Computerized Betting System Proves Vulnerable

count3r writes "A front page article in today's New York Times reports that an employee of Autotote has been fired for (allegedly) hacking the system responsible for 65% of all horseracing bets in North America. The caper, if it is indeed a caper, resulted in a series of six bets that paid a total of $3,000,000 in last Saturday's Breeders' Cup."

dumbass.

[Unknown+Poltroon]

WHy not just hit them up for several thou a week? Like theyre not gonna notice a 3,000,000 blip.

Re:dumbass.

[ergo98]

Sounds debatable to me. On the one hand a huge payout will garner a lot of attention, but on the other hand committing a fraud over and over every week sounds quite high on the risk scale too.

As a bit of background regarding this, these guys didn't transfer from one bank account to another, or some other thing that's caught "in the books": One purportedly made an electronic bet, and the other altered the electronic bet after the fact to match the winners. It really isn't that ridiculous of a scam as people do win every now and then. It isn't entirely inconceivable that someone one.

Having said that, it is the duty of responsibility of the operators to exercise due diligence, and truly not trust anyone: i.e. all databases have multiple layers including audit logs, in this case catching his transaction as it occurs for future analysis. In this case I presume that exactly that happened, as they obviously caught him.

Re:dumbass.

[nolife]

I know a guy that was arrested for a fraudulent 900 scam. I do not know the details of HOW it was done but.. He had a 1 900 Job Line provided by MCI. He rigged it to fake calls and rack up his payout from MCI. In one month MCI owed him almost $400,000 for some cheasy job line. Times were tough back then but not that bad! At the MCI office, an FBI undercover handed him a check and then immediately arrested him.

I'm sure a smaller amount would not have been as obvious and he may have been able to sustain it. Of course these horse cheats in the story could have started small years ago and have just now got caught.

Re:dumbass.

[ACNeal]

The problem is that betting is all pool driven.

A lopsided payout will be noticed, not because someone one, people always win in a properly booked race/game/whatever, it is that the payout was disproportionate to the take.

If you make your book properly, you aren't making money off of people losing their bets, you make money off of the vig. Your payouts and take should roughly be equal if you did your books right.

A horse isn't a 100:1 long shot because the book maker thinks its a bad horse. The horse is a 100:1 long shot, because off all the betting dollars, only 1 out of every 100 dollars was bet on that horse.

The only way the house wins is to avoid making stupid bets. How does the house avoid making stupid bets? By nt betting. If I make sure that the other 99 dollars are going to cover your 1 dollar bet, and I collect the 10% vig from the losers, I make money, and don't have to worry about the long shot.

Legalized horse betting does the same thing, except since they can't charge a vig to the losers, they don't make a 100% payout. That way, no matter who wins, they have made sure they can cover the bets, and still make a profit. In this scenerio, the winner pays the vig in the shape of the odds aren't as high as they should have been, the winner didn't win as much as was proportionally alloted to him.

The reason why this was a dumb scheme, and the reason why they got caught is pure math. The track paid out more money then they took in, and immediately knew something was amiss. If the systems worked properly, that can't happen. Long shots hit all the time, even 100:1 long shots, but if your computer system adjusted the odds according to the bets made before post, you won't lose money.

The fact that they changed the bet afterward means that the odds were wrong. Of course most people don't realize these subtelties to book making, so probably thought it wasn't a dumb mistake.

Re:dumbass.

[andynyc]

The reason why this was a dumb scheme, and the reason why they got caught is pure math. The track paid out more money then they took in

No, the win did not pay out more than the track earned. Each winning ticket paid $428,392 from a pool of $4,569,515, which means that there were probably 8 or 9 winning tickets in total, nationwide. The guy they are investigating had 6 of them.

Having 6 of only 9 winning tickets is obviously unusual. His betting strategy is even more unusual... making single selections for 4 races, then "wheeling" then entire field for the last 2, which means if the first four come in, he's guaranteed to win. Combined with the "flaw" in the system which doesn't report the ticket to the central database until after the fourth race, this is an obvious red flag. Finally, making the same bet 6 times is simply stupid. It's the same as buying 6 lottery tickets with all of the same numbers... the only justification is to increase your percentage of the winner's pool if you KNOW you are going to win.

Think of recent Powerball lottery wins... if they announce there were 6 winners, and one guy shows up with 4 of the winning tickets, it's going to raise eyebrows.

Had this guy never made these wagers, most likely there would have been 2 legit winners, each of whom would have won about $1.8 million (or maybe 3 winners each getting $1.2 mil). Instead, since there were a lot more winning tickets, the payout on each was reduced to only $428 thousand.

Again, the track didn't lose anything, and if they disqualify his tickets, the money will get paid to the legit winners. That's how pari-mutual wagering works... the total pool is calculated, the house percenatge is taken out, and everything left is split among the winning tickets. When there are 9 winning tickets, each one gets paid less than if there were 3 winning tickets. The racetrack is unaffected. The legitimate winners are the victims.

Pallidum would have solved this.

[_LORAX_]

DRM will be our savior.....

Oh wait, he required that kind of access to do his job? So DRM wouldn't have helped. What do you mean that most hacks are inside jobs? .... nothing to see, please move along.

What happened to the old days

[nogoodmonkey]

when people used to give horses steroids so that they would win their bets. All this new technology is confusing!

No registration

[DeadSea]

Or why don't we look at one of the many articles that don't require registration. Darn NYTimes.

Re:No registration

[aridhol]

Hey...I have an idea (not that it will be accepted). Why don't we stop allowing registration-required links on the front page? Including free-registration. We can now find many sources for the same story with Google News, so there's no reason to keep linking to NYT.

Re:No registration

[jimand]

Note that if you follow this link, there is a link to the NYT story that you can see without registration. The URL ends with "&partner=GOOGLE" so it seems that if you are a partner of the NYT, you can access articles without registration. Could /. apply to the Times for partnership status?

Re:No registration

[1984]

I have another idea. Why don't you presume to never pay for anything, ever? To live in a fantasy world where all you have to do is consume.

(Or perhaps you don't mean that, in which case I apologise. But I'm getting sick of seeing people here with the attitude, "We're all for 'Free'. And look, we can just take shit! Stick it to the man! Yeah!")

Re:No registration

[bwdunn]

Replace GOOGLE with SLASHDOT and you are in.

http://www.nytimes.com/2002/10/29/sports/othersp or ts/29RACI.html?ex=1036472400&en=51e22b7df3931513&e i=5062&partner=SLASHDOT

Linked to Partner "Slashdot"

Re:No registration

[elmegil]

it's even simpler than that. You don't need the ex, en, ei values. And it doesn't care what partner is set to: http://www.nytimes.com/2002/11/01/sports/otherspor ts/01RACI.html?partner=YOMAMA works just fine. Brilliant coding, I must say.

Not too smart.

[Desmoden]

I will never understand how people come up with good, well thought out crime plans, and then totally screw up the execution by rushing things or bring too much attention to the project. Just dumb.

Re:Not too smart.

[jazman_777]

I will never understand how people come up with good, well thought out crime plans, and then totally screw up the execution by rushing things or bring too much attention to the project. Just dumb.

Well, the brilliant plan to milk billions from the Federal Reserve Bank in Denver is still going strong, undiscovered.

So?

[Lawbeefaroni]

Buttloads of $ vs. determined individual: vulnerability.

Someone will always find a way to steal and no matter how good your security, when you have the human element on the inside, you are vulnerable. That's why auditing to detect theft is as important as securing against it.

This wouldn't have happened when the mob ran it!

[webperf]

see what happens when you legalize it??? all these crooks get in and screw it over.

No way!

[zuggy]

Nah, it can't be vulnerable. Online betting is trustworthy. Why, as soon as I get my bonus back from the Nigerian Petroleum Company, I'm going online to bet on the ponies!

I used to write betting software

[yamla]

Until a little over a year ago, I was employed at a company that wrote gambling software for sports betting houses. It is big business, let me tell you. :) If anyone has any questions, fire away and I'll answer them.

I never put any backdoor code into anything I submitted but it would have been very easy to do so. We had well over 300,000 lines of code and very little of it was audited. The only problem would have been getting the backdoor in without other programmers noticing as everyone was responsible for different areas. Still, I know it could have been done, I can picture exactly what it would have taken to do so.

Would it have been noticed? Possibly eventually, though I have my doubts. Apparently, there was a bug in our code for one of the complex bet types. It ended up _always_ overpaying a specific complex winning bet type by $1. That is, it always rounded up to the next dollar instead of down and this bug went undetected for YEARS.

All the code was written in VB and we worked crazy amounts of overtime ALL the time. Additionally, the 'business experts' could never get their act in gear and agree to how things should work. I ended up resigning my position.

Re:I used to write betting software

[WatertonMan]

Actually wasn't there a huge scandal in Las Vegas a few years ago where someone hacked a lot of the slot machines to screw with the odds? If I recall it actually was one of the distributors of the slot machines. So it wasn't some obscure employee but some people fairly high up in the company. But it is the same idea.

I'm sure that had the company tried to screw over one of the bigger casinos that they'd have been caught. (And depending upon the casino probably taken care of independently from the police) However so long as regular people are getting screwed, they don't care.

Same thing with gas stations. Once again I remember a scheme that extra charged gas slightly using computers. Nothing but a few cents on every fillup. But it added up. Once again more the company themselves. But how hard would it have been for an employee to do it?

The only thing that keeps these schemes for working for individual employees is the cost/danger ratio. These schemes are only worth the risk if you make a fair amount of money. But to make a fair amount of money you have to get that check from the company which is then noticable by the company auditors. If the "checks" or "expense" is spread out over thousands of people, the auditors are far less likely to discover it. But by the same measure you are far less likely to be able to make use of the money.

Re:I used to write betting software

[smileyy]

I recall seeing a story about a programmer who reversed engineered the pseudo-random number generator used in Keno games. The impression I got was that it was a clean-room solution, and yet he was arrested for fraud anyway. Needless to say, I disagreed with the notion that his act was illegal (assuming it was clean room).

Re:I used to write betting software

[Reality+Master+101]

A long time ago I used to write software for computerized gambling games, such as draw poker. One of the features of the software was being able to dial in a certain payback percentage. The way it worked was that when it drew the final hand (after the cards were held), it would decide on a random basis to redraw the hand if it was a winner. If it was paying out too much, it would gradually redraw the hand more often until it was back to the right payback.

Anyway, one of the problems we had was that our payout amount field was only 4 digits for a maximum of 9999 coins. The problem was that you had the option to play up to 50 coins at a time, and the highest payout odds were 500 to 1. So management had me make the machine NEVER pay out the big winner if you bet 20 coins or more to avoid the problem.

The latter was probably illegal, but this company was pretty shady. I didn't work there for very long, and they went bankrupt not long after.

I still look at the machines in Vegas with suspicion, though. :)

Re:I used to write betting software

[russiste]

You've got a great memory - that was 6 years ago. :-)

Here's the story from "The Risks Digest" ("Forum on Risks to the Public in Computers and Related Systems").

Basicly, they caught the guy, and then released him and even gave him the money back with interest.

The "source" of the problem? A missing clock that was supposed to seed the random number generator. Thus, upon rebooting (every morning I suppose), the same number sequence would be generated as the seed would be the same...

Greg

Picking 4 Horses

[richlb]

If it turns out to be cheating, it just goes to show what happens when you want too much too soon. You know, just winning $1,000 or $10,000 probably wouldn't have raised an eyebrow.

And, I wonder how often this bet hits? Technically, the bet was really picking the winner or 4 straight races, plus betting on every horse in next 2. I won a trifecta once that paid a cool grand. To think, if I'd only tried for one more......

If they're guilty, they're idiots.

This is not the way to go.

[Prince_Ali]

A lot of people make a lot of money on internet gambling sites without breaking a single law. The people who play online poker suck so bad compared to professional poker players that it is like printing money for anyone who plays the game seriously. I suck which is why I don't play, but a lot of people are willing to give up there hard earned money to a redneck who has played poker since before he could write.
It may not get you $3M, but they won't have to work anymore, and they don't get put in FPMA prison.

Not really hacking; still a problem...

[Anonymous+Custard]

This is, just as the article said, a misuse of power, rather than a skillful hack. If I remember, isn't hacking usually prosecuted over the fact that the person obtained illegal access by knowingly circumventing security measures? He was given clearance as part of his job; he misused his security clearance, he didn't gain unauthorized access.

In any case, I'm surprised that ANYONE has the access to modify bets. Shouldn't that info be encrypted or protected or something, kind of like how your Bank's customer service rep can't look up your pin, but can only reset it to a new pin?

Re:Not really hacking; still a problem...

[aiken_d]

Yes, but the database *coders* for your bank could easily reset your pin, or code an app such that when the teller goes to reset it, it always gets set to some value that they'd know.

This wasn't a case of a front-end person, working the phone banks, manipulating data. If it was indeed a hack/theft, it was someone with access to the code and/or database itself. Encryption doesn't do you much good, there.

Cheers
-b

VLT Backdoors?

[Rikardon]

Here in Alberta, Canada we have VLTs (Video Lottery Terminals) that let you play a number of different card games and other assorted forms of gambling on a touch-screen terminal. They're a HUGE profit center for the pubs and bars that host them, and for the provincial government. If I were a VLT programmer of questionable moral character, it would be awfully tempting to code a backdoor triggered by some easter egg-type series of screen touches that would let me score a couple hundred dollars at each terminal.

Anybody ever heard of anything like this happening in real life? As an earlier poster said, if you kept your take down to a couple thousand a week, I think it would be pretty unlikely you'd get caught.

Re:VLT Backdoors?

[scottmartinnet]

IIRC, someone did this with video poker in Vegas. A certain series of bet amounts (number of coins inserted) triggered a sure royal flush. They were smart, spread out the wins, and weren't caught for a long time.

There have been a lot of very smart scams that were caught. It makes you wonder how many extremely smart scams were never caught. I remember watching a show about that stuff, and there was a security consultant with this quote: "A casino is the only place in the world where you can steal millions of dollars and if you do it right, no one ever notices that it's missing."

Another computerized wagering event coming up:

[burgburgburg]

Tuesday's elections

Fortunately, all of those systems are closed, so I'm sure that security was motto number 1.

Of course, motto number 2 was "Ignore motto number 1".

Things you don't do

[El_Smack]

Tug on Superman's cape.
Spit into the wind.
Rip off the NY mafia to the tune of $3,000,000.

Re:This wouldn't have happened when the mob ran it

[ShawnDoc]

The same thing happenes when the mob runs things. Its just instead of it making it into the paper as a "hacker" story, it would wind up in the paper as "Headless Body Found in East River".

Anyone who's tried this hates it...

[Embedded+Geek]

I work for a major supplier of in flight entertainment systems and we are always getting pressure from customers (especially on the Pacific Rim) to implement in flight gaming (i.e. electronic poker or slots). While some of our competitors have dipped a toe into this, we have pretty much steered clear to date.

The fact is that implementing a gaming system is a nightmare, be it on the ground or in the air. IMHO, quite a bit more difficult than point of sale or banking systems. In addition to being secure, it's gotta be completely fail safe (so if a passenger's terminal goes down seconds after a jackpot he won't loose his winnings and take it out on the cabin crew). Also, it's going to be transaction heavy - hundreds of smaller, individual bets over a gambling session as opposed to, say, a higher end credit card transaction every minute at a department store cash register. If you add in the fact that gambling is a potentially addictive activity that piques the interest of organized crime, you have a recipe for any disaffected insider to slip in hacks and back doors.

On the whole, I'm not surprised that someone corrupted a gambling system. I'm just surprised that this doesn't make the newspaper more often.

Re:Anyone who's tried this hates it...

[Embedded+Geek]

...it's really racist of you to mention that dig about the Pacific Rim demanding gambling.

(*SIGH*)

No racism intended - it's just a fact that Pacific Rim airlines have been primary movers in in flight gaming. Gambling is more accepted there than in the West, with less stigma attached. No Asian businessman expects to get dirty looks from another passenger if he drops a bundle of his own money on blackjack, but I bet you (yes, lame pun intended) that you'd see a lot of that on any US, Canadian, or European carrier (exception: I know Swissair has at least tried gaming. 'Don't know if it's still going strong). And when you think of it, they've got a point - what business is it of anyone how someone looses their cash?

Also, the U.S. flight attendants' unions fight airborne gaming tooth and nail. As my cousin, an attendant for Delta told me "So now they'll expect us to deal with a guy who's both drunk *and* has lost $500?!"

Again, this is just a simple observation of cultural differences. The fact is that most of our Asian customers (the arilines) don't understand why we regulate gaimng so strongly in the U.S. Once we pitch the technical (and regulatory) challnanges, though, they usually decide to request different features in lieu of gaming.

Software is insecure

[adb]

Also, the ocean is wet, and there is porn on the internet.

Just so you know.

Vulnerable, Period

[gradji]

I'm trying to figure out why people think computerized betting is any more vulnerable to fraud than the non-computerized variety.

The Breeder's Cup incident was an inside job! There have been numerous Casino incidents where employees have tried to scam their employers. A security system is only as good as the people with whom the system is entrusted. This is true for physical security as well as computer security.

Lastly, criminals are not, inherently, stupid. It only seems like that as the stupid ones are the ones that usually get caught. Borrowing from Kaiser Sousay (Kevin Spacey) in Usual Suspects : the greatest trick a master criminal has ever pulled is convincing the world that a crime has not been committed.

Hmm...Next week's headline?

[voice+of+unreason]

In other news, shortly after being dismissed the former employee had an unfortunate accident resulting in the breaking of both his kneecaps.

I have friends who work (and worked) there...

[kelleher]

Two relavent bits of info:
1) They fired the QA department due to cutbacks over a year ago.
2) There is no "Production Control" group. The same people who develop the apps support them (with little to no oversight). They have never had a way of preventing this type of fix.

He needn't worry about the authorities...

[bshroyer]

It's organized crime that's going to get him. Revenge.

I see evidence that this guy is pretty lame - he's dumb enough to screw up a good scam his first time out by shooting for the moon. We can't assume that a novice is the first person to find this scam, but AutoTote indicates he's the first to be caught.

I'll wager dollars to doughnuts that he's just closed the loop on a lucrative betting system being utilized by any number of "organized" gamblers, and will be hearing from a guy named Vito in the near future.

Re:"Wasn't that dumb"??

[Multiple+Sanchez]

The winning tickets featured "singles," or races with only one horse selected, in the first four legs of the ticket, and then every horse in the final two races. On a $2 ticket, those combinations and strategy cost $192.

Mr. Davis bet a $12 pick-six ticket, or played that exact combination six separate times, costing him $1,152. It was a highly unusual strategy for betting the pick six -- horseplayers like to cover as many combinations as possible -- and the configuration raised suspicions of New York Racing Association officials, who alerted Breeders' Cup Ltd. and the state wagering board.

Mr. Davis had opened the Catskill OTB account within two weeks of the Breeders' Cup, had deposited money on five occasions -- four increments of $500 and one of $250 -- but had not made a bet until that pick six, according to investigative sources.

The six winning tickets were each worth $428,392. In addition, by including every horse in the last two races, the bettor collected 108 of the 186 consolation payoffs for hitting five of six winners; each consolation ticket was worth $4,606.20.

snip.

It's still confusing no matter how many times I read it, but it sounds like he made six identical bets, when the point of the pick-six ticket is to place several different bets on one ticket. Anyone who can clarify this a bit more, please do.

Re:From the horse's mouth

[uncoveror]

Scientific Games also does lotteries. Here is how they are rigged. Only the gangsters running the rackets make money from gambling.