According to a recent report, casinos and hotels in Las Vegas have become soft targets for cybercriminals who are targeting the huge numbers of financial transactions and no deposit bonus codes that take place in those institutions every day.
It’s estimated that, in the last few years, casino resorts including the Las Vegas Sands and Hard Rock Hotel & Casino have lost more than $1 billion due to cyber attacks on their operational networks.
Las Vegas Sands
In the most recent attack, an FBI cyber squad determined that a group of Iranian hackers had penetrated the Las Vegas Sands’ network and gained access to personal details – including earnings – of hotel customers and staff.
Two websites, those of the Palazzo and the Venetian, were hacked. Personal information of some high-profile customers and staff members was leaked. The cost of the hack was estimated to be approximately $40 million. The resort giant has been quiet about the attack, since going public would surely affect its reputation and result in loss of trust in its brand.
Sands spokesman Ron Reese declined to comment on the details of the attack. “I’m not going to confirm anything that was speculated or written,” Reese said.
The attack marks one of two known cases where a company on U.S. soil has been attacked with “wiper” malware. The malware wipes all data from the computer hard drive and makes the computers inoperable. The second case known to officials involved an attack on Sony Corp’s Hollywood studio.
The intensity of attacks is high but the Nevada Gaming Board says that it is not worried. They say that there haven’t been any casino property cyber attacks that have affected gaming operations or resulted in monetary loss.
Estimates are that, in the first half of 2017, there were 900 data breaches that comprised nearly 2 billion data records. The nature, number and severity of these attacks are increasing exponentially each year and the casino industry is a big target. One of the biggest breaches took place at a credit bureau where personally identifiable information was released.
Gaming companies are one of the biggest targets of these cybercrimes. Observers say that the public expects the companies to prepare for cyberattacks by taking action to protect them from malicious agents. 23% of gaming operator executives admit that cyber security is their #1 threat.
There are multiple reasons why casinos are such a rich target. Gaming is a cash business. Tens of millions of dollars flow through the average property every month. Many casinos, especially those that aren’t industry giants, use older gaming systems that don’t necessarily include the latest anti-cybercrime technologies.
This is especially true regarding random number generators that run on computers. Those machines are highly susceptible to cyberattack if not properly protected. Also, all of the connected smart devices, such as smart light bulbs and smart air conditioning units, have computing power. If they aren’t secured, they can act as back doors into an organization.
In one actual attack, a U.S. casino installed an iPhone-controlled fish tank. These kinds of fish tanks are capable of everything from monitoring temperature and algae levels to operating automatic feeders. Unknown to the casino, the fish tank’s smart system was secretly connected to a remote server in Finland. By hacking the fish tank, the attackers stole tens of billions of bytes of information from the local network and sent it to Finland, using channels normally reserved for multimedia.
Hacker devices work by spreading control across all computer-capable devices in the organization. Rooting out the damage requires massive disruption to the gaming operation. Some hackers use cyber means to carry out a direct attack on an organization. That’s different from a typical cyber-attack, in which the goal of the hacker is to extract funds from the target.
Recently, a massive cyber-attack was directed at the company in which credit card data, social security numbers, and customers’ driver’s license numbers were stolen by a foreign government. This gave the hacker the ability to control sensitive information and deploy it in personal attacks against the individuals whose data was stolen.
After the attack was identified, it took over a week to contain the damage, which included publication of private information of employees (including social security numbers). The hackers also took over the company’s website, where they placed pictures of the casinos burning and inserted their own messages. The customer database was also stolen and, with it, customer data which included ID numbers, names, addresses and email addresses. Now the hacker can continue activities against the customer base at any point.
Casinos are obligated to protect their customers from such actions. The credit bureau hack has the potential to defraud 143 million people. That data contained information on winnings, spending patterns and socialization activities.
Such information could be used in a variety of ways. Hackers could identify people most likely to borrow money. They could lend them money from an offshore site and collect repayments to a local site to advance a money laundering scheme.
Another scenario might involve identifying a customer’s credit history, personal details and gaming patterns to establish a line of credit, in the individual’s name, at a number of properties. Finally, through these and other situations, the hackers could blackmail the casino, promising to keep quiet in return for a payment. Casinos very well might decide that the monetary loss is secondary to the harm to the casino’s good name, which could be irreparably damaged if it gains a reputation as being unable to protect the sensitive information of its customers.
Anti-virus software, which you would think could be relied upon to prevent cybercriminals from hacking into a system, is the ultimate Trojan Horse. Blake Darché, a former NSA operator and co-founder of Area 1 Security, describes how anti-virus software can be used by hackers. “It provides consistent, reliable and remote access that can be used for any purpose, from launching a destructive attack to conducting espionage on thousands or even millions of users.”
That’s exactly what happened to the National Security Agency in a stunning 2017 attack when the Russian government hacked into an NSA contractor’s computer using Kaspersky anti-virus software. The Russians accessed sensitive information on a large range of top secret subjects.
Casinos Must Consider
Casinos must consider how they can operate securely among such sophisticated adversaries. The hackers have nothing to lose and everything to gain as they launch attacks against a facility. Casinos need to protect staff members and customers from external attackers.
Protection starts with the organization’s network and extends to home computer usage. Home computers, including personal cell phones, are notoriously insecure. Even one hacked cell phone’s connection to a secure network compromises the entire network.
Anti-cybercrime experts warn casinos to ensure that data, systems and history are backed up in an isolated environment. This will mitigate the impact of an attack if one occurs, so that the organization can restore the systems and the data to a prior state quickly and effectively.
It’s also important to work with experts in cyber security so help can be accessed at any time. Technology partners must be readily available so that they can jump in, assess the situation and repair it at a moment’s notice.
The consequences of an attack on one gaming operation can cause a ripple effect that impacts all casinos. Investments in proper technology and processes to ensure cyber security exist.