Cybercrime in igaming: how it occurs, how to prevent it

With the growing threat of cybercrime, how can igaming companies protect themselves and their customers? Prevention and technology tools are key, says David Schollenberger of Healys LLP.

Cybercrime is currently one of the biggest concerns of igaming, operators, regulators and customers for igaming and betting services alike. As the business of online gaming has grown, internet fraud, theft and attacks have followed.

What is cybercrime? How does it most frequently occur in igaming? What are the challenges to operators and how can they best be addressed? What legislation currently covers cybercrime and is it adequate and being effectively enforced? This article will look at these issues.

What is cybercrime? Cybercrime is a broad term covering any criminal act involving the use of the internet. Cybercrimes generally fall into two categories. The first category is new offences using technological means such as hacking computer systems to steal or alter data or crash or infect a computer system.

This includes distributed denial of service attacks. Distributed denial of service attack (“DDOS”) means an intentional attack on a computer system, website or a specific computer, to try to disrupt or crash the system and make it not usable by users.  This might be done as a form of blackmail or to maliciously damage a company.

The second category is old offences using new technology such as identity fraud following theft of personal data. Identity fraud means the use of an individual’s personal information obtained by theft in order to obtain value by deception.

How does fraud and cybercrime most frequently occur? Cybercrime in igaming is actually more often targeted at users of igaming services than directly at operators.

Individuals may be targeted to obtain their user names and passwords to enable fraudsters to access and control online gaming accounts.

This information can be obtained by the use of a technique known as “phishing” whereby an individual is tricked into revealing personal information through fake email and websites. Another means of obtaining data is by the use of “malware” which upon infiltrating a computer system, can extract and send data on to the fraudster.

Another means of data theft is through data found on stolen laptops and memory sticks.

Less commonly, operators or gaming supplier businesses can be hacked and large amounts of data can be stolen in bulk from them if they are holding customer information centrally, for example the UK National Lottery's user accounts were hacked last year. This information can then be fraudulently used or sold on to other criminal organisations.

What are the main challenges in addressing cybercrime? There are a number of challenges to addressing cybercrime. With the phenomenal growth and use of the internet in daily life for personal and commercial transactions, the amount of data available for theft and fraudulent use is ever increasing. Technological advances have helped to protect computer systems against attack, but cybercriminals are technologically often one step ahead.

Cybercrimes are much easier and less risky for criminals to commit than burglary or physical theft, they are more difficult to detect and enforce, and typically carry lighter sentences than physical theft.

Police departments in many cities typically do not have the expertise or adequate resources to address the scale and sophistication of cyber crime. Although some large police departments, such as the Met in London, do have specialised units, and have expanded greatly over the past several years, they are still typically not of a size capable of addressing the full extent of cybercrime.

Cybercrimes are often committed remotely in different cities, regions or countries. The perpetrator may be difficult to locate unless information is received or they are detected and caught committing the act. Otherwise pursuing these crimes requires cooperation and resources between many police forces in many countries. Not all countries have adequate laws to prosecute cybercrime and vary in their degree of cooperation and effectiveness in enforcement.

Fraudsters are often sophisticated in concealing their identity and location, and are therefore difficult to track down and arrest. Further, when one means of hacking or fraud is addressed, another means is developed in its place.

What are the risks to operators? A breach of the cybersecurity of an igaming operator can have a number of very negative impacts on a company. These include loss of customer confidence in the company and loss of business from customers who may prefer to engage with operators that have more robust security. It can also lead to large fines by the relevant data protection regulator (Information Commissioner’s Office in the UK).

Under the new EU data protection regulation, those whose personal information was breached will have the right to sue the company directly for compensation. Inadequate cybersecurity may also be grounds for a gaming regulator to review an online operating licence. This is just part of the new UK regulatory landscape that operators will have to traverse this year.

What is the current applicable legislation in the UK? The Computer Misuse Act 1990 is the first piece of UK legislation to address computer misuse. It sets out three computer misuse offences:

1. unauthorised access to computer material;
2. unauthorised access to commit or facilitate commission of further offences;
3. unauthorised modification of computer material.

The original maximum prison sentences for each offence were (1) six months, (2) five years and (3) five years. The penalty for (1) was increased to two years with an amendment in the Police and Justice Act 2006.

The Serious Crime Act 2015 further amended the Computer Misuse Act. A new offence was created for unauthorised acts causing or creating risk of serious damage in relation to a computer. The serious damage must be of a material kind and includes damage to human welfare, the economy of a country and the national security of a country. A person guilty of an offence is liable to a prison sentence up to 14 years (and life imprisonment in some circumstances), a fine, or both.

The European Convention on Cybercrime (“Convention”) was adopted in 2001, was ratified in the UK and entered into force in 2011. It provides a common international framework for dealing with cybercrime including illegal access, illegal interception of data, data interference, system interference, misuse of devices, computer related forgery and computer related fraud.

Most EU member states and the US have ratified the Convention. Notable absences are Russia and China.

Are legislation and enforcement effective and robust enough? UK regulation has been substantially strengthened with the Serious Crime Act amendments to the Computer Misuse Act. The Convention sets out a good framework, but unfortunately not all countries are party to it, including Russia and China, where much of the misuse takes place.

In the UK, the National Cyber Crime Unit leads the UK’s response to Cybercrime. It works closely with regional organised crime units and with the London Metropolitan police cyber crime unit.

With respect to enforcement, the difficulty is as stated before the remoteness and difficulty of identifying, arresting and prosecuting Cyber criminals. This is further complicated by the lack of adequate policing resources for the scale of the problem.

Is the focus shifting from enforcement to prevention? Prevention is clearly a much better approach than enforcement, it is almost universally agreed by regulators, law enforcement, operators and law makers. There are increasingly sophisticated technological tools commercially available to operators to reduce the risk.

Cybersecurity audits, a dedicated team and continuing training of both operators and their customers on fraud avoidance are also critical.

Conclusion The threat of cybercrime is real and can have a very negative impact on an operator’s business. It will not be going away and needs to be urgently and continuously addressed. Operators are urged to have an effective plan and put the resources into their organisations to address it.

Related articles: Camelot confirms National Lottery online account hacks UK to increase focus on problem gambling, says Gambling Commission boss Information security round-up UK regulatory waters will require careful navigation in 2017 (paywall)