Business is booming for the online gaming industry, to the tune of billions of dollars worldwide each year.
However, it has a distinction among online businesses: its income stream is not predictable. An online retailer may be able to project future sales growth, but not so with the gaming industry. Consequently, cyber criminals see opportunity here to commit fraud without detection.
The ubiquity of the Internet and the mass adoption of mobile devices have been key drivers of the phenomenal growth of the online gaming industry. Unfortunately, while the Internet makes it easier and more convenient to place bets, it also provides the means for more organized cybercriminals to defraud these sites and their good players. But as the industry booms, the threat of criminal activity looms.
The gaming industry is quite clear about this threat and has developed incredibly sophisticated data analysis tools that can determine with high accuracy if, for example, a six-player poker hand is being gamed by one person with multiple accounts. But that just looks at one point in the player’s history and is not always sufficient in the fight against fraudsters, who are also constantly evolving their own tools. By using methods to circumvent traditional detection like IP address, geolocation, third-party credit verifications, even using data analysis of other players, it means that despite the gaming industry’s best efforts, fraudulent deposits, cheating and collusion, chargebacks and money laundering persist.
So then, observing a game at one point in time is a useful tool for gaming sites, but it cannot be the only tool. Instead, there is another security layer that should be added, one that observes the players before the game starts and even across the lifetime of the player. Building complex models of behavior is the secret weapon about to sweep online security – a real game changer that will show the difference between a flesh-and-blood player and sock puppet accounts and scam artists.
There’s a reason that there are two different words for “person” and “robot.” While a robot does the same thing over and over based on its program, a person is an individual with unique behaviors and habits that identify them. This is why behavior-based security is so effective. Behavior-based security looks at hundreds of signals that allow us to confidently know when we are seeing the genuine player, signals such as how they hold their device, how they type or whether they use a mouse or a track pad when playing. It is these non-identifying but wholly unique behaviors that create a player profile that can’t be spoofed.
Fraud takes on several forms in online gaming. Often, fraudsters use stolen credit cards to set up or fund betting. In some cases, these stolen cards are used by a single player running several accounts in the same game so they can purposefully lose on the stolen card and funnel the winnings into their personal account, which can be cashed out later.
Another scam doesn’t need stolen credit cards. In this scenario, a single user running multiple accounts does not necessarily have to use stolen credit cards to perpetuate the scam. A typical scenario looks like this: a six-player room contains only two players, one who is unaware of the scam and another running the other five players, essentially guaranteeing that the scammer will win.
The use of multiple accounts is not limited to intentionally scamming other players by rigging the odds. Many gambling sites offer an incentive for new players, matching an initial startup deposit or giving the players cash bonuses for completing a set number of games.
Each of these scams hinges on the ability to create multiple fraudulent accounts. Account creation is the first point of contact for legitimate users and would-be scammers. While robust data analysis can catch some of the scammers when the games are happening, wouldn’t it be better to catch fake accounts before they can even start a game?
Online gaming fraud produces multiple victims. The gaming site suffers financial loss, of course, but so does the legitimate player who is just there to play a hand of cards and doesn’t know they have been hit with the bad luck of being in the same virtual room as a scammer. And once they find themselves defrauded, customer retention becomes a huge issue. If a site becomes known for fraud, there is little a company can do besides invest in a costly rebranding and build anew.
Online gaming sites, understandably, set forth a rigorous account set-up process. A first round of registration needs to confirm things like the user’s birthday, and checks are typically run against personally identifying information. But with the prevalence of data breaches flooding the market with exactly these kinds of credentials, such types of checks are of limited use. If personally identifiable information can be faked or stolen, what is left? Behavior.
As mentioned above, individuals have characteristic ways of behaving that identify them. In this case, the behavior of a legitimate user signing up for and using a service will be different from someone creating multiple accounts to perpetrate fraud. How the user goes on to use the site after account creation, outside of even game play, continues to build profiles very distinct from each other.
Gaming sites need to be able to tell which account has a human being on the other end and which is one of an array of puppets. But behavior-based fraud detection goes deeper than this to also tell you if an account has been stolen from its owner or if a customer with past gaming difficulties is making a new account. Behavior can even be leveraged into predicting a budding gaming addiction by comparing the behavior of past addicts against current users and taking the necessary steps to stop chargeback complaints, also known as first-party fraud, from players who have gone overboard.
As the online gaming industry embraces behavior-based fraud detection, it will realize significant benefits. It will be able to identify and block fake accounts at the point of creation, before fraud can occur. Understanding the nature of the person creating an account will reduce chargebacks. The review process will stay behind the scenes, allowing legitimate players to enjoy gaming without interruption. Behavior-based security methods create greater trust, which benefits both the player and the business.
Ryan Wilk is the vice president of customer success for NuData Security.