Insight: Why casinos must heed data breach lessons


Monday, July 13, 2015 Totally Gaming
Craig Jacobs on how casinos need to evaluate their VPN options

Data breaches appear to have increased in frequency in the betting and gaming sector over the past 18 months. Columnist Craig Jacobs explains why casinos must heed the lessons of such incidents to avoid becoming the next victim.


By Craig Jacobs

Everyone dreads it. The automated message from your credit card issuer that notifies you of “suspected fraudulent activity on your account.”

A few weeks ago I received the all too familiar recording on one of my personal accounts. My issuer knows my habits, and its big data solutions knew that, after filling my gas tank earlier in the day, I should be hard at work, not making two large purchases at a cosmetics store. After verifying the charges were fraudulent and canceling the existing card, I also noticed something that has become a familiar sight to hoteliers: an authorization for a hotel room in Kansas that I had never heard of before.

Hotels and casinos should take note of a technique being used by fraudsters to validate that the credit cards they have stolen are valid and working. Many hotel booking engines still do not require a CVV code (the 3 or 4 digit number on the back of the card), and this can allow “carders” (fraudsters who create fake credit cards) to authorize a credit card by making a phantom booking on a hotel website. It is important to identify this for two reasons:

1) These “guests” will never show up and it could result in lost revenue

2) Identifying a pattern may help slow or stop fraud
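One way to surface the pattern the column describes: a single source that authorizes many distinct cards in a short window, each without a CVV, is the signature of card testing rather than of real guests. This is an added illustration, not code from the column or from any casino; the records, IP addresses and card tokens are constructed sample data, and the window and threshold are assumptions to be tuned against real booking volumes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization records from a hotel booking engine:
# (timestamp, source IP, tokenized card, CVV supplied?, amount in USD)
SAMPLE_AUTHS = [
    ("2015-07-01T02:00:00", "203.0.113.7", "tok-1001", False, 1.00),
    ("2015-07-01T02:01:10", "203.0.113.7", "tok-1002", False, 1.00),
    ("2015-07-01T02:02:05", "203.0.113.7", "tok-1003", False, 1.00),
    ("2015-07-01T02:03:30", "203.0.113.7", "tok-1004", False, 1.00),
    ("2015-07-01T02:04:45", "203.0.113.7", "tok-1005", False, 1.00),
    ("2015-07-01T02:05:50", "203.0.113.7", "tok-1006", False, 1.00),
    ("2015-07-01T09:15:00", "198.51.100.20", "tok-2001", True, 189.00),
    ("2015-07-01T09:40:00", "198.51.100.20", "tok-2001", True, 189.00),
    ("2015-07-01T14:00:00", "192.0.2.55", "tok-3001", True, 259.00),
]


def parse(record):
    """Turn one raw tuple into (datetime, ip, token, cvv_supplied, amount)."""
    ts, ip, token, cvv, amount = record
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), ip, token, cvv, amount


def flag_card_testing(records, window=timedelta(minutes=30), min_cards=5):
    """Return {source_ip: distinct_cards} for every source that authorized at
    least `min_cards` different cards without a CVV inside any `window`.

    Guests booking a real stay typically retry the same card; carders cycle
    through many cards and rarely supply a CVV, so no-CVV events are the
    only ones counted here (an assumed heuristic, not a vendor rule)."""
    events = defaultdict(list)
    for ts, ip, token, cvv, _amount in map(parse, records):
        if not cvv:
            events[ip].append((ts, token))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {tok for _, tok in evs[start:end + 1]}
            if len(distinct) >= min_cards:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for ip, count in flag_card_testing(SAMPLE_AUTHS).items():
        print(f"review {ip}: {count} distinct cards authorized without CVV")
```

Flagged sources can be held for manual review before the authorizations settle, and the no-shows the column mentions become measurable rather than anecdotal.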

Data breaches are nothing new to our industry, but the frequency of incidents seems to have increased in the last 18 months. Affinity Gaming, Las Vegas Sands, Firekeepers and Hard Rock Hotel & Casino – Las Vegas have all experienced data breaches since 2014.

The most recent cases, reported by Hard Rock Hotel & Casino – Las Vegas and Firekeepers, were eerily similar. Both identified a breach of PAN and CVV data that had been stolen by hackers via malware inserted into their point-of-sale payment card processing systems. Their hotel, casino and third-party lessees were not impacted, so it seems safe to assume that whatever malware was inserted was specifically designed to grab payment information in transit to the payment processor. In addition, because PIN data wasn’t compromised, it is unlikely that the physical card swipes were infected with malware, as had occurred in the Target and Home Depot breaches.

Casinos should take heed of these recent examples if they would like to avoid becoming the next publicly outed victim. What many in the casino industry must understand is that 99% of companies are told by an external company that their systems have been compromised, and IBM’s recent Global Analysis calculated the average cost of a data breach to be $3.8 million (2014).

How It Happens

Two of the most common ways these attackers are making their way into systems seem to be VPN (virtual private network) access and vulnerable website servers. Attackers are able to compromise weak VPN practices that do not enforce two-factor authentication. Unpatched website servers also create small, externally facing holes that give the attackers a way to get into casino systems and insert malware.

Casinos should evaluate their VPN solutions by checking the following:

1) Enforce two-factor authentication (text message or phone call)

2) Review users with VPN access regularly and determine if it is necessary

3) Enforce complex passwords for all VPN users, no exceptions
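The first two checklist items lend themselves to a recurring automated review of whoever holds VPN access. Below is an added example, not code from the column or from any VPN vendor: it reads a constructed account export (the column names and the 90-day staleness threshold are assumptions) and reports accounts that lack two-factor enrollment or have not connected recently, which are the ones to challenge or remove.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export of VPN accounts (not a real vendor format):
# username, mfa_enrolled, last_login (YYYY-MM-DD), department
VPN_USERS_CSV = """username,mfa_enrolled,last_login,department
jsmith,yes,2015-07-10,IT
contractor01,no,2015-03-02,Vendor
mlee,yes,2015-01-15,Finance
svc-backup,no,2015-07-12,IT
"""

# Review date for the sample run (assumed; in practice use the current date).
AS_OF = datetime(2015, 7, 13)


def review_vpn_users(csv_text, as_of, stale_days=90):
    """Return [(username, [reasons])] for accounts that fail either check:
    two-factor not enrolled, or no login within `stale_days` of `as_of`."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if row["mfa_enrolled"].strip().lower() != "yes":
            reasons.append("no MFA")
        last_login = datetime.strptime(row["last_login"].strip(), "%Y-%m-%d")
        if as_of - last_login > timedelta(days=stale_days):
            reasons.append(f"no login in {stale_days} days")
        if reasons:
            findings.append((row["username"], reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in review_vpn_users(VPN_USERS_CSV, AS_OF):
        print(f"{user}: {', '.join(reasons)}")
```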

Casinos should evaluate their website solution by checking the following:

1) Ensure Operating System and Content Management Systems are patched regularly

2) Patch Firewalls that protect the casino systems from the website servers regularly

3) Evaluate whether external hosting of websites is a better solution

The threat of payment card theft is on the rise, and the casino industry has many business channels that are ripe for attack. Some extra diligence can go a long way toward preventing the dreaded, but all too familiar, phone call from being made to our guests.


Craig Jacobs is the Director of Incident Response and Problem Management for MGM Resorts International where he drives priority incident escalation, communication restoration, analysis and review. He is also author of Breaching America, which explores what it takes to better protect America's organisations from security breaches.

The views expressed on this site are Mr. Jacobs' and do not necessarily reflect the views of MGM Resorts.
