Every so often, we get a reminder of the extent to which financial systems rest on confidence and faith. In the digital era, money is more abstract than ever.
Events of the past week have perhaps rattled that faith for some and highlighted the importance of regulation in preserving it.
Several US operators, including BetMGM and DraftKings, have suffered cyber-attacks leading to fraudulent transactions. Those events come on the heels of an even more dramatic breakdown in the crypto space. Prominent exchange FTX went bankrupt, taking billions of dollars worth of users’ cryptocurrency with it.
The extent to which our economy has become as digitized over the past decade and a half is genuinely remarkable. More often than not, when something goes wrong, there’s no physical branch to drive to. Even getting a human customer service representative on the phone can be difficult.
In those cases, the value of a robust regulatory backstop becomes apparent.
The Downside to Easy Payments
Last week, news broke that several BetMGM Poker and WSOP.com account holders had been the victims of identity theft. As reported by USPoker, some noticed the disappearance of thousands of dollars from their bank accounts.
Todd Witteles, a poker player who runs PokerFraudAlert, believes that the breach originated with Global Payments Gaming Solutions (GPGS). This online payment processor handles deposits and withdrawals for numerous online poker operators.
The exact cause and extent of the breach are still officially unknown. BetMGM’s investigation is ongoing, while Las Vegas-based GPGS has emphatically claimed that its systems were not breached:
There has been no security breach or fraudulent accounts opened at our gaming business in connection with this investigation. The protection of our customers and their clients’ information and funds is our top priority and we are working with these third parties to ensure any impacted individuals are refunded.
Worryingly, the problem hasn’t abated in recent days. Players continue to report having fraudulent GPGS accounts set up in their names and connected to their BetMGM and WSOP accounts.
Witteles was himself among the victims. He says that he suspects an inside job. Barring that, however, he says the weakest link appears to be GPGS’s VIP Preferred feature and its interaction with BetMGM’s Know Your Customer (KYC) process:
BetMGM Nevada requires you to scan ID with your phone camera in order to get verified (or to do it in person at a sportsbook)… other BetMGM states, such as New York, only require first name, last name, last four digits of your Social Security number, date of birth, and address… Then if you select ‘deposit’, and click on ‘VIP Preferred,’ it auto-loads your previously used payment methods… As long as Global Payments previously processed a payment for them, nothing is verified.
Poker Celebrities Targeted
The story first came to light because several prominent names in the poker world had been affected. As well as Witteles, these included Joseph Cheong, Sam Panzica, and 2009 World Series of Poker Main Event winner Joe Cada.
Additional victims came forward as the days rolled on. Witteles, an expert on poker fraud, says the scope of the scam is remarkable:
This is definitely the worst case of any kind of bank account theft in poker history. I’ve seen cheating scandals at the poker table, online and live that have resulted in bigger thefts than this, but as far as directly stealing out of people’s bank accounts, I’ve never seen anything like this.
Panzica also expressed frustration that despite BetMGM’s publicly stated commitment to “working with impacted patrons to make sure refunds are processed,” the company’s support staff privately told him to talk to his financial institution.
Despite Panzica’s objections, that may, in fact, be the correct approach. Several affected players have reported successfully getting the fraudulent charges reversed that way.
Credential Stuffing Attack on DraftKings
Though the timing was similar, the attack on DraftKings appears to have used a different method. On Monday, the online sports betting giant said that an undetermined number of customer accounts had been hacked and nearly $300,000 stolen.
Upon noticing suspicious activity, some customers tried to log in to their DraftKings accounts only to find that their password had been changed. Requests for a password change at DraftKings result in a text message being sent to the user’s phone number. However, the hackers had also changed the numbers on file.
DraftKings has insisted that the hacks are not the result of a breach of its servers but rather those of other sites. Despite frequent warnings not to reuse logins, many people still do so, which leads to these so-called “credential stuffing” attacks. Hackers purchase databases of login information obtained from lower-security sites. They then try those username-password combinations on the target site until they find ones that work.
In a statement, DraftKings co-founder and President for Global Technology & Product Paul Liberman said:
DraftKings is aware that some customers are experiencing irregular activity with their accounts. We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information… We have seen no evidence that DraftKings’ systems were breached to obtain this information.
In the same statement, Liberman said that DraftKings will “make whole any customer that was impacted.”
The response by DraftKings seems to have satisfied investors, at least. The company’s shares initially fell by over 11% on Monday but have since rebounded.
The FTX Implosion
FTX isn’t technically a gambling site, though the difference between cryptocurrency speculation and gambling isn’t as large as some would like to believe.
Indeed, what happened to FTX is highly reminiscent of the final days of Full Tilt Poker in the aftermath of Black Friday and later Lock Poker. Not only that, but one user has pointed out that its Chief Regulatory Officer, Daniel Friedburg, was also directly involved in the most infamous poker scandal of all time – that of UltimateBet.
FTX, Full Tilt and Lock all committed the same sin of failing to segregate customer funds. Companies that do this can make more money by reinvesting those funds or spending them on marketing. However, if word gets out that they don’t have sufficient cash on hand to cover those balances, people panic and start to withdraw. The company runs out of liquid capital and goes bankrupt.
That’s precisely what happened to FTX and Lock Poker. The collapse of Full Tilt started differently, with the shutdown of its site by US authorities. However, the endpoint was the same, at least until PokerStars stepped in and made former Full Tilt customers whole again.
The requirement to segregate funds is perhaps the most important of all the protections offered by a regulated market. When banks and other financial companies are allowed to reinvest customer funds, the government provides insurance for those balances. But when it comes to offshore companies, user balances always depend on the company’s continued solvency.
Safety in Regulation
The New York Times recently ruffled feathers across the industry by publishing an article heavily critical of the path the US has taken to regulating sports betting. The report makes a few valid points. At the same time, it misses the most important one: Whatever criticisms one can make of the US-regulated market, it is vastly preferable to the former status quo, which was an offshore black market.
For evidence of that, we have only to look at the difference in outcomes between BetMGM, WSOP and DraftKings customers and those who were keeping money on FTX – or, conversely, those who had accounts on Full Tilt or Lock Poker when those sites went under.
Quick Reimbursement vs. Endless Lawsuits
All these US casino companies are locally regulated and legal, meaning users have various fraud protection available. Some people are already getting their money back from their banks and credit card providers. Furthermore, if regulators were to find operators at fault in a case like this, they’d be on the hook for reimbursement.
And what about FTX customers? The custodial company BitGo says it has managed to recover $740 million of the assets. That’s only a fraction of what was lost, however.
Many customers see no recourse except litigation. However, those lawsuits will be time-consuming and expensive. Moreover, FTX is incorporated in Antigua and Barbuda, not the US, so they couldn’t sue it directly even if it could pay. Instead, the plaintiffs are going after those who promoted the site. That includes multiple celebrities and even the Golden State Warriors NBA team.
They will probably get something. Former SEC regulator John Reed Stark told Bloomberg that he expects many defendants to settle to preserve their reputations. However, proper oversight can prevent many such problems in the first place and avoid the need to involve the courts when a situation arises.
Bonus News Managing Editor Alex Weldon contributed to this article.