andy Still  17:42

Well, so I think we're getting towards the end of time now. If you had one last piece of advice you wanted to give to companies with this issue, what would it be?


Ozric  17:59

I think there's a lot of pride in the industry, and everybody thinks they have a competitive edge, which limits data sharing. And I think it's important that operators come together, either through forums or directly, to kind of understand what's happening to other operators and collaborate on coming towards the solution.


Andy Still  18:25

That's great advice. And thank you very much for your time today. And hopefully, we can get you back at some point in the future to talk more about Greco, which sounds very interesting, and potentially a game-changing project for yourselves in the industry. So thank you very much. And thank you everyone for tuning in today. And, as usual, please like and subscribe. We'd love to hear your feedback. We have a Twitter account, @CyberSecPod, or you can email podcast@netacea.com. Thank you very much and we will see you again in the next episode!
