Crypto Site Hacked

10 September 2001
One of the major players in developing software for the online gaming business fell prey to a recent hacker attack, and some e-security experts feel that the incident was not an isolated attack on the industry.

Last week CryptoLogic Inc. said it experienced a "system intrusion" sometime in late August. The incident lasted only a couple of hours because the company was able to identify the attack immediately, company officials said, but not before nearly $2 million was won because games had been rigged to allow players to win more frequently.

Two games were targeted in the attack: craps and slots. The games were altered so that every roll of the dice in craps turned up doubles, and every spin on the slots generated a perfect match, the company said.

CryptoLogic spokeswoman Nancy Chan-Palmateer said the attack was focused on two different Crypto licensees and the winners were paid their amounts in full after analysis showed them to be frequent customers of the casinos. She said the attack was most likely from someone who had worked with the company in the past and was trying to give the firm a black eye in the industry.

"To the best of our knowledge, at this time it is looking like it was an individual that has had intimate knowledge of our system," she said. "This is not just someone from the general public. It would seem that the intention was not to take advantage of the winnings by playing on the other end, but rather to actually hurt the company."

It is that deduction that drives home points made last month to the Nevada Gaming Commission by leading Internet security experts, who said the online gaming sector was more susceptible to attacks from internal sources than from outside sources.

One Internet security expert told Reuters on Monday that Crypto actually got off easy with the incident, noting that many hackers in the last year have targeted the online gaming industry and have tried to extort even more money once the system was invaded.

"No one is going to say it has happened, because that's bad for business. But there is anecdotal evidence," said Steve Donoughue, managing director of The Gambling Consultancy in London.

Neil Barrett, technical director for London-based Information Risk Management, said his firm has seen an increase in business from the online gaming sector as more and more operators are the targets of hacker attacks.

"It's become one of the most common fraud scams," he said.

Many Internet attacks have originated in Eastern Europe and Russia, and Barrett and Donoughue agree that the trend has carried over to online gaming, with many sites targeted by hackers in that region.

"I've seen well-engineered hack attacks coordinated with very well-engineered extortion attacks coming from Leningrad," Barrett said.

Crypto, though, said it is still investigating the actual root of its attack and has confirmed only that someone who had privileged information probably did it.

The company now turns its focus to damage control, something that Chan-Palmateer said was done right off the bat.

"From the point of the initial detection to the point that we disabled the accounts, it was a matter of hours," she said. "We had an alarm and our security escalations procedure engaged promptly, and we started to narrow it down. We were then able to see that there were some abnormal occurrences of winnings and identify those affected players and accounts. Then we were able to disable them and discuss the situation with the licensees."

Crypto's ability to spot an attack as soon as possible helped to lessen the severity of the problem, according to Chan-Palmateer. She said no system can truly be hacker-proof, but being able to recognize an attack quickly should be a focus of all system providers.

"The distinction here is not guaranteeing 100 percent, because that is not realistic," she said. "Rather it is how quickly you can mitigate against these attacks to ensure the highest safety to players' concerns."

Like any software company, Crypto is subject to public attacks, said Chan-Palmateer, but being in the business of gaming leaves the system open to even more attacks. She said if governments moved toward more regulation within the industry, hacker attacks would decrease.

"Particularly in gaming, one thing that we have always advocated is a move toward regulatory compliance," she said. "It isn't just us saying and thinking that we have put the proper measures in place, it's also subjecting ourselves to independent third party testing. For others to come to us and say, 'Here are other ways you can enhance your system,' is something that we always seek."

Like the message that was delivered recently in Las Vegas, Chan-Palmateer said other software companies should never get lackadaisical in their approach to security.

"One of the main priorities is to pay the utmost attention to the security of your systems," she said. "It is an ongoing process and you should never let up because you do need to stay one step ahead."

Internet fraud has hit every sector of online commerce, from banking to shopping sites. But casinos are considered a ripe target for hackers, who are enticed by the large number of casinos still operated in poorly policed jurisdictions such as the Caribbean and by the large number of wagers they handle.

CryptoLogic is liable for $600,000 of the misappropriated winnings, as a $1.3 million insurance claim will cover the remainder.

Chan-Palmateer said paying out the winnings was the only option in the minds of the company and the operators.

"We believe that supports and is in compliance with regulatory practices," she said. "We stood by our licensees' agreement to do that."

The attack is the first intrusion against Crypto, and Chan-Palmateer is confident it will be the last. She said the company started immediately to change policies and increase procedures to cut back on the chances of a similar attack happening again.

The main goal of the company in the near future, other than taking the proper steps to find the actual person responsible for the attack, is to cut the response time down on any future attempts.

"The intention is to take that from a matter of hours, which is still a rather quick time frame, to a matter of minutes," she said. "We looked at ways in which we could restrict access even further immediately. It will make things tighter, and from a production point of view a longer process, but from a safety point of view that is the tradeoff."




Nobody knows where Kevin Smith came from. He simply showed up one day and started writing articles for IGN. We liked him, so we decided to keep him. We think you'll like him too. Kevin can be reached at kevin@igamingnews.com.