The internet has created a profitable marketplace for bricks and mortar retailers and spurred many new ventures that would not exist in the physical world.
One such company is online gaming firm Betfair, which handled one billion bets in 2005 and claims to process twice as many credit and debit card transactions as any other European web site.
But with the growth of ecommerce has come an influx of criminals looking to get rich through exploiting the internet.
‘Criminals will be interested in any place on the internet where there’s a lot of money,’ says Rorie Devine, IS director at Betfair.
‘That’s why one of my core challenges is security. It is not something we just pay lip-service to; we put a lot of time and money into it.’
To tackle this challenge the internet betting exchange has recruited a team of security specialists to monitor and respond to hacking attempts and distributed denial of service (DDoS) attacks.
‘The size of the attacks is increasing and the challenge they pose is getting bigger,’ says Devine.
Among Betfair’s tactics are vulnerability management monitoring systems, which produce threat reports and carry out regular penetration tests to ensure the company’s defences are secure.
One of the biggest threats the firm has faced over the past two years is the growth of DDoS attacks, where criminals take control of an army of infected computers and, unbeknown to the PC owners, use them in an attempt to take down web sites for blackmail purposes.
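The botnet-driven floods described above leave a characteristic footprint in a site's own access logs: a request rate far above the normal baseline, spread across an unusually large number of source addresses. The following script is an added example, not Betfair's monitoring system or anything from the article; it parses constructed combined-log-format lines and flags one-second windows that exceed both a request-count threshold and a distinct-source threshold, so that a single misbehaving client is not mistaken for a distributed attack. The thresholds, window size and sample traffic are assumptions chosen for illustration.

```python
"""Flag distributed request floods in web-server access logs.

Added example (not Betfair's tooling): the thresholds and log lines below
are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-format line, e.g.
# 203.0.113.7 - - [10/Mar/2006:14:30:01 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, unix_seconds) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return m.group("ip"), int(ts.timestamp())


def detect_floods(lines, window=1, min_requests=20, min_sources=10):
    """Return [(window_start, requests, distinct_sources), ...] for every
    window whose request count AND distinct-source count both reach the
    (assumed) thresholds.  Requiring many sources separates a distributed
    flood from one noisy client, which a rate limit alone would handle."""
    buckets = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped, not counted as traffic
        ip, ts = parsed
        buckets[ts - ts % window].append(ip)
    alerts = []
    for start in sorted(buckets):
        ips = buckets[start]
        distinct = len(set(ips))
        if len(ips) >= min_requests and distinct >= min_sources:
            alerts.append((start, len(ips), distinct))
    return alerts


def build_sample_log():
    """Constructed traffic: 5 s of normal browsing from two clients, then a
    3 s burst from 40 distinct addresses in 10.0.0.0/8 (a stand-in for the
    infected machines the article describes)."""
    base = datetime.strptime("10/Mar/2006:14:30:00 +0000", TS_FORMAT)
    lines = []

    def emit(ip, t):
        stamp = (base + timedelta(seconds=t)).strftime(TS_FORMAT)
        lines.append(f'{ip} - - [{stamp}] "GET /sports HTTP/1.1" 200 1024')

    for t in range(5):
        emit("203.0.113.7", t)
        emit("198.51.100.9", t)
    for t in range(5, 8):
        for bot in range(40):
            emit(f"10.0.0.{bot + 1}", t)
    return lines


if __name__ == "__main__":
    for start, requests, sources in detect_floods(build_sample_log()):
        print(f"flood at {start}: {requests} requests from {sources} sources")
```

Log-based detection of this kind only sees requests that reached the web tier; a volumetric attack that saturates the upstream link is visible first in network telemetry at the provider or edge, which is one reason the article's call for ISP involvement matters.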
In March 2004, the UK’s online betting industry witnessed its first cases of large DDoS attacks when Russian criminals attempted to profit from the Cheltenham horse races.
Located in St Petersburg and in south-west Russia, the gang targeted prominent betting companies, including William Hill, Paddy Power, Blue Square and Canbet (Computing, 5 August 2004).
Betfair saw even more activity last year during the final of the American football Super Bowl.
‘Criminal gangs are like any other business in terms of adapting their approach so that they can be as effective as possible and make as much money as possible,’ says Devine. ‘This means that they are increasing the size and the sophistication of the attacks.
‘These people are not stupid and they will realise that as an industry there are certain times that are more important than others.’
Since the initial online attacks, bookies have invested heavily in technologies to try to combat them and have joined forces to form a forum where they can share their experiences – see box below.
‘DDoS attacks are part of the landscape now; they have become something we all have to live with. But you need to keep abreast of the constant changes and new approaches they take,’ says Devine.
Security is also a key part of Betfair’s strategy for complying with regulations set out by the Department of Culture, Media and Sport for gambling businesses, as well as helping the organisation to comply with regulations set by the financial services industry.
From 30 June last year, Betfair and other firms that take credit and debit card payments have had to adhere to a set of stringent security guidelines called the Payment Card Industry Data Security Standard, which aims to limit the risk of financial information being stolen.
Devine welcomes the initiative and says it could help to reduce identity
‘They are setting quite a high bar and we are working very closely with the authorities on it,’ he says.
But he adds that regardless of regulations, companies with smaller IT security budgets can still do a great deal to improve their defences by looking around at what is going on in other organisations.
‘You need to look at the knowledge that is out there. I suggest making contact with other companies that have been attacked and trying to learn from their experiences. This will not cost you anything if you speak to the right people,’ he says.
Internet service providers could also do more to reduce the impact of DDoS attacks and phishing emails by educating internet users and improving their own security, says Devine.
‘But the commercial reality is that being an internet service provider in the UK is a low-margin business and sets priorities accordingly,’ he says.
IT security is not a one-off thing, says Devine. ‘The attack sophistication is moving forward and every day you need to keep improving your defences.’
Online gambling firms pool financial data
IT security in the online gambling industry is benefiting from businesses sharing their experiences and knowledge.
Betfair, Blue Square, Eurobet and the National Hi-Tech Crime Unit formed the Internet DDoS Forum in 2004 to share information on criminals’ tactics and to decide on steps to take to prevent attacks.
‘One of the best things to come out of the first wave of DDoS attacks in 2004 was that the online gaming community came together to share experience,’ says Betfair IS director Rorie Devine. ‘It got us all up the learning curve very quickly.’
By pooling information about attacks and discussing tactics, the industry has come up with a consistent way to respond to criminals’ blackmail demands, he says.
‘We all take a very mature view. We all want to cure the problem by stopping these attacks from being successful. Rather than take a short-term view that it is our competitor that has a problem, we’re looking at the bigger picture,’ says Devine.
‘It is going to work both ways. One time you might be the recipient of the attack and other times you might benefit from another company’s experience.’