The cyber fraud threat to online sportsbooks

• teh
  SBR Rookie • 11-22-12 • 11

  #1
  The cyber fraud threat to online sportsbooks
  Recently I have been learning tons about network security and exploitation. I want to start a discussion on what others within the sports betting industry think about the current state of security pertaining to sportsbooks. At least one thing I've noticed about the security of some top sportsbooks is that none I've checked use SSL, thus making the information more susceptible to interception, at least at a local level.

  A few things I wonder...
  Are books using the same measures to secure themselves as the banking industry?
  If so, are they a constant target for hackers like the banking systems?
  Are passwords passing on the network in plain text? (Guess I have a project for later.)
  In your opinion, which book has the best security? Why?
  Have you heard any stories of books getting breached/hacked?
• shaunovery
  SBR Posting Legend • 11-15-07 • 18143

  #2
  Most of the British online gaming websites use encryption, so your personal details are safe.
• teh
  SBR Rookie • 11-22-12 • 11

  #3
  Good to know for readers outside the U.S. The only sites I've tested were top U.S.-facing sites.
• shaunovery
  SBR Posting Legend • 11-15-07 • 18143

  #4
  Not sure about American sites, but here in the UK websites are always being upgraded because of professional hackers trying to gain info. Also, we are always told to change passwords, maybe every month.
• geebert74
  SBR MVP • 09-03-09 • 2445

  #5
  We're encrypted at Heritage... Nothing to worry about.
• teh
  SBR Rookie • 11-22-12 • 11

  #6
  Originally posted by geebert74
    We're encrypted at Heritage... Nothing to worry about.
  Any idea of the encryption method used?
• teh
  SBR Rookie • 11-22-12 • 11

  #7
  Also, a little off subject, but I was just returned this error when trying to access the store...

  Administrators here should think about creating custom error pages, because we now all know the exact software version used by SBR, which helps greatly in database exploitation.
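As an added illustration of the custom-error-page point (example code, not anything from SBR, the forum software, or the poster): the stock error page and `Server` header of Python's `http.server` disclose the framework and interpreter version to anyone who triggers an error, while the hardened handler below returns a generic page, a bland `Server` header, and keeps the real detail in a server-side log. The request bytes, the failing `/store` path and the `incident_log` list are constructed for the example; the handler is driven through a fake socket so it runs without opening a port.

```python
import io
from http.server import BaseHTTPRequestHandler


class _FakeSocket:
    """Stand-in for a client socket so a handler can be exercised without a listening port."""

    def __init__(self, request_bytes: bytes):
        self._inbound = io.BytesIO(request_bytes)
        self.outbound = io.BytesIO()

    def makefile(self, mode, bufsize=-1):
        return self._inbound  # the handler reads the request from here

    def sendall(self, data):
        self.outbound.write(data)  # the handler writes the response here


class LeakyHandler(BaseHTTPRequestHandler):
    """Stock behaviour: default Server header and default error page (version-revealing)."""

    def do_GET(self):
        self.send_error(500)

    def log_message(self, *args):
        pass


class HardenedHandler(BaseHTTPRequestHandler):
    """Generic error page and a bland Server header; details go to the operator's log only."""

    error_message_format = (
        "<!DOCTYPE html><html><body><h1>Something went wrong</h1>"
        "<p>Please try again later.</p></body></html>"
    )
    error_content_type = "text/html; charset=utf-8"
    incident_log = []  # constructed stand-in for the real server-side log sink

    def version_string(self):
        return "web"  # replaces the default "BaseHTTP/x.y Python/3.x.y"

    def do_GET(self):
        try:
            if self.path == "/store":
                raise RuntimeError("store backend unavailable")  # constructed failure
            self.send_error(404)
        except Exception as exc:
            # Path, exception and version stay in the log, never in the response body.
            self.incident_log.append(f"{self.path}: {exc!r}")
            self.send_error(500)

    def log_message(self, *args):
        pass


def run_request(handler_cls, raw_request: bytes):
    """Drive one HTTP request through a handler class; return (status, headers, body)."""
    sock = _FakeSocket(raw_request)
    handler_cls(sock, ("127.0.0.1", 0), None)
    head, _, body = sock.outbound.getvalue().partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


STORE_REQUEST = b"GET /store HTTP/1.0\r\nHost: example.test\r\n\r\n"  # constructed request

if __name__ == "__main__":
    for cls in (LeakyHandler, HardenedHandler):
        status, headers, body = run_request(cls, STORE_REQUEST)
        print(cls.__name__, status, headers.get("server"))
        print(body.strip())
```

Running it prints the stock `Server: BaseHTTP/... Python/3.x.y` header and an "Error code: 500" page for `LeakyHandler`, and `Server: web` with the generic page for `HardenedHandler`; the same idea applies to any framework that ships a default error page: override it, and keep the stack trace where only operators can read it.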
• cankid
  SBR Hall of Famer • 08-22-08 • 7239

  #8
  Difficult to protect 100% of the time, but in general I think the books are doing a good job. Plus, the DOS attacks are a real bitch.
• looneytunes
  SBR High Roller • 12-16-10 • 216

  #9
  Originally posted by teh
    Any idea of the encryption method used?
  Starting to get the feeling that there's more to this thread than meets the eye.
• sourtwist
  SBR Hall of Famer • 11-10-12 • 9364

  #10
  Originally posted by teh
    Any idea of the encryption method used?
  Creepiest post I've seen on this forum. Figures it's a newbie.
• teh
  SBR Rookie • 11-22-12 • 11

  #11
  Originally posted by looneytunes
    Starting to get the feeling that there's more to this thread than meets the eye.
  Curious on the encryption type, because anyone can say "we use encryption." While some methods of encryption are great, some are a complete joke. For example, it's estimated that 56-bit AES encryption would take 399 seconds to brute-force, while 128-bit AES encryption would take approximately one billion years (at this point). Disclosing a strong encryption type won't hurt anything. Disclosing a weak encryption type could open you up for lots of trouble... if it's a weak encryption type, no need to respond. LOL
• Nova99
  SBR Sharp • 01-31-12 • 428

  #12
  Considering the fact that I get asked my password during live chat and any over-the-phone transactions, I would suspect the sites are not anywhere near the level of a banking site; can't imagine the pw is not in plaintext at a certain point...

  The question is, do you really want to mess with the bookmakers? For the books that are open to US players, these people are handling a large sum of money while violating federal law; not the type of people you want to try to defraud...
• onemoregoal
  SBR Hall of Famer • 02-04-13 • 8149

  #13
  Google Chrome tells you the type of encryption, doesn't it?
  I use a different laptop for banking/sports and can't be bothered to check at the moment....
  Don't think you are being "creepy", by the way; it's a good question.
• sourtwist
  SBR Hall of Famer • 11-10-12 • 9364

  #14
  Originally posted by onemoregoal
    Google Chrome tells you the type of encryption, doesn't it?
    I use a different laptop for banking/sports and can't be bothered to check at the moment....
    Don't think you are being "creepy", by the way; it's a good question.
  It doesn't faze you that a new poster starts a thread out of the blue on a subject like this? Not strange at all, right?
• onemoregoal
  SBR Hall of Famer • 02-04-13 • 8149

  #15
  Not really. If the information is readily available, I don't see what the problem is.
• Nova99
  SBR Sharp • 01-31-12 • 428

  #16
  Originally posted by sourtwist
    It doesn't faze you that a new poster starts a thread out of the blue on a subject like this? Not strange at all, right?
  Not too strange IMO; who better to ask than people who access these sites multiple times during the day? There is nothing he can gain from us that he cannot get by joining all the sites; I doubt many, if any, of us will be able to really provide any insider info on the books' security methods.
• teh
  SBR Rookie • 11-22-12 • 11

  #17
  Originally posted by Nova99
    Considering the fact that I get asked my password during live chat and any over-the-phone transactions, I would suspect the sites are not anywhere near the level of a banking site; can't imagine the pw is not in plaintext at a certain point...

    The question is, do you really want to mess with the bookmakers? For the books that are open to US players, these people are handling a large sum of money while violating federal law; not the type of people you want to try to defraud...
  No, I personally do not want to mess with the bookmakers, although I do have many questions pertaining to sportsbook security. Questions like... where do they find IT guys with enough skill to protect these legally questionable databases? I find it hard to believe someone would spend years obtaining a degree in CS and then go to work for a company which is in violation of federal law, especially when techs are in such high demand.
• Nova99
  SBR Sharp • 01-31-12 • 428

  #18
  Originally posted by teh
    No, I personally do not want to mess with the bookmakers, although I do have many questions pertaining to sportsbook security. Questions like... where do they find IT guys with enough skill to protect these legally questionable databases? I find it hard to believe someone would spend years obtaining a degree in CS and then go to work for a company which is in violation of federal law, especially when techs are in such high demand.
  Sorry, didn't mean to imply you would want to mess with them personally. The little that I know: http://www.wired.com/threatlevel/201...-software/all/

  Like most industries, the work is probably done by a third-party web designer, and they charge a fee to maintain the security and database; no CS graduate is going to move to Costa Rica to stay onsite for this.
• tz0
  SBR Rookie • 01-02-13 • 40

  #19
  Originally posted by geebert74
    We're encrypted at Heritage... Nothing to worry about.
  I don't think so. When I lost my password and asked a customer service rep to start a recovery process, he responded, "Are you sure you don't remember at all? It starts with m."
• looneytunes
  SBR High Roller • 12-16-10 • 216

  #20
  Originally posted by teh
    No, I personally do not want to mess with the bookmakers, although I do have many questions pertaining to sportsbook security. Questions like... where do they find IT guys with enough skill to protect these legally questionable databases? I find it hard to believe someone would spend years obtaining a degree in CS and then go to work for a company which is in violation of federal law, especially when techs are in such high demand.
  Yep.
• Kaabee
  SBR MVP • 01-21-06 • 2482

  #21
  Pretty much none of the sites have case-sensitive passwords.
• PassTheDutchie
  SBR Hustler • 02-05-13 • 66

  #22
  No, the books do not secure themselves on the same level as banks. Then again, they don't need to.

  First, because part of the business is based on credit.
  A credit book (or PPH) usually does not have any info from the players except the username/password combination.
  The only risk then is an unauthorized person using the account and (worst case) losing money.
  This can usually be confirmed by the book doing some IP checks and removing the transactions.

  Second, because the vast majority of the post-up books don't keep any CC info on their systems.
  They use payment processors that take care of this. This means that once you are logged in on the sportsbook's
  website and you want to post up by CC, that page is actually encrypted.
  Sometimes it is already the page of the payment processor used by the book.

  Security is also the main reason why books are doing an audit when they pay you out.
  By making sure the money is only sent to you, an unauthorized person has nothing to gain from getting into your account.

  Now the exception is poker. Using your money on a poker network,
  it is possible to lose your money to the 'right person' at another book.
  This is why a lot of books don't like poker, as they will have to pay the network no matter what.
  They will give you a hard time if unauthorized access abused money on the poker network.

  Of course there are security incidents with books, but none that they want to be outed in public.
  The worst problem is security incidents that involve the help of their own employees.

  As to getting good IT personnel, do you really think IT personnel are only educated in the USA?
  The companies are operating LEGALLY where they are located.
  Do you really think these companies pay badly when they need someone to run a good, stable operation?
• PassTheDutchie
  SBR Hustler • 02-05-13 • 66

  #23
  Originally posted by Kaabee
    Pretty much none of the sites have case-sensitive passwords.
  This has to do with calling in a wager; it only makes the process more complicated when you have to tell the operator: capital P, lower case a, lower case s, etc., etc. Some systems allow for separate phone and internet passwords, but then people can't remember what was what and it only causes more confusion.
• teh
  SBR Rookie • 11-22-12 • 11

  #24
  Originally posted by Nova99
    Sorry, didn't mean to imply you would want to mess with them personally. The little that I know: http://www.wired.com/threatlevel/201...-software/all/

    Like most industries, the work is probably done by a third-party web designer, and they charge a fee to maintain the security and database; no CS graduate is going to move to Costa Rica to stay onsite for this.
  Excellent article.
• bobbywaves
  SBR Posting Legend • 05-06-08 • 13280

  #25
  Originally posted by Nova99
    Considering the fact that I get asked my password during live chat and any over-the-phone transactions, I would suspect the sites are not anywhere near the level of a banking site; can't imagine the pw is not in plaintext at a certain point...

    The question is, do you really want to mess with the bookmakers? For the books that are open to US players, these people are handling a large sum of money while violating federal law; not the type of people you want to try to defraud...
  My understanding was that books are in violation of federal law only if their banking was done in the USA (BetEd). If not, books don't answer to anyone. Please correct me if I'm mistaken.
• PassTheDutchie
  SBR Hustler • 02-05-13 • 66

  #26
  Originally posted by bobbywaves
    My understanding was that books are in violation of federal law only if their banking was done in the USA (BetEd). If not, books don't answer to anyone. Please correct me if I'm mistaken.
  There are many different laws in place in the USA that try to make online gambling impossible. The problem (for the US government) is that most laws govern people within your borders. By not allowing the US banks to facilitate gambling transactions, they forced the books to hide their transactions. Usually this means they have to lie/cheat/commit fraud somewhere in the process to get the money out of the USA.

  For example, miscoding on CC transactions. It should say the CC transaction is for gambling, but they will tell the CC company it's a shoes/clothing purchase. This is actually considered bank fraud, and this is illegal on an international level, including the countries where these books operate legally. This will also give the USA the right to start using Interpol and the like to go after them.
• Nova99
  SBR Sharp • 01-31-12 • 428

  #27
  Originally posted by bobbywaves
    My understanding was that books are in violation of federal law only if their banking was done in the USA (BetEd). If not, books don't answer to anyone. Please correct me if I'm mistaken.
  Good question. I don't know the answer to that, but I have a feeling it is not that simple. I remember when the ban was passed a few years ago, several big European books that I used all closed my account; to my knowledge they have nothing other than customers in the US. I believe the law actually makes it illegal to place a wager over the wire (which the US courts take to include the internet), so books are not allowed to accept anything from anyone in the US; if you allow anyone in the US to place a wager with you, then you are in violation of the law. This is how I understand it.
• jstblaze
  SBR Wise Guy • 03-05-07 • 767

  #28
  Originally posted by Nova99
    Good question. I don't know the answer to that, but I have a feeling it is not that simple. I remember when the ban was passed a few years ago, several big European books that I used all closed my account; to my knowledge they have nothing other than customers in the US. I believe the law actually makes it illegal to place a wager over the wire (which the US courts take to include the internet), so books are not allowed to accept anything from anyone in the US; if you allow anyone in the US to place a wager with you, then you are in violation of the law. This is how I understand it.

  The wager is illegal unless there is no exchange of funds. So without the banking part there is no real crime or evidence.
• Nova99
  SBR Sharp • 01-31-12 • 428

  #29
  Originally posted by jstblaze
    The wager is illegal unless there is no exchange of funds. So without the banking part there is no real crime or evidence.
  Although this makes sense, I thought most of the top bookmakers in Europe do not allow anyone to even log on in the US? In a scenario where someone can deposit cash into an account while in Europe, then they should in theory be allowed to use it in the US, since no exchange of funds will take place in the US, right? I guess this is a very confusing law because it is very hard to define the wagering process online.
• touchback
  SBR MVP • 02-08-12 • 1227

  #30
  Originally posted by Nova99
    Although this makes sense, I thought most of the top bookmakers in Europe do not allow anyone to even log on in the US? In a scenario where someone can deposit cash into an account while in Europe, then they should in theory be allowed to use it in the US, since no exchange of funds will take place in the US, right? I guess this is a very confusing law because it is very hard to define the wagering process online.
  This was addressed pretty much a short while ago in this thread... http://forum.sbrforum.com/sportsbook...ortsbooks.html

  It is how I see it from my understanding and basically how I defended my position/platform about the legality of US offshore wagering....
  This is an interesting thread, and maybe in a good way and maybe not. Most big places are using 128-bit AES crypt. But it is not as simple as just looking at the wagering platform. They are separated many degrees from processors, and we are talking many and varied degrees. So what is the point of basically cracking a gaming platform ledger? It is not real cash, and any major withdrawal from a non-authorized fabricated account is going to be heavily scrutinized at an automated level and then at a double manual level... Yeah, a guy is gonna go over deposits and action histories, checking rollover if required, sign off on it, and then a second guy is gonna do the same thing, and if it is in excess of 5 dimes a bigger wig might just take a look at it, and if it is 10 dimes or more a big wig is definitely gonna take a look. Man, that is a run-on sentence... Anyway, all the processors are banking/financial-level encryption because that is basically what they are, and they are usually outsourced by the gaming provider if we are talking CR. So go ahead, crack a P2P or CC... because messing with a book is a waste of time and, as mentioned, not really the kind of guys you want to take a run at.
  True story: offshore had more problems from DOS ransoms in the past, which they would have to pay to get their services back online. They were usually small ransoms to boot, like 20 dimes or 30 dimes... enough to make it easier to pay and be back up. Well, this happened to an outfit and they paid 20 dimes, and the principal turned around and paid an equal amount to a contractor to find and have a talk with the problem... no more problems after that. A lot of these DOS problems were coming out of East Europe and/or Russian states...
  Books are pretty good now at dealing with DOS attacks, whether by technical means or by reputation. They do not happen that much any more.
• teh
  SBR Rookie • 11-22-12 • 11

  #31
  After a little testing, I've found the above-mentioned secure book doesn't encrypt their user IDs, ever. IDs are sent in plain text in every transaction, although the password does seem to be hashed.
• teh
  SBR Rookie • 11-22-12 • 11

  #32
  5dizzle appears to also send the username in plaintext, although not for login. They use MD5 for their password hashes. Another thing I found a little odd is that along with my user ID they also send an agent ID, which is clearly someone's 5dizzle ID. Makes me wonder whose ID this agent ID is. :X
• muffins
  SBR High Roller • 03-03-12 • 145

  #33
  The threat that books most often face seems to be DDoS attacks combined with blackmail; lots of incidents over the years. There's even a book written about the attack on BetCris.
• touchback
  SBR MVP • 02-08-12 • 1227

  #34
  Originally posted by teh
    5dizzle appears to also send the username in plaintext, although not for login. They use MD5 for their password hashes. Another thing I found a little odd is that along with my user ID they also send an agent ID, which is clearly someone's 5dizzle ID. Makes me wonder whose ID this agent ID is. :X
  You gonna look at everyone, buddy... Chris, Bet365... really, what is your agenda? Is this a new plan from the think tanks of K.A.O.S. or what... man, where is Maxwell Smart when you need him, or maybe Bond, James Bond.
• erickvivar
  SBR Sharp • 05-21-10 • 293

  #35
  It is not about an agenda; those are obvious security concerns. Every serious book should have their login page on SSL, and the same goes for banking pages where CC or other information is included. Also, no clerk should ask for your password; the moment you ask the clerk "what's my password?" and he is able to tell you, that's it.

  If they offer a forgot-password feature and they are able to send you an email that includes your password, done again.

  It is all the little details that tell you how things are done. Good thread.
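As an added example tying together #19 (a rep who can read the first letter of a password), #21 (case-insensitive passwords), #32 (MD5 password hashes) and #35 (a "forgot password" e-mail containing the password), and not code from any book, processor or poster: the unsalted MD5 scheme is shown beside a salted, deliberately slow PBKDF2-HMAC-SHA256 record, plus a reset flow that e-mails a one-time token instead of the password. With this design no clerk, log or reset e-mail can reveal the password, because nothing stored can be turned back into it. The `AccountStore` class, the user names and the iteration count are constructed for the example; the 600,000-iteration default follows the OWASP Password Storage Cheat Sheet's 2023 figure for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
import secrets
import time

# Order of magnitude OWASP (2023) suggests for PBKDF2-HMAC-SHA256; tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def md5_digest(password: str) -> str:
    """Unsalted MD5, the scheme reported in the thread: fast to compute, and every user
    with the same password gets the same stored value, so one cracked hash unlocks all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus a slow KDF; the record never contains the password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time. Case-sensitive on purpose."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:  # malformed record
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


class AccountStore:
    """In-memory stand-in for a book's user table (constructed for this example)."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS):
        self._iterations = iterations
        self._records = {}        # username -> password record, never the password itself
        self._reset_tokens = {}   # sha256(token) -> (username, expiry)
        # Verifying against a dummy record keeps "unknown user" as slow as "wrong password".
        self._dummy = hash_password(secrets.token_hex(16), iterations)

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password, self._iterations)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            verify_password(password, self._dummy)
            return False
        return verify_password(password, record)

    def issue_reset_token(self, username: str, ttl_seconds: int = 900, now=None):
        """One-time token to e-mail to the user instead of the password; only its hash is kept."""
        if username not in self._records:
            return None  # the web layer should still answer identically, to avoid enumeration
        token = secrets.token_urlsafe(32)
        expiry = (time.time() if now is None else now) + ttl_seconds
        self._reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = (username, expiry)
        return token

    def redeem_reset_token(self, token: str, new_password: str, now=None) -> bool:
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._reset_tokens.pop(key, None)  # pop makes the token single-use
        if entry is None:
            return False
        username, expiry = entry
        if (time.time() if now is None else now) > expiry:
            return False
        self._records[username] = hash_password(new_password, self._iterations)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "m0nkey!")            # constructed user
    print(store.login("alice", "m0nkey!"), store.login("alice", "M0NKEY!"))
    token = store.issue_reset_token("alice")      # this is what goes in the e-mail
    print(store.redeem_reset_token(token, "newpass"), store.redeem_reset_token(token, "again"))
```

The contrast with the thread's observations is in what the store can and cannot do: `md5_digest` gives the same value for every user who picked the same password and costs microseconds per guess, while a `pbkdf2_sha256$...` record differs per user, costs a deliberate fraction of a second per guess, and can only answer yes/no to a candidate password. The reset path never needs the old password, so there is nothing to read out over chat or put in an e-mail.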