FlashbackBy Larry Barrett, Sean Gallagher | Posted 2004-04-04 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
The lure of quick scores has made Las Vegas the most vigilant and diligent user of advanced surveillance, identification, background-checking and security technologies. If domestic security were prosecuted as aggressively as casino security, the terroris
: Summer of 2001">
Flashback: Summer of 2001
The Econo Lodge motel on Las Vegas Boulevard where Atta stayed is a short walk from both the Stratosphere Casino Hotel & Tower, the tallest building west of the Mississippi River, and the FBI's Las Vegas headquarters. Perhaps more significantly, his motel room was also seven miles north of the headquarters of Systems Research and Development Inc. (SRD).
SRD makes software that casinos have used since 1994 to spot "non-obvious" relationships within mountains of data collected on individuals. The Department of Homeland Security and other federal agencies now use the software to pursue known and suspected terrorists.
According to SRD chief executive officer Jeff Jonas, if those agencies had been working with the private sector—read: "Las Vegas casinos"—three years ago, chances would be much higher that Atta would have been arrested or detained in Las Vegas, perhaps even in his Econo Lodge room. Atta, after all, was traveling with an expired tourist visa and, according to the State Department, was already on its list of suspected or known terrorists.
A simple query of his passport, visa, driver's license or credit card against State Department or FBI databases would have resulted in a match.
This initial match would have alerted the FBI, CIA and Las Vegas police that a known or suspected terrorist was in Las Vegas. From there, SRD's software would have begun churning through billions of lines of code in multiple databases, including telephone directories, rental-car records and airline reservations, as well as the State Department's suspected-terrorist list and the list of expired visas maintained by what was then called the Immigration and Naturalization Service, to create an immediate, up-to-the-moment profile of Atta, his whereabouts and his activities.
The software also would have sent out warnings. Even something as simple as a clear image of Atta's face distributed to local law enforcement throughout the country might have been enough to save more than 3,000 lives.
The software would also make connections, on its own. Anyone who ever listed a similar address, name or phone number to Atta—even anyone who had ever used "Mohamed Atta" or any similar spelling as an identity—would have been red-flagged by the software and then subsequent checks of private and public databases would have been initiated for those people. The links also are likely to have discovered, for instance, that Atta and Jarrah had visited a cybercafé near the University of Nevada in Las Vegas at the same time on the same date.
As DHS and other federal and international authorities struggle to find elusive details that connect otherwise innocuous transactions and events to known threats, Las Vegas casinos identify these links every day.
Had Atta, for instance, driven a rental car into the parking lot at any major casino that August evening, the license plate would have been photographed by digital cameras at the entrance and compared to a database provided by federal and local law enforcement looking for that specific vehicle. Had he arrived by taxi at the front valet entrance, another camera would have recorded an image of the taxi's license plate, number and company.
If he had arrived on foot, he would have been caught on video well before he even entered the main casino. Once inside the casino, he would have been photographed continuously in every location inside the casino except for an individual guest room or a bathroom. But the casino would have date- and time-stamped images of him entering and leaving either of those places.
In addition, a digital image of his face would have been captured and compared to a database of undesirables such as known card counters (known as "advantage players"), those with a proclivity for illegally manipulating slot machines, dice and cards as well as those known for stealing from casinos, guests and the public. If there was a match, he would have been detained by casino security in less than two minutes.
Casino security chiefs such as the Venetian's Dave Shepherd say threats— including potential terrorists— can come in either gender, any age and any nationality. Meaning: All individuals must get equal scrutiny. Casino personnel are trained to pay attention to and question those who fit the typical terrorist profile, such as Middle Eastern origin, whenever the nation's alert status is elevated. Yet now, each casino also regularly checks bags, laptops and parcels with X-rays and bomb- sniffing dogs. Bellhops ask people who are dropping off bags for their names and what hotel they're staying at.
Though gambling is frowned upon in the Muslim community, it's possible Atta might have indulged anyway. Any game-playing would have been captured on surveillance cameras. Had he purchased or cashed in more than $1,000 in chips at any time, he would have been subjected to a clandestine investigation designed to catch money launderers. In either scenario, Atta would have been required to produce two pieces of identification that would have been added to a running dossier managed by hotel security.
Had he been enthusiastic enough to get himself a casino's equivalent of a frequent-flyer account, known as a Player Card, his activities at the tables and the times he was there would have been recorded in great detail. In effect, a step-by-step journal of his movements would have been kept.
While it may be unlikely Atta or any other terrorists visiting Vegas would have bothered with a Player's Card, FBI investigations into the 9/11 attacks revealed that at least two of the 19 terrorists used a frequent-flyer number when booking their flights for the morning of September 11, 2001.
But avoiding use of a Player's Card doesn't mean a player avoids detection. If even an amateur gambler wins more than $600 on a one-armed bandit—the traditional type of slot machine—that person has to produce two legitimate forms of identification before receiving the payout.
Even out of luck is not out of sight. If Atta had ordered a gin-and-tonic from a cocktail waitress, that information would be available to investigators. Had he sauntered over to a restaurant for a bite to eat, details on the purchase of food would be available. If he tipped, the amount would be known. If he used cash, the serial number of the bill would be recorded.
Inside the room, the time, number dialed and duration of every phone call is automatically recorded for billing purposes. Even "free" local calls are noted. Room-service orders and movie choices also are noted, through the billing system.
All pretty innocent? Consider this: Today, if another Atta were to check into the Bellagio, both casino and federal officials would know instantly if he arrived, for example, in a white 2003 Ford Escort with Nevada license-plate number THF456 rented from Hertz and parked it in the main lot on the third floor at 11:22 p.m. They would know if he checked a black duffel bag at the front desk at 11:30 p.m. under the name "Hakim."
They would know if he spent 17 minutes on the gaming floor and if he lost $7.50 in quarters at slot machine number 1845. They'd know he used Elevator 2 at 11:47 p.m. to get to the 19th floor where he twice failed to properly insert his key card into the door of room 19-257.
They'd know he made local phone calls at 12:06 a.m. and 12:09 a.m., respectively, to the Olympic Gardens and Glitter Gulch strip clubs, and that he made an international long-distance call at 12:14 a.m. to Munich that lasted 27 minutes. They could see he left at 1:05 a.m. wearing the same blue polo shirt and khaki slacks and used Elevator 2 to return to the casino floor. And that he walked directly to the taxi stand, where he departed at 1:11 a.m. Without his black duffel bag.
Casinos spare no expense in protecting their guests, their employees and, most important, their cash from nefarious characters. A new 110,000-square-foot casino in Las Vegas today will spend at least $10 million on security and surveillance technology alone, according to Jerry Keller, security director at Wynn Las Vegas, a $2.4 billion hotel/ casino that will open next year. That figure does not include the salaries and equipment that will be invested for a full-time security staff of more than 200.
But in 2001, the State Department, FBI and CIA could not make connections between the mountains of data they had and what was happening out on the streets. They had lists of suspected terrorists and lists of foreign visitors still in the U.S. on expired visas, but they didn't have the ability to connect this information with the tiny clues left by Atta and others in the years, months, days and even hours leading up to 9/11.
Now, the technologies exist to make those connections. And they are working, around the clock, in Las Vegas. Tom Ridge and others charged with protecting the homeland would be smart to watch closely, mimic the tracking techniques to identify threats before they get out of hand—and tap into the expertise that Las Vegas uses to store and analyze data.
"Most every security chief in Las Vegas is either a former FBI agent or retired military," says Joe McDonald, a consultant for ADT Inc., a provider of security systems to casinos. (See Dossier, Case 085, September 2003, p. 60.) "The differences are huge," McDonald says. "In this industry, you're given a generous budget to solve the problem and the tools to share and collect the information you need. It's a huge advantage and a philosophy that Washington needs to embrace."
Here is a rundown of the current state of information systems deployed in Las Vegas—and how they can be employed for domestic security.