Page 2 of 5 FirstFirst 12345 LastLast
Results 21 to 40 of 85

Thread: Fraudster stole up to $10,000 each from poker pros, likely due to a legalized betting payment processor breach. I was one of the victims.

  1. #21
    Owner Dan Druff's Avatar
    Reputation
    10110
    Join Date
    Mar 2012
    Posts
    54,626
    Blog Entries
    2
    Load Metric
    65648597
    I will be going on with Matt Berkey and his Only Friends crew tomorrow to talk about this.


     
    Comments
      
      JeffDime:

  2. #22
    Cubic Zirconia
    Reputation
    13
    Join Date
    Nov 2022
    Posts
    12
    Load Metric
    65648597
    Quote Originally Posted by Dan Druff View Post
    Thank you, Dizzy, for registering and posting this clarification.

    Are you saying that someone with only your name, address, DOB, and last 4 of your social can automatically access your "stored" payment method with Global Payments, even if you did not elect to store it?

    If so, that's a HUGE security flaw.

    BetMGM support is very poor, and is mostly outsourced. It was very tough dealing with them. However, after this blew up today, I was put in contact with two executives there, so hopefully I can get some answers.

    I agree they were extremely negligent in allowing this cashout (to a different account, no less) on the exact same day of account creation and deposit (and with no play!)
    Yeah. I'm saying that's all you really need to sign up a new account with BetMGM (or any of the other legal US site) as far an unique info.
    The scammer can use a newly created burner email/fake phone number.

    If your name/address/last 4 are correct and automatically match with the 3rd party KYC database betMGM or whatever site uses..The new account is good to go.

    I've signed up for just about every online casino and when I click ACH deposit my bank account is always right there without doing anything. It shows the last 4 of my checking account and amount available for deposit

    Maybe I agreed to this at some point... but I think that's part of initial Global Pay process we all did, not something extra I signed up for

     
    Comments
      
      JeffDime:

  3. #23
    Owner Dan Druff's Avatar
    Reputation
    10110
    Join Date
    Mar 2012
    Posts
    54,626
    Blog Entries
    2
    Load Metric
    65648597
    Yup, Dizzy is right.

    This is insane. While BetMGM Nevada requires you to scan ID with your phone camera in order to get verified (or to do it in person at a sportsbook), other BetMGM states, such as New York, only require the first name, last name, last 4 of your SSN, date of birth, and address.

    Then if you select "Deposit", and click on "VIP Preferred", it auto-loads your previously used payment methods with Global Payments.

    This makes it incredibly easy for anyone to steal from a victim's bank account, utilizing any website/app operating with Global Payments, if you simply have their name, phone number, last 4 of SSN, DOB, and address. As long as Global Payments previously processed a payment for them, nothing is verified!

    I still think it was an insider, but this now also opens up more of a possibility that this was just extreme negligence on the part both BetMGM and Global Payments.

    I just tested it with BetMGM New York, where I did not have an account before. I downloaded the BetMGM app, selected New York, and registered under a new e-mail (not one used before), and clicked on Deposit. The only info I entered was my name, date of birth, address, phone number, and last 4 of my social. It did NOT attempt to verify the phone number, either.

    I got this screen:

    Name:  betmgm-ny1.jpg
Views: 8195
Size:  65.1 KB


    When I clicked on VIP Preferred shown above, I got the following screen. Note that it wouldn't let me deposit because I was "over my limit" (thanks to the fraudster), but notice the dropdown where I can select any account previously used via Global Payments!

    It's that easy!!!

    Name:  betmgm-ny2.jpg
Views: 10101
Size:  94.8 KB

     
    Comments
      
      JeffDime:

  4. #24
    Cubic Zirconia
    Reputation
    13
    Join Date
    Nov 2022
    Posts
    12
    Load Metric
    65648597
    Quote Originally Posted by Dan Druff View Post
    Quote Originally Posted by Dizzy View Post

    Yeah. I'm saying that's all you really need to sign up a new account with BetMGM (or any of the other legal US site) as far an unique info.
    The scammer can use a newly created burner email/fake phone number.

    If your name/address/last 4 are correct and automatically match with the 3rd party KYC database betMGM or whatever site uses..The new account is good to go.

    I've signed up for just about every online casino and when I click ACH deposit my bank account is always right there without doing anything. It shows the last 4 of my checking account and amount available for deposit

    Maybe I agreed to this at some point... but I think that's part of initial Global Pay process we all did, not something extra I signed up for
    That's really interesting. Maybe I'll try this tonight, though I've already blacklisted myself from a lot of them, as a result of what happened.

    Are you sure you're only entering the last 4 of the social?
    Yes.. I'm talking about when signing up. That's all they ask for is last 4, not the full thing.

    The KYC system these sites use automatically pulls the the first 5 of your social from whatever system they use when you pass the verification.

    Once you pass the verification you can just click cashier and your Global info will be there if you have used it before on another site. Don't need to re enter social or last 4 or anything.

    To be safe, I just double checked this on a site I signed up to 11 days ago and the ach info is stored there.
    It shows the last 4 of my checking account number, the bank name, and the available limit they will let me deposit.

    Edit: yep i see the post above now. Glad we could confirm it 100%

  5. #25
    Cubic Zirconia
    Reputation
    13
    Join Date
    Nov 2022
    Posts
    12
    Load Metric
    65648597
    Quote Originally Posted by Dan Druff View Post
    Thank you, Dizzy, for registering and posting this clarification.

    BetMGM support is very poor, and is mostly outsourced offshore. It was very tough dealing with them. However, after this blew up today, I was put in contact with two executives there, so hopefully I can get some answers.

    I agree they were extremely negligent in allowing this cashout (to a different account, no less) on the exact same day of account creation and deposit (and with no play!)
    One last thing i wanted to mention before bed:

    I know about the poor support. Every regulated casino is really bad with the support/security. At least at the entry level at minimum.


    Those exec guys can probably get you in touch with a fraud manager who will be better equipped to look into it.

    The good news is, if someone competent at BetMGM does look into this - They have access to a lot of info that will be helpful for the police with your case.

    With the Geocomply software BetMGM will be able to see with almost pinpoint accuracy exactly where your account was logged in/created from.

    It's possible the scammer was smart enough not to install the geocomply software. (You can technically login and make a deposit/withdrawal without it) In that case BetMGM see significantly less information.

    Either way they will be able to see the IP address used at absolute minimum. Presumably the scammer logged in and created the account with a VPN, but you never know. Hopefully I am giving them too much credit.

  6. #26
    Owner Dan Druff's Avatar
    Reputation
    10110
    Join Date
    Mar 2012
    Posts
    54,626
    Blog Entries
    2
    Load Metric
    65648597
    Quote Originally Posted by Dizzy View Post
    Quote Originally Posted by Dan Druff View Post
    Thank you, Dizzy, for registering and posting this clarification.

    BetMGM support is very poor, and is mostly outsourced offshore. It was very tough dealing with them. However, after this blew up today, I was put in contact with two executives there, so hopefully I can get some answers.

    I agree they were extremely negligent in allowing this cashout (to a different account, no less) on the exact same day of account creation and deposit (and with no play!)
    One last thing i wanted to mention before bed:

    I know about the poor support. Every regulated casino is really bad with the support/security. At least at the entry level at minimum.


    Those exec guys can probably get you in touch with a fraud manager who will be better equipped to look into it.

    The good news is, if someone competent at BetMGM does look into this - They have access to a lot of info that will be helpful for the police with your case.

    With the Geocomply software BetMGM will be able to see with almost pinpoint accuracy exactly where your account was logged in/created from.

    It's possible the scammer was smart enough not to install the geocomply software. (You can technically login and make a deposit/withdrawal without it) In that case BetMGM see significantly less information.

    Either way they will be able to see the IP address used at absolute minimum. Presumably the scammer logged in and created the account with a VPN, but you never know. Hopefully I am giving them too much credit.
    I want to thank you for your informative posts here.

    I am indeed discussing the IP/geolocation matter with the detective investigating, and hopefully that will yield something.

    I am editing my post to reflect the new/corrected information you brought up regarding the stored payment methods. Thanks for that.

  7. #27
    Owner Dan Druff's Avatar
    Reputation
    10110
    Join Date
    Mar 2012
    Posts
    54,626
    Blog Entries
    2
    Load Metric
    65648597
    Two people have reported that a DraftKings removed Global Payments' "VIP Preferred" eCheck service, and that it happened "very recently".

    I have updated the main writeup to reflect this. Very interesting.

  8. #28
    Diamond BCR's Avatar
    Reputation
    2014
    Join Date
    Mar 2012
    Posts
    6,864
    Load Metric
    65648597
    I wonder if this is huge. I didn’t even think about it, but my longtime legal book has been putting my through a nonsensical document review. Mail with address, front and back of card, license, and it was out of nowhere about two weeks ago. I just got done bitching via chat last weekend and it’s still pending in review. Usually they fix shit quickly. Have a mid 4 figure withdrawal pending for weeks.

    Really bizarre because they are launching in Ohio and begging me to join, yet making me jump through hoops on PA site I’ve always used. That they got jammed up also and put some hold on everything until they can verify more shit makes way more sense than them pissing me off like this after years of no issues.

     
    Comments
      
      JeffDime: There using their own failures as in excuse to jam up solid accounts like yours.

  9. #29
    How Could You? WillieMcFML's Avatar
    Reputation
    1049
    Join Date
    Mar 2012
    Posts
    5,928
    Load Metric
    65648597
    eChecks huh?

    Hi Lew!!!

  10. #30
    Bronze
    Reputation
    71
    Join Date
    Jun 2012
    Posts
    271
    Load Metric
    65648597
    I want to confirm what Dizzy said, and maybe add to it.

    I am in NY, I have used Global Payments with the sportsbook PointsBet and was automatically enrolled in VIP Preferred after enough successful transactions.

    From that point forward the Global Payments ACH payment option appeared on my existing sports accounts. BetRivers, and Caesars were the 2 I was using at the time. I was able to deposit via the bank account that I registered with Global Payments via Pointsbet now on any sportsbook without any type of verification. Legitimately 1 click to withdraw from my account.

    I also noticed that when I registered for a new book that opened in NY (Bally Bet) ACH for Global Payments was already on my account and had all of my banking info.

    This was concerning to me.
    I wish I had brought my concerns to this site.

  11. #31
    Diamond BCR's Avatar
    Reputation
    2014
    Join Date
    Mar 2012
    Posts
    6,864
    Load Metric
    65648597
    I have a feeling someone hit these legal online books and it’s not going to be confined to just poker players, albeit they’re a great target.

    I looked through my summary. They erased the first round of document reviews, and then still have license sitting there in review from this last weekend. Every time I send them everything, they ask for it again


    This started on 10/28 according to first round of emails and I sent all this stuff twice. It was baffling to me as usually I have money in 48 hours and felt like I couldn’t get it resolved for some reason. I actually was going to call my casino host at land based casino it’s affiliated with this weekend. I ended up cancelling one withdrawal and I’m betting with it, but still have another mid four figure one pending. That they got jammed up makes sense. I bet this is going to be huge with such lax security.



    In Review Drivers License ID request 11/12/2022 1:36:05 PM EST
    Complete Credit Card VISA ************XXXX 11/12/2022 1:28:31 PM EST
    Complete Utility Bill Updated proof of address 11/12/2022 1:27:33 PM ES

  12. #32
    Cubic Zirconia
    Reputation
    13
    Join Date
    Nov 2022
    Posts
    12
    Load Metric
    65648597
    Quote Originally Posted by Dan Druff View Post
    Two people have reported that a DraftKings removed Global Payments' "VIP Preferred" eCheck service, and that it happened "very recently".

    I have updated the main writeup to reflect this. Very interesting.
    Just double checked this.

    Draftkings does still have global pay on the casino/sportsbook side in both NJ and PA.
    I don't see it on the daily fantasy cashier.

    I would say its highly unlikely this is why they removed. More likely something with regulations or global not wanting to process for DFS transactions. (pure speculation)

    Global Pay is huge for these casinos because it's a way for customers to make relatively large deposits with no risk to the site. Meaning that if the eCheck deposit were to bounce Global Pay is on the hook for it, rather than the specific casino site.

    This is not the case with most methods (credit card ect..) which is why sites will allow a 10k first deposit with ACH but not VISA
    Last edited by Dizzy; 11-16-2022 at 10:23 AM.

  13. #33
    Platinum JeffDime's Avatar
    Reputation
    1473
    Join Date
    Apr 2020
    Location
    Brick City, USA
    Posts
    2,703
    Load Metric
    65648597
    Quote Originally Posted by Dizzy View Post
    Either way they will be able to see the IP address used at absolute minimum. Presumably the scammer logged in and created the account with a VPN, but you never know. Hopefully I am giving them too much credit.
    It’s been between Bet MGM & Caesers as to which customer service is more useless than the last. Bet MGM ended up being the worst. Obviously this matter is worlds above support now for Druff, so that’s a good thing. They been spending all their money hiring celebrity endorsers and making commercials. Not giving a shit about the service, product & now unfortunately it’s clear…the security. This will be a bit messy to sort out. But they scammer(s) picked the wrong guy to screw with in Druff.

    All great info Dizzy, so no need for me to add much. I will say I think it’s a very low probability this was done with burner phones within each respective state boundary. In that case you would expect at least a token bet to be made on the accounts before attempting a cashout. It’s clear the accounts on Bet MGM can be opened from anywhere. This is something bettors would not necessarily know about, because it wouldn’t make much sense to open an account if I was not currently located in that state, at the time, in order to bet.

    You can open up about 6 (2 in Jersey with Borgata & MGM) MGM accounts in a relatively small area in the East. Only saving grace is that the Global Payments limits are meant to be cumulative for every site under your social. So if you use your allotted limit on one site you can’t on the other. Obviously this is to cover Global Payments ass, so no one deposits 10K in multiple accounts around the same timeframe. At least this policy capped the amount the scammers could get from each individual.

    I did receive a strange email from Borgata on Saturday warning me about a debit card deposit I attempted to make months back. I messed up a single digit when entering my card info. It was pretty obvious, but I didn’t respond to the email which was a warning. Never seen anything like this and I think it has to be related to everything that’s going on.

    I seriously hope they don’t use this as an excuse to hassle accounts in long good standing, but BCR’s post is somewhat alarming. It’s clear what these scammers targeted and I hope the sites concentrate on that.

    Anyways, like I said they picked the wrong guy in Druff. It will be interesting to see how this resolves. Hoping everyone is made whole and this is a wake up call for these books to put more resources in to security & the actual product. (No they will still suck tbh, but let’s hope everyone is made whole)
    Last edited by JeffDime; 11-16-2022 at 11:29 AM.

  14. #34
    Diamond BCR's Avatar
    Reputation
    2014
    Join Date
    Mar 2012
    Posts
    6,864
    Load Metric
    65648597
    Quote Originally Posted by JeffDime View Post
    Quote Originally Posted by Dizzy View Post
    Either way they will be able to see the IP address used at absolute minimum. Presumably the scammer logged in and created the account with a VPN, but you never know. Hopefully I am giving them too much credit.
    It’s been between Bet MGM & Caesers as to which customer service is more useless than the last. Bet MGM ended up being the worst. Obviously this matter is worlds above support now for Druff, so that’s a good thing. They been spending all their money hiring celebrity endorsers and making commercials. Not giving a shit about the service, product & now unfortunately it’s clear…the security. This will be a bit messy to sort out. But they scammer(s) picked the wrong guy to screw with in Druff.

    All great info Dizzy, so no need for me to add much. I will say I think it’s a very low probability this was done with burner phones within each respective state boundary. In that case you would expect at least a token bet to be made on the accounts before attempting a cashout. It’s clear the accounts on Bet MGM can be opened from anywhere. This is something bettors would not necessarily know about, because it wouldn’t make much sense to open an account if I was not currently located in that state, at the time, in order to bet.

    You can open up about 6 (2 in Jersey with Borgata & MGM) MGM accounts in a relatively small area in the East. Only saving grace is that the Global Payments limits are meant to be cumulative for every site under your social. So if you use your allotted limit on one site you can’t on the other. Obviously this is to cover Global Payments ass, so no one deposits 10K in multiple accounts around the same timeframe. At least this policy capped the amount the scammers could get from each individual.

    I did receive a strange email from Borgata on Saturday warning me about a debit card deposit I attempted to make months back. I messed up a single digit when entering my card info. It was pretty obvious, but I didn’t respond to the email which was a warning. Never seen anything like this and I think it has to be related to everything that’s going on.

    I seriously hope they don’t use this as an excuse to hassle accounts in long good standing, but BCR’s post is somewhat alarming. It’s clear what these scammers targeted and I hope the sites concentrate on that.

    Anyways, like I said they picked the wrong guy in Druff. It will be interesting to see how this resolves. Hoping everyone is made whole and this is a wake up call for these books to put more resources in to security & the actual product. (No they will still suck tbh, but let’s hope everyone is made whole)

    I don’t necessarily think they’re hassling me, or that I lost anything. I looked at bank account. Just they may have got hit and just froze everything until they figure out what exactly happened. There’s a decent chance Druff and poker players are ahead of lower level people at figuring it out. Just some exhaustive document review that errs on side of extreme caution.

  15. #35
    Platinum JeffDime's Avatar
    Reputation
    1473
    Join Date
    Apr 2020
    Location
    Brick City, USA
    Posts
    2,703
    Load Metric
    65648597
    Quote Originally Posted by BCR View Post
    I don’t necessarily think they’re hassling me, or that I lost anything. I looked at bank account. Just they may have got hit and just froze everything until they figure out what exactly happened. There’s a decent chance Druff and poker players are ahead of lower level people at figuring it out. Just some exhaustive document review that errs on side of extreme caution.
    For sure BCR, but I can say that discounting Nevada, I was only asked to provide my debit card and license to one book for a small 4 figure cashout. That was for Barstool NJ. Typically the documentation asks were a slow pay mechanism that offshore books would use, not really giving a shit about the actual docs they were asking for. I’ll give the book the benefit of the doubt. But like I said, for years I’ve been putting in a lot of action and was only asked to provide documentation for the legal books for a cashout one time.

    My point really is I want the books to fix this the right way. Not make everything more of a pain in the ass and just look safer. Actually overhaul the system to protect the bettors. Get the people their money back and start using resources optimally.

    At this point 1. Want to see those scammed made whole. 2. Hopefully find the fraudster. 3. The other stuff into the future. But I do believe this scam is a huge deal. I hope it gets the attention it deserves.

  16. #36
    Platinum JeffDime's Avatar
    Reputation
    1473
    Join Date
    Apr 2020
    Location
    Brick City, USA
    Posts
    2,703
    Load Metric
    65648597
    My post regarding Druff on Only Friends…

    Berkey is an ambassador for Bet MGM (Poker) but I think he was fair for the most part. I caught some of this but it’s important we can’t put all the blame on Global Payments. Withdrawals are reviewed by Bet MGM and once they give it the ok the payment processor is then able to proceed.

    I think he makes a great point on 2 factor authentication. If a simple code was sent to Druff’s cell in order to complete the transaction, that may have stopped it. Once you have a history with Bet MGM some cashouts will immediately be approved without any scrutiny. Obviously on a new account & withdrawal this size, this shouldn’t be the case. So some culpability rests with Bet MGM without a doubt. They had the opportunity to catch these. Scammers were brazen enough to not even put in token bets. This is a failure on many ends.

    Addl note*** Most of my withdrawals with Bet Borgata go through without even being reviewed internally. I suspect that will change going forward. It was nice to get the cashouts so fast but for the overall security of both the bettors & the site, all withdrawals will probably have to be given at least some level of scrutiny. You would think anyone with even the smallest amount of competence would flag the withdrawal done on Druff’s account. Question is why?

    Well I didn’t want to put the tin foil hat on but I would be a little curious why Bet MGM West Virginia was used and if the team in charge of reviewing withdrawals is centralized or does West Virginia have its own department doing that.

  17. #37
    Owner Dan Druff's Avatar
    Reputation
    10110
    Join Date
    Mar 2012
    Posts
    54,626
    Blog Entries
    2
    Load Metric
    65648597
    Someone messaged me who was hit via Viejas on October 5. Another person, a well known pro, was hit on October 12. These are the two earliest incidents so far. Mine is no longer the first one, so that somewhat removes the likelihood that it was a listener to PFA Radio (which makes me glad).

    It seems that all of the fraud was done through Viejas, BetMGM, and Borgata.

  18. #38
    Platinum FRANKRIZZO's Avatar
    Reputation
    482
    Join Date
    Sep 2014
    Posts
    3,393
    Load Metric
    65648597
    Sorry it was noted in title that Todd was a victim, hope you get your moneyz back

  19. #39
    Cubic Zirconia
    Reputation
    13
    Join Date
    Nov 2022
    Posts
    12
    Load Metric
    65648597
    Is it just me or does it seem like the hacking issue Melissa Burr is tweeting about likely unrelated to this?

    Of course its just as bad to get hacked, but it doesn't seem to match what happened to Dan and the others at all?

    https://twitter.com/burrrrrberry

    (That's her twitter for anyone who doesn't know what I'm talking about, she linked to this thread.)

    From my prospective, I don't really think global payments had data breach... rather it's just an unsecure system where if anyone can get ahold of a small amount of info, they can make a new gaming account as you and deposit.

    Name:  twitter1.png
Views: 1082
Size:  200.5 KB

    In her case it looks like someone got her existing Borgata password, and tried to make a Paywithmybank deposit.
    This is a deposit method where you login with your online banking username/password and approve a payment to the site. Totally different than ACH, and requires info that Dan's scammers almost certainty didn't have.

    To me this doesn't seem related at all and could be a coincidence. Even though the timing is weird.

     
    Comments
      
      JeffDime: +1

  20. #40
    Platinum JeffDime's Avatar
    Reputation
    1473
    Join Date
    Apr 2020
    Location
    Brick City, USA
    Posts
    2,703
    Load Metric
    65648597
    Quote Originally Posted by Dizzy View Post
    In her case it looks like someone got her existing Borgata password, and tried to make a Paywithmybank deposit.
    This is a deposit method where you login with your online banking username/password and approve a payment to the site. Totally different than ACH, and requires info that Dan's scammers almost certainty didn't have.

    To me this doesn't seem related at all and could be a coincidence. Even though the timing is weird.
    There is def something more going on with Borgata specifically. It may be the same scammers just using a different route. NJ is also a target because the sites take credit card deposits as well, which opens up a whole new avenue to make new accounts. Borgata is a skin of Bet MGM NJ. If you go to the Borgata they will sign you up on Bet MGM NJ. All the branding is Bet MGM. So it is a lesser priority. It seems clear that it is being targeted for more than the ACH scam. Just don’t know how badly or if it’s related. Hell of a coincidence though.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Replies: 11
    Last Post: 04-12-2022, 08:37 AM
  2. Replies: 28
    Last Post: 03-26-2017, 11:18 AM
  3. Attack Poker (free-money poker site) signs convicted payment processor Chad Elie
    By Dan Druff in forum Scams, Scandals, and Shadiness
    Replies: 3
    Last Post: 07-17-2013, 02:04 PM
  4. Replies: 8
    Last Post: 11-20-2012, 05:44 PM
  5. Replies: 0
    Last Post: 03-26-2012, 07:04 PM