DraftKings Account Takeovers Frame Cybersecurity Dilemma in Sports Betting

Popular online betting platform DraftKings has been the target of credential stuffing attacks that have allowed cyber thieves to get away with around $300,000 in ill-gotten funds so far.

One of its competitors, FanDuel, also said this week that it has seen an increase in account takeover attempts against its customers.

Credential stuffing is a tactic in which cybercriminals attempt to compromise accounts using lists of username and password combinations obtained from previous breaches, often purchased on the Dark Web. They bet — quite literally — on account holders reusing their email addresses and passwords across multiple accounts, so a credential leaked from, say, a Netflix account works against higher-value targets like financial or online gambling accounts.
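What distinguishes credential stuffing in an authentication log is the shape of the traffic: one source tries many different usernames, roughly one password each, and most attempts fail, with the occasional success being the takeover. The following detector is an added example, not code from the original article or from DraftKings; the log format, the sample lines and the thresholds are all constructed for illustration.

```python
"""Detect credential-stuffing bursts in authentication logs.

A brute-force attack hammers one account with many passwords; credential
stuffing tries many accounts with one leaked password each.  The detector
groups login events by source IP inside a sliding time window and flags
sources whose distinct-username count and failure ratio both exceed
thresholds.  For each flagged source it also lists the accounts that logged
in successfully, because those are the likely takeovers.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample log in a hypothetical format (not real DraftKings logs).
# 198.51.100.7 is a stuffing run; 203.0.113.9 is a brute force on one account.
SAMPLE_LOG = """\
2022-11-19T02:00:01Z ip=198.51.100.7 user=alice@example.com result=FAIL
2022-11-19T02:00:02Z ip=198.51.100.7 user=bob@example.com result=FAIL
2022-11-19T02:00:02Z ip=198.51.100.7 user=carol@example.com result=FAIL
2022-11-19T02:00:03Z ip=198.51.100.7 user=dave@example.com result=FAIL
2022-11-19T02:00:03Z ip=198.51.100.7 user=erin@example.com result=OK
2022-11-19T02:00:04Z ip=198.51.100.7 user=frank@example.com result=FAIL
2022-11-19T02:00:05Z ip=198.51.100.7 user=grace@example.com result=FAIL
2022-11-19T02:00:05Z ip=198.51.100.7 user=heidi@example.com result=FAIL
2022-11-19T02:00:06Z ip=198.51.100.7 user=ivan@example.com result=FAIL
2022-11-19T02:00:06Z ip=198.51.100.7 user=judy@example.com result=FAIL
2022-11-19T02:00:07Z ip=198.51.100.7 user=mallory@example.com result=OK
2022-11-19T02:10:00Z ip=203.0.113.9 user=alice@example.com result=FAIL
2022-11-19T02:10:30Z ip=203.0.113.9 user=alice@example.com result=FAIL
2022-11-19T02:11:00Z ip=203.0.113.9 user=alice@example.com result=OK
2022-11-19T03:00:00Z ip=192.0.2.44 user=bob@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_distinct_users=8, min_fail_ratio=0.7):
    """Return {ip: sorted usernames that logged in OK from ip} for every
    source that, within any `window`, tried at least `min_distinct_users`
    different usernames with a failure ratio of at least `min_fail_ratio`.
    Thresholds are illustrative; tune them to the site's real traffic."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans <= window.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            chunk = evs[start:end + 1]
            distinct = {e.user for e in chunk}
            fails = sum(1 for e in chunk if not e.ok)
            if len(distinct) >= min_distinct_users and fails / len(chunk) >= min_fail_ratio:
                flagged[ip] = sorted({e.user for e in evs if e.ok})
                break  # one hit is enough to flag the source
    return flagged


if __name__ == "__main__":
    for ip, victims in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: credential stuffing; successful logins: {victims}")
```

The single-account brute force from 203.0.113.9 is deliberately not flagged: it fails the distinct-username threshold, which is the point of separating the two patterns. In production the successful logins from a flagged source would feed a forced password reset and a hold on withdrawals rather than just a print statement.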

Over the weekend, reports surfaced on social media from DraftKings users complaining that they had been locked out of their accounts and had their funds withdrawn. The company soon confirmed the activity.

“DraftKings is aware that some customers are experiencing erratic activity with their accounts,” said Paul Liberman, DraftKings co-founder and president of global technology and products, in a media statement Monday. “We currently believe that these customers’ credentials were compromised on other websites and then used to access their DraftKings accounts where they used the same credentials.”

Although the number of affected accounts is unknown, the company said about $300,000 in funds have been withdrawn so far and that it intends to “cure every affected customer.”

Cybercriminals Eye World Cup and more

The increased activity could be due to the start of the NHL and NBA seasons and the NFL season entering the make-it-or-break-it phase before the playoffs – and, of course, the 2022 FIFA World Cup kicking off this weekend.

“Online gambling sites are attractive targets because of the large amounts of money that are wagered every day,” Chris Hauk, consumer advocate at Pixel Privacy, told Dark Reading. “Many customers let their winnings run (don’t collect them if they win) so they have credit to use towards the next game, match or other sporting event. This is especially true now that the World Cup is being held in Qatar as football matches are attractive to bettors.”

And indeed, DraftKings isn’t the only one seeing a spike in attacks; one of its main competitors, FanDuel, told CNBC that it has also seen increased account targeting (though no confirmed compromises so far). But amid increasing interest from cybercriminals, the success of the DraftKings attackers points to an ongoing problem with user awareness, according to James McQuiggan, security awareness advocate at KnowBe4.

“As many data breaches and attacks have taken place, people are still unaware of the impact of having their bank accounts linked to their gambling accounts. If they are not properly protected, they can be stolen,” he says. “Most of the time, people don’t believe this is going to happen to them and are unaware of the various attacks and efforts cybercriminals use to steal their money or identity.”

The stakes are also high for online gambling companies. “DraftKings and other online betting sites could see their reputations suffer if they are the target of such attacks,” says Hauk. “Bettors may lose confidence in sites as to whether they are safe and able to protect their bettors’ bankrolls from exposure to bad actors.”

More robust multifactor authentication is required

Like most online account providers, DraftKings offers optional two-factor authentication for users. But it is not required.

“DraftKings does not force users to enable two-factor authentication for their accounts,” explains Paul Bischoff, data protection officer at Comparitech. “The only exception is Connecticut, where DraftKings must enforce activation of two-factor authentication for all accounts geolocated there. I think that’s a mistake considering how much money is at stake. Hacking accounts with 2FA enabled would require another attack using the one-time codes, making them far less vulnerable.”

Given what’s at stake for the company and its customers, Hauk notes that setting up more robust protection options for users should be a must, starting with at least requiring 2FA, even if it is based on one-time passwords sent via SMS or email.

KnowBe4’s McQuiggan notes that there are also mechanisms to encourage better user decisions.

“Corporate approaches should do the same [include the ability to] Compare passwords to known passwords that have been involved in security breaches,” he explains. “If users are using simple and hacked passwords, they should require users to reset their passwords to unique and strong passwords.”
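Screening passwords against breach corpora, as McQuiggan suggests, is usually done without ever sending the password (or its full hash) to the checking service. The following is an added example, not code from the article, KnowBe4 or DraftKings: it implements the k-anonymity range scheme used by Have I Been Pwned's Pwned Passwords API (the client sends the first five hex characters of the SHA-1 hash and receives all matching suffixes with counts), but against a constructed in-memory corpus with made-up counts so that it runs offline. `range_lookup`, `breach_count` and `password_acceptable` are names chosen here, not library functions.

```python
"""Breached-password check with k-anonymity prefix lookup.

The client hashes the candidate password with SHA-1, sends only the
first five hex characters of the digest, receives every known breached
hash suffix sharing that prefix along with a breach count, and finishes
the comparison locally.  The lookup service never learns the full hash,
let alone the password.  The corpus below is constructed for the example;
a real deployment would query the Pwned Passwords range endpoint or a
downloaded copy of the list.
"""
import hashlib

# Constructed breach corpus with made-up counts (hypothetical data).
_BREACHED = {
    "password": 1000,
    "123456": 5000,
    "qwerty": 800,
    "letmein": 300,
    "draftkings2022": 12,
}


def sha1_upper(password):
    """Uppercase hex SHA-1, the form the range scheme compares."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus by 5-character prefix, the way the range API serves it.
_INDEX = {}
for _pw, _count in _BREACHED.items():
    _h = sha1_upper(_pw)
    _INDEX.setdefault(_h[:5], []).append((_h[5:], _count))


def range_lookup(prefix):
    """Stand-in for the remote range endpoint: return 'SUFFIX:COUNT' lines
    for a 5-character uppercase hex prefix.  Input is validated so a caller
    cannot accidentally leak more of the hash than the scheme intends."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return "\n".join(f"{s}:{c}" for s, c in sorted(_INDEX.get(prefix, [])))


def breach_count(password):
    """Times the password appears in the corpus (0 if unseen).  Only the
    5-character prefix crosses the trust boundary into range_lookup."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line:
            continue
        cand_suffix, count = line.split(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


def password_acceptable(password, min_length=12):
    """Policy in the spirit of the quote: reject breached or trivially
    short passwords and force a reset instead of merely warning.
    Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short"
    n = breach_count(password)
    if n > 0:
        return False, f"seen in {n} breaches"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "draftkings2022", "correct horse battery staple"):
        print(candidate, "->", password_acceptable(candidate))
```

Two points worth checking in any real implementation: the check belongs at registration, password change and at login for accounts that predate the policy, and a hit should trigger a reset, not a warning the user can click past. Note that a password absent from the corpus is merely not known to be breached; it still needs the length and uniqueness requirements the quote calls for.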

Of course, while these measures might eliminate some low-hanging fruit, simple 2FA based on one-time codes can be subverted without too much effort, for example by phishing the code itself. Therefore, the researchers say the right way to secure these accounts is phishing-resistant MFA built on FIDO2-certified authenticators. But unfortunately, we probably won’t see that implemented anytime soon, as it’s often difficult for these types of organizations to adequately balance user experience with security.

“Much of this boils down to risk-based assessments of the risk of an attack versus the cost of implementing more robust MFA applications or features,” says McQuiggan. “The gambling sites also want to make it easy for people to sign up to the platform; if it’s too complex, users will go elsewhere to play. Most users are familiar with the SMS code these days, and while it’s one of the weaker MFA methods, it’s easier for users to complete account access.”

