More data, more risk: how affordability checks could make the industry more vulnerable
Philip Young, co-founder and creator of real-time digital identification platform Luciditi, gives some tips on minimising the danger from cyberattacks
With yet another new prime minister in the UK, it’s difficult to know exactly what to expect when the long-awaited white paper on gambling reform is finally published. But from what’s been hinted at so far, and with the Gambling Commission also promising a consultation on affordability, it seems reasonable to assume operators will need to gather more data on their players in the future.
If operators are soon required to collect more detailed information about players’ financial circumstances, this will present not only a compliance challenge, but also a test of operators’ cybersecurity. As the need for data handling increases, so will the risk of that data being compromised.
There is a well-used phrase in cyber circles: “There are two types of business, those that have suffered a cyberattack, and those that don’t yet know they have.” While this may be overstating things slightly, it’s fair to say that all businesses are at risk of a data breach.
The gambling industry is possibly at even greater risk, because it will not only be industry insiders who have noticed that it may soon be storing more financial information on customers, but criminals too. While so far it may have avoided any breaches on the scale of the UK TalkTalk breach of 2015 or the very recent Optus breach in Australia, cyber criminals are likely to devote more time to penetrating operators’ systems if doing so starts to look more profitable.
Gambling apps and websites are already a particularly lucrative target for hackers because they typically allow both payments and withdrawals to be made. For criminals, automated credential stuffing exploits, where usernames and passwords gathered from leaks from other sites are reused against a gambling site, are worthwhile even with very low success rates.
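The credential stuffing pattern described above is recognisable from the operator's own authentication logs. The following is an added example, not code from the article or from Luciditi: it runs a simple heuristic over a constructed login log, flagging a source address that tries many distinct usernames with a low success rate, and listing the accounts that did succeed from that source so they can be locked and reset. The log format and the thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample authentication log (not real traffic):
# timestamp, source IP, username, outcome
SAMPLE_LOG = """\
2022-11-01T10:00:01 203.0.113.7 alice FAIL
2022-11-01T10:00:02 203.0.113.7 bob FAIL
2022-11-01T10:00:02 203.0.113.7 carol FAIL
2022-11-01T10:00:03 203.0.113.7 dave FAIL
2022-11-01T10:00:03 203.0.113.7 erin FAIL
2022-11-01T10:00:04 203.0.113.7 frank SUCCESS
2022-11-01T10:00:10 198.51.100.9 alice FAIL
2022-11-01T10:00:15 198.51.100.9 alice FAIL
2022-11-01T10:00:20 198.51.100.9 alice SUCCESS
"""

def parse_log(text):
    """Yield (ip, user, ok) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, outcome = line.split()
        yield ip, user, outcome == "SUCCESS"

def find_stuffing_sources(events, min_attempts=5, max_success_rate=0.2):
    """Flag source IPs whose pattern matches credential stuffing: many
    attempts spread across many distinct usernames with a low success
    rate. A single player retrying their own password (a few attempts
    against one username) is not flagged. Thresholds are assumptions."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    hits = defaultdict(set)   # usernames that logged in from this IP
    for ip, user, ok in events:
        attempts[ip] += 1
        users[ip].add(user)
        if ok:
            hits[ip].add(user)
    flagged = {}
    for ip, n in attempts.items():
        distinct = len(users[ip])
        rate = len(hits[ip]) / n
        if n >= min_attempts and distinct >= min_attempts and rate <= max_success_rate:
            # The few successes are the accounts to lock and force a reset on.
            flagged[ip] = {"attempts": n, "distinct_users": distinct,
                           "compromised": sorted(hits[ip])}
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(parse_log(SAMPLE_LOG)))
```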
Even if operators themselves do not lose money, players will and this will lead to reputational damage for the operator in question. If we look at the SuperCasino breach that came to light in 2020, the big losers were players. Some of their personal data was exposed to criminals, who may have been able to use it on its own, or in conjunction with other leaked datasets. But SuperCasino was also a loser as it lost players’ trust.
The company statement didn’t say how the data was accessed, but mentioned that an unauthorised person gained access. It seems reasonable to assume this was an external actor and, given what we know about the most common attack vectors, that they used a set of compromised credentials.
Password protected
Verizon’s most recent Data Breach Investigations Report found that the most common way businesses are exploited (based on confirmed breaches) is via compromised credentials, particularly via web applications. One of the most regularly hacked pieces of data is the password. Passwords are used to secure so many of our personal and business accounts that reuse becomes inevitable. Even password managers such as LastPass, which helps consumers create and store complex passwords, have been breached. That in itself should be enough to give everyone cause for concern about relying on passwords.
It’s a common misconception that the answer to mitigating the risks inherent in passwords is two-factor authentication (2FA) or multi-factor authentication (MFA), using a one-time token or an authenticator app. Unfortunately, these are not enough protection. MFA still requires users to create a complex password to secure accounts and these passwords can still be leaked. When any compromised account’s password – whether it’s from a 2FA/MFA-protected account or not – is leaked, hackers will use that password everywhere they can until they get a hit.
The real solution to the problem of password vulnerability is to get rid of them altogether. Eliminating passwords from situations where the network perimeter can be crossed is essential in order to prevent unauthorised access and protect players from large-scale data breaches.
New password-less systems typically rely on open standards technology such as FIDO2, WebAuthn and CTAP2 and authenticate users via methods such as biometrics and verified ID. This cuts the direct risk to companies themselves and, perhaps more importantly, allows them to play a part in the non-proliferation of passwords, which reduces cybercrime.
Operators should also be looking to secure their environments by utilising the zero trust and least privilege principles. Essentially, these principles require continual verification of accessing users and give the least access necessary for a particular function. While MFA plays a role in such systems, they go further by also addressing device authentication, preventing access to more data than is strictly necessary and monitoring access requests for anything that looks outside of the ordinary. If applied across the board and with sufficient granularity, even if attackers do gain access, their ability to access other parts of the system is limited.
Finally, operators need to take steps to reduce the risk of sensitive stored data being breached. Any requirement to prove players can afford to play will require more data points than are currently required for compliance. The most obvious way to handle this might seem to be to simply store more data and protect it. However, protection is difficult, requires continuous evolution and ultimately if a chink in the armour is found, breaches will occur, fines will be issued and player data will be compromised.
A far better approach to take is data minimisation – only take what is necessary and hold it for as long as you need it, with the caveat that operators must obviously comply with any regulatory requirements. For example, do you need to store a player’s date of birth and their address? Or do you simply need to know they are over 18 and a UK resident? Clearly there is a need to hold this information somewhere, but not everywhere and forever. Reducing the amount of data to only what is essential decreases risk. In a cyber world as fast-moving as today’s, eliminating risk entirely may not always be possible, but there are steps the gambling industry can take to reduce the risks to their businesses and their players.
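The date-of-birth and address question above can be answered at verification time and the source data discarded. The following is an added example, not code from the article or from Luciditi: it derives the two facts the article names (over 18, UK resident) from the data collected during verification, keeps only those facts plus a verification date and a retention deadline, and purges records once the deadline passes. The retention window and the use of an ISO 3166 country code for residency are assumptions for the example; a real window is set by the applicable regulation.

```python
from dataclasses import dataclass
from datetime import date, timedelta

UK_COUNTRY_CODES = {"GB"}  # assumption: residency captured as an ISO 3166 code

@dataclass(frozen=True)
class MinimisedPlayerRecord:
    """What the operator retains after verification: derived facts, not
    the date of birth or address they were derived from."""
    player_id: str
    over_18: bool
    uk_resident: bool
    verified_on: date
    retain_until: date  # assumed retention deadline for this example

def is_over_18(dob: date, on: date) -> bool:
    """True if the person has had their 18th birthday on or before `on`.
    Handles a 29 February birthday by treating 1 March as the birthday
    in non-leap years."""
    try:
        eighteenth = dob.replace(year=dob.year + 18)
    except ValueError:
        eighteenth = date(dob.year + 18, 3, 1)
    return eighteenth <= on

def minimise(player_id, dob, country_code, verified_on, retention_days=365):
    """Turn the verification inputs into the minimal record to store.
    The caller should discard `dob` and the address once this returns."""
    return MinimisedPlayerRecord(
        player_id=player_id,
        over_18=is_over_18(dob, verified_on),
        uk_resident=country_code.upper() in UK_COUNTRY_CODES,
        verified_on=verified_on,
        retain_until=verified_on + timedelta(days=retention_days),
    )

def purge_expired(records, today):
    """Drop records whose retention deadline has been reached."""
    return [r for r in records if r.retain_until > today]

if __name__ == "__main__":
    # Constructed sample: verified on 1 Nov 2022, born 1 Nov 2004, UK.
    rec = minimise("player-001", date(2004, 11, 1), "gb", date(2022, 11, 1))
    print(rec)
    print(purge_expired([rec], date(2023, 11, 1)))  # deadline reached
```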
Philip Young is chief technical officer and co-founder of Arissian, creator of digital identification app Luciditi. Luciditi is a real-time digital identification platform that is used by gambling operators such as Premier Picks to identify customers and store their data. Young has 25 years’ experience in software engineering and he previously co-founded UK software business Docman, which at one point held clinical records for two-thirds of the nation’s population.