[BreachExchange] Hacks Pose Huge Threat to Casinos

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jul 20 19:38:34 EDT 2016


http://vegasseven.com/2016/07/19/hacks-pose-huge-threat-casinos/

A recent Wendy’s hack exposed the credit card information of many of its
customers. Coming on the heels of attacks on data ranging from infidelity
dating site Ashley Madison to drug chain CVS to the U.S. government’s
Office of Personnel Management, the Wendy’s breach is a reminder that our
sensitive data isn’t as secure as we’d like it to be. Casino operators face
challenges in keeping customer data safe, but they have a range of tools to
help them.

In the Wendy’s hack, like many other breaches that make the news, payment
data including cardholder name, card number and expiration date—the things
you need to make a purchase—were stolen from more than a thousand stores
(including three in Northern Nevada but none in Las Vegas).

The prospect of similar breaches of casino data—which can include not only
credit card details, but also sensitive personal and financial
information—has long been a concern in Nevada. More than five years ago
(“Serious About Cyber Security,” January 13, 2011), the Nevada Gaming
Control Board circulated a letter intended “as a reminder for all affected
licensees to conduct periodic reviews of security measures in place” and
ensure compliance with the state’s breach disclosure provisions. Further,
it indicated that failure to comply with all federal, state and local laws
mandating strong cyber security may be determined, in the Commission’s
judgment, “an unsuitable method of operation,” an extremely unpleasant
prospect for a licensee.

The most serious attack to date on a casino operator was the February 2014
hack of Las Vegas Sands Corp., owner of the Venetian and the Palazzo. After
a concerted effort, saboteurs unleashed a malware bomb that swept through
the company’s IT system. The assault, allegedly perpetrated by Iranian
“hacktivists,” resulted in a massive crash in the company’s computers in
Las Vegas and Bethlehem, Pennsylvania (where it owns the Sands Bethlehem).

Thousands of files were compromised in the attack, including customer and
employee data. Then-CEO Michael Leven estimated the damage at more than $40
million. The breach has not resulted in any regulatory action or claims
against Sands, but it highlights just how important cyber security is, and
how costly breaches can be.

Disturbingly, the Sands attack is only the tip of the iceberg for the
disaster potential of future attacks. The same innovation that demands
casinos offer customers new ways to play and connect makes them extremely
vulnerable.

“If you have an online gaming site,” says Curtis Levinson, director of
cyber security consulting for White Sand Gaming, “you are advertising,
‘Hack me.’ If you are a casino providing guest Wi-Fi, you are advertising,
‘Hack me.’”

“It really is everything,” White Sand CEO Sal Scheri says. “You have guests
using Wi-Fi and employees, too. Once you gain access, you can get into
everything, including internal systems and customer information.”

Free Wi-Fi—a welcome perk for most of us—is dangerous because cyber
criminals can use it to capture data transmitted, which can include phone
numbers, log-in data and passwords. In his executive protection practice,
Levinson recommends that traveling business leaders never, under any
circumstances, use a public Wi-Fi network, but instead use their phones to
set up their own hot spots. He advises all travelers do the same.

The ease and ubiquity of Wi-Fi hot spots, though, create more
vulnerabilities for casinos. Levinson describes a scenario in which cyber
criminals can hook a commercially available hot spot up to battery packs,
surreptitiously install it on a casino floor and set it to vacuum up
cellular and Wi-Fi data. “That includes,” he says, “cell numbers,
conversations, any data sent and passwords.” Criminals can also use these
hot spots to hack casino systems.

This kind of malfeasance can be combatted; Levinson recommends that casinos
do regular wireless site surveys, which reveal everything. “You can sit in
the surveillance room and watch the hot spots bloom all over the casino,”
he says.

The key to preventing attacks is good procedure; businesses can mitigate
the harm of ransomware attacks (in which hackers compromise systems and
demand payment to restore access) by developing good business continuity
and disaster recovery protocols. If backup and recovery procedures are good
enough, casinos need never pay a ransom; they simply wipe their systems and
restore them.

With the costs of compromised data and lost operations so high, Levinson
advises casinos—and customers—to make cyber security a priority before the
next big hack. With escalating stakes and rapidly advancing technology, it
is certain that cyberspace will continue to be a battleground.