Published: Thursday, January 12, 2006 Online-Casinos.com
BETFAIR FIGHTS OFF THE FRAUDULENT ATTACKS
Forewarned is forearmed at betting exchange group
The online gambling industry's original and major betting exchange group, Betfair, has strengthened its defences against an increase in online fraudulent attacks, according to an interesting article in "Computer" this week.
The article reports that the growth of e-commerce has brought with it an influx of criminals looking to get rich through exploiting the internet, and quotes Rorie Devine, IS director at Betfair.
"One of my core challenges is security. It is not something we just pay lip-service to; we put a lot of time and money into it," Devine says, revealing that Betfair has recruited a team of security specialists to monitor and respond to hacking attempts and distributed denial of service (DDoS) attacks.
"The size of these attacks is increasing and the challenge they pose is getting bigger," says Devine.
Among Betfair's tactics are vulnerability management monitoring systems, which produce threat reports and carry out regular penetration tests to ensure the company's defences are secure. One of the biggest threats the firm has faced over the past two years is the growth of DDoS attacks, where criminals take control of an army of infected "zombie" computers and, unbeknown to the PC owners, use them in an attempt to take down websites for blackmail purposes.
Betfair saw more activity last year, especially during the final of the American football Super Bowl.
"Criminal gangs are like any other business in terms of adapting their approach so that they can be as effective as possible and make as much money as possible," says Devine. "This means that they are increasing the size and the sophistication of their attacks. These people are not stupid and they will realise that as an industry there are certain times that are more important than others."
Since the initial online attacks, bookies have invested heavily in technologies to try to combat them and have joined forces to form a forum where they can share their experiences. DDoS attacks are part of the landscape now; they have become something everyone has to live with by keeping abreast of the constant changes and new approaches used.
IT security in the online gambling industry is benefiting from businesses sharing their experiences and knowledge.
Betfair, Blue Square, Eurobet and the National Hi-Tech Crime Unit formed the Internet DDoS Forum in 2004 to share information on criminals' tactics and to decide on steps to take to prevent attacks.
"One of the best things to come out of the first wave of DDoS attacks in 2004 was that the online gaming community came together to share experience," says Devine. "It got us all up on the learning curve very quickly."
By pooling information about attacks and discussing tactics, the industry has come up with a consistent way to respond to criminals' blackmail demands, he says.
"We all take a very mature view. We all want to cure the problem by stopping these attacks from being successful. Rather than take a short-term view that it is our competitor that has a problem, we're looking at the bigger picture," says Devine.
Security is also a key part of Betfair's strategy for complying with regulations set out by the Department of Culture, Media and Sport for gambling businesses, as well as helping the organisation to comply with regulations set by the financial services industry.
From 30 June last year, Betfair and other firms that take credit and debit card payments have to adhere to a set of stringent security guidelines called the Payment Card Industry Data Security Standard, which aims to limit the risk of financial information being stolen.
But regardless of regulations, companies with smaller IT security budgets can still do a great deal to improve their defences by looking around at what is going on in other organisations, says Devine. "You need to look at the knowledge that is out there. I suggest making contact with other companies that have been attacked and trying to learn from their experiences. This will not cost you anything if you speak to the right people," he says.
Internet service providers could also do more to reduce the impact of DDoS attacks and phishing emails by educating internet users and improving their own security, says Devine.