Securing the future of the iGaming industry is no easy task. While some companies tend to worry about customer acquisition, retention and changing consumer habits, companies such as Hedgehog Security work hard to ensure products and services are safe and secure.
With cyber-attacks increasing, and nefarious third parties becoming more inventive in the ways they mislead consumers, iGaming has turned to established security companies whose comprehensive product and service offerings provide the level of protection that businesses and consumers require.
Today we speak with Peter Bassill from Hedgehog Security, who has agreed to talk to us about internet security and how important it is in the iGaming world.
Q: We hear all these stories about personal data leaks and ransomware attacks. How challenging is it to protect businesses that concentrate huge amounts of money, such as iGaming operators, from these attacks?
A: One of the biggest challenges is providing an online platform for which, should the worst happen for the end user, you can prove you have done more than is reasonable to adequately protect the user's accounts from being accessed.
Gone now are the days when you could rely on just a username and password. Two-factor authentication, and more commonly now an additional second-factor authentication, is de rigueur.
But that is simply one side of the many-sided die of cyber protection. Weekly patching, daily AV scanning, hourly signature updates and constant vigilance are needed to protect both the iGaming operator and its customers.
Q: Do you reckon there is an inherent difference in what an iGaming business needs to do to protect itself compared to, for example, a hotel database which stores the data of possibly millions of customers?
A: No. To be honest, the vast majority of mass consumer businesses have a level of security that is lamentable. Almost all major hotel chains have had a breach and it’s not only the hospitality industry.
It is almost a bit of a cliché now, but criminals used to rob banks because that was where the money was. Information is currency now, so criminals hit the easiest path to a payday and that, I am sad to say, is mass consumer business such as online casinos.
Q: What software usually proves a vulnerable entry-point that hackers use to gain entry into a gaming operator’s database or compromise customers?
A: The most typical way into a business comes from one of two directions: a badly written web application or human manipulation.
Picture this very real scenario: an iGaming operator asks us to test their security and in the space of a week we become embedded in their business. They purchased some of the best software out there and followed all the advice given, but they didn't change one of the engineering passwords used during our deployment.
That password was very easily guessable, as it was the name of the software company with the two-digit year on the end. Of course, our team found it. But not before they simply sent a malware file embedded in an ID document to the KYC team.
Q: It seems to us that even the best software and safety measures cannot fully mitigate an attack if a hacker’s mind is on it. Do you reckon operators should also try and boost awareness about online safety among consumers?
A: Communication is key. The banks haven’t got it totally right yet, but they are well on the way. So, why don’t operators do the same, I hear you ask.
Some are! Communicate with your consumers, educate and advise. It is excellent customer service; it aids in player retention and it stops them inadvertently being conned into giving up their account details.
Q: How do you think gaming operators can be fully prepared for an attack, and are there cases in which you would call a safety system that was put in place "inadequate", and other cases when the system was up to the industry standard but the attackers just proved too clever?
A: There are so many examples that come to mind. Here are three that really sum up the majority of what people are doing wrong:
A savvy vendor account manager for a gaming provider said to me back in my Gala days, “You don’t need security, you have our software.” We ran a pentest, we found multiple security holes in that software which granted access from the outside. Don’t believe everything vendors say. Get verification.
Working in an incident response role, an iGaming operator couldn't believe they got totally breached. "We purchased all the tools from the Gartner top right," they said. That's great, but a piece of tin with flashing lights is useless unless you are reacting to the alerts it is providing. Read all the alerts and respond to them.
Helping a provider understand why they were losing money on a particular slots game, we asked to see their testing results. "We don't perform security testing past automated code reviews. It's a false economy." Five minutes later we manipulated the front end to provide a negative stake and won every time. Human testing involves gut feel and experience, something programmatic testing cannot do. Use human security testing.
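The negative-stake bug described in the third example above comes down to a server that trusts whatever stake value the client sends. The following is an added illustration, not code from Hedgehog Security or from the provider in the story: a settlement routine that trusts the client-supplied stake, beside a hardened version that parses the stake as a fixed-precision decimal, rejects non-positive, non-finite, out-of-range and over-precise values, and checks funds before deducting. The stake limits, the `Account` model and the sample request values are assumptions made for the example; the payout multiplier is taken to come from the server's own game logic, never from the client.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Assumed table limits for the example (not from the article).
MIN_STAKE = Decimal("0.10")
MAX_STAKE = Decimal("500.00")
STAKE_PRECISION = Decimal("0.01")   # two decimal places, i.e. whole pence


class InvalidStake(ValueError):
    """Client sent a stake that must never reach the ledger."""


class InsufficientFunds(ValueError):
    """Stake exceeds the player's available balance."""


@dataclass
class Account:
    balance: Decimal


def settle_spin_vulnerable(account: Account, stake: Decimal,
                           payout_multiplier: Decimal) -> Decimal:
    """The broken pattern: the stake is whatever the front end posted.

    Deducting a negative stake *credits* the account, so a losing spin
    (multiplier 0) still leaves the player richer than before.
    """
    account.balance -= stake
    account.balance += stake * payout_multiplier
    return account.balance


def parse_stake(raw) -> Decimal:
    """Turn an untrusted request field into a validated Decimal stake.

    Decimal is used rather than float so that 0.1 + 0.2 style rounding
    cannot be abused and so that NaN/Infinity are explicit, testable cases.
    """
    try:
        stake = Decimal(str(raw))
    except (InvalidOperation, ValueError):
        raise InvalidStake(f"stake is not a number: {raw!r}")
    if not stake.is_finite():
        raise InvalidStake("stake must be finite")
    if stake <= 0:
        raise InvalidStake("stake must be positive")
    if stake < MIN_STAKE or stake > MAX_STAKE:
        raise InvalidStake(f"stake outside {MIN_STAKE}..{MAX_STAKE}")
    if stake != stake.quantize(STAKE_PRECISION):
        raise InvalidStake("stake has more precision than the currency allows")
    return stake


def settle_spin_hardened(account: Account, raw_stake,
                         payout_multiplier: Decimal) -> Decimal:
    """Validate the stake server-side, check funds, then settle.

    `payout_multiplier` is produced by the server's RNG/game logic and is
    assumed trusted; only `raw_stake` is attacker-controlled here.
    """
    stake = parse_stake(raw_stake)
    if stake > account.balance:
        raise InsufficientFunds("stake exceeds available balance")
    account.balance -= stake
    account.balance += stake * payout_multiplier
    return account.balance


def demo() -> dict:
    """Replay the scenario on a constructed request: a losing spin
    (multiplier 0) with a client-supplied stake of -10."""
    losing_spin = Decimal("0")
    results = {}

    vulnerable = Account(balance=Decimal("100.00"))
    results["vulnerable_balance_after_loss"] = settle_spin_vulnerable(
        vulnerable, Decimal("-10"), losing_spin)   # 110.00: the "loss" paid out

    hardened = Account(balance=Decimal("100.00"))
    try:
        settle_spin_hardened(hardened, "-10", losing_spin)
        results["hardened_rejected"] = False
    except InvalidStake:
        results["hardened_rejected"] = True
    results["hardened_balance_after_loss"] = hardened.balance  # unchanged
    return results


if __name__ == "__main__":
    print(demo())
```

The important design point is that validation happens on the value the server is about to move money with, not on a field the front end may have checked earlier: the client is free to send anything, so the ledger code is the last line of defence and must reject a negative, zero, NaN or over-sized stake regardless of what the UI displayed.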
Q: Should we be scared when we log in to play our next iGaming session or are we in good hands?
A: I love to play. I have a fair number of accounts but from a KYC point of view, I am a total pain. But I trust no-one and take significant steps to protect my own data.
- I use disposable debit card numbers through my bank and I change that card every time;
- I use specific email addresses for platforms, such as email@example.com and firstname.lastname@example.org. If I see my addresses come up on any alerts, I know there is a problem;
- I use a unique password for every account and keep those passwords in my password safe;
- I keep my balances at a level that if I lost it all, I wouldn’t really care and
- Above all, I relax and enjoy.
As an aware consumer, I have mitigated a lot of the risks myself. It doesn't remove the platform's obligation to protect my data and money, but in the event that it all goes wrong I will just make a cup of tea, shrug and find a more responsible platform. Vote with your accounts, people.