Online Gaming Payment Fraud
While exact figures are nearly impossible to pinpoint, online gaming is at the very least a multibillion-dollar-a-year industry. With that much money flowing through it, any industry becomes highly susceptible to fraud or theft. Payment fraud is a type of theft and represents a significant financial threat to online gaming establishments. Here is an overview of online gaming payment fraud, including some of the different types of fraud online gaming establishments are vulnerable to and what can be done about it.
What is Online Gaming Payment Fraud?
There are two main types of payment fraud in the gaming industry, although there is a range of ways to commit different types of payment fraud. "Friendly" fraud is committed by the legitimate cardholder and most other types of fraud are some form of identity theft. Here are some of the different ways players can commit payment fraud.
Contrary to what the name implies, so-called friendly fraud still potentially costs gaming establishments millions of dollars in lost revenue. Most credit issuers offer cardholders guaranteed protections against unauthorized purchases. Many online gaming organizations are caught in something of a conundrum. On the one hand, online gambling is illegal in the U.S., yet many Americans still want to gamble online and there is a great deal of money to be made by offering this service. Since gaming companies are often conglomerates that run a number of different sites, they still try to keep a low profile. In addition, they are often registered in small or somewhat obscure countries. This makes them more susceptible to chargeback fraud, because the charges look as if they came from a shady or illegitimate organization, which makes them more suspect to the bank or card issuer.
In some cases, authorized cardholders may not want other cardholders such as parents or spouses to know about their activities and so may dispute the charges. In other cases, one cardholder may not know about another cardholder's activities and so may also dispute the charges. Because gaming companies are often licensed or registered in obscure foreign countries and use rather generic LLC names, banks will often simply reimburse the customer for the charges without doing a thorough investigation. At that point, it becomes the responsibility of the gaming company to invest the time and energy in proving the charges are valid. Since many of these charges are for a few hundred dollars or less, it is not fiscally feasible to defend every charge, yet cumulatively they can add up to several million dollars' worth of losses each year to various gaming companies.
Account takeover, or ATO, can occur in a range of ways. In some cases, cybercriminals will try to get a user's login credentials through a phishing scam. In this type of scam, a cybercriminal sends a user an email with some type of warning, urging the user to log into the site to check their account. The email contains a helpful-looking link that actually takes the user to a site controlled by the phisher, where the phisher can capture the user's login credentials. The cybercriminal can then use those credentials to log into the user's account on the legitimate site and drain it.
Cybercriminals can also go the opposite route by paying for gaming activities with credit accounts they have taken over. Gambling establishments even provide cyberthieves the opportunity to turn stolen credit information into cash through a process called chip dumping. This is where one person purposefully loses to another in online poker. For instance, a cybercriminal can open up an account with an online casino using a financial account they have gained access to and load several hundred dollars onto their account. They then simply lose at poker to either another account they have set up or one set up by a co-conspirator. Once they have drained the fraudulent account by "winning" all their chips, they can simply cash out and close both accounts.
A BIN attack is also a type of account takeover, but it is much harder for any type of fraud detection software to detect or deter. Most banks produce payment cards with a certain portion of numbers that appear in sequential order, known as the BIN or Bank Identification Number. Cybercriminals have learned that most cards with the same BIN code also have the same expiration date. What they are missing is a valid CVV code, but there are still plenty of online merchants that do not require CVVs to make a purchase. By finding a valid BIN code and date, cybercriminals can play with the remaining numbers until they hit upon one that works. Once they know they have a valid credit card number and expiration date, they can then use the card to make a single large transaction. Gaming sites are often prime targets for these purchases and even for finding a valid number in the first place. Since most fraud detection software is looking for unusual patterns of spending, one small purchase and one large purchase are unlikely to raise alerts, which allows the spending to go undetected until the authorized cardholder checks their statement.
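The guessing phase described above is invisible on any single card but visible at the merchant, which sees many different cards with one BIN and expiration date tried in quick succession, mostly declined. The following is an added example, not code from the original article: a sliding-window check over authorization attempts. The field names, thresholds and sample log are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MIN_DISTINCT_CARDS = 5          # assumed threshold, tune to real traffic
MIN_DECLINE_RATIO = 0.7         # assumed threshold

def find_enumeration_clusters(attempts):
    """Flag (BIN, expiry) groups where many distinct cards were tried in a
    short window with mostly declines; list cards approved in that window."""
    groups = defaultdict(list)
    for a in attempts:
        groups[(a["bin"], a["expiry"])].append(a)
    alerts = []
    for (bin_, expiry), rows in groups.items():
        rows.sort(key=lambda r: r["ts"])
        start, hit = 0, None
        for end in range(len(rows)):
            while rows[end]["ts"] - rows[start]["ts"] > WINDOW:
                start += 1
            window = rows[start:end + 1]
            cards = {r["card_token"] for r in window}
            declines = sum(not r["approved"] for r in window)
            if (len(cards) >= MIN_DISTINCT_CARDS
                    and declines / len(window) >= MIN_DECLINE_RATIO):
                hit = window  # keep the latest qualifying window
        if hit:
            alerts.append({
                "bin": bin_, "expiry": expiry,
                "distinct_cards": len({r["card_token"] for r in hit}),
                # Approved cards in a guessing burst: hold later charges.
                "hold_cards": sorted({r["card_token"] for r in hit if r["approved"]}),
            })
    return alerts

def build_sample():
    """Constructed authorization log (tokens, not real card numbers)."""
    t0 = datetime(2024, 1, 1, 12, 0)
    # Eight different cards on one BIN/expiry in eight minutes; the last is approved.
    rows = [{"ts": t0 + timedelta(minutes=i), "bin": "400000", "expiry": "12/27",
             "card_token": f"tok_a{i}", "approved": i == 7} for i in range(8)]
    # One returning customer on another BIN, three approved charges hours apart.
    rows += [{"ts": t0 + timedelta(hours=i), "bin": "510000", "expiry": "03/26",
              "card_token": "tok_b0", "approved": True} for i in range(3)]
    return rows

if __name__ == "__main__":
    for alert in find_enumeration_clusters(build_sample()):
        print(alert)
```

Cards listed under `hold_cards` are the ones whose next, larger charge deserves manual review or step-up verification before it settles.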
How To Prevent Payment Fraud
Online gaming organizations already suffer from a number of setbacks that make them more susceptible to payment fraud. For a number of reasons, many online gamers prefer to remain anonymous and many gaming sites try to facilitate this. As a result, however, this practice opens them up to all kinds of payment fraud. The only way for gaming sites to protect themselves from payment fraud is to institute security protocols which verify the identity of the user. Unfortunately, this creates something of a Gordian knot for online gaming sites. By instituting protocols that force users to verify their identity, they may lose significant business. By not doing so, however, they may lose significant revenue to fraud.