A major security flaw in gambling sites’ payment processing systems has allowed a fraudster to create accounts in the name of poker players and obtain money directly from their bank accounts. [Image: Shutterstock.com]
Scammer creating accounts on behalf of pros
The poker world is at the center of yet another scandal, although this time it’s not about cheating (presumed or proven) or wrongdoing on the part of a player. This week several professional poker players reported that someone had created online gambling accounts in their name, deposited players’ bank accountsand immediately withdrew most of it, walking away with thousands of dollars per account.
Poker pro Joseph Cheong was the first to bring the theft to public attention, tweeting that his bank account had been debited $9,800 by BetMGM, even though there was no account. Other players, like David Bach and Kyna England, have also said they were victims.
The man shining the most light on the situation is poker pro and PokerFraudAlert.com founder Todd “Dan Druff” Witteles, who was also victimized to the tune of $10,000. On his site’s message board, Witteles detailed what happened and the probable cause: the gaming sites’ use of a payment processor called Global Payments Gaming Solutions.
The flight only lasted a few minutes
Witteles lives in California, but on October 20, someone created a BetMGM account in his name in West Virginia. He doesn’t have a BetMGM account anywhere, so he wasn’t flagged as a duplicate. That same day, whoever set up the account deposited $10,000, but – and here’s the scary part – the money came directly from Witteles’ bank account.
collected three-quarters of it on the fake Venmo account
At the same time, the fraudster set up a Venmo Debit Mastercard, again in Witteles’ name, and used it as the destination account to withdraw $7,500 of the $10,000. The person did not play at all. They deposited the money from Witteles’ bank account, then cashed out three-quarters of it into the fake Venmo account.
This Venmo account then sent the money to another Venmo account in someone else’s name and that was it, it was gone. On November 4, the scammer took the remaining $2,500 from the BetMGM account.
The payment processor does not require repeated identity verification
Through some research, Witteles speculates that the fraudster was able to accomplish all of this so easily because BetMGM, WSOP.com, and many other gaming sites in the United States use Global Payments Gaming Solutions to process eCheck deposits. Witteles said he deposited a few thousand dollars at WSOP.com in Nevada this summer and had to go through ID verification before he could do so. For any subsequent deposits, a customer can skip all verifications and proceed directly to the deposit.
very little information is required to create an account on these gambling sites
There are two things that made the scam possible without any kind of website or database hacking. First of all, very little information is needed to create an account on these gambling sites. Just the basic name and address kind of information. The trickiest piece of information to acquire is the last four digits of a person’s social security number; Witteles doesn’t know how the scammer got this. The second security flaw is that Global Payments retains the person’s bank account information so that the customer can use the “VIP Preferred” service to quickly deposit at each gambling site that uses the company as a payment processor.
Since BetMGM and WSOP.com both use Global Payments, the scammer was able to create the account in Witteles’ name, and since the information matched what Witteles had used with WSOP.com, the system let the thief carry out immediately a large deposit with Witteles. bank account already linked.
It appears that only high-level professional poker players have been targeted, likely because their identities are public knowledge and they are likely to have large sums of money in the bank accounts they used to eCheck deposits. According to Witteles, all of the fraudulent accounts were created through BetMGM and Viejas Casino in California, the latter due to the casino’s cashless banking system. Most, but not all, of the victims were initially exposed to the Global Payments system through WSOP.com.