
Combating Fraud: High-Tech Solutions Help Sportsbooks Respond To Major Data Breaches

Companies such as GeoComply are working with sportsbook clients to mitigate the risk of fraud

by Matt Rybaltowski
January 17, 2023
in Industry

Weeks after thousands of DraftKings customers fell victim to a comprehensive data breach on the weekend before Thanksgiving, the company provided additional details about a massive cyberattack that has rocked the sports betting industry.

In many respects, DraftKings identified a method of intrusion that cyber experts suspected from the outset. According to a data breach notification filed with the Maine Attorney General’s Office, DraftKings spotted a host of suspicious log-ins to certain accounts indicative of a technique known as “credential stuffing.”

A breach carried out through credential stuffing typically occurs when a hacker uses log-in credentials from third-party sites to gain access to a user’s account. The technique could be as simple as obtaining a user’s online password from a local gym before using the same password to enter a bettor’s online sports wagering account.

As is the case with many large-scale cyber intrusions, when an industry is targeted by cybercriminals it typically responds by beefing up its defense ecosystem to prevent future attacks. The breach impacted at least 67,995 customers, according to DraftKings, and sparked a vigorous discussion on cybersecurity at a recent National Council Of Legislators From Gaming States conference. The event was well-attended by a number of companies that offer high-tech, anti-fraud solutions, most notably Vancouver-based GeoComply Solutions Inc.

State legislators and regulators are brainstorming ways to curb cyber attacks in the wake of last month's breach. @MattRybaltowski explores:

– A look at 'credential stuffing'
– The approach for new states
– Outrunning the regulators #sportsbetting https://t.co/Fw5NM7zrpY

— Sports Handle (@sports_handle) December 15, 2022

While GeoComply is known throughout the sports betting world mostly for providing precision geolocation data in new states with mobile sports wagering, the company has also earned plaudits for helping online sportsbooks combat fraud. GeoComply bills itself on its website as a “one-stop shop” for geolocation compliance, anti-fraud, and Know Your Customer (KYC) solutions. On the sports betting side, GeoComply counts high-profile names such as BetMGM, DraftKings, FanDuel, Caesars, and Rush Street Interactive among its partners.

Since DraftKings confirmed the November intrusion, there are indications that other leading operators were also targeted. FanDuel, DraftKings’ archrival, itself reported a spike in cybersecurity breaches around Thanksgiving. Then, days before Christmas, BetMGM CEO Adam Greenblatt disclosed that certain customer records were obtained in an unauthorized manner. The breach affected postal addresses, email addresses, and telephone numbers, as well as Social Security numbers, player ID numbers, and screen names, BetMGM confirmed.

“It will probably go away for a while, as everybody will kind of up their standards,” said Simon Marchand, a GeoComply vice president. “Eventually it might come back when it comes to account takeovers — account takeovers are cyclical.”

Precision geolocation data

GeoComply uses a combination of device data, location information, and behavioral indicators to help operators fight fraud. While fraudsters can switch devices often, since securing a burner phone is relatively easy, Marchand indicated that gaining access to a new address proves to be more difficult. GeoComply looks at outputs to determine whether a transaction is too risky for an operator. The company’s geolocation tracking capabilities are very precise, Marchand emphasized, delivering data with “one to two meter” accuracy.

From there, GeoComply can take two distinct approaches for the next steps in the investigative process. On one hand, the geolocation data will indicate if a bettor generally places wagers from the same location. If a bettor placed a series of wagers on the Minnesota Vikings-New York Giants wild card game from his living room couch, the same locale he used for betting on the NFL throughout the season, the transactions will generally be viewed as safe.

Ohio’s New Year launch means over 44% of US citizens have access to legal and regulated sports betting. @GeoComply recorded 11.3m geolocation transactions on Sunday and Monday. https://t.co/JoCZXTDiQP

— GeoComply (@GeoComply) January 3, 2023

Conversely, there are markers for heightened risks of fraud. A withdrawal request of $437 was made for one targeted sportsbook customer with instructions to send the check to an apartment in a Houston suburb. The request provides a clear example of an account takeover, according to the customer, since he lives nowhere near the city. In other instances, a company like GeoComply may detect a red flag by identifying a location that has been implicated in dozens of other fraud cases.

“If we see 400 transactions across 20 devices in an hour in a garage, there’s obviously something fishy happening there,” Marchand said.
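
A sketch of the kind of location-velocity rule Marchand's example implies, added here for illustration; it is not GeoComply's code or method. The event layout, the rounded-coordinate grid cell and the sample coordinates are assumptions, and the 400-transaction, 20-device, one-hour thresholds are simply the figures from the quote.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # "in an hour", from the quote
MIN_TXNS = 400                # figures from the quote, not tuned thresholds
MIN_DEVICES = 20
CELL_DECIMALS = 4             # assumption: ~11 m grid cell from rounded lat/lon

def cell(lat, lon):
    """Bucket a coordinate into a coarse grid cell (hypothetical scheme)."""
    return (round(lat, CELL_DECIMALS), round(lon, CELL_DECIMALS))

def flag_location_clusters(events, min_txns=MIN_TXNS, min_devices=MIN_DEVICES,
                           window=WINDOW):
    """events: iterable of (timestamp, device_id, lat, lon) in any order.
    Returns {cell: (peak_txns, devices_at_peak)} for every cell where a sliding
    window held at least min_txns transactions from at least min_devices devices."""
    by_cell = defaultdict(list)
    for ts, dev, lat, lon in events:
        by_cell[cell(lat, lon)].append((ts, dev))
    flagged = {}
    for c, rows in by_cell.items():
        rows.sort()
        win, per_device = deque(), defaultdict(int)
        for ts, dev in rows:
            win.append((ts, dev))
            per_device[dev] += 1
            while ts - win[0][0] > window:      # expire events older than the window
                _, old = win.popleft()
                per_device[old] -= 1
                if per_device[old] == 0:
                    del per_device[old]
            if len(win) >= min_txns and len(per_device) >= min_devices:
                if len(win) > flagged.get(c, (0, 0))[0]:
                    flagged[c] = (len(win), len(per_device))
    return flagged

def sample_events():
    """Constructed data: a burst at one spot, the same volume spread over ten
    hours at a second spot, and one bettor on one device at a third."""
    t0 = datetime(2023, 1, 15, 18, 0, 0)
    burst = [(t0 + timedelta(seconds=8 * i), f"dev-{i % 20}", 40.0001, -75.0001)
             for i in range(400)]
    spread = [(t0 + timedelta(seconds=90 * i), f"bar-{i % 20}", 41.0001, -76.0001)
              for i in range(400)]
    home = [(t0 + timedelta(minutes=5 * i), "phone-1", 42.0001, -77.0001)
            for i in range(12)]
    return burst + spread + home

if __name__ == "__main__":
    for loc, (txns, devices) in flag_location_clusters(sample_events()).items():
        print(f"review {loc}: {txns} transactions from {devices} devices within 1h")
```

A crowded venue would trip the same rule, so a hit is a prompt for review alongside device and behavioral signals rather than a verdict.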

High-level information sharing

Over the course of the intrusion, numerous users reported an oddity that prevented them from accessing their accounts. After surreptitiously breaking into the accounts, cybercriminals are able to change the password obtained in the data breach. Account takeovers are a common form of cybercrime, according to GeoComply. The method of intrusion is similar to what can happen with customer accounts in the banking industry.

Danny DiRienzo joined GeoComply in 2021 after spending 14 months as a sports gaming investigator with the Tennessee Education Lottery Corporation (TELC). Prior to that, DiRienzo spent more than 20 years as a special agent with the U.S. Secret Service, where he coordinated investigations of money laundering, bank fraud, mail fraud, wire fraud, and network intrusions, among other crimes. DiRienzo is now senior director of risk services at GeoComply, where he is widely regarded as one of the sports betting industry’s foremost experts on law enforcement practices.

Taking a page from his days as a Secret Service agent, DiRienzo holds a monthly meeting with law enforcement officials. The gatherings give officials an opportunity to swap information about various investigations. Periodically, DiRienzo also brings together gaming operators and private investigative teams to share intelligence and learn insights from each other.

While GeoComply maintains regular contact with the fraud teams of its sportsbook clients, the company also provides the teams with tools on how to leverage its data to combat fraud.

On this #LawEnforcementAppreciationDay, we extend our appreciation to all law enforcement officers for their continued dedication to protecting their communities.

If your Law Enforcement agency would like to attend our monthly LEA meeting next week, please reach out. pic.twitter.com/cToc0hcs8C

— GeoComply (@GeoComply) January 9, 2023

A primer on 2FA

Only two states have adopted regulations that require online sportsbooks to establish multi-factor authentication (2FA) for customer accounts. In essence, 2FA is an authentication method that provides an extra layer of security to a user by requiring at least two forms of verification to gain access to an account. A bettor who attempts to sign on to a mobile sports betting account in a 2FA state may receive a prompt on their phone with an additional code that is required for entry into the sportsbook app.

Sports betting accounts in a state that requires 2FA were among those breached during the intrusion, a state regulator told Sports Handle. DraftKings customers lost at least $300,000 in stolen funds in the breach, all of which apparently have been restored, according to the company. Nevertheless, strict regulations on 2FA can restore the public’s confidence that the proper safeguards are in place to reasonably protect customer accounts, the regulator indicated.

N.J.A.C. 13:69O-1.1 defines “multi-factor authentication” as a type of strong authentication that uses two of the following to verify a patron’s identity:

  1. Information known only to the patron, such as a password, pattern, or answers to challenge questions;
  2. An item possessed by a patron such as an electronic token, physical token or an identification card; or
  3. A patron’s biometric data, such as fingerprints, facial or voice recognition.

—New Jersey regulations on multi-factor authentication

Though DraftKings has issued public statements on the breach, the company did not answer questions from Sports Handle on whether it has a cybersecurity insurance policy to protect the company in the case of a major cyber intrusion. Such premiums are likely much higher for companies that do not require 2FA, one industry expert noted at the recent legislative conference for gaming states.

On New Year’s Day, Ohio became the most populous state to go live with online sports betting since New York began offering mobile sports wagering a year earlier. Regulators from the Ohio Casino Control Commission passed one rule that is unique to the Buckeye State. Under the regulation, online sportsbook operators may store customer data in cloud-based environments such as platforms designed by Amazon Web Services.

Ohio’s regulation differs from other states that require the servers for processing online sports wagers to be physically located inside the same jurisdiction, former Ohio state Sen. Bill Coley told Sports Handle.

“It has to be secure,” said Coley, when asked about the importance of enacting standards that will reasonably protect consumer data. “They researched that issue heavily. I’m sure they made the right call and know what they’re doing.”

When used correctly, the cloud is a “fantastic technology” to mitigate the risk of a breach, said Josh Chin, managing partner of Net Force, a member of the national Cyber Security Task Force. Still, there are several instances when data stored in an S3 bucket has been compromised, Chin notes. Amazon S3 is a moniker for “simple storage service,” a tailored solution for cybersecurity protection. While a company such as Amazon bears some responsibility for instructing users to properly understand their configurations, sportsbook operators still need to conduct their due diligence in protecting customer data, he noted.

At a recent Massachusetts Gaming Commission licensing hearing on its Category 3 untethered sports wagering application, DraftKings addressed issues surrounding the cyber breach. While commissioners pressed DraftKings on the company’s response to the breach, few details are known about the inquiry since the matter was discussed in an executive session that was not open to the public.

DraftKings made a favorable impression on the Massachusetts Gaming Commission, though it has issues to address around diversity, violations. https://t.co/T3c1K90soq

— Sports Handle (@sports_handle) January 11, 2023

Marchand, the fraud prevention expert at GeoComply, does not expect account takeovers to go away in 2023. If anything, the threat of a global recession could spawn a new class of non-professional fraudsters. For unemployed workers recently laid off from a job, there is temptation to engage in “opportunistic fraud,” he explained. In economic downturns such as the 2008 financial crisis or other periods with a spike in unemployment, anti-fraud specialists have been forced to keep their guard up for heightened cyberattacks.

“That’s why fraud experts will never be out of a job,” Marchand said. “They will always be kept busy with a new attack.”

This story is the second part in a three-part series on the broad industry response to the cyber breach that impacted more than 65,000 DraftKings accounts. Next up: Part III — How law enforcement officials have treated the first major cybersecurity disruption to impact the sports betting industry since the PASPA decision. Also check out Part I on the response from state regulators to the intrusion. 

Matt Rybaltowski

Matt is a veteran writer with a specific focus on the emerging sports gambling market. During Matt's two decade career in journalism, he has written for the New York Times, Forbes, The Guardian, Reuters and CBSSports.com among others. In his spare time, Matt is an avid reader, a weekend tennis player and a frequent embarrassment to the sport of running. Contact Matt at matt@usbets.com.
