An expanding group of victims in an identity-theft and banking-fraud scheme targeting pro poker players has begun to generate mainstream headlines, with the corporate entities linked to the core of the fraud acknowledging that investigations into a possible hack and data-theft, if not internal fraud, have begun.
According to ESPN’s David Purdum, dozens of fraudulent accounts were set up via BetMGM’s online sportsbook services as part of the scheme. Joseph Cheong, Todd Witteles, Kyna England, Brock Wilson, David Bach, Sam Panzica, and Clayton Maguire were among the poker pros who had publicly acknowledged being among the scheme’s victims. The total number of victims is unknown, though some evidence suggests that the fraudster or fraudsters may have had knowledge of the poker world and well-known players who were likely to have well-funded checking accounts linked to their online accounts.
Since the initial wave of acknowledgements that followed Cheong’s initial tweet on the topic, other well-known poker pros have stepped forward, including Melissa Burr and Kathy Liebert:
Global Payments denies security breach
While much of the evidence uncovered by Witteles over the past several weeks points to a prominent online payment process, Global Payments Gaming Solutions, as being the common denominator, Purdum’s piece instead indicates that the problem might be located within BetMGM’s online sportsbook services, where many of the bogus accounts used to withdraw stolen funds were created. BetMGM acknowledged to Purdum that, “We’re aware of a potential incident and are actively investigating.”
Meanwhile, Purdum was also able to reach Las Vegas-based Global Payments, which issued a denial that their services were compromised. “There has been no security breach or fraudulent accounts opened at our gaming business in connection with this investigation,” a spokesperson from Global Payments told Purdum. “The protection of our customers and their clients’ information and funds is our top priority and we are working with these third parties to ensure any impacted individuals are refunded.”
However, such an implied pointer to BetMGM’s sportsbook system as to where the data was stolen ignores some of the evidence already known. Most, but not all, of the fraudulent accounts where the fraudster(s) deposited money stolen from victims’ bank accounts were indeed at BetMGM, but that more likely indicates just that the fraudster(s) were familiar with BetMGM’s online system, knew that it employed Global Payments’ “VIP Preferred” service, and perhaps had lax cashout standards. None of that equates to being the source of the stolen data itself, meaning Global Payments remains the more convincing source of the initial presumed data theft..
Instead, Joseph Cheong’s initial tweet indicates that his banking information was stolen elsewhere and then used to create a fraudulent account at BetMGM, where he had never gambled:
Cheong isn’t the only player to offer details that make BetMGM unlikely to be the root source of the identity and bank-account thefts. As noted in our initial report, Witteles believes his banking information was stolen from a deposit he made to WSOP.com last summer. WSOP.com is not connected to BetMGM in any way. Instead, BetMGM is likely the chosen channel for offloading funds accessible via the previously stolen ID and banking information. Whether BetMGM has subpar standards for allowing newly-created accounts to cash out deposits without play — an issue Witteles raised — is unknown publicly at this time.
Global Payments currently offers no direct options to disconnect previously used bank accounts
One of the problems many players and gamblers are encountering in trying to protect themselves from any ongoing fraud is that Global Payments, as of this report, does not have any function in place to easily remove one’s bank accounts from its VIP Preferred service. That service is employed by more than 500 casinos across the U.S. Global Payments does, however, make it easy to add additional banking accounts, which can contribute to the fraud, rather than safeguard against it. For example, Liebert discovered that the apparent fraudster had added a second banking account to her WSOP.com account, though that portion of the WSOP.com payments framework is in reality a white-label overlay also maintained by Global Payments.
With no interactive option available to delete an existing bank account, VIP Preferred eChecks customers are then forced to resort to an arduous process of contacting Global Payments’ customer-service department and manually requesting that bank-account information be deleted.
Just as damning to gamblers’ security and responsible-gambling preferences is that Global Payments runs its own credit check when a new user creates a VIP Preferred account for gambling use, and then establishes a deposit limit that may be much higher than what a gambler desires. This in turn increases the risk to a customer in the case of a data breach.
As an example, in these images of a VIP Preferred-linked bank account that have been provided to Poker.org, the bank account was used only once, for a $150 deposit. On its own, Global Payments hiked that account’s deposit limit to $1,000 per week without any customer notification other than within the deposit function.
In this account’s example, the fraudster(s) could have attempted to attempt to withdraw $1,000 per week, though this account was untouched and later limited in otherwise. Still, the large number of prominent poker players known to be victimized shows that the fraudster(s) likely preferred targeting known gamblers with larger deposit limits.
Featured image source: Haley Hintze