Frank Floor Talk: Identifying security vulnerabilities in the gaming business

Tuesday, September 23, 2025 8:00 AM
  • John G. Brokopp, CDC Gaming

The online poker boom was rocked to its very foundation in 2007 when cheating scandals of seismic proportions, which cost unwary players millions of dollars, erupted first at Absolute Poker and soon thereafter at Ultimate Bet Poker.

The shocking developments attracted the attention of gamblers and non-gamblers alike, including most notably Gus Fritschie, who at the time was Vice President with SeNet International Corporation, a security firm that was focused primarily on the federal government sector.

“The gaming sector had always fascinated me, and when the scandals hit, it was obvious the integrity of online poker was impacted,” recalled Fritschie, who today is Senior Vice President of Information Services with Bulletproof, a GLI Company.

“I became curious about the lack of controls that were in place, which compelled me to do some research, including the regulatory requirements and how the companies were held accountable. In my mind, player protection was of the utmost importance, because if there is a lack of integrity you do not have a business.”

Fritschie’s investigation revealed multiple vulnerabilities in the sector, which inspired a presentation of his findings that he made at DEF CON, one of the largest and most respected security conventions in the world. It is held annually in Las Vegas.

He brought a robust resume to information security. He guided SeNet’s transition to a primary focus on supporting many clients across the gaming spectrum, including iGaming operators, land-based casinos, gaming manufacturers, lotteries, tribal gaming, and daily fantasy sports.

In addition to presenting his research at DEF CON in 2011 and 2017, he has also appeared before HackerCon, DerbyCon, iGaming North America, and NASPL (North American Association of State and Provincial Lotteries), as well as numerous government agencies on a variety of information security topics.

Under Fritschie’s leadership, SeNet became a leader in information security to protect gaming from both an operator and player perspective. GLI acquired the company in 2019, resulting in his role at Bulletproof, a GLI Company.

“When I first entered the gaming industry, I perceived the companies were secure based upon my observations from a player perspective,” Fritschie recalled. “Once I was in and had the opportunity to ‘pull back the covers,’ I realized gaming companies face some of the same challenges as other sectors, including budget constraints, technology debt, and a lack of basics when it comes to cyber hygiene.

“The threat actors originally felt that way too. Look back no further than 2014 when the widely publicized attack against The Venetian in Las Vegas took place. The attackers were able to penetrate the network externally to get all the way to the internal network. It was the first sign that gaming was not as secure as we thought.”

He acknowledged that another reason gaming is vulnerable is that the attack surface (the set of potential attack vectors) has expanded over the years. There are more ways for attackers to get in.

“MGM Resorts and Caesars Entertainment were breached in 2023, examples of how complexity can make it incredibly difficult to secure organizations of that size,” Fritschie said. “It is one of the reasons why I think GLI Bulletproof is in a prime position to help these organizations increase their cyber resiliency.”

The real concern is not attackers who are probing for one specific vulnerability that could lead them to unauthorized access, he contends, saying “they do not know how the programs even work and are just trying to exploit ‘low-hanging fruit’ to gain access.”

“What you have to remember is that users of the network are always going to be our weakest link,” he continued. “It is extremely hard to protect against the users. An organization may invest hundreds of thousands of dollars to put sophisticated security controls in place, but all it takes is that one user who clicks the link of an email to allow an adversary into their internal network.

“We want to help companies to do more advanced testing and more advanced assessments to help them design security roadmaps to strengthen their cyber resiliency. I am pleased to say that we have a lot of customers in the gaming sector that want to do more than the minimum. They realize that they must raise the bar to stay ahead of the attacker.”

Observing that technology progresses at a rapid pace, Fritschie said that new vulnerabilities that could potentially be exploited are emerging. He explained that security tools have begun leveraging artificial intelligence to assist in identifying attacks.

“We use it ourselves in our security operations center to help our clients protect their networks from a defensive position,” he continued. “AI allows our analysts to better respond to threats, but at the same time threat actors are using AI to perform very sophisticated social engineering attacks. This is one reason overall security awareness training for users is so important.”

The expansion of iGaming and other verticals within the gaming industry has created new cyber security challenges. Instead of being confined to a property in a specific location, players are now able to wager across a broader geographic jurisdiction, which expands the attack footprint.

“Online operator suppliers are typically more mature from a cyber security IT perspective than land-based operators,” Fritschie said. “You must remember that iGaming got its start in Europe, which is a much more mature market. Very sophisticated, battle-tested operators have come to the United States. They do not have technology debt, meaning they do not have old systems, old software, and outdated servers.”

New systems, new applications, and new software, he said, are typically more secure than antiquated systems.

“Because iGaming has a smaller footprint than a typical casino property, it is easier to protect and defend,” Fritschie observed. “I still think you have to be diligent from the online perspective and assured that the right security testing is taking place.”

John G. Brokopp is a veteran of 50 years of professional journalism experience in the horse racing and gaming industries.