The cyber security behind online casinos

Cyber security is important for every sector, but particularly for some. For health services which rely on strong communications with patients and professionals, it can literally be a matter of life and death. For financial institutions,which rely on the ability to send and receive large sums of money, it can be critical to keeping firms in business.

But another, often less often considered sector for which it’s absolutely essential is the online casino industry. The reasons for this are threefold. Firstly, online casinos, by their very nature, hold a great deal of potentially sensitive information about their customers – including names, addresses, bank details and even their betting history. They’re obliged to do this by law – so they know everyone gambling with them is of the right age, and not using them to launder money.

Secondly, there is a constant flow of money in both directions as well as considerable sums held in the forms of deposits by players. Thirdly, if an online casino gains a reputation for not being 100% secure, it also brings into question a whole lot of other issues around whether it can be considered trustworthy at all.

The cost of cyberattacks

It’s this potential for reputational damage that can force even the most well-established businesses to the brink of collapse – and even beyond. Luckily, there haven’t been many high-profile instances of this in the casino industry to date. One of the most significant attacks was when IT professional Ashley Mitchell stole 400 billion chips (worth £7.5 million) from an American poker site in 2011. He was caught and sentence to two years in prison.

Communications company TalkTalk discovered the damage a cyberattack could do when it was the target back in October 2016. In their case, they shed around 100,000 customers in short order as well as sustaining costs estimated as being around £60 million.

Even the biggest and most successful online casino operators could be fatally wounded if this happened to them.So any online casino with plans to thrive has to have a range of robust measures in place. The leading operators invest a huge amount of money each year into keeping themselves and their customers safe from hackers who would dearly love to sink their businesses and extort some money in the process. That’s why you’ll see robust security measures, as well as a huge range of games, in place at a highly secure online casino such as 888, which also has responsible gaming measures and tools.

Here are the main threats casinos need to be aware of – and how they’re dealing with them.

The DDoS threat

The greatest fear of any casino is that it’s going to be a target of a Distributed Denial of Service (DDoS) attack that will effectively act to paralyse their business. As most casinos rely on being available 24/7 to their customers, any attack that compromises this ability is treated very seriously.

With more and more of these kinds of attacks happening all the time – 2018 saw a rise of 37% over the number reported in 2017 – DDoS issues are pretty high risk. And it’s not just the number of the attacks that’s on the rise, the size of them is increasing too.

DDoS attacks involve hackers gaining control over unsecured devices on a network, before flooding a website with an unmanageable level of requests by bots. The volume of requests can effectively paralyse a server, which often burns out and results in a website collapsed. However, sometimes the server can fight back and cause the corrupted devices to burn or explode.

Why might someone launch a DDoS attack at an online casino? Hackers can use the opportunity to steal everyone from chips to customers’ information.

A DDoS attack can shut down an online casino for a prolonged period of time, damaging its reputation as well as its ability to trade, which could amount to millions in just a short time.

Back in 2016, a 602 gigabytes per second attack knocked out the BBC website and was considered to be a major attack. But fast forward to 2018 and within the space of five days two attacks of 1.3 and 1.7 terabytes a second respectively were recorded in the USA. In both cases over 17,000 Memcached systems were highjacked for amplification purposes, hence the huge size of the attacks.

It goes without saying that online casino sites face exactly the same problem as every other site in fending off a DDoS attack – namely, how to differentiate between their normal traffic and that which is being sent to them with malicious intent.

As this is difficult to do at the best of times, casinos need to concentrate more on having strategies designed to mitigate the effects of an attack, especially when these are attacking several vectors simultaneously.

To offer protection, there are various different strategies.

Black Hole Routing

Although something of a blunt instrument, sometimes this is the only option available. It involves routing all traffic into a so-called ‘black hole’ as a means of protecting the site as a whole. Inevitably, it means some of the legitimate traffic is directed away from the site risking customer dissatisfaction.

Rate limiting

Although probably not enough on its own to protect casinos from a complex attack, rate limiting undoubtedly has the potential to slow down traffic enough to at least let the site continue working until the issue has been resolved.

Web application firewall

It’s reasonably safe to assume that all online casinos have an effective web application firewall in place. These can be particularly effective when the attack is on the Application Layer of a site and can help to filter out communications that are sent with malicious intent. An especially useful feature of this method is that it can quickly customise itself to be able to identify and separate out legitimate traffic from that associated with an attack.

Anycast network diffusion

Undoubtedly one of the most effective methods of dealing with a DDoS attack, this works in the same was as diverting a flooding river into a series of smaller streams. In this instance, it achieves this through using a network of distributed servers that can successfully absorb the traffic without disruption being caused.

Other cybersecurity issues which could affect casinos

Cyber hacking

While these are all measures that are capable of dealing with a serious attempt to bring a casino to its knees, the operators also have to be acutely aware of the dangers of hacking. As we’ve already mentioned, online casinos hold a wealth of information about their customers that could be very profitable indeed if it fell into the wrong hands.

So it’s fairly safe to assume that the highest levels of encryption technology are used and this may well also be requirement for the casino to hold its operator’s licence. Any reputable casino should also have the information readily available about its levels of security and any that don’t should probably be given a wide berth.

Phishing scams

This is a way hackers trick users into giving up their personal information or flooding their devices with malware. Understandably, it’s one of the top business concerns. The two types of phishing are:

  • Spear phishing – cyber attackers identify particular individuals (usually a Financial Director) to infect the computers of specific people at an organisation.
  • Whale phishing – hackers go after big targets such as board members of a company, and hold their accounts to ransom.

Companies are usually pretty well trained on how to spot a phishing scam by looking out for:

  • Impersonal emails
  • Poor English
  • Requests for personal information
  • URLs that don’t match the link provided
  • Suspect files attached


Of course, as with every sector, keeping one step ahead of the cyber criminals is a full-time occupation for online casinos with new and more sophisticated threats arising the whole time. But we can be sure that no-one is more aware of this fact than the casinos themselves who will be taking every step possible to mitigate the risks or, better still, eliminate them entirely.