Do You Need a Protection System for Your Machines?

This is the most common question I hear from arcade operators. The short answer: if your machines are earning money, and if you have not verified that they are not leaking revenue, then yes. The long answer requires looking at your specific situation — your location, your machine types, your historical revenue patterns, and whether you have ever noticed anomalies that you could not explain. This article walks you through a self-assessment that will tell you, definitively, whether you need a protection system.

The Self-Assessment: 10 Questions

Answer each question honestly. Each “yes” adds 1 point. Each “unsure” adds 0.5 points. A total score of 3+ means you should seriously consider installing protection systems.

1. Have you ever noticed a credit-to-cash discrepancy that you could not explain? A difference of more than 3% between the credits your machine recorded and the cash you collected is not normal variance. It is a signal that something is wrong.

2. Are your machines located in a region with known arcade cheating activity? The Philippines, Thailand, Malaysia, Cambodia, Vietnam, Mexico, and Brazil have documented arcade attack communities. If your venue is in or near these regions, your risk is higher.

3. Do you have machines that consistently earn less than their historical average, without explanation? A machine that earned $400/day for six months and now earns $300/day, with no change in customer traffic or machine configuration, is leaking revenue.

4. Have you ever had a customer who seemed to win far more often than probability would predict? Everyone gets lucky sometimes. But a customer who wins 60%+ of the time over 30+ sessions is not lucky. Something is wrong.

5. Are your machines accessible to customers during unattended hours? If you have machines in a lobby, a hallway, or any location where they are not continuously supervised, they can be accessed by attackers who test attack methods when nobody is watching.

6. Do you use the default configuration PIN on any of your machines? Default PINs are widely known. Anyone who knows the default can change your machine’s payout settings.

7. Have you ever found a broken tamper-evident seal or a scratched lock on a machine cabinet? Physical access to the machine’s internals enables firmware modification, component installation, and wire-tap attacks. Evidence of past access means someone may have already compromised the machine.

8. Do you operate machines that are more than 5 years old? Older machines have well-documented firmware vulnerabilities. Attack methods that exploit these vulnerabilities are shared in cheating communities. Newer machines have better security, but they are not immune.

9. Do you have staff members who have access to machine configuration and also handle cash reconciliation? This is an insider threat risk. One person who can both change settings and reconcile revenue can cover their tracks. If you have this situation, you need operational protection in addition to electronic protection.

10. Have you never performed a formal security audit of your machines? If you have never checked your machines for evidence of attacks, you do not know whether they have been attacked. The absence of evidence is not evidence of absence.

Interpreting Your Score

0-2 points: Your risk is relatively low, but not zero. You should still perform a basic protection measure: daily reconciliation (question 1) and changing default PINs (question 6). These cost nothing and eliminate the two most common vulnerabilities.

3-5 points: You have moderate risk. You should install bus monitoring devices on your highest-revenue machines (typically 3-5 machines cover 60-70% of venue revenue). Also implement daily reconciliation if you are not already doing it. The combination costs $500-1,500 and addresses the most likely attack vectors.

6-8 points: You have high risk. You should install bus monitoring devices on ALL machines, implement daily reconciliation with two-person verification, upgrade cabinet locks, and install cameras covering all machines. The total cost is $2,000-5,000 for a 20-machine venue. The revenue recovery typically pays for the system within 2-4 months.

9-10 points: You are almost certainly losing significant revenue to attacks or insider manipulation. Install comprehensive protection immediately. Do not wait. Every day you delay is a day of continued losses.

What Kind of Protection System Do You Need?

The protection system you need depends on your score and your budget. Here are three tiers.

Tier 1: Basic (Budget $0-500). Daily reconciliation (free, 5-10 min/day). Change all default PINs (free, 1 hour total). Reposition cabinet to block easy access to ports (free, 0 cost). This tier is better than nothing, but it will not stop a determined attacker. It will, however, stop the most basic attacks and give you visibility into whether you have a problem.

Tier 2: Standard (Budget $1,500-3,000 for 20 machines). All Tier 1 measures plus bus monitoring devices on all machines. This is the minimum I recommend for any venue with revenue of $2,000+ per month per machine. The bus monitors block 80-90% of electronic attacks. Combined with reconciliation, you will see revenue stabilization within 2 weeks.

Tier 3: Comprehensive (Budget $3,000-6,000 for 20 machines). All Tier 1 and 2 measures plus cameras, upgraded locks with tamper-evident seals, and a formal operational procedure (two-person reconciliation, restricted configuration access). This tier is appropriate for high-value venues, venues in high-threat regions, and venues that have already experienced confirmed attacks.

Frequently Asked Questions

What if I install protection and then find out I was not being attacked?

This is the best possible outcome. It means your revenue is safe, and the cost of protection is insurance against future attacks. You would rather spend $2,000 on protection and have no attacks, than spend $0 on protection and lose $15,000 per year to attacks you never detected. The protection cost is a known, fixed expense. The loss from undetected attacks is an unknown, potentially very large expense.

Can I install protection on just a few machines as a test?

Yes. Install bus monitors on your 3 highest-revenue machines. Monitor their status indicators and logs for 30 days. If the devices detect and block attacks during that period, you have your answer — and you should immediately protect the remaining machines. If no attacks are detected after 30 days, you can decide whether to expand protection based on your risk tolerance. Our guide includes a 30-day protection trial plan.

What is the monthly cost after installing protection systems?

For Tier 1: $0/month. For Tier 2: $0/month for basic bus monitors (no subscription). If you choose cloud-connected monitors with threat intelligence updates, the cost is $5-10 per machine per month. For Tier 3: same as Tier 2 plus any camera system maintenance (hard drive replacement every 2-3 years, $50-80). The ongoing cost is minimal compared to the revenue protection provided.

Every Machine That Earns Money Should Be Protected

The question is not “do I need protection?” The question is “how much protection do I need?” Every machine that earns money is a target. The only machines that do not need protection are the ones that do not earn money — and if they do not earn money, why do you have them? Protect your machines. Start with the self-assessment in this article. Your revenue will tell you whether you made the right decision.