Stolen Biometrics & Casino Cyber Security


You can change your password – you can’t change your face.

Mass adoption of facial recognition is inevitable. Casinos across the globe are installing this technology to accomplish everything from the detection of unwanted guests, the personalization of VIP experiences, and access control to the merging of transactional data, player ratings, and existing rewards systems.

It’s a no-brainer that casinos the world over are flocking towards this technology. The ability to enhance the overall guest experience with streamlined processes directly affects the guest’s behavior and willingness to spend.


Guests are accustomed to being watched by the eye-in-the-sky as soon as they step into a casino property. Obviously, surveillance cameras in casinos are nothing new – neither are the arguments for and against facial recognition technology. However, with the inevitable adoption of this technology, the need for data security is higher than ever. It’s one thing to have your credit card and PIN information stolen while shopping at Target – it’s another thing entirely to have your entire biometric identity stolen. And, yes – it’s happened.

The secure storage of biometric information will be a critical element for security planning within the casino industry for decades to come as the potential for “bio-crime” grows. There are clear risks to individuals with identity theft and financial crime, should their facial biometrics be stolen and reproduced for spoofing.


Casinos where this technology is being deployed, sometimes on less-than-secure networks, must understand just why the personalized player identification and associated facial biometric data they hold is so valuable to cybercriminals, and must take steps to ensure they understand the security required to prevent a data breach.

I’ve written articles previously that highlighted how a Las Vegas casino’s network was penetrated when hackers found unsecured access to the internet-connected thermometer in a fish tank in the hotel’s lobby, allowing for over 10 GB of player data to be stolen and sent to Finland. However, this pales in comparison to the damage which can be done to individuals when their face is stolen.


While I am personally unaware of a biometric data theft yet occurring at a casino, it certainly has happened elsewhere. In 2015, 21.5 million people were affected by a breach of U.S. Government systems. Biometric identity data gathered over the previous 15 years was compromised. Fingerprint images linked to other biometric data and identities were among the information stolen when the U.S. Office of Personnel Management was breached.


Facial recognition compounds this problem. Corporations and individuals alike must understand that biometric data such as fingerprints and facial recognition patterns can (and will) be hacked as cybercriminals look to steal and spoof the information to gain access to other systems secured by the same information. A player at a casino who is classified as a “high roller” may have their wallet stolen, with a network password to their company ignorantly scribbled on a Post-it note on the inside, but they can always change their password. However, when that same high roller has their facial information stolen, it can lead to an unmitigated disaster, as their face was used to control access to their bank, their corporate trade secrets, and a myriad of other “secured” databases – and they can’t change their face. The information is forever compromised.

Imagine the cost to a casino when the facial data of a Fortune 500 CEO, his/her full and unchangeable identity, is stolen from the casino network, causing that CEO to be forever labeled as a security risk to their – and every other – corporation they could conceivably work for. There will be data breaches. There will be facial data stolen. There will be lawsuits. It’s just a matter of when.

The adoption of this technology is akin to nuclear proliferation. It was developed. It was deployed. It will continue to be placed into use. But when something goes wrong – it REALLY goes wrong.

This is why it’s more important now than ever before that casinos focus on hardening their network security. Penetration testing above and beyond the minimum compliance mandates is necessary. Reviews of IT best practices, and the institution of more robust protections against social engineering of employees who have access to the biometric databases, must occur in advance of, during, and routinely after the implementation and deployment of any facial recognition technology.

Engaging a company such as Link Technologies (www.linktechconsulting.com) and benefiting from their Enterprise Risk Assessments, Security Gap Analysis, Vulnerability Remediation Management, and general Cyber Security Consulting is a necessary step for casinos to ensure the sensitive data which they collect on their guests is kept from those who seek to exploit it.


While previous data breaches have exposed credit card information and personal identification of individual casino patrons, those affected could always change their accounts and passwords. They can never change their face.

Contact me today at [email protected] to discuss how we can assist in identifying the vulnerable points in your network and provide remediation services to limit exposure.