Tuesday, 28 November 2023

I.M. Roundtable | Payments Fraud

By Emily D. Swoboda
28 November 2008
Emily Says:
    I'd like to welcome you to the very first IGamingNews online roundtable discussion. Today we are discussing fraud in online gaming, the costs of an attack and how to protect against it. Our experts on the subject are Lennart Ehlinger, group security controller of Unibet, and Keegan Johnson, president and co-founder of Ethoca Ltd., a data sharing and fraud management firm. Welcome gentlemen. Thank you for joining us today. Let's jump right in.

Emily says:

    To start, what sectors of the online gaming industry are most vulnerable to payments fraud and what can be done about it?

Lennart says:

    There is no secret that player-to-player products like poker create most problems for the companies.

Keegan says:

    Fraudsters are looking to make money -- therefore, they attack the places they feel they can make money the easiest. This means poker -- p-to-p products are the biggest target. This is followed by casino/sports betting and then bingo as it can be hard for fraudsters to make money on bingo.

Keegan says:

    Poker and other p-to-p products are also targets because they can be used for money laundering.

Lennart says:

    There is no Holy Grail, internal end external control systems, close cooperation with both games and payments providers. We very often talk about what technical tools we need; we forget the right employees can make a big difference.

Emily says:

    Interesting. So how can you ensure you are hiring the right people? We've seen recent examples of the "wrong employees" carrying out the fraud attacks.

Lennart says:

    I had to trust my human resources department. But if you have people in the fraud department that are dedicated, and if, everyday, they want to come in and be challenged, it is a good start.

Keegan says:

    Managing internal fraud typically starts with a review of your policy -- who has access to sensitive information -- and a record of which transactions are being accepted and rejected by which agent.

Emily says:

    Tough job!

Keegan says:

    For external fraud, my biggest piece of advice would be to, one, learn from your past experiences and, two, work with others/peers to learn from their experiences.

Lennart says:

    It is true, with control systems you put yourself in the risk zone.

Lennart says:

    There has been a change in the industry over the last years; fraud detection is no more "keep-for-yourself."

Keegan says:

    Great point. The industry is maturing. A few years ago everyone saw fraud as an area to compete with other merchants. Now everyone wants to cooperate and work against the fraudsters. This way everyone wins -- except the fraudsters.

Emily says:

    O.K. Do either of you have anything else to add before we move on to the next question?

Lennart says:

    No, please go ahead.

Keegan says:

    Let's proceed.

Emily says:

    Along the same lines, are there any regions that are particularly vulnerable?

Lennart says:

    I think this is down to where the individual companies have their main markets. Unibet have fewer problems in Northern than Southern Europe in percentage, for example, but it's difficult to point fingers at certain countries.

Keegan says:

    Outside of specific regions international fraud can be a problem. By this I mean that a United Kingdom merchant can have problems with fraud coming from outside the United Kingdom, but similarly a non-United Kingdom merchant can have problems with fraud coming from the United Kingdom. International fraud can result from the local merchant not being familiar with different jurisdictions, or having experience abroad.

Lennart says:

    And as the Internet is border-crossing tool, so are the fraudsters. For example, Russian hackers can steal German credit card details and sell them to fraudsters in the United Kingdom.

Emily says:

    Should we move on?

Keegan says:

    O.K.

Lennart says:

    O.K.

Emily says:

    Online attackers are ever evolving in their methods of menace. What are some of the newest forms of fraud, payments and otherwise, hitting online gambling sites?

Keegan says:

    Professional fraudsters are getting more sophisticated (as Lennart said, Russian hackers can steal German credit card details and sell to United Kingdom fraudsters). These professionals also have the patience to create "sleeper accounts" that appear to be good, but then commit fraud and transfer (typically in poker) funds to the good sleeper accounts.

Lennart says:

    As the companies get more technically skilled so too do the fraudsters. What was done 10 years ago with tip-ex on a fax is today created very good copies of both identity cards and utility bills.

Keegan says:

    This can mean the fraudsters can get away with larger amounts in a smaller period of time. A single account may seem good, but it is a part of a co-coordinated attack.

Keegan says:

    Lennart makes a good point. Identity theft in general is a concern. Fraudsters can have all of (or more) information than the actual customer.

Keegan says:

    It makes it very difficult for a merchant to distinguish between good customers and fraudsters.

Lennart says:

    I think we soon can come to a point when a customer registration is too good -- it is a concern.

Emily says:

    On average, how much money is lost per year to online attacks?

Keegan says:

    Difficult to put a specific number on this. Merchants can be losing up to 1 percent to direct fraud (i.e., chargebacks), but this can just be the tip of the iceberg. Once you factor in the cost of performing manual reviews, fraud checks, or both, and the cost of insulting or turning away good customers, the cost can be very high.

Lennart says:

    I cannot discuss numbers but this something big companies take very seriously and put in a lot of efforts to minimize.

Emily says:

    I understand.

Lennart says:

    I agree with Keegan. It is as important to find the good customers so more resources can be put toward bad and suspicious ones.

Emily says:

    Can someone walk me through an attack? A hypothetical one, of course.

Lennart says:

    It is very difficult to have typical case. You have everything from an almost industrial attack to a single pickpocket doing a one-off.

Keegan says:

    As Lennart mentioned, difficult to have specifics. We can give three high-level examples. One, the first-party fraud, where an individual simply lost money on the gaming site and then calls his bank and says it wasn't him.

Lennart says:

    A problem if you are in a network. Everything can look good on your side, then the fraudster has found a weak link in the other end of the network.

Keegan says:

    Two, the amateur fraudster -- this guy buys a credit card (or an identity) on the Internet for a few dollars, shows up at your site and registers with all of the information that appears good. He then walks away with the money he wins.

Keegan says:

    Three, the professional, who has all of the correct customer information, but also takes their time to understand the merchant's fraud management practices. This fraudster understands what the merchant is looking for (higher amounts, suspicious I.P. addresses) and can be working with others to setup multiple accounts. Everything will look O.K. and then you will get chargebacks from a large number all at once.

Emily says:

    Mr. Ehlinger? Anything to add?

Lennart says:

    No, that was covered very well by Keegan.

Emily says:

    O.K. This question may have already been answered by both of you, but what are the best tools for protection?

Lennart says:

    Yes, for me there is no single product you get and then relax -- this is an ever-developing area, both from us and the bad guys.

Emily says:

    Right.

Emily says:

    So you will always be in business. Which is both sad and good.

Keegan says:

    Yes, no single tool. There are the usual things to check (e.g., I.P. geolocation), but the key process is to learn from your own history and the history of others.

Keegan says:

    When fraud has occurred, close the account, check for related accounts (i.e., link-analysis) and then check to see how you could have noticed this fraud occurring in the first place.

Keegan says:

    You can then take steps to make sure this type of fraud doesn't occur again. The other key area Lennart mentioned earlier is to work closely with others in your industry to understand and learn from their experiences. It is the same fraudsters who are stealing from everybody.

Emily says:

    Eventually they'll get clumsy?

Emily says:

    The fraudsters, that is.

Lennart says:

    Yes, in my experience they always make a mistake at some point.

Emily says:

    Or, do you pick up on a pattern?

Keegan says:

    You don't need to rely on the fraudsters being clumsy. You will be able to catch the clumsy fraudsters quickly. The better ones you can catch by looking at patterns that are different from good customers. In the end they are not good customers so they will be behaving differently. The more data you can look across, the more patterns you will be able to find.

Lennart says:

    Many times we have already blocked accounts before we are informed by the payment providers.

Emily says:

    O.K.

Emily says:

    Do either of you have anything else to add?

Keegan says:

    One of the newer approaches to fighting fraud that has been talked about is data sharing or collaboration. This provides a way for merchants to work together more closely -- not just by sharing best practices, but by actually having their systems spot patterns across the merchants data in real-time. The fraudsters have been working together and now the merchants are looking to turn the tables.

Lennart says:

    If I can have a wish list for the future it would be even faster alerts from payment providers, easier access to public registers to combat identity theft, etc., but I am aware there is financial, data protection and legal hurdles.

Keegan says:

    This is one of the areas where Ethoca has focused. We work on taking care of all of the difficult concerns (security, privacy, legal) so that merchants and payment providers can work closer together on sharing experiences.

Keegan says:

    Similar to Lennart, most merchants are very good at spotting and catching fraud, when they have the right information. Currently, merchants are limited by only being able to directly incorporate their own experiences. By working together, if a fraudster attacks one merchant the other merchants can know about this before the fraudsters moves on to the next merchant.

Emily says:

    Gentlemen, I think this is a good place to end.

Emily says:

    Again, thank you Mr. Ehlinger and Mr. Johnson for being here today and sharing your expertise with me.



Emily Swoboda is the senior staff writer at IGamingNews. She lives in St. Louis, Mo.