Online casino and sportsbook operations have recently begun implementing a Pennsylvania Gaming Control Board requirement that multi-factor authentication be adopted by the end of the year for customers to use their accounts.
FanDuel sent a note to customers this week saying the “extra layer of protection” — typically the required use of a six-digit code sent to a customer’s mobile phone — would be added starting with log-ins on Dec. 12.
Other operators have issued similar notices in recent weeks saying either multi-factor authentication was coming or that customers should consider voluntarily opting into it immediately, in light of reports of hacking episodes that had affected the security of online platforms.
An email sent Monday by Unibet advised customers the new precautions were imminent “over the next few weeks” to ensure account security and compliance with state regulations.
BetPARX was apparently the first to actually adopt the two-step requirement, sending an email to customers Nov. 23 telling them that beginning that day, they would have to use a log-in verification code sent to their phones via SMS text message before they could access their accounts for betting.
“We want to ensure that all users are protected. At this time, betPARX has proactively enabled Two-Factor Authentication (2FA) to all accounts,” the email stated.
Recent hacking did not cause new rule
On June 30, New Jersey’s gaming division made that state the first to implement similar requirements for operators, with a process that appeared to be carried out with no serious glitches.
Its requirements came well in advance of the recent hacking that has affected customer accounts at FanDuel, DraftKings, and other operators nationally.
Pennsylvania gaming board spokesman Doug Harbach told Penn Bets that the agency’s requirement also had nothing to do with the recent problems.
“The PGCB has been proactive in this area, issuing a directive in June of this year to all interactive gaming operators to employ a multi-factor authentication (MFA) method for each device that a patron utilizes to access their Interactive Gaming Account. The new MFA requirement must be implemented by December 31, 2022,” Harbach said by email.
The operators have had the option to institute the new safety protocol before the year ends, as some like betPARX and FanDuel are doing. They and others have also recommended that customers, for their own protection, use different passwords if they have multiple accounts.
Harbach said that as part of the requirements for operators, “each unique device is required to have MFA performed every 14 days” to ensure the owner of the account is the one accessing it.
Also, he said, the gaming board “requires annual security assessments performed by independent third-party cyber security companies” to identify any potential vulnerabilities and weaknesses on an operator’s platform.
“PGCB regulations require player personal information to be encrypted in the operator’s database and operators must attest that this regulation is being strictly enforced as part of the annual security assessment,” Harbach said. “The PGCB requires all PA operators to perform quarterly vulnerability and penetration tests that check against existing and new IT security risks.”