November 19, 2018
November 13, 2018
Posted September 7, 2018
In this episode Frank is joined by Satish KARRY, Fraud Consultant at ThreatMetrix. They discuss the need for digital identity in the sports betting industry.
Frank: Hey everybody. Welcome to another edition of Digital Identity 360. I’m honored to have Satish Karry with me today. Satish is a well known expert in the fraud business. Does his own webcast. We’re privileged at ThreatMetrix to have him be one of our Solutions Consultants. Today’s topic, Satish, very interesting and salient, is all about the opening up of the US market to gaming.
Frank: What happened recently that allowed this to happen?
Satish: Very good point. Recently supreme court overturned a law which has been there for a long time in our online sports betting. Just like sports betting and way back when the horses were there and people would bet in it. It was pretty fun and people made a lot of money and then slowly there were nefarious ways to make more money than way back in 1992 they said like okay, let’s stop all this you know, sports gambling. They put a stop to it. Now the Supreme Court has overturned that decision which means, being as a state, and it has passed on to the states saying that you can decide what you want to do. You can enforce it the way you want it. So that opens up a lot of … a new market, completely new market and also opens up to a lot of risk and if you were to remember the recent Superbowl which we talked about in February, the Eagles, so there was close to five billion dollars which was bet but it was all like under the wraps. There was nothing official about it and I think federal and state are looking at it to make some part of it legalized because it’s already out there. So I think legalizing that seemed to be a very good way of making some taxes around it.
Frank: Yeah, and interesting Satish, I mean you’re right. Most of this, you know, multi billion dollar industry was happening anyway, either off shore or, you know, kind of through other channels, so what’s interesting is if you think about the demands on online gaming, it’s very reactive, it’s driven impulsively, so your need to authenticate people is very important because it’s a constant high volume business. What are some of the risks you see as companies dive into this market? You know, as it relates to authenticating people, understanding their identities, and allowing them to place those bets.
Satish: Sure this opens up a completely new opportunity for an individual to bet on something and impulsive betting is something that’s pretty big and not only that, you’re looking at anti-money laundering, there is larceny, there are quite a few that come into play and here’s betting, right. It’s about age also. You cannot have an underage person bet. Just because I have a phone doesn’t mean that I can go and bet on it. So there are quite a few legislations that we need to be concerned about and a lot of rules around anti-money laundering. So all this, what this does is brings into light of that individual into focus and how do we manage it and how do we report it? What is the risk associated with it? All these we’re doing in a relatively easier way today. Maybe in eCommerce transactions you just want to make sure that credit card won’t bounce. Or is that a transaction I want to take. This one moves to the next level. You have to know who that individual is behind that device. And that’s not an easy task. There’s a lot of, you know, you look at the dark web today, there’s a lot of user names and password are already compromised with all the breaches around, so you think you are unique in terms of your username and password, but maybe not. There is enough information about you to say that I can create a synthetic identity based on the some of the email compromises and all this. So this item becomes much more crucial in this world today and with the regulation also playing a part I think it’s very important on how we look at it and also you’re looking at a few more industries opening up where age is an important factor and needs to be accounted for.
Frank: Yeah, it’s so interesting and you make a very super interesting point so we have a large community of customers globally that are in the gaming industry and those organizations that rely simply on known credentials of devices can really run afoul of age limits because how do I know that Frank is really of age when he places a bet? Simply by relying on a device or a credential and the other thing, and it’s very interesting, this connection between betting and sports betting and so forth and money laundering and criminal elements that are using these online platforms to launder money is super important. So now you’ve got a compliance element an OFAC element, Office of Foreign Asset Control, and is this really an individual who should be doing this or not? So as you think about our group here of companies at ThreatMetrix that are involved and certainly one of our largest markets where we’re a dominant player in global gaming, what is the biggest fraud risk or fraud attack vector that you have seen?
Satish: Sure, so when you’re looking at betting, right, initially when a user comes in, take the whole user journey. I wish it was just one spot and a silver bullet saying, “Hey this is where I find fraud and this is where I will focus.” But, it’s a lot more than that. I think organizations today look at hey payment is where I’m looking at chargebacks and this is where the fraud is, I’ll fight it right here. But the point is, you have to take into consideration the whole journey. From the time when somebody creates an account to the time they log in and let’s say they are doing an address change or a billing address change or adding a credit card. And it could be payment. So you have to take into consideration not just one point, there are multiple entry points and where there could be fraud associated with each of those events.
Frank: Yeah, multiple attack vectors.
Satish: Multiple attack vectors.
Frank: I set up the account with the synthetic identity. I use a stolen credit card to fund the account. Right, I off shore the money to an address or a location where it shouldn’t be going. So I’ve got all of that fraud compliance and all that going on.
Satish: Oh yeah, and also adding the technology behind it. So just having … I could be running a small BM on a machine and trying to look at technology, trying to spoof, saying that where I’m coming in from you’re trying to go through a proxy server or a VPN. You’re taking all that into account. So today, to go and say that, this is the individual, this is the network, this is where they are. It’s a lot more complicated and there various ways to do it. Also, looking at all those patterns, right, so the point is you just don’t want to fight fraud at that single event. You want to look at the history of those events. Like where did the device come from? Is it coming from the same place or is it a different person?
Frank: And it’s interesting Satish, it’s not just the device, it’s the behavior. I mean one of the outstanding elements of digital identity provides is that if you look at our international, you know, global gaming companies I can identify through the ThreatMetrix Digital Identity Network where the same identity and device combination are being used to place multiple bets at the same time across multiple platforms. Either an attempt to manipulate the betting outcomes or in an attempt to get as much money as quickly as possible, launder it and get away. So I think if you think of the theme of our company this year and certainly at our upcoming Digital Identity Summit, it’s that we’re now at a point where the network is broad enough and it is vibrant enough, it gets refreshed enough every day that we can be predictive of behavior simply by looking at what somebody’s doing in real time. So maybe speak a little bit about the importance of the power to predict not only as it relates to this industry, but also digital identities in general.
Satish: Sure, as of now, because of the limitations of the way we do things, a static identity, you make sure, before they get into the gate, you make sure that person is vetted enough and then after you assumed that would work I think that has changed and now we have to look at it more like a risk-based authentication solution where you’re looking at saying that, “Hey is there risk associated with this as of yesterday? Is today different?” What has changed today to say that my risk is either higher or lower? And what all this does is it adds more friction to the user and you don’t want to do that because then I’m looking at sports betting. If I want to just sign up right now and I want to bet right now, friction is the number one take-away, right? So you will always see that. If my sign-up page is longer than four or five fields I’m like trying to move away from it. So you don’t want to add friction already. So risk-based authentication is your best solution and look what that means is passively looking at the information which is available in terms of the device, in terms of the network, in terms of the user’s credentials. Take all those into account and decide if you really want to add friction to that event or do you think nothing has changed. If I’m sitting from my home and working on a payment. I just did a payment, everything looks the same. I don’t want to be authenticated one more time just before I make that transaction.
Frank: Yeah it seems friction is endemic as a problem irrespective of industry. It could be gaming, it could be banking it could be eCommerce. The user experience in the mobile first digital first world is, I want to place my bet, I want to place it now and if I can’t I’ll place it somewhere else. So abandonment is as high in this industry as it is in other industries. So Satish one last question and a little bit of a curve ball for you, given the power to predict and given your expertise as a person in this gaming industry, who’s going to win the Superbowl?
Satish: I want the 49ers to but I also know the answer to it, hopefully the Sea Hawks. Hopefully we’ll get to see them too.
Frank: So folks, super delighted to have Satish here with us. As he indicated, a vibrant industry, it is a multi billion dollar industry in the US alone. Many of our customers are getting into it and we’ve seen this trend across the world in our global gaming companies and the power to predict is so important as we authenticate users to this industry as well as any other industry. So Satish, real pleasure, thank you very much, an honor to have you today.
Satish: Thanks a lot.
Frank: Thank you.