In the last few years, sports betting websites like DraftKings and FanDuel have exploded in popularity and controversy. Anyone who watched last year’s NFL season shouldn’t be surprised that those two sites alone spent over $200M on national television advertising in 2015, amounting to around 60,000 commercials. At the same time, betting sites have been in the news due to their questionable legality and the lawsuits being brought against them from various parties. With March Madness in full effect, people are turning to online gambling sites to place their bets. Aside from the increasing legal resistance these companies face, should users be concerned about the security of sharing their information with these sites? As it turns out, it depends on the site.
We scanned eight of the major gambling sites with our risk grader and the results are all over the board. FanDuel scored the highest at 827, followed closely by Bovada at 789. WagerWeb came up last at a grim 266, while RealBet lagged behind with a 361. These scans assess the external security of the website as well as several breach-related business metrics to provide a comprehensive picture of the site’s resiliency. If a site’s score is low, it suggests that several standard security measures are probably not in place or may not be configured correctly. A high score means the site’s administrators have given thought to web security and are taking steps to keep your data as private as reasonably possible.
With all of the legal questions being raised about online gambling, it’s easy to overlook something like a site’s cybersecurity as it factors into the overall risk of using a site. Bovada is a leader in online gambling and their 789 score, though not perfect, reflects at least an attempt to harden their site against attacks, whereas the picture of Las Vegas on their about page reflects an attempt to bring the atmosphere of a casino floor at 2am into your living room.
Sportsbook.ag has “The highest credit card acceptance rates in the industry.” But should you pass your credit card information through their site? 694 is an “average” score, meaning that although they have some of the key requirements like SSL and SPF, there’s still plenty they could do to improve their site’s resiliency.
RealBet has one of the lowest scores on our list at 361, and that’s a problem when it comes to web security. Without SSL enabled, the likelihood of a compromise is much higher. Add to that the lack of SPF for email communication and it should become apparent that penetrating RealBet’s security, whether through social engineering or exploitation of vulnerabilities, would be easier than some of their competitors. How much customer data would be at risk in the event of a breach is unknown, but usually a lack of security awareness on the homepage translates to poor practices across the board.
DraftKings is actually the most surprising result of this set, because while their company is valued at over a billion dollars and they spent over a hundred million on advertising, their 599 score is average, and lower than some of their less well-funded competitors. Like Sportsbooks.ag, they have the basics-- SSL, SPF, not on any blacklists-- but nothing much beyond that. For the amount of traffic and money going through the site, one would expect a larger investment in securing their systems.
FanDuel is probably the second most well-known sports betting site on the net and they have the strongest score of the lot with 827. They have good SSL practices and SPF, as well as high CEO and company ratings (via GlassDoor), which can help assess the likelihood of an internal breach. Unlike DraftKings, FanDuel matches their popularity with an extra assurance for their customers and investors that they take security seriously.
BetOnline has been around since 2004 and you might remember them from a bizarre stunt in 2009 involving placing a bet from the summit of Mt. Everest. Their website rating is average, although still higher than the much more popular DraftKings. Like most companies with an average score, they have basic protection in place. We will try scanning them again from the summit of Mt. Everest sometime next year.
TopBet’s 409 score puts the site in “warning” status on the scanner, meaning that they have a high risk of vulnerability and outage. This comes mostly from the fact that SSL is not enabled on the main page. They do have SPF enabled for email though, bumping them up slightly higher than RealBet, who had similar issues.
WagerWeb had the lowest of our scores with a 266, a sign of an extremely insecure website. Like RealBet, WagerWeb does not have SSL or SPF enabled, and has several other issues on top of that lowering their score even further. With a score this low, and with competitors to compare them to, it would be ill advised to give any personal or financial information to this site.
No matter what kind of site you’re browsing to, you can use UpGuard’s website risk grader to get a quick readout of their external security profile so you can judge whether to use it or not. For activities like online sports betting, where financial information is constantly passed back and forth, a data breach or other exploitation could be disastrous for both the business and its customers. Knowing the risk up front allows you to make an informed decision before putting your data in a dangerous situation.