Las Vegas: An IS Viewpoint on New Slot Machines
A recent trip to Las Vegas prompted an “aha moment”. After I got over the initial shock of how much things have changed since the days when I used to travel to Vegas often (I was one of those thousands who used to regularly attend the COMDEX show), I ventured back onto the gaming floor. Aside from finding a lot more poker tables than I remember from eight years ago, the thing that struck me was that the slot machines had changed. Where once the gaming floors were full of the “jing, jing, jing” of coins hitting the metal trays of the slot machines, there are now magnetic card readers, bar code scanners and separate machines that convert bills into “credits” and back again. Money gets converted to digital bits, printed on bar-coded cards that players plug into slot machines, and “all payouts are by cash out slips only”. The Gaming Industry has gone high tech and, like all companies that have valuable data resources, they need to protect them. Imagine for a moment being able to “sniff” the traffic on the wire between the gaming floor and the casino's data center! As a matter of fact, I was so interested in the new style of slot machine that I devoted the better part of an afternoon to researching “Server Based Gaming”.
It turns out that Server Based Gaming (SBG) is the latest trend in slot machines and is not as new as I thought, having been around since 2006. If your mind is like mine, you are already thinking about the security implications of turning stand-alone, fully autonomous slot machines into computer terminals. Of course the stand-alone slots were not without problems, but digitizing financial data and sending it zipping across a network has a unique set of problems that any financial institution will attest to. Storing data on a centralized server is Security Best Practice 101 and few could argue against the wisdom of it. However, the issue becomes more complicated when we consider that a casino has hundreds, perhaps even a thousand, slot machines scattered across hundreds of thousands of square feet of floor space. Initial security concerns regard the data transmission: what type of cable is used (fiber is the most secure but also the most expensive and requires special networking equipment); are the machines themselves even wired to accept fiber, or are the connections Cat 5; is each machine “home run”, or are they consolidated at a switch located in one of those locked cabinets under the slot machines; if Cat 5 cable is used, what preventive measures are in place to stop someone from “sniffing” the electronic data leakage from the wire; and, since players are issued a “cash out card” with a bar code on it, what encryption algorithms are used to prevent gamers from altering the data to increase their “payout”? The Gaming Industry has a long history of attracting very clever criminals (remember the students from MIT who won $10M?). I wonder how long before a similar group of intellectually gifted and financially motivated individuals focuses on SBG.
In fact, a recent study sponsored by the National Indian Gaming Commission (NIGC) has identified numerous areas of concern for SBG.
The NIGC findings sound hauntingly familiar to all those security professionals charged with protecting enterprise data resources. Concerns about unauthorized access, intrusion detection, incident response, lack of security policies and a disaster recovery plan are common in all Information Security environments. What proactive measures are being taken to protect the network? Are internally sponsored Penetration Tests performed? The challenge of protecting hundreds or thousands of computer assets, ensuring the Availability of the asset and protecting the Integrity of the data from those assets is likewise an everyday worry for CISOs. What makes the Gaming Industry different is that if any one of these assets is compromised, the financial loss could be in the millions of dollars, and the likelihood is that an attack will not target only one machine. And unlike any casino scam of the past, with data now being stored electronically, the attacker(s) does not have to be physically present. Casinos are now subject to the same risks as financial institutions.
Allow yourself to imagine an “Oceans 13 1/2” scenario. The progressive slot machine jackpot is at $14M. A disgruntled technician at the slot machine manufacturer maintains a “backdoor” to the SBG slots to save the drive time and the long walk through the casino to a specific machine. An accomplice is in place spinning the wheels and losing dollar after dollar at the progressive slot. At a specified moment, the technician pushes an unauthorized “software update” to the slot which alters the cash out ticket software. The accomplice now cashes out and receives an altered ticket which shows $10,000 not $10. The technician then replaces the original software and the scam moves to another slot, another casino, another city. With only about six slot machine manufacturers in the US, the possibility of “disgruntled employee” abuse is very high. While this scenario may seem farfetched, the idea of six college students beating Las Vegas casinos for $10M over a 10 year period also seemed too incredible to believe. Until it happened.
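The question raised earlier about protecting the bar-coded cash out data, and the altered-ticket scenario above, both come down to whether the cashier trusts what is printed on the ticket. The sketch below is an added example, not code from any casino system or vendor: it assumes a hypothetical central `TicketServer` that holds the credit balance itself, issues tickets with an HMAC over their fields, and redeems only against its own ledger (all class, field and machine names are constructed for illustration).

```python
import hashlib
import hmac
import secrets


class TicketServer:
    """Hypothetical central cash-out service (assumed design, not a vendor protocol)."""

    def __init__(self, key: bytes):
        self._key = key
        self._credits = {}   # machine_id -> cents held server-side
        self._ledger = {}    # ticket_id -> issued record

    def add_credits(self, machine_id: str, cents: int) -> None:
        self._credits[machine_id] = self._credits.get(machine_id, 0) + cents

    def _mac(self, ticket_id: str, machine_id: str, cents: int) -> str:
        msg = f"{ticket_id}|{machine_id}|{cents}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def cash_out(self, machine_id: str) -> dict:
        # The amount comes from the server's own balance, never from the terminal.
        cents = self._credits.pop(machine_id, 0)
        ticket_id = secrets.token_hex(8)
        self._ledger[ticket_id] = {"machine": machine_id, "cents": cents, "redeemed": False}
        return {"id": ticket_id, "machine": machine_id, "cents": cents,
                "mac": self._mac(ticket_id, machine_id, cents)}

    def redeem(self, ticket: dict) -> tuple:
        expected = self._mac(ticket["id"], ticket["machine"], ticket["cents"])
        if not hmac.compare_digest(expected, str(ticket.get("mac", ""))):
            return (False, "bad-mac")            # barcode fields were altered
        record = self._ledger.get(ticket["id"])
        if record is None:
            return (False, "unknown-ticket")
        if (record["machine"], record["cents"]) != (ticket["machine"], ticket["cents"]):
            return (False, "ledger-mismatch")    # valid MAC but not what was issued
        if record["redeemed"]:
            return (False, "already-redeemed")   # copied or replayed ticket
        record["redeemed"] = True
        return (True, "paid")


if __name__ == "__main__":
    server = TicketServer(b"constructed-demo-key")
    server.add_credits("slot-17", 1000)                  # constructed: $10.00
    ticket = server.cash_out("slot-17")
    altered = dict(ticket, cents=1_000_000)              # ticket altered to $10,000
    print(server.redeem(altered), server.redeem(ticket), server.redeem(ticket))
```

The ledger check is what covers the insider case: even a ticket re-signed with the correct key is refused when its amount differs from what the server recorded at cash out.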
But more likely and much less “Hollywood-esque” would be the same kind of security breach that occurs at alarming levels in general industry. A group of hackers finds an interesting IP address and starts exploring. Perhaps the IP address belongs to the slot machine manufacturer, which allows them entry to the manufacturer's LAN. Or perhaps the IP address belongs to a slot machine itself. Or imagine if the IP belonged to the server which houses the data for all the SBG machines in the casino. Mother lode! In addition to a treasure trove of data contained within the gaming network segment, could the attackers connect to the hotel and food service segments of the casino's infrastructure? If so, they would have access to reams of PII data such as credit card data. As every fan of gaming knows, “whales” are the life blood of casinos and these multi-billionaires have credit cards with astronomically high spending limits (an American Express black card is truly wondrous to see). A data compromise of this scale would be a catastrophe for a gaming facility.
Protecting such a unique infrastructure presents a daunting task. Corporate resources need to be allocated, policies need to be written and implemented in an area that previously did not require them, and employees need to be educated about the new threats. Perhaps most important is to maintain background checks on employees (both in the casino itself as well as for third parties) who have access to the servers and the SBG machines. And these risks are in addition to the “regular, everyday” risks of running a data center where millions of dollars routinely fly across network cables. The Information Security Specialists for Las Vegas casinos certainly have their hands full.