So, we have given some thought to policy and procedure. This is important, because good policy and procedure will enable a casino organization to deter a lot of potential crime and will give them the best chance possible to speedily detect those individuals who, for whatever reason, cannot, or will not, be deterred.
But even the best policies and procedures do not mean that a casino operation can rest on its laurels. Rather the opposite: they could be thought of as a foundation upon which the entire edifice of practical security, surveillance, and revenue and game protection can be built. Once policies and procedures are in place that all of the required stakeholders agree with, and have confidence in, the next step in securing any particular casino operation would be considering what I like to call threat vectors.
Threat vectors are methodologies that can be used, either from without or from within, to compromise the safety of elements of the casino operation in some way. The aim, of course, as with all of the facts that I am going to address, is that “someone has to get paid”. In practical terms, this means that someone has to be able to obtain funds, from whatever source, and then they have to be able to translate these fraudulently obtained, or simply stolen, funds into cash.
This is the most important piece to develop. If you want to commit fraud, if you want to steal, in the end the aim is that you want to get the cash. Sooner or later, no matter how sophisticated, or simple, any scheme may be, the end result of it can always be known: you have to get the money.
Therefore threat vectors should be examined and understood for all areas of the operation by rigorous and non-partisan risk analysis. Wherever possible, Managers of the departments affected should not be involved in the risk analysis process, as they may bring institutionalised “blind spots” to their approach and may not question all of their own procedures as much as they should to ensure that they are fit for purpose.
Threat vectors are basically the methods of exploiting vulnerabilities in any area of the Operation. They need not be specific methods that have worked in the past, but these can be used as templates for what can be done and for what needs to be changed to close off this vector.
A threat vector is therefore something of a generic vulnerability that can have several specific means to exploit it but where, when it is closed off, all the specific exploits are stymied too.
Threat vectors typically surround:
- Cash handling. When is it handled? How is it handled? Where is it counted? Where is it collected, or stored?
- Specific Table games. How are they dealt? How are they supervised or inspected?
- Card/Dice/Roulette ball stock control. How are gaming implements kept secure? Under what circumstances are they accessed? By whom?
- Equipment control, with much the same provisos as above.
- Stadium and electronic gaming tables. Are the risks understood? The placing of “problem children” on the live games? Overseen by the Table Games or Slots department?
- Slot machines. TITO controlled by whom? From where? Testing TITO procedures? Game configuration? Part repair and replacement?
External Threat Vectors
To a large degree external threats are the easiest ones to deal with. External threats come in the shape of cheat teams, individual, or even team, card counters and the like. They are not staff members of the Casino Operation and all of their schemes are limited for this reason. All of the Casino can be vigilant against them.
External threat vectors can, generally speaking, be identified, and policies and procedures as well as physical security measures can be implemented to mitigate them.
External threat vectors should certainly be understood, but detection often hinges upon types of behaviour. There are only a certain number of ways that their planned schemes can be performed, so the aim should be to look for these.
For example: Roulette cheat teams specialising in “past-post” moves, where bets are placed after the winning number is known, are a well-known threat (in addition, a number of the actual people involved in this activity have been identified over the years and these identities, plus aliases, plus mug-shots, are widely available). Whatever the relative skill level of the individuals involved, they are still limited by their techniques relying upon the pay outs accepted by the Casino operation (via minimum and maximum bets), and the fraud cannot be perpetrated for long periods of time, simply because the risk of exposure goes up the longer things go on.
In such situations Gaming staff should always be encouraged to report things that they encounter that just “don’t seem right”. Often table game staff have an inkling that something is wrong, even if they are not sure exactly what, and reporting this can allow additional resources, via inspection or surveillance, to be deployed. Also, no matter the relative sophistication of the move, the end result is always the same: additional gaming chips have to be placed somewhere where they can be paid out.
Internal Threat Vectors
Internal threat vectors are more pernicious from an operational standpoint. They can be purely internal, an example here would be staff theft, or they may operate with an external element, an example of this would be a dealer and a player-agent acting with them. Again, where the behaviour is purely internal, policies and procedures should have been designed to prevent the sorts of behaviours that make it possible. Where they have not been, then, when such an internal scheme is detected and stopped, a “post-mortem” of it should be conducted to determine what lessons can be learned and what loopholes need to be closed.
In addition, the best methods to control these threats, prior to their becoming real problems, would be to enforce separation of powers and limit access to funds.
For example, if you have a safe full of spare, or reserve, gaming cash chips then you should limit who has access to the safe. But to increase security you could have the person with the key and combination to the safe not have access to the room containing the safe; then you can have the person with access to the room not have access to the keys to the safe. In this case you now have two people who would have to be involved in any potential criminal exercise, and the larger the circle of persons involved the less secure any scheme will be.
Now, obviously, this will not always be possible. There was a case when I was fairly young and green in the field of Surveillance where a casino dealer was caught palming cash value chips on Roulette and then placing them in his mouth before, later, transferring them to shorts with pockets that he was wearing beneath his uniform trousers. Clearly it would not be possible to limit his access to the cash chips in his gaming float, how else could he do his job? But, enforcement of “cleaning hands” after touching the cash chip float as well as better tracking of higher denomination cash chips and a more considered approach to the hourly “win/loss” report for the table would have uncovered his crime sooner than it was.
More worrying than the situations outlined above, however, are the cases where collusion is involved and Staff Members and Player Agents work together to circumvent security measures and policies. This sort of scheme, exemplified by scams as simple as deliberately overrating their friends and family, is traditionally very difficult to detect.
For example, I worked an operation once where a staff member was detected simply paying the Baccarat bets of his player agent whether these bets won or lost. While simple in the extreme, this fraud was surprisingly difficult to “see”; by this I mean to see and to recognise for what it was. People expect to see bets paid on gaming tables and this was what was seen in this case too, only the pay outs were not connected, in the minds of several observers, with what the game result actually was.
Indeed the fraud was finally uncovered during a routine check of winning “Bank 6” occasions on a non-commission baccarat game the dealer happened to be perpetrating it against. His player agent was betting “Player”, but was being paid. The surveillance operator who detected it was specifically looking to see if “Bank” bets were being paid 50% of their value, as they should have been, not 100%; therefore paying Player bets stood out as unexpected. The perception filter that cloaked and camouflaged earlier behaviours was stripped away.
Again there are some behavioural tells here that can be used to good effect to detect these types of activities. Clearly, in the example above the fraud was only really practicable when the dealer and player agent were alone on the table together. Additional patrons would spoil things, and might report what was going on. This sort of pairing is, actually, fairly standard across a number of these sorts of scams.
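The Baccarat case above can be turned into a repeatable review check. The following is an added example, not part of the original article: it assumes hand-level records in a constructed, hypothetical format (field names and sample rows are invented for illustration), compares each payout with the game result under non-commission rules, and then picks out dealer and patron pairs whose mismatches happen while they are alone on the table.

```python
from collections import Counter

# Constructed sample records (hypothetical format): one row per settled bet.
# net_paid is what the dealer actually did: +amount paid, -stake taken, 0 push.
HANDS = [
    {"hand": 1, "dealer": "D1", "patron": "P7", "side": "player", "stake": 100,
     "winner": "player", "bank_total": 4, "net_paid": 100, "seated": 3},
    {"hand": 2, "dealer": "D1", "patron": "P9", "side": "bank", "stake": 200,
     "winner": "bank", "bank_total": 6, "net_paid": 100, "seated": 3},
    {"hand": 3, "dealer": "D2", "patron": "P4", "side": "player", "stake": 100,
     "winner": "bank", "bank_total": 6, "net_paid": 100, "seated": 1},
    {"hand": 4, "dealer": "D2", "patron": "P4", "side": "player", "stake": 100,
     "winner": "bank", "bank_total": 7, "net_paid": 100, "seated": 1},
    {"hand": 5, "dealer": "D2", "patron": "P4", "side": "player", "stake": 100,
     "winner": "player", "bank_total": 3, "net_paid": 100, "seated": 1},
    {"hand": 6, "dealer": "D3", "patron": "P2", "side": "bank", "stake": 200,
     "winner": "bank", "bank_total": 6, "net_paid": 200, "seated": 2},
]

def expected_net(bet):
    """Correct settlement of a Player/Bank bet on non-commission baccarat."""
    if bet["winner"] == "tie":
        return 0                      # Player and Bank bets push on a tie
    if bet["side"] != bet["winner"]:
        return -bet["stake"]          # losing bet is collected
    if bet["side"] == "bank" and bet["bank_total"] == 6:
        return bet["stake"] * 0.5     # winning Bank 6 pays 50% of the bet
    return bet["stake"]               # every other winner pays even money

def audit(hands):
    """Return (hand, dealer, patron, expected, paid) for every mis-settled bet."""
    return [(h["hand"], h["dealer"], h["patron"], expected_net(h), h["net_paid"])
            for h in hands if h["net_paid"] != expected_net(h)]

def repeat_heads_up_pairs(hands, minimum=2):
    """Dealer/patron pairs with repeated mismatches while alone on the table."""
    alone = {h["hand"] for h in hands if h["seated"] == 1}
    pairs = Counter((d, p) for hand, d, p, _, _ in audit(hands) if hand in alone)
    return sorted(pair for pair, n in pairs.items() if n >= minimum)

if __name__ == "__main__":
    for finding in audit(HANDS):
        print("mismatch:", finding)
    print("review first:", repeat_heads_up_pairs(HANDS))
```

A single mismatch, such as the overpaid Bank 6 on hand 6, may be an honest dealing error; the repeated heads-up pairing is what separates a pattern from a mistake.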
Some thoughts on “Problem children”
Problem children are the type of gaming staff who are, for whatever reason, generally disliked by Management and, perhaps especially, Pit Bosses. The end result of this is that such staff members can be “relegated” to dealing on empty tables to Stadium game patrons, often completely without, or with only minimum, supervision. The belief is “well, the games are electronic so there is no threat…”, but this is fundamentally incorrect: the pay outs are electronic and thus they will be accurate, but the human element can control the result of the game.
This could be as easy as, on a game of roulette, simply catching the ball following the spin and placing it in the desired winning number. Or as relatively complex, on Baccarat, as collecting the cards in such a way that the result of the winning coup is preserved and then simply not shuffling the cards, so that a winning sequence can be recorded and “played back”.
Where “problem children” exist, care should always be taken on where they are assigned and for what reason. If they are disaffected anyway then they are more likely to try to perpetrate fraud, or theft, rather than less.
Some final thoughts
Whenever conducting some form of analysis into the various routes threats to the business can take, I find it helpful to work backward from the end result. This is, usually, a method to make money. Once you have identified that money needs to be made, then what physical assets, or goods or services, can be diverted to obtain this end? Then what policies and procedures do I have in place to prevent this activity, and what would it look like if someone was acting to circumvent these defences?
Such a step-by-step approach can help to uncover a number of potential threats and can even suggest ways to close some of the most common security loopholes.