iGaming operators must do more to ensure geo compliance. Here’s how your IP address geolocation service can evolve.
In early 2019, an individual in Nevada somehow managed to trick the online Hard Rock Casino site into thinking they were based in New Jersey.
The person lost a $29 bet.
It is a perfect example of how modern technology lets us stay connected at all times and anywhere in the world, while the legislation that governs online casinos is still a relic of the past.
Not only are casinos still strictly bound by international or, in North America, local state laws; their users are also supposed to restrict their visits based on their current location.
As we’ll see in this post, these laws create all kinds of problems, challenges, and incentives for players to cheat the system. Failing to abide by geo compliance laws not only risks hefty fines, but also opens the door to gambling fraud such as multi-accounting and bonus abuse.
The Downsides of Digital Fences
Regardless of their views on regional licensing laws, online casinos have to make sure of one thing: that users are where they say they are.
The first port of call is a service that monitors and filters IP addresses. Using in-house IP analysis or third-party solutions, casinos can try to guess where users are connecting from, and block those in unsupported areas.
Unfortunately, anyone familiar with the following image will have no trouble understanding the discontentment felt by players.
And imagine how much more frustrating it is when users fail to access their legitimate account on holiday, or when their location is determined based on where the data comes from. An AT&T user based in New Jersey, for instance, may have their legitimate betting account blocked if the IP appears to be from Texas.
Player Churn, User Friction and Privacy Concerns
Another IP monitoring solution involves asking players to install tools themselves. These third-party monitoring tools come as either:
- An app that the user must download on their phone
- A browser extension that they must install
- Software that must stay on their computers at all times
While in theory geolocation technology improves accuracy, its effectiveness leaves a lot to be desired, which becomes apparent when you look at user reviews for one of the most popular IP tracking tools on the App Store.
These include complaints from users who cannot access their accounts, are inexplicably blocked from placing certain bets, or simply cannot get the app to work properly on their devices.
And let’s not forget that installing what is essentially a tracking app raises all kinds of privacy concerns. Players may have no issues knowing that their IP address is analysed, but actively reporting their exact location (sometimes within meters) is not a step they are willing to take lightly.
Creating all these obstacles for users has clear consequences: it adds friction to the user experience, damages the casino’s reputation, and frustrates legitimate players trying to access their accounts.
It’s no wonder players take matters into their own hands and begin manipulating their IP addresses…
The Many Ways Players Fake IP Addresses
In our opening story, the Nevada geolocation cheater exploited a technical vulnerability. They gained access to the casino’s front-end debugger to change the IP location and pretend they were in New Jersey.
The average player needn’t be so tech-savvy to fool an IP address check. In fact, a quick Google search will reveal hundreds of tutorials on how to effectively use a VPN or proxy to access betting sites abroad.
These online resources even list casinos based on their licenses and restrictions, and actively compare different VPNs designed to bypass casinos’ digital fences.
And with a projected 12% CAGR between 2020 and 2026, the VPN market shows no signs of slowing down, which will give geohackers increasing options and technological resources to fake their locations for online gambling.
Evolving IP Spoofing Tools
Geohackers and compliance solutions play a constant game of cat and mouse, and advances in technology often give the advantage to those trying to fake their IP addresses.
Our consultant and data privacy expert showed in this post how easy it is to change an IP address using Chrome extensions, or advanced spoofing tools – and the kind of technology you need to detect these hacks.
GeoHacking and Fraudsters
Players, it turns out, have no qualms about using IP spoofing tools repeatedly, in spite of the legal risks. In March 2019, New Jersey’s Division of Gaming Enforcement seized $90,000 from an online gaming account belonging to a man playing from California.
The problem is that IP spoofing tools could also point to more serious types of fraud. We’ve written extensively about the challenges of curbing bonus abuse in iGaming, but the key point is that fraudsters and criminal organizations will need multiple accounts to exploit your site. And the only way to do it is to control their IP addresses.
Which, in a way, is good news. If you can spot IP spoofing, you’re essentially killing two birds with one stone: reducing your fraud rates and improving your geocompliance at the same time.
Where Fraud Prevention Tools Can Help
An IP address geolocation solution, when it works, is only really designed to do one thing: track where users are. And as we’ve seen, its implementation is clunky, often creating user friction and still failing to protect casinos from fines.
Fraud prevention tools, on the other hand, offer many advantages. First and foremost, their IP monitoring features tend to be extremely sophisticated. Integrating SEON into your platform, for instance, will give you a real-time view of:
- Geolocation: the most basic feature, which pings local servers to see where the user is currently located. While easy to manipulate, the data can also reveal whether a customer is travelling too fast or if their login info matches that of the account and associated withdrawal address.
- TOR or VPN usage: by analysing the user’s ISP, you can find out whether the connection is residential, or comes from a public library, web server or datacenter. This can uncover VPN usage and TOR exit nodes.
- Open port scan: without going into technical details, we can scan ports to understand whether the user is using proxies, and calculate how risky the connection is.
- Spam checklist scan: you can cross-reference IP addresses to see if they have previously been flagged on spam blacklists. Those that appear on the DNSBL (Domain Name System Blackhole List) and RBL (Real-Time Blackhole List) are much more likely to be fraudulent than regular users.
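The "travelling too fast" signal from the geolocation item above, as an added example that is not SEON's code: it compares consecutive logins of one account and flags pairs whose implied speed is physically implausible. The 900 km/h ceiling, the 50 km tolerance for geolocation error and the sample logins are assumptions made for illustration.

```python
import math
from datetime import datetime, timezone

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0     # assumed tolerance for IP-geolocation error

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(prev, curr):
    """Return (flag, km, kmh) for two login events of the same account.

    Each event is (utc_datetime, lat, lon) as resolved from the login IP.
    """
    km = haversine_km(prev[1], prev[2], curr[1], curr[2])
    hours = abs((curr[0] - prev[0]).total_seconds()) / 3600.0
    if km < MIN_DISTANCE_KM:
        # Small jumps are within normal geolocation error: never flag them.
        return False, km, (km / hours if hours else 0.0)
    if hours == 0:
        return True, km, math.inf  # same instant, distant locations
    kmh = km / hours
    return kmh > MAX_PLAUSIBLE_KMH, km, kmh

# Constructed sample logins (coordinates are approximate city centres).
UTC = timezone.utc
LOGINS = [
    (datetime(2019, 3, 1, 18, 0, tzinfo=UTC), 40.22, -74.76),    # Trenton, NJ
    (datetime(2019, 3, 1, 18, 40, tzinfo=UTC), 36.17, -115.14),  # Las Vegas, NV
    (datetime(2019, 3, 2, 9, 0, tzinfo=UTC), 36.11, -115.17),    # Las Vegas, NV
]

def flag_logins(logins):
    """Compare each login with the one before it; return one flag per pair."""
    return [impossible_travel(a, b)[0] for a, b in zip(logins, logins[1:])]

if __name__ == "__main__":
    print(flag_logins(LOGINS))
```

A flagged pair does not say which of the two locations is false, only that both cannot be true, so it is best treated as one input to a wider risk decision.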
The Power of Device Fingerprinting
While device fingerprinting is often used to monitor transaction fraud, in iGaming it also helps answer a key question: is the player really who they say they are?
A simple plug-and-play code integration on your online platform (or iOS and Android app) will reveal hundreds of hidden data points that may point to suspicious users. By looking at their software and hardware configurations, we can clearly see if users:
- Use specific browsers designed for geo hacking
- Automate login attempts for multi-accounting or bonus abuse
- Switch browsers, clear their cache or use incognito mode
- Spoof their connection data with emulators
And of course, you can access more device location attributes, which can help pinpoint where a user really is in the world, and remain compliant based on your location.
Gathering data is one thing, but too much of it can be a burden on your risk and compliance team. Which is where fraud prevention can also help, by automatically calculating how risky a user is.
With SEON, this comes in the form of a predictive fraud score, which you can use to automatically block suspicious users, or to trigger extra security steps instead of performing a manual review.
The scores are calculated with rules, which can be preset for iGaming compliance, or customized to your business needs.
Risk scores therefore allow your casino to create “dynamic friction”, only requesting more information on the player’s part when, say, they are logging into their account from a new device, or abroad.
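A sketch of rule-based scoring with "dynamic friction", added here as an example and not taken from SEON's product: each rule contributes points, and the total decides whether to allow the session, ask for an extra verification step, or block it. Rule names, weights, thresholds, field names and the sample sessions are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical rule weights and thresholds, chosen for illustration only.
# An IP-region mismatch alone scores below BLOCK_AT because IP geolocation
# can be wrong, so on its own it triggers a step-up rather than a block.
RULES = [
    ("ip_outside_licensed_region", 40, lambda s: s.ip_region not in s.licensed_regions),
    ("datacenter_or_vpn_isp", 30, lambda s: s.isp_type in {"datacenter", "vpn"}),
    ("tor_exit_node", 50, lambda s: s.is_tor_exit),
    ("listed_on_dnsbl", 20, lambda s: s.on_dnsbl),
    ("new_device", 15, lambda s: s.device_id not in s.known_devices),
]
STEP_UP_AT, BLOCK_AT = 15, 60

@dataclass
class Session:
    ip_region: str
    licensed_regions: frozenset
    isp_type: str            # "residential", "datacenter", "vpn", ...
    is_tor_exit: bool
    on_dnsbl: bool
    device_id: str
    known_devices: frozenset

def score(session):
    """Return (total points, names of the rules that fired)."""
    fired = [(name, pts) for name, pts, test in RULES if test(session)]
    return sum(p for _, p in fired), [n for n, _ in fired]

def decide(session):
    """Map the score to an action so friction is added only when warranted."""
    total, fired = score(session)
    if total >= BLOCK_AT:
        return "block", total, fired
    if total >= STEP_UP_AT:
        return "step_up", total, fired  # e.g. request extra verification
    return "allow", total, fired

# Constructed sessions for an operator licensed only in New Jersey.
NJ = frozenset({"US-NJ"})
KNOWN = frozenset({"dev-a"})
HOME = Session("US-NJ", NJ, "residential", False, False, "dev-a", KNOWN)
NEW_PHONE = Session("US-NJ", NJ, "residential", False, False, "dev-b", KNOWN)
VPN_NV = Session("US-NV", NJ, "vpn", False, True, "dev-a", KNOWN)

if __name__ == "__main__":
    for s in (HOME, NEW_PHONE, VPN_NV):
        print(decide(s))
```

Returning the names of the rules that fired alongside the action gives a risk team the reason for each decision, which is also what an alerting integration would forward.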
How One SEON Client Prevents Risky Actions
There are many parallels between geo compliance and anti-money laundering regulations. One of our clients, for instance, uses SEON to analyse user data and connects our platform via a Slack integration.
Their risk team is immediately alerted when a user performs an action that could expose them to a compliance fine, which allows them to grow their business with more peace of mind, while proving to regulators that they have the right systems in place.
You can read more about SEON and productivity hacks here.
Finally, there’s one huge advantage of advanced fraud prevention tools over geo compliance vendors, and it’s that the whole analysis is completely invisible to the end-user.
No need for your players to download an extra app on their phone or computer. You can simply gather data as soon as they start browsing your site, and use that knowledge to facilitate their onboarding.
One great example is age verification. You can either ask the user to jump through hoops with a special field with a date of birth, or use a passive screening solution like SEON’s social media lookup to gather that information by yourself.
Not burdening your players with extra steps makes it easier to onboard them, without sacrificing security or compliance.
Geo compliance and geolocation technology are controversial topics in many industries. But the fines demanded by iGaming regulators are particularly damaging, and the rules are challenging to meet.
And while there is no shortage of IP address geolocation services, the technology tends to only look at one data point, which may not be enough to block geohacking users, or for that matter, sophisticated fraud attempts.
Which is why at SEON, we believe online casinos, gambling and betting companies and iGaming operators deserve more robust risk tools. With the right security layer in place, you will be able to mitigate risk, provide a better user experience, and lower your customer acquisition cost while controlling compliance exposure.