SVG Tech Insight: Securing New Sports Betting Value Chains

 

This fall, SVG will be presenting a series of White Papers covering the latest advancements and trends in sports-production technology. The full series of SVG’s Tech Insight White Papers can be found in the SVG Fall SportsTech Journal.

No less an authority than the Encyclopedia Britannica states that gambling is “one of mankind’s oldest activities.” Evidence of ancient gambling can be found in caves and on tomb walls. Of course, the EB researchers also cast an eye to the present day by noting that the “Internet has made forms of gambling accessible on an unheard-of scale.”

Digital sports betting changes the business landscape for all interested players in the value chain: casino operators, sports leagues and teams, broadcasters, financial services and FinTech companies, and infrastructure providers.

New value chains are forming and there will be new interfaces between companies and entire industries. This will also create new opportunities for fraud, ransomware, and other forms of criminal hacking. Any weak link in these new value chains impacts every other player.

The goals of this white paper are to outline where the risks are and to suggest a security approach that makes these value chains more resilient.

Not long ago, gambling was limited to destination cities like Las Vegas or Atlantic City. Today, gambling comes to the consumer through digital technology.

The fan experience has undergone constant innovation through digital technology. Sports betting is the next step.

Betting, Brands, and APIs

Today, many states — not all — have legalized online sports gambling. Different states have different rules, making administering these sites a challenge. For instance, many states require any consumer data to remain within the state’s borders.

The opportunities are now huge, though cross-industry links are vital to make it work.

Sports gambling will alter the business models of the established sports, media, and gambling industries. No one organization can do this alone. Each will need the data, capabilities, and brand power of others to put together an entire value chain that delivers sports content, processes bets, and handles the flow of money through the entire process.

For instance, the National Football League announced its first sportsbook partners in April 2021, naming Caesars Entertainment, DraftKings, and FanDuel. That’s just a high-profile example of the brand partnerships happening to make sports betting available. Major broadcasters and streamers also play a role since they carry the games and can cash in on their place in the value chain.

Yet, there will also be other layers of complexity to complete the overall experience for consumers, populated by companies that sports fans might never hear about. There will be technology intermediaries tying all the pieces of the value chain together. Banks and other financial services companies will handle the flow of dollars. Mobile apps will be involved as everyone will want their brands in front of as many eyeballs as possible to capture the sports wager wherever the fan happens to be looking.

Application programming interfaces (APIs) will link this complex web together as wagers pass through the value chain from one player to another. APIs can enhance the user experience, making it possible to tap into historical data, refer to a variety of odds-makers, and gather other information for informed betting.

To be frictionless for the consumer, these handshakes and passthroughs must happen at blazing speed. Latency is a huge issue. For instance, in-game prop bets might be a very lucrative source of revenue as well as small-wager entertainment for the sports fan. Will the next football play be a pass or run? Will the next serve be a fault or an ace in tennis? The integrity of that bet — for the fan and the sportsbook — is entirely dependent on the proper synchronizing of the gaming infrastructure with a video stream. If there is latency between the two, fans can be frustrated, sportsbooks can close betting too soon, or conceivably too late after a fan with an unknowing architectural advantage saw the play before betting closed.
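The latency gap described above can be checked at settlement time. The following is an added example, not code from the white paper or from any sportsbook: it classifies in-play bets against the real-world start of a play rather than the moment the book's own feed closed the market, and flags accounts that repeatedly bet inside that gap. The record fields, the one-second margin and the sample data are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

SAFETY_MARGIN_S = 1.0  # assumed buffer before the real-world start of a play

@dataclass(frozen=True)
class Play:
    play_id: str
    event_ts: float      # when the play actually started (official data timestamp)
    feed_seen_ts: float  # when the sportsbook's feed delivered it and the market closed

@dataclass(frozen=True)
class Bet:
    bet_id: str
    account: str
    play_id: str
    received_ts: float   # server-side receipt time, never the client's clock

def classify(bet: Bet, play: Play) -> str:
    if bet.received_ts >= play.feed_seen_ts:
        return "rejected_closed"   # market was already closed in the book's own view
    if bet.received_ts >= play.event_ts - SAFETY_MARGIN_S:
        return "void_late"         # accepted, but the play was already under way
    return "valid"

def review(bets, plays, flag_threshold=2):
    """Classify every bet and flag accounts that repeatedly land in the latency gap."""
    by_id = {p.play_id: p for p in plays}
    verdicts, late = {}, Counter()
    for b in bets:
        verdicts[b.bet_id] = classify(b, by_id[b.play_id])
        if verdicts[b.bet_id] == "void_late":
            late[b.account] += 1
    flagged = sorted(a for a, n in late.items() if n >= flag_threshold)
    return verdicts, flagged

# Constructed sample data (seconds on one synchronized clock).
SAMPLE_PLAYS = [Play("p1", 100.0, 104.5), Play("p2", 160.0, 163.0)]
SAMPLE_BETS = [
    Bet("b1", "alice", "p1", 95.0),   # well before the play
    Bet("b2", "bob", "p1", 101.2),    # after the play started, before the book closed
    Bet("b3", "carol", "p1", 105.0),  # after the book closed
    Bet("b4", "bob", "p2", 160.8),    # same pattern again
    Bet("b5", "alice", "p2", 158.0),
    Bet("b6", "carol", "p2", 159.5),  # inside the safety margin
]

if __name__ == "__main__":
    print(review(SAMPLE_BETS, SAMPLE_PLAYS))
```

The check only works if the play timestamps and the bet receipt times come from synchronized clocks under the operator's control.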

This digital pathway, brokered by its APIs, must operate as efficiently as possible. Yet, each API is a gateway that introduces risk for everyone in the value chain. You don’t want bad actors walking through that door. Industry analyst and consulting firm Gartner Inc. is urging enterprises to secure their APIs, predicting these interfaces will become “the most-frequent attack vector” for bad actors.

No one wants to be the weak link that enables the breach.


Bad Actors and Bad Acts

Securing this sports betting value chain must be a top priority for everyone involved. Many bad actors could be culprits, but at least two broad categories are worth noting here.

Criminals go where the money is, and there will be a lot of money flowing in sports betting. Criminal access to consumer data such as bank or credit card accounts could not only cause a significant financial loss but would also taint all the brands involved as consumers lose faith. Ransomware is also a tremendous concern. Because there are so many pieces of the value chain — and each component will need to operate 24/7 — no single entity can afford to have its data locked up, so it will quietly pay the ransom.

Distributed Denial of Service (DDoS) attacks are also a concern and they can come from anywhere. For instance, operators of offshore illegal gambling sites stand to lose revenue from these new legal competitors. The United Nations Office on Drugs and Crime noted in 2021 that many Americans use illegal betting sites without understanding they are illegal. The amounts involved could be as high as $1.7 trillion.⁴ If that number is even remotely accurate, moving just a fraction of those dollars to legal channels with trusted brands represents a serious financial loss. This creates a significant motive for those site owners to launch DDoS attacks on the new legally sanctioned infrastructure to frustrate fans and hopefully drive them back to the illegal channels.

That’s in addition to other exploits such as taking over user accounts or launching various attacks from malicious bots. Bad actors have the time and incentive to be persistent in their attempts at entering these value chains. Once in, they can quietly move from one part of the infrastructure to another, potentially breaching all the partners.

Architecting for Success

Just as the nature of threats has evolved, security architecture has moved well beyond firewalls and gateways. Those structures are still important, but it’s not just the infrastructure under attack today. You must protect the applications and the data flowing through the system. That places a large focus on API security.

API security starts with proper API Discovery, the way that APIs are documented so they can be used by partners. Your partner developers need to be able to find the right API for their needs. Often this is through some type of marketplace, either a public API marketplace open to developers in general or a limited-access API repository. Large companies have many APIs, so the right API needs to be easily discoverable. Likewise, partner developers need to be able to find the features they need to use and understand how to access those features efficiently and securely. Precise documentation and available code are key.

Deep Packet Inspection is deployed to analyze the data crossing APIs. Analytic tools can determine if this is a legitimate request and block illegitimate requests, protecting the rest of the value chain.

One challenge is to add these layers of security without introducing latency or friction in the user experience. Utilizing edge compute resources, DDoS scrubbing systems can be placed in front of key functions in the value chain. That will protect those functions and keep them running. This edge compute capability can also put authentication close to the users to quickly determine that they are in states with legalized online sports betting. That way they can be politely turned away before any access to the actual betting resources — and possible legal liability for the gambling operation — is allowed.

Real-time threat intelligence can also head off attacks before they impact infrastructure. Lumen, for instance, is a major carrier of Internet traffic and our Black Lotus Labs unit analyzes patterns in Internet traffic to find threats before they propagate. Through automation, countermeasures can be kicked off without manual intervention.

Automation in general can reduce manual burdens. The amount of traffic these sports betting operations will see could easily overwhelm security analysts. Applying analytics can cut down on false positives, further reducing the manual burden.

Conclusion: It’s A New Ballgame

The fan experience has undergone constant innovation through digital technology. From the in-stadium experience to those watching at home, technology has raised expectations and excitement. Sports betting is a natural next step.

New partnerships have already formed. Supporting the major brands from broadcasters, leagues and casinos will be a host of supporting players. No one wants to be the weak link that opens the entire team to attack.

The approach to security is not just about defense. You need a proactive offense as well that protects your APIs, your applications and most importantly the trust of consumers.
