Fool Me Once…… Buddy Frank, CDC Gaming Reports · April 1, 2019 at 11:15 am Early last month, the World Game Protection Conference (WGPC) held their annual expo and meetings at the M Resort in Las Vegas. The conference was dedicated to helping casinos detect and deter fraud and cheating. At about the same time, the RSA Conference in San Francisco was focused on cybersecurity threats and solutions. This June, the Gartner Group will be meeting in National Harbor, MD to hit many of those same topics. Likewise, the Black Hat Conference Series will take place in Las Vegas in August to again discuss security research and technical training. There are at least three dozen annual conferences held in the US that focus on things like bodyguard training, counterterrorism, and surveillance, not to mention a like number conducted worldwide. Some of the oldest sayings still seem the most relevant. It may have been a Chinese proverb initially, but this gem first made the printed page in 1651: “Fool me once, shame on you; fool me twice, shame on me.” In other words, learn from one’s mistakes and avoid being tricked again in the same way. The conferences mentioned above, especially the WGPC, are a great way to learn how others were first fooled at their casino. The commonality for all the events cited above is that sharing is a major key to protection. Learning from past scams, and sharing what’s been learned about them, is a vital step toward preventing future ones. I encourage you all to have representation at one or more of these conferences as your time and travel budgets allow. But you don’t always need to formalize this process at conferences and seminars. Creating your own smaller networks can be equally powerful. Your equipment vendors are excellent sources of information about vulnerabilities, especially if the problem is with a competitor’s product. Do you want to know if counterfeit bills are making the rounds? No one knows them better that the folks who make bill validators. Hopefully you’ve developed some strong relationships with your reps from JCM and MEI/Cash Code. With slot machines, most vendors also self-report in the form of Customer Notifications (CNs) or Technical Bulletins. Over the years, it has become common knowledge that if a CN says “Mandatory,” it’s almost always because some scammer found a weakness in that machine or sub-assembly. It should be standard practice that such notifications are read and, most importantly, acted upon immediately. Have you checked recently to make sure that is consistently happening? Perhaps the best step you can take is to share with your competitive peers. Most slot executives attend multiple vendor or industry events each year where they socialize with their regional competitors. Do you make it a point at these gatherings to bring up the topics of theft and scams? You should. Countless times, we were able to implement a change that protected our casino based on information shared by a colleague down the street or across the country. With that as background, I’d like to share just four of the hundreds of scams and attempted scams that I’ve encountered in my career that still seem relevant today in providing lessons for the future: – Check Your System Before his death in 2010, Dennis Nikrasch was in the Nevada Black Book, the state’s List of Excluded Persons & Most Wanted. He earned that honor by stealing over $15 million from Las Vegas casinos from the 1980s through the 90s. I was working in Reno at the time, luckily, but I was able to consult with the FBI on his last, and boldest, scam. Dennis Nikrasch Nikrasch began working with New York organized crime families as a skilled locksmith with expertise in breaking into homes and cars. Those activities eventually landed him in jail for 10 years. Upon his release, he didn’t stay clean for long, landing another five-year sentence by using his lock picking skills on various slot machines in Nevada. By the time of his second release in 1991, he noticed that slot machines had changed drastically. They were more computerized and less mechanical, which required a whole different approach – one that still involved a bit of locksmithing. His master plan took shape in the fall of 1996, and over the next year his team hit casinos over 10 times for major jackpots and expensive cars. Most reported stories about this incident don’t detail exactly how this worked, but, taking a little literary license, here’s the con: Most casinos at the time secured a game’s EPROMs (the chips with the game’s program) with a special tape seal that prevented them from being manipulated. If tweekers tried to remove the chips to replace or re-program, the tape seal would indicate tampering. Therefore, regulators always checked these seals, and their numbers, before declaring a legitimate jackpot. Often, they would also break the seal themselves, remove the chip, and run a simple checksum electronic verification test to see if the chip was valid. On all of Nikrasch’s phony jackpots, the tape seal was intact and the chips tested good. They did it by using his (and his team’s) locksmith skills. They opened the main door, turned off the power, removed the motherboard – where the sealed chips were installed – and plugged their own computer into the board’s main bus (which connects the motherboard to the slot machine). This allowed one of Nikrasch’s team to reprogram the EPROMs without removing them. They also made sure that the now-phony chip had a new, correct, checksum. They then replaced the motherboard and, surprise, hit the jackpot. After his arrest, investigators raiding his residence found several slot machines, microchips, and other tools that Nikrasch had used to study and practice his craft. They also learned he was getting ready to hit a $17M Megabucks machine just before the bust. Nikrasch was caught, finally, when one of his disgruntled teammates turned him in (“dropping a dime” on confederates is perhaps the most common downfall of casino crooks.) But the casinos could, and should, have caught him sooner themselves. The industry made several changes after this scam was unearthed. Today, most motherboards are locked in their own metal box to reduce access to the chips and the main bus. Nikrasch was good enough that he might have defeated this second lock, too. The biggest mistake is that operators didn’t check the basic system event logs before making payouts. By performing this simple step, you would see the following sequence (or something pretty close): “illegal door open; power off; power on; door closed; jackpot.” You’d hope no one would quickly pay a large jackpot with this history of events. Do you have a procedure in place to check your event logs before making any large payout? It only takes a minute or two. – Greed Is Good (for us) Harris’ mug shot If you worked for the Nevada Gaming Control Board in the mid-to-late 1990s, there was a name that was hardly ever mentioned. Like Voldemort in the Harry Potter novels, the name Ron Harris was almost forbidden in Reno, Las Vegas and Carson City. Not because anyone at the NGCB was scared, but because they were embarrassed and somewhat humiliated: Harris was not only one of the most talented slot crooks of all time, he was also an employee of the Control Board, tasked with catching other cheaters (and he was very good at it.) You’ll find lots of talk on the internet about the 1995 keno game incident at Bally’s in Atlantic City. Harris and his partner, Reid McNeal, were caught after they set up a $100,000 Keno jackpot. I’ll let you do you own research on that incident. Before he hit the east coast, though, Harris launched an almost-perfect scam in Reno and Las Vegas. Like Nikrasch, he reprogrammed EPROM chips, but in a much more sophisticated manner. Embarrassingly, he used good guys to do his bad work: I learned this one the hard way, as I was the slot director at Fitzgeralds in Reno where he rigged one of our $1 games. You can learn more about Harris’ work in Jeff Burbank’s excellent 2005 book, License to Steal. There’s also a DVD available from the History Channel called Slot Buster that’s not bad, either, but does change a few names. Here’s my version of Harris’ crime: During this time, Nevada Gaming Control agents frequently audited the state’s casinos and did spot checks of the EPROM chips in our machines to make sure they were legitimate. Completely unbeknownst to the agents doing this work, Harris – who was in charge of most of the computers and software work at NGCBs lab – had rigged their field laptop computers. Instead of reading the chips and compare them to the manufacturers’ master software to make sure they hadn’t been altered, Harris reprogrammed the laptops to automatically overwrite new code onto the chips. Once these innocent agents had unknowingly planted the bogus software, Harris’ associates, including his ex-wife, could play the games with a certain pattern of Coin In bets (for example, one coin, then two, then one, then three, then three again, etc.) Once the game recognized the unique pattern, it would hit a jackpot. At Fitzgeralds Reno, those were $9,000 each, and Harris’ team hit lots of them. When the chips were checked, either by us or gaming control, they of course looked fine: our tests looked only at simple checksums, which Harris faked, and the Gaming Control Board’s much more extensive exams were conducted on laptops that had all been rigged by Harris. Why didn’t these phony jackpots start to show up on our monthly loser lists? Because Ron Harris was brilliant. His new program directed the machine to overhold dramatically. The coin pattern wouldn’t work until the hold built up. Once it had accumulated enough, the jackpot would hit on command. Therefore, the reports showed the machine was performing correctly. It was our players who were being cheated. How did we catch this? The short answer is that we didn’t. After Harris was busted in New Jersey, agents seized his equipment and discovered what he’d done, and, in time, eventually worked out which machines had been rigged. Could something like this happen today? Maybe, maybe not. The biggest change after Harris’ scam was discovered was that the laptops NGCB agents use now cannot write new code onto the chips; they can only read them. Smaller regulatory and tribal agents don’t have the master software, and therefore they only use simple checksum readers. If your team is using laptop computers, hopefully they, too, can only read. Thankfully, it was the simple, common criminal mistake of greed and wanting to go bigger that saved us in this case: that, and some good fortune from New Jersey’s Keno game. – Threshold Reports Pellegrini Perhaps the most prevalent crime today are variations of free play and ticketing schemes. I wrote about the subject in a longer piece last August. Here’s an excerpt: “due to an obscure bug in the software (of an ETG roulette game at my casino), a married couple inadvertently discovered that by using a pattern of downloading credits and well-timed betting, they could receive free play that would not be subtracted from their system account balance… They tried to hide their crime by cashing out often to prevent large hand pays, and then washing these small tickets through several other machines to confuse the audit trail… The amount of this fraud was thousands of dollars.” Here’s another excerpt that may seem unrelated that occurred at Mohegan Sun Poconos: “Before they were busted, this team hit the casino for $478,350 in free play, which they converted to $418,793 in cash, from May 2014 to April 2015. Perhaps most surprising was that one of the perpetrators was Robert Pellegrini, a VP-level executive in charge of Player Development. The operation involved a cocktail waitress who… passed info to Pellegrini, who then created duplicate loyalty cards and loaded them with credits. A male working with them would then gamble the free play, and they’d split any profits. Unfortunately for them, there was also a little love triangle element involved with the waitress, the customer and a non-participating dealer. The dealer spilled the beans to regulators. Pellegrini was sentenced to 32 months in prison last June, the cocktail waitress pled guilty with a plea agreement and $2k in fines, and the customer went to jail for 18 months on money laundering… the casino was fined $1 million by Pennsylvania regulators.” What ties these two stories together is free play. The solution is not difficult: you, or your IT team, need to create a set of threshold reports, which run automatically to let you know if any predetermined limits are hit. Areas of concentration would include: any machine redeeming or issuing too much free play; any host or clerk issuing too much free play; any player redeeming too much free play; anyone changing too many player passwords, etc. Your limits are determined by looking at past averages, and these can be changed over time if machines, or policies, evolve. These reports can, and will, give a few false positives, but those can easily be checked. Note that this simple action won’t stop fraud, but it will give you a chance to catch it before it causes serious damage. – Sharing I began this story talking about the importance of sharing, so I’ll end it with some examples of sharing. It is also the story of a specific type of fraud that occurred at both the beginning and the end of my slot ops career: cracking the Random Number Generator (RNG). My first stint as a slot director was at the former Nevada Club in downtown Reno. It was one of the few casinos that still had a large selection of the old Jennings mechanical slot machines. When our reports showed there was something wrong with a few games, an old-timer showed me how the RNG could be rigged to make a payout. Those early machines used a fan clock as a random timer, or RNG. The clock was spring-wound by the customer’s handle pull, causing the fan to spin freely, influenced only by barometric pressure, humidity, air density, and the handmade holes or bends in the shape of the fan. When the spring ran down, it would “randomly” trigger the machine to stop the reels and look for any pays. However, a crooked slot mechanic could open the main door, pull the handle, and place an ice cube in the path of the fan, so it wouldn’t spin. He could then set the reels to a winning combination and re-lock the door. His partner in crime would play the machines on both sides, waiting for the ice cube to melt; once it did, the fan clock would spin. Since the reels were already lined up, it seemed like a legitimate jackpot. Everything looked good to the spotters behind the old two-way mirrors because no one had been in the machine for quite a while. The only overlooked clue was the small puddle of water at the bottom of the game. The fix was to first go to electronic RNGs and then, later, a feature called “last game recall,” which showed the correct reel positions regardless of where anyone moved or manipulated them. Today’s electronic RNGs are so good, no one can cheat them. At least, that’s what most of us thought. Here’s where more sharing comes in. At Pechanga Resort & Casino in Southern California, we got a call from Darrin Hoke, a top surveillance expert now working in Lake Charles, LA. I had met him years earlier in Reno while I was teaching at the university there. He told us there was something strange going on with some Russians at their casino. When they ran various background checks, they saw that some of these guys had financial transactions at a motel in Temecula, CA a few weeks earlier, where Pechanga was located. We immediately checked our stored surveillance videos and spotted two of these folks. They had hit a few jackpots that were reportable ($1,200 and greater), and therefore we confirmed their ID information. Later, we learned that hitting these jackpots was not their intent and was an “unlucky” accident. Since we didn’t know about them in advance, most of our camera coverage consisted of wide shots, so we couldn’t determine exactly what they were doing. We could, however, see that they always had one hand moving around in their pants pocket, and that the machine lights were flashing more than normal – indicating bonuses, but not jackpots. We had been studying the videos for about three days when Surveillance alerted us that one of them was back and currently playing a machine. This time, we got excellent closeup video, from multiple angles, and immediately called the California Department of Justice to make an arrest. Two cell phones were found on his person, and law enforcement later discovered a large amount of cash and a lot more cell phones in the trunk of his car. We turned over our evidence and the machine to Aristocrat, GLI and the FBI. It turned out that a large Russian gang had broken the timing routine of the RNG on several game themes running on older Aristocrat Mark VI cabinets. They had used the cell phones to indicate when to play. We were not the only ones hit, but we did make the first arrest; other arrests followed in Missouri, Illinois and Singapore. This crew hit major gaming corporations, Native American casinos, and small-to-large operations across the US. Their run had begun in Europe years earlier, where they were also hitting older Atronic and Novomatic cabinets. Brendan Koerner of Wired magazine has done an excellent job of reporting on this scam, even scoring an exclusive interview with Alex, the purported head of the gang. I highly recommend reading his Wired article if you get a chance. For us, finding this scam would have been difficult if Hoke hadn’t shared his intelligence. We, in turn, shared our experience to help others. To repeat: it is critical that you talk with your peers, share details, stay informed, and constantly remain skeptical about anything unusual. Ask questions. Ask lots of them. Bruce Lee once said that a wise man can learn more from a foolish question than a fool can learn from a wise answer. We can all become wiser by asking questions and seeking advice from those who were once fooled.