Cyber Security- in the Gaming Industry

Money!

The word alone evokes excitement, and no other industry combines recreation, banking, tourism, risk, hospitality, retail, surveillance, and online apps like the gaming industry. Gambling and associated business’ is massively complicated, and given the amount of money involved, is one of the most targeted in the cybersecurity industry.

The gaming industry today operates around four main revenue centres. First, are the traditional casinos, where people exchange cash for proprietary chips or tokens and bet on any number of sports, card games, slot machines, etc.

Second, surrounding a modern casino’s gaming floor are high-end retail and food outlets; and while not specific to the act of gambling, the retailers like to associate high-value brands with the image of luck, wealth, and success arising from gaming.

Also attached to many casinos is the third source of revenue, hotels. Typically, operated under licence by branded hotel chains’, the casino operators own the freehold on the hotels and again align the ‘wealth experience’ for gaming tourism. Many hotel rooms will market and provide easy ‘virtual’ online gaming for patrons who’d rather not leave their rooms to game but still enjoy the experience of gambling tourism.

Lastly, the fourth income source is online gaming. Varying based on demographics, online gambling whether it be bingo for the elderly or action games for teenagers involves paying for the experience of the game, and the chance of winning, status, virtual rewards, and money.

Willie Sutton.

A gaming organisation will often be a combination of these four sources of revenue, and cybersecurity must be viewed holistically from the multiple attack vectors arising from each. Increasingly, online gaming companies are adopting brick-and-mortar venues; and traditional casinos are building shopping malls with attached hotels. Gaming, like banking, is an extremely heavily regulated industry. It’s also one of the most targeted for cybercrime.

A reporter once shouted to Willie Sutton, the infamous American bank robber, “Hey Willie, why do you rob banks?” “Because that’s where the money is!” Was Willie’s retort.

The reality is that the gaming industry is under constant attacks from cyber criminals. The challenge is the number of attack-surfaces to which the gaming industry is exposed. Online gaming apps can be exploited by hackers to gain unauthorised access, manipulate gameplay or compromise players’ data. Given the relative newness of the industry, the focus onDevSecOps is mandatory and an embedded part of the game development process.

Traditional casinos are hard to protect. Take the simple example of hotels. Hotels have multiple online applications such as reservation systems, Point-of-Sales stations, Wi-Fieverywhere (with at least one network open to the public), surveillance systems, and many automated building elements such as heating, aircon, physical access such as key cards, and many staff members for whom to validate access controls and permissions.

Moreover, if the hotels' networks are also attached to the retail shops, as part of the shopping mall encircling the gaming floor, and then the networks of gaming machines, and the building’s critical infrastructure, many operating on proprietary protocols, the cybersecurity risk becomes multi-dimensional. A breach anywhere could lead to command and control being established and a hack in one part of the operation could then expose vulnerabilities in others.

Attempting to steal money is traditionally the bad actor’s objective, but increasingly this is cryptocurrency-focused, and delivering ransomware or a DDOS attack is the easier alternative.

Surveillance and licensing.

As a casino CISO recently told me “…if, for example, our retail POS systems are breached and customers' credit card credentials are stolen, it’s embarrassing, it’s awkward, people will be fired, and we will pay a fine. But the business will continue. However, if the surveillance cameras on the gaming tables are hacked and disabled, we must close the tables. If the tables close, and we can’t game, we lose our gaming licence. That will kill our business.”

Types of cyberattacks on gaming.

For this reason, a gaming organisation will often segment networks and have air gaps (or airwalls) between critical networks. Surveillance cameras will often be isolated, with redundancy designed for the network itself, but also for power supplies.

Furthermore, critical infrastructure must be protected. Power supplied could be targeted for a DDOS attack, likewise, air-conditioning systems for a casino's data centre would have the same effect.

Man-in-the-middle (MitM) attacks are commonplace in venues with a high flow of people such as shopping malls, gaming floors, and hotels. These allow attackers to intercept communications between clients (such as gamers) and servers, again to manipulate or exfiltrate data. Unlike a secure office building, the difficulty of authenticating guests of retail shops, and hotels is impossible, thus making network security the first line of cyber defences.

The growth of online gambling (globally a US$281 billion business in 2023) is the fastest sector with an estimated 13% YoY growth. Mobile devices are the most common interfaces, hence securing gaming applications is paramount. Common attack vectors for online gambling include the following:

Buffer Overflow: Where data written to the buffer exceeds capacity. This can potentially lead to a code execution or privilege escalation.

SQL injection: Attackers can insert malicious SQL code into a game’s database queries allowing access to sensitive data or modifying the database.

Cross-Site Scripting (XSS): Where malicious scripts are injected into web-based games, which can then be executed in players’ browsers leading to data theft or session hijacking.

Remote Code Execution: Where a game’s server-side code is vulnerable to exploitation allowing other code to be executed.

DLL Hijacking: Where attackers replace legitimate game Dynamic Link Libraries with malicious ones.

Authentication Bypass: By exploiting flaws in the gamer’s login processes, attackers can access user accounts without proper credentials.

Denial of Service (DDOS): Attacks where gaming or application servers are overwhelmed with traffic disrupting gameplay for legitimate players. These attacks are not unique to online betting as discussed above but are technically relatively easy to execute for bad actors.

How can the gaming industry protect itself from cybercrime?

Traditional casinos have long-established protocols for physical security. These are now having to be extended for online gaming, and the extended physical elements of shopping malls and hotels. Often a breach in one can expose vulnerabilities in other parts of the business. Anti-money laundering laws and data privacy mean the consequences of a casino being breached may not simply be an embarrassment and manageable monetary cost.

Building sophisticated Security Operations Centres are commonplace in the gaming world, but incorporatingBuildings Assurance and DevSecOps as functions are key as bad actors look to these less traditional vectors of attack.

Call to Action.

As the threat landscape continues to evolve, CyberQ Group continue our service of transforming your business to be cyber resilient. Services such as vulnerability assessments are key to the gaming world, as are building assurance, physical and cyber penetrating tests, and continuous breach detection and cyber simulations. Get in touch with us now to start safeguarding your digital future.