Oh dude. What a question to ask! Of course, nerds can hack online slots, nerds can hack anything… hack the planet! On a serious note though, as online slots are big business for many providers, there are plenty of safeguards in place to protect both gambling houses and their players from hacking.
So today we’ll check out where potential vulnerabilities can lie in online slots and how protections are put in place to guard against hacking attempts.
Security and jurisdiction compliance
The jump-off point for slots providers is compliance with local regulations in the player’s jurisdiction. This includes a bunch of technical compliance hoops to jump through. For instance, the UK Gambling Commission’s Remote gambling and software technical standards June 2017 include a whole section on Security Requirements. That section covers policies, organization, HR, access control, cryptography, physical and environmental security, operations security, communications security, system acquisition, development and maintenance, supplier relationships, information security incident management, and compliance.
However, jurisdiction compliance in terms of technical requirements is generally concentrated on the consumer side of things. Governments want to ensure fair play and that consumer funds in a slots house’s online wallet don’t get stolen (or will be repaid if they are). It’s up to online slots houses to protect themselves adequately from hacking attempts.
Online slots companies make mistakes, too
Like many other companies before them (and after them, no doubt), sometimes online slots houses forget to adequately secure existing infrastructure.
Such was the case with Mountberg Limited, a multi-house provider. In this case, a security researcher uncovered an insecure ElasticSearch server which the company had neglected to password-protect. The contents? “Leaked information on over 108 million bets, including details about customers’ personal information, deposits, and withdrawals,” according to ZDNet.
As with most of these uncovered accidental data exposures, it’s unclear how long the information had been exposed for, although the company made no mention of the data being accessed by other more sinister parties.
This is why online gambling houses often employ penetration testers themselves – to see whether they can uncover any weaknesses in their cyberdefenses.
Of course, this isn’t hacking the game itself. For hackers, it’s simply grabbing details (hopefully financial ones), or otherwise identity details that can later be used to commit fraud, if we are talking about non-ethical hacking here.
The malicious insider
Guess where nerds work? In nerdy jobs, at all sorts of companies – and that includes online slots houses! As you can imagine, if someone wanted to put in a line of code or two into a game that slightly altered the outcome and then siphoned off the micro-amounts of funds skimmed off the top… Well, they could do just that.
That’s why online slots houses will do intensive code reviews to check over code before deployment. There is never a time when a second set of eyes hasn’t passed over a slot game before it is released.
Hiring practices will generally involve thorough background checks to reduce the risk of malicious insider threats. After all, even if a person isn’t actively trying to shift funds from within a company, they may have the ability to do data dumps from systems and then on-sell the data to the highest bidder – or just release it on the internet if they’re feeling salty.
Much like any other business, online slots providers are at risk of phishing attacks, whereby hackers gain access to systems when an employee clicks on an infected file or downloads content from a linked website and malware gets installed.
Even though email security has come a long way, phishing attacks have also increased in their sophistication. Now, malware can even hide in a Word file. If an unsuspecting employee opens a document that looks like it’s from a legitimate source, then they could unwittingly wreak havoc on systems.
Good old DDoS attacks
While many online slots providers have infrastructure that’s both elastic and able to tell DDoS traffic from real traffic, that’s not to say that all providers have this in place. Anyone who gets a botnet together could render certain slots providers incapacitated for a period of time.
While this technique isn’t always effective, when it is, it’s enough to cause real headaches and plenty of thought about infrastructure configuration in the future.
Not only this, but a DDoS attack can also be a mere distraction while something more sinister is going on. Italian provider Eurobet.it found themselves on the losing end of a ransomware attack on their systems that started out looking like a simple DDoS attack but ended with an $80k demand. Ouch.
Hacking games themselves?
Hacking the actual slots games themselves from outside is a far more difficult task than the other avenues that have been mentioned.
While Flash games were far easier to hack, browser-based games have switched over to HTML5 as the default, so hackers can’t quite as easily mess around with the games themselves – a reassuring move for players of online slots.
Attack surfaces abound
Like any online data-based business, and particularly one that deals with lots of transactions, online slots provide plenty of attack surfaces ready for nerds to hack – hopefully, to collect bug bounties, rather than use for illegal purposes. While hacking the games themselves might be more difficult, traditional hacking techniques are more likely to land their mark. Clever slots providers will have a strong cybersecurity policy and processes that are continuously refined to help protect against these attacks.