Experts: AI, Social Engineering Pose New Challenges

In expert presentations at last week’s World Game Protection Conference in Las Vegas, social engineering experts commented that operators must deal with new challenges from artificial intelligence and high-tech hacks.

Experts: AI, Social Engineering Pose New Challenges

The recent cyberattacks on MGM Resorts and Caesars Entertainment reflect a sophistication developed by criminal hackers that requires renewed vigilance from operators, according to experts interviewed by security expert Willy Allison at the 19th World Game Protection Conference, held last week at the Tropicana in Las Vegas.

In a session titled “The Human Hacker,” Christopher Hadnagy, founder and CEO of Social-Engineer, LLC an author of the book Human Hacking, said hackers are using technology to refine their ability to penetrate what he calls “human firewalls,” through cons that use AI to scam employees of a given organization.

Hadnagy commented that over the past 10 years, bad actors have used the Dark Web to refine their skills using website designed to educate each other on developing opportunities for cybercrime.

Meanwhile, he said, artificial intelligence has advanced to the point where bad actors can use a “digital mask” to successfully scam people—so-called “vishing,” or voice phishing. He noted that AI permits callers to take away accents, and imitate the voice of important executives in schemes, noting one instance where a hacker impersonated a person’s boss and convinced him to do a wire transfer of $25 million.

He also noted the recent instances in which casino cage managers were convinced their boss was telling them to deliver cash from the cage to locations outside the casino.

He said video phishing also is advancing in AI technology, and advised officials in charge of money to always second-guess and fact-check any request that is unusual. That includes text messages, now vulnerable to another AI method, “smishing,” or SMS phishing.

He said it is vital for operators to stay ahead of the game. “Two weeks ago is like 100 years ago in AI,” he said.

Hadnagy also noted the ease with which ransomware can be downloaded from the Dark Web. He said one reason the MGM ransomware attack was successful was that MGM had insufficient backup systems—a “flat network” in which all systems are bunched together.

Hadnagy described how his company is normally hired to instigate hacks of companies, to reveal where they are vulnerable and advise how to guard against cybercrime. He said it is vital that companies falling victim to attacks share information with other companies, whether or not they are competitors.

Another session at WGPC addressed vulnerabilities of casino equipment and games to hacking. In a session titled “Hacking and Rigging Casino Equipment: Not Everyone Can Do it… But Some Can,” security researcher Joseph Tartaro, a principal security consultant at IOActive, broke down the recent report on the vulnerability of casino card shufflers to hacking.

IOActive audits equipment to reveal how bad actors may compromise it to their advantage. Tartaro described his research project that revealed the vulnerabilities to hacking in the popular Deck Mate automatic shuffler. He was able to show how the shuffler could be altered by bad actors to reveal the order of the deck in a baccarat, poker or other table game, and relay that information to a player, whether or not the player is assisted by a dealer accomplice.

Tartaro revealed how easy the prep work was for the project. He said he was able to download service manuals and public patent information, and to buy an actual Deck Mate unit on eBay, and reverse-engineer the unit (actually, two—the earlier version required a crooked dealer to help; the revised version, with a camera, did not) to reveal its vulnerabilities.

The presentation, which showed how researchers reveal the methods of so-called “Black Hat” hackers, led right into the next session, titled “Call Them What You Want—They’re Con Men!” R. Paul Wilson, world-renowned magician, author of The Art of the Con and expert on the art of deception, emphasized that cybercriminals are basically con men, and the best way to battle cybercrime is to enlist those con men to reveal where a company’s vulnerabilities are.

Wilson likened this activity to “war games,” because as in the military world, companies need to simulate how an attack may proceed. “You need to talk to people who know how to attack,” he said.

Wilson also noted how rapidly the sophistication of scams and cons has accelerated with technology, from old scams like the “Jamaican switch,” where one person tricks another into thinking they need help handling a large sum of money, to advanced attacks that developed after the Covid-19 crisis, when people took their laptops home an operated them with vulnerable home Wi-Fi, to the cyberattacks that are now accelerating against resort casinos and other entertainment venues.

“The world has changed around us,” Wilson said.

As noted by Hadnagy, Wilson said one thing making the hacking problem worse is the fact that victims of hacks are reluctant to share what has happened, particularly with competitors. “Scammers count on that,” he said.

Articles by Author: Frank Legato

Frank Legato is editor of Global Gaming Business magazine. He has been writing on gaming topics since 1984, when he launched and served as editor of Casino Gaming magazine. Legato, a nationally recognized expert on slot machines, has served as editor and reporter for a variety of gaming publications, including Public Gaming, IGWB, Casino Journal, Casino Player, Strictly Slots and Atlantic City Insider. He has an B.A. in journalism and an M.A. in communications from Duquesne University in Pittsburgh, PA. He is the author of the humor book How To Win Millions Playing Slot Machines... Or Lose Trying, and a coffee table book on Atlantic City, Atlantic City: In Living Color.

**GGBNews.com is part of the Clarion Events Group of companies (Clarion). We take your privacy seriously. By registering for this newsletter we wish to use your information on the basis of our legitimate interests to keep in contact with you about other relevant events, products and services which may be of interest to you. We will only ever use the information we collect or receive about you in accordance with our Privacy Policy. You may manage your preferences or unsubscribe at any time using the link in our emails.