Credential stuffing: a risk for the global wagering and sports betting industry with customers having betting accounts with multiple brands
Author: Alex Hoskins, Principal
One of the major threats faced by B2C industries, including the wagering and sports betting industry, is credential stuffing. Despite growth in wagering and sports betting industry regulation and compliance, the industry is at risk of becoming a target for cybercriminals due to the large amounts of money involved and the likelihood of customers holding betting accounts with multiple brands.
The Australian Cyber Security Centre defines credential stuffing as a cyber-attack where cybercriminals use previously stolen passwords from one website and try to reuse them elsewhere so they can gain access to more accounts. This is made possible when people use the same username and password combination for different online betting accounts.
The gambling and sports betting sector in Australia continues to grow with new operators entering the market, along with emerging markets like the US which is seeing new operators being licensed in different states. Given the choice of brands available for consumers, it's not uncommon for customers to hold a betting account with multiple operators.
In a 2018 study conducted by leading Australian gambling researcher Professor Sally Gainsbury, from the University of Sydney Gambling Research and Treatment Clinic, wagering activity participants were found to be more likely to hold two (26.4%) or three to four (29.6%) active accounts. Only one-fifth of participants (19.0%) had a single active account.
Cyber hackers seek to source large collections of data sets containing usernames and passwords, often acquired at low prices from the dark web, and subsequently try to utilise these login details, or “stuff” the details into as many online platforms as possible. Data sets on the dark web containing thousands of usernames and passwords are reported to be available for just a few dollars.
Cybercriminals use automated tools to test these stolen credentials on many websites, akin to taking a key and going through a neighbourhood to find the door it fits. Because wagering and sports betting customers hold accounts with different brands within the same industry, the industry may become attractive to cyber hackers who compromise one operator's systems to obtain credentials for use on other operators' sites.
The most obvious risk for operators and customers is financial loss from fraudulent transactions made with stolen credentials; affected customers may also have their accounts taken over and their personal information exposed.
In addition to financial loss, credential stuffing can also damage the reputation of a company. Customers rely on companies to keep their personal and financial information safe, and a successful credential stuffing attack can greatly undermine their trust. This could result in a loss of customers and revenue for the company.
To protect against credential stuffing attacks, companies in the wagering and sports betting industry need to consider different types of security measures that can protect customer information, including:
multi-factor authentication;
regularly monitoring login attempts;
educating customers about the importance of using unique passwords for each account. Customers should avoid using the same username and password in the first instance and opt for a passphrase instead of a password (the difference being a passphrase uses uppercase, lowercase, numbers and special characters);
sending emails at regular intervals advising customers to update their passwords to keep their accounts secure; and
considering cybersecurity solutions, including security audits, to identify and address any vulnerabilities.
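The second measure above, regularly monitoring login attempts, is where credential stuffing is most visible to an operator: one source tries a different username on nearly every request, most attempts fail, and the occasional success is the account that has been taken over. The following is an added example written for this article, not code from any operator or vendor mentioned here. It runs a simple sliding-window detector over constructed login-event lines (the timestamps, IP addresses, usernames and thresholds are all assumptions chosen for illustration) and flags a source address when, within the window, it has tried at least five distinct usernames and most of those attempts failed.

```python
"""Sliding-window credential-stuffing detector over login-event log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real traffic): timestamp, source IP,
# username, outcome. 203.0.113.7 sprays one password across many accounts
# and lands one hit (dave); 198.51.100.4 is a user who mistyped once.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice FAIL
2024-03-01T10:00:02Z 203.0.113.7 bob FAIL
2024-03-01T10:00:02Z 203.0.113.7 carol FAIL
2024-03-01T10:00:03Z 203.0.113.7 dave OK
2024-03-01T10:00:04Z 203.0.113.7 erin FAIL
2024-03-01T10:00:05Z 203.0.113.7 frank FAIL
2024-03-01T10:00:20Z 198.51.100.4 alice FAIL
2024-03-01T10:00:45Z 198.51.100.4 alice OK
2024-03-01T10:30:00Z 192.0.2.9 gina OK
"""

# Thresholds are illustrative assumptions; tune them against real baselines.
WINDOW = timedelta(seconds=60)      # how far back each source is examined
MIN_DISTINCT_USERS = 5              # many *different* accounts = stuffing, not brute force
MIN_FAILURE_RATIO = 0.6             # stuffed credentials mostly fail


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, user, outcome == "OK"


def detect_stuffing(log_text, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail_ratio=MIN_FAILURE_RATIO):
    """Return {ip: stats} for every source whose recent attempts look like stuffing.

    Events are assumed to arrive in time order. For each source IP a deque holds
    only the events inside the window, so memory stays bounded per source.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, ip, user, ok = parse_line(line)
        events = recent[ip]
        events.append((when, user, ok))
        # Drop events that have aged out of the window for this source.
        while events and when - events[0][0] > window:
            events.popleft()
        users = {u for _, u, _ in events}
        failures = sum(1 for _, _, succeeded in events if not succeeded)
        ratio = failures / len(events)
        if len(users) >= min_users and ratio >= min_fail_ratio:
            prev = alerts.get(ip)
            # Keep the widest spread of usernames seen for this source.
            if prev is None or len(users) > prev["distinct_users"]:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(events),
                    "failures": failures,
                    "failure_ratio": round(ratio, 2),
                    "last_seen": when.isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {stats}")
```

Keying on the number of distinct usernames per source, rather than failed attempts per account, is what separates credential stuffing from a brute-force attack on a single account, and it is why a per-account lockout alone does not catch it. On the sample input only 203.0.113.7 is flagged, and its one successful login (dave) is the account an operator would want to step up to multi-factor authentication or force a password reset on. In production the same logic is usually also keyed on device fingerprint or network block, since attackers spread attempts across many addresses.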
Credential stuffing poses an emerging risk to the wagering and sports betting industry, where customers hold accounts with multiple brands. Operators must take proactive measures to protect their customers' accounts and sensitive information from cyber threats, and educate their customers about keeping their account and personal information secure.