The annual NCAA basketball tournament, better known as March Madness, is upon us. With it comes an influx of gambling, whether it be in the form of office pools, filling out brackets with friends or the enticing prospect of online gambling.
While the season may be ripe for underdogs, those who try their luck by partaking in online gambling may be putting more on the line than just their money. As huge sums of money are flowing between gamblers and bookies—an estimated $9.2 billion was spent betting on tournament games in 2015—gambling sites are ripe to be targeted by hackers and malicious actors for a major score.
Alex Heid is the chief research officer at SecurityScorecard, a cybersecurity rating and monitoring platform. He applied his company’s threat analysis to a number of top gambling sites for International Business Times to identify potential threats would-be gamblers may face as they place their bets for the year’s biggest tournament.
To assess the security of each site, he performed a number of risk assessments that looked at everything from the security protocol of the site itself, third-party applications designed to help protect the site, and the potential for social engineering attacks.
The analysis included scanning the site for any malware that may have infected the sites, as well as scouring the web for potential account credentials like leaked usernames and passwords that may be floating around on the shadier parts of the internet—or in some cases, sitting in plain sight.
SecurityScoreboard tracks gambling sites as entertainment, categorizing them with video game sites and others. Heid said gambling sites ranked as some of the most secure sites in the category.
"A majority of gambling sites are making use of DDoS solutions and web application firewall solutions," Heid said, explaining the sites were taking necessary precautions to protect their products and users.
He noted the biggest risk for online gamblers isn't necessarily the site itself getting hit, or even the security of their credit card information, as many gambling sites accept bitcoin and cryptocurrency. The real concern for users is in password theft and account takeovers.
"One of the things we see in hacker forums a lot and in botnet logs that we look at, hackers will buy, sell and utilize compromised credentials from online gaming sites because it's an easy way to essentially steal money," he said.
The risk of such an account takeover has increased in recent years, as credentials from a number of sites have leaked online and circulated among hackers and other potentially malicious actors.
Have I Been Pwned, a site that tracks websites that have been compromised, has recorded more than 2.5 billion leaked credentials from 200 websites. Only one of those sites was a gambling-specific site (none of those examined by Heid have reported breaches), but the existence of those other accounts present trouble for any user that reuses passwords.
For anyone who may have a password in a database that they use again for a gambling site, they are at risk of a hacker using the stolen credential to access their account. Once a hacker has access to an account, it is easy for them to quickly withdraw funds, especially with cryptocurrencies.
“The gaming sites themselves aren't really at fault for that, it's often times the lax security of the user that causes themselves to get hit," Heid said.
He recommended anyone partaking in online gambling take precautions to ensure their account is protected. Users should make sure they are using different passwords for their accounts, especially ones that are entirely unrelated to their other passwords and any personal information that could be gleaned from social media profiles.
When possible, Heid recommends using two-factor authentication. The extra security option should help mitigate any remote takeover of an account by requiring a second form of verification, often in the form of a code sent to another device owned by the account holder.
More than anything, he advised users to prepare for the worst by making sure they aren’t risking anything they aren’t ready to lose.
"Don't keep anything [in your account] more than you're okay with losing—either from gambling it away, the site getting hacked, or their account getting taken over. Only keep in what you can afford to lose," he said.
With billions of dollars changing hands during March Madness, these simple tips can afford you the extra bit of protection needed to make sure that any money you lose will only be the result of picking the wrong teams rather than getting hacked.