Deal Fraud Out
CASINOS OFFER CUSTOMERS any number of games of chance, but they don't like to play games with their own bottom lines. Whether in the real world or virtual online environment, gaming establishments need reliable tools for turning the table on thieves. In the case studies that follow, two gaming organizations enlist the help of powerful software to make connections between fraudsters acting in collusion, and to recognize, analyze, and alert loss prevention specialists to a higher percentage of fraud incidents.
Ante Up
Since its inception in 1995, online gambling has grown into a $9.2 billion global industry, according to a 2004 report by investment bank Dresdner Kleinwort Wasserstein, and it is expected to continue to grow 22 percent a year. One of the highest rated online gaming sites is UltimateBet.com (UB), a virtual-poker Web site that opened in 2000. The site is run by Excapsa, Inc., a Canadian company that developed and owns the software that makes the site work.
At the site, UB’s players are set up with real-money U.S. dollar accounts through MasterCard and Visa, or with “electronic wallets” such as Citadel, FirePay, and NETELLER. These accounts allow players to bet and also to front money to each other. After establishing a UB account, persons can play single games or enter tournaments.
By 2002, UB’s business was booming. On an average night at the site, there could be upwards of 200 virtual tables with more than a thousand players signed in for various types of poker, including Texas Hold ’Em, Omaha, Seven-Card Stud, as well as other card games.
Unfortunately, crime was also booming. In 2002, UB’s stolen credit card chargebacks jumped from the industry norm of about 1.25 to 2 percent to an astounding 10 percent of deposits, equating to roughly 20 percent of gross revenues. Millions of dollars were lost within a few months, and the site was about to go under.
Part of the problem was that on the site, players could either retain their winnings in their accounts for further betting, cash out for a credit to their card of record or electronic wallet, or request a money wire or check.
“UB prides itself on the speed that it processes withdrawals,” says Jim Ryan, CEO of Excapsa. But that speed helped the criminals carry out their scheme.
Members of the fraud ring would open accounts using stolen credit cards; then they would play, intentionally losing to others in the group, who then lost to still other confederates—with money moving up a pyramid to some of the highest-level players, who then cashed out their “winnings.” By the time the credit cards’ owners found out about the unauthorized transactions, these fraudsters had the money and were long gone, leaving UB with the massive chargeback losses.
Excapsa had begun an investigation at the first signs of the problem. Its investigators found that a fraud ring had infiltrated the site, but exactly who was involved remained unclear.
Excapsa tried to crack the fraud ring by analyzing IPs, hiring top poker champs to conduct play analysis (for example, a red flag would be if someone with a pair of aces raised, then folded), and tracking how often certain individuals played together.
Although investigators ascertained that players were using stolen but still valid credit card numbers to set up accounts, then were purposefully losing to others who cashed out, they could not identify and permanently stop (or report to the police) the individuals, because of the complex structure of the fraud ring’s operation, the speed of the transactions, and the anonymous nature of the online environment. As a result, the hemorrhage of chargeback losses continued.
“These people were very carefully avoiding being caught by these techniques, and if they were identified and the account terminated, they would quickly reappear with a new account,” says Jon Martin Karl, vice president of business development for Iovation, of Portland, Oregon.
Excapsa had turned to Iovation, a software developer with which Excapsa already had a client relationship, for help in stemming the losses. “They said to us, ‘We have to find a way to stop this, but we can’t deny accounts to customers without evidence, or we’ll lose customer confidence,’” Karl states.
Power play. Since all of Excapsa’s bets were over the Internet, rather than face to face, Iovation decided that it should not focus on trying to identify problem individuals, as has been done to date in the gaming industry.
When dealing with stolen card numbers, a negative-persons database doesn’t work, says Excapsa’s Ryan. “Say you get a criminal with 100 stolen cards. This individual sets up accounts on all these cards and commits fraud. The cards have not been reported stolen. You’ve got 100 cardholders who never caused a chargeback in their lives. There’s no red flags at all,” he explains.
To tackle this problem, the company chose instead to focus on the IT devices being used. It created software for UB called ieSnare that tracks devices rather than people.
The ieSnare negative-devices database—called the Device Reputation Authority—is made up of DevicePrints. These small bundles of data, created when a device logs onto the site, include information on the user’s hardware, software, network, trace routing, and other identifying information, creating a kind of digital fingerprint. Currently there are about 2 million DevicePrints in the database. Each is given a unique identifier, but because they contain no account numbers, names, addresses, or other personal information, customer privacy is protected.
The Device Reputation Authority can be searched to illuminate the relationships between device users. “It’s very powerful,” says Ryan. For example, an investigator can look at an account and see all the devices that the account has ever logged in with.
While, on the surface, it may appear to investigators that there is one player using one computer, in fact, the DevicePrints will reveal that the same account is being used by multiple persons using multiple computers. That is a red flag, because it is a practice often used by fraud groups. Thus, investigators can search accounts by Device Print to see whether they exhibit this characteristic.
Among the other search options that ieSnare gives investigators is the ability to associate chargeback accounts—those accounts where the credit card bank rejected a payment request—with the devices via which users of that credit card logged in. At UB, this was a key feature in terminating the fraud problem it had. That ability allowed the site to shut out those devices.
The fraudsters who are banned can create new accounts in only one way—reenter the site with a completely different DevicePrint, which involves a new computer, ISP, and physical location, among other requirements. But as soon as any fraudulent activity is noted, that account will also be shut down. Iovation’s Karl says that some fraudsters have taken this approach, but that the cost and effort of regularly having to start over will “push them away to where the pickings are better.”
Using another ieSnare search feature, Excapsa investigators were also able to map out the connections between players, accounts, and devices. Looking at this data for those involved in the massive fraud ring that drained UB’s revenues revealed that some 250 accounts, originating from multiple countries, were using the stolen credit card numbers.
Within months of cracking the fraud ring, the chargeback rate had dropped from more than 10 percent to 1.5 percent. Today, chargebacks are less than half a percent. This rate is “unheard of” in the industry, says Ryan.
The success of the software has also allowed Excapsa to operate with only two fraud investigators on staff. “Other places might have twenty investigators to do the same thing,” says Ryan. “That’s a huge bottom-line savings.”
With the full support of Excapsa, Iovation has now redeveloped and released ieSnare for wider use in the online gaming world and other industries.
Small Fraud Focus
The surveillance team at Las Vegas’s Stratosphere hotel and casino has long fought fraud with cutting edge technology. The well-known landmark on the Vegas Strip was a pioneer user of point-of-sale software. Today, it is testing a new generation of that software with the enhanced ability to help detect even minor, previously unnoticed frauds that in the aggregate can amount to significant lost revenue.
The Stratosphere includes an 80,000 square-foot casino featuring some 50 table games and more than 1,500 slot and video poker machines, and a sportsbook. The hotel includes more than 2,400 rooms and luxury suites, seven restaurants, and multiple lounges and entertainment facilities.
According to Derk Boss, CPP, the Stratosphere’s vice president of surveillance, the software—SmartConnect.net Digital Surveillance—has been undergoing its own surveillance for the last year, which is to say that staff have been putting it through its paces at various food venues within the Stratosphere to test its performance.
SmartConnect is Web-based software that interfaces with the existing point-of-sale and camera systems. The software converges information from both sources to provide routine time, date, and type-of-transaction video of the actual transaction receipt, and video of the employee and customer involved in the transaction.
“The software can be customized to alert our team to anything we feel is indicative of theft or fraud,” says Boss, or is a violation of policy procedure such as the cash drawer remaining open too long, voids, “no such sale amount” in the system, or employee discounts.
“Where this particular system is different is that it continuously runs in the background and constantly monitors all locations and notifies us” when there is an alarm, says Boss.
With this program, surveillance staff can, as before, view live transactions with corresponding video. But now the staff can also view a history of up to 30 days of similar transaction types, including the corresponding video, all on one terminal at one time. In this way, investigators can look for patterns of fraud that would otherwise go unnoticed, as well as honest mistakes resulting from poor training, explains Boss.
For example, last summer, the surveillance department was tipped off that a cashier at one of the food venues was giving away or undercharging items to guests and employees. An investigation was conducted by Stratosphere Surveillance Investigator Matthew Galloway using the SmartConnect software.
Galloway explains that if he had investigated using the existing software, he would have had to run a report of the cashier’s activities, then manually search the analog tapes for the correct segment for comparison. This time-consuming effort tended to result in a triage approach, where higher-ticket incidents took precedence.
However, with the new software Galloway can sit at his computer and view multiple reports based on standard and customized queries, which can be specifically reviewed by date, time, cashier, and venue. He can then simultaneously view each incident with the video, eliminating the exhausting manual hunt through hours of analog tapes.
The Stratosphere did not have to switch to digital recording as a part of the software upgrade. SmartConnect installs the system as either a standalone system or a network, which can include existing analog cameras. It connects the analog cameras to an encoder that sends the video feed to the SmartConnect server in digital format that is stored on hard drives.
In addition to the viewing options just mentioned, Galloway could watch the cashier in real time. In the two days that Galloway observed the cashier, each day he documented several fraud incidents, with a combined total value of less than $10. This may not sound like much, but Galloway says, “If the incidents were not detected…and the cashier continued with her activities daily throughout the year, the resulting average annual loss would be in the thousands of dollars.”
Boss notes a commonly cited loss prevention statistic from a national retail food and beverage venue survey, which determined that 5 cents of every dollar is lost to fraud. “I believe it is higher in the gaming industry because of things like comps, giveaways, coupons, and free drinks,” which create more opportunities for fraud, he adds.
For example, in one case concerning casino comps, surveillance personnel noticed an individual who was frequently in the casino, but wagered little. He did, however, frequently take advantage of comped food.
The easy video-incident review showed that the individual getting the comped food had wagered less than $600 dollars in one month, but had received more than $100 in free food. Those free meals were granted by two casino supervisors.
The SmartConnect software allowed Galloway to generate reports on the number of comps granted and found that the two casino supervisors’ numbers were higher than those of other managers. In this case, the surveillance staff concluded that those providing the comps were not intentionally committing fraud; the two supervisors who granted the comps were retrained and instructed not to issue comps for small monetary play.
Another example occurred last September, when a large number of voids at another food venue drew Galloway’s attention. He found that the voids were largely caused by weaknesses in operating procedures. But the problem also alerted him to a string of unauthorized discounts. It was unknown how often these discounts had occurred in the past, but if they occurred daily, the establishment would lose thousands of dollars per year.
Through further investigation, Galloway found that these discounts were being given to friends of the employee. He also discovered employees comping meals without authorization.
Earlier in the year, in yet another case, Galloway had spotted an abnormally large application of coupon discounts in yet another food venue. The search revealed that the cashiers were illicitly applying the codes on printed coupons they kept on site to orders where the diners had not supplied their own.
At the rate these illegal discounts were being performed, losses might have exceeded $1,000 per year.
Galloway’s overall testing of the system revealed how lots of small frauds could add up—in this case to a suspected average loss of more than $27,000.
In reaction to these cases, new policies and procedures concerning all discounts, comps, and coupons were put in place at all point-of-sale locations. All of the cashiers received retraining on coupon use, and those who had been incorrectly providing the discounts received written warnings.
Boss, who says the software “does everything it says and better,” wants to install SmartConnect at all points-of-sale at the Stratosphere, and also at other casinos owned by the same parent company, American Casino and Entertainment Properties, LCC. They include the Sands in Las Vegas, and Arizona Charlie’s in Boulder, Colorado, and Decatur, Illinois.
Boss also wants to apply the technology to all the slot machines. In that case, events such as illegal slot machine door openings on slot machines would be alarmed so that surveillance officers would see them in real time.
Right now, he says, surveillance personal randomly patrol for fraud whether at point-of-sale operations or slots or elsewhere. The problem with that approach, Boss notes, is that “random patrol equals random results.”
The new software would allow surveillance to work globally, looking for red flags before losses of any magnitude occur. “This…will revolutionize how surveillance operates,” Boss says.
He gives one more example of the everyday impact the software would have. In a test, one of the restaurants was monitored for 12 hours. During that time, there were 80 alarmed events, eight of which were violations of policies and procedures. Two transactions were proven to be fraudulent.
These 80 alarmed events were viewed on a one-page table or graph that linked to the transaction details and related video. The investigator could either go directly to the video and observe the transaction—with scrolling detail to the side—or review just the transaction details. Also available within the table view, a preview window is shown when the mouse is placed over the desired transaction. This made for fast and convenient review while going down the list, says Boss, and cut the investigation time to hours rather than days.
Boss estimates that a global installation of the system at all properties will cost about $366,000. Based on test results, somewhere between $110,000 and $184,000 per year in savings should result, which means that the system will return the investment in two to three years. Also, no additional staff would need to be hired. The global installation is currently scheduled for 2006.
Frauds could be called the snake eyes of the gaming industry. The key for management is to find a way to keep them from coming up. By combining technology, surveillance, and training, the Stratosphere has shown that, indeed, it need not leave detection to the role of the dice.
Ann Longmore-Etheridge is an associate editor of Security Management and editor of Dynamics.
