Securing Mobile Gambling Platforms

Online gambling concept; person using mobile phone for sports betting

Gambling has come a long way since the days of visiting a bricks and mortar outlet and filling in some paperwork to bet on a small set of events and outcomes. Recent years have seen dramatic changes in this market. In this article we’ll look at how it has evolved and what the security implications are.

The Evolution of Gambling

The business of gambling has gone through monumental changes since the days when you had to physically visit a fixed location in order to gamble. First of all came the Internet which enabled people to place bets from the comfort of their own homes and allowed gambling companies to significantly broaden the range of situations and events on which they were prepared to take bets. For example, it’s everything from sports betting to casinos via slots; and within each category there has been an explosion in the variety and immediacy of betting options.

This was significant enough already but it didn’t end there. Access to the Internet via smartphones enabled even more gambling opportunities. Betting through smartphones opened 2 further doors which fueled business growth further:

  • In-play betting. Within the context of live sport, instant betting options can be presented to users and accessed ‘on the go’, dramatically increasing the range of depth of ways to engage with the gambling platforms.
  • Young people. The combination of smartphone access and the diversity of opportunities to gamble in different ways on different outcomes has significantly reduced the age of the average gambler.

By way of an example of how dramatic the growth has been, the mobile component of Gross Gambling Revenue in Europe passed 10% of the total in 2012 but by 2021 was over 50%

What About Security?

With so much money involved, it’s clear that gambling is a natural target for criminal gangs as well as individual fraudsters. There are two key moments where security needs to be in place and effective:

  • Account setup. Know your customer (KYC) and other anti-money laundering (AML) mechanisms are required to allow gamblers on to the platforms. These are usually well understood and are also to some extent regulated, meaning that off-the-shelf protection solutions exist.
  • Gameplay. As long as betting odds exist on gameplay events, there will be people who will try to beat the system. There are a number of approaches to this but by far the most common is scripting, where bad actors create scripts to impersonate genuine app and API traffic. This enables them to rapidly evolve the attacks they are using as the live situation changes.

As mentioned above, protection of the onboarding process is relatively well executed today so that fake account creation and existing account takeover is less of a threat than it once was, although of course enterprises need to continue to be vigilant. 

Protection of gameplay is where the action is currently, primarily it has become such a dynamic environment where being able to react quickly to changes in betting choices can be key to making money. For this reason, scripts are a very effective threat vector. It’s common for gambling platforms to deploy significant effort to analyze incoming traffic patterns - searching for suspicious patterns which indicate fraudulent activity. This is fine for certain situations but you can’t do everything by traffic analysis. 

Effective security is usually based on a layered approach, where the use of each layer is informed by the security context of the incoming traffic. Without this context your security is partially blind and may miss easy wins such as the use of scripts. For example, if you can easily detect that an API request is coming from a script and not from your mobile app, do you really need to analyze it?

The topic of backend only security - sometimes called agentless security - is covered in detail in this article. If your gameplay security approach today is based on server-side traffic analysis, you might want to review the article to see how you can improve effectiveness and reduce running costs by adding context.

The Mobile Dimension

We mentioned earlier the impact mobile devices and mobile apps have had on the gambling industry. Not surprisingly, as well as creating business growth opportunities, mobile has introduced new attack vectors.

Although mobile is only one of the methods available to bad actors to attack you, it is the hardest to defend. Remember that anyone can download your mobile app and can examine the code and its behavior for as long as they want - and they don’t need to identify themselves to do this. This makes protecting your mobile channel very challenging. 

Bad actors will download your app in order to understand your APIs and once they extract credentials from your app code or in transit on your APIs they will have everything they need to build an effective script. To understand how fraudsters use your mobile app against you and what you can do to counteract this, you might find this article helpful.

Recommendations

As I am sure you know well, online gambling platforms from sports to casinos are very attractive targets for the full range of bad actors, from established criminal gangs right down to small groups of friends and even individuals. Sophisticated threats require sophisticated defenses and mobile is a particularly difficult channel to police effectively. 

After all, what other situations exist where you allow your code, containing valuable business logic and most likely also valuable secrets, to be downloaded and run by anyone? This is how the app stores work - for good reasons - but a lot of people don’t realise the inherent risks this enables.

For gambling platforms, there is a temptation to implement gameplay security in the backend only but we would argue that this is defense with one hand tied behind your back. We would strongly encourage you to embrace mobile and all of the security context it can give you in the fight against fraud.

At Approov, we are specialists in the protection of business that heavily rely on mobile apps as the primary end user touchpoint. Everything we do concerns continuous monitoring of threats and improvements to security of mobile businesses, end-to-end. This can only be achieved by considering the mobile app code, the mobile environment it is running in and the state of the API it is using to communicate with your backend platform.

And we have customers in the gambling/gaming space. Contact us today and speak to one of our security experts to help you assess where and how we can help: https://approov.io/product/consult