Knocking Out ATO in Fantasy Sports
Rick Skawinski, Jr. is a data analyst specializing in fraud tools at FanDuel.com, a one-day fantasy sports game website with millions of registered users that provides immediate cash payouts to winners. Rick has been fighting card-not-present (CNP) fraud for over four years, ever since his mother’s identity was stolen and used to file her taxes following the Anthem Blue Cross & Blue Shield data breach of 2014. Since then, Rick has been using advanced data analytical tactics and tools to combat CNP and account takeover (ATO) fraud.
RS: How long has account takeover been going on in fantasy sports? Is it a recent trend or has it been a long-time issue?
RSJ: First, let’s distinguish the difference between season-long fantasy sports and daily fantasy sports. FanDuel is primarily a platform for daily fantasy sports (DFS), while traditional fantasy sports are normally an entire season long. DFS includes daily and weeklong contests, which means our operations as a financial risk operations department work under a very strict time parameter. Since our contests start and settle so quickly, ATO fraud historically has been a large component of fraud for FanDuel because users commonly withdraw their winnings in a quick manner. Already, ATO fraud is very common in the gaming community due to the nature of allocating users with control of their own funds. However, we have a robust detection and prevention system in place specifically for this sort of fraud.
RS: Do you see any trends when using fraud tools that fight ATO?
RSJ: Yes, very much. Since we build most of our fraud fighting tools internally, we must constantly alter and recalibrate them to successfully repel various types of ATO attacks. Botnet attacks are very easy to spot and shut down due to the nature of the patterns they create. However, more unique ATO attempts, which usually involve much higher attempted withdrawal amounts, are where things get to be a bit tricky.
We are aware that fraudsters are closely analyzing what types of patterns we look for in our analysis and counter them, similar to two people playing a game of chess. This requires our team to vigilantly discover and react to new trends. Whether it’s a similar pattern in sign-up or changes in personally identifiable information (PII), we really hone in on the details of the event collector along with any false positives that may have slipped in.
RS: Do you use any specific indicators to isolate accounts likely to be suffering from ATO?
RSJ: As I mentioned earlier, we do have multiple systems in place to detect and prevent ATO. This includes a rules-based conditional expression engine in SQL, along with extensive Python machine learning models with H2O.ai. I recalibrate the rules engine daily, based around fraud trends and data input through third-party tools like Emailage. By pulling the API of individual third-party fraud-prevention tools through a data pipeline into Redshift, we can easily capture historical email data, along with valuable device and geo-location information.
We will never use a single data point to determine whether a withdrawal or deposit is due to an ATO. Instead, we use hundreds of data points working in harmony with each other, and good old human supervision to make the final call.
Call me what you like, but I think unsupervised machine learning (UML) is overhyped right now. I think the tech is on its way to becoming something great and our current ML complements our detection and prevention system greatly. However, there is still something to be said for relying on human supervision and intuition.
RS: Is there any seasonal variation in the frequency of ATO attempts?
RSJ: Attacks on our platform come in waves, usually on weekends and holidays. Unfortunately for those fraudsters, our team works around the clock 365 days a year. This constant surveillance is required regardless of whether it’s Thanksgiving or Christmas morning.
Besides national holidays, we see spikes in ATO at high-volume times in terms of the sports cycle. Since the NFL is our biggest traffic driver, we historically have seen most ATO fraud during the football season. Also, special “sport holidays” like the Super Bowl, NCAA March Madness (U.S. collegiate basketball) and the NBA playoffs are prone to increased attacks in line with the increased volume of legitimate users.
RS: Is there any difference in handling mobile vs. desktop devices?
RSJ: Since FanDuel is offered via mobile app and web browser, it requires my team to work with both our mobile engineers and web platform engineers. Traditionally, we’ve seen fraudsters primarily using mobile and mobile emulators (such as the Dalvik Android VMware), but we treat both mobile and web equally as far as gathering as much data as possible to determine whether user behavior is nefarious or genuine. If I’ve learned anything in specializing in fraud prevention, it’s that you cannot assume anything. Expect the unexpected, and that means being vigilant in wrangling data regardless of the device type.
RS: Have recent major identity theft breaches in the U.S. like the Equifax breach had any impact on ATO in gaming?
RSJ: I can’t imagine anyone in the gaming industry isn’t experiencing an uptick in ATO due to these mammoth database breaches. Equifax and Yahoo alone have done more damage to personally identifiable information (PII) security than anything we’ve seen before. After Christmas, we were hit with the highest uptick in ATO I’ve seen since I started doing fraud analytics with FanDuel. I’m sure others in the gaming industry can relay similar experiences.
The most common and easiest to prevent reason behind ATO caused by the database breaches is password sharing between platforms. Multi-factor authentication aside, the best thing you can do to prevent yourself from being played by a fraudster is to create a platform-unique password for every website and application that requires you to use a password. If you’re reusing, you’re losing!