As the investigation continues into the recent cyberattack that affected an unconfirmed number of accounts with major U.S. sportsbook operators, including FanDuel and DraftKings, state gaming regulators are placing a greater emphasis on two-factor authentication and consumer protection, although the responsibility to secure accounts lies with the licensee.
Last month, DraftKings confirmed that it would reimburse customers affected by a credential stuffing attack that led to losses of up to $300,000.
Most of the hacked accounts followed the same pattern: an initial $5 deposit, after which the attackers changed the password. With the password changed, the attackers were able to move two-factor authentication (2FA) to a different mobile number and then withdraw money from the customers' linked bank accounts.
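The deposit, password change, 2FA re-enrolment, withdrawal sequence described above is the kind of thing an operator's risk engine can correlate before money leaves the account. The following is an added example, not code from the article or from any sportsbook operator; the event stream, account IDs, event names, the 24-hour window and the $10 "probe deposit" threshold are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample account events (not real operator data).
# Each tuple: (ISO timestamp, account_id, event_type, detail)
EVENTS = [
    ("2022-11-18T09:00:00", "acct-1001", "deposit", "5.00"),        # small "does the card work" deposit
    ("2022-11-18T09:04:00", "acct-1001", "password_change", ""),
    ("2022-11-18T09:06:00", "acct-1001", "mfa_phone_change", "+15550100"),
    ("2022-11-18T09:20:00", "acct-1001", "withdrawal", "2400.00"),
    ("2022-11-18T10:00:00", "acct-2002", "deposit", "50.00"),       # ordinary customer
    ("2022-11-18T12:00:00", "acct-2002", "withdrawal", "20.00"),
    ("2022-11-10T08:00:00", "acct-3003", "password_change", ""),    # change well outside the window
    ("2022-11-18T08:00:00", "acct-3003", "withdrawal", "100.00"),
]

PROBE_DEPOSIT_MAX = 10.00  # assumed threshold for a "test the payment rail" deposit


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def flag_takeover_withdrawals(events, window=timedelta(hours=24)):
    """Return withdrawals that were preceded, within `window`, by BOTH a
    password change and an MFA phone change on the same account.

    Each hit is (account_id, withdrawal_time, amount, probe_deposit_seen).
    A hit is where a risk engine would hold the withdrawal and step up
    verification through the contact details on file *before* the change.
    """
    by_account = {}
    for ts, acct, etype, detail in sorted(events):  # ISO strings sort chronologically
        by_account.setdefault(acct, []).append((parse_ts(ts), etype, detail))

    flagged = []
    for acct, evs in by_account.items():
        for when, etype, detail in evs:
            if etype != "withdrawal":
                continue
            recent = [(t, e, d) for t, e, d in evs if when - window <= t < when]
            kinds = {e for _, e, _ in recent}
            if {"password_change", "mfa_phone_change"} <= kinds:
                probe = any(e == "deposit" and float(d) <= PROBE_DEPOSIT_MAX
                            for _, e, d in recent)
                flagged.append((acct, when.isoformat(), float(detail), probe))
    return flagged


if __name__ == "__main__":
    for hit in flag_takeover_withdrawals(EVENTS):
        print("HOLD:", hit)
```

Keying on the combination of credential change plus second-factor re-enrolment, rather than on either alone, keeps legitimate phone upgrades from being held while still catching the sequence the article describes.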
DraftKings advised customers to not use the same password for more than one online service and never share their credentials with third-party platforms, including wagering apps.
The cyberattack came as gaming regulators were already putting a greater emphasis on cybersecurity and related know your customer (KYC) practices, with both New Jersey and Pennsylvania having taken steps over the past few months to require multi-factor authentication for all online accounts.
Two-factor or multi-factor authentication still requires a user to enter their username and password, but instead of immediately gaining access to the account they must provide another piece of information, such as a personal identification number, a code sent to their mobile device, or answers to “secret questions.” Strictly, a PIN or a secret-question answer is another thing the user knows, so it is exposed to the same phishing and reuse risks as the password; a code delivered to a device the user holds is what makes the second factor independent of the first.
The Pennsylvania Gaming Control Board (PGCB) issued new industry guidance on July 1, 2022 requiring operators to offer players the option to utilize multi-factor authentication (MFA) at each login.
“Each unique device is required to have MFA performed every 14 days,” according to the industry guidance, which is similar to best practices also put into effect in New Jersey.
“This additional security measure ensures the player who is accessing the account is the player who owns the account by authenticating the account and device used to access the account.”
“The security and protection of Pennsylvania gaming public is and always has been the foremost priority of the Pennsylvania Gaming Control Board,” spokesman Doug Harbach told VIXIO GamblingCompliance.
Harbach noted that Pennsylvania law further allows regulators to closely monitor iGaming and mobile sports-betting activity, and each licensee is required to adopt standards to protect the privacy and security of players engaged in online and mobile gaming.
Those standards require plans to respond to suspected or actual cyberattacks, hacking or tampering with a website or mobile app. The procedures must include the process for the reconciliation or repayment of a registered player's interactive gaming account, according to control board regulations.
Maryland’s mobile sports-betting industry launched on November 23, with seven apps going live on that first day accepting online wagers from anywhere in the state.
“Generally, we view protection of customer data to be a customer service responsibility for the sportsbook operators,” said Seth Elkin, a spokesman with Maryland Lottery and Gaming.
“Our regulations also require operators to lock a customer's account after three failed login attempts, and the operators are required to have customers use multi-factor authentication in order to recover or reset a password or user name after an account has been locked,” he added.
For all deposits and withdrawals, Elkin said, sportsbook operators “are required to determine whether the information provided by the customers is inconsistent with the funding information the customer previously provided; and whether the information provided by the customer fails to verify the customer’s identity.”
Regulators in Pennsylvania and New Jersey adopted multi-factor authentication requirements to counter so-called credential stuffing, the technique used against sportsbook operators last month. In credential stuffing, bad actors use automated tools to make repeated login attempts against user accounts with credentials stolen from other websites; because each attempt uses a different stolen username and password pair, the traffic does not look like a classic brute-force attack on a single account.
Cyber criminals can gain access to accounts whose owners have reused credentials across multiple platforms.
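Because credential stuffing spreads one or two attempts across many accounts, per-account lockouts barely see it; it shows up instead as a source that tries many distinct usernames with a high failure rate. The following detection logic is an added example, not code from the article or from any operator: the log format, the sample lines (documentation IP ranges, made-up usernames), the thresholds and the two verdict labels are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed authentication log format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample lines: one spraying source, one brute-force source, one normal user.
SAMPLE_LOG = """
2022-11-17T03:00:01 src=198.51.100.7 user=alice result=fail
2022-11-17T03:00:02 src=198.51.100.7 user=ben result=fail
2022-11-17T03:00:02 src=198.51.100.7 user=chen result=fail
2022-11-17T03:00:03 src=198.51.100.7 user=dara result=fail
2022-11-17T03:00:03 src=198.51.100.7 user=eli result=fail
2022-11-17T03:00:04 src=198.51.100.7 user=farah result=fail
2022-11-17T03:00:04 src=198.51.100.7 user=gus result=fail
2022-11-17T03:00:05 src=198.51.100.7 user=hana result=fail
2022-11-17T03:00:05 src=198.51.100.7 user=ivan result=fail
2022-11-17T03:00:06 src=198.51.100.7 user=jamal result=ok
2022-11-17T03:10:00 src=203.0.113.9 user=bob result=fail
2022-11-17T03:10:01 src=203.0.113.9 user=bob result=fail
2022-11-17T03:10:02 src=203.0.113.9 user=bob result=fail
2022-11-17T03:10:03 src=203.0.113.9 user=bob result=fail
2022-11-17T03:10:04 src=203.0.113.9 user=bob result=fail
2022-11-17T03:10:05 src=203.0.113.9 user=bob result=fail
2022-11-17T08:00:00 src=192.0.2.5 user=carol result=fail
2022-11-17T08:00:09 src=192.0.2.5 user=carol result=ok
""".strip().splitlines()


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_sources(lines, min_attempts=5, spray_ratio=0.8, fail_ratio=0.8):
    """Label each source IP 'credential_stuffing', 'brute_force' or 'normal'.

    Stuffing: many attempts, almost all against *different* usernames, mostly failing.
    Brute force: many attempts against *one* username, mostly failing.
    """
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "fails": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        s["fails"] += rec["result"] == "fail"

    verdicts = {}
    for src, s in stats.items():
        n = s["attempts"]
        if n < min_attempts:
            verdicts[src] = "normal"
            continue
        distinct_ratio = len(s["users"]) / n
        fail_rate = s["fails"] / n
        if distinct_ratio >= spray_ratio and fail_rate >= fail_ratio:
            verdicts[src] = "credential_stuffing"
        elif len(s["users"]) == 1 and fail_rate >= fail_ratio:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "normal"
    return verdicts


def compromised_accounts(lines, verdicts):
    """Usernames that logged in successfully from a stuffing source: these are the
    reused credentials that worked and need a forced reset and session revocation."""
    hits = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] == "ok" and verdicts.get(rec["src"]) == "credential_stuffing":
            hits.add(rec["user"])
    return hits


if __name__ == "__main__":
    v = classify_sources(SAMPLE_LOG)
    print(v)
    print("reset:", compromised_accounts(SAMPLE_LOG, v))
```

Grouping by source IP is the simplest key and is enough to show the shape of the traffic; real stuffing tools rotate through proxies, so production detections usually also key on ASN, client fingerprint or user agent and watch the site-wide failure rate.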
“On the players side, the PGCB encourages gamers to use best practices to protect their accounts and personal information,” Harbach said. “For example, a user should not use the same password for multiple account logins across different operators and businesses.”
Concerns about cyberattacks and attempted fraud led the New Jersey Division of Gaming Enforcement (DGE) to set a June 30, 2022 deadline for every online gaming operator to establish multi-factor authentication for their customers as part of their KYC obligations. Multi-factor authentication is required for any new devices used by the patron and every two weeks for known devices and accounts.
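The rules quoted above (Pennsylvania and New Jersey: MFA on any new device and again every 14 days per known device; Maryland: lock after three failed logins and require MFA, not just a password reset, to recover) reduce to a small login policy. The following is an added example, not code from the article, from any regulator or from any operator; the function names, the in-memory account state and the walk-through scenario are assumptions made for illustration.

```python
from datetime import datetime, timedelta

MFA_MAX_AGE = timedelta(days=14)   # PGCB/DGE: re-authenticate each known device every 14 days
MAX_FAILED_LOGINS = 3              # Maryland: lock the account after three failed attempts


class AccountState:
    """Per-account state a login service would persist (assumed shape)."""
    def __init__(self):
        self.failed_logins = 0
        self.locked = False
        self.device_last_mfa = {}  # device_id -> datetime of last successful MFA on that device


def evaluate_login(state, device_id, password_ok, now):
    """Decide one password submission: 'locked', 'deny', 'require_mfa' or 'allow'."""
    if state.locked:
        return "locked"                      # a correct password alone never unlocks
    if not password_ok:
        state.failed_logins += 1
        if state.failed_logins >= MAX_FAILED_LOGINS:
            state.locked = True
            return "locked"
        return "deny"
    state.failed_logins = 0
    last = state.device_last_mfa.get(device_id)
    if last is None or now - last >= MFA_MAX_AGE:
        return "require_mfa"                 # new device, or known device past 14 days
    return "allow"


def record_mfa_success(state, device_id, now):
    """Bind the device to the account for another MFA_MAX_AGE window."""
    state.device_last_mfa[device_id] = now


def recover_after_lock(state, mfa_ok):
    """Maryland-style recovery: only a successful MFA challenge clears a lock."""
    if state.locked and mfa_ok:
        state.locked = False
        state.failed_logins = 0
        return True
    return False


def scenario():
    """Walk one account through the policy; returns the decisions in order."""
    s = AccountState()
    t0 = datetime(2022, 12, 1, 9, 0)
    out = [evaluate_login(s, "dev-A", True, t0)]                            # new device -> require_mfa
    record_mfa_success(s, "dev-A", t0)
    out.append(evaluate_login(s, "dev-A", True, t0 + timedelta(days=13)))   # allow
    out.append(evaluate_login(s, "dev-A", True, t0 + timedelta(days=14)))   # require_mfa again
    out.append(evaluate_login(s, "dev-B", True, t0))                        # unknown device -> require_mfa
    for _ in range(3):
        out.append(evaluate_login(s, "dev-A", False, t0))                   # deny, deny, locked
    out.append(evaluate_login(s, "dev-A", True, t0))                        # still locked
    out.append(recover_after_lock(s, mfa_ok=False))                         # False
    out.append(recover_after_lock(s, mfa_ok=True))                          # True
    out.append(evaluate_login(s, "dev-A", True, t0))                        # allow
    return out


if __name__ == "__main__":
    print(scenario())
```

The device identifier is whatever the operator binds at MFA time (a signed cookie or app-installation token); the policy is only as good as that binding, so the token should be tied to the account and revoked when the password or MFA method changes.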
Julia Wiacek, a DGE spokeswoman, told VIXIO the agency is aware of recent incidents concerning player accounts but does not comment on the existence of investigations.
The FBI on Friday (December 2) declined to comment on the matter, following a report by ESPN that it too was probing the incidents.
In Nevada, regulators require multi-factor authentication only for interactive gaming or online poker games, and then only before funds are withdrawn from accounts.
“We do not have similar requirements for mobile casino style gaming or for mobile race and sports wagering,” said Michael Lawton, senior economic analyst with the Nevada Gaming Control Board.