Can Online Casinos Be Hacked?
Can online casinos be hacked?
This is a common question among online casino players in the UK, but one that FindMyUKCasino.com feels has never been properly answered.
All slot sites licensed by the UK Gambling Commission must have certain protocols in place and deploy specific technologies to ensure they cannot be breached by hackers or cyber criminals.
This includes using powerful SSL encryption and state-of-the-art firewalls alongside best-practice cyber security systems and processes.
But the question still remains whether these technologies and processes are enough to fend off cunning cyber criminals whose attacks are becoming increasingly sophisticated.
To find out more, we spoke with ethical hacker and founder of Hedgehog Security, Peter Bassill.
Peter is one of the world’s leading cyber security experts and is hired by online casino operators to put their defence systems to the test and report back with any weaknesses he finds.
Online casino sites then use Peter’s findings to make the necessary changes to ensure they are as safe and secure as possible, meeting the highest possible cyber security standards.
The first question we put to Peter was a simple and, given his job description, perhaps obvious one – can online casinos be hacked?
It is possible for any online casino operator to be hacked if they are not looking after their people and digital systems and protecting them correctly.
New vulnerabilities are a daily occurrence and we see exploits of around 5% of these new vulnerabilities. This is why patching and maintenance is so very important.
This needs to be done in conjunction with regular penetration testing as it will enable operators to identify around 95% of weaknesses in their systems.
We get asked to test the robustness of defences of operators of all sizes and it is rare that we fail to find a way in.
How to hack an online casino:
Peter is a talented hacker and leading cyber security specialist with a unique skill set that enables him to push an online casino’s defences to the absolute limit.
It is not something that a normal person or even a semi-capable hacker could achieve. That said, Peter is only successful at effecting a complete breach of an online casino around 5% of the time.
In most cases, the technologies and processes that the online casino has in place provide such a high level of protection that even Peter and his team cannot break through.
But in some instances the online casino has a small chink in its armour and that is all Peter needs to squeeze through the defences in place and gain access to its systems, data and cash.
We are only successful in a small number of digital attacks. That is, finding a hole in the operator’s systems or defences that allows us to bypass the protection and get access.
More common than the digital attack is finding information within the online casino’s supply chain and using that to gain access.
We recently performed a penetration test against a large operator and during our reconnaissance we found the root password of their database system in an online source code repository.
The repository had not been protected properly. Armed with this, it was a simple case of identifying a database server that was exposed to the internet and then we were in.
Another method Peter uses is something that most people will be familiar with – phishing emails.
These are official-looking emails that encourage the recipient to provide information, data, passwords, etc. to someone they believe works within their organisation or a related third party.
Peter sends these emails directly to employees or people that work at related organisations – game providers, payment processors, etc – to gain access to an online casino’s systems.
A simple phishing email with a well-created file that runs some code when opened has gotten us access on more occasions than I would care to mention – around 60% of the time, in fact.
With access to an employee or user’s system, it is simply time and patience before we have access to the crown jewels.
This method of attack bypasses the vast majority of defences and we remain hidden on operator networks for weeks on end despite them having invested heavily in powerful technologies.
This is an issue being faced not only by online casino sites, but by all businesses and is why cyber security education and training among staff is the best line of defence.
What would happen in the event of a breach:
While Peter has a relatively high success rate when it comes to breaching online casino security systems, in the real world it does not happen very often at all.
This is because the processes and technologies the UK Gambling Commission requires operators to deploy are, in most instances, capable of preventing breaches.
Operators also have procedures in place to fight off any attacks that their systems identify and register before the hacker is able to gain access to their systems.
Peter explains what would happen in the event a hacker were to break through the ring of steel and what it would mean for the money in your wagering account and the personal data you have provided to the casino.
Hackers are usually motivated by money and online gambling operators have money. They also have a reputation at stake and will go to great lengths to protect both their cash and their name.
Because online casinos hold large sums of money, their financial systems are always going to be a target, too. But increasingly, hackers are looking to access data and then ransom it.
There is also the monetisation of player information such as usernames and passwords, which hackers will sell on to organisations and individuals.
If a single player’s information is worth £1 and they gain access to the information of 250,000 players, the math speaks for itself.
Thankfully, these attacks are on the decline and it is far more common for hackers to break into a system and encrypt all the data they gain access to.
This effectively takes the business offline until the operator pays the hacker’s ransom fee, at which point the hacker releases the data and moves on to their next target.
How online casinos are taking the fight to hackers:
The UK Gambling Commission requires online casino and slot site operators to deploy certain cyber security technologies as standard to protect against possible attacks.
SSL encryption – Very simply, this is a mechanism of encrypting the user’s traffic between their computer and the operator’s systems.
Firewall – This is like the bouncer on the front door of a club. They look at the people (digital traffic) coming into the club (website) and make a decision as to whether they are allowed to pass or not.
Patching – This is the updating of software and systems to ensure they are kept up to date and free of known security and performance weaknesses.
Penetration testing – This is where Peter and his team get to play the bad guys in a controlled manner. They will attempt every way to digitally or physically break into the casino that is allowed in the rules of the engagement.
These technologies, combined with using experts like Peter and his Hedgehog Security team to identify weaknesses, mean that online casinos are fully equipped to take the fight to hackers.
Q: What technologies do you have in place to prevent cyber security attacks?
A: We use Imperva, a turnkey cyber security software solution that ensures our online casino sites are protected from the risk of an attack or being hacked. This is the same technology used by some of the largest banks, telecom providers and insurance companies in the world.
Q: What processes do you have to monitor potential attacks and stop them happening?
A: Imperva takes care of that for us, monitoring, alerting and combating any attempted cyber security threat in real-time. When it comes to our data centres where we hold player data, we have an additional private tunnel where an advanced security layer processes traffic.
Q: Do you work with third-party experts to help with cyber security?
A: Yes. Alongside Imperva we also work with ethical hackers who regularly target our sites and back-office systems to identify any weaknesses that may be present. We then use their reports to close any chinks in our armour.
Q: Have you ever suffered a cyber security attack? If so, how did you respond?
A: Yes, many years ago we were the victim of a cyber security attack. We were able to get on top of it quickly and no player data was lost. As a result of the attack, we really improved our standards and processes, and started to work with Imperva.
Q: Are online casinos more secure than other ecommerce/entertainment sites?
A: That really depends on the cyber security protections in place at ecommerce and entertainment sites. What I can say is that players at UK licensed online casinos such as All British Casino and Fun Casino can play in confidence that our brands are meeting the highest possible standards.
For example, we undergo six-month audits of our information security and management systems. We also undertake fail-over tests and penetration testing to make sure that information and data, including player data, is as protected as it can be.
Online casinos are safe:
Online casinos are entertainment and ecommerce sites and, from a cyber security perspective, operate in the same way as online retailers, gaming platforms, streaming services and so on.
But unlike these industries, UK-licensed online casinos have to deploy modern technologies and best-practice procedures and processes in order to accept customers from the UK.
So, while cyber security threats remain, and the nature of the threats is constantly changing, online casinos offer some of the highest levels of protection to consumers.
The best way to put this into context is to look at success rates of penetration tests. Putting the financial services sector against casino operators, we have seen a 5:1 ratio of significant success.
This is, in part, down to the regulatory control governing online gambling operators, but it is more to do with operators knowing they are targets and being very well prepared.
This is why it is so important to only play at online casino and slot sites licensed by the UK Gambling Commission – view our A-Z list of recommended UK-licensed online casinos.
If you don’t, there is no guarantee the online casino site has any of the cyber security technologies and processes that those licensed by the UKGC must have in place.
The steps you can take to better protect yourself:
Peter shares his top four tips below:
The first, and most important protection, is to make sure you play from your own device. You know your device; you know what is on it and you should be able to trust it.
Secondly, use the best anti-virus and anti-malware you can afford/bear to live with. There are many out there but choose one with a good reputation. Brands such as Trend and Symantec are good, but don’t discount services such as Microsoft Defender. At the end of the day, choose the one you feel comfortable with.
Third is really for those who move around and play from everywhere. Use a VPN. It doesn’t provide a defence from hackers, despite what the adverts say, but it does mean that someone sitting in the coffee shop with a fake wireless hotspot won’t capture your keystrokes.
Finally, keep your devices up to date with the current patches. The fastest way for us to get into a system is by manipulating badly patched computers.
To answer the original question – can online casinos be hacked? Yes, they absolutely can be, but only by the most skilled and experienced hackers in the world.
Peter is one of these hackers, and thankfully he works with online casinos to identify areas of weakness and help them improve the technologies and processes they use to prevent attacks.
Online casino sites licensed by the UK Gambling Commission are safe and secure and go to great lengths to prevent attacks and protect player funds and personal information.
Indeed, they are required to do more than other popular entertainment options and ecommerce websites so you can play at UK-licensed online casinos knowing they are safe and secure.
One final word from Peter...
Playing at an online casino is fun but treat it with the same level of concern as you do with your online banking.
A healthy level of paranoia doesn’t mean the hackers are out to get you, but it does mean if they try they will likely go after easier victims.