Sin City, A.K.A Las Vegas, Nevada – is once again playing host this week to the Black Hat and DEFCON security conferences. With throngs of computer experts patrolling the Strip, it seems only fitting to take a moment to consider the threat landscape of online casinos.
The Hacker, the Insider and Everything in Between
Online gambling sites face security challenges from a number of different sources. First, there’s the external hacker, who at his own convenience – from his home, a cafe or on the road – can launch attacks in attempt to steal sensitive data, raise havoc or commit fraud. Then there’s the insider – the rogue administrator who can cash in others’ chips or harvest customer details. Finally, there’s everything in between, such as the challenges posed by privacy concerns to the problem of adhering to regulations, such as PCI. Let’s take a closer look at some of the ways criminals beat the house when they play online.
• Denial of Service (DoS) - The impact of such an attack renders the server unavailable. This causes a direct loss to the business as customers cannot engage with the site. Two years ago, Australian betting sites suffered from Distributed DoS (DDoS) attacks which reportedly caused millions of dollars in losses. A few months ago, two individuals were arrested under allegations of conducting a DDoS attack against rival South Korean gambling sites.
• Theft of Goods - The attacker steals the victim’s “chips” in order to sell or redeem them for cash.
• Counterfeit - A malicious individual generates chips, causing devastating consequences for an online casino.
• Cheating – For example, when a single player creates multiple online poker personas. In each poker table, several of these personas are placed so the individual gains an unfair advantage over other players.
• Online Transactions - Gambling sites are usually an efficient tool for cashing in on stolen credit cards. For example, one popular method used by the criminals is to open two separate accounts. One account is attached to the legitimate card, while the other is attached to the stolen card. Both accounts, operated by the same user, play in the same game with the “illegal” account losing intentionally to the “legal” account. It is ultimately the sites that are subject to pay all incurred losses to the bank.
• Insider Threat - This is a major concern due to the sensitivity of the information (payments, chips, game-rigging) being processed and stored by a gambling site. This casino employee abuses the inherent trust and access obtained in order to perform the job. For example, an insider with the right authorization can perform fraudulent payments, generate chips and harvest customer details. A few months ago, an individual posing as a trusted administrator was able to siphon 400 billion gaming chips. The plan was simple: by hacking into the system and gaining administrative credentials, the administrator can use the system to transfer chips to fake Facebook accounts. Then, he can sell these chips at a lesser market value and cash in on the loot. As an interesting side-note, the hacker’s attorney mentioned that his client was “wrestling with a gambling addiction”, and was “now drawing a six-figure salary from a Facebook application called Gambino Poker”. An online gambling provider employing a gambling addict? I call that taking a chance!
• Regulations - Although a less direct threat, online casinos deal with payment processing, placing them under regulation scrutiny. First, there’s the adherence to federal law to prove that transfers are made in accordance to basic banking laws. Just a few months ago, the US Department of Justice cracked down on the payment processors of online casinos. Second, there’s the Payment Card Industry Data Security Standard (PCI DSS) which casinos are required to comply with due to the processing of credit cards
• Privacy - This is a concern for gamblers who fear the consequences of exposure (which may lead to job loss, black-mail, etc.). Consequently, for the online casinos to attract the gamblers, they need to ensure the privacy of their customers.
Containing the Threats
Different attacks of course call for different defenses. Many of these countermeasures will sound familiar to you.
• Application Security – Exploiting different Web 2.0 vulnerabilities may lead to any of the above threats. An attacker, for example, can obtain administrator credentials by exploiting a vulnerability in the gambling site. A different vulnerability may allow the attacker to perform a simple DoS attack without even using a botnet. Securing the applications will block exploits targeting these vulnerabilities.
• Automation Deterrence – As research has shown, attacks are mainly automated, with hackers attempting to obtain administrator credentials through brute force password cracking. Casino application vulnerabilities are actively sought using search engine scripts and can then be exploited automatically. Gambling sites should apply controls that slow-down these automated attacks in such a manner that it will make the cost of attack too high for the attacker. For example, limiting the number of failed login attempts within a short time period.
• Reputation Controls - Requests which originate from known malicious sources (for example, computers that are actively known as belonging to a botnet) may indicate an attack against the site. In addition, requests from regions that are notorious for generating malicious traffic may also be flagged. This will allow the online casinos to stop the malicious requests at the “door”, even before any engagement with the client.
• Monitoring Sensitive Data – Protecting data starts with monitoring. In this case, rigorously monitoring sensitive data such as “chips” and issuing alerts based on abnormal or suspicious behavior is important for catching criminals in the act. If a low-privileged user for example transfers chips from one account to another, this control should sound the alarm. Even the access to customer details should be monitored to ensure the customers’ privacy.
• Monitoring of Privileged Employees – Security controls can’t just stop at the data however. They must also be put on the privileged employees – those who are able to access the sensitive data. In the case of an attempted chip-heist, this control should alert and even block the user’s activity. In other words, these controls ensure that it is not the fox guarding the hen-house!
|Part in a Cybercrime Series - Read Noa's Other Featured Columns Here|
• Fraud Detection –These tools mainly correlate different identifying information together with the initiator of the transaction in order to flag fraudulent purchases. These are similar to the anti-fraud measures deployed at retailers. For example, the controls can correlate the source of the transaction initiator together with the personal details on the (legitimate) owner of the credit card.
Update: Reader Eugene Kogan has shared with me some additional insight into how criminals use online gambling systems to transfer money from one type of online payment system to another. These sites usually support many types of online transactions, making tracking very problematic. Hackers, knowing this, pass several payment systems before cashing out. In which case, a single player does not necessarily need to lose to another player. Sometimes, they just use the smallest possible betting amount with nearly a 50% chance to win. When enough bets are put, they are likely to stay with, more or less, the original sum. Later, they can cash-out using some other type of payment system (for example, from a credit card to a bank transfer or to a check).
For those attending Black Hat, I hope to see you there! There are quite a few talks I’m looking forward to attending. Next column I’ll discuss the most valuable tools researchers use.