Q.& A. | Jim Noakes

12 January 2009
As an industry veteran and cybercrime fighter, Jim Noakes has seen a lot of action.

While the head of transactional services for Gala Coral humbly admits that there is no foolproof answer for putting an end to online fraud, Mr. Noakes continues, as he has for the last 10 years, to work for customer safety and company transparency.

As part of his quest to thwart fraudsters, Mr. Noakes also serves as the chairman of Gamshield, a cooperative of licensed and regulated online bookmakers working to ensure a safe and secure online gaming environment.

In an e-mail interview, Mr. Noakes shared with IGamingNews facts and figures about online gaming fraud and ways the I-gaming industry can best protect itself from cybercrime attacks.

How much is lost to fraud in the I-gaming industry on a yearly basis?

    Figures from the U.K. payments association, or APACS, for card fraud registered in the U.K. (in the 12 months to June 2008) imply just over £21 million was reported for gambling services, compared to an industry total of over £315 million for card-not-present transactions in the same period -- so around 6 percent of the total.

    There will undoubtedly be an element of misallocation as cards reported as lost or stolen, or ID theft, are not directly allocated against the gambling sector, and no stats are collected for the myriad wallet services and online banking fraud specific to gambling. But since the controls and checks surrounding these are more robust it's not likely to inflate the figure by more than between 10 percent and 15 percent. So, around £25 million seems a reasonable estimate for U.K.-based companies.

    Doesn't exactly smack of an industry rife with fraud when this is taken as a percentage of the hundreds of millions moved by remote gambling companies every year!

How can the Internet gambling industry be best regulated to fight against fraud attacks?

    An "open constructive dialogue" with regulators to share risks and their probability of occurrence seems, to me, by far the most fruitful approach. It is possible to put in place controls to achieve zero fraud. The trouble is that the barriers this places in front of customers are likely to be so restrictive that the result will be zero business as well! A lose-lose scenario.

    Regulators are rightly concerned with the "art of the possible" when it comes to fraud and risk, but what is really required is definition of the "art of the probable." I believe the regulators should ensure that commensurate controls are put in place to address the most damaging issues, rather than try to enforce controls which are prohibitively expensive for the risks they aim to address and present unnecessary barriers to good business.

How does fraud prevention in online gaming compare to fraud prevention in other types of e-commerce? Can the two industries overlap or work together, or both?

    Online gambling is different from most other types of e-commerce in that we don't have a physical product to deliver, so it takes away from us one of the key security checks that most e-commerce merchants have -- to prove the physical location of a customer at time of product delivery. So the gaming industry has to rely on other techniques based mainly on tracking source and destination of funds and correlation of information provided by customers to perform satisfactory verification.

    There is a view that sharing of information used in the perpetration of fraud can assist in prevention, but it seems to me that with increasing identity theft, the ability for fraudsters to simply use a complete, new set of data for each fraud attempt degrades the usefulness of this sort of system. But I do see growing opportunity to use customer data that has been used online for shopping, for example, (including e-mail and mobile numbers) gets used to crosscheck that the same data set is used for online gaming accounts.

What are some of the more clever ways you've seen fraudsters carry out an attack?

    Fraudsters are always coming up with new tricks in order to try to circumvent controls; one of the downsides of being in such an innovative industry is that there are always new vulnerabilities to exploit too! I wouldn't like to be too specific for fear of giving other ideas, although when we do see a new fraud approach it's obviously top of our list to put in place new controls to stop it from happening again. I'm more worried about the fact that there are still too many unsavvy people using online services that still fall for well-known tricks such as phishing (replying to an e-mail asking them to verify their security details for example) or where they have a username and password that is linked to their screen name and easily guessable, making them a ripe target for account takeover. No one wants to scare users, as the incidents are very few and far between, but we all ought to do more to educate users on ways to protect themselves from falling victim to such scams.

What is the most important thing a company can do to protect itself? Or is there one single thing?

    No silver-bullet solutions, as you might expect. Card fraud remains the biggest area of risk, and I'm still surprised by those in the gaming industry that haven't adopted Verified by Visa or MasterCard SecureCode. Liability shift and significantly cheaper merchant fees made it a no brainer for me, and the perception that customers wouldn't want to put in the extra password never figures on our research as a dissatisfier. Yes, it has its flaws. But until the card issuers get to stand the full pain of "it wasn't me" after the bet lost, then they are only going to pay lip service about improving card security, generally, and being collaborative about customer age and ID verification issues.

How long have you been in the I-gaming industry and what drew you to it?

    This year will mark my 10th year in the industry, starting with Coral Eurobet in 1999 which is now Gala Coral Remote Gaming Division. It's been an exciting time! Main attraction was the way the industry is an early adopter of technology and often pioneers -- witness to things like the emergence of e-wallet solutions such as Neteller and Moneybookers that built huge businesses on the back of meeting a need for e-gaming merchants. And despite growing regulation and the current economic climate (but in part also because of it) the industry remains innovative with a desire to provide interesting products for our customers and meet regulatory aims to keep crime out and protect the vulnerable. So there is always something new in the inbox!

What would you be doing if the Internet had never been invented?

    Running a Starbucks franchise, but I'd probably drink the profits.

What's the best part of working in the I-gaming industry? The worst?

    The best part is the people, both in our company and the counterparts I meet from the many "competitors" out there. I think it's generally recognized, by the fraud/security and payments managers at least, that fraud control is not a competitive issue, it's an industry one. So there is an openness about working together on security issues that doesn't generally happen in the financial services industry as a whole.

    The worst part at the moment seems to be the growing trend towards zero tolerance regulation, and an expectation that we should have controls in place for every possible scenario irrespective of value or impact. Open dialogue is addressing this as mentioned above. It's quite an education process but proving fruitful in many areas as both sides understand the others' concerns and risks.


Conference Spotlight: Combating Cybercrime in Betting & Gaming

Jim Noakes will serve as chair of the CCGB conference January 27 at Earls Court in London.

Click here for more information on this event.




Emily Swoboda is the senior staff writer at IGamingNews. She lives in St. Louis, Mo.