Weeks after thousands of DraftKings customers fell victim to a comprehensive data breach on the weekend before Thanksgiving, the company provided additional details about a massive cyberattack that has rocked the sports betting industry.
In many respects, DraftKings identified a method of intrusion that cyber experts suspected from the outset. According to a data breach notification filed with the Maine Attorney General’s Office, DraftKings spotted a host of suspicious log-ins to certain accounts indicative of a technique known as “credential stuffing.”
A breach carried out through credential stuffing typically occurs when an attacker takes username and password pairs exposed in breaches of unrelated third-party sites and replays them, usually with automated tooling, against the sportsbook's login page, betting on the fact that many people reuse the same password across sites. The technique could be as simple as obtaining a user’s password from a local gym’s website before using the same password to enter that bettor’s online sports wagering account.
As is the case with many large-scale cyber intrusions, when an industry is targeted by cybercriminals it typically responds by beefing up its defense ecosystem to prevent future attacks. The breach impacted at least 67,995 customers, according to DraftKings, and sparked a vigorous discussion on cybersecurity at a recent National Council Of Legislators From Gaming States conference. The event was well-attended by a number of companies that offer high-tech, anti-fraud solutions, most notably Vancouver-based GeoComply Solutions Inc.
State legislators and regulators are brainstorming ways to curb cyber attacks in the wake of last month's breach. @MattRybaltowski explores:
— Sports Handle (@sports_handle) December 15, 2022
While GeoComply is known throughout the sports betting world mostly for providing precision geolocation data in new states with mobile sports wagering, the company has also earned plaudits for helping online sportsbooks combat fraud. GeoComply bills itself on its website as a “one-stop shop” for geolocation compliance, anti-fraud, and Know Your Customer (KYC) solutions. On the sports betting side, GeoComply counts high-profile names such as BetMGM, DraftKings, FanDuel, Caesars, and Rush Street Interactive among its partners.
Since DraftKings confirmed the November intrusion, there are indications that other leading operators were also targeted. FanDuel, DraftKings’ archrival, itself reported a spike in cybersecurity breaches around Thanksgiving. Then, days before Christmas, BetMGM CEO Adam Greenblatt disclosed that certain customer records were obtained in an unauthorized manner. The breach affected postal addresses, email addresses, and telephone numbers, as well as Social Security numbers, player ID numbers, and screen names, BetMGM confirmed.
“It will probably go away for a while, as everybody will kind of up their standards,” said Simon Marchand, a GeoComply vice president. “Eventually it might come back when it comes to account takeovers — account takeovers are cyclical.”
Precision geolocation data
GeoComply uses a combination of device data, location information, and behavioral indicators to help operators fight fraud. While fraudsters can switch devices often, since securing a burner phone is relatively easy, Marchand indicated that gaining access to a new address proves to be more difficult. GeoComply combines these signals into a risk assessment that tells an operator whether a transaction is too risky to allow. The company’s geolocation capabilities are very precise, Marchand emphasized, delivering data with “one to two meter” accuracy.
From there, GeoComply can take two distinct approaches for the next steps in the investigative process. On one hand, the geolocation data will indicate if a bettor generally places wagers from the same location. If a bettor placed a series of wagers on the Minnesota Vikings-New York Giants wild card game from his living room couch, the same locale he used for betting on the NFL throughout the season, the transactions will generally be viewed as safe.
Conversely, there are markers for heightened risks of fraud. A withdrawal request of $437 was made for one targeted sportsbook customer with instructions to send the check to an apartment in a Houston suburb. The request provides a clear example of an account takeover, according to the customer, since he lives nowhere near the city. In other instances, a company like GeoComply may detect a red flag by identifying a location that has been implicated in dozens of other fraud cases.
“If we see 400 transactions across 20 devices in an hour in a garage, there’s obviously something fishy happening there,” Marchand said.
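The three patterns described above, the stuffing burst, the far-away login followed by a cash-out, and the one-garage cluster, can each be expressed as a simple check over a login and transaction log. The following is an added example written for this article, not DraftKings' or GeoComply's code: the event schema, IP addresses, device IDs, coordinates and thresholds are all constructed for illustration, and real operators would tune the thresholds against their own traffic.

```python
# Added example: three account-takeover detections over a constructed event log.
# Not DraftKings' or GeoComply's code; event schema, coordinates, IPs and thresholds
# are assumptions chosen for illustration.
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed events: (time, kind, account, source ip, device id, lat, lon).
# 44.95,-93.09 is roughly St. Paul, MN; 29.7x,-95.xx is the Houston area.
EVENTS = [
    # A habitual bettor wagering from the same couch and device.
    ("2022-11-13T18:05:00", "login_ok", "bettor42", "73.1.1.10", "dev-a", 44.9537, -93.0900),
    ("2022-11-13T18:06:00", "bet", "bettor42", "73.1.1.10", "dev-a", 44.9537, -93.0901),
    # One source walking a leaked username/password list; most pairs fail...
    ("2022-11-20T02:00:00", "login_fail", "user1", "198.51.100.7", "dev-x", 29.7600, -95.3700),
    ("2022-11-20T02:00:02", "login_fail", "user2", "198.51.100.7", "dev-x", 29.7600, -95.3700),
    ("2022-11-20T02:00:04", "login_fail", "user3", "198.51.100.7", "dev-x", 29.7600, -95.3700),
    ("2022-11-20T02:00:06", "login_fail", "user4", "198.51.100.7", "dev-x", 29.7600, -95.3700),
    ("2022-11-20T02:00:08", "login_fail", "user5", "198.51.100.7", "dev-x", 29.7600, -95.3700),
    # ...until a reused password works; the attacker then locks the owner out and cashes out.
    ("2022-11-20T02:00:10", "login_ok", "bettor42", "198.51.100.7", "dev-x", 29.7600, -95.3700),
    ("2022-11-20T02:01:00", "password_change", "bettor42", "198.51.100.7", "dev-x", 29.7600, -95.3700),
    ("2022-11-20T02:03:00", "withdraw", "bettor42", "198.51.100.7", "dev-x", 29.7600, -95.3700),
    # The real owner can no longer get in.
    ("2022-11-20T18:10:00", "login_fail", "bettor42", "73.1.1.10", "dev-a", 44.9538, -93.0900),
    # Several devices betting from one spot within an hour (the "garage" pattern).
    ("2022-11-21T20:00:00", "bet", "mule1", "203.0.113.5", "dev-g1", 29.7001, -95.6001),
    ("2022-11-21T20:05:00", "bet", "mule2", "203.0.113.5", "dev-g2", 29.7001, -95.6001),
    ("2022-11-21T20:10:00", "bet", "mule3", "203.0.113.5", "dev-g3", 29.7002, -95.6000),
    ("2022-11-21T20:12:00", "bet", "mule4", "203.0.113.5", "dev-g4", 29.7001, -95.6002),
    ("2022-11-21T20:20:00", "bet", "mule1", "203.0.113.5", "dev-g1", 29.7001, -95.6001),
]


def load(rows=EVENTS):
    """Turn the constructed tuples into dicts sorted by time."""
    keys = ("time", "kind", "acct", "ip", "dev", "lat", "lon")
    evs = [dict(zip(keys, r)) for r in rows]
    for e in evs:
        e["time"] = datetime.fromisoformat(e["time"])
    return sorted(evs, key=lambda e: e["time"])


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine)."""
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Source IPs that attempt logins to >= min_accounts distinct accounts inside
    `window`: a real user has one account, a stuffing tool has a list."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] in ("login_ok", "login_fail"):
            by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            accts = {x["acct"] for x in evs[i:] if x["time"] - first["time"] <= window}
            if len(accts) >= min_accounts:
                flagged.add(ip)
                break
    return flagged


def takeover_candidates(events, max_km=100.0, window=timedelta(hours=1)):
    """Accounts with a successful login far from every place the account was used
    before, followed within `window` by a password change or withdrawal."""
    history, hits = defaultdict(list), set()
    for i, e in enumerate(events):
        if e["kind"] == "login_ok":
            prior = history[e["acct"]]
            far = bool(prior) and all(
                km_between(e["lat"], e["lon"], la, lo) > max_km for la, lo in prior)
            follow = [x["kind"] for x in events[i + 1:]
                      if x["acct"] == e["acct"] and x["time"] - e["time"] <= window]
            if far and ("password_change" in follow or "withdraw" in follow):
                hits.add(e["acct"])
        if e["kind"] in ("login_ok", "bet"):
            history[e["acct"]].append((e["lat"], e["lon"]))
    return hits


def hot_spots(events, radius_km=0.05, window=timedelta(hours=1), min_devices=3, min_events=5):
    """Spots (rounded lat, lon) where >= min_events from >= min_devices distinct
    devices occur within radius_km of each other inside `window`."""
    spots = set()
    for i, anchor in enumerate(events):
        near = [x for x in events[i:] if x["time"] - anchor["time"] <= window
                and km_between(anchor["lat"], anchor["lon"], x["lat"], x["lon"]) <= radius_km]
        if len(near) >= min_events and len({x["dev"] for x in near}) >= min_devices:
            spots.add((round(anchor["lat"], 3), round(anchor["lon"], 3)))
    return spots


def analyze(rows=EVENTS):
    """Run all three checks over the log and return what each one flags."""
    evs = load(rows)
    return {"stuffing_ips": stuffing_sources(evs),
            "takeovers": takeover_candidates(evs),
            "hot_spots": hot_spots(evs)}


if __name__ == "__main__":
    for name, found in analyze().items():
        print(name, sorted(found))
```

On the constructed log this flags the one source IP that cycled through six accounts in ten seconds, the account whose first-ever Houston login was followed by a password change and a withdrawal, and the single spot where four devices placed five bets within twenty minutes. Note what each check does not do: the takeover check deliberately ignores a far-away login that is not followed by a sensitive action, since travelling bettors are common, and the hot-spot check counts distinct devices rather than accounts, which is the cheap thing for a fraud ring to vary.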
High-level information sharing
Over the course of the intrusion, numerous users reported that they were suddenly locked out of their accounts. Once an attacker has logged in with a password reused from another site, the usual next step is to change that password, which shuts the legitimate owner out while the attacker works the account. Account takeovers are a common form of cybercrime, according to GeoComply. The method of intrusion is similar to what can happen with customer accounts in the banking industry.
Danny DiRienzo joined GeoComply in 2021 after spending 14 months as a sports gaming investigator with the Tennessee Education Lottery Corporation (TELC). Prior to that, DiRienzo spent more than 20 years as a special agent with the U.S. Secret Service, where he coordinated investigations of money laundering, bank fraud, mail fraud, wire fraud, and network intrusions, among other crimes. DiRienzo is now senior director of risk services at GeoComply, where he is widely regarded as one of the sports betting industry’s foremost experts on law enforcement practices.
Taking a page from his days as a Secret Service agent, DiRienzo holds a monthly meeting with law enforcement officials. The gatherings give officials an opportunity to swap information about various investigations. Periodically, DiRienzo also brings together gaming operators and private investigative teams to share intelligence and learn insights from each other.
While GeoComply maintains regular contact with the fraud teams of its sportsbook clients, the company also provides the teams with tools on how to leverage its data to combat fraud.
On this #LawEnforcementAppreciationDay, we extend our appreciation to all law enforcement officers for their continued dedication to protecting their communities.
If your Law Enforcement agency would like to attend our monthly LEA meeting next week, please reach out.
— GeoComply (@GeoComply) January 9, 2023
A primer on 2FA
Only two states have adopted regulations that require online sportsbooks to establish multi-factor authentication, commonly called two-factor authentication (2FA), for customer accounts. In essence, 2FA is an authentication method that adds a layer of security by requiring at least two independent forms of verification, such as a password plus a code from a device the user holds, before granting access to an account. A bettor who attempts to sign on to a mobile sports betting account in a 2FA state may receive a prompt on their phone with an additional code that is required for entry into the sportsbook app.
Sports betting accounts in a state that requires 2FA were among those breached during the intrusion, a state regulator told Sports Handle. DraftKings customers lost at least $300,000 in stolen funds in the breach, all of which apparently have been restored, according to the company. Nevertheless, strict regulations on 2FA can restore the public’s confidence that the proper safeguards are in place to reasonably protect customer accounts, the regulator indicated.
N.J.A.C. 13:69O-1.1 defines “multi-factor authentication” as a type of strong authentication that uses two of the following to verify a patron’s identity:
1. Information known only to the patron, such as a password, pattern, or answers to challenge questions;
2. An item possessed by a patron such as an electronic token, physical token or an identification card; or
3. A patron’s biometric data, such as fingerprints, facial or voice recognition.
—New Jersey regulations on multi-factor authentication
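The pairing the New Jersey rule describes, something the patron knows plus something the patron possesses, is what a time-based one-time password (TOTP, RFC 6238) delivers when layered on a normal password check. The following is an added example written for this article, not DraftKings' or any regulator's implementation: the user record, password, salt and seed are constructed (the seed is the RFC 6238 test-vector seed), and PBKDF2 stands in for a tuned password hash to keep the example standard-library only. The regulator's remark above that accounts in a 2FA state were among those breached is worth keeping in mind: a code-based second factor stops a replayed password cold, as the walkthrough shows, but not a code the victim is tricked into handing over.

```python
# Added example: a TOTP (RFC 6238) second factor layered on a password check.
# Not DraftKings' or any regulator's code; the user record, password, salt and
# seed are constructed for illustration (the seed is the RFC 6238 test seed).
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time in `step`-second slices."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, last_counter, step=30, skew=1):
    """Accept the current step or +/- `skew` steps for clock drift, but never a
    counter at or below the last accepted one, so a sniffed code cannot be replayed.
    Returns (accepted, counter to store)."""
    now = at // step
    for c in range(now - skew, now + skew + 1):
        if c > last_counter and hmac.compare_digest(hotp(secret, c), code):
            return True, c
    return False, last_counter


SALT = b"constructed-salt"  # assumption: per-user random salt in a real store


def pw_hash(password: str) -> bytes:
    # PBKDF2 stands in for a tuned password hash (argon2id/bcrypt) to stay stdlib-only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def fresh_store():
    """Constructed user: a password reused from another site, plus an enrolled TOTP seed."""
    return {"bettor42": {"pw": pw_hash("gym-password-2019"),
                         "totp_secret": b"12345678901234567890",
                         "last_counter": -1}}


def login(store, user, password, code, at):
    """Both factors must pass. The distinct return strings are internal outcomes;
    the message shown to the user should be uniform so it reveals nothing."""
    rec = store.get(user)
    if rec is None:
        return "denied"
    pw_ok = hmac.compare_digest(pw_hash(password), rec["pw"])
    ok, counter = verify_totp(rec["totp_secret"], code, at, rec["last_counter"])
    if not pw_ok:
        return "denied"
    if not ok:
        return "denied: second factor"  # right password, no valid code: stuffing stops here
    rec["last_counter"] = counter       # burn the code so it cannot be reused
    return "granted"


def scenario(at=1111111111):
    """Walk through: stuffed password with no device; owner with the live code;
    the same code replayed; wrong password with a good code; next code works."""
    store = fresh_store()
    secret = store["bettor42"]["totp_secret"]
    code = totp(secret, at)
    return [
        login(store, "bettor42", "gym-password-2019", "", at),                       # attacker
        login(store, "bettor42", "gym-password-2019", code, at),                     # owner
        login(store, "bettor42", "gym-password-2019", code, at + 5),                 # replay
        login(store, "bettor42", "wrong", totp(secret, at + 30), at + 30),           # bad password
        login(store, "bettor42", "gym-password-2019", totp(secret, at + 30), at + 30),  # next step
    ]


if __name__ == "__main__":
    for outcome in scenario():
        print(outcome)
```

The stored `last_counter` is the part most home-grown implementations skip: without it a code observed over the shoulder or phished in real time stays valid for the rest of its 30-second window plus the skew allowance, which is exactly the gap a live phishing proxy relies on.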
Though DraftKings has issued public statements on the breach, the company did not answer questions from Sports Handle on whether it has a cybersecurity insurance policy to protect the company in the case of a major cyber intrusion. Such premiums are likely much higher for companies that do not require 2FA, one industry expert noted at the recent legislative conference for gaming states.
On New Year’s Day, Ohio became the most populous state to go live with online sports betting since New York began offering mobile sports wagering a year earlier. Regulators from the Ohio Casino Control Commission passed one rule that is unique to the Buckeye State. Under the regulation, online sportsbook operators may store customer data in cloud-based environments such as platforms designed by Amazon Web Services.
Ohio’s regulation differs from other states that require the servers for processing online sports wagers to be physically located inside the same jurisdiction, former Ohio state Sen. Bill Coley told Sports Handle.
“It has to be secure,” said Coley, when asked about the importance of enacting standards that will reasonably protect consumer data. “They researched that issue heavily. I’m sure they made the right call and know what they’re doing.”
When used correctly, the cloud is a “fantastic technology” to mitigate the risk of a breach, said Josh Chin, managing partner of Net Force, a member of the national Cyber Security Task Force. Still, there are several instances when data stored in an S3 bucket has been compromised, Chin notes. Amazon S3, short for “Simple Storage Service,” is AWS’s object storage service; publicly reported S3 exposures have generally involved buckets whose access policy left them readable by anyone on the internet, not a flaw in the service itself. While a company such as Amazon bears some responsibility for helping users understand their configurations, sportsbook operators still need to conduct their own due diligence in protecting customer data, he noted.
At a recent Massachusetts Gaming Commission licensing hearing on its Category 3 untethered sports wagering application, DraftKings addressed issues surrounding the cyber breach. While commissioners pressed DraftKings on the company’s response to the breach, few details are known about the inquiry since the matter was discussed in an executive session that was not open to the public.
DraftKings made a favorable impression on the Massachusetts Gaming Commission, though it has issues to address around diversity, violations.https://t.co/T3c1K90soq
— Sports Handle (@sports_handle) January 11, 2023
Marchand, the fraud prevention expert at GeoComply, does not expect account takeovers to go away in 2023. If anything, the threat of a global recession could spawn a new class of non-professional fraudsters. For unemployed workers recently laid off from a job, there is temptation to engage in “opportunistic fraud,” he explained. In economic downturns such as the 2008 financial crisis or other periods with a spike in unemployment, anti-fraud specialists have been forced to keep their guard up for heightened cyberattacks.
“That’s why fraud experts will never be out of a job,” Marchand said. “They will always be kept busy with a new attack.”
This story is the second part in a three-part series on the broad industry response to the cyber breach that impacted more than 65,000 DraftKings accounts. Next up: Part III — How law enforcement officials have treated the first major cybersecurity disruption to impact the sports betting industry since the PASPA decision. Also check out Part I on the response from state regulators to the intrusion.