BLOG OF FINTAN COSTELLO - MOSTLY ABOUT WHERE DIGITAL MARKETING OVERLAPS WITH THE GAMBLING INDUSTRY. 

Security Through Obscurity

While I'm sure the recent Ashley Madison hack affected no one reading this magazine, statistically at least one of your customers has had a difficult conversation with an upset spouse. These major website data breaches, coupled with a regular series of mainstream press headlines about security vulnerabilities across desktop and mobile platforms, are creating an environment in which internet users are becoming more security aware.

We also have a web-native generation in their twenties who are far more security conscious, from simple things such as having been "fraped" by at least one friend, to the basic security training provided by major sites such as Facebook, Twitter and Gmail, which prompt users to review their security preferences regularly.

 

When we look at the account level security available as standard across all three of these major international sites, we get the following:

1.     HTTPS encryption as default

2.     Two-factor authentication, where a one-time password is sent to your phone as a text message, with various triggers: every time you log in, once every 30 days, or when you log in from a different device or IP address (a text-message code is weaker than an authenticator app, since a SIM swap can intercept it, but it is still a large step up from a password alone)

3.     Email notifications when you log in from a different device or IP address, or when any of your account settings are changed
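The second item above describes three triggers and a code sent out of band. The following Python is an added example, not code from the original post or from any of the sites it names; it shows how a login flow would decide whether to challenge under each trigger, and how the text-message code is issued and checked so that it expires, is single-use and survives a leak of the pending-code table. The policy names, the per-account record layout and the device and IP values are assumptions for illustration.

```python
"""Step-up login policy and one-time-code handling for a player account.

Added example, not from the original post or any operator it names.
Policy names, the AccountSecurity record and the device/IP values are
constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

THIRTY_DAYS = 30 * 24 * 3600  # seconds


@dataclass
class AccountSecurity:
    """Per-account state consulted at login (assumed layout)."""
    policy: str                        # "every_login" | "every_30_days" | "new_device"
    last_verified_at: float = 0.0      # epoch seconds of the last successful code check
    known_device_ids: set = field(default_factory=set)
    known_ips: set = field(default_factory=set)


def should_challenge(acct: AccountSecurity, device_id: str, ip: str, now: float) -> bool:
    """Decide whether this login must complete a second factor."""
    if acct.policy == "every_login":
        return True
    if acct.policy == "every_30_days":
        return now - acct.last_verified_at >= THIRTY_DAYS
    if acct.policy == "new_device":
        # A device cookie/fingerprint or a source IP not seen before triggers a challenge.
        return device_id not in acct.known_device_ids or ip not in acct.known_ips
    raise ValueError(f"unknown policy {acct.policy!r}")


@dataclass
class PendingCode:
    """Server-side record of an issued code: the salted hash, never the code."""
    digest: bytes
    salt: bytes
    expires_at: float
    attempts_left: int = 3


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode("utf-8")).digest()


def issue_code(now: float, ttl: float = 300.0, digits: int = 6) -> Tuple[str, PendingCode]:
    """Create a numeric code for out-of-band delivery (SMS) and the record to store."""
    code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
    salt = secrets.token_bytes(16)
    return code, PendingCode(_digest(code, salt), salt, now + ttl)


def verify_code(pending: Optional[PendingCode], submitted: str, now: float) -> bool:
    """Check a submitted code; missing, expired, exhausted, replayed or wrong all fail."""
    if pending is None or pending.attempts_left <= 0 or now > pending.expires_at:
        return False
    pending.attempts_left -= 1  # count the attempt before comparing, so guessing is bounded
    if hmac.compare_digest(_digest(submitted, pending.salt), pending.digest):
        pending.attempts_left = 0  # single use: a replay of the same code fails
        return True
    return False


def record_verified_login(acct: AccountSecurity, device_id: str, ip: str, now: float) -> None:
    """After a successful second factor, remember the device and IP for the new_device policy."""
    acct.last_verified_at = now
    acct.known_device_ids.add(device_id)
    acct.known_ips.add(ip)


if __name__ == "__main__":
    acct = AccountSecurity(policy="new_device")
    now = 1_700_000_000.0
    device, ip = "dev-abc123", "203.0.113.5"  # constructed values
    if should_challenge(acct, device, ip, now):
        code, pending = issue_code(now)          # `code` goes to the player's phone
        assert verify_code(pending, code, now)    # the player types it back
        record_verified_login(acct, device, ip, now)
    print("challenge on next login from same device/IP:",
          should_challenge(acct, device, ip, now + 60))
```

The attempt counter is decremented before the comparison so that a wrong guess always costs an attempt, and a correct code zeroes the counter so the same text message cannot be replayed from a second browser.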


Why is this important to the gaming industry? I would be confident that for the majority of sportsbook punters the password is a favourite football team followed by a two-digit number corresponding to the year that team won a league title. This means that with a little snooping on someone's social media profiles you have a good chance of guessing their password.
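A registration-time check that rejects exactly that pattern, as an added Python example that is not code from the original post. The team list is a constructed, deliberately short sample and the minimum length is an assumption; an operator would substitute its own list of clubs, nicknames and grounds, and pair this with a breached-password lookup, since a guessable password and a reused one are the two ways the "my account was hacked" ticket arrives.

```python
"""Registration-time check for "<football team><year>" passwords.

Added example, not from the original post. TEAM_TERMS is a constructed,
deliberately short list; a real deployment would use the operator's own
club/nickname/ground list plus a breached-password check.
"""
import re
import unicodedata
from typing import Optional

TEAM_TERMS = [  # constructed sample: club names, abbreviations and nicknames
    "manchester united", "man utd", "manutd", "mufc", "red devils",
    "liverpool", "lfc", "arsenal", "gunners", "chelsea", "cfc",
    "celtic", "rangers", "tottenham", "spurs", "leeds", "everton",
]

# Symbol swaps applied before stripping, and digit-for-letter swaps applied
# to the non-year part, so "Ar5enal" and "Ar$enal" still match "arsenal".
_SYMBOLS = str.maketrans({"@": "a", "$": "s"})
_DIGITS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def _strip(text: str) -> str:
    """Lower-case, fold accents, and drop everything but a-z and 0-9."""
    text = unicodedata.normalize("NFKD", text.translate(_SYMBOLS)).lower()
    return re.sub(r"[^a-z0-9]", "", text)


_TEAMS = {_strip(t) for t in TEAM_TERMS}


def _plausible_year(digits: str) -> bool:
    """Empty, any two digits ('99', '04'), or a four-digit year 19xx/20xx."""
    return digits == "" or len(digits) == 2 or (len(digits) == 4 and digits[:2] in ("19", "20"))


def is_team_and_year(password: str) -> bool:
    """True if the password is a known team term with at most a year before or after it."""
    norm = _strip(password)
    lead, core, trail = re.fullmatch(r"(\d{0,4})(.*?)(\d{0,4})", norm).groups()
    if not (_plausible_year(lead) and _plausible_year(trail)):
        return False
    return core in _TEAMS or core.translate(_DIGITS) in _TEAMS


def password_rejection_reason(password: str, min_length: int = 12) -> Optional[str]:
    """None if acceptable, otherwise the message to show at registration."""
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    if is_team_and_year(password):
        return "a football team plus a year is among the first guesses an attacker tries"
    return None


if __name__ == "__main__":
    for pw in ["Arsenal89", "Man Utd 1999", "Ar5enal!04", "correct horse battery staple"]:
        print(f"{pw!r:35} -> {password_rejection_reason(pw)}")
```

The regex splits the normalised string into optional leading digits, a core, and optional trailing digits, so "2005Liverpool", "liverpool05" and "Liverpool 2005" are all caught; a three-digit or non-year suffix such as "arsenal123" is not, because the check targets the specific habit described, not password strength in general.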


When we surveyed our player panel, we asked them to rate eGR Power 50 homepages based on the security indicator displayed in the address bar. From most trustworthy to least trustworthy, the rankings were:

1.     Extended Validation certificate (company name shown in the address bar) was the most trusted by far

2.     Green padlock

3.     No padlock

4.     Padlock with a warning triangle (certificate exceptions or mixed content)

5.     HTTPS crossed out with a red slash scared people


Interestingly, and rather surprisingly, when we reviewed the eGR Power 50 gaming operators:

·       Only 24% of sites had an Extended Validation certificate

·       46% had the green padlock

·       22% had a padlock with a warning symbol

·       8% of homepages had no SSL certificate at all, and confusingly 34% of homepages were available over both HTTP and HTTPS, meaning a plain HTTP request was served rather than redirected to HTTPS.


Why is this important? Our data forecasts an approximate 1% increase in registrations from using an Extended Validation certificate. I agree that this feels like a Team Sky marginal gain, but realistically it's still free money.


In terms of other security measures, we could only identify one company on the eGR Power50 list that offered two-factor authentication (2FA). What impact would two-factor authentication have for a gaming company?


2FA would obviously help prevent unauthorised access to an account, including where a password has been stolen in a data breach or simply guessed. It would reduce the "help, my account was hacked last night, refund my bets" requests to support. From a responsible gaming perspective, we feel that a two-step process that gives a player an extra 10 seconds (yes, we timed it) to log in or deposit can only be a good thing.


But does it increase player values? Our analysis suggests that making 2FA an optional account feature, educating players about it and letting them choose whether to enable it does increase player values. Why? By giving players a sense of security, control and the ability to customise their account, they become more embedded with the brand and stay with it longer.


Security through obscurity doesn't work, and waiting until your website gets hacked doesn't work. Getting in front of your competitors on player account security is not only the right thing to do but is also better for the bottom line, and our data shows that it works.
