R. Paul Wilson On: Vegas Casino Hacking and Player Security

Author: R. Paul Wilson

I’m often amazed by the never-ending parade of dangers and deceptions that target gamblers, from brand-new tricks or traps to old, seemingly forgotten scams re-invented for modern victims. The internet has resurrected many old con games to take advantage of global communications, with new forms of connectivity opening the door to unexpected ways to steal, even from major casinos. On a recent trip to Las Vegas, I was reminded that anything is possible in the world of gaming.

I am talking about the recent security coup that has caused chaos in the world’s capital of gambling and how that now infamous “hack” might affect all of us in the future.

Let’s begin with how I became aware of this story: My journey began in Spain around three in the morning when I woke to pack, meet my driver and head to Bilbao airport. From there to London, where I needed to change airports and wait for a friend before our flight to Sin City. On arrival, we collected our bags, took a shuttle to pick up a hire car then drove to the place we were staying, one of Las Vegas’s best-known land-based casinos and hotels.

From Spain to Vegas, my trip had clocked in at twenty-six hours before arriving at registration to check in, grateful we still had time for dinner and a drink before heading straight to bed.

Except we didn’t.

The (mid-week) check-in line was surprisingly long, and from arrival to entering our room took FOUR HOURS! That’s right, four hours to get a room key, and as I soon learned, our hotel was not the only one with this problem. Other hotels had similar issues with guests locked out of rooms en-masse or credit cards unable to be verified, and even famous shows were unable to sell tickets because payment systems were down.

The Notorious Las Vegas Casino Cyberattack

Given my hectic schedule leading up to this trip, perhaps I could be forgiven for not knowing about all of this in advance: Days before our arrival, hackers attacked two of Vegas’s biggest casino groups, causing chaos in several major properties. The impact of these hacks was enormous, with hundreds of millions of dollars lost in the process and the smooth operation of typically excellent hotel services (like checking in) being badly affected, causing future losses when disgruntled customers choose to spend their money elsewhere on their next vacation.

“The hack”, as it was constantly called by people in the industry, also netted the hackers a huge payday, with one of the target corporations apparently paying a multi-million dollar ransom to restore services yet still suffering long-term issues afterward.

How could this happen? Was it a farm of foreign computer experts coordinating a cyber-attack on the city of Las Vegas? Were massive super-computers crunching billions of lines of code to break through firewalls or decrypt passwords? Was this a new form of technology like Professor Janus’s black box from the film Sneakers - a device that could render any cryptology useless or literally see into “the matrix”?

Or was it a ten-minute phone call where an unfortunate employee was talked into sharing a password?

The movie image of hackers is not entirely divorced from reality but there are many nuances that fail to reach the popular representation of digital deceivers.

Manipulating Minds in the Digital Age

A visit to any hacker conference will reveal a staggering diversity of characters of all ages, from quiet bespectacled geniuses to loud anarchists with purple mohawks and a loyalty card for Hot Topic, all sharing the same space with a wide range of ideas and ethical outlooks. Outside of these gatherings, an even wider spectrum of people use technology to corrupt all kinds of systems, and if there’s a shared outlook in this widely distributed “community,” it’s the fascination with what’s possible or the drive to solve puzzles many people don’t know exist.

Additionally, the need to manipulate media, devices or people towards a desired outcome is also a great motivator. The Hollywood image of hackers is based on a small subset of the hacking community and are often shown strong-arming their way past levels of online security with magical password decoding software and executing one of the greatest casino heists ever or bringing down alien motherships with bullshit viruses that somehow speak the same code (language) as an operating system from Alpha Centauri.

All of this is perfectly good fun until this image becomes dominant in the real world, and those seeking to protect their (or their company’s) interests fail to take the right precautions.

The truth is that while hacking the hard way is certainly possible and certainly happens, most successful breaches are achieved by much simpler means; why spend hours (or years) trying to crack a password when you can just call the right person and ask for it? It’s not always so blatant but it can be damned close.

Social engineering events like those at hacker conventions include challenges where competitors call real people in real businesses with a list of goals and during those phone calls I’ve seen talented individuals maneuver, dodge and re-direct conversations to gain router codes, passwords and even personal addresses just by being friendly, faking urgency or impersonating authority.

Social engineers are a modern spin-off of old-school con artists and have evolved a powerful toolkit to use conversation, timing or pre-determined situations to manipulate people towards a desired goal. They can use the anonymity of phone calls and text messages to pretend to be anyone and as AI evolves, a much more dangerous form of social engineering is becoming possible (we will discuss this another time).

As a player, you may be targeted directly (and in the future you will be) and probably already receive junk mail that may seem obvious today but will become more sophisticated and personalized in the future. That being said, following the malicious Las Vegas hack, you may now be a potential target yourself!

The Lingering Threat

If you were in Vegas during the aftermath, it might indeed have impacted you in one of several ways and there are long-term dangers for all players (now and in the past) in whatever information might have been stolen during the attack: I’m talking about player details.

Threatening to release private information relating to finances or customer data was part of the attack, but how much access they had is not yet certain. Files may be locked by a hacker using ransomware but still remain secure (depending on how they are managed internally), so whether or not someone has eloped with a backup of millions of lines of data is not necessarily a concern if those internal files are encrypted - and that’s where hackers might use other tools to break those internal passwords over time.

If information regarding players leaks onto the wilder fringes of the internet, financial information, playing history and personal details might all be used to target individuals. That doesn’t mean it will happen or that the businesses who were targeted have lost this kind of data, but be assured that if you have entrusted those details to any company for any reason and they are successfully hacked, your name could be on a list of potential marks in the future.

What can you do about it? Not much other than knowing the risks and being aware of the dangers.

Simply reading this article will open your mind to possible ways you might be exposed by a third-party target you’ve previously shared details with, such as unsecured live casinos, online stores or even government sites; it’s essential we understand none of us are as secure as we’d like to be.

Do I blame the casinos for being successfully hacked? Not really, no.

Training to protect companies against this kind of social engineering attack must be consistent and should be applied in a way that makes the process productive and protection persistent over time.

Large corporations do not turn on a dime but perhaps they will adjust their approach to data defense in light of recent events and if they do so, I hope they hire real experts in the field to guide their decisions moving forward.