Computerized Betting System Proves Vulnerable
count3r writes "A front page article in today's New York Times reports that an employee of Autotote has been fired for (allegedly) hacking the system responsible for 65% of all horseracing bets in North America. The caper, if it is indeed a caper, resulted in a series of six bets that paid a total of $3,000,000 in last Saturday's Breeders' Cup."
I will never understand how people come up with good, well-thought-out crime plans, and then totally screw up the execution by rushing things or bringing too much attention to the project. Just dumb.
Buttloads of $ vs. determined individual: vulnerability.
Someone will always find a way to steal and no matter how good your security, when you have the human element on the inside, you are vulnerable. That's why auditing to detect theft is as important as securing against it.
"When it rains, it pours." --Morton's Salt
Hey...I have an idea (not that it will be accepted). Why don't we stop allowing registration-required links on the front page? Including free-registration. We can now find many sources for the same story with Google News, so there's no reason to keep linking to NYT.
I can't say that I don't give a fuck. I've just run out of fuck to give.
Sounds debatable to me. On the one hand a huge payout will garner a lot of attention, but on the other hand committing a fraud over and over every week sounds quite high on the risk scale too.
As a bit of background regarding this, these guys didn't transfer from one bank account to another, or some other thing that's caught "in the books": One purportedly made an electronic bet, and the other altered the electronic bet after the fact to match the winners. It really isn't that ridiculous of a scam as people do win every now and then. It isn't entirely inconceivable that someone won.
Having said that, it is the duty of responsibility of the operators to exercise due diligence, and truly not trust anyone: i.e. all databases have multiple layers including audit logs, in this case catching his transaction as it occurs for future analysis. In this case I presume that exactly that happened, as they obviously caught him.
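An added example, not part of the thread and not code from any real wagering system: one way an audit log can make a bet that was altered after the fact visible. The record fields, the pool closing times and the use of a SHA-256 hash chain for tamper evidence are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # hash value that precedes the first entry

def _digest(prev_hash, record):
    body = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

def append(log, record):
    """Append a wager event, binding it to the hash of the previous entry."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "hash": _digest(prev, record)})

def verify_chain(log):
    """Return the index of the first entry that fails verification, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["hash"] != _digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None

def late_writes(log, close_times):
    """Return events that write to a ticket after its pool stopped taking bets."""
    return [e["record"] for e in log
            if e["record"]["ts"] > close_times[e["record"]["pool"]]]

def build_sample():
    """Constructed data: two bets placed before the close, one altered after it."""
    log = []
    append(log, {"ts": 100, "ticket": "T1", "pool": "P1", "action": "PLACE",
                 "user": "acct-17", "picks": [4, 2, 9]})
    append(log, {"ts": 130, "ticket": "T2", "pool": "P1", "action": "PLACE",
                 "user": "acct-52", "picks": [7, 7, 1]})
    append(log, {"ts": 260, "ticket": "T1", "pool": "P1", "action": "MODIFY",
                 "user": "ops-03", "picks": [1, 5, 8]})
    return log, {"P1": 200}  # pool P1 closed at ts=200

if __name__ == "__main__":
    log, closes = build_sample()
    print("chain intact:", verify_chain(log) is None)
    for rec in late_writes(log, closes):
        print("post-close write:", rec["ticket"], rec["action"], "by", rec["user"])
    log[0]["record"]["picks"] = [1, 5, 8]  # silent edit of the stored bet
    print("first bad entry after silent edit:", verify_chain(log))
```

The chain only proves tampering to someone who holds a trusted copy of the latest hash outside the reach of the people who can write to the log; an insider able to rewrite every entry can recompute the chain, and truncating the tail is not detected without that external anchor.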
I have another idea. Why don't you presume to never pay for anything, ever? To live in a fantasy world where all you have to do is consume.
(Or perhaps you don't mean that, in which case I apologise. But I'm getting sick of seeing people here with the attitude, "We're all for 'Free'. And look, we can just take shit! Stick it to the man! Yeah!")
The fact is that implementing a gaming system is a nightmare, be it on the ground or in the air. IMHO, quite a bit more difficult than point of sale or banking systems. In addition to being secure, it's gotta be completely fail safe (so if a passenger's terminal goes down seconds after a jackpot he won't lose his winnings and take it out on the cabin crew). Also, it's going to be transaction heavy - hundreds of smaller, individual bets over a gambling session as opposed to, say, a higher end credit card transaction every minute at a department store cash register. If you add in the fact that gambling is a potentially addictive activity that piques the interest of organized crime, you have a recipe for any disaffected insider to slip in hacks and back doors.
On the whole, I'm not surprised that someone corrupted a gambling system. I'm just surprised that this doesn't make the newspaper more often.
"Prepare for the worst - hope for the best."
I'm trying to figure out why people think computerized betting is any more vulnerable to fraud than the non-computerized variety.
The Breeders' Cup incident was an inside job! There have been numerous casino incidents where employees have tried to scam their employers. A security system is only as good as the people with whom the system is entrusted. This is true for physical security as well as computer security.
Lastly, criminals are not, inherently, stupid. It only seems like that as the stupid ones are the ones that usually get caught. Borrowing from Keyser Söze (Kevin Spacey) in Usual Suspects: the greatest trick a master criminal has ever pulled is convincing the world that a crime has not been committed.