Teen in court after '$600K swiped from DraftKings gamblers'

An 18-year-old Wisconsin man has been charged with allegedly playing a central role in the theft of $600,000 from DraftKings customer accounts. Joseph Garrison – who potentially faces years in the clink if convicted and apparently bragged to his co-conspirators that "fraud is fun" – surrendered to the cops Thursday morning in …

  1. DS999 Silver badge

    I'm sure fraud IS fun

    Until you get caught! Or if you're worried about getting caught. Or worried about getting killed if you defraud the wrong party.

  2. Anonymous Coward

    Does rate limiting mean anything to anyone ?

    x login attempts in y minutes and then deny the connection for 12/24 hours ?

    Yes, against a really well resourced attacker with a fleet of bots and IP addresses it can be tricky. But not against a script kiddie and his matez.

    1. Cheshire Cat

      Re: Does rate limiting mean anything to anyone ?

      Nonono... more than x failed connection attempts, using different passwords, in y minutes from the same IP, and you deny the *login* for 24h, not the connection. But tarpit by 4s. Don't deny the *connection* - then they won't realise they've been blacklisted, and will continue to waste more time in the tarpit, and will think everything in their database is a bad password.

      1. Anonymous Coward

        Re: Does rate limiting mean anything to anyone ?

        Meanwhile, I have a script which just feeds phishing emails with a shit tonne of bogus credentials.

        It did occur to me that the most effective way to implement this would be to spread it like a bot so it can run from loads of different IP addresses. Which given how scammers work would be ironic.

        It then occurred to me that this is probably already happening.

      2. Roland6 Silver badge

        Re: Does rate limiting mean anything to anyone ?

        I would include login attempts using different usernames from the same IP and /24 address block.

        One of the banes of my life is how getting hold of this information can be practically impossible. Also “y”, it seems this is probably well known and not admin configurable; encountered this when being attacked from 6~8 IPs from the same /24 which belonged to some Russian ISP. They probed to find out the value of y and then simply set their retry timer to y + 10 seconds. It was nearly 2 months before the logs no longer showed connection attempts from this ISP.
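        The limiter the two comments above sketch (count failed logins per source IP and per /24 in a sliding window, deny the *login* rather than the connection, and tarpit the response), written out as an added example. This is not code from the thread or from DraftKings; the thresholds, the 4 s tarpit, the 24 h block and the TEST-NET addresses used as sample input are all constructed assumptions. It also counts distinct usernames tried from one IP, which is the credential-stuffing signal Roland6 asks for.

```python
"""Sliding-window failed-login limiter (added example, assumptions labelled).

- Failures are counted per source IP and per IPv4 /24 block.
- A source over threshold is denied *login* for block_seconds, but its
  connections are still accepted and answered after a tarpit delay, so a
  caller cannot tell a wrong password from a block.
- Trying many distinct usernames from one IP trips the block early.
Timestamps are passed in explicitly so the logic is deterministic.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Decision:
    allowed: bool          # False: refuse the login whatever the credentials
    delay_seconds: float   # hold the response this long before answering
    reason: str


class LoginLimiter:
    def __init__(self, max_failures=5, distinct_users=3, window_seconds=600,
                 subnet_multiplier=4, block_seconds=24 * 3600, tarpit_seconds=4.0):
        # All defaults are assumed values for the example, not known-good tuning.
        self.max_failures = max_failures
        self.distinct_users = distinct_users
        self.window = window_seconds
        self.subnet_max = max_failures * subnet_multiplier
        self.block_seconds = block_seconds
        self.tarpit = tarpit_seconds
        self._ip_fail = defaultdict(deque)    # ip  -> deque[(ts, username)]
        self._net_fail = defaultdict(deque)   # /24 -> deque[(ts, ip)]
        self._blocked_until = {}              # ip or /24 string -> unblock ts

    @staticmethod
    def _subnet(ip):
        # IPv4 only in this example; strict=False masks off the host bits.
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))

    def _prune(self, dq, now):
        # Drop entries that have fallen out of the sliding window.
        while dq and dq[0][0] < now - self.window:
            dq.popleft()

    def _is_blocked(self, key, now):
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if until <= now:
            del self._blocked_until[key]   # block expired
            return False
        return True

    def check(self, ip, now):
        """Call before validating credentials. A blocked source gets the same
        'login failed' answer as a bad password, just delayed by the tarpit."""
        for key in (ip, self._subnet(ip)):
            if self._is_blocked(key, now):
                return Decision(False, self.tarpit, f"blocked:{key}")
        return Decision(True, 0.0, "ok")

    def record_failure(self, ip, username, now):
        net = self._subnet(ip)
        ipq, netq = self._ip_fail[ip], self._net_fail[net]
        ipq.append((now, username))
        netq.append((now, ip))
        self._prune(ipq, now)
        self._prune(netq, now)
        usernames_tried = {u for _, u in ipq}
        if len(ipq) >= self.max_failures or len(usernames_tried) >= self.distinct_users:
            self._blocked_until[ip] = now + self.block_seconds
        # A handful of IPs in one /24 each staying under the per-IP limit
        # still adds up; block the whole block once the aggregate trips.
        if len(netq) >= self.subnet_max:
            self._blocked_until[net] = now + self.block_seconds

    def record_success(self, ip, now):
        # A legitimate typo run ends with a success: forget that IP's window.
        # The /24 window is kept on purpose; one hit among many misses is
        # exactly what stuffing looks like.
        self._ip_fail.pop(ip, None)


if __name__ == "__main__":
    lim = LoginLimiter()
    # Constructed scenario: five wrong passwords for one account from one IP.
    for t in range(5):
        lim.record_failure("203.0.113.10", "alice", t)
    print(lim.check("203.0.113.10", 5))
    print(lim.check("203.0.113.10", 5 + 24 * 3600))
```

      The caller sleeps for `delay_seconds` before replying and returns the ordinary failure message, so nothing in the response reveals the window or the threshold; a client that probes for "y" and retries at y + 10 s, as in the incident above, still accumulates against the /24 counter if it spreads across neighbouring addresses.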

      3. Julian Bradfield

        Re: Does rate limiting mean anything to anyone ?

        Depends how much you like using your resources to slow people down. Me, I blacklist (with DROP) the IP address on one failed login to my mail server, for 24 hours. I typically have 8k banned addresses at any one time; that's quite a lot of log-in attempts being blocked (and not filling up my log file). And with a bit of luck, they spend some time trying to establish a connection before giving up.

    2. doublelayer Silver badge

      Re: Does rate limiting mean anything to anyone ?

      If you're pulling in hundreds of thousands of dollars, and you already bought a bunch of credentials on the dark web, then you have the resources and ability to find the people selling access to a botnet to run your scripts on. You only need each bot for about two minutes before it does something worth blocking. Buy a few thousand of those for a few minutes and spam some out. Wait a day and buy some more, either the same ones again or try a different product. That gives you tens of thousands of login attempts per day. Sure, trying your entire dataset in one day would be faster, but that decrease in speed is probably not extreme enough to cause problems for the criminal.

    3. gyterpena

      Re: Does rate limiting mean anything to anyone ?

      In this specific industry (gambling) it's often more cost effective to refund scammed money than it is to beef up security. You could introduce 2FA etc. But customers just go elsewhere and you end up losing more. Or so am I told.

  3. Clausewitz4.0 Bronze badge

    Meanwhile in the real Intelligence world

    USA + 5-eyes vassals are in a room in Lisbon discussing how to stop their open-secret microchip AI involuntary intelligence/slavery program, plus names of FBI/CIA officials and collaborators, to spread to China/Russia/Iran.

    USA + vassals won't succeed.

  4. John Brown (no body) Silver badge

    relevant jurisdictions?

    "DraftKings provided notice to customers in relevant jurisdictions..."

    What does "relevant jurisdictions" mean in this context? It seems redundant, unless they really mean to say that those customers not living in jurisdictions where notification of a data breach is required were NOT told about it. In which case "The safety and security of our customers' personal and payment information is of paramount importance to DraftKings," is a lie.

  5. MachDiamond Silver badge

    New password for everything

    I don't think it's good advice and neither is changing your passwords every so often. My l/p here at El Reg is used elsewhere, but other than somebody impersonating me and causing a bit of grief, I'm not going to be all that affected if this or where the same L/P is used is hacked. When it comes to anything that has to do with money, yes, every one of those sites has a different L/P that aren't shared anywhere else. What I'm trying to do is limit the credentials I have to try and remember to mainly the most important things. Being forced to change a login can inadvertently take you from a fairly secure L/P to one that isn't. About the only place where this is useful is if somebody is brute forcing an account and you get lucky that what you change your L/P to has already been tried and discarded. You have to hope that whoever is operating that site is actively looking out to prevent brute force attacks in the first place. If they've left that wide open, chances are they have other holes in their security as well.

    I think it's more important to avoid using anything in credentials that's easily found personal information such as a child's name or the name of a pet. I don't comment on what sorts of things I use for credentials but they aren't really things even a comprehensive biography would have. I wonder if anybody has attempted a hack based on things a person strongly dislikes or the name of the bully that tortured one at school decades ago. I get odd thoughts like that. I'm still waiting for the post office to issue "hate mail" stamps to put on mail going to pay bills and taxes.

    1. Richard 12 Silver badge

      Re: New password for everything

      Use a password manager with a good password.

      Then you only have to remember one password, and it's one that's not used anywhere else at all.

      1. Dinanziame Silver badge

        Re: New password for everything

        Until the password manager gets hacked, and then you're in deep trouble

        1. Mr. Flibble

          Re: New password for everything

          Use a local one, not a stupid cloudy one

          1. Anonymous Coward

            Re: New password for everything

            THIS. KeePass, which stores things locally, was recently found to have a security hole in which local memory dumps might contain most of the password. But that would require access to the computer on about the same level as needed for a keylogger, so not exactly that severe a vulnerability...

  6. CowHorseFrog Silver badge

    I wonder how many families have been ruined by problem gamblers due to DraftKings ?

    1. John Brown (no body) Silver badge

      It was DraftKings customers who were robbed.
