[toc]The editorial board of the Worcester Telegram-Gazette criticized Massachusetts‘ state legislature for not imposing stricter security controls when it legalized and regulated daily fantasy sports last year in a piece this week.
The state enacted a DFS law in 2016 that piggybacked on regulations put in place by state Attorney General Maura Healey.
Massachusetts, of course, is the home of DFS operator DraftKings.
The editorial on Massachusetts and DFS
The editorial — entitled — “Loaded Dice? No one is checking in fantasy sports games in Massachusetts” — praised the responsible gaming regulations but criticized the absence of baseline cybersecurity requirements and independent testing of the software for integrity and fairness.
The paper’s editorial board calls the lack of security benchmarks in regulations a “gaping hole in current state law governing online fantasy sports.”
The board goes on to say:
“No regulator monitors the hardware and software on behalf of the state to insure that the games are honest. And at a time of angst over foreign powers reaching through computer networks to influence a presidential election – some even worry about the potential for hacking actual voting machines – the state must pay attention to a critical issue. The state’s new commission must push for this change.”
DFS operators disagree
In a statement to Legal Sports Report, a spokesperson for FanDuel and DraftKings pushed back against the assertions made by the editorial.
“The Massachusetts regulations are extremely strong: they require the companies to have data security measures – to protect confidential customer information or any information that could affect contest outcomes — and they are subject to state prosecution if they fail to implement reasonable measures. Additionally, Massachusetts already has extremely strict data breach security laws all companies in the state must follow.
Part of the beauty of fantasy sports is the data is all public – not only are we all picking players with the same easily attainable information about their past performances, but once games begin and lineups lock, the lineup information is all public. It would be impossible to change a lineup after seeing game results – anyone trying to do so would be quickly exposed.”
Are there DFS security issues?
Legal Sports Report also spoke with Gus Fritschie, the chief technical officer of SeNet International, to get his take on the potential vulnerabilities. Particuarly, is there is a need for stricter security controls written into daily fantasy sports regulations?
Here’s what Fritschie had to say.
Possible security breaches
Legal Sports Report: What are the potential security threats to daily fantasy sports sites, and what could security breaches result in?
Gus Fritschie: I believe there are two primary types of security issues to be concerned about.
First, are those types of security issues in the application software (i.e. code vulnerabilities such as SQL injection), operating system (missing patches), and/or IT infrastructure that could allow a system or organization to be exploited by an attacker.
Once an attacker has access, it depends on his motivation on the next step. Is it to install ransomware? An attempt to capture user credit card data or PII? Or, is it to remain persistent on the network and attempt to access information that could be used to impact the integrity of the games.
The second issue I see, and related to my previous statement, are vulnerabilities that would allow a user to obtain information or circumvent security controls that could affect the gameplay.
For example, if there was an application vulnerability that allowed a user to change their lineup after a contest started that could have a major impact. Likewise, and taking a story from previous security issues in online poker, if a rogue developer added code that allowed certain users to see other players’ lineups prior to a contest that impacts the integrity of the gaming operations.
As for the threat sources, I don’t believe it is much different from other sectors.
You will always have those attackers that are looking for a system with a known vulnerability that they have an exploit for. It does not matter if you are FanDuel or Marriott; if you have that vulnerability you are going to be exploited. The threats I am more concerned about are those targeting the sites for a specific reason, most often to gain an advantage and disrupt gaming operations.
Why little talk of security for DFS?
LSR: Why do you think security isn’t discussed as much as other regulations?
GF: I wouldn’t say that security is not discussed as much. If you look in the gaming regulations for states where iGaming is regulated, you will find security standards and requirements.
Now, often the majority of these are focused on player protection, such as requiring the ability for multi-factor authentication, or the ability to set gaming limits on amount deposited or stakes played. However, there are also standards for what the operator needs to have on the backend (i.e., auditing, IT, security staff).
New Jersey, [like] other states, also has a requirement for annual independent security testing. This way there is a third party that assesses the security of the sites and provides a report to regulators.
What states should be doing
LSR: What tests and security monitoring should states require?
GF: I think that, prior to being allowed to operate, sites should have to meet a set of required security controls.
A standard could be created specific to iGaming, but my recommendation would be to borrow from other established security benchmarks, such as NIST, CIS, and ISO.
After that initial certification, the site should have to undergo annual security testing similar to what New Jersey mandates. This should include evaluation of technical, operational and management security controls.
We currently provide this annual testing service to some of the operators in New Jersey. Currently the focus is on technical controls — testing the gaming applications, servers and databases. However, I think that could be expanded and enhanced in order to provide an even greater level of assurance on the integrity of the games.
One area that is extremely important, but often not performed, is a security audit of the code. There was recently a case in the lottery sector where the RNG had a logic bomb programmed into the code that allowed winning numbers to be determined. This may have been prevented if annual independent security code reviews were required and performed correctly.
Differences for small and big DFS sites
LSR: Is lacking baseline security requirements an even bigger deal for a small DFS site that might not be able to put the same resources into security?
GF: Sure, this is always going to be an issue for smaller organizations with less staff and trained security personnel. [That’s] not to say that large organizations are not at risk. I have seen plenty of small companies that have a higher security posture than huge organizations.
It all comes down to their philosophy and buy-in and support from upper management. But this is another reason for compliance and regulations, as it will force sites to do something.
However, we must remember that regulations are not the silver bullet. Sometimes they have the opposite effect, as organizations will do the minimum to show compliance and turn the process into a paperwork exercise. The important concept I like to stress is that compliance does not equal security, but if you are secure you will be compliant.