The online betting and gambling industry is thriving, with the global market expected to grow at a compound annual growth rate of 8.54% until 2027. By the end of 2023, this industry was already worth a staggering $95.05 billion. However, this rapid expansion has brought with it a growing threat: cybercrime. Among the most prevalent and damaging attacks plaguing this sector is fraud, specifically fraud stemming from account takeover, where cybercriminals gain unauthorized access to legitimate users’ accounts, often with devastating financial and reputational consequences.
Account takeovers aren’t just a hassle for users—they pose a serious risk to your entire platform.
Let’s take a closer look at how big this problem is, the financial impact it’s having on the industry, along with actionable advice on what companies can do to protect both themselves and their customers.
What is Account Takeover (ATO)?
Account takeover happens when an attacker gains access to a legitimate user’s account, typically through methods such as phishing, credential stuffing (using leaked usernames and passwords), or exploiting weak security measures like poorly protected passwords. Once inside, these fraudsters can siphon off money, steal personal information, and even use the compromised account to place fraudulent bets or withdraw funds.
This type of fraud is especially prevalent in online betting because of the lower barriers to entry and the sheer volume of funds moving through these platforms. Alarmingly, 4% of all login attempts on gambling platforms in 2023 were attempts at account takeover, highlighting how common this problem has become.
The Appeal of Betting Sites to Cybercriminals
The rise in cybercrime targeting the gambling industry is driven by several factors that make these platforms highly attractive to fraudsters:
- Rapid Growth and Popularity: The betting and gambling sector has seen exponential growth, reaching billions of dollars in revenue. This rapid expansion makes it a prime target for cybercriminals looking to capitalize on poorly secured platforms.
- Ease of Access: Online betting platforms are easy to sign up for and often have less stringent security protocols compared to industries like banking. This lowers the entry barriers for both legitimate users and criminals looking to exploit vulnerabilities.
- High Financial Gain: The potential financial rewards for successful account takeover attacks are significant. Research shows that even inexperienced fraudsters can make up to $20,000 a month, while seasoned cybercriminals can rake in as much as $600,000 monthly.
The Scope of Fraud in the Betting Industry
In 2023, the online gambling and sports betting industry was hit hard by fraud. The Onfido Identity Fraud Report highlighted something these platforms should keep in mind: the fraud rate for gambling companies surged from 4.2% in 2022 to 7.6% in 2023, an 80% increase. This rate far exceeds the fraud levels seen in other industries.
The rise in Dark Web activity related to gambling credentials is another alarming indicator. The volume of compromised gaming credentials available for sale has surged, particularly during major events like the Super Bowl or FIFA World Cup, when betting activity peaks. Cybercriminals often sell these stolen credentials in bulk, enabling other fraudsters to access multiple accounts and carry out more account takeovers.
The Cost of ATO to Betting Platforms
The financial toll of account takeover attacks on the betting industry is staggering. Betting platforms are not only losing money from fraudulent activities but also from the cascading effects these breaches have on their business. Consider the following statistics:
The damage extends beyond the immediate financial losses. When accounts are compromised, customers lose trust in the platform, often resulting in decreased user retention. 25% of betting customers have had their accounts compromised due to weak password security, which underlines the importance of strong authentication practices.
Why Password Policies and Dark Web Monitoring are Crucial
Account takeovers often begin with compromised credentials. These credentials—combinations of usernames, passwords, and sometimes even personal information—are frequently sold on the Dark Web, where they are purchased by cybercriminals looking to exploit them for profit. Studies have shown that 65% of people reuse passwords across multiple sites. A common way credentials become compromised is through users reusing the same passwords across multiple platforms, including third-party sites. When these third-party sites are breached, the reused credentials are also exposed, leaving users vulnerable across multiple accounts.
This means that a single data breach can have far-reaching consequences, as hackers apply stolen credentials to different platforms in what’s known as credential stuffing attacks.
For gambling platforms to protect their customers and themselves from the dangers of ATO, it is essential to monitor for leaked credentials on the Dark Web and proactively address these vulnerabilities. While it’s helpful to encourage strong password management practices, such as using unique credentials for each platform, the only way gaming platforms can protect themselves is through Dark Web monitoring.
Dark Web monitoring tools scan these illicit marketplaces for compromised credentials, allowing platforms to identify and remediate potential threats before they lead to account takeovers. By alerting users when their credentials have been exposed, operators can prompt users to change passwords and implement additional security measures. This can be implemented without negatively impacting the user experience by simply having them reset their password to a strong, uncompromised password at the next login flow.
Password Hygiene and the Benefits of Dark Web Monitoring for Authentication
In addition to promoting strong password practices, Dark Web monitoring offers a seamless solution to prevent ATO without the friction often associated with multi-factor authentication (MFA). Instead of requiring users to adopt complex authentication methods, platforms can enhance security by automatically checking for compromised credentials every time a user logs in.
Many betting platforms, for example, might avoid implementing MFA due to its impact on user experience, with 60% choosing not to implement MFA. MFA introduces friction by requiring users to authenticate through multiple steps, and while it adds security, it only reduces the chances of an account compromise by around 50%.
Dark Web monitoring, on the other hand, provides a much more user-friendly approach. By continuously scanning the Dark Web for stolen credentials and cross-referencing user login data with known breaches, platforms can quickly identify when a user’s password has been compromised. When such activity is detected, the system can automatically prompt the user to reset their password—without affecting the usual login flow. This ensures users maintain secure access without the additional hassle or disruption caused by MFA.
This proactive approach not only reduces the chances of an ATO attack but also maintains a frictionless experience for users, ensuring high engagement levels while still providing strong security. As attacks become more sophisticated, betting platforms that leverage Dark Web monitoring can protect their systems effectively without sacrificing user experience, thereby minimizing both security risks and the potential financial loss that could arise from a data breach.
While Dark Web monitoring can operate independently to ensure security without disrupting the user experience, it can also be implemented alongside MFA to create a layered defense against cyberattacks. By combining the two methods, platforms can provide even stronger protection for user accounts.
Previously, when they identified a compromised account through location signals, their IT team had to work closely with marketing to notify the affected users, which was a time-consuming process. This also impacted the user experience, as some accounts even had fake bets placed. Since they started using Enzoic, they haven’t experienced any account compromises. While there was internal resistance to implementing MFA, the Splash Sports IT team chose to integrate Enzoic as a solution that wouldn’t introduce hurdles for their users. They’ve seen about a 2-3% hit rate on compromised credentials in the last ~20,000 they’ve tested.
– Enzoic Sports Betting Customer
The Way Forward
Cyberattacks on sports betting platforms cost the industry an estimated $2.3 billion annually by 2024. Beyond the financial losses, the reputational damage can be even more devastating. When users lose trust in the security of a platform, they are unlikely to return, leading to a long-term decline in user engagement and revenue.
The widespread availability of stolen credentials on the Dark Web means that betting platforms must be vigilant in monitoring for potential threats and educating their users about the importance of secure passwords and authentication measures. Without proper defenses, betting platforms risk not only losing money but also the trust of their users, which can be even more costly in the long run. By implementing strong password security and staying one step ahead of cybercriminals, betting platforms can promise their users a more secure betting experience.
AUTHOR
Josh Parsons
Josh is the Product Manager at Enzoic, where he leads the development and execution of strategies to bring innovative threat intelligence solutions to market. Outside of work, he can be found at the nearest bookstore or exploring the city’s local coffee scene.
*** This is a Security Bloggers Network syndicated blog from Blog | Enzoic authored by Enzoic. Read the original post at: https://www.enzoic.com/blog/ato-betting-gambling-and-sports-betting-sites/