How Safe Is Your Personal Data When Placing Mobile Bets On The Super Bowl?

For veteran and neophyte bettors alike in the legal sports gambling market in the U.S., mobile sports betting offers a convenience and ease of use that cannot be replicated inside a noisy casino.

Earlier this week as a polar vortex swept across the nation, customers in two Eastern states had the option of placing bets on their mobile apps instead of braving sub-zero wind chills.

But there are also theoretical drawbacks to doing everything online instead of using a retail sportsbook at a brick-and-mortar location, particularly for those reluctant to give out their personal data. The challenge for the industry is to build confidence in users that their data is safe.

Putting the ‘security’ in ‘social security’

Setting up online gambling accounts in a regulated market means relinquishing anonymity and sharing some personal information in order to pass minimum-age checks. For example, Station Casinos in Nevada requires patrons to provide their social security number as part of the process to obtain a mobile betting account.

Conversely, a bettor who wagers several hundred dollars at a face-to-face location can usually do so without revealing any personal information.

And Big Brother is watching: Geotracking devices follow sports bettors to prevent them from placing wagers outside Nevada and New Jersey.

Many bettors, especially those who are used to doing their gambling in person, will naturally wonder whether their personal information can remain protected during an online intrusion.

“This is something that the gaming industry takes extraordinarily seriously,” said Sara Slane, senior vice president of public affairs at the American Gaming Association.

The concerns apply equally to mobile sports betting platforms and applications for loyalty cards at brick-and-mortar locations, she added.

Mobile sports betting environment in New Jersey

Since New Jersey legalized sports betting last June, 10 brands have rolled out mobile or online sports betting apps, the most recent coming from Hard Rock Hotel & Casino Atlantic City. That total places the Garden State just two behind Nevada, which began offering mobile sports betting in 2010.

The New Jersey Division of Gaming Enforcement’s (DGE) rules have required sensitive personal information to be encrypted since the advent of iGaming roughly six years ago, before legal sports betting was introduced in the state. Those rigorous standards helped the DGE establish a framework for mobile regulations when sports betting was legalized.

Under Section 13:69O-1.3 of the division’s regulations on sports wagering, a customer’s online or mobile account may be funded through an electronic, bank-to-bank transfer provided that the operator has the proper internal controls to prevent payments fraud. Such payments, commonly known as ACH transfers, are processed through the Automated Clearing House.

The division has taken even stricter measures to protect customers. Since a bevy of casino and sportsbook sites across the industry accept credit card transactions and hold funds on deposit for patrons, the operators are required to meet PCI compliance standards, said David Rebuck, director of New Jersey’s Division of Gaming Enforcement. The data security criteria established by the payment card industry are meant to encourage companies to create a secure environment for processing credit card transactions.

Furthermore, online gaming companies, along with sportsbook operators, must adhere to the Bank Secrecy Act and other requirements set forth by the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). Casinos, under federal law, must file a Currency Transaction Report on single or multiple transactions of at least $10,000 by one person on a single day.

“The importance of protecting patrons’ information is always a top priority, not just during noteworthy events,” Rebuck said. “To ensure the integrity of the internet gaming and sports betting system, it is critical that casinos and sportsbook sites adhere to these high standards when storing patron data.”

The role of end-to-end sportsbook providers

In certain cases, software suppliers that provide the high-tech solutions powering a mobile betting app are not privy to sensitive data that could reveal a customer’s identity.

The industry’s most prominent suppliers — such as Scientific Games, International Game Technology PLC (IGT), Kambi Group plc, and Gaming Innovation Group (GiG) — are known for delivering a range of solutions to sportsbook operators beyond mobile platforms. The suppliers can provide a sportsbook with comprehensive risk management and back-end content management, as well as user interface and technical platforms to help facilitate its operations. But when a customer places a bet, the supplier typically receives only a reference number to differentiate the wager from other transactions, along with basic information pertaining to the user’s location.

Instead, the personally identifiable data is left to the sportsbook as it works to build its customer database. Some books offer protections to limit customer liabilities. MGM, for instance, guarantees that customers can lose no more than $50 if they have experienced an unauthorized electronic funds transfer or if they can demonstrate that their PIN or account has been lost, stolen, or compromised. The company stipulates that all claims must be made within two business days from the time the incident occurred.

Safeguards to protect apps from a serious data breach

Given the excitement surrounding legalized sports betting in New Jersey and other states along the East Coast, gaming operators would like to avoid the embarrassment of being the first company to fall victim to mobile hackers. While numerous sportsbooks worldwide use SSL encryption certificates to help protect transaction data, the scope of encryption for mobile betting apps is unclear.

Customers should also be aware of the best practices associated with Application Programming Interfaces (APIs) on their mobile platforms. An app containing authorized APIs can limit the possibility that information sent between a sportsbook and a bettor could be intercepted by a third party. Mobile platforms that lack the proper authorization could be vulnerable to third-party interference.

At present, it is difficult to ascertain how many mobile sports betting apps nationwide are devoid of authorized APIs, according to a specialist at a mobile app development agency.

Beyond sports, mobile banking apps have proven to be susceptible in recent years to both traditional and advanced hacking methods such as phishing, keylogger software, and man-in-the-middle attacks, NerdWallet reported.

The Federal Bureau of Investigation declined to comment through a spokesperson.

While 15 states have either active or pre-filed legislation to legalize sports betting in 2019, more than half have pending bills explicitly legalizing mobile sports betting, according to the AGA’s Slane.

“State legislatures clearly recognize that in order to bring consumers into the legal, regulated market they need to offer convenient access,” Slane said.

For this year’s Super Bowl, approximately 23 million Americans are expected to wager around $6 billion, according to AGA research.
