Casinos have long been tempting targets for thieves and scammers, but
the reality bears little resemblance to movies like Ocean’s Eleven. The
majority of attempts have either been foiled whilst in progress, or the thieves were later caught and punished. Casinos are notoriously reticent to publicise such incidents, but the biggest heist to date is believed to be a 2013 security breach at the Melbourne Crown Casino.
The scammers managed to hack the casino’s security cameras, feeding
information to a high-rolling player who walked away with $32 million. It seems that the Crown security caught on to the ruse, and the money was recovered. Indeed, that’s how it usually goes with attempts like these on physical casino establishments – the security know what to look out for and most people don’t get away with it.
Brick and mortar casinos may have well-established and effective security
protocols in place, but when it comes to casino sites, security is an ongoing
challenge. One of the first things that potential customers must do when
deciding to make an account at a casino website is look at the licensing,
regulation and security credentials.
The stakes are high; casino websites hold a huge amount of personal data
on their players, including identifying information and bank details – they are required by law to do so. This information is of great value to cyber
criminals, as demonstrated by the 2016 cyber attack on Casino Rama in Canada.
Up to 200,000 players had their personal data stolen, some of which was
published online, and a class-action lawsuit is underway to the tune of $60
million. It is reported that the hackers demanded money in return for not
publishing more of the information, although at the time the shady group behind the attack claimed that they were merely attempting to force the casino to improve security.
Phishing
Luckily, there have not been many such attacks on entirely web-based
casinos to date. A large-magnitude data breach would likely be fatal for any
online casino; their reputation would simply never recover from the loss of
trust. But the Rama incident raises serious concerns in the industry,
especially because it is believed to have been achieved via a phishing scam.
Such attacks can be the hardest to manage, since they rely on fooling users
into giving access to their personal data.
The scale of the Rama data breach suggests that the phishing victims may
not have been individual clients, but rather employees with access to customer data. Phishing is fundamentally a human-error problem, and the only tools available to combat it are strong messaging for customers and thorough training for employees.
DDoS Attacks
All casino sites are also alert to the threat of a Distributed Denial
of Service (DDoS) attack. These are particularly damaging to a 24/7 business like a casino, where customers expect access at all times. During a DDoS attack, hackers use bots to overwhelm site servers with requests, leading to the site crashing and sometimes even causing physical damage to the servers.
Such an incident can be a great blow to the reputation of a casino site,
but a DDoS attack can also be part of something even more serious than a site crash. Large-scale attacks are on the rise, but smaller ones can go undetected and be used as a smokescreen to install ransomware or malware. Hackers need only minutes to gain access to customer information and more.
Even if a DDoS attack is not accompanied by a more significant security
breach, crashing a casino site can lead to the loss of millions in revenue and permanently harm the name of the casino. In a crowded market, loss of faith in site security is enough to close anyone down. As DDoS attacks have such potentially devastating consequences, today’s casino websites must ensure that all precautions are taken to mitigate the risk.
Manual DDoS mitigation is no longer recommended, as it requires a manual response to an attack – in the case of a smaller-scale, undetected attack, such mitigation would be useless. Instead, a more proactive and preventative approach needs to be taken, which may well require the services of a dedicated DDoS mitigation provider. Such providers employ a variety of techniques, such as rate limiting, blacklisting and firewalls.
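The automated response described above can be sketched as a per-client rate limiter that escalates repeat offenders to a temporary blocklist with no operator involved. This is an added example, not code from any casino or mitigation provider; the class name, thresholds and sample traffic are constructed for illustration.

```python
from collections import defaultdict, deque

class AutoMitigator:
    """Per-client sliding-window rate limit with automatic temporary blocklisting."""

    def __init__(self, max_requests=5, window=1.0, strikes_to_block=3, block_seconds=300.0):
        self.max_requests = max_requests          # requests allowed per window
        self.window = window                      # window length in seconds
        self.strikes_to_block = strikes_to_block  # over-limit requests before blocking
        self.block_seconds = block_seconds        # how long a block lasts
        self._hits = defaultdict(deque)           # client -> timestamps of allowed requests
        self._strikes = defaultdict(int)          # client -> over-limit count
        self._blocked_until = {}                  # client -> time the block expires

    def check(self, client, now):
        """Return 'allow', 'throttle' or 'block' for one request seen at time `now`."""
        until = self._blocked_until.get(client)
        if until is not None:
            if now < until:
                return "block"
            del self._blocked_until[client]       # block expired: start clean
            self._strikes[client] = 0
        hits = self._hits[client]
        while hits and now - hits[0] >= self.window:
            hits.popleft()                        # drop requests outside the window
        if len(hits) < self.max_requests:
            hits.append(now)
            return "allow"
        self._strikes[client] += 1
        if self._strikes[client] >= self.strikes_to_block:
            self._blocked_until[client] = now + self.block_seconds
            hits.clear()
            return "block"                        # escalated with no operator involved
        return "throttle"

def sample_traffic():
    """Constructed events (timestamp, client) using documentation-range addresses."""
    player = [(i * 0.5, "198.51.100.7") for i in range(20)]   # 2 req/s for 10 s
    flood = [(i * 0.05, "203.0.113.9") for i in range(200)]   # 20 req/s for 10 s
    return sorted(player + flood)

def replay(events, mitigator):
    """Feed events through the mitigator and count decisions per client."""
    summary = defaultdict(lambda: {"allow": 0, "throttle": 0, "block": 0})
    for ts, client in events:
        summary[client][mitigator.check(client, ts)] += 1
    return dict(summary)
```

Replaying the sample traffic lets the normal player through untouched while the flooding client is throttled and then blocked within its first half second, which is the window a manual response would miss.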
One effective way to mitigate DDoS attacks is to abandon unicast DNS
in favour of anycast. This allows traffic to be absorbed by a network of
servers that share an IP address, rather than routing all traffic to a single
server.
Hacking and Encryption
While the threat and magnitude of DDoS attacks increase, it’s important
not to neglect defence against other forms of hacking. The usual way that this is done is via data encryption, and the majority of casino websites use TLS (Transport Layer Security) to provide a secure channel for data to pass through without being intercepted or tampered with. Most sites still refer to TLS as SSL, the name of its predecessor.
Many casino sites are today boosting their SSL encryption and adding an
extra layer of security with the RSA algorithm – a robust method of encrypting and decrypting data so that it can be safely transmitted via the internet.
Casino sites take security just as seriously as their land-based
counterparts, and utilise a variety of sophisticated methods to mitigate and
eliminate risks. Coupled with stringent KYC (know your customer) practices, the security protocols at casino sites are some of the most rigorous to be found at any e-commerce site.
As tools and methods of attack become increasingly sophisticated, casino
sites must be responsive to change and be proactive in staying one step ahead of the hackers. Since it is in everyone’s interests to make security a priority, reputable casino sites afford customers the same levels of safety as online shopping with a major retailer or using an internet banking service.