SBC News

Philip Young, Luciditi: How to stop betting being a ‘ripe target’ for cybercrime

As betting continues to become increasingly digitised and the way consumers embrace new products continues to grow, vulnerability to cybercrime is also at risk of rising.

Outlining measures operators can introduce across a range of metrics to fight back against illicit actors, Luciditi Founder Philip Young underlined the importance of data and why digital ID can be a crucial tool.

Thanks for speaking to us Philip. Could you begin by giving us a breakdown of Luciditi and its operations in the gambling space?

At its core, Luciditi is a digital identity platform which allows operators and players to trust each other. We feel it is also a tool that can help combat a number of issues that already exist in the gambling space, such as preventing multiple accounts being set up to lower the risk of problem gambling and money laundering, plus, spreading sensitive information wider to help prevent serious data breaches.

Luciditi allows a player to prove their identity remotely using their mobile phone and a government-issued ID. This may be during onboarding or a secondary operational process. It removes the manual element of ID verification and provides the necessary KYC/AML attributes that operators require.

Since it is a plug-and-play platform, operators can embed the process into their own apps and websites rather than building and maintaining their own solution.

Future interactions can be validated using a player’s Luciditi Identity. Since it’s re-usable across multiple sites/apps, trust can be established instantaneously in real time for both parties.

Continually utilising a player’s digital ID keeps trust high and costs low, ensuring that identities remain valid and in possession of their owners. The fact that a player can only have a single Luciditi Digital Identity means that it’s easy to spot multiple accounts being used by the same individual.

In your view, what is the biggest cybersecurity threat to the betting industry and why?

Account takeover and cloning. Many systems still employ basic username and password authentication, which is an easy target, especially when there are troves of credentials available for purchase on the dark web.

Pre-built hacking platforms can be used in conjunction with such credentials to coordinate high-volume attacks by anyone with access to such software, without them even needing to be highly skilled clandestine hacking groups.

By extension, what would you say are the most common motivations for cyber attacks against betting firms?

Having access to an account connected to a payment source from which funds can flow in and out makes gambling accounts a ripe target for theft, fraud and money laundering.

The high volume of transactions makes the industry an easier target than others, plus many large companies across all industries are sometimes surprisingly not set up to defend against such large breaches.

While Multi-Factor Authentication (MFA) is essential and somewhat effective, in an ideal world passwords should be phased out entirely. Hence the likes of Google, Microsoft and Apple recently backed FIDO2, a password-less standard that allows a user to store credentials on a device in place of a password.

Luciditi’s sign-in process takes this one step further, offering a FIDO2-compliant password-less service backed by a Digital Identity – making it even more secure than many operators’ current systems.

EGBA has formed an ‘expert group’ to address cybersecurity, but can the industry do more to counter such threats and what methods could it use?

As well as viewing it from the point of view of threats to operators, there is equally a need to view threats to players, because these ultimately affect revenue streams – so that the vested interest is there and more safeguarding can be put in place.

Financial incentives tend to dictate what gets implemented, which in turn can help players be protected.

Is there a particularly strong threat surrounding the payments journey, and again if so, how can companies protect against this?

The PCI standards go a long way to addressing payment fraud, but that doesn’t stop hackers locating accounts with balances and redirecting funds. The journey can be strengthened throughout if it is possible to know that transactions are being conducted by the real player – and a digital ID held on an external platform can prove this.

How much does the cyber threat to betting fluctuate? E.g. should operators look to bolster their cybersecurity around major tournaments such as the upcoming World Cup?

Whenever there is an increase in casual betting for a high-profile event, the risk increases. Usually, it’s because these types of players don’t regularly use their accounts. Re-validating that the player is who they claim to be after a period of non-use of the account would help distinguish real players from hackers taking over or cloning accounts.

The long-running Gambling Act review’s outcomes are apparently due soon; what do you predict this could bode for betting KYC and data handling standards?

The one that interests me most is around data handling and the risks introduced by enhanced forms of verification. Verifying the player to a higher degree of accuracy requires more data to be supplied and stored, which in turn increases the amount of sensitive data collected (and re-collected), and therefore increases the value of the honeypots of customer data across an operator’s systems.

We have anticipated this will be a heavy burden for operators of all sizes and this led directly to our GlassVault feature, which allows the company to confirm identity without holding all the data themselves, yet still enables them to establish that a player is genuine.

In emergency situations, the transparent break-glass feature allows that data to be accessed: for example, if requested by authorities.

How can operators access player data for cybersecurity and fraud prevention whilst respecting customer privacy?

It needs to be done transparently so that players know exactly what they are supplying and for how long. Providing consent in real time in a way that is easy to digest also helps build trust.

If you want to know how not to offer consent, look at pretty much any “cookie dialogue” out there. There are no standards and in almost all cases, they are stacked in favour of the service.

Players also need to be able to change their mind and easily revoke their consent at any time. Where there is a need for significant amounts of data to be used for a “point-in-time decision”, it should be accessible to operators via an escrow-type service like GlassVault, but in doing so the data owner would know that this has happened and why.