Comments (13) | Add a comment
Casinos cautioned to restrict access to player card information
Tools
LAS VEGAS REVIEW-JOURNAL
Casino companies may not be the only ones keeping track of how many points you have on your player card.
The cards represent a growing number of fraud cases in Las Vegas, as hackers target the popular programs and casinos' customer databases in an effort to gain access to customers' personal information or steal points, gaming regulators and security analysts said.
"We are investigating several cases at the moment," said Jerry Markling, chief of the enforcement division of the Nevada Gaming Control Board in Carson City. "We've been seeing a lot of cases involving players club programs and the stealing of points."
Markling declined to comment on specific cases or give further details.
The problem has become serious enough that regulators sent a letter in December reminding casino companies of their obligations to protect customer information and periodically review their database security.
"Nevada has some very strict laws in place regarding customer confidentiality," said Rob Meyne, vice president of corporate communications with Boyd Gaming Corp. "In addition, the Nevada Gaming Control Board has recently reminded licensees that they are responsible for maintaining security of customer databases."
Meyne stressed that his company takes the issue of customer privacy "very seriously" and provides safeguards for its customers.
Other casino companies declined to comment on the issue.
The security threat doesn't just involve player cards, either.
State gaming officials and security analysts said casinos' smart phone applications -- which require users to provide personal information that is stored in casino databases-- are also a concern. Hackers are attempting to hack into these databases to gain access to credit card or debit card information, or banking and other financial information.
All of this information is potentially at risk, according to security analysts.
"The bad guys like casinos because they have a lot of personal information," said Jon Oltsik, principal analyst with the Enterprise Strategy Group in Milford, Mass. "The days of viruses and worms have been replaced with targeted attacks."
Oltsik said targeted attacks against casino databases primarily come from Eastern Europe.
"They are very skilled and know what they are doing," he said. "They are very good at poking around a network and finding its weak points."
Customer information is vulnerable to theft in other ways, too.
A casino company can easily steal a guest's information off a laptop or personal computer or an employee can be bribed to download sensitive information from the casino's database.
The letter to casino companies about the security threats came from former Control Board member Randall E. Sayre and said there had been "numerous incidents" where databases "have been compromised and the potential for identity information theft existed."
"As technology advances and more and more information is stored in these databases, they will almost certainly become a more inviting target for cyber-criminals," the letter noted.
He also warned about the ease with which this information can be stolen.
"Any area of crime involving the Internet is growing," said Dr. B. Grant Stitt, professor and chair of the Department of Criminal Justice at University of Nevada, Reno.
Sayre's letter did not say which incidents the Control Board had investigated, but two recent incidents that became public involved the theft of personal information in Las Vegas.
In July, a hacker acquired information about attendees at Cisco Live 2010, a computer industry event at Mandalay Bay. The information stolen, however, was not attached to Mandalay Bay's database.
The Desert Rose Resort also reported that an "unspecified number" of guests at the hotel between June and October had their debit and credit card information stolen by a malicious software infection.
Messages left with Shell Vacations Hospitality in Chicago, parent company of Desert Rose Resort, were not returned. In a statement, Shell Vacations President Susan Kelley said investigators found the breach occurred within a specific management software program.
The hotel chain, which doesn't operate a casino at its Las Vegas property, was forced to process credit cards through a separate system, while debit cards were no longer accepted for a time
These two attacks illustrate how cyber-criminals are becoming more targeted in the information they attempt to steal.
Martin Drew, president of iView Systems in Oakville, Ontario, said there is always a threat to databases that store personal and financial information.
"Based on our experience, casinos are very professional about the collection and storage of personal information," said Drew, whose company designs security and surveillance software.
He said while information security is complex, casinos never rely on one layer of protection. They always deploy multiple layers of protection and generally use encrypted information.
"There are no easy fixes," Oltsik said. "Security is the cost of doing business. Take the threats seriously. Remember, I don't have to be in Nevada to get this information."
Contact reporter Chris Sieroty at csieroty@reviewjournal.com or 702-477-3893.
Comments
Terms & Conditions
The following comments are provided by readers and are the sole responsiblity of the authors. The Review-Journal does not review comments before publication nor guarantee their accuracy. By publishing a comment here you agree to abide by the comment policy. If you see a comment that violates the policy, please use the Report Abuse button.
Some comments may not display immediately due to an automatic filter. These comments will be reviewed within 24 hours. Please do not submit a comment more than once.
Sign In to Comment
Please sign in or register to comment. For more information visit the Registration FAQ.
Note: Comments made by reporters and editors of the Las Vegas Review-Journal are presented with a yellow background.
RSS
Twitter
Facebook
Chris,
I have been doing theft prevention and detection for casinos for a number of years. I have also been interviewed by your paper related to tickets scams in the past. This article contains information I have been speaking about for more than a year. The most common scams happening in the casino industry in the past year has been players club employees downloading names, and issuing promotional points above what is authorized. I have not been to a casino in the past year and a half that has not caught an employee doing this. Also, transferring of points from customers about to be deleted for inactive play is another very common problem. They transfer the points to friends or family. This is very common when the casino offers cash back. When you run the numbers of what casinos are losing to promotional point abuse it can be staggering.
.....Really ? nnnnnnnn
Mr Markling has seen " stealing of points " , has he ? Hmmmm. Closer he should look ,yes ?
......Why? hmmmm
How hackers spend points , they do ? NGCB lie , it must ? nnnnnn
I was wondering how long it would take before some dolt tried to turn this into a policial argument. Very first comment....not surprised.
Corruption within NGCB destroy Vegas , it will ? hehehehe
I HAVE TO HAVE MY PLAYERS CARD TO GET MY BUFFET DISCOUNT!!!! Heres an idea, GAMBLE LESS and PAY for your meal!!!
I will never be able to understand how so many people are scared to death and outraged by the idea of government surveillance, but don't give this kind of thing a second thought. If the government spies on you, it's "Big Brother." If a private company spies on you, it's "customer service."
I never bought into that something for nothing players and grocery store card thinge. If they can not treat all customers the same I will go elsewhere.
They want to charge me more because I won't give them my personal information? Up theirs.
Everyone wants to be in their little eighth grade clubs?
Yes Sir Sonny this little plastic card includes a free ride to town on the turnip truck.