New multi-factor authentication regulations help mitigate risks of online proxy betting, experts say

Several months have passed since DraftKings’ settlement with the New Jersey Attorney General’s Office in a case where regulators determined that the sportsbook operator failed to prevent a series of out-of-state proxy bets, headlined by a mammoth $3 million parlay placed in Florida.

Last week, New Jersey Division of Gaming Enforcement (DGE) Director David Rebuck publicly addressed the high-profile incident for the first time since DraftKings settled with the state on Feb. 18, five days after the Super Bowl. The case centered on a purported arrangement DraftKings had with a VIP whale bettor that enabled the customer to place wagers on a New Jersey mobile sports betting app from his North Florida living room, nearly 900 miles from the Garden State’s southern border.

The bettor, who routinely placed risky seven-figure wagers through a proxy located in New Jersey, apparently had outstanding funds of at least $15 million in his DraftKings’ account when the company froze it in October 2020. Despite the settlement, DraftKings denies any such arrangement.

The practice of messenger betting is not allowed in New Jersey, based on regulations that prohibit licensees from knowingly allowing a proxy to make a wager utilizing the account of another person. The activity is also prohibited in DraftKings’ own terms and conditions, which deem it a violation to allow another person to use someone else’s personal account to participate in any game.

Given the severity of the infraction, an industry source told Sports Handle in 2020 that DraftKings could face a fine in the neighborhood of $20 million, one viewed as comparable to other notable casino industry compliance violations over the last three decades. The state ultimately issued a $150,000 civil penalty to DraftKings and ordered the sportsbook operator to submit a new set of internal controls with detailed training procedures for detecting and preventing proxy betting.

“We’re working with them, they have put in new controls, they have done a nice job,” Rebuck told Sports Handle at last week’s Seton Hall Law School Gaming Law, Compliance, and Integrity Bootcamp. “They had an anomaly. We’re moving forward.”

In the wake of the settlement, New Jersey’s DGE approved new regulations that require every online gaming operator to establish multi-factor authentication for their customers by June 30. Rebuck lauded FanDuel at the event for becoming the first sportsbook operator to implement a two-factor authentication (2FA) solution. DraftKings also implemented a 2FA solution in New Jersey this month, a company spokesman confirmed.

The DraftKings messenger betting case, Rebuck emphasized, did not serve as a driving force in the two-factor authentication requirements.

The new standards raise questions as to whether the DraftKings incident represents a lone case that slipped through the enforcement cracks or if it is among a larger pattern of messenger betting nationwide. Though determined bettors are adept at using high-tech solutions to outfox regulators, questions persist about whether the authentication standards will stem the tide of out-of-state proxy betting nationwide.

At a gambling industry conference last October, federal law enforcement sources told Sports Handle that DraftKings’ New Jersey case is not isolated. Nevertheless, the scope of the investigation is unknown, as is the scale of a potential multi-jurisdictional inquiry.

Two-factor authentication in sports betting

As cybercrime has grown at a rapid clip over the last decade, the corporate world has become more vigilant in combating identity fraud.

While many employees in the public and private sector consider two-factor authentication a nuisance, cybersecurity experts largely regard the multi-factor solution as an essential layer of protection in mitigating fraudulent digital activity. Whereas a customer could log into their account in the past on a single device (a website or mobile app), DraftKings bettors now receive a prompt to verify their identity through email or SMS text.

At a minimum, sportsbook operators can learn more about prospective customers with basic questions concerning the user’s name, date of birth, Social Security number, credit profile, and deposit methods. In evaluating some challenging cases in recent years, Rebuck admitted that the DGE learned some early lessons, but did not mention the DraftKings matter by name. When it comes to device verification, though, he pointedly said that if a device is not registered to you personally, it is a signal that someone may have stolen your identity.

“In the back of our minds, you can’t create an account unless you are identified with 100 percent certainty,” Rebuck said during a keynote address inside the law library.

Asked if DraftKings may have been able to spot the messenger betting infractions if the Know-Your-Customer (KYC) upgrades were in place several years ago, Rebuck replied, “I’m not going back, that’s a hypothetical.”

The state, Rebuck asserted, has not experienced a major gambling scandal since the Supreme Court’s historic PASPA decision four years ago.

Preventing proxy betting through 2FA

Once a FanDuel user satisfies the two-factor requirement, there are indications that the account will receive an exemption for the next two weeks. One New Jersey bettor told Sports Handle that once that initial requirement was met, FanDuel has compelled him to verify his identity every 14 days through 2FA.

With DraftKings, the prompts are more sporadic, he added. The sharp bettor, who places wagers on multiple New Jersey apps each day, has not received 2FA prompts from four other prominent online sportsbooks.

Although more than 30 states have legalized sports betting, Rebuck emphasized that the U.S. market is not approaching maturity, considering that the nation’s three most populous states — California, Texas, and Florida — do not offer online sports wagering. Since the U.S. sports betting ecosystem is so fragmented, online sportsbooks face considerable obstacles in thwarting nefarious bettors who attempt to illegally circumvent geolocation requirements, according to Tom Hill, head of sports betting and iGaming at Prove Identity Inc., an identity verification solutions provider. 

N.J.A.C. 13:69O-1.1 defines “multi-factor authentication” as a type of strong authentication that uses two of the following to verify a patron’s identity: ‍

1.Information known only to the patron, such as a password, pattern, or answers to challenge questions;

1. An item possessed by a patron such as an electronic token, physical token or an identification card; or
2. A patron’s biometric data, such as fingerprints, facial or voice recognition. 

Under the settlement, the New Jersey DGE instructed DraftKings to void 21 open wagers that the Florida bettor made via proxy and return the associated stakes to the bettor’s account. While not every 2FA method is capable of foiling attempts at facilitating proxy betting, some platforms can prevent the activity without impacting the player experience, according to Prove.

A number of jurisdictions regard New Jersey, with its early embrace of legal sports betting and online casinos, as the “tip of the spear” when it comes to developing regulations on sports wagering and iGaming, Hill told SBC Americas. As such, Hill anticipates that other states will use New Jersey as a model for adopting similar 2FA regulations moving forward.

New Jersey ordered DraftKings to permanently close the bettor’s account and to return all of outstanding funds within a period of seven business days of the DGE’s final order.

Other provisions of DraftKings’ settlement with the state of New Jersey: 

• DraftKings had to submit revised internal controls by March 1 that reflected enhanced training for player development personnel to identify and prevent potential “one-user, one-account” proxy violations by players who live outside New Jersey.
• The revised controls were to include additional training programs including, but not limited to, the DraftKings compliance, marketing, and customer service departments to enhance their ability to identify potential messenger betting infractions.
• As of Feb. 18, DraftKings implemented a cross-check program that enabled the company to match its Daily Fantasy Sports (DFS) geolocation data with its geolocation data for sports betting. DraftKings became aware that the bettor’s account was being accessed in New Jersey while he was physically located in Florida as early as 2019, according to court records. At the time, a geolocation velocity check determined that the account was accessed from Florida, then subsequently in New Jersey, within minutes.

David Opderbeck, a law professor at Seton Hall and co-director of The Gibbons Institute for Law, Science, and Technology, explained that there is a “delicate balance” that regulators must strike with enforcement actions involving large entities such as DraftKings. Federal laws can come into play when evidence is presented that the activity took place across a multitude of states, he noted. There is also a sense within the gaming industry that subsequent penalties could be substantially more stringent if other messenger betting infractions are uncovered after the settlement.

On the year, New Jersey sportsbooks had generated gross gaming revenue (GGR) of $147.5 million from sports betting as of April 28, resulting in tax revenue of about $22.5 million. That ranked second nationally in sports betting GGR, behind neighbor New York, according to state tax filings.

It is generally accepted within the sports betting industry that DraftKings maintains a market share of at least 20% in the Garden State. Last August, DraftKings CEO Jason Robins noted that the company generated $8 million in “contribution profit” in 2020 from New Jersey alone. For 2021, DraftKings projected profits of $65 million in the Garden State.

https://sportshandle.com/draftkings-proxy-new-jersey-2fa-standards/