SecureWorld News

The High Stakes of Cybersecurity in Online Gambling

Written by Cam Sivesind | Thu | Sep 12, 2024 | 5:26 PM Z

The world of online gambling has exploded in popularity, offering convenience and excitement to millions of players worldwide. However, with this digital gold rush comes a host of cybersecurity risks and challenges that affect gambling companies, players, and the third-party vendors who support them.

There are risks, challenges, and opportunities for the online gaming companies, the folks who partake in online gambling, and the third-party vendors who are there to help keep systems and data secure.

For online gambling companies, prioritizing cybersecurity is not just about protection—it's a competitive advantage. Robust security measures can build trust with users and regulators alike, potentially opening up new markets and opportunities. The risks are fairly obvious:
  • Data Breaches: Online casinos hold vast amounts of sensitive user data, including personal and financial information. This makes them prime targets for cybercriminals.
  • DDoS Attacks: Distributed Denial of Service attacks can cripple gambling sites, causing downtime and loss of revenue.
  • Fraud: Sophisticated scams, including bonus abuse and account takeovers, pose significant financial risks.
  • Regulatory Compliance: Meeting strict data protection regulations across different jurisdictions is a constant challenge.

Online gamblers, meanwhile, must remain vigilant. Using strong, unique passwords, enabling multi-factor authentication when available, and being cautious about sharing personal information are crucial steps in protecting oneself. The risks are also pretty obvious:
  • Identity Theft: Personal and financial data can be compromised if a gambling site is breached.
  • Unfair Play: Hackers might manipulate game outcomes, leading to unfair losses.
  • Addiction Vulnerability: Cybercriminals could exploit data to target vulnerable individuals with personalized marketing.

"Beyond the traditional security measures, an online gambling professional or enthusiast must always consider their software stack, and be cautious installing any third-party application from sites like TwoPlusTwo, and other forums, regardless of their perceived usefulness," said Michael Skelton, Vice President of Operations and Hacker Success at Bugcrowd—and an ex-professional poker player (2003-2010). "The protection of your online wallet should be considered top of mind, and the reputation of a site when it comes to security should be a significant factor. Historically, UltimateBet and Absolute Poker had cheating at the platform level, leading to significant losses—a risk that is much more likely in lesser-known cryptocurrency gambling sites."

Personal data is always at risk when doing any activity online, whether gaming or not.

"Anytime you reveal your personal data to an organization—including an online gaming company—you're increasing your chances of being adversely impacted by a data breach," said Col. Cedric Leighton. "In essence, you're providing potential hackers with a bigger target. The more you expose your data to different organizations, the more likely it is that you'll be compromised."

The National Cybersecurity Alliance (NCA) helps the public and businesses by providing resources and tips for keeping themselves safe, and its advice for online gamers is simple and straightforward.

"Online betting is a potentially exciting activity for interested gamers, but they should always proceed with patience, vigilance, and caution," said Cliff Steinhauer, Director, Information Security and Engagement, at the NCA. "Don't forget to enable MFA, use strong, unique passwords, and be suspicious of inbound messages about gaming that could be phishing attempts. Attackers see opportunities to exploit the excitement around online betting as a way to trick users into acting too quickly, without thinking about the source or red flags in the message. Slow down, have fun, and stay safe!"

Third-party vendors have the opportunity to position themselves as indispensable partners by staying ahead of emerging threats and offering innovative solutions. Their expertise can be a valuable asset in an industry where security is paramount. They are tasked with a few challenges in their efforts to help their clients:

  • Supply Chain Attacks: As crucial links in the security chain, vendors are attractive targets for hackers seeking to infiltrate gambling platforms.
  • Reputation Risks: A security lapse could damage relationships with gambling companies and other clients.
  • Rapid Evolution: Keeping up with emerging threats and new technologies is a constant challenge.

Despite these challenges, the online gambling industry also presents significant opportunities for cybersecurity innovation:

  • Advanced Authentication: Implementing cutting-edge biometric and multi-factor authentication can enhance security and user experience.
  • AI and Machine Learning: These technologies can be leveraged for real-time fraud detection and prevention.
  • Blockchain Technology: Decentralized systems could provide enhanced transparency and security for transactions and game outcomes.
  • Regulatory Tech: New solutions to help companies navigate the complex landscape of international gambling regulations and compliance.
  • Educational Initiatives: Opportunities to educate users about cybersecurity best practices, benefiting both the gambling industry and wider society.

Physical casinos are clearly at risk judging by recent—and costly—attacks on some staples on the Vegas Strip. It's not just the gaming side; it's hotel operations, rewards programs, rooms access, and more.

"Gambling casinos have also been victims of cyberattacks. Last September, MGM Resorts was struck by a massive cyberattack, which crippled everything from ATMs to electronic room keys, not to mention the gambling operations themselves," Col. Leighton said. "The ransomware group Scattered Spider, affiliated with ALPHV or BlackCat, claimed responsibility. MGM Resorts did not pay a ransom, but the attack reportedly ended up costing the company $100 million in lost revenues and other costs."

"In addition to MGM Resorts, Caesars Entertainment was also recently hit by a ransomware attack. Unlike MGM, Caesars opted to pay a $15 million ransom," Col. Leighton added. "As the MGM and Caesars cases illustrate, cybercriminals and other actors will 'follow the money.' They are clearly putting the online gambling industry in their crosshairs."

Online gambling sites are ripe for the picking by bad actors, and that includes gambling-themed phishing sites that lure victims looking to strike it rich from their couch or their home or in-office chair.

"The sophistication of today's phishing threats is becoming more difficult to detect, especially for users," said Patrick Harr, CEO at SlashNext. "Online gambling-themed phishing sites continue to pop up and they will be used to steal credentials for future corporate-based attacks or to commit credit card fraud."

Krishna Vishnubhotla, Vice President of Product Strategy at Zimperium, breaks down how cybercriminals operate in the online gaming arena: "Cybercriminals can exploit online gambling to launch attacks via phishing emails, malicious links, or fake betting websites and mobile apps. Due to the prevalence of smartphones for these activities, they often target mobile users," Vishnubhotla said, offering the obvious and not-so-obvious vectors for criminals:

What's obvious

  • Phishing Scams: Phishing scams are common. They often involve emails or messages mimicking legitimate betting sites, aiming to steal credentials or personal information.
  • Unsecured Wi-Fi Networks: Using public or unsecured Wi-Fi can expose users to eavesdropping and data theft.

What's not obvious

  • Social Engineering Beyond Email: Cybercriminals may use social media or messaging apps to target individuals with scams. Messaging apps and in-app messages on social apps are great for these.
  • Compromised Mobile Apps: Not all apps related to online gambling are legitimate. Some may be designed to look genuine; however, they are actually created to install malware or steal data from mobile devices. In particular, betting and gambling apps will lure you into installing them by promising exponential returns.

"Since online gambling doesn't only take place outside of work hours, organizations should proactively educate their employees about these risks, advise caution with unsolicited communications, ensure the security of their mobile devices, and verify the legitimacy of websites and apps used for betting," Vishnubhotla concluded.