Online Casino Abuse – Ozric Vondervelden, Greco

[00:00:00] Ozric Vondervelden: So I actually dabbled a little bit when I was younger. Seeing if I could scale the process of receiving free samples. And I'll be selling them on eBay. And then looking to streamline that by having the samples sent direct to the person I was selling them to, and then I'd scale with bots.

[00:00:16] Andy Still: Hello, good day, and welcome. Here we are again, back with the latest installment of the Cybersecurity Sessions, our regular podcast talking about all things cybersecurity with myself, Andy Still, the CTO and co-founder of Netacea, the world's first fully agentless bot management product. Today, we're going to be talking about gambling. Now gambling has never had the best reputation as an area could be completely free of corruption. I guess people in general prefer to gamble when they know that they can't lose. But I was only reading earlier on today about one of the earliest uses of sports statistics, being the use of the new science of baseball statistics to identify the fixing of the 1919 World Series, illustrating that the tradition of exposing and capturing corruption using science is a long and indeed very honorable one. So it's no surprise that online gambling suffers the same challenges. And we're lucky to be joined today by Ozric Voldervelden from Lovelace Consultancy, who spends his time helping gambling companies protect themselves from online exploits. Welcome Ozric. Thank you very much for joining us today. Could you quickly introduce yourself for our listeners?

[00:01:21] Ozric Vondervelden: Sure. I'm a founder of Lovelace Consultancy and, or the new co-director of Greco. We've spent many years specializing in protecting operators and the online gambling industry from an array of techniques that essentially lead to unintended loss. So this ranges for a whole diverse mix of areas within any given operation. So we focused on multi-accounting, duplicate accounting, process abuse in relation to AML, four doors and verification, content bugs, content and bonus logic into operability issues, integration issues, advantage play, clues, you and affiliate for. Bonus logic, bugs and flaws. And as I say more recently, we started development on the world's first commercially available gameplay risk engine, which is Greco.

[00:02:08] Andy Still: Thank you very much, Ozric. I think what we've got from that brief introduction is the fact that the amount of different challenges faced by online gambling companies is it's an ever expanding list. And all of which you're actively working to try and help companies prevent. We can't talk about all of them today, but I think there was one in particular that you have recently started seeing an increasing source of compromise. And you've given that the rather nice name of an Ed, Edd and Eddy problem. Can you just tell us a little bit more about that?

[00:02:45] Ozric Vondervelden: Yes. So the wider topic is duplicate accounting. So the Ed, Edd and Eddy technique is one particular process of achieving that, which we named after Ed, who's co-director of Lovelace. He likes his beer and he's been known to extend his free trial periods. And so we gave it the name of the Ed, Edd and Eddy technique. So just to explain what duplicate accounting is. And so in simple terms, it's the process of creating more than one account using a single identity. And there's several reasons why someone might attempt this form of abuse and it ranges from quite innocent to extremely fraudulent. There's the case of subscriptions and, prolonging subscription periods or the incentive periods. They can also remove limits on product purchase limits. So things such as limited supply trainers, for example, or events. Or regaining access to sites that you've been banned from, which is obviously a big issue in the gambling industry. Or repeatedly taking advantage of affiliate links or free samples, or as I mentioned, promotions. The other one, they have a big issue that we're seeing is CPA fraud as well. So if you can create multiple accounts you can essentially, as an affiliate, incentivize for each account you create.

[00:03:59] Andy Still: It sounds like there's relatively simple ways that you could stop the obvious ways of doing this. I'm thinking, obviously address checking and validation. What are some of the techniques that people are using to do this? And is this kind of automated or is this manual processes that people are going through?

[00:04:16] Ozric Vondervelden: So I'll go through some of the techniques. It's a mix of manual and automated, to be honest. And so there's the Ed, Edd and Eddy technique that we've talked about which is a simple case of changing your details every time you register, subtle changes to your registration details in order to scale. So Ed, Edd and Eddy, for example, would be a change of name that may be seen as different and they're duplicate accounts. Then there's more sophisticated techniques. So there's manual manipulation, which is the process of changing your details within an account. Essentially, if a system is only looking at the most recent details for a player, this can essentially allow the player to create multiple accounts with the same data by simply changing the data after they've exhausted whatever reason they created the accounts. In the case of the bonus industry quite often someone will create an account, exploit the welcome offer, change the details and then create another. And then there's social engineering or kind of manual override as we call it. So this is the process of creating an account with your true details and then creating a second account that intentionally fails verification. So this could be a case of changing the format of the data. So it could be like American style date of birth and such, that you do intentionally to fail verification that then requires you to upload documents. And what can happen is that the operative checking this information can see, oh, there's just a simple mistake here. I'll correct that information and verify the account. And what this has done is bypass the automated process. And then there's another area as well, which kind of plays into operator's overreaction of GDPR, the kind of right to be forgotten. So another technique is just to ask for all of your data to be removed and then create a new account. And while this isn't a regulatory requirement, at least in the gambling industry that there is and allowance for storing data. That's a kind of a security risk. A lot of operators overreact or misinterpret the legislation, which can lead to this kind of exploit.

[00:06:16] Andy Still: It is clearly outside the scope of GDPR, it's a legitimate retention, use of data, to track for these sorts of things, isn't it. I know you raised this as something that's becoming more common. Is this increasing usage? Is this being driven by the security processes that these companies are putting in place to try and prevent fake creation and things like that? And basic kind of validation processes that they've got?

[00:06:41] Ozric Vondervelden: So it's always been there. I wouldn't say it's necessarily increasing, but it's a game of cat and mouse in that regard. So when I was younger, growing up with the internet while it was still figuring itself out, verification processes were still very rudimentary if existing at all. Most significant sites you could create duplicate accounts on. Maybe 17 years ago I was starting to play around with these different processes to see how the wall systems could be exploited. So I actually dabbled a little bit when I was younger, seeing if I could scale the process of receiving free samples, and I'll be selling them on eBay. And then looking to streamline that by having the samples sent direct to the person I was selling them to, and then I'd scale with bots. It was very rudimentary stuff. It wasn't any kind of randomisation on the form submissions. There was a clear pattern in the kind of changes of the data that was being entered. And it was probably very obvious to the naked eye, like doing thousands of form submissions for a single kind of free sample. I think the problem actually was a process issue. That meant that they were likely subcontracting a sampling company. It was probably being incentivized per unit. And so it was overlooked. this is an example of a kind of poor process and the processes have got better now. But so have the abuse tactics. As I say, the sort of, apart from the Ed, Edd and Eddy technique, they all a little more advanced. And it's really down to each company so that there's pockets of knowledge all over the place. It wouldn't be fair to generalize, but there are still many sites out there that are very vulnerable in this regard. So it's a need for process improvement just generally.

[00:08:40] Andy Still: I think it's interesting just to pick up on the fact that the companies may not be incentivized to do this. If they're subcontracting about that. How much are these process changes you think are not being made because either the company themselves or subcontracted areas of company, making money out of this?

[00:09:03] Ozric Vondervelden: I don't think that's necessarily, at least not in the industry I'm working in, the issue anymore. There's just other kind of misalignments. So there's a whole world of complications to the solutions that can be imposed to solve these problems. One of them being, people do lose access to their email addresses and want to register again. People do change address, people do change their name. People's details change, and just working off someone's date of birth, it's gonna have a lot of false positives. So the challenge is in creating a fuzzy matching logic that's effective. And that you don't have rules that are too relaxed, or if you do at least you have backup processes.

[00:09:40] Andy Still: Going back. This has many years ago when I first graduated, I did a data entry job, and one of the responsibilities was to check for duplicates. And we did actually end up with a situation where there were two people who were actually twins. So they have the same dates of birth, the same address, the same second name, and one letter different in their first name. And they continually were being brought up as a data entry error because they were seen as too similar, but it was legitimate. And I guess one of the key challenges with the Ed, Edd and Eddy problem is that for every way you try and clamp down on that, there will be a legitimate person trying to actually use the service properly. What kind of advice do you have to companies who are trying to address this issue?

[00:10:24] Ozric Vondervelden: There are some basic solutions. There's a lot of basic problems still out there that could be quite easily fixed. So I'll kind of go through them. So in the case of the Ed, Edd and Eddy technique in the gambling industry, the gambling industry does have restricted content. And so they, legally, at least in most regulated markets, require some form of background verification. The way this works is, it's a slight play on the Ed, Edd and Eddy technique in that the person's looking to make the name different enough to bypass the duplicate accounts system detection system, and similar enough to fall within the margins of deviation of the verification system. And so that's very easy to solve. Either the rules need to be aligned. You've got two mirrored processes. Or you need to put a limit on how many people are verified as a single identity for your verification process. And then there's the kind of social engineering aspect where I talked about somebody going with mistakes in their details and trying to get a manual override. That could be solved with somebody just doing a manual duplicate check before approving any account. In the case of GDPR, it's just a case of having a better understanding of what your rights are in that regard. So there's a lot of easy, quick wins out there. Obviously there's a lot of nuances and complications along the way, depending on your processes for how people change address or people, like you say, the twins. Even that, there's nuances that need to be sort of given acceptance.

[00:11:53] Andy Still: Yeah. It's about balancing the risk of stopping legitimate activity versus the risk of stopping illegitimate activity. I think this is a real challenging area because the sophistication that we're seeing in the kind of attackers out there and the tooling available, even the growth of legitimate single use credit card numbers being generated for specific uses, which mask a single card, is already reducing the kind of strength of using credit cards as a single source validation. As we're starting to see some of the tools to allow people to hide their identity behind other areas, egitimate or at least semi legitimate purposes in some case, I think that just throws another challenge onto those companies, which I guess keeps you on your toes.

[00:12:43] Ozric Vondervelden: Ah, absolutely. As the industry becomes more sophisticated. So to the opposition like you said, this is one part of a wider process. Payments are having a nightmare with virtual cards and disposable card numbers at the moment. Because again, now the payment process can be scaled as well. So you can create multiple accounts without the need of recruiting or stealing different identities. You can scale the payments with a single bank card. There's widespread understanding now of browser IP and device fingerprinting as well. So the sophistication level that has grown also, so it's a constant battle trying to stay one step ahead, essentially.

[00:13:22] Andy Still: So I think work getting towards the end of time now. If you had one last piece of advice you wanted to give to companies with this issue, what would it be?

[00:13:33] Ozric Vondervelden: I think there's a lot of pride in the industry and everybody thinks they have competitive edge which limits data sharing. And I think it's important that operators come together either through us or directly to understand what's happening to other operators and collaborate on coming towards the solution.

[00:13:51] Andy Still: That's great advice. And thank you very much for your time today. And hopefully we can get you back at some point in the future to talk more about Greco, which sounds a very interesting project and potentially game-changing projects for yourselves and the industry. So thank you very much and thank you everyone for tuning in today.

As usual, like and subscribe. We'd love to hear your feedback. We have a Twitter account @CyberSecPod pod or you can email podcast@netacea.com. Thank you very much. And we will see you again in the next episode.