If you believe so, you may wish to take a look at this incident, which resulted in one casino VIP customer losing the equivalent of $387,000 of the funds he had deposited at a casino on Avenida da Amizade in Macau earlier this year.
The high roller left his funds on account at the casino cash desk. Customers must provide personal information, such as a contact number, to the VIP room when they deposit money into their account. Should a customer entrust another person to withdraw the money, employees call the customer on the contact number held in the computer system to confirm that this person is entitled to make the withdrawal. The system appears to have flaws, such as its exposure to money laundering, but up until now the casino had been satisfied with it.
So, when two men walked into the casino and requested the funds, stating they had the permission of the owner, the VIP room naturally called the number listed in the customer’s records. The person on the other end of the phone confirmed they were acting on his behalf, and so the casino paid out the 3 million Hong Kong dollars to the two gentlemen.
When the real owner of the money dropped by the casino to use his funds to play, the casino insisted they had been given his authority to pay out the two visitors. That is, until they checked his contact number with him and realised the casino’s computer system had been penetrated and the contact details altered.
The police were called in and, luckily, the two culprits were apprehended when re-entering Macau from Hong Kong. They will face public prosecution for illegally entering a computer system and altering data, as well as for belonging to a criminal organisation.
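As an added illustration (not part of the original article), here is how a cash desk's withdrawal-by-proxy check could catch the tampering described above: rather than trusting whatever contact number is currently on file, it compares that number with the application's own change log and applies a cooling-off period to recent changes. The record and field names, the seven-day period and the sample customers are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical cash-desk model; field names and the 7-day cooling-off period are assumptions.
COOLING_OFF = timedelta(days=7)

@dataclass
class ContactChange:
    changed_at: datetime
    old_number: str
    new_number: str
    verified_in_person: bool  # cashier checked ID at the desk when the change was made

@dataclass
class CustomerRecord:
    customer_id: str
    contact_number: str  # the number the desk would call today
    contact_history: list = field(default_factory=list)  # application-side audit trail

def proxy_withdrawal_decision(record, now, amount_hkd, large_threshold=1_000_000):
    """Return ('approve', reason) or ('hold', reason) for a withdrawal by a third party.
    A hold goes to manual review and the customer is reached by a channel other than
    the number currently on file.
    """
    if not record.contact_history:
        return "approve", "contact number unchanged since the account was opened"
    last = max(record.contact_history, key=lambda c: c.changed_at)
    # The number on file must equal the last change the application itself recorded.
    # A mismatch means the field was edited outside the application (e.g. directly in
    # the database), which is precisely what a call-back to that number cannot reveal.
    if last.new_number != record.contact_number:
        return "hold", "contact number on file does not match the audit trail"
    age = now - last.changed_at
    if age < COOLING_OFF and not last.verified_in_person:
        return "hold", f"contact number changed {age.days} day(s) ago without in-person check"
    if age < COOLING_OFF and amount_hkd >= large_threshold:
        return "hold", "large third-party withdrawal shortly after a contact change"
    return "approve", "contact number stable and verified"

def demo():
    """Constructed sample records: stable, edited outside the app, and changed two days ago."""
    now = datetime(2024, 6, 1)
    history = [ContactChange(datetime(2024, 1, 10), "", "+853 6000 0000", True)]
    clean = CustomerRecord("vip-001", "+853 6000 0000", history)
    tampered = CustomerRecord("vip-002", "+853 6999 9999", history)
    recent = CustomerRecord("vip-003", "+853 6111 1111",
                            [ContactChange(datetime(2024, 5, 30), "+853 6000 0000", "+853 6111 1111", False)])
    decide = lambda r: proxy_withdrawal_decision(r, now, 3_000_000)[0]
    return {"clean": decide(clean), "tampered": decide(tampered), "recent": decide(recent)}
```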
We discussed this with our professional hacker (known as PH). PH gave us that smile that you give when you hear a joke and already know the punch line. What was new to us was daily bread and butter to him.
He enlightened us by detailing network vulnerabilities.
Every casino, whether online or bricks and mortar, uses computer networks, and hackers can easily gain access through various methods.
PH illustrated his unique and valuable skills by explaining how a very recent, high-profile client discreetly engaged his services to test their system security. He gained access quickly and easily through a test server that had been left unprotected. This gave PH access to the online casino’s internal network and eventually to its sensitive servers, where he obtained passwords to the gaming servers.
But what about internal networks, we asked? They aren’t exposed to the internet.
PH explained that internal networks are not secure either, due mainly to Trojans and other malicious software that get in via infected employee laptops. Attackers use malware to gain access, and once in, they find security extremely lax, as the company still believes its internal system is a secure environment.
From our own experience in major online companies, we knew this to be true. Many employees are granted extra privileges, such as taking a laptop home. Family members may use the laptop for their own purposes, may install and run programs that contain a back door, or may simply use programs such as Skype that cannot easily be monitored for security incidents.
We were all pretty sure we are vigilant about what we do with our laptops, though, and PH, realising how confident we were, demonstrated an example from another casino company contract.
He created a Skype account which looked like it belonged to his casino client. He then searched for employees who stated publicly that they worked for the same casino company. After contacting them, he claimed to be the casino’s computer administrator, and after a short conversation PH asked them to run a program he would send them. The majority of employees complied, which gave PH access to the victim employee’s computer and, of course, to the main internal network. Once in, PH was in a position to reach further systems and access customer details as well as all other sensitive information that was not protected.
PH’s role at this point is to highlight these weaknesses to his client and propose recommendations to secure the system. A professional fraudster would not be so helpful; they would first take what they could for financial gain.
Luckily for us, PH is available for penetration testing and we will gladly recommend his services. However, if any company still feels it is not vulnerable, here are some quick reminders:
Online casino anti-fraud departments are pretty good at stopping an attacker from sending funds to a predetermined bank account. However, their own vulnerabilities are in the back end, which is often excluded from security checks. PH confirmed he has accessed back-end systems even when they were protected by a firewall and not publicly accessible. Once in, you are free to access customer data and reset passwords if you so wish.
Even if your website holds nothing of value, your reputation is still greatly at stake. And should you add items of value, such as other web applications, then one vulnerable web application can compromise the underlying system and any other website on the same system.
First and most obvious is illegal access to customers’ accounts and the banking page. More frightening is the penetration of the game rules. In one such engagement, PH was able to compromise a game on his client’s website so that it paid out each time he lost! This was done by altering the game to permit wagers of a negative number of chips.
One attack on a banking page allowed PH to add credits to his account using a program he developed himself, which fooled the system into believing that a third-party payment gateway had authorised deposits into the account.
Both land-based and online casinos depend on networks. As described above, once you know how, the network appears to be the easiest system to penetrate, at the expense of the casino’s integrity as well as the loss of customers and funds.
Luckily, PH is on the side of the good guys only and, in superhero style, uses his skills to protect the weak, preventing incidents before they happen.
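Added example, not code from the article or from the client’s game: a settlement routine that trusts the client’s wager as-is, beside a hardened version that parses and bounds the wager before settling, showing why a negative wager turns a loss into a credit. The table limit and function names are assumptions.

```python
from decimal import Decimal, InvalidOperation

# Hypothetical settlement for an even-money game; names and the table limit are assumptions.
TABLE_MAX = Decimal("50000")

class WagerError(ValueError):
    """Raised when a client-supplied wager is rejected before settlement."""

def settle_vulnerable(balance: Decimal, wager: Decimal, player_won: bool) -> Decimal:
    # Trusts the client's number as-is. With wager = -50 a *loss* credits 50 chips,
    # because balance - (-50) == balance + 50: the flaw described above.
    return balance + wager if player_won else balance - wager

def parse_wager(raw: str) -> Decimal:
    """Parse the client's wager string, rejecting anything that is not a finite number."""
    try:
        wager = Decimal(raw)
    except InvalidOperation:
        raise WagerError(f"not a number: {raw!r}")
    if not wager.is_finite():  # rejects NaN, Infinity and -Infinity
        raise WagerError("wager must be a finite number")
    return wager

def settle_hardened(balance: Decimal, raw_wager: str, player_won: bool,
                    table_max: Decimal = TABLE_MAX) -> Decimal:
    """Validate the wager against sign, granularity, table limit and balance, then settle."""
    wager = parse_wager(raw_wager)
    if wager <= 0:  # also rejects "-0"
        raise WagerError("wager must be a positive number of chips")
    if wager != wager.to_integral_value():
        raise WagerError("wager must be a whole number of chips")
    if wager > table_max:
        raise WagerError(f"wager exceeds the table limit of {table_max}")
    if wager > balance:
        raise WagerError("insufficient chips for this wager")
    return balance + wager if player_won else balance - wager

def rejected(balance: Decimal, raw_wager: str) -> bool:
    """True if the hardened path refuses the wager (used to show which inputs are blocked)."""
    try:
        settle_hardened(balance, raw_wager, player_won=False)
    except WagerError:
        return True
    return False
```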
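Added example, not the article’s or any gateway’s actual code: a deposit-notification handler that credits an account only when the message carries a valid HMAC over its contents, has not been seen before and reports an authorised status, which is the check a spoofed “authorised” message would fail. The secret, field names and canonical JSON form are assumptions.

```python
import hashlib
import hmac
import json
from decimal import Decimal, InvalidOperation

# Hypothetical deposit-notification handler; secret, field names and canonical form are assumptions.
GATEWAY_SECRET = b"constructed-shared-secret"  # in practice loaded from a secret store

def canonical(notification: dict) -> bytes:
    """Stable byte encoding so the gateway and the casino sign exactly the same thing."""
    return json.dumps(notification, sort_keys=True, separators=(",", ":")).encode()

def sign(notification: dict, secret: bytes = GATEWAY_SECRET) -> str:
    return hmac.new(secret, canonical(notification), hashlib.sha256).hexdigest()

def apply_deposit(balances: dict, seen_txn_ids: set, notification: dict,
                  signature: str, secret: bytes = GATEWAY_SECRET):
    """Credit an account only for an authentic, fresh, authorised notification; returns
    (credited, reason). Without the signature check anyone who can reach this endpoint
    could post a self-made 'authorised' message and credit their own account."""
    if not hmac.compare_digest(sign(notification, secret), signature):
        return False, "signature does not match the gateway secret"
    txn_id = notification.get("txn_id")
    if not txn_id or txn_id in seen_txn_ids:
        return False, "missing or replayed transaction id"
    if notification.get("status") != "authorised":
        return False, "gateway did not authorise this deposit"
    try:
        amount = Decimal(str(notification.get("amount")))
    except InvalidOperation:
        return False, "amount is not a number"
    if not amount.is_finite() or amount <= 0:
        return False, "amount must be a positive number"
    seen_txn_ids.add(txn_id)
    account = notification["account"]
    balances[account] = balances.get(account, Decimal("0")) + amount
    return True, "credited"

def demo():
    """Constructed exchange: a genuine notification, a forged one, and a replay."""
    balances, seen = {}, set()
    genuine = {"txn_id": "T-1001", "account": "player42", "amount": "250.00", "status": "authorised"}
    forged = {"txn_id": "T-9999", "account": "player42", "amount": "1000000", "status": "authorised"}
    outcomes = [
        apply_deposit(balances, seen, genuine, sign(genuine))[0],
        apply_deposit(balances, seen, forged, "0" * 64)[0],        # forger has no secret
        apply_deposit(balances, seen, genuine, sign(genuine))[0],  # replay of the first
    ]
    return outcomes, balances["player42"]
```

In practice the handler should also reconcile each transaction with the gateway over a server-to-server call before the credited funds become playable.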
AACASINO LTD adheres to and follows the Nine Principles of Data Protection of Malta.
These are as follows:
The controller shall ensure that: