Safety first: Slotegrator’s guide to iGaming cybersecurity
In the digital era of today, we enjoy unprecedented access to information and entertainment. But this connectivity comes at a price. The internet is full of people with the knowledge and willingness to put online casinos’ defenses to the test and try to gain access to sensitive data or extort money from business owners. Where do these threats come from? How can you guard against them? Let’s take a deep dive into cybersecurity for online casinos and sportsbooks.
What are they after?
In contemporary digital environments, no business is truly safe from cyberattacks. The only variable for hackers is how much they can gain from their efforts.
A small family business is as likely to get hacked as a big international gambling company, but the latter not only has funds that these bad actors can extort or steal, they can also lose millions if the flow of their business is interrupted.
But money is not the only thing that can be lost in a hack. The personal data of your players that you are responsible for can be lost. When criminals get access to players’ personal accounts, they can use this information to hack into their email or social media and either blackmail them with whatever information they find there, hold their data hostage, or simply resell it to other bad actors. In either case, you risk dealing with considerable reputational damage and loss of players’ trust.
Where do the threats come from?
Where would such an attack originate? There is no shortage of potential wrongdoers. It doesn’t have to be personal or even targeted. There are plenty of opportunistic hackers that just scan the net for vulnerabilities and openings they can take advantage of.
In an industry as competitive as iGaming, trying to gain an unfair advantage over another online casino or sportsbook is also not unheard of. In the struggle for players, businesses that don’t prioritize quality gaming content, can’t offer excellent player support, or just have an inferior platform can decide to instead spend their money on hackers who will attempt to damage their competitors.
Not all hacking is inherently malicious — there is a growing trend of ethical, or white-hat, hacking. These freelance specialists (sometimes called bounty hunters) find bugs and vulnerabilities in the software and report them to the companies for a reward. Unlike their criminal, or black-hat, counterparts, these hackers don’t aim to misuse the data, instead helping companies fix vulnerabilities before they are utilized by any bad actors.
It should be noted, however, that the line between those two can sometimes blur. Some bounty hunters that expect a reward but don’t get one may take advantage of the knowledge they have of your security flaws and launch an attack themselves.
Common types of cyberattacks
Port Scan Attacks
As was mentioned previously, hackers constantly scan for weaknesses. This process can be completely automated and involve just trying to connect to random IP addresses, to find an opening, or guess a password.
Every server (and every computer in general) has a lot of different services running on it. Unfortunately, the ports they use to connect to the internet aren’t a one-way street.
While some ports are completely necessary (they allow for web functionality and remote administration), others are better kept closed from everyone on the world wide web.
A Port Scan is usually the beginning of a cyberattack, a way for a hacker to find a vulnerability to exploit and gain access to your system.
To better illustrate the process, imagine your server is a cabin in the woods. The hacker is a thief who constantly circles it, trying every door handle and looking under every door mat to see if there is a spare key.
And while you may welcome guests that announce themselves and enter through the front door, you wouldn’t be happy to have somebody enter your property through a bathroom window.
When you launch your web server for the first time, many services launch automatically with open ports and default passwords, which immediately makes you vulnerable. A lucky hacker that stumbled upon your IP address during a scan can then quickly get their hands on your data or even gain root access.
Port Scan attacks are very common and very simple, but countermeasures are well known. The best means of defense are constant and keeping all unnecessary doors closed.
A distributed denial-of-service (or DDoS) attack is an extremely simple and widespread cybersecurity threat. In simple terms, the attack takes the form of a flood of traffic aimed at overloading the target system, and as a result, drastically slowing down communication or causing the server to crash.
Bad actors use vast networks of computers infected by malware, called botnets, to perpetrate these attacks. As the traffic isn’t coming from a single source but instead originates from multiple, seemingly random machines, it’s impossible to easily separate it from legitimate users.
There is a huge variety of different types of DDoS attacks, varying by technical implementation. Very broadly, they can be classified as volume-based attacks, protocol attacks, and application attacks.
Structured Query Language (or SQL) is a computer language used in database management.
Every time your player interacts with any kind of input field, on the back-end, the data they input often goes in some kind of database or prompts a retrieval of information from one.
All this involves SQL, and by inputting a carefully crafted command, a hacker can retrieve confidential data.
Most modern databases are secured against SQL injection attacks that were extremely prevalent for more than a decade. However, it’s still possible for hackers to find the vulnerabilities they’re looking for.
One of the most dangerous and destructive hacks, and a nightmare for every cyber-security manager, is ransomware. Ransomware is a type of malware that uses encryption to make files on the computer completely inaccessible. The methods used in these attacks guarantee that the data can’t be deciphered within a reasonable timeframe. Hackers then ask for ransom money in exchange for a decryption key that can be used to get the files back.
Ransomware is by far the worst kind of cybersecurity breach because until the data is decrypted, your platform will be completely disabled. One example of how devastating such a hack could be is an attack on SBTech that happened in March 2020.
The incident came at the worst possible time, as they were in the middle of the merger with DraftKings. SBTech’s platform for sports betting and iGaming wasn’t working for an entire week.
The fallout goes beyond lost revenue and reputational damage. As a result of a subsequent re-negotiation of the acquisition terms, SBTech had to put an additional $30 million into a fund to deal with the aftermath of the attack, such as lawsuits from hundreds of partners that lost revenue while the system was down.
The land-based sector is also vulnerable to ransomware attacks. A recent hack in Tasmania completely disrupted the operations of two casinos owned by the Federal Group, a company that has a monopoly on gaming machines in the country. Hackers not only captured valuable customer data but also caused the venues to completely suspend their operations for 10 days.
While many of the hacks on this list sound like clandestine operations, there are bad actors that go for low-hanging fruit and just try to steal some small change by subverting platform functionality available to the players. These hacks include everything from finding ways to get free bonus money to reverse-engineering the game mechanics to get desired results.
If you ask a cybersecurity professional “What is the weakest link in any security system?”, the reply might surprise you: people.
It’s a common misconception that hackers only operate online. In reality, hackers use so-called social engineering to misguide and deceive their victims and make them reveal information they can then use to gain access to the target system.
The simplest form of social engineering is actually a phone call or a message — the hacker masquerades as a person of authority within the company and tries to get the employee to reveal their password or other credentials.
Another offline tactic that is a staple of social engineering is baiting. Bad actors leave a USB stick or other piece of hardware infected with malware in employees’ proximity, waiting for somebody to get curious and pick it up. As soon as the device is used on a work computer, it becomes infected, and hackers easily get access to the network.
To hack a high-profile target, hackers may even try entering the company’s own headquarters. The simplest tactic criminals use is called tailgating, and doesn’t involve disguises or counterfeit credentials: a tailgater simply passes behind an authorized person as they open the door.
Using manipulation and clever tricks, hackers skilled at social engineering can bypass security guards, gain access to computers, and even steal physical documents.
Phishing and Spoofing
Phishing is a fraudulent internet communication, disguised as legitimate, that is used to gain access to information or to steal data. It’s commonly attributed to social engineering because this scam relies on human error.
Phishing can target both your players and your employees, with different objectives and strategies. Your player may receive a spoofed email that looks like it was sent from you, asking to “confirm” personal information or credit card details. Or the email might offer a bonus that can be redeemed by clicking on a link to the platform, except the website it leads to is a copy of yours, meant to deceive your players.
Your employees may receive an email appearing to be from a trusted partner, a solution provider, or even within your own company. The message can have a malicious link or an attachment that will expose the network to further hacks. A classic tactic that bad actors use is to pretend to represent an IT manager or a system administrator and ask an unsuspecting employee to share their login or password.
Bad actors can use spoofing to make this forgery look extremely similar: a spoofed website would have the same design as yours, as well as have a similar url, and the email would have a legitimate email address in the From: header.
Some phishing attacks are specifically targeted at company owners and c-level executives — this is called whaling. Such emails are usually personalized and usually try to persuade the victim to transfer funds to an account that belongs to a bad actor.
But most importantly, the most dangerous cyberattack is the one that hasn’t happened yet. So cybersecurity experts remain vigilant and do their best to anticipate where the next danger will be coming from.
Keep software up to date
Simply put, software is complicated. And malicious hackers constantly probe it for weaknesses. Developers fix bugs and plug openings that can be used to get into the system, but to be protected, it’s important to actually implement these changes.
In an infamous WannaCry hack that happened in May 2017, companies in 150 countries lost $4 billion. The attack could have been prevented by just downloading an update that was sadly overlooked.
The same things happen to casino platforms that don’t take cybersecurity seriously. If hackers find out that some components of your system are outdated, they can find what vulnerabilities were fixed by the developer in the following versions and use them against you.
Additionally, a company that has better protection is less likely to be chosen as a target in the first place — it’s cheaper and simpler to hack an softer target.
Make sure your staff is trained
Even the most clandestine hacks often need a human to click on a link, download a file, or press a button. For this reason, staff trained to be aware of cybersecurity threats can be an impenetrable bastion of defense.
Awareness of social engineering tricks and strategies makes them considerably less effective.
As for other types of attacks, having a comprehensive plan of action in case of a DDoS attack or a security breach will help your team mitigate damage and deal with the situation quickly and efficiently.
Better safe than sorry. The best way to make sure your casino platform is to test it.
Penetration testing is when you pay a cybersecurity company to hack you. And if they succeed, you can patch up the vulnerabilities and protect yourself from a real malicious attack.
Make sure the law is on your side
Dealing with the aftermath of a cyberattack is hard enough, but if you can’t count on the authorities for help, the situation is even more disastrous.
Unlicensed black-market operators are a prime target for hackers. If operators can’t turn to authorities for help, bad actors can steal data, extort money, and avoid punishment even if the hackers themselves are exposed.
In some cases, these hackers are even mandated by the government itself.
Two Israeli cybersecurity companies, Security Joes and Profero, published reports claiming five companies that were illegally promoting their services to Chinese nationals had become targets of coordinated cyberattacks. According to the report, this effort is connected to the Chinese government’s efforts to combat illegal operators.
Use secure technology
It’s better to be safe than sorry, especially in IT.
Technologies like Cloudflare can protect from DDoS attacks by channeling and filtering traffic through their cloud network, and even a simple VPN goes a long way to make you a difficult target. CAPTCHA is another popular solution for mitigating DDoS attempts, as it prompts every user to solve a simple task, filtering out non-human visitors. DDoS attacks use bots, and while no solution offers 100% protection, every one of them forces hackers to commit more bots or make them smarter, or maintain the attack for longer to succeed. All this makes an attempt more difficult and expensive than hackers would like.
The best protection against SQL injections is to encrypt your databases. These attacks mostly target companies with outdated or substandard infrastructure, so investing in security can dramatically lower your risk.
Finally, make sure you partner up with solution providers that understand the necessity of security. Slotegrator’s platform solutions are equipped with a full set of comprehensive tools to protect the casinos and sportsbooks that use them. All gaming content that is available for integration comes from reputable game developers, and the technologies that are used by solution providers are vetted carefully to be in line with contemporary security standards.
If you want to know more about how we protect our customers, contact our team.