An embezzlement scheme at sports-betting company William Hill outlined last week by Nevada Gaming Control Board investigators shows how insider threats are a problem for the gaming industry.
The topic of insider threats is a focus of the World Game Protection Conference taking place at the Tropicana Las Vegas March 7-9. Registration is under way.
In the William Hill scheme, employees are alleged to have altered sports-betting kiosks to redeem vouchers for cash. More than $300,000 was stolen.
The speakers at this year’s conference include Shawnee Delaney, a former clandestine officer with the Defense Intelligence Agency who conducted intelligence operations throughout the world and served in Iraq and Afghanistan. Another speaker will be Terry Rich, former CEO of the Iowa lottery, which uncovered the largest lottery fraud in U.S. history for a $16.5 million ticket involving a rogue IT security director of the Multi-State Lottery Association. He was convicted of rigging the computer system.
“The way I look at the insider-threat problem is that it’s a human problem,” Delaney said. “Everyone thinks it’s a cyber issue, but it’s not. Humans have to click on the ransomware link or commit fraud. Humans sometimes leverage cyber means. I’m going to educate the audience to look at the human vector, like I did as a clandestine- services officer.”
To recruit vulnerable insiders, Delaney used the same steps organized-criminal groups and malicious actors employ. In the gaming industry, fraud is one of their biggest concerns, but there are other vulnerabilities, such as targeting well-known people. Even state-sponsored actors can target people by using information gleaned about them.
“Casinos serve a lot of high rollers and VIPs and a lot of malicious actors want to get their data or whereabouts,” Delaney said.
Many casinos have neither the proper training nor employee-engagement and awareness programs where employees are taught what to recognize and how to respond to the threat vectors and red-flag indicators, Delaney said.
“I think there’s still a cultural issue, where people don’t want to be seen as a narc or tattletale,” Delaney said. “A lot of casino employees think, that can’t happen to me. I don’t have access to anything sensitive. I’m just a dealer or a floor manager. They don’t recognize that it takes someone like me to start putting little pieces together from multiple people in the organization and each piece puts that puzzle together easily.”
Delaney said casino executives might acknowledge the potential threats to VIPs, but since it hasn’t happened, they don’t give it a high priority. The problem is it takes only once for it to devastate a business.
“If it got out that at x casino, employees were leaking information about the whereabouts, habits, and personal identifiable information of the VIP clients, that news would get out fast and they’d lose all VIP clients. Public blowback is very real. Look at social media nowadays.”
By making sure their enterprise is up to speed in recognizing and taking steps to thwart these threats ahead of time, organizations can get a return on investment.
The lottery fraud was against a 15-state game, Hot Lotto, in 2010, perpetrated via a random generator number spit out by a computer, rather than balls in a machine that people can watch on television.
Terry Rich said the focus is generally on threats from the outside, but “anytime you’re doing something with money and don’t have the proper checks and balances, you’re ripe for fraud. People get tempted to do something internally. If one person has all the keys to the kingdom, you may be in trouble as an organization.”
The lottery fraud that occurred under his watch caught them off guard, Rich said. The checks, balances, and security features put in place, however, helped catch it.
“Most people don’t realize that 40% of all internal fraud is found by employees and vendor and anonymous tips,” Rich said. “Only 4% to 5% of internal fraud is found by auditors. It’s key to have a tip hotline and let people know how to turn someone in.”
Rich is convinced that if they hadn’t busted the lotto fraud, it would still be going on in the industry.
“It’s not just a computer that can cause fraud. There’s been fraud with balls in Pennsylvania and Milan (Italy). But of the millions of drawings each year, the number of cases is really small,” Rich said. “And it’s not just in the gambling world, but with churches and school districts. Somebody is going to try a way to beat it. That’s the importance of checks and balances, plus accountants, auditors, and security folks doing their work.”
Those dealing with fraud need to ask themselves how they should handle it as an organization. It’s important to show people that you’re out there looking and willing to prosecute and publicize it, Rich said.
“The entire time that we were saying we had a problem, but were doing everything we could to make this game fair and honest, we had an increase in sales,” Rich said.
