Put it all on hack. It’s not like Ocean’s 11, 12 or 13 at all
They say that the house always wins. But have hackers turned the tables on the dealers?
CBC reports that “Private SIN and debt info, credit card data of customers, staff, suppliers [were] accessed” in what is the second major breach of a Canadian casino’s internal databases this year.
In reaction to the breach, a class action lawsuit is set to be filed on Monday for $50 million against Casino Rama Resort, which only discovered the hack on November 4. According to a statement on the casino’s website, some of the data has now been publicly posted online. It may go back as far as 2004, and the hackers may have had access to the system as recently as this March.
The other breach earlier this year, at the River Cree Resort and Casino, saw an as-yet undisclosed quantity of patron and staff data compromised by hackers. It is unclear if Rama can claim sovereign immunity, since it is owned by the Chippewa First Nation rather than a regular corporate entity, but even if it does, it can still expect to incur costs and legal action.
Some malware uses casino advertisements as its entry vector, perhaps hoping to compromise people likely to visit casinos. Not every such person is a deep-pocketed high roller, but there are enough people with disposable income going about an evening on site to make it worthwhile. Casinos also employ a lot of people, and they handle specific kinds of financial transactions that give easy access to credit card data.
Other breaches in recent years have caused headaches in the casino industry. In 2014, Iranian hackers, perhaps seeking to score political points because of the company’s connection to the highly critical Sheldon Adelson, wiped the hard drives of the Sands casino and resort complex, affecting over 25,000 employees and wiping out member rewards records. The hackers used brute force attacks to guess passwords at one of the company’s smaller US casinos, and from there collected login credentials to go big in the next phase.
As Sands noted in its report to investors that year, not only do such attacks cost the casino a lot of money to fix, $40 million according to Bloomberg, but they also undermine customer confidence.
Absent the internet, it is also possible to physically compromise the gaming machines by modifying their firmware, though this is much harder to do and not as attractive as other options, even hacking security cameras remotely to see other players’ hands in order to cheat and win.
In late 2015, Affinity Gaming was hacked, compromising 300,000 customers’ credit cards. And this summer, the Las Vegas Hard Rock Hotel and Casino was affected by credit card scanning malware. Although casinos take cyber security more seriously now in light of these incidents and the resulting lawsuits, they remain attractive targets. FireEye noted in a 2015 investigation of 150,000 hacked credit cards that a lot of past attacks could have been stopped or at least caught sooner with basic precautions that were lacking.
Even online gambling hasn’t been immune.
Digital casinos have been targeted by hackers before, but in different ways from brick-and-mortar ones. Denial of service attacks are used to block access to try and force ransoms out of the site owners. Another common tactic is breaking into the servers and programming cheats into the games to award extra chips or create ghost players. Neither of these tactics has been especially effective, though.
One of the most common illicit uses of these venues is reportedly “to transfer money from one type of online payment system to another” by gambling small amounts of money and cashing out, and by setting up accounts where stolen credit cards deliberately lose against real ones to ensure a payoff.