All Bets Are Off on Casinos and Cybersecurity

Posted by UpGuard

You've seen enough empty Hollywood blockbusters about casino heists to know that today's gambling institutions are constantly in the crosshairs of attackers—online and off. In the digital realm, however, better malware tools and access to deep funding make today's cyber criminals more than a bad movie, especially when lucrative payloads are for the taking.

Recently, the Hard Rock Casino announced its second data breach in a year, marking a worrisome trend among data breach victims: most targets have suffered one or more similar compromises in the recent past. This is especially true of retailers and banks, and increasingly of casinos and gaming enterprises. In the Hard Rock's case, investigators hired by the casino discovered unauthorized PoS network access and the presence of malware, leading to this statement issued on June 27th regarding the data breach.

A similar data breach occurred last May when attackers were able to steal cardholder names, credit card numbers, and CVV codes belonging to hotel guests and customers. However, this time the attack was more widespread, targeting the resort itself—as opposed to restaurants and retail locations within the hotel. And like other recent attacks, PoS scraping malware was used to steal customer data as it entered the resort’s payment card system.

It may come as no surprise that casinos and gaming firms are ideal cyber attack targets, but how competent are these enterprises when it comes to rudimentary security? Given the volume of privileged financial data collected, you'd expect to see corresponding security measures in place. Let's take a look at some of the top casino/resorts and see if this is the case.

Bellagio: 751

The Italian-themed Las Vegas hotel/resort and casino scores a solid 751 CSTAR rating. Apparently its fortress-like facade is more than just looks—but a few gaps such as lack of HTTP Strict Transport Security and DNSSEC make for a less-than-optimal security posture.

Caesars Palace: 504

Arguably Las Vegas' most well-known hotel/resort, Caesars Palace—despite its towering facade—has left its digital fortress poorly protected. Lack of DNSSEC and server data leakage are a few of its security shortcomings, along with a 53% CEO approval rating, which increases the risk of internal attack.

The Venetian: 561

This five-diamond luxury hotel/casino may not be the only Italian-themed megaresort on the Las Vegas Strip, but unlike its counterpart the Bellagio, the Venetian lacks various website perimeter security controls—sitewide SSL, DMARC, and DNSSEC, to name a few. 

Are Online Casinos More Resilient?

Brick-and-mortar gambling establishments are one thing, but what about online casinos born in the cloud? You wouldn't be blamed for assuming that data-intensive firms like online casinos, transacting strictly in the digital domain, possess stronger security controls. We can assess their respective security postures and cyber risk profiles by determining their CSTAR scores.

Casino.com: 356

Despite scoring big with perhaps the most valuable domain name for online gambling, Casino.com receives low marks for a myriad of website perimeter security risks. Lack of sitewide SSL, secure cookies, DMARC, and DNSSEC are a few of its security flaws.

Euro Palace: 532

Leading European online gambling site Euro Palace musters up a decent CSTAR score for sitewide SSL and industry-grade encryption strength, but falls short due to lack of SPF and DMARC, among others.

Ignition Casino

Online gambling upstart Ignition Casino offers Blackjack, Slots, Poker on its website; fortunately, the company has also taken the requisite security measures for bolstering its website and email security.
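Several of the gaps called out above (HSTS, secure cookies, SPF, DMARC) can be read straight off a site's HTTPS response headers and DNS TXT records. The following is an added example, not code from the original post and not UpGuard's CSTAR scoring logic; the function names, finding labels, and the `example.test` sample data are assumptions constructed for illustration. DNSSEC and sitewide SSL need live lookups and are left out.

```python
# Added example: offline audit of perimeter controls named in this post.
# All sample data below is constructed; example.test is a placeholder domain.

def parse_tags(record, sep=";"):
    """Split 'k=v; k2=v2' style records into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(sep):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    return tags

def audit_perimeter(domain, headers, txt):
    """Return findings for HSTS, cookie Secure flag, SPF and DMARC."""
    findings = []
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    max_age = parse_tags(hsts[0]).get("max-age", "0").strip('"') if hsts else "0"
    if not (max_age.isdigit() and int(max_age) > 0):  # max-age=0 switches HSTS off
        findings.append("hsts-missing-or-disabled")
    for k, v in headers:
        if k.lower() == "set-cookie":
            name = v.split("=", 1)[0].strip()
            attrs = {a.strip().split("=")[0].lower() for a in v.split(";")[1:]}
            if "secure" not in attrs:
                findings.append(f"cookie-not-secure:{name}")
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # RFC 7208: a name must publish exactly one SPF record
        findings.append("spf-missing-or-duplicate")
    dmarc = [t for t in map(parse_tags, txt.get("_dmarc." + domain, []))
             if t.get("v") == "DMARC1"]
    if not dmarc:
        findings.append("dmarc-missing")
    elif dmarc[0].get("p", "").lower() == "none":  # reports only, no enforcement
        findings.append("dmarc-monitor-only")
    return findings

WEAK_HEADERS = [("Content-Type", "text/html"),
                ("Set-Cookie", "session=abc123; Path=/; HttpOnly")]
WEAK_TXT = {"example.test": ["site-verification=constructed"]}
GOOD_HEADERS = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")]
GOOD_TXT = {"example.test": ["v=spf1 include:_spf.example.test -all"],
            "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"]}

if __name__ == "__main__":
    print("weak:", audit_perimeter("example.test", WEAK_HEADERS, WEAK_TXT))
    print("good:", audit_perimeter("example.test", GOOD_HEADERS, GOOD_TXT))
```
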

Making the World's Largest Banks More Resilient  

You read that correctly—many of today's casinos are essentially the world's largest banking operations. But unlike banks, casino resorts are faced with a myriad of risks introduced by on-site retail establishments, service operations, and countless public-facing ATMs and card readers. The Hard Rock Casino may have fallen victim to sophisticated malware and PoS scraping technologies, but if recent history is any indication, proper patching and vulnerability detection could have saved them from a repeat compromise. This is what UpGuard's resilience platform provides: validation that your systems are free from security flaws, vulnerabilities, and misconfigurations that could lead to data breaches and outages.
