Cyber Crime - Potential threat to Online Sports betting industry
Introduction
The Internet, once just an idea, is now one of the fastest-growing areas of
technical infrastructure development globally. Growing at the rate of more
than 11 users per second, or 1 million new users each day, internet users now
constitute 57% of the world population. Today, information and communication
technologies (ICTs)
are omnipresent and the trend towards digitization is growing with the wave of
commercialization of the Internet. Originally, vendors provided basic
networking products, and service providers offered connectivity along with
basic internet services, but with the advancement of technology the Internet
has become almost a "commodity" service where goods and services can be sold
and purchased online. This has been tremendously accelerated by the widespread
and rapid adoption of browsers and World Wide Web technology, which gives users
easy access to information and data linked throughout the globe and makes
people more and more dependent on technology. However, such dependence leaves
people more vulnerable to cyber threats, and the biggest hope of overcoming
these issues seems to lie in sophisticated security techniques and, most of
all, in educating the general public as well as employees about the dangers
lurking within social engineering and the various types of fraud.
Many companies lose millions of dollars on lawsuits caused by cyberattacks.
Cybercrime has become a well thought-out, complex, and expensive form of
organized crime. This is why the growing industry of online sports betting is
also vulnerable to the threat of cybercrime. This paper tries to educate the
users and sports betting operators by recognising the potential threat posed by
cyber-attacks on the online gambling market across the globe and the need for a
multi-dimensional regulatory legislation to fight Cybercrime.
Growth of Online Gambling
The advancement of technology and easy access to the internet have made
individuals dependent on the internet for all their needs while sitting in one
place. Social networking, online shopping, storing data, gaming, online
studying, online jobs: every possible thing that a person can think of can be
done through the medium of the internet, which now includes gambling and sports
betting as well. The increase
in the number of internet users is clearly driving the online gambling &
betting market. In 2016, about 46% of the global population had access to the
internet as compared to 43.5% in 2015. The number is anticipated to rise due to
digitalization in the Asia Pacific region. Thus, the growth of the online
gambling & betting market is evident in the near future. Some reports projected
growth in online gambling revenues from USD 3.1 billion in 2001 to USD 24
billion in 2010. It’s important
to recognize that the overall size of the sports betting market is difficult to
estimate because regulations and record-keeping are inconsistent. There is no
definitive resource, from nation to nation, that researchers can solidly rely
on. Records are too disparate to paint an entirely accurate picture. That
said, it doesn’t mean that there aren’t reliable estimates. International
sports betting is estimated to have a market capitalization of $250 billion.
According to Statista, a highly reputable data firm, licensed online
sportsbooks account for upwards of $39.7 billion of this revenue. In 2009, the
sports betting market was valued at $20 billion. By 2016, it was valued at $40
billion. With a present market capitalization of (conservatively) between
$60-73 billion, the market has conservatively grown at a rate of $10 billion
per year. If this pace continues, worldwide, sports betting will occupy an
increasingly significant share of the world market.
Internet gambling, or online gambling, has grown because the internet allows
people to circumvent gambling restrictions. Online casinos are
widely available, most of them hosted in countries with liberal laws or no
regulations on internet gambling. Users can open accounts online, transfer
money and play games of chance from remote locations using local currencies with
the help of payment services such as Neteller, Skrill, etc. The majority of legal
sportsbooks found online are operated over the internet from jurisdictions
separate from the clients they serve, usually to get around various gambling
laws in select markets. They take bets “up-front”, meaning the bettor must pay
the sportsbook before placing the bet. Illegal bookies, due to the nature of
their business, can operate literally anywhere but only require money from
losing bettors, creating the possibility of debt to the bookie from the bettor.
Thus, with the development of the internet along with the growth of online
gambling, it is evident that a lot of money and/or information is involved and
is being transferred every day from one location to another, attracting cyber
criminals to take advantage of this profit-making industry.
Cybercrime – Potential threat to online Gambling.
Cyber criminals often use illegal methods, directed by means of electronic
operations, that target the security of computer systems and the data
processed by them; in a narrow sense, this is termed “Cybercrime”.
Cybercrime in a broader sense (computer-related crimes) covers any illegal
behaviour committed by means of, or in relation to, a computer system or
network, including such crimes as illegal possession and offering or
distributing information by means of a computer system or network. Consequently,
the growth of the information society, owing to the growth of the internet along
with the recent growth of online gambling, is accompanied by new and serious
threats. Attacks
against information infrastructure and internet services now have the potential
to harm society in new and critical ways. Online fraud and hacking attacks are
just some examples of computer-related crimes that are committed on a large
scale every day. The financial damage caused by cybercrime is reported to be
enormous. In 2003 alone, malicious software caused damages of up to USD 17
billion. Today, these numbers have increased so tremendously that
cybercriminals generate revenue of USD 1.5 trillion annually and are more
organised and professional. It appears that the damage, and thus security
demands on a global scale, are only going to continue to grow, as the annual
revenue generated by cybercriminals is expected to go up to USD 6 trillion by
2021. Given these statistics, rapid growth in the online gambling industry is
expected to aid cybercriminals as they get more opportunities to follow the
money, and in sports gaming, legalized or not, there’s plenty of it.
Illegal Access to Information
Sports betting operators store massive amounts of information and data
pertaining to the users placing bets on their websites, and every day new
users share more and more sensitive information such as credit/debit card
details, passwords, personal details and other confidential information. This
has made both users and operators vulnerable to cybercrime, as offenders can
hack into an operator’s servers or a user’s computer system to access this
information via the internet from almost any place in the world. Information
pertaining to the operators’ trade secrets, customer databases, client personal
details, credit card/debit card/account details, business projections and
intellectual property can be easily accessed by cybercriminals. Moreover,
hackers nowadays can also access information pertaining to players, games,
game analysis, strategies and other information that helps them manipulate a
bet in their favour while placing bets within the guidelines of a completely
legitimate and government-sanctioned gambling structure. The value of sensitive
information and the ability to access it remotely makes data espionage highly
interesting. Offenders use various techniques to access victims’ computers,
including software to scan for unprotected ports or circumvent protection
measures, as well as “social engineering”. Recently, there have been incidents
of this non-technical kind of intrusion, which relies heavily on human
interaction and often involves tricking other people into breaking normal
security procedures and disclosing sensitive information, with the intention of
gaining access to computer systems and/or online gambling account(s). Moreover,
social engineering is usually used to entice online gamblers into giving up
information and is very successful, because the weakest link in computer
security is often the users operating the gambling website. One example is
“phishing”, which has recently become a key crime committed in cyberspace and
describes attempts to fraudulently acquire sensitive information (such as
passwords) by masquerading as a trustworthy gambling website or business (e.g.
financial institution) in a seemingly official electronic communication. Further,
offenders usually target business secrets, data stored on private computers and
information pertaining to players and future games. They can use this
information for their own purposes (e.g. bank-account details to make money
transfers), sell it to a third party, place bets on gambling websites, commit
money laundering or use the data for match fixing. Offenders can even intercept
communications between users (such as e-mails) or other forms of data transfer
(when users upload data onto webservers or access web-based external storage
media) in order to record the information exchanged. In this context, offenders
can in general target any communication infrastructure (e.g. fixed lines or
wireless) and any Internet service (e.g. e-mail, chat or VoIP communications).
To gain access to sensitive information, some offenders set up access points
close to locations where there is a high demand for wireless access (e.g. near
bars and hotels). The station location is often named in such a way that users
searching for an Internet access point are more likely to choose the fraudulent
access point. If users rely on the access provider to ensure the security of
their communication without implementing their own security measures, offenders
can easily intercept communications. The use of fixed lines does not prevent
offenders from intercepting communications. Data transmissions passing along a
wire emit electromagnetic energy. If offenders use the right equipment, they
can detect and record these emissions and may be able to record data transfers
between users’ computers and the connected system, and also within the computer
system.
Use of Encryption Technology
Data and information stored by online gambling operators is mostly encrypted
to safeguard the interests of all the relevant stakeholders. Encryption is the
use of secret codes that can be translated into meaningful communications only
by authorized persons who have knowledge of the code. In other words, it is a
technique of turning plain text into an obscured format by using an
algorithm. Like anonymity, encryption is not new, but computer technology has
transformed the field. For a long time it was subject to secrecy. In an
interconnected environment, such secrecy is difficult to maintain, thus making
data and information stored by operators vulnerable to cyber-attacks. There are
different technical strategies to recover encrypted data, and several software
tools are available to automate these processes. Strategies range from analysing
weaknesses in the software tools used to encrypt files, searching for encryption
passphrases and trying typical passwords, to complex and lengthy brute-force
attacks. The term “brute-force attack” is used to describe the process of
identifying a code by testing every possible combination. Depending on
encryption technique and key size, this process could take decades. For
example, if an offender uses encryption software with 20-bit encryption, the
size of the keyspace is around one million. Using a current computer processing
one million operations per second, the encryption could be broken in less than
one second. However, if offenders use 40-bit encryption, it could take up to
two weeks to break the encryption. In 2002, for example, the Wall Street
Journal was able to successfully decrypt files found on an
Al Qaeda computer that were encrypted with 40-bit encryption. Using 56-bit
encryption, a single computer would take up to 2 years to break the encryption.
If offenders use 128-bit encryption, a billion computer systems operating
solely on the encryption could take thousands of billions of years to break it.
The latest version of the popular encryption software PGP permits 1024-bit
encryption.
That said, online sports betting operators add encryption to important files
such as trade secrets, details of odds, game history and analysis and other
sensitive information. If an offender gets into their network, the files will be
meaningless to him but could be sold on the black market or to competitors,
as sports betting is a very competitive market. Operators can encrypt important
data such as credit card/debit card/bank account numbers to protect their
customers. However, with simple and basic software, cyber criminals can
decrypt these files and gain access to them. Thus, the availability and use of
encryption technologies by criminals is a challenge for law-enforcement agencies.
Potential Financial Loss
More and more casinos and sports betting operators are incorporating internet
services into their casinos and betting models, with the benefits of 24-hour
availability and worldwide accessibility. If offenders gain access and succeed
in preventing computer systems used by the stakeholders from operating
smoothly, this can result in great financial losses for all the stakeholders
involved. If offenders are able to access the computer system, they can destroy
hardware. However, for highly profitable sports betting businesses, the
financial damages caused by attacks on the computer system are often far
greater than the mere cost of computer hardware. Web-based scams pose a much
greater and more challenging threat to these businesses. Examples of these
remote attacks against computer systems include
computer worms and denial-of-service (DoS) attacks. Computer worms are a
subgroup of malware (like computer viruses). They are self-replicating computer
programs that harm the network by initiating multiple data-transfer processes.
They can influence computer systems by hindering the smooth running of the computer
system, using system resources to replicate themselves over the Internet or
generating network traffic that can close down availability of certain services
(such as websites). While computer worms generally influence the whole network
without targeting specific computer systems, DoS attacks target specific
computer systems. A DoS attack makes computer resources unavailable to their
intended users. By targeting a computer system with more requests than the
computer system can handle, offenders can prevent users from accessing the
computer system, checking e-mails, reading the news, booking a flight or
downloading files. In 2000, within a short time, several DoS attacks were
launched against well-known companies such as CNN, eBay and Amazon. Similar attacks
were reported in 2009 on government and commercial websites in the US and South
Korea. As a result, some of the services were not available for several hours
and even days. Thus, with over 400,000 DDoS attacks reported every month and
6.5 million DDoS attacks per year, there is a serious threat that online
gambling websites might encounter such attacks, causing huge financial loss to
all the stakeholders.
Impact of Virtual payment and currencies
Further, the rise of cryptocurrencies in the past few years is projected to
fuel the growth of the online gambling & betting market. Cryptocurrencies have
started to gain popularity due to their benefits over traditional funding
methods and the demand for anonymous payments, which led to the development of
virtual payment systems and virtual currencies enabling anonymous payments.
Gambling with cryptocurrencies does not require legalization as real money is
not used.
Bitcoin was the first cryptocurrency used for payments by various online
gambling platforms. At the beginning of 2017, the total value of
cryptocurrencies was about USD 17.7 billion and is projected to rise over the
next 5 years. The growth of cryptocurrencies and virtual payment services along
with the growth of online gambling has attracted cyber criminals, who launder
illegally generated money by piping it through various cryptocurrencies and
digital payment services. Thus, online casinos and betting websites can also be
used in money laundering and in activities financing terrorism. If offenders,
within the layering phase, use online casinos that do not keep records or are
located in countries without money-laundering legislation, it is difficult for
law-enforcement agencies to determine the origin of funds. It is also difficult
for countries with gambling restrictions to control the use or activities of
online casinos and betting websites.
Aid to Terrorism
Further, terrorist organizations can make use of such illegal techniques to
access gambling websites to transfer money or collect funds. They can use
websites to publish information on how to transfer money or deposit funds, e.g.
which bank account should be used for transactions. Another approach is the
implementation of online credit-card donations. Both approaches carry the risk
that the published information will be discovered and used to trace back
financial transactions. It is therefore likely that anonymous electronic
payment systems will become more popular. To avoid discovery, terrorist
organizations are trying to hide their activities by involving non-suspicious
players such as online gambling websites. Another (Internet-related) approach
is the operation of fake websites. It is relatively simple to set up an online
sports betting website on the Internet. One of the biggest advantages of the
network is the fact that businesses can be operated worldwide. Proving that
financial transactions that took place on those sites are not regular bets but terror
funds is not at all easy. One strategy used by offenders is to ensure that each
victim’s financial loss is below a certain limit. With a “small” loss, victims
are less likely to invest time and energy in reporting and investigating such
crimes as it would be necessary to investigate every transaction – which can be
difficult if the online sports betting website is operated in a different
jurisdiction or anonymous payment systems are used.
Challenges Involved
It is pertinent to note that the current legal regulation of Internet-based
financial services is not as stringent as traditional financial regulation.
Apart from gaps in legislation, difficulties in regulation arise from
challenges in customer/user verification, since accurate verification may be
compromised if the sports betting operator and customer never meet. In
addition, the lack of personal contact makes it difficult to apply traditional
know-your-customer procedures. Furthermore, Internet transfers often involve
the cross-border participation of providers in various countries. Finally,
monitoring transactions is particularly difficult if sports betting operators
allow customers to transfer value in a peer-to-peer model. E-mails
with illegal content often pass through a number of countries during the
transfer from sender to recipient, or illegal content is stored outside the
country. Within cybercrime investigations, close cooperation between the
countries involved is very important. The existing mutual legal assistance
agreements are based on formal, complex and often time-consuming procedures,
and in addition often do not cover computer-specific investigations. The
computer technology currently in use is basically the same around the world.
Due to standardization, the network protocols used in countries on the African
continent are the same as those used in the United States. Standardization
enables users around the world to access the same services over the Internet.
One of the reasons why incidents of cyber-attacks remain challenging is
the constant technical development, as well as the changing methods and ways in
which the offences are committed. Thus, the legal, technical and institutional
challenges posed by the issue of cybersecurity of gambling websites are global
and far reaching, and can only be addressed through a coherent strategy taking
into account the role of different stakeholders and existing initiatives,
within a framework of international cooperation.
However, it is difficult to base cooperation in cybercrime on the principles of
traditional mutual legal assistance. The formal requirements and time needed to
collaborate with foreign law-enforcement agencies often hinder investigations.
Data vital for tracing offences are often deleted after only a short time. This
short investigation period is problematic, because the traditional mutual legal
assistance regime often takes time to organize. The principle of dual criminality
also poses difficulties if the offence is not criminalized in one of the
countries involved in the investigation. Offenders may deliberately
include third countries in their attacks in order to make investigation more
difficult. The harmonization of cybercrime-related laws and international
cooperation would help. Two
approaches to improve the speed of international cooperation in cybercrime
investigations are the G8 24/7 Network and the provisions related to
international cooperation in the Council of Europe Convention on Cybercrime.
Conclusion
It is evident that the investigation and prosecution of cybercrime presents a
number of challenges for law-enforcement agencies. It is vital not only to
educate the people involved in the fight against cybercrime, but also to draft
adequate and effective legislation, considering the rapid growth in internet
technology along with the increasing inclination towards legalising online
gambling across the globe, and to monitor the effectiveness of existing
provisions. The implementation of existing strategies could enable developing
countries to benefit from existing insights and experience.
Thus, to successfully draft legislation and/or policy, a legislative body shall
consider the regional as well as international differences with regard to
cybersecurity and identify the relevant issues related to cybercrime by
addressing the multi-dimensional challenges, and adopt a comprehensive approach
that should include overall policies, legislation, education and awareness
raising, capacity building, research as well as technical approaches.
Furthermore, such an approach needs to involve various stakeholders such as
government, ministries and government agencies, the private sector, schools and
universities, customary leaders, the community, international and regional
bodies, law enforcement, judges, customs, prosecutors, lawyers, civil society
and NGOs.
Strategies, and especially legislation, developed to address the challenges of
cybercrime should on the one hand be in line with international standards
and on the other hand reflect the uniqueness of the region. There should
be a provision criminalizing intentional and illegal access to sensitive
information from users and sports betting operators, and related acts.
Especially in this respect, international standards should be taken into
consideration. The legislation should in addition cover the criminalization of
fraudulent financial transactions and the development of fake and misleading
gambling websites. An exemption that enables law enforcement agencies to carry
out investigations should be included and shall allow international law
enforcement agencies to work together harmoniously.
Further, sports betting operators shall also play a key role in the fight
against cybercrime and related attacks on their websites and user data. They
shall adopt well-protected computer systems/servers and encrypted files that
are difficult to attack. Improving technical protection by implementing proper
security
standards is an important first step. For example, changes in the online
banking system (e.g. the switch from TAN to ITAN) have eliminated much of the
danger posed by current “phishing” attacks, demonstrating the vital importance
of technical solutions. Technical protection measures should include all
elements of the technical infrastructure – the core network infrastructure, as
well as the many individually connected computers worldwide. Two potential
target groups can be identified for protecting website users and betting
operators: end users and betting websites (direct approach) and service
providers and software companies. User protection can be achieved indirectly,
by securing the services consumers use, such as online banking and virtual
currency. This indirect approach to protecting bettors and operators can reduce
the number of people and institutions that need to be included in steps to
promote technical protection. On the other hand, as sports betting operators
can directly contact users, they can operate as a guarantor of security
activities (e.g. the distribution of protection tools and information on the
current status of the most recent scams) and educate their users about the
latest cybercrime threats.
Thus, as we spend more time and money online and on sports betting websites,
opportunities for criminals to attack users in their cyber scams will only
continue to grow. In addition to pursuing profits, sports betting operators
and relevant stakeholders need to be educators and, to a certain extent,
enforcers of appropriate behaviour among the users playing on their
gambling websites. It is hoped that the issues related to online gambling
websites identified here will be noticed by the stakeholders and society so
that these problems may be solved through education, laws and appropriate
technologies. It is clear that implementing measures to mitigate cybercrime is
necessary.