From the incandescent neon signage of the Las Vegas Strip to the beachside attractions of the Atlantic City boardwalk to the exclusive destinations in Macau and Singapore, casinos act like makeshift banks: swiping credit cards, converting cash into chips (and vice versa), holding vast reservoirs of foreign currency, and accepting mobile payments for lodging and dining, as well as shopping and other activities.
Safeguarding this information, and preventing hackers and cyber criminals from stealing it, starts by spotting existing vulnerabilities involving smartphones and tablets. In an increasingly BYOD (bring-your-own-device) environment, in which guests, staff and executives use mobile devices on a seemingly nonstop basis, we must identify and isolate a new risk: “leaky” apps, unsecured applications that thieves can exploit to gain access to a treasure trove of personal or professional information.
This material is the one jackpot no casino has plans to offer, as it is the one payout that can be financially ruinous to resorts and patrons alike.
This challenge is all the more significant because a leaky app does not advertise itself as such; it does not have the visible glitches, sudden crashes and inexplicable bugs that characterize the type of massive hacking incident described above. On the contrary, most of these apps work as advertised: They respond to a user’s touch, never revealing any alarms or providing advance warning about potentially catastrophic consequences. This problem is complex because most people (including casino IT administrators) do not know if the apps they depend on are really secure. They don’t know how their favorite apps store sensitive information, or whether an app encrypts data or performs certificate authentication.
But cyber thieves know very well how these things function and they can quickly use a leaky app to unlock very lucrative content. And these attacks are not an aberration, unfortunately. A recent Gartner study found that 75 percent of apps released through 2015 will fail basic security tests. Our own internal audit finds that 60 percent of the 100 most popular apps (including those with dual appeal to individual consumers and executives) have a high risk rating in one or more security categories. All of these apps are available through Google Play and iTunes. None of them would cause a typical user to worry about data theft.
All of which means casinos need a thorough, fast and effective answer to this danger. A proactive strategy toward mobile security—one that addresses not just malware and targeted attacks, but the greater danger posed by leaky apps—represents a chance for the gaming industry to strengthen its credibility and enhance its relationship with some of its most preferred guests.
IT PAYS TO SCAN
Casino managers must, therefore, inform their workers about this subject, converting these individuals into vigilant agents on the front line of defense. One way to do this is to educate them about the SCAN principle of mobile technology—Systems, Configurations, Apps and Networks.
Systems: If employees use a mobile device as part of their job, they should make sure they're running the latest version of the iOS or Android operating system. Older operating systems often have known security flaws an attacker can exploit.
Configurations: Devices should be protected by a strong password. Users should also avoid “jailbreaking” their smartphones, as this can make the devices more vulnerable to attack.
Apps: Your apps need to be tested and retested for security vulnerabilities before they are released to the public or implemented across your workforce. Apps should not store sensitive information on the device. If they absolutely must, developers need to make sure that the material is not stored in clear text or in an easy-to-find database. SSL/TLS protocols should be used to protect data in transit.
Your employees should use only apps offered in Apple’s App Store or Google Play since they are far less likely to be bundled with malware. Employees should also be wary of apps that request excessive permissions, and they need to stay updated with the latest versions of their apps, as many vendors use new releases to patch existing security holes.
Networks: Casino staff should only use known and secure Wi-Fi networks. Attackers can use insecure or “open” Wi-Fi to intercept traffic and mine it for sensitive data.
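One way to test the Apps point about clear-text storage is sketched here as an added example, not code from this article: it walks an app's data directory, assumed to be already extracted from a test device, and flags plain files and SQLite tables that hold Luhn-valid card numbers. The function names, file names and sample values are constructed for illustration, and the Luhn check is a filter chosen for this example.

```python
import re, sqlite3, tempfile
from pathlib import Path

PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")  # standalone runs of 13-19 digits

def luhn_ok(digits: bytes) -> bool:  # Luhn checksum weeds out random digit runs
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = (ch - 48) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def has_pan(data: bytes) -> bool:
    return any(luhn_ok(m.group()) for m in PAN_RE.finditer(data))

def scan_sqlite(path: str) -> list:
    """Names of tables in which some value is a cleartext card number."""
    con = sqlite3.connect(path)
    names = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    hits = [t for t in names if any(has_pan(str(v).encode())
            for row in con.execute(f'SELECT * FROM "{t}"') for v in row)]
    con.close()
    return hits

def scan_app_data(root: str) -> list:
    """Walk an extracted app data directory; return (relative path, detail) findings."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        rel, data = p.relative_to(root).as_posix(), p.read_bytes()
        if data.startswith(b"SQLite format 3\x00"):
            findings += [(rel, "table " + t) for t in scan_sqlite(str(p))]
        elif has_pan(data):
            findings.append((rel, "plain file"))
    return findings

def make_sample(root: str) -> None:  # constructed data: 4111... is a test number, not a real card
    Path(root, "session.xml").write_text('<string name="card">4111111111111111</string>')
    Path(root, "log.txt").write_text("order 1234567890123456 accepted")  # fails Luhn
    con = sqlite3.connect(str(Path(root, "guests.db")))
    con.executescript("CREATE TABLE payments(card TEXT); INSERT INTO payments VALUES('4111111111111111');"
                      "CREATE TABLE visits(ticket INTEGER); INSERT INTO visits VALUES(1234567890123456);")
    con.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        print(scan_app_data(tmp))
```

A finding means the value is readable by anyone who obtains the file; an empty result does not prove the app is safe, since data may be encoded or stored in other formats.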
Implementing these measures will help you maintain the safety of your data and that of your customers with the same professionalism and integrity that casinos bring to other aspects of their work.
That winning combination rewards both the house and her most respected players.