How Casinos Can Prevent Loyalty Incentive and Account Takeover Fraud
Cybercriminals aren't picky about their targets — they go where the money is. And they are paying attention to the gaming industry, which makes a lot of money delivering different forms of entertainment.
The commercial gaming industry appears to be roaring back from pandemic lows, particularly in the online gaming sector. The U.S. commercial gaming industry generated $53 billion in revenue, a 76.7% increase from 2020 and a 21.4% increase from 2019, according to the American Gaming Association's Commercial Gaming Revenue Tracker. Online gambling had a particularly strong year, as the segment generated $3.71 billion, up 138.9% in 2020 and 614% in 2019.
Security at a casino should involve more than protecting the vault and cage where the money is kept or installing cameras to catch burglars and fraudsters in the act. While casinos typically have lots of cash on the premises, it is rare that they are victims of Hollywood-esque heists, says Justin Wray, director of services at Core BTS, an IT consulting firm. More often, these facilities are victims of common phishing attacks or hacks.
"If you work for a casino…they're familiar with this security culture from a physical sense. Take that and apply that to the digital landscape," Wray says. "Have staff members thoroughly trained on the tactics and techniques that [fraudsters] are using to trick them into doing things, because that's the No. 1 method that the adversaries use."
Anti-phishing software is useful, but it's also important to have security awareness training for casino staffers so that they know the signs that they are being phished, Wray says. Casino IT and security teams also have to secure their internal networks from hacking attempts, account takeover, and fraud.
Spotting In-Person Gambling Vulnerabilities
When it comes to protecting casinos' in-person operations, IT and cybersecurity professionals must keep their security measures up to date, says Wray. Some organizations may fail to update their cybersecurity measures as risks evolve over time, he adds.
Among the usual targets for online fraudsters hitting physical casinos are ATMs, gaming machines, and ticket machines for redeeming winnings, he says. To secure a physical casino, IT and cybersecurity professionals should take the basic step of segmenting the organization's internal networks, he says, separating the Internet access for the backend departments such as the HR and finance teams from the gaming systems, the guests, and point-of-sale systems.
"These are all the separate environments from a networking perspective, so that if one of those is compromised, they're not all compromised," Wray says. "That's a very basic, fundamental security approach. But it's something that's often overlooked."
To spot these issues, casinos have two options, depending on their resources: hire a team of internal cybersecurity professionals to safeguard the organization around the clock or commission a third-party firm to monitor their operations, Wray says. The option you choose, he explains, depends on the funding you have to analyze the data the organization collects and evaluate any alerts you receive across various authentication logs, network logs, and intrusion detection systems you have in place.
Filtering Out Online Gambling Fraudsters
Over the past few years, casinos have been expanding their operations beyond the brick-and-mortar to the lucrative world of online gambling. The COVID-19 pandemic has encouraged that shift.
IT and security teams must also apply security measures to safeguard their operations against online fraudsters, says Kimberly Sutherland, vice president of fraud and identity & market strategy at LexisNexis Risk Solutions, a risk management firm. Among the potential targets for cybercriminals are legitimate accounts, which can be exploited in account takeovers, and loyalty incentives programs, she says.
To incentivize new customers, some casinos offer loyalty perks to customers, but cybercriminals can exploit these incentives when signing up to get more credits, she explains. If, for example, a casino offers $10 deposited into new users' accounts upon joining, online fraudsters can write a script to "not open one account, but open 100,000 accounts," Sutherland says. If multiple new accounts are opened with a different name but using the same address, or if multiple accounts are associated with one device, that's a sign that the accounts might be illegitimate, she says.
"We try to help to identify identity anomalies or when the velocity of an identity element has been used too many times ... so that way, at least the business will have the ability to identify that, and they can make the ultimate decision as to whether they approve or deny," Sutherland says.
When it comes to onboarding online gambling customers, casinos try to strike a balance between creating a seamless sign-up experience and screening out potential fraudsters, Sutherland says. Among the telltale signs IT and cybersecurity teams should be looking for to spot cybercriminals are a suspicious location — which is especially important for the regionally regulated casino industry — an unusual phone number, or any email address that's associated with multiple accounts, she explains.
There are passive ways to verify new customer identities so that casinos' IT and cybersecurity teams aren't relying solely on passwords, Sutherland says. Behavioral biometrics such as whether a customer types their password and phone number or copy-and-pastes it from a document could tip off when a fraudster is trying to log into a legitimate account. Another sign of suspicious activity is a recently swapped SIM card or a forwarded phone number, she adds. Organizations can use a one-time password sent via SMS text to spot whether a SIM card or device has changed before verifying the device, Sutherland explains. Most major mobile carriers offer real-time gateways to let companies inquire about whether a SIM card has recently changed, and software is available to check whether a SIM card has recently changed, she says.
Casinos' IT and cybersecurity teams can use biometrics stored on devices to authenticate users' identities, such as a face or fingerprint ID, Sutherland says. There's software available that prompts users to unlock their phones using those biometric markers to double-check their identities, she adds.
"With this significant increase in digital customers, a lot of people are not necessarily tech savvy. So we saw a lot of new-to-digital individuals in the last two years," Sutherland says. "[It's the] first time we've seen that device before, or the age of the population that is online is starting to really diversify significantly as well. So there's a lot of older adults. There's a lot of younger adults. All of those things change the way that cybersecurity teams have to operate."
Going forward, the primary way that consumers will blend the in-person and online gambling experience is via mobile devices, because that's the device that they'll have with them wherever they go, Sutherland foresees. She advises casinos to harness and verify the mobile data they collect to reduce their cybersecurity risk.