DraftKings Account Takeovers Frame Sports-Betting Cybersecurity Dilemma

Published: 23/11/2024 | Category: security




Cybercrooks have drained DraftKings accounts of $300K in the past few days thanks to credential stuffing, just as the 2022 FIFA World Cup starts up.



The popular online betting platform DraftKings has been targeted by credential-stuffing attacks — allowing cyberthieves to make off with around $300,000 in ill-gotten funds so far.
One of its rivals, FanDuel, also said this week that it's seen an uptick in account takeover attempts against its customers.
Credential stuffing is a tactic where cybercrooks try to compromise accounts by using lists of username-and-password combinations gleaned from previous breaches, often purchased on the Dark Web. They bank — quite literally — on account holders reusing their email addresses and passwords across multiple accounts, so that a credential phished from, say, a Netflix user will work against higher-value targets like financial or online-gambling accounts.
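The credential-stuffing pattern described above has a recognisable shape in an authentication log: one source tries many different accounts in a short window, most attempts fail, and the few successes are exactly the accounts whose reused passwords matched. The Python below is an added example, not code from the original article or from DraftKings or FanDuel; the log format, the thresholds and the sample events are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real DraftKings data).
# Format per line: ISO-8601 timestamp, source IP, account name, OK or FAIL.
SAMPLE_LOG = """\
2022-11-20T01:00:01Z 203.0.113.7 alice FAIL
2022-11-20T01:00:02Z 203.0.113.7 bob FAIL
2022-11-20T01:00:02Z 203.0.113.7 carol OK
2022-11-20T01:00:03Z 203.0.113.7 dave FAIL
2022-11-20T01:00:04Z 203.0.113.7 erin FAIL
2022-11-20T01:00:05Z 203.0.113.7 frank FAIL
2022-11-20T01:00:06Z 203.0.113.7 grace OK
2022-11-20T01:00:07Z 203.0.113.7 heidi FAIL
2022-11-20T01:00:08Z 203.0.113.7 ivan FAIL
2022-11-20T01:00:09Z 203.0.113.7 judy FAIL
2022-11-20T01:05:00Z 198.51.100.4 alice FAIL
2022-11-20T01:05:09Z 198.51.100.4 alice FAIL
2022-11-20T01:05:20Z 198.51.100.4 alice OK
2022-11-20T02:10:00Z 192.0.2.9 mallory OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, account, success) tuples, sorted by time.
    Malformed lines are skipped rather than aborting the whole run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    events.sort()
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, min_fail_ratio=0.5):
    """Flag source IPs that, within any sliding window, hit many distinct accounts
    with a high failure ratio. Returns {ip: {"attempts", "distinct_users", "accounts_at_risk"}}
    where accounts_at_risk are accounts that logged in successfully from a flagged source."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        n, j = len(evs), 0
        for i in range(n):
            # Advance j so that evs[i:j] is every event within `window` of evs[i].
            while j < n and evs[j][0] - evs[i][0] <= window:
                j += 1
            window_evs = evs[i:j]
            users = {u for _, u, _ in window_evs}
            fails = sum(1 for _, _, ok in window_evs if not ok)
            if len(users) >= min_distinct_users and fails / len(window_evs) >= min_fail_ratio:
                hit = findings.setdefault(ip, {"attempts": 0, "distinct_users": 0,
                                               "accounts_at_risk": set()})
                hit["attempts"] = max(hit["attempts"], len(window_evs))
                hit["distinct_users"] = max(hit["distinct_users"], len(users))
                hit["accounts_at_risk"] |= {u for _, u, ok in window_evs if ok}
    return findings


if __name__ == "__main__":
    for ip, hit in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {hit['attempts']} attempts against {hit['distinct_users']} accounts; "
              f"successful logins to review: {sorted(hit['accounts_at_risk'])}")
```

In the constructed sample, 203.0.113.7 is flagged (ten accounts, eight failures in nine seconds) and carol and grace are the accounts to force a password reset and notify; the user at 198.51.100.4 who mistypes their own password twice is not, because the distinct-account count never rises. Real stuffing campaigns spread attempts across proxy pools, so a per-IP rule is only the first layer; the same windowed logic can be keyed on ASN, device fingerprint or user-agent instead of the bare address.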
Starting this weekend, reports on social media began cropping up from DraftKings users, complaining that they had been locked out of their accounts and their funds drained. The company soon confirmed the activity.
"DraftKings is aware that some customers are experiencing irregular activity with their accounts," Paul Liberman, DraftKings co-founder and president for global technology and product, said in a media statement on Monday. "We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information."
While the number of accounts affected is unknown, the company said that about $300,000 in funds have been drained so far, and that it intends to make whole any customer that was impacted.
The increased activity could be due to the confluence of the NHL and NBA seasons starting, and the NFL season entering the make-it-or-break-it phase before the playoffs — and, of course, the 2022 FIFA World Cup kicking off over the weekend.
"Online gambling sites are attractive targets due to the large amounts of money that are wagered on a daily basis," Chris Hauk, consumer privacy champion at Pixel Privacy, tells Dark Reading. "Many customers let their winnings ride (don't cash in when they win) so they have balances they can wager for the next game, match, or other sporting event. This is particularly true now, as the World Cup is now being conducted in Qatar, as soccer matches are attractive to bettors."
And indeed, DraftKings is not alone in seeing an uptick in attacks; one of its main competitors, FanDuel, told CNBC that it has also seen increased account targeting (though no confirmed compromises so far). Yet amid the increased cybercriminal interest, the success of the DraftKings attackers points out an ongoing issue with user awareness, according to James McQuiggan, security awareness advocate at KnowBe4.
"As many data breaches and attacks have occurred, people still don't realize the implications of having their bank accounts attached to their gambling accounts. If not protected adequately, they can be subject to theft," he says. "Most of the time, people don't think it will happen to them and lack the awareness of the various attacks and lengths that cybercriminals will go to steal their money or identity."
The stakes are high for online gambling businesses too. "DraftKings and other online betting sites could see their reputations suffer if they are targeted by attacks like this," Hauk says. "Bettors may lose their faith in the sites as to whether they are secure and can keep their bettors' balances safe from being drained by bad actors."
DraftKings, like most online account providers, offers two-factor authentication for users as an option. But it's not required.
"DraftKings does not force users to enable two-factor authentication on their accounts," explains Paul Bischoff, privacy advocate at Comparitech. "The only exception is Connecticut, which requires DraftKings to force-enable two-factor authentication for all accounts geolocated there. I think this is a mistake given how much money is at stake. Hacking accounts with 2FA enabled would require a further attack to acquire the one-time codes, which makes them far less vulnerable."
Given what's at stake for the business and its customers, Hauk notes that putting more robust protection options in place for users should be an imperative, starting with requiring, at the very least, 2FA that relies on one-time passwords sent via text or email.
KnowBe4's McQuiggan notes that there are also mechanisms for encouraging better user choices.
"Companies' approaches should also [include the ability to] cross-reference passwords against known passwords involved in breaches," he explains. "If the users are using simple and breached passwords, they should request that the users reset their passwords to unique and secure passwords."
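The breached-password screening McQuiggan describes can be done without the service ever sending a user's password to a breach-corpus provider, using the k-anonymity range-query pattern popularised by Have I Been Pwned's Pwned Passwords API: the client hashes the candidate password with SHA-1, sends only the first five hex characters, and matches the returned hash suffixes locally, so the remote side learns nothing but a prefix shared by thousands of hashes. The Python below is an added example, not code from the article or from any company quoted in it; the breach corpus, its counts and the `range_lookup` stand-in for the remote service are all constructed so the block runs offline.

```python
import hashlib

# Constructed breach corpus: passwords and made-up occurrence counts standing in
# for a real breached-password dataset. A real deployment would not hold plaintexts.
BREACHED_PASSWORDS = {
    "password": 9_000_000,
    "123456": 24_000_000,
    "qwerty": 4_000_000,
    "letmein": 300_000,
    "draftkings2022": 12,
}

HEX = set("0123456789ABCDEF")


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the form the range protocol works on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(corpus):
    """Index hashes by their 5-character prefix: prefix -> [(suffix, count), ...]."""
    index = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append((h[5:], count))
    return index


BREACH_INDEX = build_breach_index(BREACHED_PASSWORDS)


def range_lookup(prefix):
    """Constructed stand-in for the remote range endpoint: given a 5-hex-char prefix,
    return 'SUFFIX:COUNT' lines for every known hash with that prefix (possibly none).
    The service never sees the full hash, let alone the password."""
    if len(prefix) != 5 or any(c not in HEX for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return "\n".join(f"{suffix}:{count}" for suffix, count in BREACH_INDEX.get(prefix, []))


def breach_count(password):
    """Client side: send only the prefix, match the suffix locally.
    Returns how many times the password appeared in the corpus (0 if never)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_password(password, min_length=12):
    """Policy hook for account creation or password change.
    Returns (accepted, reason); a breached password is rejected regardless of length."""
    if len(password) < min_length:
        return False, "too_short"
    n = breach_count(password)
    if n > 0:
        return False, f"breached:{n}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["password", "draftkings2022", "qwerty", "correct horse battery staple"]:
        print(f"{candidate!r}: {evaluate_password(candidate)}")
```

The same `breach_count` check is worth running at login time as well as at password-set time: a password that was fine when chosen may show up in a later dump, and a positive hit on a successful login is the moment to require a reset before the session proceeds, which is the user-facing action McQuiggan is describing.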
That said, while these measures could remove some low-hanging fruit, simple 2FA can of course be subverted without too much effort. Thus, researchers note that the proper way to secure accounts would be with FIDO2-approved authentication methods, using non-phishable MFA. But unfortunately, we're not likely to see that implementation anytime soon, given that it's often difficult for these types of companies to adequately balance the user experience with security.
"Much of it comes down to risk-based assessments of the risk of an attack versus the costs to implement more robust MFA applications or features," McQuiggan says. "The gambling sites also want to make it simple for people to log into the platform; if it's too complex, the users will go elsewhere to play. Most users nowadays are familiar with the SMS code, and while it's one of the weaker MFA methods, it's easier for the users to complete account access."
