Slashdot Mirror


Computerized Betting System Proves Vulnerable

count3r writes "A front page article in today's New York Times reports that an employee of Autotote has been fired for (allegedly) hacking the system responsible for 65% of all horseracing bets in North America. The caper, if it is indeed a caper, resulted in a series of six bets that paid a total of $3,000,000 in last Saturday's Breeders' Cup."

20 of 282 comments

  1. dumbass. by Unknown+Poltroon · · Score: 5, Interesting

    Why not just hit them up for several thou a week? Like they're not gonna notice a 3,000,000 blip.

    --
    All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
    1. Re:dumbass. by nolife · · Score: 3, Interesting

      I know a guy that was arrested for a fraudulent 900 scam. I do not know the details of HOW it was done but.. He had a 1 900 Job Line provided by MCI. He rigged it to fake calls and rack up his payout from MCI. In one month MCI owed him almost $400,000 for some cheesy job line. Times were tough back then but not that bad! At the MCI office, an FBI undercover handed him a check and then immediately arrested him.

      I'm sure a smaller amount would not have been as obvious and he may have been able to sustain it. Of course these horse cheats in the story could have started small years ago and have just now got caught.

      --
      Bad boys rape our young girls but Violet gives willingly.
  2. Too much too quickly... by Anonymous Coward · · Score: 1, Interesting

    If they hadn't tried to hoover it all at once they could have kept it going for years... but then, criminals are by definition stupid, so there ya go.

    1. Re:Too much too quickly... by Anonymous Coward · · Score: 1, Interesting

      Shoulda' sold the Malibu, and had that bastard whacked (unfortunate freak accident?). Hell, I know people who would have done it for free.

  3. I used to write betting software by yamla · · Score: 5, Interesting

    Until a little over a year ago, I was employed at a company that wrote gambling software for sports betting houses. It is big business, let me tell you. :) If anyone has any questions, fire away and I'll answer them.

    I never put any backdoor code into anything I submitted but it would have been very easy to do so. We had well over 300,000 lines of code and very little of it was audited. The only problem would have been getting the backdoor in without other programmers noticing as everyone was responsible for different areas. Still, I know it could have been done, I can picture exactly what it would have taken to do so.

    Would it have been noticed? Possibly eventually, though I have my doubts. Apparently, there was a bug in our code for one of the complex bet types. It ended up _always_ overpaying a specific complex winning bet type by $1. That is, it always rounded up to the next dollar instead of down and this bug went undetected for YEARS.

    All the code was written in VB and we worked crazy amounts of overtime ALL the time. Additionally, the 'business experts' could never get their act in gear and agree to how things should work. I ended up resigning my position.

    --

    Oceania has always been at war with Eastasia.
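
An added example, not part of the original comment or of any betting vendor's code: an independent reconciliation pass of the kind that would surface the always-rounds-up bug described above. The record layout, the stake-times-odds payout rule and every sample row are assumptions constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_FLOOR

# Constructed settlement records: (bet_type, stake, decimal_odds, amount_paid).
# The "parlay" rows imitate the bug described above: rounded up, not down.
SETTLED = [
    ("single", "10.00", "2.55", "25"),
    ("single", "7.00", "1.95", "13"),
    ("parlay", "10.00", "6.37", "64"),
    ("parlay", "5.00", "12.13", "61"),
    ("parlay", "4.00", "5.00", "20"),   # exact dollar amount: bug is invisible
    ("parlay", "3.00", "8.45", "26"),
    ("teaser", "20.00", "1.91", "38"),
]

def expected_payout(stake, odds):
    """Assumed house rule: stake * odds, rounded DOWN to a whole dollar."""
    return (Decimal(stake) * Decimal(odds)).to_integral_value(rounding=ROUND_FLOOR)

def reconcile(records):
    """Recompute every payout independently and summarise drift per bet type."""
    stats = defaultdict(lambda: {"fractional": 0, "mismatched": 0, "drift": Decimal(0)})
    for bet_type, stake, odds, paid in records:
        raw = Decimal(stake) * Decimal(odds)
        delta = Decimal(paid) - expected_payout(stake, odds)
        s = stats[bet_type]
        s["fractional"] += raw != raw.to_integral_value(rounding=ROUND_FLOOR)
        s["mismatched"] += delta != 0
        s["drift"] += delta
    return dict(stats)

def systematic_overpayers(records):
    """Bet types where every fractional payout was overpaid: a code defect
    (or deliberate skim), not random clerical error."""
    return sorted(
        t for t, s in reconcile(records).items()
        if s["mismatched"] and s["mismatched"] == s["fractional"] and s["drift"] > 0
    )

if __name__ == "__main__":
    for bet_type, s in reconcile(SETTLED).items():
        print(bet_type, s)
    print("systematic:", systematic_overpayers(SETTLED))
```

The signal is the one-sided pattern: a bet type whose every fractional payout is off by the same sign points at the settlement code itself, which is why the recomputation has to run outside the code path being audited.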
    1. Re:I used to write betting software by WatertonMan · · Score: 5, Interesting

      Actually wasn't there a huge scandal in Las Vegas a few years ago where someone hacked a lot of the slot machines to screw with the odds? If I recall it actually was one of the distributors of the slot machines. So it wasn't some obscure employee but some people fairly high up in the company. But it is the same idea.

      I'm sure that had the company tried to screw over one of the bigger casinos that they'd have been caught. (And depending upon the casino probably taken care of independently from the police) However so long as regular people are getting screwed, they don't care.

      Same thing with gas stations. Once again I remember a scheme that extra charged gas slightly using computers. Nothing but a few cents on every fillup. But it added up. Once again more the company themselves. But how hard would it have been for an employee to do it?

      The only thing that keeps these schemes from working for individual employees is the cost/danger ratio. These schemes are only worth the risk if you make a fair amount of money. But to make a fair amount of money you have to get that check from the company which is then noticeable by the company auditors. If the "checks" or "expense" is spread out over thousands of people, the auditors are far less likely to discover it. But by the same measure you are far less likely to be able to make use of the money.

    2. Re:I used to write betting software by smileyy · · Score: 4, Interesting

      I recall seeing a story about a programmer who reverse engineered the pseudo-random number generator used in Keno games. The impression I got was that it was a clean-room solution, and yet he was arrested for fraud anyway. Needless to say, I disagreed with the notion that his act was illegal (assuming it was clean room).

      --
      pooptruck
    3. Re:I used to write betting software by Reality+Master+101 · · Score: 5, Interesting

      A long time ago I used to write software for computerized gambling games, such as draw poker. One of the features of the software was being able to dial in a certain payback percentage. The way it worked was that when it drew the final hand (after the cards were held), it would decide on a random basis to redraw the hand if it was a winner. If it was paying out too much, it would gradually redraw the hand more often until it was back to the right payback.

      Anyway, one of the problems we had was that our payout amount field was only 4 digits for a maximum of 9999 coins. The problem was that you had the option to play up to 50 coins at a time, and the highest payout odds were 500 to 1. So management had me make the machine NEVER pay out the big winner if you bet 20 coins or more to avoid the problem.

      The latter was probably illegal, but this company was pretty shady. I didn't work there for very long, and they went bankrupt not long after.

      I still look at the machines in Vegas with suspicion, though. :)

      --
      Sometimes it's best to just let stupid people be stupid.
  4. Re:No registration by jimand · · Score: 5, Interesting

    Note that if you follow this link, there is a link to the NYT story that you can see without registration. The URL ends with "&partner=GOOGLE" so it seems that if you are a partner of the NYT, you can access articles without registration. Could /. apply to the Times for partnership status?

  5. Picking 4 Horses by richlb · · Score: 3, Interesting

    If it turns out to be cheating, it just goes to show what happens when you want too much too soon. You know, just winning $1,000 or $10,000 probably wouldn't have raised an eyebrow.

    And, I wonder how often this bet hits? Technically, the bet was really picking the winner of 4 straight races, plus betting on every horse in next 2. I won a trifecta once that paid a cool grand. To think, if I'd only tried for one more......

    If they're guilty, they're idiots.

  6. Not really hacking; still a problem... by Anonymous+Custard · · Score: 5, Interesting

    This is, just as the article said, a misuse of power, rather than a skillful hack. If I remember, isn't hacking usually prosecuted over the fact that the person obtained illegal access by knowingly circumventing security measures? He was given clearance as part of his job; he misused his security clearance, he didn't gain unauthorized access.

    In any case, I'm surprised that ANYONE has the access to modify bets. Shouldn't that info be encrypted or protected or something, kind of like how your Bank's customer service rep can't look up your pin, but can only reset it to a new pin?

    1. Re:Not really hacking; still a problem... by aiken_d · · Score: 3, Interesting

      Yes, but the database *coders* for your bank could easily reset your pin, or code an app such that when the teller goes to reset it, it always gets set to some value that they'd know.

      This wasn't a case of a front-end person, working the phone banks, manipulating data. If it was indeed a hack/theft, it was someone with access to the code and/or database itself. Encryption doesn't do you much good, there.

      Cheers
      -b

      --
      If I wanted a sig I would have filled in that stupid box.
  7. VLT Backdoors? by Rikardon · · Score: 5, Interesting

    Here in Alberta, Canada we have VLTs (Video Lottery Terminals) that let you play a number of different card games and other assorted forms of gambling on a touch-screen terminal. They're a HUGE profit center for the pubs and bars that host them, and for the provincial government. If I were a VLT programmer of questionable moral character, it would be awfully tempting to code a backdoor triggered by some easter egg-type series of screen touches that would let me score a couple hundred dollars at each terminal.

    Anybody ever heard of anything like this happening in real life? As an earlier poster said, if you kept your take down to a couple thousand a week, I think it would be pretty unlikely you'd get caught.

    1. Re:VLT Backdoors? by Anonymous Coward · · Score: 1, Interesting

      a computer bingo programmer did that.

      he jumped off the golden gate bridge.

      he was actually smart, small bets etc. but a security guard noticed "erratic gambling" which is pretty believable, those guys will pick up on the smallest things that are out of the ordinary.

    2. Re:VLT Backdoors? by scottmartinnet · · Score: 3, Interesting

      IIRC, someone did this with video poker in Vegas. A certain series of bet amounts (number of coins inserted) triggered a sure royal flush. They were smart, spread out the wins, and weren't caught for a long time.

      There have been a lot of very smart scams that were caught. It makes you wonder how many extremely smart scams were never caught. I remember watching a show about that stuff, and there was a security consultant with this quote: "A casino is the only place in the world where you can steal millions of dollars and if you do it right, no one ever notices that it's missing."

  8. I have friends who work (and worked) there... by kelleher · · Score: 5, Interesting

    Two relevant bits of info:
    1) They fired the QA department due to cutbacks over a year ago.
    2) There is no "Production Control" group. The same people who develop the apps support them (with little to no oversight). They have never had a way of preventing this type of fix.

  9. Re:No registration by elmegil · · Score: 3, Interesting

    It's even simpler than that. You don't need the ex, en, ei values. And it doesn't care what partner is set to: http://www.nytimes.com/2002/11/01/sports/othersports/01RACI.html?partner=YOMAMA works just fine. Brilliant coding, I must say.

    --
    7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
  10. Go and handicapping similar. by buswolley · · Score: 2, Interesting

    Handicapping is a lot like the game of Go. It's all about pattern recognition. What the patterns translate to. Computers have a hell of a time being good at it.

    --

    A Good Troll is better than a Bad Human.

  11. Similar case with bingo by HeroicAutobot · · Score: 2, Interesting

    This reminds me of a similar story about a programmer for GameTech who rigged their bingo machines to let him cheat.

    Is there some development methodology or practice a company can implement to protect itself from "rogue" programmers like this? The NSA / CIA / FBI / Pentagon must have software that they want to guarantee is uncompromised. How do they do it?

    --
    I'm looking for a HEPA media filter for my TV. I'm allergic to reality shows.
  12. Re:answer by Evil-G · · Score: 2, Interesting

    On race tracks... I don't know if this still goes on, but have you ever seen a man stood on a box waving his arms about like a mad seal at a race course? They are signalling the odds of different horses in some kind of sign language.

    I believe the name is tic-tac man... aha, I've found a link which explains it a bit better here