A major security flaw in the gambling sites’ payment processing systems allowed a fraudster to create accounts in the names of poker players and get money directly from their bank accounts.
The scammer creates accounts in the names of professionals
The world of poker is at the center of yet another scandal, though this time it does not involve cheating (alleged or proven) or foul play by a player. This week, several professional poker players announced that someone had set up online gambling accounts in their names, deposited money from the players’ bank accounts, withdrawn most of it almost instantly, and made off with thousands of dollars per account.
Poker pro Joseph Cheong was the first to bring the theft to public attention, tweeting that his bank account had been debited by BetMGM for $9,800, even though he does not have an account there. Other players, such as David Bach and Kyna England, said they were victims as well.
The man shedding light on the situation is poker advocate and founder of PokerFraudAlert.com, Todd “Dan Druff” Witteles, who was himself a victim to the tune of $10,000. On the message board of his site, Witteles explained in depth what happened and the possible cause: the gambling sites’ use of a payment processor called Global Payments Gaming Solutions.
The robbery only took a few minutes
Witteles lives in California, but on October 20 someone set up a BetMGM account in his name in West Virginia. He does not have a BetMGM account anywhere, so the new account was not flagged as a duplicate. On the same day, whoever made the account deposited $10,000, but (and here’s the scary part) the money came directly from Witteles’ bank account.
Three-quarters of it cashed out to a dummy Venmo account
At the same time, the fraudster set up a Venmo Debit Mastercard, again in the name of Witteles, and used it as a destination account to withdraw $7,500 of the $10,000. The person did not gamble at all. They deposited the money from Witteles’ bank account and then cashed out three-quarters of it to the fake Venmo account.
Then that Venmo account sent the money to another Venmo account in someone else’s name and that’s it, it’s gone. On November 4, the scammer took another $2,500 from the BetMGM account.
The payment processor does not require re-verification of identity
After some research, Witteles believes that the scammer was able to achieve all this very easily because BetMGM, WSOP.com and a lot of other US gambling sites use Global Payments Gaming Solutions to process eCheck deposits. Witteles said he deposited a few thousand dollars on WSOP.com in Nevada this summer and had to go through some identity checks before he could do so. For any subsequent deposit, the customer can skip all verification and go straight to depositing.
Very little information is required to actually create an account on these gambling sites
There are two things that made the scam possible without any kind of website or database hack. First, very little information is required to actually create an account on these gambling sites: just basic information such as name and address. The most difficult information to obtain is the last four digits of a person’s Social Security number; Witteles is not sure how the imposter got hold of it. The second security hole is that Global Payments keeps a person’s bank account information on file so that a customer can use the “VIP Preferred” service to quickly deposit at every gambling site that uses the company as a payment processor.
Since both BetMGM and WSOP.com use Global Payments, the scammer was able to create an account in Witteles’ name, and because the information matched what Witteles used with WSOP.com, the system immediately allowed the thief to make a large deposit from Witteles’ bank account, which had already been linked.
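To make the gap concrete, here is a small Python model of the decision described above, added as an illustration; it is not code from Global Payments or any gambling site. The class names, field names, decision labels and sample values are all hypothetical. It contrasts a processor that unlocks the stored bank account on matching details alone with one that demands fresh identity checks whenever the site or state is new for that customer.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class StoredProfile:
    """Processor-side record: identity details plus a linked bank account."""
    name: str
    address: str
    ssn_last4: str
    verified_merchants: frozenset  # sites where the customer passed identity checks
    verified_states: frozenset     # states those verified accounts were opened in

@dataclass(frozen=True)
class DepositRequest:
    """A gambling-site account asking to deposit from the stored bank account."""
    merchant: str
    state: str
    name: str
    address: str
    ssn_last4: str

def identity_matches(req, profile):
    return (req.name, req.address, req.ssn_last4) == (
        profile.name, profile.address, profile.ssn_last4)

def weak_decision(req, profile):
    # Flow as the article describes it: matching details alone unlock the account.
    return "ALLOW" if identity_matches(req, profile) else "DENY"

def hardened_decision(req, profile):
    # Matching details are necessary but not sufficient: any context the real
    # customer never verified forces fresh identity checks before money moves.
    if not identity_matches(req, profile):
        return "DENY", []
    reasons = []
    if req.merchant not in profile.verified_merchants:
        reasons.append("merchant never verified by this customer")
    if req.state not in profile.verified_states:
        reasons.append("account opened in an unverified state")
    return ("STEP_UP", reasons) if reasons else ("ALLOW", [])

# Constructed sample data (placeholders, not real customer details).
PROFILE = StoredProfile("Pat Example", "1 Sample St", "0000",
                        frozenset({"site-a"}), frozenset({"NV"}))
IMPOSTOR = DepositRequest("site-b", "WV", "Pat Example", "1 Sample St", "0000")
RETURNING = DepositRequest("site-a", "NV", "Pat Example", "1 Sample St", "0000")

if __name__ == "__main__":
    print("weak:", weak_decision(IMPOSTOR, PROFILE))
    print("hardened:", hardened_decision(IMPOSTOR, PROFILE))
    print("hardened, returning customer:", hardened_decision(RETURNING, PROFILE))
```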
It appears that only high-level professional poker players were targeted, possibly because their identities are known to the public and they likely had large sums of money in the bank accounts they used for electronic check deposits. According to Witteles, all of the fraudulent accounts were set up via BetMGM and Viejas Casino in California, the latter due to the casino’s cashless banking system. Most, but not all, of the victims were originally exposed to the Global Payments system through WSOP.com.