A recent spate of fraud has hit the U.S. online gambling industry, as sports bettors and poker players found themselves victimized by online fraudsters. The damage has been limited, and sites have reimbursed affected players. Still, the industry can use, and is using, the breaches as a learning opportunity to autopsy what happened and to put measures in place to prevent future breaches.
Enter GeoComply, and its geolocation technology that the industry leans on to verify user locations. According to GeoComply’s Senior Director of Risk Services Danny DiRienzo, a 22-year veteran of the Secret Service where part of his law enforcement responsibilities was investigating financial crimes, that same technology can detect fraud.
“When you start analyzing device data and analyzing linkages between accounts and devices, your ability to identify multiple forms of fraud grows pretty quickly. In any financial fraud, in any e-commerce vertical, and even in retail, being able to link users and accounts, devices, payment methods, all of that technology is what’s needed.”
How the Fraud Was Perpetrated
Anyone who has been a victim of an account takeover will recognize parts of the scheme.
The fraud was outlined by Gambling.com’s Daniel Smyth:
“When someone uses VIP Preferred for the first time, certain pieces of banking information are stored in a database. This makes it possible for the user to make subsequent deposits without entering their bank details.
“The fraudster is exploiting this feature to make payments to fake online poker accounts without needing someone’s bank details. Once the fraudster deposits an eCheck using VIP Preferred, they request a withdrawal to a fake Venmo account. The scam is complete once the withdrawal has been processed and the fraudster transfers the money from the fake Venmo account to their own.”
But as DiRienzo notes, it’s essential to understand this is not unique to online poker, sports betting, or gaming.
“Any type of fraud in e-commerce, whether we’re talking about identity theft, credit card fraud, or account takeovers, happens in every e-commerce vertical,” said DiRienzo. “The interesting thing about the online gaming space is that we have so much data and so many tools in place, including precision geolocation, that allows us to quickly identify these types of fraud and also identify the perpetrators of the fraud.”
According to DiRienzo, “Gaming is far better suited than most e-commerce verticals to identify the fraud, identify the perpetrators, and help mitigate the damages that are done.”
With its proprietary technology, DiRienzo believes GeoComply is uniquely positioned to deploy and develop technology to combat online fraud in the gaming space.
“We believe additional measures can be taken to further protect both industry and players from things like identity theft and account takeover,” DiRienzo said. “We are working with all operators in this industry to implement those solutions.”
Utilizing Data to Detect Fraud
Here is an example of fraud detection at work.
A customer has historically made all deposits and withdrawals through the same PC but plays a lot on their phone. Data can also show that the hypothetical customer is a snowbird that spends the winter in Florida, so a location change isn’t abnormal, nor would a new device immediately trigger a red flag.
GeoComply can use additional logic (data) to determine if the transaction is abnormal.
In addition to recognizing a new device, a new location, and changes in play (the time of day, length of session), there are other tools GeoComply brings to the table. “Maybe it’s a very specific PC that has certain characteristics like other programs you like to have running when you place bets or other devices you are usually around,” DiRienzo said.
But the best way to use GeoComply’s bountiful data is to layer it with data from sites, whether it’s betting behaviors or a recent change to an email address, verification method, address, bank account, or payment method.
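The layering described above can be sketched as a small scoring function. This is an added example, not GeoComply's or any operator's logic; the signal names, weights, thresholds, and sample data are all assumptions made up for illustration.

```python
from dataclasses import dataclass, field

# All weights and thresholds are illustrative assumptions, not vendor values.
WEIGHTS = {
    "new_device": 2,
    "new_location": 2,
    "unusual_hour": 1,
    "recent_email_change": 3,
    "recent_payout_change": 4,
}
STEP_UP_AT, HOLD_AT = 4, 7


@dataclass
class Profile:
    """Constructed per-customer baseline built from past sessions."""
    known_devices: set = field(default_factory=set)
    known_regions: set = field(default_factory=set)  # home plus winter region
    usual_hours: range = range(8, 24)


def score_transaction(profile, event):
    """Return (score, reasons) for one deposit or withdrawal event (a dict)."""
    signals = {
        "new_device": event["device_id"] not in profile.known_devices,
        "new_location": event["region"] not in profile.known_regions,
        "unusual_hour": event["hour"] not in profile.usual_hours,
        # Operator-side account changes layered on top of device/location data.
        "recent_email_change": event.get("days_since_email_change", 999) < 7,
        "recent_payout_change": event.get("days_since_payout_change", 999) < 7,
    }
    reasons = [name for name, hit in signals.items() if hit]
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(profile, event):
    """Map the combined score to allow / step_up (extra verification) / hold."""
    score, reasons = score_transaction(profile, event)
    if score >= HOLD_AT:
        return "hold", reasons
    if score >= STEP_UP_AT:
        return "step_up", reasons
    return "allow", reasons


# Constructed sample data: the snowbird customer from the text.
snowbird = Profile(known_devices={"pc-01", "phone-01"}, known_regions={"NJ", "FL"})
winter_phone = {"device_id": "phone-02", "region": "FL", "hour": 20}
takeover = {"device_id": "pc-99", "region": "PA", "hour": 3,
            "days_since_email_change": 1, "days_since_payout_change": 0}
```

A new phone in a known winter location stays below the step-up threshold, while the same novelty combined with fresh email and payout changes is held for review.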
Balancing Safety and User Experience
The goal is to balance player safety with user experience and reduce friction points. And that’s where data intelligence comes in. As DiRienzo explained, it’s not just about discovering red flags. It’s also about finding green flags to make the user’s experience as painless and unobtrusive as possible.
“This isn’t all about just identifying fraudsters,” DiRienzo said. “It’s also about making the experience for trusted players much better.”
DiRienzo is talking about established customers in the gaming ecosystem who use easily identifiable trusted devices and locations and display betting behaviors that are low risk for fraud. As DiRienzo put it, “it’s not only about throwing up red flags and stoplights at fraudsters but also about throwing up green lights to people we know we can trust.”
There’s a lot of attention paid to privacy in the mobile era. Debates over access to your location and your phone’s apps and features are tense. But there is also an understanding that the balance between safety and user experience requires collecting certain data. On that front, GeoComply is being as transparent as possible about what and when it gathers.
“The only time we’re ever collecting information about your location or device is when you’re actively betting,” DiRienzo said. “It’s not happening when you’re not betting or when the app isn’t open.”
Proactive vs. Reactive
When it comes to lessons, the first step is to conduct a cyber autopsy to determine what happened and where vulnerabilities might exist. An after-action review might uncover data points that indicated an attack was coming, and lead to countermeasures that fill any discovered gaps.
“You can figure out what technology and data points are available, whether it’s additional geolocation, device identifiers, behavior patterns, and leverage that technology to fill those gaps,” DiRienzo said. “And we’re used to that approach for other types of fraud. Our day-to-day relationships with operators are very proactive as we work to eliminate all types of attempted fraud from their business ecosystem.
“From an investigative or a reactive approach, our technology is extremely valuable. We can help point to locations, devices, you name it. But our goal is always for the proactive solution, the real-time alerts, and the data that can allow you to flag accounts.”
Nothing’s 100%, but being able to raise an alert on a possible account takeover in real time, before it happens, is the goal. It’s also important to understand that this is a Day 1 problem. Fraudsters are ready on Day 1 and will likely target new markets, testing for vulnerabilities.
The Customer’s Responsibility
To prevent fraud, customers must accept some inconvenience.
There are real-time barriers that can be put in place that will perhaps frustrate legitimate users. As DiRienzo states, “it comes down to having some pretty robust data and algorithms to make sure you are as right as possible in diagnosing a problem versus distinguishing innocent transactions.”
Customers can also help by having good cyber-security hygiene.
That means enabling multi-factor authentication wherever possible, regularly changing and not reusing passwords, and not storing financial information, even if that means a couple of extra steps in the deposit and withdrawal process.
“The vast majority of compromised credit card numbers don’t come from somebody stealing credit cards out of a wallet. They come from hacks, from gas pump skimmers. Likewise, in the vast majority of account takeovers, the credentials aren’t obtained by somebody shoulder-surfing and watching you type your password. They’re obtained through credential-stuffing attacks.
“And that’s not simply within this industry. They’re looking for the low-hanging fruit of server security where you have created a password, and if they obtain one, they feel like they have all of them because people rinse and repeat the same login credentials.
“I think the consumer needs to be educated. If you have an account that holds value, you may want to make sure you frequently change your passwords and use different passwords across accounts.”
To combat online fraud, DiRienzo believes in a multi-pronged approach. “The industry takes this challenge very seriously. Every operator and client I’ve spoken to is more than willing to tackle this problem with technology,” he said. “So, I think it’s probably a multi-pronged approach that needs to be deployed, leveraging technology along with consumer education.”