Cyber Security Casino

Casinos Can’t Gamble with their Cyber Security

There are almost 1,000 casinos in the United States, and over 200 in Canada with a combined annual revenue nearing 75 billion dollars, with hundreds of transactions happening per second. The casino knows just how profitable one minute of attention can be from one of its guests. Therefore a casino knows just how much one minute of downtime can cost. Now how about several days? 

Examples of Real Casino Attacks: 

This was the case for several casinos in western Oklahoma in June 2021 when they were a target of a ransomware attack. Nearly a year prior, the Cache Creek Casino in Northern California was forced shut down for three weeks due to the effects of a cyber attack. 

A Las Vegas Casino was infected with malware through the Point-Of-Sale (POS) terminal in the nightclub attached to the casino. The POS server allowed online access for remote desktop support with password and username set to the name of the POS vendor. The casino and nightclub had a very flat network with minimal security controls. This allowed the hacker to easily come in through the POS remote desktop, elevate privileges, and access critical information. Many casinos have hotels, restaurants, and clubs attached. It is critical to separate all aspects where possible. A name brand hotel in New York had a similar example where the attached restaurant had a POS system which was connected to the Hotel’s corporate network, which connected to hundreds of locations across the country. In addition to this oversight, the Hotel Wi-Fi was on the same network as the POS system, and the servers had not been updated or patched in some time. This led to hackers being able to connect to 35 hotel locations and steal a large amount of data, including credit card information of the guests. Interestingly enough, in this attack, the hackers actually needed to install updates to the system and apply patches just so that their malware could run. One step forward …. Many steps backwards. 

In this last example, video poker machines were the target of credentialed malware. The machines themselves were locked down quite well, and therefore the hackers were required to employ more creative methods. A common tactic in this case is to focus on machines that are not inside the casino, but rather in more public areas such as a hotel lobby, restaurants, convenient store or airport. The attacker can disguise themself as a repair person to gain access to the inner workings. Once inside, most machines are operated via low-end computers having standard default passwords. A hacker can easily infect these computers via a small USB key. Once infected, the attacker can program in a series of inputs from the machine (hold, bet, fold, etc.) that will change the outcome of the game. Additionally, there have been examples of machines that have been infected at the factory floor during the production of the machine by compromised employees of the manufacturer. The machines will operate normally, however if you know the series of inputs, you can make it look like you have incredible luck. 

 

Challenges for Casinos: 

A casino offers a financially motivated attacker an incentive to be persistent and to find creative ways to get a foothold. A casino has several other challenges to other companies in the hospitality sector. For example, a casino operates hundreds, or maybe even thoughts of different machines (slot machines, virtual games, virtual betting) or kiosks. Each of these kiosks are connected to a network, which may host a whole range of other IoT devices through the casino such as air sensors, thermostats, lighting controls and others. There was a famous case where hackers exploited a Fish Tank with IoT sensors to gain access to the Casino network. 

And yes, every casino movie shows us the vast security measures, and NASA-like monitoring stations where they can watch every guest from 10 different angles. This is all typically true, however, it can be very difficult to watch every camera in real time. In fact, most of the time the staff is watching those cameras to ensure guests are not cheating or manipulating the games in some fashion. Therefore it can be difficult to monitor suspicious behavior as it might relate to cybersecurity.

Casinos also tend to be very large operations which employ hundreds or thousands of employees and contractors. With many people involved, most with some sort of digital access, Social Engineering starts to become a critical concern. Social Engineering is where an attacker manipulates your people into gaining access. Your employees might participate in their attack unknowingly, or, in some cases, a disgruntled employee will play an active role. Phishing attacks are the most common way for hackers to have your employees participate unknowingly. Whether it is through email, phone, or text message, a Casino has many weak points if their staff is not trained properly. 

Summary

Unique Challenges for Casinos

  • Many end points (Kiosks, digital games)
  • Updating and patching software across the entire network
  • Updating hardware becomes expensive
  • Plenty of distractions (noise, lights, activity)
  • Many employees/staff for Social Engineering Attacks
  • Building Automation and IoT Devices (thermostats, lighting, HVAC, etc.)

Suggestions for Casinos

  • Lockdown kiosks to prevent any sort of tampering
  • Strict policy for updating and patching. Overall hardening of all games and machines.
  • Strict policy for Independent Contractors.
  • Strict policy for Repair people or construction/renovation contractors. 
  • Conduct regular Penetration Testing and Red Team Exercises
  • Regular and exhaustive employee training on Social Engineering, Unknown Device Policies, Password Policies.
  • Isolate hotel & restaurants networks from casino networks
  • Regular tabletop exercises.

 

If you work for a Casino, we would be happy to meet with you and discuss a custom-tailored approach for your company. Reach out here: https://nivee.ca/free-quote/