Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:32 PM

Vegas Casinos Face New Threat: Database Hackers

Crooks going after casinos' valuable player rewards databases, experts worry casinos ill-equipped to secure them

In a region known for its physical security legacy, Las Vegas casinos could very well be at the mercy of unrelenting database thieves if they're not careful: Hackers are now targeting their systems that control player rewards points.

A recent advisory letter from the Nevada Gaming Control Board sent to gambling establishments in Sin City and across the state warned casinos of the threat. "The Board has recently investigated numerous incidents where such databases have been compromised and the potential for identity information theft existed," Randall Sayre, a board member, wrote to Nevada casinos last month. "Additionally as technology advances and more and more information is stored in these databases they will almost certainly become an even more inviting target for cyber-criminals who the Board and allied law enforcement have found are becoming increasingly aware of the value of said information and the relative ease with which it can be stolen."

Security experts were not surprised that hackers would target casino systems, which are rich with information and money-making possibilities. "It always interests me when someone finds a new and novel way to get money out of information," says Mike Murray, managing partner at MAD Security, who is based in Las Vegas. "It's brilliant if you think about it. The casinos around here have so much traffic and so much stuff going on with so many moving parts that it's really difficult for them to catch it."

The board has been mum about the kinds of criminal activity plaguing these databases. But experts such as Murray speculate that cybercrooks might not only be after patron information, but also the points rewards themselves. Underground criminals have a knack for making money off of anything with some kind of tangible value. For example, Murray cites some criminals' penchant for hacking World of Warcraft accounts to steal the virtual money contained within them and sell them on online marketplaces.

Meanwhile, Steve Santorelli with Team Cymru, a security consultancy, notes that one recently nabbed criminal in the U.K. was taking advantage of a database he had access to containing supermarket rewards points that abused to steal millions of dollars. "It doesn't really matter what type of widgets are being abused," Santorelli says. "The bottom line is the underground economy is all about stealing money. Criminals look at any system and see if they can break it -- whether it's casino points, Coke rewards, or rewards for grocery store shopping. You can go into any of the underground forums now, and you can buy and sell not just credit cards, but also any kind of widget that has some kind of tangible value."

MAD Security's Murray wonders if the letter from the Gaming Control Board is the first sign that the casino computer security regime is in need of a reboot. He says that in spite of a storied history of strong physical security, casinos are struggling to deal with a new world where their endless banks of slot machines are really just a massive network of computers exposed to the public and linked into back-end databases, such as those holding rewards information.

"I mean, you sit down in front of it and put your rewards cards into the system. This thing is networked to whatever database the reward card is accessing," he says. "So there's a lot of opportunity now for criminals that didn't use to exist. There is a huge threat surface and not necessarily the expertise and the long history in computer security to deal with that issue."

Having spent a long time in Vegas, Murray notes that part of the casino world's problem is that the security niche within the gaming industry is very insular. "And one of the things I've noticed across the entire security industry is when you find pockets of insularity, they often haven't caught up with the rest of the industry," he says. "I mean, look at how long the process control industry has taken. That sort of an insular industry has a tendency to be behind. So this could be [the casinos'] wake-up call."

According to Joe McCray, a consultant for Strategic Security, gambling establishments definitely could use improvement in all areas of security, not just database security. Based on his experience doing work for four major Las Vegas casinos, he'd rate most casinos security practices as a six out of 10.

"I don't think they're very good at it yet," he says. "They're just not used to dealing with it. Everything that they need to do is just industry standard security practices that anyone that does a lot of e-commerce has had to learn."

However, he doesn't think the casinos will be adhering to these standards just yet and wonders how much impact the Gaming Control Board's warnings will really have. "I don't think they're going to take it seriously," he says. "I think they're going to have to learn the same way most people in the industry learn: through pain. Something bad, and something really public, has to happen. "

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I can't find the back door.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-25
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of Medi...
PUBLISHED: 2021-01-25
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the ...
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting