A major security flaw in gambling sites’ payment processing systems has allowed a fraudster to create accounts in poker players’ names and get money right from their bank accounts. [Image: Shutterstock.com]
Scammers creating accounts in pros’ names
The poker world is at the center of yet another scandal, though this time it does not involve cheating (alleged or proven) or doing wrong by a player. This week, multiple professional poker players have made it known that someone created online gambling accounts in their names, deposited money from the players’ own bank accountsand immediately withdrew most of it, making off with thousands of dollars per account.
Poker pro Joseph Cheong was the first to bring the theft to the public’s attention, tweeting that his bank account was debited $9,800 by BetMGM, even though he doesn’t have an account there. Other players, such as David Bach and Kyna England, have also said they have been victimized.
The man who is shining the spotlight the brightest on the situation is poker pro and founder of PokerFraudAlert.com, Todd “Dan Druff” Witteles, who was also victimized to the tune of $10,000. On his site’s message board, Witteles explained in depth what happened and the likely cause: the gambling sites’ use of a payment processor called Global Payments Gaming Solutions.
Theft took just a few minutes
Witteles lives in California, but on October 20, somebody created a BetMGM account in his name in West Virginia. He does not have a BetMGM account anywhere, so it wasn’t flagged as a duplicate. That same day, whoever made the account deposited $10,000, but – and here is the scary part – the money came directly from Witteles’ bank account.
cashed out three-quarters of it to the fake Venmo account
At the same time, the fraudster setup a Venmo Debit Mastercard, again in Witteles’ name, and used it as the destination account to withdraw $7,500 of the $10,000. They deposited the money from Witteles’ bank account then cashed out three-quarters of it to the fake Venmo account.
That Venmo account then sent the money to another Venmo account in someone else’s name and that’s it, it was gone. On November 4, the scammer took the other $2,500 from the BetMGM account.
Payment processor doesn’t require repeat identity verification
Through some research, Witteles surmises that the fraudster was able to accomplish all of this so easily because BetMGM, WSOP.com, and loads of other gambling sites in the United States use Global Payments Gaming Solutions to process eCheck deposits. Witteles said he deposited a few thousand dollars on WSOP.com in Nevada this summer and had to go through some identity verification before being able to do so. For any subsequent deposit, a customer can skip all the verifications and get right to depositing.
very little information is required to actually create an account on these gambling sites
There are two things that made the scam possible without any sort of website or database hacking. First, very little information is required to actually create an account on these gambling sites. Just basic name and address type of information. The trickiest piece of info to acquire is the last four digits of the person’s social security number; Witteles is not sure how the scammer got that. The second security leak is that Global Payments keeps the person’s bank account information on hand so that the customer can use the “VIP Preferred” service to deposit quickly on every gambling site that uses the company as its payment processor.
Since BetMGM and WSOP.com both use Global Payments, the scammer was able to create the account in Witteles’ name and because the information matched what Witteles had used with WSOP.com, the system let the thief immediately make a large deposit with Witteles’ bank account that was already linked.
It appears that only high-profile professional poker players have been targeted, probably because their identities are publicly known and they are likely to have large amounts of money in the bank accounts they used for eCheck deposits. According to Witteles, all of the fraudulent accounts have been created via BetMGM and Viejas Casino in California, the latter because of the casino’s cashless banking system. Most, but not all, victims were originally exposed to the Global Payments system through WSOP.com.