It was bound to happen regardless of safeguards in place. Fraud, compromising mobile sports betting and online casino accounts. Even the presence of two step authentication is not a guaranteed safety net.
DraftKings acknowledged that hackers used a program called credential stuffing. In this crime, hackers buy a database of usernames and passwords, run these through sports betting and online casino sites to see if they can log into accounts. If so, the scammers change the bank account information to withdraw funds, change the phone number and/or email on the account to lock the real user out.
“DraftKings is aware that some customers are experiencing irregular activity with their accounts. We currently believe that the login information of these customers was compromised on other sites and then used to access their DraftKings accounts, where they used the same login information,” the company said in a statement. The firm promised full restitution for affected clients, which could come to more than $300,000.
“In light of recent reports of a hack impacting some other sports betting websites, we are reaching out to remind our customers about the importance of good cybersecurity hygiene,” FanDuel Sportsbook said in a statement.
BetMGM customers suffered fraud involving a poker hack, where the culprits created new accounts. Essentially, scammers were creating new accounts for players enrolled in the Global Payment Solutions’ VIP Preferred program. When funds were deposited into a stored bank account, the scammers changed the account info and withdrew funds to a different account.
Poker player Phil Galfond posted some of the communication from Global Payment Solutions when he reached out to close his account after it was hacked.
“They got back to me in less than an hour and closed my account (per my request). Impressive customer service experience during what’s likely an extra busy time for them.”
Global Payment Solutions released a statement to SBCAmericas:
“Our gaming business has been assisting law enforcement with an investigation into fraudulent accounts set up at unaffiliated third parties using stolen personal information. There has been no security breach or fraudulent accounts opened at our gaming business in connection with this investigation. We have been working closely with these third parties to ensure all impacted individuals receive refunds.”
MIRACL co-founder and CEO Rob Griffin spoke with SBCAmericas about how this fraud took place and what steps can be done to avoid a repeat.
New Jersey and Ontario mandate a two-factor authentication for all online accounts. Otherwise that decision is left to the consumer.
“This story serves as another example of the downfall of optional MFA. With credential stuffing attacks on the rise, it’s absolutely essential that MFA is mandated across the board, and fast. The fact of the matter is, if the victims had enabled MFA, this would not have happened,” MIRACL Co-founder and CEO Rob Griffin said. MIRACL is a multi-factor authentication company focused on consumer applications that is pushing for the expansion of that technology across regulated markets.
Griffin also mentioned that multi-factor authentication did not guarantee accounts free of fraud. Indeed scammers can lockout account holders by turning the MFA against the consumer.
Here’s one way it works. A hacker reaches out to the phone company and reports that the sim card on the victim’s phone has been compromised, then moving text messages over to a different phone number. It’s very lucrative, Griffin said.
To make such a move more difficult, Griffin suggested Instead of a code as the second factor, require a specific device which can be cleared for access.
While the bulk of two-factor remains text message-based, customers should be careful to change their passwords frequently, and not use the same passwords across multiple accounts, and of course, enable two-factor authentication on their accounts.
DraftKings intended to refund those accounts impacted, the operator said. The company also urged customers to use unique passwords for its accounts.
“We have seen no evidence that DraftKings’ systems were breached to obtain this information,” DraftKings President and Co-Founder Paul Liberman said.
Liberman told Legal Sports Report DraftKings urged customers to use unique passwords and do not share passwords with anyone.
BetMGM has offered this response to ESPN and other outlets via a company spokesperson:
“We’re aware of a potential incident and are actively investigating. The security of our patrons’ accounts is of the utmost importance to us. We encourage any impacted patrons to contact our customer service department directly.”
Many states have implemented the ability to use two-factor authentication — including a code sent via text message upon login — to make accounts more secure.
Josh Cooper, 39, told Yahoo Sports that hackers attempted to withdraw more than $19,000 from his DraftKings account.
Cooper said, “I think that I was just right there while it happened, logged in, able to hit the cancel button as soon as it popped up.”
