Pennsylvania online gamblers are about to get an extra layer of security to protect their accounts. Gambling operators in Pennsylvania have until Dec 31 to enact two-factor authentication.
The Pennsylvania Gaming Control Board (PGCB) advised operators of the new policy over the summer to give them ample time to comply.
Two-factor authentication (2FA) – or, more generically, multi-factor authentication (MFA) – is a security method that requires more than just a password to access an account.
The PGCB’s rules require this strong authentication to be re-engaged every 14 days, regardless of activity. PGCB will require independent third parties to test the security of these measures annually and submit reports on their findings.
All Pennsylvania online casino, poker and sportsbook operators must also encrypt users’ information and ensure the data’s safety. They are to test their own security measures quarterly.
What is Two-Factor Authentication?
The primary goal of 2FA is to protect users’ personal and financial information. It makes it more difficult for cybercriminals to hack accounts. Without strong authentication, a username and password are enough to get full access to an account and the funds it contains.
2FA means requiring two of the following to authenticate a user:
- Knowledge: Something you know, most commonly a password (usually the first form of ID). Often security questions are used as a secondary form.
- Possession: Something you own that can approve authentication requests, including receiving text messages, phone calls, or emails. It also includes showing your ID.
- Biometrics: Using your physical attributes, including fingerprint detection, face recognition, speech patterns, or signature.
Most of us are familiar with 2FA in a retail environment. In addition to needing your physical payment card, you may have to input your zip code at the gas station pump or sign your restaurant bill.
How Does Two-Factor Authentication Benefit the User?
Nowadays, it’s hard to trust that your information is safe with only a password. Data leaks have become all too common in the 21st century.
2FA gives you an extra layer of security from attacks designed to obtain or exploit your password, such as:
- Phishing emails: These are fraudulent emails that prompt you to follow a link. The site they’ll lead you to will often ask you for login credentials or other personal information in order to steal it.
- Credential stuffing: Hackers often attack cell networks, cloud services, retail stores, or corporate servers to get access to users’ information in bulk. Other parties buy this information and use automation to try the username-password combinations on other sites, particularly those which would give them access to users’ money. (This is what happened to DraftKings and BetMGM).
- Malware/Ransomware attack: Some of the most devastating attacks involve installing malicious software on a victim’s machine. If a hacker has your password, they may be able to do this remotely, but 2FA protects against this.
Security experts advise against re-using passwords or anything that would be easy to guess, such as your birth date. However, the number of online services people use tends to make many of us lax about “password hygiene,” making stronger precautions necessary.
Who’s Ahead of the Curve With 2FA?
Though the PGCB’s deadline is over two weeks away, some casinos have already started using 2FA. FanDuel Casino PA, for one, launched the new feature on Dec 12.
FanDuel’s website uses the usual username and password as its primary security measure. It has chosen to send a security code via text message as its secondary form of authentication. That’s likely to be the combination selected by most operators, as it’s standard in many industries and will be familiar to users who’ve encountered it in other contexts like online banking.
There is also an option to use an authentication app, such as those provided by Google or Microsoft, rather than text messages. If the user doesn’t have access to their phone, they would have to contact Customer Service to confirm their identity some other way.
Although the PGCB makes it mandatory for operators to offer 2FA, it’s up to the user whether they want to opt in. To set up your 2FA at FanDuel, you must log in and go to Account Settings. There you will have the choice of setting up a text message or the authentication app. The process will be similar for other sites.
Pennsylvania Plans Predate Recent Breach
Although the new measures are coming into effect shortly after the industry has experienced an attack, the timing is coincidental. The PGCB issued the directive to operators in a proactive fashion in July, months before the users of DraftKings and BetMGM reported their funds missing.
DraftKings’ November breach cost its users a combined $300,000. According to the company, its users’ login information was stolen from other websites and used to access their DraftKings accounts which had the same information. That’s the “credential stuffing” approach we mentioned earlier.
A few days before that, BetMGM experienced fraudulent activity. Scammers had created new fake accounts for poker players, including VIP Preferred members, and changed their financial details to steal funds.
Pennsylvania Follows New Jersey in Implementation of 2FA
Pennsylvania will become only the second state to require 2FA in the US regulated gambling world. The Keystone State is following the lead of New Jersey, which launched the security feature at the end of June 2022. That rollout went off without a hitch, so Pennsylvania users should expect no issues.
The Garden State’s move was ahead of the recent breach, but it has had security issues, prompting higher security action. 2FA will make regulators’ jobs easier and help companies to comply with other regulations. In 2020, a gambler in Florida, where online gambling is illegal, placed a $3 million bet at DraftKings NJ using a proxy. The state fined the operator, but 2FA would have prevented the violation in the first place.
Two-factor authentication is used throughout the US in other industries, such as banking and healthcare. An early draft of Indiana’s 2023 online casino bill includes such a requirement, so we may see this become the standard for US online gambling as well.