Anne Lindner

Wireless Gaming Presents New Security Challenges

17 January 2002

It's old news in interactive gaming circles that the next generation of casino games and sports betting will take the form of wireless gambling. Several I-gaming companies have already developed products aimed at this new type of gaming. While increasing consumer access to games will inevitably be good for business, with it comes a range of new security concerns. In the words of one expert, security risk increases as technology becomes more complex.

Christopher W. Klaus is founder and chief technology officer of Internet Security Systems, a security management firm that specializes in helping businesses identify possible security gaps and prepare for the worst. The company, which has been described by USA Today as one of the industry's most important business-to-business Internet companies, was started in 1992 by Klaus and today has more than 1,500 employees in 17 countries.

Klaus said that although the security industry is only beginning to think in wireless terms, there are issues that I-gaming companies need to address. The wireless infrastructure, he explained, consists of multiple layers. On a low level, there is the actual wireless protocol--examples of that are GPRS and WAP--which are standards that enable people to surf the Web using a cell phone or PDA. Above that, there's the security infrastructure of the cell phone itself, and on the top is the infrastructure of the site's back-end server, which is where Klaus expects most sites will focus their hacking-prevention efforts.

"Presumably, whoever's providing the Internet gambling over the wireless connection has some servers in place that are providing that capability," he said. "We're starting to see more and more security focused at that level and at the application level."

The primary source of security problems for Web sites--whether they are accessed by a computer, mobile phone or handheld--is the database, Klaus said. Internet Security Systems has consulted for quite a few gambling sites, he said, that have been hacked on their back-end servers, the site of their databases. So whatever risk is involved for the consumer in plugging his or her credit card into a computer or cell phone to gamble, the I-gaming company itself experiences too when it leaves its back-end servers open to hacking. The e-business could stand to lose its database of consumers' credit cards, not to mention players' trust.

"What happens is, for most of the hackers, they don't target a single credit card, they target a whole database," Klaus said. "So rather than sit there and say, 'Hey, I think I got a credit card. Let me try and crack it and set up a bunch of computers to de-crypt this single credit card. . . .' If I can get into the database, where you have 10,000 customers and all their credit cards are stored there, I just grab that, and it's much more effective. There's usually much less security around the database, and that's a big concern."

To keep that precious data away from hackers, Klaus recommends I-gaming sites perform tests on their infrastructure to determine how easy it would be for unwelcome visitors to hack. There are many companies in the United States and abroad, including his own, that will consult with e-commerce companies to assess their security risk, he said. With the results of a security penetration test, an Internet company will be better equipped to come up with a plan of action to both deter hackers and deal with emergency security leaks.

"Could someone break in? How could they break in? What are the flaws? Typically, you go from a penetration test to a complete security assessment," he said. "That's really to look at--whether the casino has a security policy, and is their infrastructure in compliance with the policy. We're seeing more and more companies, and that includes casinos and others that are starting to really take advantage of wireless. They're adding a wireless security policy section, really thinking through the policy of how to properly deploy the wireless application and making sure that it is secure."

A security risk particular to wireless gaming relates to the application protocol used, Klaus said. WAP, a popular standard in Europe, contains a security flaw that stores users' passwords on the phone, leaving the application developer responsible for clearing out the variables from the phone. If an individual gamer's password variable isn't cleaned out, Klaus said, it would be easy for it to be stolen.

"Depending on the variable name, if someone was smart about it, they could figure out, 'This is the (MGM) Mirage password,' depending on the naming of the variables," he said.

While wireless may pose some unique security concerns, one threat the devices don't pose, for the moment, is being used to hack into an Internet site. Klaus said he has yet to see a site hacked directly through a cell phone. The devices are not sophisticated enough yet.

"We're probably two years away from having really functional cell phones, meaning that the cell phone today has very limited functionality, in that usually it's just for voice and maybe some very limited getting small amounts of information and sending back small amounts of information," he said.

PDAs are another story, however. They offer more functionality--almost as much as a laptop, Klaus said. Once mobile phones start to take on more characteristics of PDAs, they could be used to hack sites.

"Once that functionality starts to be inserted into cell phones, then the cell phone can become an attack tool," he said. "Right now it's like your television remote in that it's very limited in capability. No one's going to hack the Internet with their TV remote."

Klaus recommends not only penetration tests to make sure the back end is as hack-proof as possible, but also an emergency response plan to determine how security breaches will be handled. Who will be notified, when the authorities should be alerted and how a site can clean out its back doors--devices hackers can leave behind to assure themselves entrance to the same sites over and over again--are all things a company should know before it hits "panic mode," Klaus said. It's a matter of protecting current customers and making sure the site's brand stays attractive to new ones.

"Imagine if MGM, as they are trying to put a lot of money into trying to sell an online gambling site to their customer base, if they get noted as being a very vulnerable and hacked site, where everybody who gave their credit cards gets compromised. . . ." Klaus said. "Obviously there'd be very few people jumping to use their services."

Wireless Gaming Presents New Security Challenges is republished from