Over the course of his 12-year professional career, Josh Chin has broken into banks and high-stakes lotteries, infiltrating sophisticated networks that appear reasonably secure to the common employee.
“I’ve walked away a billionaire several times over. Sadly, I had to give the money back,” Chin told an assembled crowd of gaming experts last week in Las Vegas, drawing laughter from the audience.
Chin is not a cybercriminal, but rather an “ethical hacker,” a cybersecurity consultant hired by Fortune 500 companies and mom-and-pop shops alike to uncover vulnerabilities in cyber networks. Chin, managing partner of Net Force, a member of the Cyber Task Force Security, appeared on a digital fraud panel at the National Council Of Legislators From Gaming States (NCLGS) 2022 Winter Meeting at Resorts World Las Vegas. When conducting a large-scale assessment, a cyber practitioner such as Net Force will break down a system and then offer recommendations for an operator to methodically build it back up.
The panel convened in the wake of a cyber breach that reportedly has impacted more than 1,000 customers at DraftKings, resulting in six-figure losses from customer accounts. The sheer breadth of unauthorized intrusions reported on social media has led industry experts to wonder if the figure is exponentially higher. Last month, DraftKings confirmed that scores of bettors had aspects of their customer accounts compromised by irregular activity during Week 12 action in the NFL regular season.
DraftKings says no evidence systems were breached following report of a hack https://t.co/WPiAlC36cQ
— CNBC (@CNBC) November 21, 2022
Now, top legislators and regulators are working proactively to enact safeguards that will help lower the probability that another major sportsbook will experience a major cyber disruption.
In one prominent gaming state, the Nevada Gaming Commission will consider proposed regulations next week that would require gaming operators to determine the best practices needed to mitigate the risk of a cyber attack. While several other states could adopt similar policies on cybersecurity, some question whether hackers will still be able to exploit enforcement gaps. Those gaps raise the question of whether such policies will have teeth only when licensing sanctions come into play.
A look at credential stuffing
It appears that DraftKings’ customers may have fallen victim to a practice known as “credential stuffing,” a hacking technique that occurs when fraudulent actors gain access to hundreds of stolen usernames and passwords in one fell swoop. Quite often, customers will use the same password for a sports betting account that they maintain for other activities, such as online banking, student loan repayments, online shopping, or even a local gym.
Once a hacking team obtains a password from a gym such as 24-Hour Fitness or another third-party site, the group uses an automated bot to test out the password on dozens of other accounts. Chin is not surprised that credential stuffing could have been the preferred form of attack in the DraftKings incident, because there are huge databases online that pair usernames and passwords, he explained. Greg Giordano, a former Nevada deputy attorney general, also expressed little surprise at the manner of the attack given that customer passwords are easily accessible on the “dark web” at a low cost.
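The pattern described above, a bot replaying stolen username/password pairs against many different accounts, leaves a distinctive trace in a login log: one source address attempting many distinct usernames in a short window, mostly failing, with each username tried only once or twice. The following detector, an added example written for this article and not code from DraftKings, Net Force or any vendor, runs over a few constructed log lines (fictional addresses and account names) and flags that signature, distinguishing it from single-account password guessing and from ordinary logins. The log format, thresholds and window size are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log (documentation-range IPs, fictional users), not real data.
# 203.0.113.5 sprays eight different accounts in eight seconds and lands two.
# 198.51.100.7 hammers one account (password guessing, not stuffing).
# 192.0.2.9 is an ordinary successful login.
SAMPLE_LOG = """\
2022-11-20T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2022-11-20T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2022-11-20T10:00:03Z ip=203.0.113.5 user=carol result=FAIL
2022-11-20T10:00:04Z ip=203.0.113.5 user=dave result=OK
2022-11-20T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2022-11-20T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2022-11-20T10:00:07Z ip=203.0.113.5 user=grace result=OK
2022-11-20T10:00:08Z ip=203.0.113.5 user=hank result=FAIL
2022-11-20T10:01:00Z ip=198.51.100.7 user=carol result=FAIL
2022-11-20T10:01:01Z ip=198.51.100.7 user=carol result=FAIL
2022-11-20T10:01:02Z ip=198.51.100.7 user=carol result=FAIL
2022-11-20T10:01:03Z ip=198.51.100.7 user=carol result=FAIL
2022-11-20T10:01:04Z ip=198.51.100.7 user=carol result=FAIL
2022-11-20T10:01:05Z ip=198.51.100.7 user=carol result=FAIL
2022-11-20T10:02:00Z ip=192.0.2.9 user=alice result=OK
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_distinct_users=5, min_failure_ratio=0.5):
    """Flag source IPs whose login attempts within `window` touch at least
    `min_distinct_users` different accounts with a failure ratio of at least
    `min_failure_ratio`. Returns {ip: summary}; the summary lists accounts
    that succeeded during the spray, i.e. the ones to treat as compromised."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Sliding window: drop events older than `window` from the front.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            failures = sum(1 for e in chunk if not e["ok"])
            if len(users) >= min_distinct_users and failures / len(chunk) >= min_failure_ratio:
                summary = {
                    "distinct_users": len(users),
                    "attempts": len(chunk),
                    "failures": failures,
                    "compromised_accounts": sorted({e["user"] for e in chunk if e["ok"]}),
                }
                # Keep the widest window seen for this IP.
                if ip not in alerts or summary["distinct_users"] > alerts[ip]["distinct_users"]:
                    alerts[ip] = summary
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The distinct-username count is what separates stuffing from brute force: the single-account guesser at 198.51.100.7 never clears the five-user threshold and would be caught by a different rule (per-account lockout or rate limiting). The accounts listed under `compromised_accounts` are the ones an operator would force to re-authenticate and notify, which is the response DraftKings described.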
After the hackers obtained passwords on other sites, the actors used the same log-in information to access the DraftKings accounts, the company said. The company did not find any evidence to suggest that its own systems had been breached, said Paul Liberman, DraftKings president for global technology and product, on Nov. 21.
When it comes to cyber breaches among leading sportsbooks in 2022, DraftKings is not alone. FanDuel, DraftKings’ main rival, has also seen a spike in cyber breaches of late, according to media reports. A third major online sportsbook that ranks in the top five of U.S. market share was also targeted in the recent hacking incidents, an industry source told Sports Handle at the conference.
When asked by Sports Handle about the percentage of customers who have been reimbursed for lost funds as of Wednesday, a DraftKings spokesman declined comment. DraftKings also did not provide an update on the number of customers targeted by the cyber activity or the overall amount of stolen funds among impacted customers.
The approach for new states
The panel also heard from Michael K. Morton, a senior policy counsel for the Nevada Gaming Control Board’s (NGCB) administrative division. Next week, the Nevada Gaming Commission could adopt changes to regulations that would require gaming operators to complete an annual cyber risk assessment. Under the rule, gaming operators must not only protect their own records and operations, but also the personal identifiable information of their “patrons, employees, and vendors.” Furthermore, an operator is required to inform the NGCB of a cyber attack no later than 72 hours after discovering the breach.
The panel was moderated by state Rep. Mike Finn of Massachusetts, a state preparing to launch online sports betting early next year. At the moment, Massachusetts does not have “notification language” similar to Nevada with guidance to operators on appropriate cyber defenses, Finn told Sports Handle. Finn and other legislators must work with state regulators to pass such rules.
Another 2023 newcomer, Ohio, is expected to be the most populous state to launch sports betting next year. One provision in the Ohio Casino Control Commission (OCCC) standards will require operators to undergo an independent audit of their security protocols and information technology systems at least once every three years. But OCCC Chair June Taylor indicated that the commission has the flexibility to shorten the window in cases that require expediency, telling Sports Handle that it could lower the amount to 18 months if necessary.
Outrunning the regulators
A common theme among regulators, legislators, and tech experts who spoke with Sports Handle over the three-day conference is that the technology used by sophisticated hacking groups is often so advanced that state governments are struggling to keep pace. A state regulator could pass an emergency measure to require independent audits every 18 months, but are the policies effective when cyber criminals can devise a strategy to bypass a security system in less than 18 hours?
There are other complications. In some states, the legislature meets sporadically. The Nevada legislature, for instance, only meets for a period of 120 days every two years. As a result, the legislature has given regulators wide latitude to pass emergency measures when it is not in session, Morton explained.
Others griped that some legislatures have not earmarked enough funding to enable enforcement teams to adequately address the problem.
To that end, Colorado Division of Gaming Director Dan Hartman will consider appointing a cybersecurity assessment task force in the coming months. The task force may include a dedicated cybersecurity chief who will work collaboratively with retail and online sportsbooks to assist the operators in better preparing for a potential intrusion. In the cryptocurrency space, Colorado has given consideration to appointing an official in a similar role, dubbed the “crypto czar.”
A host of state legislators were quick to point out that other major industries have fallen victim to massive cyber breaches.
NCLGS President Jon Ford hails from Indiana, where the Indianapolis Housing Agency dealt with a series of massive ransomware attacks over the fall. Washington state Rep. Shelley Kloba described a security incident at the height of the pandemic that affected the personal information of 1.6 million individuals who filed unemployment claims with the state. Kloba noted that the DraftKings incident could serve as a “wake-up call” for the industry.
For companies that brush off the threat of an attack, there could be a high price to pay. After Iran breached the cyber network of Las Vegas Sands in 2014, it cost the company $40 million to rebuild its network, Morton noted.
Another industry expert, SharpRank CEO Chris Adams, indicated that the best-case scenario for now is proactively setting guardrails, along with checks and balances, so that the occurrences of cyber attacks diminish.
“The only thing that needs to happen right now is setting a speed limit,” Adams told Sports Handle. “There is absolutely no need to put a governor on the industry’s growth engines, it’s more about setting the speed limit so that there are tangible solutions for bad actors who jeopardize this industry’s stability, growth, and ability to innovate.”
Ford, meanwhile, lauded his fellow legislators for making consumer protections a key priority of the conference. Regulations provide reasonable safeguards, but statutory mandates show that a state means business. Moreover, licensing matters are a serious undertaking, where a state often has a high bar to prove culpability — a task that is challenging given the prevalence of cyber attacks in nearly every online industry.
“We’re going to have high standards to ensure that consumers’ privacy will be protected,” Ford told Sports Handle. “If places don’t do it, they could lose their license.”
This story is the first part in a three-part series on the broad industry response to the cyber breach that impacted more than 65,000 DraftKings accounts. Next up: Part II — The technological solutions at the fingertips of stakeholders to respond effectively to cyber attacks.