Do you think that a number of regtech tools form an effective protective barrier that protects you from bonus abuse? Think again, says Greco co-founder Ozric Vondervelden.
In the world of high-stakes gambling, the thrill of beating the house is a story as old as time. But even with advanced fraud, verification and payment risk management tools, the industry still struggles with fraudsters scaling bonus abuse, a problem that costs billions.
The gambling industry’s reputation often makes it easy for opportunists to justify ethical violations. When answering the question “What do you do for a living?” I am always curious about the ingenuity of the scammers who outsmart the industry. It’s the defiance of all odds, the Robin Hood story.
Hollywood blockbusters like Ocean’s Eleven have glorified this aspect, and real-life characters like the MIT card counters have achieved legendary status. It is often perceived as an intellectual duel against the epitome of raw capitalism.
Take the case of Jonathan Howard, a husband and parent who was jailed in the UK earlier this year. If you asked him, I don’t think Howard would see his actions as fundamentally wrong. This moral ambiguity, coupled with the enormous potential gains, drives individuals to go to extraordinary lengths to exploit system and process vulnerabilities. After all, scaling bonus abuse is akin to owning your own money printing machine.
Despite a plethora of fraud and verification tools on the market, the multi-billion dollar bonus abuse counter industry continues to thrive. The secret, all too well known in bonus abuse communities but less well known in the industry, is the relative ease of bypassing these security solutions.
Gaps in the armor
For example, device fingerprint recognition, a common security measure, has its limitations. Our research in New Jersey found that a single identity taking advantage of every welcome offer could net over $18,000 in profits. In many jurisdictions this value is even higher.
Fraudsters can extend this to multiple identities by using unique devices and IP addresses for each identity. The additional costs of the required hardware will only slightly reduce your profits. But usually the methods are simpler. There are dynamic IPs, deleting cookies, and using common browsers and devices that fall into a gray area of false positives.
Good verification is always at odds with user experience and cost. While background verification provides minimal user friction, it remains extremely vulnerable to hacked and stolen data.
In the UK, the data required for thousands of verifiable casino accounts is publicly available on the Companies House register. Guess what data source many verification tools use? Using social security numbers is considered safer, but constant data leaks have shown this method to be quite ineffective.
Another common verification practice is “document upload on withdrawal,” which fraudsters exploit through collusion. By aggregating profits from multiple accounts into a single account and using sophisticated forgeries, only a single set of convincing forged documents is needed to target an operator with thousands of identities.
Advances in AI have made detecting these counterfeits increasingly difficult. In fact, a recent viral demonstration on LinkedIn showed how AI can animate still images to bypass costly liveness checks, considered one of the safest defenses.
This AI versus AI scenario creates a technological arms race, resulting in security measures being outsmarted.
The introduction of digital wallets and virtual cards has dramatically changed the landscape of payment-based risk management in gambling. Until now, the one-time payment card requirement was a huge obstacle to multiple account management. However, digital wallets such as PayPal, Apple Pay, Neteller, and Skrill have made it easier to create multiple accounts linked to a single wallet.
The emergence of virtual cards has exacerbated this problem, allowing users to generate hundreds, if not thousands, of unique card details for a wallet. The dilemma arises when trying to block virtual cards because their identification codes (BINs) often overlap with those of physical cards.
Blocking all cards from providers such as Monzo and Revolut could upset a significant customer base. And it runs counter to trends in banking innovation and consumer privacy demands.
Maybe we can find a solution to these challenges. Perhaps blockchain-based digital identities can bind players to a digital trust score validated via an encrypted retina scan.
The problem is that this still doesn’t solve the syndicates’ challenge.
Here’s how it works: A ringleader recruits people to take advantage of bonuses. The ringleader provides them with instructions on how to take advantage of each offer, and the ringleader takes a share. The problem with this setup is that each player uses their own device, IP, cookies, browser, location, payment method and KYC documents, so there is no traceable connection.
Finnish bonus abusers are notoriously elusive as they introduced this process in response to open banking, which has led to the bankruptcy of many operators. The US faces the same challenge in response to geolocation tracking.
Analysis of gameplay to stop bonus abuse
Don’t get me wrong, risk solutions are an absolute necessity. But none of these are currently a complete solution, and anyone who relies on them is putting themselves at risk.
In markets with high bonuses, a complete solution requires device fingerprinting, verification, payment analysis and game analysis. The problem is that almost all risk mitigation products used in the industry are multi-industry focused. They neglect what makes this industry unique – gameplay.
Gameplay is the only process that cannot be spoofed and acts as a failsafe. When a player takes value, he takes value. If a player cheats, then a player cheats. It’s black and white.
The problem is that operators are not well equipped to make these distinctions. Many top operators can be exploited for more than 12 months on a single account, costing thousands before they can identify it. Then it will be too late. We need to get better at analyzing gameplay risks and break down the silos between risk teams and CRM.
After all, VIPs and bonus abusers are at two ends of the same value scale.
Ozric Vondervelden is considered a leader in igaming bonus abuse and risk management. He has consulted with more than 40 operators and has a proven track record of saving his customers millions annually. Ozric is co-founder of Grecothe industry’s first gameplay risk engine dedicated to identifying gameplay risks and determining the true value of each player.