Vegas Casinos Face New Threat: Database Hackers

  /     /     /  
Publicated : 22/11/2024   Category : security


Vegas Casinos Face New Threat: Database Hackers


Crooks going after casinos valuable player rewards databases, experts worry casinos ill-equipped to secure them



In a region known for its physical security legacy, Las Vegas casinos could very well be at the mercy of unrelenting database thieves if theyre not careful: Hackers are now targeting their systems that control player rewards points.
A recent advisory letter from the Nevada Gaming Control Board sent to gambling establishments in Sin City and across the state warned casinos of the threat. The Board has recently investigated numerous incidents where such databases have been compromised and the potential for identity information theft existed, Randall Sayre, a board member, wrote to Nevada casinos last month. Additionally as technology advances and more and more information is stored in these databases they will almost certainly become an even more inviting target for cyber-criminals who the Board and allied law enforcement have found are becoming increasingly aware of the value of said information and the relative ease with which it can be stolen.
Security experts were not surprised that hackers would target casino systems, which are rich with information and money-making possibilities. It always interests me when someone finds a new and novel way to get money out of information, says Mike Murray, managing partner at MAD Security, who is based in Las Vegas. Its brilliant if you think about it. The casinos around here have so much traffic and so much stuff going on with so many moving parts that its really difficult for them to catch it.
The board has been mum about the kinds of criminal activity plaguing these databases. But experts such as Murray speculate that cybercrooks might not only be after patron information, but also the points rewards themselves. Underground criminals have a knack for making money off of anything with some kind of tangible value. For example, Murray cites some criminals penchant for hacking World of Warcraft accounts to steal the virtual money contained within them and sell them on online marketplaces.
Meanwhile, Steve Santorelli with Team Cymru, a security consultancy, notes that one recently nabbed criminal in the U.K. was taking advantage of a database he had access to containing supermarket rewards points that abused to steal millions of dollars. It doesnt really matter what type of widgets are being abused, Santorelli says. The bottom line is the underground economy is all about stealing money. Criminals look at any system and see if they can break it -- whether its casino points, Coke rewards, or rewards for grocery store shopping. You can go into any of the underground forums now, and you can buy and sell not just credit cards, but also any kind of widget that has some kind of tangible value.
MAD Securitys Murray wonders if the letter from the Gaming Control Board is the first sign that the casino computer security regime is in need of a reboot. He says that in spite of a storied history of strong physical security, casinos are struggling to deal with a new world where their endless banks of slot machines are really just a massive network of computers exposed to the public and linked into back-end databases, such as those holding rewards information.
I mean, you sit down in front of it and put your rewards cards into the system. This thing is networked to whatever database the reward card is accessing, he says. So theres a lot of opportunity now for criminals that didnt use to exist. There is a huge threat surface and not necessarily the expertise and the long history in computer security to deal with that issue.
Having spent a long time in Vegas, Murray notes that part of the casino worlds problem is that the security niche within the gaming industry is very insular. And one of the things Ive noticed across the entire security industry is when you find pockets of insularity, they often havent caught up with the rest of the industry, he says. I mean, look at how long the process control industry has taken. That sort of an insular industry has a tendency to be behind. So this could be [the casinos] wake-up call.
According to Joe McCray, a consultant for Strategic Security, gambling establishments definitely could use improvement in all areas of security, not just database security. Based on his experience doing work for four major Las Vegas casinos, hed rate most casinos security practices as a six out of 10.
I dont think theyre very good at it yet, he says. Theyre just not used to dealing with it. Everything that they need to do is just industry standard security practices that anyone that does a lot of e-commerce has had to learn.
However, he doesnt think the casinos will be adhering to these standards just yet and wonders how much impact the Gaming Control Boards warnings will really have. I dont think theyre going to take it seriously, he says. I think theyre going to have to learn the same way most people in the industry learn: through pain. Something bad, and something really public, has to happen.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Vegas Casinos Face New Threat: Database Hackers