Lessons from MGM & Caesars: A Watershed Moment for Gaming?

TERRY BRENNER, LLM

The past couple of weeks have not been good ones for online gaming. Quite simply, there was too much news. As the reports spread on the Caesars attack the week before last and then MGM Resorts last week, that kind of attention is not what the industry—any industry, really—wants its fans to have top of mind before putting down $50 on the Ravens-Browns game (Browns by 2.5 points, by the way, as of the time of writing). 

Held for ransom

Headlines spread of a ransomware attack by hackers, thrust into the limelight for breaching the systems of two of the world’s largest gambling companies—MGM Resorts and Caesars Entertainment Ltd. 

As the news unfolded, it was reported that for MGM, the point of entry was the targeting of individuals who held privileged access at the identity management firm used by the company. According to reports, Caesars agreed to pay a ransom of $15 million. MGM Resorts apparently did not, instead choosing to rebuild its affected IT infrastructure (at a cost of $8.4 million per day of systems down).

Exploiting human frailty 

Ransomware attacks have become an increasingly common occurrence in the online gambling industry and beyond over the past few years. According to the security firm CrowdStrike, the single group held responsible for the MGM attack has been tracked in 52 attacks globally since March 2022, most of them in the United States. Nearly every industry, from telecommunications to finance, hospitality to media, has been hit.

The hackers acquire employee information, including passwords, by social engineering, especially “SIM swapping,” a technique in which they trick a telecom company’s customer service representative into reassigning a specific phone number from one device to another.

The attacks have become increasingly sophisticated, have challenged the industry to stay ahead of the wave, and have cast doubt upon the efficacy of passwords (and of knowledge-based authentication in general). A common theme in many of these cases is that the weak point is the human link—either the telecom service desk that permits the SIM swap or the “authorized employee” who holds the passwords to log into the company’s identity management systems.

Fortunately, the human face is the new weapon of defense, in the form of biometric identity verification. Done correctly, facial biometrics is a comprehensive but easy process that involves validating users’ identities during the onboarding process. Its significance lies in ensuring that only legitimate users gain access to the platform. 

By employing rigorous identity verification, companies at both the source of the challenge (telecoms) and the endpoint (gaming, in this instance) can significantly reduce the risk of unauthorized access and the ransomware attacks that follow it.

Is this a trigger event for the gaming industry, with chips falling to the ends of the casino floor?

Protecting the players

When it comes to regulations that touch on the gaming industry, two of note are “responsible gaming” and “know your customer” (KYC). From my viewpoint, regulators and operators alike have taken on responsible gaming with more seriousness (and hopefully, for operators, with sincerity). 

One reason is that following the legalization of sports betting in 2018, states were motivated to roll out their license programs with the lure of a good tax revenue stream. However, regulators had to balance implementation with player protection because of (i) public expectation from the regulators and (ii) the importance of preserving the regulator/operator/player ecosystem. 

As a result, the issue of responsible gaming appears as a key concern consistently across iGaming and in states that allow sports betting, with gaming agencies and operators talking the talk. Case in point: Any gaming conference that you attend will likely have several panel discussions around responsible gaming. 

Do you really know your customer? 

When it comes to KYC regulations in the gaming sector, the level of regulatory attention is vastly lower. I see two primary reasons for this.

The first is that AML/KYC as prescribed under the Bank Secrecy Act (and its regulations) applies a risk-based approach to KYC. This means the money laundering (ML) and terrorist financing (TF) risks are identified, assessed, and managed by the company at its own discretion (guided by some suggestions on best practice) when it comes to applying appropriate AML and KYC controls.

One result of this risk-based flexibility is that the gaming industry (based on observations of US operators) applies a light-touch approach to KYC when onboarding players: for example, not asking users to present a form of ID; accepting copies of ID documents (which opens the door to forged paperwork); and not using comprehensive ID verification tools. It’s a push-pull between onboarding as quickly as possible and check-the-box KYC. The outcome: the doors to the kingdom are opened to fraudsters and ML actors from far and wide. And once they’re in, they’re in.

The second reason is that the regulatory agency that oversees the gaming industry’s AML obligations, the Financial Crimes Enforcement Network (FinCEN), is detached from operators’ day-to-day operations and tends to step in only when federal attention is raised on a hot-button issue. Fines are few and infrequent. Case in point: from a quick search on FinCEN enforcement in the gaming industry, the last imposed penalty that I read of was in 2017.

Back to the future

Getting back to today: as mentioned above, there has been too much attention. With the news of the security attacks on MGM and Caesars, the odds have increased that the spotlight will shift some of its focus onto the gaming industry.

For starters, the gaming sector has a mystique that heightens attention to it, relative to the same incident taking place in, for example, boring consumer goods. And even though the recent incidents were internal systems breaches, it takes only one curious federal regulator applying a “broken windows” approach to check security across other parts of the building too.

Central to the challenges highlighted above is that responsibly deployed face-based biometric ID verification is a solution available today to the gaming industry to meet KYC requirements—during onboarding or for re-authentication—in an effective, secure, and customer-friendly way. 

It is plausible that as regulators shift focus onto the gaming industry, facial biometric verification will emerge from the skipped chapters of the operators’ playbooks to take a more central role for improving both internal controls and KYC and other federal regulatory compliance.

About the post:
Images are generative AI-created. Prompt: Trippy, psychedelic version of someone entering Las Vegas casino floor, their face being scanned by a futuristic scanner to verify their identity, swirling lights, floating slot machines. Tool: Midjourney.

About the author:
Terry Brenner is the Head of Legal, Risk, and Compliance for IDVerse’s American operations. He oversees the company’s foray into this market, heeding the sensitivities around data protection, inclusivity, biometrics, and privacy. With over two decades of legal experience, Brenner has served in a variety of roles across a diverse range of sectors.