This webinar summary covered the following key points:
1) Iovation processes over 500 million gambling transactions annually and stops over 9 million fraudulent transactions, serving 8 of the top 10 global gambling providers.
2) Trends shaping the industry include focusing on enhancing the mobile and player experience, navigating increasing regulatory uncertainty, and leveraging fraud prevention to strengthen authentication.
3) Payment Service Directive 2 (PSD2) compliance requires balancing security and compliance while minimizing player friction through risk-based authentication and fraud insights.
3. iovation in gambling
• 8 of the top 10 worldwide gambling platform providers use iovation
• 100+ active gambling operators and platform providers
• 781,000 confirmed reports of fraud and abuse placed in 2018
• 518 million gambling transactions processed in 2018
• 9.2 million fraudulent transactions stopped in 2018
4. 3 TRENDS SHAPING THE MARKET
Player Experience
• Mobile strategy
• Shifting player preferences
• Penetrating new markets
Regulatory Uncertainty
• Player self exclusion
• Money laundering and fraud rings
• PSD2 compliance
• Privacy regulations
Convergence of Fraud & Authentication
• Attracting new players, not fraud
• Fraud trends in 2018
• Emerging threats
• Leveraging technology and collaboration to stop threats
6. WIN THE DAY WITH MOBILE EXCELLENCE
Attract new players with a mobile first approach
[Chart: % of Mobile Transactions v. Total Gambling Transactions, 2012 to 2018. Data labels in year order: 6%, 10%, 22%, 40%, 55%, 62%, 70%]
7. BUILD TRUST AS A MARKET DIFFERENTIATOR
Omnichannel authentication and authorization experience
[Diagram: authentication in native application, across channels: mobile app, kiosk, loyalty program, web, call center]
Companies with a strong omnichannel strategy saw an average customer retention rate of 89%
8. FOCUS ON THE PLAYER EXPERIENCE, OR STAY HOME
• Automate to dominate
• Unique regulatory requirements
• Opening of new markets
[Chart: 2017 U.S. Sports Betting Market, legal v. illegal. Values shown: $2.5 to $3B and $270M]
10. ATTRACT NEW PLAYERS, NOT FRAUD
Bonus abuse, a continuing threat to new business
[Chart: 2015 to 2018, y-axis 0K to 250K. Label shown: 6%]
11. FRAUD INSIGHTS FROM THE IO DATABASE
Cheating reports growth in iGaming
[Chart: Cheating Reports, 2013 to 2018, y-axis 0K to 140K]
12. FRAUD INSIGHTS FROM THE IO DATABASE
Credit card fraud growth in iGaming
[Chart: Credit Card Fraud - 5 Year Trend, 2014 to 2018, y-axis 0M to 600M]
13. IGAMING ACCOUNTS HAVE INCREASING VALUE
Three emerging threats
• Account Vending
• Distraction Attacks
• Account Takeover
14. IMPACTS OF ACCOUNT TAKEOVER
• Loss of brand reputation
• Regulatory non-compliance
• Damage to player relationships
• Cost of lost revenue and chargebacks
15. ATO ATTACK METHODS
• Phishing Attacks
• Credential Stuffing
• Social Engineering
• Malware, Bots, Spyware
Data breaches were up 45% in 2017
17. PROTECT PLAYERS AND MEET REQUIREMENTS
Social responsibility and player self exclusion
• 965K accounts associated with player self-exclusion
• 795K devices associated with player self-exclusion
• 223K self-exclusion reports placed by operators
18. FIGHT ORGANIZED CRIME
Shut down money laundering and fraud rings
[Diagram: a user account on a mobile or web app, linked by association to user accounts #528, #921 and #150. Labels: FRAUD, Blocked user account]
• Is this a legitimate new account or a self-excluded player?
• Block new transactions if any of our clients have previously reported PSE
• Get notified if a global velocity of transactions is exceeded
• Identify fraud rings
19. FIGHT ORGANIZED CRIME
Shut down money laundering and fraud rings
[Diagram: a user account on a mobile or web app, linked by association to user accounts #528, #921 and #150. Labels: FRAUD, Blocked transaction (twice)]
The fraudster now knows that the device they are using is being blocked …so they switch to another one.
And through the power of associated fraud, transactions can now be blocked from this device too.
20. Payment Services Directive #2: Key Objectives
The PSD2’s stated aims are:
• Make cross-border payments as easy, efficient and secure as 'national' payments within a Member State
• Reduce the cost of transactions
• Make payments more secure
• Increase protection for the consumer
• Foster innovation and competition in payment services
• Create a level playing field for all players, including new ones
21. SCA Requirements
Article 4 of the PSD2 (Directive (EU) 2015/2366) defines “Strong Customer Authentication” as authentication based on the use of two or more elements categorized as:
• Knowledge: something only the user knows
• Possession: something only the user possesses
• Inherence: something the user is
Each is independent, so the breach of one does not compromise the reliability of the others.
Goes into full effect September of 2019.
22. PSD2 COMPLIANCE, MINIMIZE PLAYER FRICTION
Leverage fraud prevention to reduce SCA requirements of PSD2
Remote card-based payments:
Exemption Threshold Value    Reference Fraud Rate %
€500                         <0.01
€250                         0.01 - 0.06
€100                         0.06 - 0.13
€30 (default rate)           >0.13
23. SCA
• Satisfy Strong Customer Authentication (SCA) requirements
• Low friction, in-app MFA
Transaction Risk Insight Exemption
• Maximize fraud exemptions
• Reduce total number of transactions subject to SCA requirements
Fraud Detection and Prevention
• Transparent, frictionless
• Detect and stop: device spoofing, jailbroken devices, bots, high velocities, geo mismatch
24. [Diagram: Balancing Compliance | Customer Experience]
• Data Minimisation
• Decreased Friction
• Transparent Authentication
• Reduced Attack Surface
• High Identity Assurance
• Decentralized Credentials
• Strong Customer Authentication
• Privacy by Design
25. KEY TAKEAWAYS
PLAYER EXPERIENCE
• Mobile first strategy
• Shifting player preferences
• Penetrating new markets
CONVERGENCE OF FRAUD & AUTH
• Attract new players, not fraud
• Technology and collaboration
• Combatting emerging threats
REGULATORY UNCERTAINTY
• Player self exclusion
• Money laundering and fraud rings
• Balance compliance w/ player experience
Thank you all for taking the time to join us today. I’m really excited to be able to share some of the results of the 2019 Gambling report with all of you today.
A little background for those that may not be familiar with iovation. We’ve been working with gambling operators and platform providers for going on 15 years now, helping secure online operations and prevent fraud. In fact, iovation’s first customer success came from fighting fraud rings using stolen credit cards to launder funds on gambling sites.
Since helping to shut down those fraud rings, we’ve protected over 4 billion transactions for our gambling customers and stopped over 47 million fraudulent transactions.
Here’s a snapshot for Gambling in 2018. We aggregated that data, along with insight from our clients and customer success team, to pull out three market trends.
Operators are facing a myriad of new challenges and an increasingly competitive market, where player experience can make or break an operator.
With the convergence of offline and online identities, it’s important to fight fraud and protect players across the entire lifecycle without degrading the player experience. We’ll dig into what we saw in 2018 and emerging threats going into 2019, and look at some of the ways you can stay ahead of emerging threats.
We saw a dramatic increase in fines levied against operators in 2018, particularly in the U.K., where there was an increase of over tenfold in only a year. We’ll look at some areas of top concern and methods to combat them.
In the last 6 years, iovation has seen transactions processed via mobile devices grow at an average annual rate of 95% from only 6% in 2012 to 70% in 2018.
Customer experience is the new battleground, but customers have never been more fickle, which is why operators need to go to where their players are: on their smartphones.
A recent study found that businesses with the strongest omnichannel customer engagement strategies have an average customer retention rate of 89%, as compared to 33% for companies with weak omnichannel strategies. (source: v12 Data, https://www.v12data.com/blog/25-amazing-omnichannel-statistics-every-marketer-should-know/)
gambling in many new geographies, including the United States, The Netherlands, Singapore and India, presents an opportunity for market expansion but also comes with competition from new operators. Success in these markets depends on executing to meet regulatory requirements while still providing a differentiated customer experience.
automate management of such functions as age verification, Know Your Customer (KYC) and document verification. These processes have traditionally been cumbersome and create barriers to play. Automation can not only increase efficiencies, but it can also increase customer satisfaction.
Bonus abuse was again the number one reported fraud by our gambling clients in 2018. We saw a 68% increase from 2017 to 2018, and in the past 3 years we’ve seen a rise of 287%.
Many operators are augmenting KYC solutions with predictive analytics.
The growth in game abuses and cheating reports continued, but the growth has slowed from 55% in 2017 to 12% in 2018.
Chip Dumping: player caught dumping chips in tournaments
Player Collusion: players collaborating to commit fraud
All-In Abuse: a player repeatedly abuses the all-ins
Over the past 5 years, we’ve seen credit card reports increase 155%, an average annual growth of 39%.
Operators are met with the challenge of reducing credit card fraud without increasing false declines, reviews and unnecessary step-ups.
In 2018 many of our gambling clients saw an increase in the cultivation and selling of VIP accounts for the purposes of enabling money laundering. These accounts are typically subject to less scrutiny from operators and can be sold for a large profit on the dark web, putting your business at risk of non-compliance.
Another emerging trend is distraction attacks. Cybercriminals use bot attacks to create a distraction while they perpetrate other fraudulent activity, which often goes undetected because of the focus on the larger scale attack.
There are a number of tactics that can be used to combat such attacks. At login, device authentication can be used to confirm that an account is being accessed only by a previously authorized device. If an unauthorized device attempts to access an account, additional step-up authentication can be used to prevent access. Another approach is to add device intelligence and reputation checks at any high-risk touchpoints beyond login, looking for risk signals such as groups of related devices trying to access multiple accounts or high velocities. Lastly, another effective strategy is to focus on detecting and preventing the fraud caused by such attacks.
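The login checks described above (previously authorized device, step-up for an unrecognized one, velocity across accounts), as an added sketch that is not iovation's code. The class name, device IDs, window and threshold are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque

# Assumed policy values for this sketch, not figures from the webinar.
WINDOW_S = 600               # velocity look-back window per device, in seconds
MAX_ACCOUNTS_PER_DEVICE = 3  # distinct accounts one device may try in the window


class LoginRiskEngine:
    def __init__(self, authorized):
        # authorized: account -> device IDs previously bound to that account
        self.authorized = {acct: set(devs) for acct, devs in authorized.items()}
        self.recent = defaultdict(deque)  # device -> (timestamp, account) attempts

    def enroll(self, account, device):
        """Bind a device to an account after a successful step-up."""
        self.authorized.setdefault(account, set()).add(device)

    def evaluate(self, ts, account, device):
        """Return 'allow', 'step_up' or 'deny' for one login attempt."""
        attempts = self.recent[device]
        attempts.append((ts, account))
        while ts - attempts[0][0] > WINDOW_S:  # expire attempts outside the window
            attempts.popleft()
        if len({acct for _, acct in attempts}) > MAX_ACCOUNTS_PER_DEVICE:
            return "deny"      # one device cycling through many accounts
        if device not in self.authorized.get(account, set()):
            return "step_up"   # unrecognized device for this account
        return "allow"


# Constructed sample events: (seconds, account, device ID)
SAMPLE_EVENTS = [
    (0, "alice", "dev-A"),
    (30, "alice", "dev-X"),
    (60, "bob", "dev-X"),
    (90, "carol", "dev-X"),
    (120, "dave", "dev-X"),
    (900, "alice", "dev-X"),
]


def run_sample():
    engine = LoginRiskEngine({"alice": ["dev-A"], "bob": ["dev-B"]})
    decisions = [engine.evaluate(*event) for event in SAMPLE_EVENTS]
    engine.enroll("alice", "dev-X")  # alice passed step-up on dev-X at t=900
    decisions.append(engine.evaluate(930, "alice", "dev-X"))
    return decisions


if __name__ == "__main__":
    print(run_sample())
```

The velocity check runs before the device check, so a burst of attempts against many accounts is denied even if one of those accounts had the device enrolled.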
Lastly, account takeover or ATO. The massive data breaches over the last decade have provided a flood of stolen login credentials and personal data to the dark web. This is accelerating account takeover (ATO), synthetic and true identity fraud which will, in turn, drive other types of fraud. While ATO isn’t yet one of the top threats for Gambling, it is growing and can have major impacts both in terms of revenue and reputation.
At least 16 separate security breaches occurred at retailers from January 2017 until now. Many of them were caused by flaws in payment systems, either online or in stores. - https://www.businessinsider.com/data-breaches-2018-4
Data breaches were up 45% in 2017. With the flood of stolen credentials and personal data available on the dark web, fraudsters are using that data to perpetrate ATO through a variety of tactics.
Credential Stuffing - According to Verizon’s 2017 Data Breach Investigations report the number of data breaches involving stolen or weak passwords has gone from 50 percent to 66 percent to 81 percent during the past three years. This alarming trend clearly illustrates that today’s security isn’t working. Source: https://www.cso.com.au/mediareleases/29642/hacked-passwords-cause-81-of-data-breaches/
Social Engineering - Case study on ATO: https://drive.google.com/file/d/1G4C0IqUSTUsIm4oYLk0plsqPbMy7SB7P/view?ts=5b906058
Operators are under increased regulatory scrutiny.
Fines against gambling operators in the United Kingdom rose from £1.6 million to £18 million over the year from April 2017 to 2018 for money laundering violations and unfair practices.
The U.K. Gambling Commission issued another round of fines totaling £14 million on November 1, so this trend doesn’t look to be slowing.
In 2018 we saw the U.K. Gambling Commission impose numerous multi-million pound fines on operators for ‘fair gaming’ violations. Of particular concern is managing player self-exclusion (PSE).
When players self-exclude on a gambling site that uses iovation, that operator submits a self-exclusion report on that account. We have seen a marked increase in the number of reports from operators in the last 2 years, increasing 73% since 2016.
Managing and preventing self-excluded players from creating new accounts and attempting to use your service requires collaboration across the industry. During 2018, over 795,000 devices and nearly a million accounts associated with a self-exclusion report attempted to access one or more of the digital properties in our network of iGaming clients, more than four times the number of self-exclusion reports placed in 2018.
Even with national databases such as GamStop, being able to associate self-exclusion with multiple devices and accounts, across operators, is a key tool in managing this problem.
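Association of self-exclusion and fraud reports across devices, accounts and operators, as described above and on the "Fight organized crime" slides, shown as an added sketch that is not iovation's implementation. The union-find structure, operator names, account numbers and device IDs are assumptions built for illustration.

```python
class AssociationGraph:
    """Union-find over account and device nodes that were seen together."""

    def __init__(self):
        self.parent = {}
        self.reports = {}  # component root -> report kinds placed in it

    def _find(self, node):
        self.parent.setdefault(node, node)
        root = node
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[node] != root:  # path compression
            self.parent[node], node = root, self.parent[node]
        return root

    def _union(self, a, b):
        ra, rb = self._find(a), self._find(b)
        if ra != rb:
            self.parent[rb] = ra
            merged = self.reports.pop(rb, set()) | self.reports.get(ra, set())
            if merged:
                self.reports[ra] = merged

    def report(self, operator, account, kind):
        """An operator places a report ('fraud' or 'pse') on one of its accounts."""
        root = self._find(("account", operator, account))
        self.reports.setdefault(root, set()).add(kind)

    def check(self, operator, account, device):
        """Link the account and device used together, then return every report
        kind reachable through that association (empty set: nothing known)."""
        self._union(("account", operator, account), ("device", device))
        return set(self.reports.get(self._find(("device", device)), set()))


def run_sample():
    # Constructed scenario; account IDs are scoped per operator, device IDs are global.
    g = AssociationGraph()
    out = [g.check("op1", "528", "dev-1")]      # first sighting, nothing known
    g.report("op1", "528", "fraud")
    out.append(g.check("op1", "528", "dev-2"))  # same account, switched device
    out.append(g.check("op2", "921", "dev-2"))  # another operator, same device
    out.append(g.check("op2", "150", "dev-9"))  # unrelated account and device
    g.check("op1", "777", "dev-5")
    g.report("op1", "777", "pse")               # player self-excludes at op1
    out.append(g.check("op3", "888", "dev-5"))  # new account elsewhere, same device
    return out


if __name__ == "__main__":
    print(run_sample())
```

Transitive linking also joins legitimate users who share a device, so a returned report kind is a risk signal to feed into a policy decision rather than an automatic block.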
Secure Customer Authentication (SCA) through the use of Multifactor Authentication (MFA)
Every single user has to be protected from fraudulent activity by all means
Prevent unauthorized access to consumer accounts by adding strong multi-factor authentication at the login
Protect against risky behavior such as profile changes or password resets by requiring step up authentication for user action verification
GDPR has ushered in a wave of awareness regarding the responsible use and protection of personal data. There are many new privacy mandates, including the California Consumer Privacy Act, which is widely believed to be just the start of similar data protection laws worldwide. What to do?
Embrace it!
Data Minimization – look at solutions that are built with data privacy in mind. The GDPR’s requirement for “data minimization” means that organizations should only collect the data necessary for a specific purpose. This reduces the amount of personal information your organization is responsible for protecting. Less data to protect means less impact in the event of a breach.
This is something that iovation has embraced in all of our solutions. Our device-recognition technology uses hundreds of device attributes and their unique orientation with each other to instantly identify over 5B devices in our database without requiring users’ directly identifying information.
Shut down account takeover
Most authentication solutions continue to rely on usernames and passwords. Yet time and again we’ve seen how easy it is for criminals to steal, buy, or brute force these credentials — raising the possibility of account takeover (ATO).
The spirit of the GDPR seeks to preserve users’ privacy and the security of their accounts. By adding a layer of transparent authentication, you can gain powerful risk insight that allows you to assess risk factors indicative of ATO, including device anomalies, spoofing, and evasion. This adds a second, invisible layer of authentication that drives step-up authentication if new or suspicious devices try to access an account, enhancing your existing authentication procedures without heavy lifting or intense coding. This allows you to decrease ATO and increase security without adding customer friction.
Minimize Your Breach Risks
Pseudonymisation – The GDPR actually states that breaches involving data that has been pseudonymised will not necessarily require notification to the regulator or data subject where the risk to the subject is low. That is a major benefit when the fines are so steep, so it’s important to make sure any solutions you employ use advanced cryptography or tokenization to pseudonymise data.
Decentralized Credentials – Take away the target
What are you hearing from your customers on potential emerging threats? - Star Sports
What do you think explains the significant rise in bonus abuse?
Is subscribers’ sharing of reputation reports compliant with the GDPR?
Is iovation a global company? Good question, yes we serve clients across 54 countries.