Gambling has come a long way since the days of visiting a bricks and mortar outlet and filling in some paperwork to bet on a small set of events and outcomes. Recent years have seen dramatic changes in this market. In this article we’ll look at how it has evolved and what the security implications are.
The business of gambling has gone through monumental changes since the days when you had to physically visit a fixed location in order to gamble. First of all came the Internet which enabled people to place bets from the comfort of their own homes and allowed gambling companies to significantly broaden the range of situations and events on which they were prepared to take bets. For example, it’s everything from sports betting to casinos via slots; and within each category there has been an explosion in the variety and immediacy of betting options.
This was significant enough already, but it didn’t end there. Access to the Internet via smartphones enabled even more gambling opportunities. Betting through smartphones opened two further doors which fueled business growth further:
By way of an example of how dramatic the growth has been, the mobile component of Gross Gambling Revenue in Europe passed 10% of the total in 2012 but by 2021 was over 50%.
With so much money involved, it’s clear that gambling is a natural target for criminal gangs as well as individual fraudsters. There are two key moments where security needs to be in place and effective:
As mentioned above, protection of the onboarding process is relatively well executed today, so that fake account creation and takeover of existing accounts are less of a threat than they once were, although of course enterprises need to continue to be vigilant.
Protection of gameplay is where the action is currently, primarily because it has become such a dynamic environment, where being able to react quickly to changes in betting choices can be key to making money. For this reason, scripts that drive your APIs directly are a very effective threat vector. It’s common for gambling platforms to deploy significant effort to analyze incoming traffic patterns, searching for suspicious patterns which indicate fraudulent activity. This is fine for certain situations, but you can’t do everything by traffic analysis.
Effective security is usually based on a layered approach, where the use of each layer is informed by the security context of the incoming traffic. Without this context your security is partially blind and may miss easy wins such as the use of scripts. For example, if you can easily detect that an API request is coming from a script and not from your mobile app, do you really need to analyze it?
The topic of backend only security - sometimes called agentless security - is covered in detail in this article. If your gameplay security approach today is based on server-side traffic analysis, you might want to review the article to see how you can improve effectiveness and reduce running costs by adding context.
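To make the “add context before you analyze” idea concrete, here is an added example (not code from this page, and not Approov’s own product API) of a first security layer in front of a gameplay API. It assumes a hypothetical attestation service that issues short-lived HS256-signed JWTs only to genuine app instances and attaches environment findings to them; the header name `X-App-Attestation`, the shared secret, the app identifier and the claim names `aud`, `exp` and `env` are all assumptions constructed for the example. Requests with no valid attestation are rejected before any traffic analysis runs; requests from a genuine app in a risky environment are routed to analysis with that context attached; clean, attested requests pass straight through.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical shared secret between the attestation service and the backend,
# and the app identifier it vouches for (both constructed for this example).
ATTEST_SECRET = b"example-shared-secret-not-for-production"
APP_ID = "com.example.sportsbook"
ATTEST_HEADER = "X-App-Attestation"  # assumed header name carrying the token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = ATTEST_SECRET) -> str:
    """Stand-in for the attestation service: issue an HS256-signed JWT to a
    genuine app instance. In a real deployment the app never holds this secret,
    which is exactly what stops a script from minting its own tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: int, secret: bytes = ATTEST_SECRET):
    """Return (claims, reason); claims is None when the token is not acceptable."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: a token claiming alg=none (or anything else) is
        # rejected before any signature work is done.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None, "unexpected alg"
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None, "bad signature"
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers split, base64 and JSON decoding failures
        return None, "malformed token"
    if not isinstance(claims, dict):
        return None, "malformed token"
    if claims.get("aud") != APP_ID:
        return None, "token not issued for this app"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None, "token expired"
    return claims, "ok"


def triage_request(headers: dict, now: int):
    """First layer: classify a request by attestation context before any
    traffic analysis runs. Returns (action, reason, context) where action is
    'reject', 'analyze' (hand to traffic analysis with context) or 'accept'."""
    token = headers.get(ATTEST_HEADER)
    if token is None:
        # No attestation at all: a script replaying the API, not the app.
        return "reject", "no attestation", {}
    claims, reason = verify_token(token, now)
    if claims is None:
        return "reject", reason, {}
    # Environment findings the attestation service attached (assumed claim 'env'),
    # e.g. a rooted device or an attached debugger.
    env_flags = sorted(set(claims.get("env", [])))
    context = {"app": claims["aud"], "env_flags": env_flags}
    if env_flags:
        # Genuine app in a risky environment: worth the cost of deeper analysis.
        return "analyze", "risky environment: " + ",".join(env_flags), context
    return "accept", "attested app in clean environment", context
```

The point of the layering is cost: the rejections above are a few hashes and a JSON parse, so the expensive behavioural analysis only ever sees traffic that has already proved it came from the app, and it receives the environment flags as input rather than having to infer them from request timing alone.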
We mentioned earlier the impact mobile devices and mobile apps have had on the gambling industry. Not surprisingly, as well as creating business growth opportunities, mobile has introduced new attack vectors.
Although mobile is only one of the methods available to bad actors to attack you, it is the hardest to defend. Remember that anyone can download your mobile app and can examine the code and its behavior for as long as they want - and they don’t need to identify themselves to do this. This makes protecting your mobile channel very challenging.
Bad actors will download your app in order to understand your APIs and once they extract credentials from your app code or in transit on your APIs they will have everything they need to build an effective script. To understand how fraudsters use your mobile app against you and what you can do to counteract this, you might find this article helpful.
As I am sure you know well, online gambling platforms from sports to casinos are very attractive targets for the full range of bad actors, from established criminal gangs right down to small groups of friends and even individuals. Sophisticated threats require sophisticated defenses and mobile is a particularly difficult channel to police effectively.
After all, what other situations exist where you allow your code, containing valuable business logic and most likely also valuable secrets, to be downloaded and run by anyone? This is how the app stores work - for good reasons - but a lot of people don’t realise the inherent risks this enables.
For gambling platforms, there is a temptation to implement gameplay security in the backend only but we would argue that this is defense with one hand tied behind your back. We would strongly encourage you to embrace mobile and all of the security context it can give you in the fight against fraud.
At Approov, we are specialists in the protection of businesses that rely heavily on mobile apps as the primary end user touchpoint. Everything we do concerns continuous monitoring of threats and improvements to the security of mobile businesses, end-to-end. This can only be achieved by considering the mobile app code, the mobile environment it is running in and the state of the API it is using to communicate with your backend platform.
And we have customers in the gambling/gaming space. Contact us today and speak to one of our security experts to help you assess where and how we can help: https://approov.io/product/consult