[ISN] Thieves Inside the Machine

From: InfoSec News (alerts@private)
Date: Thu Dec 06 2007 - 23:14:21 PST


http://www.lasvegassun.com/sunbin/stories/sun/2007/dec/06/566653097.html

By Liz Benston
Las Vegas Sun
December 06, 2007

High-tech thieves have discovered a new way to rip off slot machines - 
stealing more than $1 million from the Orleans before management shut 
down their computer-assisted heist.

Gaming regulators say the crime - one of the largest in years - shows a 
vulnerability in casino security that could lead to new surveillance 
standards.

The theft began in September 2006 and allegedly involved three slot 
workers who, over several months, manipulated software that prints slot 
machine payout tickets. They allegedly worked with two accomplices who 
posed as customers and cashed the tickets.

One defendant, slot technician Seferino Romero, pleaded guilty last 
month and will be sentenced in Clark County District Court on Jan. 24. 
Felony theft carries a maximum 10-year prison term. His attorney, 
Jeffrey Segal, said his client didn't mastermind the heist and has 
agreed to pay restitution of $100,000.

"I think that his actions subsequent to the conduct indicate that this 
is a person of good character who got caught up in something and 
realizes it was a mistake," Segal said.

The Orleans incident shows that other casinos are similarly vulnerable 
to inside jobs by casino workers, security experts say. Employee theft - 
sometimes as simple as pocketing cash or chips - is a recurring problem 
in the cash-rich industry, which can corrupt the most trusted employees. 
Most crimes are not publicized by casinos and regulators are reluctant 
to discuss them for fear of tipping thieves to new techniques.

Boyd Gaming Corp., which owns the Orleans, declined to discuss the 
particulars of this case, which is still in progress.

"It could compromise the investigation" and assist other cheats, 
spokesman Rob Stillwell said.

Four other defendants are awaiting arraignment next year on felony theft 
charges.

The Gaming Control Board's enforcement chief says the Orleans incident 
was a new one to him, although it had a familiar ring to security 
experts.

In this case, Orleans workers printed winning tickets on test machines 
in a back room, using software allowing the machines to mimic machines 
on the slot floor that had been turned off, investigators told the Sun. 
The tickets were for relatively small amounts - a few hundred dollars 
each - to escape the notice of casino bosses.

Stealing from cashless machines is a new challenge for thieves.

Casinos have turned from coin slot machines to ticket machines because 
they are easily played and maintained and had been considered more 
secure than old-generation coin slots, which skilled thieves could 
quickly compromise using mechanical tools such as magnets and metal 
wands.

These newer thefts typically involve casino employees with access to 
sensitive areas of a casino's nerve center.

And therein lies the problem - and the solution - for casinos.

The slot technicians involved in the Orleans theft had appropriate 
access to the slot testing room but probably shouldn't have been allowed 
to tinker with the slot system that communicates with the machines on 
the floor without some interaction with other departments or higher-ups, 
said Jerry Markling, chief of the Gaming Control Board's enforcement 
division.

The good news for casinos is that "these are no longer easy scams" and 
can mostly be defeated with "strong internal controls," Markling said.

Michael Crump, a Fresno-based slot security consultant, said the Orleans 
case is typical of an emerging scam that is foiling casinos nationwide.

Many casinos rely on manufacturers to create security clearances for 
casino employees to access their slot tracking software, said Crump, a 
former executive with Boyd Gaming in Las Vegas. But those casinos may 
lose track of what clearances those employees have, allowing them to 
exploit the system later on, he said. Typically, employees who steal 
have stumbled upon access they shouldn't have, he said. What's 
especially troubling for casinos is that some employees can cover their 
tracks by erasing transactions or signals that could red-flag auditors, 
he said.

The theft came to light during last month's Gaming Control Board 
meeting, when regulators discussed and approved a request by the South 
Point to put slot machines in a relatively remote part of its casino. 
Regulators worried about surveillance and the casino offered to post 
either a security guard or a slot technician at the machines.

At the meeting, board member Randy Sayre said ticket machines may not be 
as secure as industry executives would like to believe.

"It's not just a matter of, we have got the room, we have the people to 
watch it, let's put (slots) out there," he said. "Technology is moving 
forward on us and the bad guys are getting smarter."

Regulators are loath to discuss details of how slot machines can be 
exploited, but indicated that, in a general sense, surveillance of the 
slots is important.

Regulators generally require surveillance cameras on remote machines, 
though regulations specify dedicated cameras only for big jackpot 
machines. Some casinos don't train cameras on machines that have been 
shut down.

Cameras may not stop an actual theft but they can be used to watch 
employees who might be breaking some procedure by, say, not being on the 
floor when they should, Crump said.

Still, security clearances, rather than surveillance, are the real 
culprit in this case, he said.

Sayre says his concern isn't with the distance of any particular slot 
machine from the main casino floor but the possibility that with the 
spread of slot machines into remote areas, a casino's security staff 
could be spread too thin.

He says a standard policy for surveillance of remote machines would help 
casinos and regulators combat crooks.

Sayre wonders whether manning the machines with a gaming employee would 
be preferable to a guard, who is trained to spot underage gamblers but 
perhaps not as familiar with the technical aspects of the games and how 
they can be compromised by cheats.

Casinos lose an estimated 6 percent of revenue to internal theft, which 
is chalked up as a cost of doing business, Crump said.

Many thieves prefer to ply their trade at smaller casinos outside of 
Nevada with cruder security mechanisms, he said. But Las Vegas 
eventually attracts the most accomplished and polished criminals, who 
try their hand here "to prove they can get away with it."

The Orleans scam was hardly the perfect crime, Markling said.

"It was only a matter of time" before the thieves were caught because 
the casino's high-tech slot monitoring systems can detect deviations 
from the expected payout of any particular slot machine, he said.

All contents copyright 2005 Las Vegas SUN, Inc.

