Online Casino Abuse | Cybersecurity Sessions #3 with Ozric Vondervelden

hello good day and welcome here we are again back with the latest installment. of the cyber security sessions. our regular postcards a regular podcast, talking about all things cyber security with myself andy still cto and. co-founder of neticia the world's first fully agent with spot management product. today we're going to be talking about, gambling. now gambling has never had the best. reputation as an area could be. completely free of corruption i guess people in general prefer to gamble when, they know that they can't lose fact i was only reading earlier on today about, one of the earliest uses of sports statistics being the, use of the new science of baseball, statistics to identify the fixing of the. 1919 world series illustrating that the. tradition of exposing and capturing. corruption using science is a long and, indeed very honorable one. so, is no surprise that online gambling. suffers the same challenges and we're lucky to be joined today by ozrik van de velden from lovelace consultancy who. spends his time today helping gambling. companies protect themselves from online. exploits welcome oswick thank you very much for, joining us today and could you quickly, introduce yourself for our listeners, sure so um, i'm a founder of lovelace consultancy. and sort of the new um co-director of. greco um, our background is well we've spent many years specializing in, protecting operators in the online. gambling industry from an array of techniques that essentially lead to unintended. losses, um so this ranges uh for a whole diverse, mix of areas within the within any given. operation, so we focus on multi-accounting duplicate accounting process abuse in relation to aml. affordables and verification, content bugs content and bonus logic interoperability. issues integration issues advantage play. inclusion affiliate fraud, uh bonus logic bugs and flaws and as i say more recently where we started development on the world's first, commercially available gameplay risk, engine which is greco. thank you very much i was like i think what we've got from, that brief introduction is the fact that the, amount of different challenges faced by, online gambling companies it's it's an. ever expanding list and all of which you're actively working to. try and to try and help companies. prevent we can't talk about all of them today but. i think there was one in particular that. you have. recently started um seeing an increasing source of compromise and you've given. that the rather nice name of ed ed and, eddie the ed and eddie problem can you just tell us a little bit more. about that, yeah so the the wider topic is uh, duplicate accounting so the ed and eddie, technique is one particular, um type of uh one particular process, of achieving that which we named after ed who's co-director of lovelace um he's uh, he likes his beer and uh he's been known to extend his uh free. trial periods and so we gave it the name the edit and eddie technique, um so just to explain sort of what, duplicate accounting is then. so in simple terms it's the process of creating more than one account using a. single identity. and there's several reasons why someone might attempt this form of abuse and it. ranges sort of uh from quite innocent to extremely fraudulent so um there's the case of, subscriptions and. you know prolonging subscription periods or the or the the, incentive periods, um they can also remove limits on, project uh product purchase limits so. things such as um. limited supply trainers for example. uh or event tickets or regaining access to sites that you've been banned from which is, obviously a big issue in the gambling. industry. or repeatedly taking advantage of. affiliate links or free samples or as i. mentioned sort of promotions, uh the the other one the other big issue. that we're seeing is cpa forward as well so if you can create multiple accounts. um you can essentially as an affiliate be incentivized for each, account you create, and is is this something then that i, mean it sounds like there's, you know relatively uh simple ways that you could you could, stop the obvious, ways of doing this i mean i'm thinking obviously address checking and. validation what what are some of the, techniques that go that people are using to do this and is, this kind of automated or is this manual processes that people are going through so i'll go through some of the techniques, um it's a mix of manual unautomated to be, honest, and so there's the ed and eddie, technique that we've talked about um, which is a simple case of, changing your details every time you register subtle changes um. to to your registration details in order, to scale, um so ed and eddie for example would be a change of name that may be seen as, different in a duplicate account system um. then there's more sophisticated techniques so there's, we call it manual manipulation which is, the process of changing your details within an account um essentially what this. if a system is only looking at the most. recent. details for a player, this can essentially allow the player to cr create multiple accounts with the same data by simply changing the data, after after they've exhausted whatever. reason they they created the account so in the case of the bonus industry quite, often someone will create an account exploit the welcome offer um change the details and then create. another, and then there's sort of social, enrichment uh sorry social engineering

or kind of manual override as we call it so this is the process of creating. an account with your true details and, then creating a second account uh that intentionally fails verification so this could be, a case of, changing, um, the format of the data so it could be. like an american style date of birth and. such um. that you do intentionally to fail verification, that then requires you to upload, documents and what what can happen is that the operative checking this, information can see oh there's just a, simple mistake here i'll correct that. information and verify the account and what this has done is bypass the, automated process, um and then there's, another area as well which kind of plays, into. operators overreaction of gdpr uh the kind of right to be forgotten so, another technique is just to ask for all, of your data to be removed and then, create a new account, and while this isn't sort of, a regular regulatory requirement at. least in the gambling industry um there. is kind of an allowance for for storing data that's. a kind of a security risk um a lot of operators kind of overreact. or misinterpret the legislation which. can which can lead to this kind of exploit, yeah i mean it is clearly outside the, scope of, gdpr's it's a legitimate retention use. of data to track for these sorts of, things isn't it so. um, is it and i know you you kind of raise this as something that's becoming more common. is this um increasing usage is this being driven. by, the, um. security processes that these companies. have put in place to try and to try and prevent fake accounts creation and. and things like that and basic kind of, validation processes that they've got. so, it's always been there i wouldn't say it's necessarily increasing but it's kind of a game of, cat and mouse in that regard so um so when i was younger kind of growing up with the internet while it was still, figuring itself out. um verification products all processes, sorry were still very rudimentary if, existing at all uh most account most significant sites you could create duplicate accounts on. um it was maybe when i was, well maybe 17 years ago um i was. starting to play around with, with these different processes to see. see how the wall systems could be exploited um so i i actually uh dabbled a little. bit when i was younger um. kind of it was in free samples um seeing if i could scale the process. of receiving free samples and i'd be. selling them on ebay. um. and then looking to, streamline that by having the samples, sent direct to the person i was selling them to, and then i'd scale with bots, as well it was very rudimentary stuff i, mean there wasn't any kind of randomization on you know the form submissions there was a clear pattern in. the uh kind of, changes of the data that was being, entered um and it was probably very obvious to the naked eye like i was doing thousands, of form submissions for a single kind of. free sample i i think the problem. actually was a process issue that meant that they were likely subcontracting a sampling company who was probably being incentivized per unit and so it was kind of overlooked, and and this is an example of a kind of poor. process um the processes have got better. now. um, but so have the abuse tactics as i say, the sort of um. apart from the ed and eddie technique they're all kind of a little more, advanced, um and it's really down to. each company so. there's pockets of knowledge all over. the place um, it wouldn't be fair to generalize but there are still, many sites out there that are very, vulnerable in this regard so it's it's a need for process improvement just generally. and and do you think that i think it's interesting just to pick up on the fact that the companies actually may not be, incentivized to do this if they're so. contracting about that how much of these, um, process changes you think, are. not being made because. they come it's ways of either the. company themselves or subcontracted areas of the company. making making money out of this. i don't think that's necessarily, uh at least not in the industry i'm working in the issue anymore there's, just other kind of. misalignments so there's a whole world of complications, toward to the solutions that can be um. kind of imposed to solve these problems, one of them being as people do lose access to their email addresses and want to register again. um people do change address people do, change their name um you know people's details change and you, know just working on someone's date of, birth isn't isn't gonna it's gonna have. a lot of false positives so the challenge is in creating a fuzzy. kind of fuzzy matching logic that's effective. um and that you don't have uh kind of. rules that are too relaxed or if you do. unleash your backup processes, yeah i i going going back this is many many years ago when i first graduated i had a data. entry job and one of the one of the, responsibilities was to check for, duplicates um and we did actually end up in the, situation where there were there were two people who were who were actually twins so they had the same date of birth,

the same address the same second name, and one letter different in their first name and they continually were being, brought up as a data entry error because, they were um seen as too similar but it, was legitimate and i guess one of the, key challenges with the idea is that for, every. um, way you try and clamp down on that there. will be a legitimate um personal use of like you say a legitimate person trying to trying to actually use the service properly. and what what kind of advice do you have for companies who are who are trying to address this issue well there are some sort of basic solutions i mean there's, there's a lot of basic problems still, out there that could be. quite easily fixed, um. so i'll kind of go through them so. in the case of, the ed and eddie technique in the, gambling industry i mean the gambling, industry does have age-restricted content and so they you know legally at least in uh most regulated markets um require some form of background verification um the way this works is um it's a slight play on the dead and eddie technique in the uh the person is looking to. make the name different enough to, to bypass the duplicate accounts. detection system that's similar enough. to fall within the margins of deviation of the, verification system and so that's very. easy to solve. either the rules need to be aligned so, um you've got two kind of mirrored processes or you need to, kind of put a limit on how many people. are verified as a single identity for. your verification process and then there's the kind of social. engineering aspect where where i talked about. somebody. um, sort of, going in with mistakes in their details. and trying to get a manual override that, could be solved with somebody just doing a manual duplicate check before, approving any account. in the case of gdpr it's just a case of, you know um having a better understanding of of what your rights are in that regard so there's a lot of easy quick wins out. there obviously there's a lot of nuances and complications along the way, depending, on like i say your processes for how people change address or um you know, people like you say that are twins even there's nuances that need to be um, sort of given acceptance, yeah i mean not like um any security problem um process it's, about balancing the risk of um stopping legitimate activity versus the risk of stopping illegitimate activity and i think it's uh, i i think this is a real challenging area because. the sophistication that we're seeing in. the. kind of attackers out there and the. tooling available even um, the growth of. kind of. legitimate single-use credit card um. numbers being generated for specific. uses. um which which mask a a card a single. car behind is is already reducing the kind of strength of using credit cards as a single source of. validation and i think as we're starting, to see some again some of the the tools to allow people to to hide their, identity behind other areas for. legitimate or at least semi-legitimate. purposes in some cases i think that just, throws another challenge um, of course. onto those companies which i guess keeps you on your toes. wow. absolutely as the industry becomes more. sophisticated so do so the the opposition um like you said this is one part of a. wider process i mean payment payments uh. uh having a nightwear nightmare with. virtual, like you say virtual cards and. disposable card numbers at the moment because again now the payment process can be scaled as well so you, you can create multiple accounts without the need of recruiting or stealing additional identities you can, scale the payments without with a single bank card, um and it's you know there's sort of. widespread understanding now of um, browser ip and device fingerprinting as. well um so, the sophistication level there has grown also so. it's a constant battle trying to stay. one step ahead essentially. well so well i think we're we're getting, towards the end of time now if if you, had, one last piece of advice um you wanted, to to give to companies with this issue what would it what would it be, um i think there's a lot of pride in the, industry and everybody uh thinks they. have uh a competitive edge um which limits data sharing and i think it's important that operators come together um. either for worse or directly um to kind. of, understand what's happening to other, operators and collaborate on coming, towards the solution that's great advice and um thank you very much i was weak for your time today. and, um hopefully we can get you back at some. point in the future to talk more about. greco which sounds a very interesting. project potentially game changing project for yourselves in the industry um so thank you very much and thank you. everyone for tuning in today um as usual we'll like um subscribe um we'll love to hear your feedback we have a twitter account. at cyber tech pod. um or you can email him, to podcast at netaceae.com and, thank you very much and we will see you again in the next episode, you