A recent advisory letter from the Nevada Gaming Control Board sent to gambling establishments in Sin City and across the state warned casinos of the threat. "The Board has recently investigated numerous incidents where such databases have been compromised and the potential for identity information theft existed," Randall Sayre, a board member, wrote to Nevada casinos last month. "Additionally as technology advances and more and more information is stored in these databases they will almost certainly become an even more inviting target for cyber-criminals who the Board and allied law enforcement have found are becoming increasingly aware of the value of said information and the relative ease with which it can be stolen."
Security experts were not surprised that hackers would target casino systems, which are rich with information and money-making possibilities. "It always interests me when someone finds a new and novel way to get money out of information," says Mike Murray, managing partner at MAD Security, who is based in Las Vegas. "It's brilliant if you think about it. The casinos around here have so much traffic and so much stuff going on with so many moving parts that it's really difficult for them to catch it."
The board has been mum about the kinds of criminal activity plaguing these databases. But experts such as Murray speculate that cybercrooks might not only be after patron information, but also the points rewards themselves. Underground criminals have a knack for making money off of anything with some kind of tangible value. For example, Murray cites some criminals' penchant for hacking World of Warcraft accounts to steal the virtual money contained within them and sell them on online marketplaces.
Meanwhile, Steve Santorelli with Team Cymru, a security consultancy, notes that one recently nabbed criminal in the U.K. was taking advantage of a database he had access to containing supermarket rewards points that he abused to steal millions of dollars. "It doesn't really matter what type of widgets are being abused," Santorelli says. "The bottom line is the underground economy is all about stealing money. Criminals look at any system and see if they can break it -- whether it's casino points, Coke rewards, or rewards for grocery store shopping. You can go into any of the underground forums now, and you can buy and sell not just credit cards, but also any kind of widget that has some kind of tangible value."
MAD Security's Murray wonders if the letter from the Gaming Control Board is the first sign that the casino computer security regime is in need of a reboot. He says that in spite of a storied history of strong physical security, casinos are struggling to deal with a new world where their endless banks of slot machines are really just a massive network of computers exposed to the public and linked into back-end databases, such as those holding rewards information.
"I mean, you sit down in front of it and put your rewards cards into the system. This thing is networked to whatever database the reward card is accessing," he says. "So there's a lot of opportunity now for criminals that didn't use to exist. There is a huge threat surface and not necessarily the expertise and the long history in computer security to deal with that issue."
Having spent a long time in Vegas, Murray notes that part of the casino world's problem is that the security niche within the gaming industry is very insular. "And one of the things I've noticed across the entire security industry is when you find pockets of insularity, they often haven't caught up with the rest of the industry," he says. "I mean, look at how long the process control industry has taken. That sort of an insular industry has a tendency to be behind. So this could be [the casinos'] wake-up call."
According to Joe McCray, a consultant for Strategic Security, gambling establishments definitely could use improvement in all areas of security, not just database security. Based on his experience doing work for four major Las Vegas casinos, he'd rate most casinos' security practices as a six out of 10.
"I don't think they're very good at it yet," he says. "They're just not used to dealing with it. Everything that they need to do is just industry standard security practices that anyone that does a lot of e-commerce has had to learn."
However, he doesn't think the casinos will be adhering to these standards just yet and wonders how much impact the Gaming Control Board's warnings will really have. "I don't think they're going to take it seriously," he says. "I think they're going to have to learn the same way most people in the industry learn: through pain. Something bad, and something really public, has to happen."