Online sportsbooks… A security and fraud nightmare
I’m a bit of a sports fanatic, especially for my local San Francisco Giants and 49ers. However march madness is my favorite, it’s like a religious holiday. Brackets, upsets, cinderellas, and those buzzer-beaters. Ohhhh my!
At any rate, I enjoy putting money on some of the madness games, and asked my friend who is an avid sports gambler which site he uses. He quickly responded 5Dimes…
“They have the best lines, most proposition bets, and nice tiered bonuses.”
The first yellow-flag (i’m not even at red yet) is their payment processor (where you provide your credit card deposit). It is hosted by a completely obscure 3rd party, and seems to rotate frequently. I pressed on though, as I had some great picks. The second yellow-flag, none of their site is encrypted via https. This definitely made me uneasy, but, gotta get those picks in.
I do have to give their betting platform some credit though, while not pretty by any stretch of the imagination, they have lines for most every possible sport and game. Proposition bets, parlays, futures.
After everything was said and done, and the nets cut down, it was finally time to withdraw my winnings. Here-in, comes the rub. There is no link in the interface to withdraw (only deposit). So, I fired up their friendly chat and asked to withdraw my account balance. A 5Dimes representative responded with, please provide your password in the chat window so we can verify your account. The first of many red flags has risen.
They are asking users to provide their account password in a plain text (non-encrypted) chat window. Second, I can almost guarantee that they are not hashing passwords, and all employees on the other end of their chat can view any account password.
Deep breaths… Not that big of a deal for me, since I use a randomly generated password for each site (1Password), but others are not so savvy. Anyway, 5Dimes agreed to withdraw my account (via PayPal payout), and said they would be sending an e-mail with further details. Shortly the e-mail with the details arrived, and I couldn’t believe they could be so incompetent.
1- Please refer to the attached authorization form you need to fill out (handwritten) in order to process your payment request.
2- Along with the authorization form make sure to include a copy of your ID (driver’s license or passport) and a copy of your Visa card ending in V-8921 (front of card only).
3- Also a copy of a utility bill or bank statement is required to validate your current address.
That is right, they require that you fill out a form (asking for the full credit card number), take a photo of your ID and credit card, and provide a bank statement, just to issue a withdraw. Not to mention, what does my original credit card used to fund the account have to do with receiving a PayPal payment? All of this sensitive information needed to be sent over unencrypted e-mail. I proceeded, but refused to provide the full credit card number on the form, and masked the full credit card number in the photo sent.
A 5Dimes representative then responded, that I must provide the full credit card number on the form, and a full photo of the credit card to process the PayPal withdraw. This is utter nonsense. Nevermind the fact they don’t need any of these details for a PayPal transfer, but they also don’t need the entire card number to verify a card. They can use the last 4, expiration, card type, and issuing bank, and have enough data points to verify a given card.
I pushed back and forth for a few e-mails, but they would not budge. In order to withdraw the money that I fairly won, I would have to send them my credit card number and a picture in a plain text e-mail.
Reluctantly, I caved in, and sent the e-mail off with my credit card details exposed. Once the PayPal process was initiated, I called my credit card company and reported the card lost, and had them re-issue a new card.
I’m not much for a conspiracy theorist, but I find it hard to believe that these online sportsbooks, who transact tens of millions of dollars a year, don’t know about common security practices. Their blatant lack of security and best practices almost makes me believe they intentionally do it so perhaps they can sell their users identities and even worse credit cards to black markets. I obviously don’t have proof of this, but it would not surprise me.
In closing, online sportsbooks are a market ripe for innovation and change. Just like Stripe brought online payments to the masses in a secure and trustworthy fashion, a legit, venture backed online sportsbook could do the same. The only thing preventing it, is US laws. Personally, I say legalize online gambling, and lets regulate it so it is secure, safe, and a reputable business.