Here we go again... BetMGM accounts once again being used as a vehicle to steal money from people

[Dan Druff]

A bit of history...

Remember when it came out in November 2022 that, dating back to October of that year, fraudsters were setting up fake BetMGM accounts in poker pros' names and stealing from their bank accounts?

The scheme was simple, yet effective:

1) Obtain the last 4 digits of the social security number and date of birth of a known poker pro

2) Set up a BetMGM account in a state where he/she does not live, using their name and info

3) Deposit to the account using Global Payments' "VIP Preferred" service, which will automatically give a dropdown to select a previously used bank account, if the person has used that service before

4) One the deposit hits, immediately cash out to a Venmo Prepaid Debit Mastercard, and make off with the funds


I was one of the victims of this, for $10,000.

If the correct SSN last 4 and date of birth were entered, and the player had been seen before by Global Payments (the payment processor), the fraudster was immediately assumed to be that person, with no verification done. Awful, right?

I made a huge deal about this last year, and after it appeared on a front page espn.com article, BetMGM and Global Payments finally took some measures to at least partially close the loophole.

Unfortunately, the key term was "partially", and now people are being hit by a second wave of account thefts. Read on...

[Dan Druff]

Last year's scandal involved new fake accounts set up on BetMGM in order to steal from victims' bank accounts.

This year, they're going after existing accounts.

Embedded Tweet

https://twitter.com/LasVegasLocally/status/1709360258051703010

Embedded Tweet

https://twitter.com/LasVegasLocally/status/1709377881363906737


When I posted about my (very strong) theory as to what's going on here (which I'll explain shortly), a skeptical person demanded a "source". And he got one:

Embedded Tweet

https://twitter.com/sairjordan23/status/1709624450021494842


So what's really happening here? And is this related to the massive hack of MGM Resorts last month? Read on...

[Dan Druff]

This is a "credential stuffing" attack. What is that?

A credential stuffing attack is quite simple. Bad actors obtain e-mail/password combinations used on other websites (not just gambling sites), either by hacking the sites themselves or buying this info on the dark web.

Then they take these exact e-mail/password combos and try them on OTHER sites, and they get into accounts where people use the same e-mail/password combo in multiple places.

It is VERY important not to use the same e-mail/password combination on multiple sites nowadays!

Making your password even slightly different on each site will prevent this. For example, if your password is Sun12345 on another site, changing it to Sun12346 on BetMGM will defeat credential stuffing attacks, despite the massive similarity. These attacks are done by bots trying the e-mail/password combinations from other hacks, and if they fail even a single attempt at logging into an account, they move on to the next one.

Two factor authentication also usually defeats this. That's because the site/app will force the person logging in to enter a code sent to another place (such as a cell phone), which obviously someone doing credential stuffing attacks will not have access.



Once the fraudster gets into your account, he will add some form of Prepaid Debit Card to your account, and then cash out all of your funds! Additionally, the fraudster might attempt to deposit to your account through any previously used method on that account, especially Global Payments' VIP Preferred. Once deposited, they will again steal the funds via a Prepaid Debit Card.



Is BetMGM at fault at all here? YES, they are. Read on....

[Dan Druff]

I am very disappointed that BetMGM and Global Payments continue to allow adding new Prepaid Debit Cards onto accounts for withdrawal, without any kind of verification.

Those cards are the exit strategy for the fraudsters. Without the ability to add these cards, they have no way to get the money off, and thus will stop stealing from people via BetMGM.

However, even a year later, this massive vulnerability still exists. There should be a strong identity check done before any withdrawal is approved to a newly added card/account!

Additionally, it should NEVER be allowed to withdraw immediately after depositing, without a strong identity check.

While you can perhaps say that this latest round of victims are a bit careless by using the same e-mail/password combination everywhere, BetMGM is EXTREMELY CARELESS by allowing fraudsters to add these debit cards onto breached accounts, and withdraw without any real identity check.

Several people have contacted me over the past few weeks, regarding these account breaches and thefts. All of them admitted that they used the same e-mail/password on BetMGM as they did on other sites, but that's no excuse for BetMGM and Global Payments to be as negligent as they've been, especially after what happened last year.

Everyone is reporting that BetMGM is being very uncooperative with solving this, and nobody seems to be getting their stolen funds back. At best, people are being delayed and told to wait, even with it taking weeks with no update.

I am in the process of speaking with major media about this matter. Hopefully this will light a fire under BetMGM's ass. Stay tuned.

[Dan Druff]

Oh, and I do want to address any concerns regarding the MGM Resorts hack from September 2023, and if this BetMGM situation has to do with that.

At first glance, you'd think it would have to. After all, the hackers made off with a LOT of MGM customer data, and these breaches seemingly started right after that.

However, despite the close timeline and both being MGM related, I believe these two breaches to be completely independent from one another.

Let me count the ways:

1) BetMGM was not on the same system as MGM Resorts.

2) The hackers of MGM Resorts make money via ransomware attacks, and don't bother stealing 3-4 figure amounts at a time from individual accounts of customers.

3) MGM Resorts has not said that login/password combos of customers were breached. Customers' personal data was stolen, but we have heard nothing about email/password combos being part of it.

4) Credential stuffing attacks come from a variety of hacks, where a bot tries tons of previously obtained e-mail/password combos within a very short time. They do not necessarily have to breach MGM Resorts to go after BetMGM customers with possibly the same e-mail/password combos. There are many sources for this data outside of MGM.

5) The turnaround time seems too quick. Remember, the hackers of MGM Resorts were still holding out for ransom payments when these BetMGM attacks were starting up again. It's unlikely the hackers would get involved in these small time thefts when they're trying to get $30 million out of MGM Resorts, especially if the small time thefts could potentially jeopardize the ransom being paid.


While it is not impossible that these are related, I'd say it's unlikely.


If you have a BetMGM account, change the password immediately, and also enable two-factor authentication!

[JeffDime]

Great stuff Druff. If people are near the casino and can bet window/kiosk do that for the time being. Make sure you have email notifications on for every sign in and of course two factor authorization. I do everything I can to avoid attaching my bank account to the app. Because of the hack cage withdrawals and deposits are not available. MGM contracts out to a third party to run Bet MGM but still would service withdrawals and cashouts at certain MGM properties. That service is still not offered. If you can avoid Bet MGM I would do so. Problem for me is what I bet they tend to have the best odds on.

[Mission146]

I am very disappointed that BetMGM and Global Payments continue to allow adding new Prepaid Debit Cards onto accounts for withdrawal, without any kind of verification.

Those cards are the exit strategy for the fraudsters. Without the ability to add these cards, they have no way to get the money off, and thus will stop stealing from people via BetMGM.

However, even a year later, this massive vulnerability still exists. There should be a strong identity check done before any withdrawal is approved to a newly added card/account!

Additionally, it should NEVER be allowed to withdraw immediately after depositing, without a strong identity check.

While you can perhaps say that this latest round of victims are a bit careless by using the same e-mail/password combination everywhere, BetMGM is EXTREMELY CARELESS by allowing fraudsters to add these debit cards onto breached accounts, and withdraw without any real identity check.

Several people have contacted me over the past few weeks, regarding these account breaches and thefts. All of them admitted that they used the same e-mail/password on BetMGM as they did on other sites, but that's no excuse for BetMGM and Global Payments to be as negligent as they've been, especially after what happened last year.

Everyone is reporting that BetMGM is being very uncooperative with solving this, and nobody seems to be getting their stolen funds back. At best, people are being delayed and told to wait, even with it taking weeks with no update.

I am in the process of speaking with major media about this matter. Hopefully this will light a fire under BetMGM's ass. Stay tuned.

This is fucking laughable.

Offshore online casinos have better withdrawal verifications than this!

Shit, I received a $200 prepaid VISA Gift Card from Cope Rewards and I had to confirm my identity better than that to activate the thing!*

*Also, Copenhagen, started in Pittsburgh, Pennsylvania, is the premier chewing tobacco of the United States. With several flavors and coming in your choice of long cut, fine cut, or pouches, Copenhagen is sure to more than satisfy all tobacco chewers. Copenhagen has a rewards program called Cope Rewards, by which you can enter your codes from the can to receive coupons off of later purchases (both mobile and mail coupons are available), receive special 'Milestone' items through the mail and also participate in special giveaways...such as the $200 VISA Prepaid Gift Card that I won.

Copenhagen: Satisfying the toughest customers since 1822.

No, I'm not sponsored by Copenhagen, but I'd like to be. Inbox is open, boys. Your move.

[Mission146]

Also, just in general, I recommend play and immediately withdraw. When you withdraw, immediately move that money to a bank account NOT attached to any online casinos as soon as possible. From that account, move it to yet another account that is not attached to the thing that you used to move it to the first account.

DO NOT leave funds sit anywhere for any reason longer than necessary. Yes, it is a pain in the ass, but at least this won't happen.

DO NOT use credit cards (use Debit Cards to deposit instead), turn off Overdraft Protection, do not have more than $1 in that account unless you are depositing...in which case, deposit only what you need to make the deposit into the casino.

[sah_24]

REGULATED ... lols