Slashdot Mirror

← Back to Stories (view on slashdot.org)

Computerized Betting System Proves Vulnerable

Posted by michael on from the risks-digest dept.

count3r writes "A front page article in today's New York Times reports that an employee of Autotote has been fired for (allegedly) hacking the system responsible for 65% of all horseracing bets in North America. The caper, if it is indeed a caper, resulted in a series of six bets that paid a total of $3,000,000 in last Saturday's Breeders' Cup."

8 of 282 comments (clear)

  1. dumbass. by Unknown+Poltroon · · Score: 5, Interesting

    WHy not just hit them up for several thou a week? Like theyre not gonna notice a 3,000,000 blip.

    --
    All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
  2. I used to write betting software by yamla · · Score: 5, Interesting

    Until a little over a year ago, I was employed at a company that wrote gambling software for sports betting houses. It is big business, let me tell you. :) If anyone has any questions, fire away and I'll answer them.

    I never put any backdoor code into anything I submitted but it would have been very easy to do so. We had well over 300,000 lines of code and very little of it was audited. The only problem would have been getting the backdoor in without other programmers noticing as everyone was responsible for different areas. Still, I know it could have been done, I can picture exactly what it would have taken to do so.

    Would it have been noticed? Possibly eventually, though I have my doubts. Apparently, there was a bug in our code for one of the complex bet types. It ended up _always_ overpaying a specific complex winning bet type by $1. That is, it always rounded up to the next dollar instead of down and this bug went undetected for YEARS.

    All the code was written in VB and we worked crazy amounts of overtime ALL the time. Additionally, the 'business experts' could never get their act in gear and agree to how things should work. I ended up resigning my position.

    --

    Oceania has always been at war with Eastasia.
    1. Re:I used to write betting software by WatertonMan · · Score: 5, Interesting
      Actually wasn't there a huge scandal in Las Vegas a few years ago where someone hacked a lot of the slot machines to screw with the odds? If I recall it actually was one of the distributors of the slot machines. So it wasn't some obscure employee but some people fairly high up in the company. But it is the same idea.

      I'm sure that had the company tried to screw over one of the bigger casinos that they'd have been caught. (And depending upon the casino probably taken care of independently from the police) However so long as regular people are getting screwed, they don't care.

      Same thing with gas stations. Once again I remember a scheme that extra charged gas slightly using computers. Nothing but a few cents on every fillup. But it added up. Once again more the company themselves. But how hard would it have been for an employee to do it?

      The only thing that keeps these schemes for working for individual employees is the cost/danger ratio. These schemes are only worth the risk if you make a fair amount of money. But to make a fair amount of money you have to get that check from the company which is then noticable by the company auditors. If the "checks" or "expense" is spread out over thousands of people, the auditors are far less likely to discover it. But by the same measure you are far less likely to be able to make use of the money.

    2. Re:I used to write betting software by Reality+Master+101 · · Score: 5, Interesting

      A long time ago I used to write software for computerized gambling games, such as draw poker. One of the features of the software was being able to dial in a certain payback percentage. The way it worked was that when it drew the final hand (after the cards were held), it would decide on a random basis to redraw the hand if it was a winner. If it was paying out too much, it would gradually redraw the hand more often until it was back to the right payback.

      Anyway, one of the problems we had was that our payout amount field was only 4 digits for a maximum of 9999 coins. The problem was that you had the option to play up to 50 coins at a time, and the highest payout odds were 500 to 1. So management had me make the machine NEVER pay out the big winner if you bet 20 coins or more to avoid the problem.

      The latter was probably illegal, but this company was pretty shady. I didn't work there for very long, and they went bankrupt not long after.

      I still look at the machines in Vegas with suspicion, though. :)

      --
      Sometimes it's best to just let stupid people be stupid.
  3. Re:No registration by jimand · · Score: 5, Interesting

    Note that if you follow this link, there is a link to the NYT story that you can see without registration. The URL ends with "&partner=GOOGLE" so it seems that if you are a partner of the NYT, you can access articles without registration. Could /. apply to the Times for partnership status?

  4. Not really hacking; still a problem... by Anonymous+Custard · · Score: 5, Interesting

    This is, just as the article said, a misuse of power, rather than a skillful hack. If I remember, isn't hacking usually prosecuted over the fact that the person obtained illegal access by knowingly circumventing security measures? He was given clearance as part of his job; he misused his security clearance, he didn't gain unauthorized access.

    In any case, I'm surprised that ANYONE has the access to modify bets. Shouldn't that info be encrypted or protected or something, kind of like how your Bank's customer service rep can't look up your pin, but can only reset it to a new pin?

    --
    $8.95/mo web hosting
  5. VLT Backdoors? by Rikardon · · Score: 5, Interesting

    Here in Alberta, Canada we have VLTs (Video Lottery Terminals) that let you play a number of different card games and other assorted forms of gambling on a touch-screen terminal. They're a HUGE profit center for the pubs and bars that host them, and for the provincial government. If I were a VLT programmer of questionable moral character, it would be awfully tempting to code a backdoor triggered by some easter egg-type series of screen touches that would let me score a couple hundred dollars at each terminal.

    Anybody ever heard of anything like this happening in real life? As an earlier poster said, if you kept your take down to a couple thousand a week, I think it would be pretty unlikely you'd get caught.

  6. I have friends who work (and worked) there... by kelleher · · Score: 5, Interesting

    Two relavent bits of info:
    1) They fired the QA department due to cutbacks over a year ago.
    2) There is no "Production Control" group. The same people who develop the apps support them (with little to no oversight). They have never had a way of preventing this type of fix.