Taking a byte out of crime
Halting identity theft and protecting sensitive information is key to maintaining successful and safe operations at casinos
By Steven Marlin
As security breaches involving loss or theft of personal information become commonplace, casinos are taking extra precautions to safeguard data with technology products and services aimed at minimizing the risk of identity theft and related crime.
High-profile incidents involving information brokers (Acxiom, ChoicePoint, LexisNexis), financial-services companies (Ameritrade, Bank of America, Citigroup), and retailers (DSW Shoe Warehouse, Polo Ralph Lauren) have grabbed headlines and gotten the attention of lawmakers. The National Indian Gaming Commission, for example, has established its Minimum Internal Control Standards, which contain strict IT audit guidelines like restricting access to gaming systems, maintaining computerized access logs, and documenting changes to programs and data.
Such laws, however, have done little to deter ID theft criminals. Indeed, this past June saw the largest incident to date. It involved CardSystems Solutions Inc., which reported a breach that exposed more than 40 million Visa and MasterCard records. The breach involved an infiltration into CardSystems' network by an unauthorized individual who accessed cardholder data.
Casinos, among the most security-conscious of businesses, have gone to great lengths to protect information from attack from both inside and outside. Tools and technologies run the gamut from surveillance and network monitoring devices to wireless terminals for handling credit card transactions, and even chips implanted with radio frequency identification devices.
Sensitive information
InfoGenesis, whose Revelation POS system is used in many casinos, adheres to strict rules from American Express, Visa, and MasterCard to safeguard data.
"We store only the minimum amount of data needed to recall a transaction," said Brent Christensen, vice president of sales at InfoGenesis. "We don't store the full credit card record."
However, the full record is needed by InfoGenesis' primary back-end processor, Shift4 Corp., which transmits authorization codes from the card networks back to the POS system. InfoGenesis encrypts all information stored on a card's magnetic stripe before sending it to Shift4, but doesn't store the information itself; storing it is a practice that's landed some merchants in hot water.
"We hand off credit card information securely, in encrypted format," Christensen said.
With a heavy reliance on cash transactions and large amounts of personal data being collected by casino, hotel, restaurant, and POS systems, casinos make tempting targets for would-be identity thieves.
"Casinos have all the security issues associated with any large retail establishment, plus the fact that they're dealing with huge amounts of cash," said Mark Rasch, senior vice president at Solutionary Inc., a security software and assessment company.
Solutionary works with casinos to identify security gaps before information leaks out. External assessments include evaluating firewalls, servers, and other network devices that could create opportunities for unauthorized access to networks, systems, and information assets. Internal assessments focus on general security practices, controls for access to systems, and virus protection.
Its ActiveGuard software detects unusual patterns or anomalies by examining security-related events from servers, firewalls, routers, intrusion detection systems, physical security systems, or any event detection mechanism.
Guarding networks' 'back doors'
When crooks are thwarted from entering through the front door, they'll look to enter through the back; in particular, by exploiting vulnerabilities in networks.
"Casinos spend millions of dollars on video and audio surveillance, but their networks are full of holes," said Gary Johnson, vice president of sales and marketing at Procera Networks Inc., which manufactures network security devices.
Casino executives acknowledge that networks represent the soft underbelly through which thieves can pilfer Social Security numbers, names and addresses, and other sensitive data.
"In the gaming business, particularly Native American gaming, there are numerous checks and balances covering things like counterfeit bills and surveillance," said Brian Latona, IT director at Robinson Rancheria Resort & Casino, a tribal establishment in northern California. "But the Achilles Heel is the data."
Robinson Rancheria uses Procera Networks' OptimIP network appliance to monitor and control Internet traffic, ensuring that it's in compliance with the National Indian Gaming Commission's rules as well as those of the California Gambling Control Commission. It also helps ensure that sensitive data doesn't leave the premises.
"Once the device has identified that private information such as driver's licenses or Social Security numbers are being sent, it locks down the Internet port and alerts system administrators," said Latona.
It's especially important to guard information on high-rollers. "Casinos need to be extra vigilant in protecting their player's club information," he said.
OptimIP is used to restrict Internet and e-mail access in Robinson Rancheria's vault, pits, and cages.
"It allows us to ensure there's no opportunity for collusion during the end-of-day drop," Latona said.
The product acts as a sentinel guarding the Internet backbone that weaves across some 25 servers running systems for Robinson Rancheria's casino, food and beverage operations, hotel, conference center, and retail shops. The appliance analyzes packets of information flowing into, out of, and through Robinson Rancheria's networks.
"By identifying applications running through the network, we have the ability to control everything from the speed at which applications run to removing unwanted applications like peer-to-peer, which are loaded with viruses and worms," said Procera Networks' Johnson.
OptimIP monitors traffic moving at wire speed, a necessity for spotting potential data leaks.
"When you're trying to manage anomalies in local-area networks or virtual private networks, you need the high speeds," said Johnson. Robinson Rancheria has deployed OptimIP's add-on surveillance tool, which works in "cloaked" mode so individuals can't detect they're the subject of an investigation or that their online behavior is being monitored.
On-site security
Another innovative product for combating ID theft is TableSwipe from Communication Transaction Solutions Inc. The product is a handheld, wireless device that allows restaurant patrons to make credit card payments without having their card leave their tables. It prevents skimming, in which a waiter steals information stored on the card's magnetic stripe using pocket-sized scanners.
The TableSwipe device transmits card information directly to the restaurant's POS system for approval, without human intervention. Data is transmitted wirelessly in rapid, encrypted bursts to a receiver connected to the POS station, and receives authorizations back from the credit-card networks. It then prints out receipts for signature.
The product, which was launched in June, has drawn the interest of several restaurant chains and casinos, said Wayne Steiger, CEO of Communication Transaction Solutions.
"TableSwipe fills a pressing need in terms of fraud prevention and the goal of secure, remote devices for interfacing with POS stations, while boosting profit through quicker table turns," he said.
For example, casino guests can quickly be authorized to purchase chips while remaining at the casino table or charge drinks at poolside. TableSwipe interfaces with POS systems from Aloha and Micros, and an interface is under development with InfoGenesis.
The TableSwipe system includes a secure wireless network plus software and terminals. A typical restaurant would use 10-12 terminals; the product can be expanded to accommodate any number of terminals and receivers. With a range of up to 300 feet, the device can be used at any location in a restaurant, as well as at curbside.
Importantly, from the standpoint of preventing ID theft, the devices store no information, so are useless if stolen.
Another of the latest technologies for preventing identity-related theft is radio-frequency identification (RFID). Gaming Partners International Corp. has sold more than three million RFID gaming chips and hundreds of readers to casinos in Europe, Asia, and the United States, including the Wynn Las Vegas Resort on the Las Vegas Strip.
The RFID-embedded chips have the same feel and quality as gaming chips familiar to dealers and players. Gaming Partners sells RFID chips and readers directly to casinos and also sells components, such as readers and antennas, to original equipment manufacturers. With RFID chips and readers, casinos can control their own currency securely and efficiently, said Gaming Partners president and CEO Gerard Charlier.
Eyes in the sky
An additional tool being used to combat ID theft is video surveillance. Casino Vision, a digital video system from SmartConnect, has been installed in several major casinos, including the Stratosphere Las Vegas and properties owned by MGM Mirage and Caesars Entertainment, said Henry Valentino, SmartConnect's president and CEO.
The system integrates with casino management systems and POS systems, allowing food and beverage managers to set triggers, such as whether excessive tips are being charged to a credit card. By interfacing data streams from POS systems with surveillance images, Casino Vision provides a powerful boost to fraud detection and prevention.
Casinos are rapidly moving to replace their old VHS video systems with digital video, Valentino said. An average casino and resort with 1,000 to 2,000 slots, 50 to 100 table games, other types of gaming, as well as food and beverage and retail, may be supported by as many as 1,000 cameras, all feeding hundreds of VHS cassettes.
"Even if you watch it in fast forward, it takes a lot of time," said Valentino. "With Casino Vision, you can identify incidents based on transaction details, and go right to the video."
Many other surveillance providers such as Sanyo Security Products, Panasonic, Bosch Security Systems and Honeywell are also touting their own digital security products. As costs of the digital systems fall, more and more casinos are moving away from their older, analog systems.
The result? Surveillance and security officials have more time to watch the casino versus changing tapes and monitoring equipment to make sure it's working correctly.
Protecting your future
As financial companies, casinos are subject to federal and state regulations such as the Gramm-Leach-Bliley Act, the United States Patriot Act, and California's security breach notification law. Movement is also afoot in Washington to enact a federal identity-theft law that would require any company that stores personal data on more than 10,000 people to create a data-privacy and protection program, including assessing, maintaining, and controlling risks to data privacy and security.
Businesses would have to provide employee training, perform vulnerability tests, and ensure that third-party service providers have adequate security programs. Companies that engage in interstate commerce would have to notify anyone whose personal information, such as name, Social Security number, or date of birth, has been affected by a security breach.
In order to stay ahead of the curve, casinos are implementing data privacy enforcement policies and systems.
"Casinos collect information, such as on patrons playing on credit, that's even more sensitive than what banks collect," said Saverio Scheri, managing director of WhiteSand Consulting, which advises casinos on technology and operations. "The prospect of someone getting into a casino's data through the Web site is scary."
WhiteSand works in partnership with Intrusion Inc., whose Compliance Commander product has been deployed by the Venetian Resort Hotel Casino to monitor network traffic for the presence of unencrypted customer information, including credit card and Social Security numbers, loyalty data and other private, personal information. Perched behind the perimeter firewall, Compliance Commander can instantly detect, protect, block, and report unauthorized transmission of private customer information.
"So far, every time we install Compliance Commander, we've found holes due to employee issues or unexpected network vulnerabilities," said Ben Bittle, Intrusion's director of product management.
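The content inspection described for OptimIP and Compliance Commander (spotting Social Security and card numbers in outbound traffic, then blocking and alerting) can be sketched as follows. This is an added example, not code from Procera, Intrusion or any other vendor named in the article; the patterns, function names and sample payloads are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Candidate patterns (assumptions of this example): US SSNs written AAA-GG-SSSS,
# card numbers of 13-19 digits with optional space or hyphen separators.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Finding:
    kind: str    # "ssn" or "pan"
    masked: str  # value with all but the last four digits hidden


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject ranges never issued: area 000, 666, 9xx; group 00; serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def scan_payload(payload: bytes) -> list[Finding]:
    """Return masked findings for one outbound payload."""
    text = payload.decode("latin-1")  # one character per byte, never raises
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", "***-**-" + m.group(3)))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("pan", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def inspect_flow(payload: bytes) -> tuple[str, str]:
    """Decide block/allow; the alert carries masked values only, so the
    monitoring log does not itself become a store of customer data."""
    findings = scan_payload(payload)
    if not findings:
        return "allow", ""
    alert = "blocked outbound flow: " + ", ".join(
        f"{f.kind}={f.masked}" for f in findings)
    return "block", alert


# Constructed sample payloads (not captured traffic).
FLOWS = [
    # SSN plus a Luhn-valid test card number: should be blocked.
    b"POST /signup HTTP/1.1\r\n\r\nname=J+Doe&ssn=123-45-6789&card=4111 1111 1111 1111",
    # 16-digit order id that fails the Luhn check: should pass.
    b"GET /orders?id=1234567890123456 HTTP/1.1",
    # SSN-shaped ticket number in a never-issued range: should pass.
    b"ticket 000-12-3456 closed",
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(inspect_flow(flow))
```

Pattern matching of this kind only sees cleartext, which is why the article describes these products as looking for unencrypted customer information.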
As more technologies become available, the more potential holes and risks can be exposed, and many casinos may not be as safe with their sensitive information as they think they are.
Sidebar:
Security Cache
Cache Creek Casino Resort pays special attention to protecting information
Casinos are at a fundamental disadvantage when it comes to security: They have to identify every vulnerability, while thieves and hackers only have to find one.
An effective security program involves lots of planning and reliance on outside consultants, said Jim Hamersley, CIO at Cache Creek Casino Resort. It also requires being proactive, such as not relying on a single security systems vendor and encrypting sensitive data.
"Anything that pertains to customer data should be encrypted," Hamersley said.
Here are the major components of Cache Creek's data security program:
• Availability - Cache Creek works with its Internet service providers to protect against denial of service attacks.
• Internet transactions - Cache Creek uses two separate firewalls and packet filtering to restrict traffic between the Internet and the casino's enterprise network, while allowing guests to access the Internet.
• Detection - Cache Creek has deployed network appliances from Internet Security Systems Inc. to monitor all network traffic.
• System security - The casino uses tools to authenticate access to systems and ensure that it can detect any breaches of data security.
• Virus protection - Cache Creek regularly scans for viruses using an automated online virus protection tool.
-Steven Marlin