Photo Credit: WaveBreakMedia | Shutterstock
Andy Still, CTO at Netacea reveals why sports betting is the prime target for cyber-criminals and how they take advantage of the system to exploit bookmakers.
It’s been a long wait for many, but sporting events are finally back. However, experts in the industry expect punters to be cautious and have a look at a few games first to work out what bearing the break and current circumstances will have on games and results.
But whatever the odds, there is one person that wins big, every time: the cyber-criminal. Through techniques such as arbitrage betting, sometimes used in combination with bonus abuse, cyber-criminals are exploiting the business logic of bookmakers using bots. The notion is simple—exploit any odd to their advantage so they win every time, regardless of the game’s outcome. While manually checking all the different odds, across multiple betting sites, using different accounts is time consuming and complicated, bots make the process not only possible, but simple.
Arbitrage betting, therefore, poses a huge threat to the betting industry. While it doesn’t take long for a gambling organisation to earn a lot of money, all that profit can be lost just as quickly as placing a bet if arb-bots attack.
An own goal for cyber-criminals
Arbitrage betting is when opportunists exploit bookmakers’ different predictions and odds on the outcome of an event. This enables them to place one bet on each outcome, therefore profiting from any outcome. It guarantees the bettors don’t lose money and gives them the possibility of winning big.
Let’s look at the example of a World Cup football match with no possibility of a draw between England and Sweden.
Bookmaker A has Sweden at 8/15 and England at 12/7, while bookmaker B has Sweden at 2/5 and England at 9/4. Say then the opportunist bets £100 on Sweden with bookmaker A and £47.18 on England with bookmaker B. If Sweden wins, they receive a return of £153.30*. While if England wins, they’d see a return of £153.30**. From that bet of £147.18, there’s a guaranteed profit of £6.12***.
Now, if cyber-criminals undertake arbitrage betting multiple times, with larger sums of money, it’s easy to see how serious risk-free profit accumulates. Add bots betting on arbitrage opportunities automatically into the mix, and the problem intensifies.
Bots are used to manage multiple different accounts at once, on behalf of a bad actor. Not only do they scrape bookmakers’ sites, collecting information on odds in real time, but many are also capable of interacting with the front-end of these sites. This means bad actors can programme bots to place arbitrage bets on their behalf. For example, the ‘each-way sniper bot’, automatically places bets on opportunities with only two outcomes. Using arbitrage, it guarantees the actor to win each time, and works 24 hours a day, in effect printing money while the bad actor sleeps.
Levelling the playing field
Many think the answer is to just block all bots. Problem solved. But the bot landscape is more complex than ever. There are bad bots mimicking human behaviour and good bots, such as search engine scrapers, which are key to ensuring online visibility. Not only do companies risk blocking customers through the ‘block all bot’ approach, but seriously hindering marketing and SEO strategies.
Instead, bookmakers must analyse their website traffic and identify patterns of behaviour. There are some obvious red flags. For example, speed—bots will place bets quicker, and in higher frequencies, than a single user ever could. Yet, betting companies must also watch out for unknown IP addresses or traffic from unexpected countries as these too can be characteristic of bad bot behaviour.
But there’s another tell-tale sign. Bots and bad actors exploiting arbitrage betting are likely to place very specific amounts of money, such as in the England vs Sweden example above. This is where the odds are most likely to be out of sync between the different bookmakers.
Yet, to truly protect their betting platforms, bookmakers must go one step further.
By looking at all their website traffic it is possible to build up a profile of what a ‘usual’ user journey looks like. From here, it’s then possible to identify ‘unusual’ user journeys and patterns of behaviour. Once bookmakers can understand and cluster groups of behaviour, it then becomes possible to investigate and take action against the nefarious bots and bad actors, while preserving the user experience for genuine customers.
The sports betting industry must get ahead of the bot problem to ensure profits are maintained and bad actors using bots are stopped. While the ‘block all bot approach’ doesn’t work in today’s complex environment, the industry must deal with this sophisticated threat with a sophisticated response, focused on the behaviour of their website traffic. Then, and only then, will the sports betting playing field truly become level.
*(100 *(1+ 8/15))
**(47.18 *(1+ 9/4))
***(£153.3 – £147.18)