With the growing threat of cyber crime, how can i-Gaming companies protect themselves and their customers? Prevention and technology tools are key, writes David Schollenberger of Healys LLP.
Cyber crime is currently one of the biggest concerns of i-gaming operators, regulators and customers alike. As the business of online gaming has grown, internet fraud, theft and attacks have followed.
What is cyber crime?
How does it most frequently occur in i-Gaming?
What are the challenges to operators and how can they best be addressed?
What legislation currently covers cyber crime and is it adequate and being effectively enforced?
This article will review these issues.
What is cyber crime?
Cyber crime is a broad term covering any criminal act involving the use of the internet. Cyber crimes generally fall into two categories. The ﬁrst category is new offences using technological means such as hacking computer systems to steal or alter data or crash or infect a computer system.
This includes distributed denial of service (“DDOS”) attacks, this means an intentional attack on a computer system, website or a speciﬁc computer, to try to disrupt or crash the system and make it not usable by users. This might be done as a form of blackmail or to maliciously damage a company.
The second category is old offences using new technology such as identity fraud following theft of personal data. Identity fraud means the use of an individual’s personal information obtained by theft in order to obtain value by deception.
How does fraud and cyber crime most frequently occur?
Cyber crime in i-Gaming is actually more often targeted at users of i-Gaming services than directly at operators. Individuals may be targeted to obtain their user names and passwords to enable fraudsters to access and control online gaming accounts. This information can be obtained by the use of a technique known as ‘phishing’ whereby an individual is tricked into revealing personal information through fake email and websites.
Another means of obtaining data is by the use of ‘malware’ which upon inﬁltrating a computer system, can extract and send data on to the fraudster.
Another means of data theft is through data found on stolen laptops and memory sticks.
Less commonly, operators or gaming supplier businesses can be hacked and large amounts of data can be stolen in bulk from them if they are holding customer information centrally. This can then be fraudulently used or sold on to other criminal organisations.
What are the main challenges in addressing cyber crime?
There are a number of challenges to addressing cyber crime. With the phenomenal growth and use of the internet in daily life for personal and commercial transactions, the amount of data available for theft and fraudulent use is ever increasing. Technological advances have helped to protect computer systems against attack, but cyber criminals are technologically often one step ahead.
Cyber crimes are much easier and less risky for criminals to commit than burglary or physical theft, they are more difﬁcult to detect and enforce, and typically carry lighter sentences than physical theft. Police departments in many cities typically do not have the expertise or adequate resources to address the scale and sophistication of cyber crime. Although some large police departments, such as the Met in London, do have specialised units, and have expanded greatly over the past several years, they are still typically not of a size capable of addressing the full extent of cyber crime.
Cyber crimes are often committed remotely in different cities, regions or countries. The perpetrator may be difﬁcult to locate unless information is received or they are detected and caught committing the act. Otherwise pursuing these crimes requires cooperation and resources between many police forces in many countries. Not all countries have adequate laws to prosecute cyber crime and countries vary in their degree of cooperation and effectiveness in enforcement.
Fraudsters are often sophisticated in concealing their identity and location, and are therefore difﬁcult to track down and arrest. Further, when one means of hacking or fraud is addressed, another means is developed in its place.
What are the risks to operators?
A breach of the cyber security of an igaming operator can have a number of very negative impacts on a company. These include loss of customer conﬁdence in the company
and loss of business from customers who may prefer to engage with operators that have more robust security. It can also lead to large ﬁnes by the relevant data protection regulator (Information Commissioner’s Ofﬁce in the UK). Under the new EU data protection regulation, those whose personal information was breached will have the right to sue the company directly for compensation. Inadequate cyber security may also be grounds for a gaming regulator to review an online operating licence
What is the current applicable legislation in the UK?
The Computer Misuse Act 1990 is the first piece of UK legislation to address computer misuse. It sets out three computer misuse offences:
- unauthorised access to computer material;
- unauthorised access to commit or facilitate commission of further offences;
- unauthorised modiﬁcation of computer
The original maximum prison sentences for each offence were (1) six months, (2) ﬁve years and (3) ﬁve years. The penalty for (1) was increased to two years with an amendment in the Police and Justice Act 2006.
The Serious Crime Act 2015 further amended the Computer Misuse Act. A new offence was created for unauthorised acts causing or creating risk of serious damage in relation to a computer. The serious damage must be of a material kind and includes damage to human welfare, the economy of a country and the national security of a country. A person guilty of an offence is liable to a prison sentence up to 14 years (and life imprisonment in some circumstances), a ﬁne, or both.
The European Convention on Cyber crime (Convention) was adopted in 2001, was ratiﬁed in the UK and entered into force in 201 . It provides a common international framework for dealing with cyber crime including illegal access, illegal interception of data, data interference, system interference, misuse of devices, computer related forgery and computer related fraud. Most EU member states and the US have ratiﬁed the Convention. Notable absences are Russia and China.
Are legislation and enforcement effective and robust enough?
UK regulation has been substantially strengthened with the Serious Crime Act amendments to the Computer Misuse Act. The Convention sets out a good framework, but unfortunately not all countries are party to it, including Russia and China, where much of the misuse takes place.
In the UK, the National Cyber Crime Unit leads the UK’s response to cyber crime. It works closely with regional organised crime units and with the London Metropolitan Police cyber crime unit. With respect to enforcement, the difﬁculty is as stated before the remoteness and difﬁculty of identifying, arresting and prosecuting cyber criminals. This is further complicated by the lack of adequate policing resources for the scale of the problem.
Is the focus shifting from enforcement to prevention?
Prevention is clearly a much better approach than enforcement, it is almost universally agreed by regulators, law enforcement, operators and lawmakers. There are increasingly sophisticated technological tools commercially available to operators to reduce the risk. Cyber security audits, a dedicated team and continuing training of both operators and their customers on fraud avoidance are also critical.
The threat of cyber crime is real and can have a very negative impact on an operator’s business. It will not be going away and needs to be urgently and continuously addressed. Operators are urged to have an effective plan and put the resources into their organisations to address it.