Slashdot Mirror


Computerized Betting System Proves Vulnerable

count3r writes "A front page article in today's New York Times reports that an employee of Autotote has been fired for (allegedly) hacking the system responsible for 65% of all horseracing bets in North America. The caper, if it is indeed a caper, resulted in a series of six bets that paid a total of $3,000,000 in last Saturday's Breeders' Cup."

27 of 282 comments

  1. dumbass. by Unknown+Poltroon · · Score: 5, Interesting

    Why not just hit them up for several thou a week? Like they're not gonna notice a 3,000,000 blip.

    --
    All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
    1. Re:dumbass. by ergo98 · · Score: 5, Insightful

      Sounds debatable to me. On the one hand a huge payout will garner a lot of attention, but on the other hand committing a fraud over and over every week sounds quite high on the risk scale too.

      As a bit of background regarding this, these guys didn't transfer from one bank account to another, or some other thing that's caught "in the books": One purportedly made an electronic bet, and the other altered the electronic bet after the fact to match the winners. It really isn't that ridiculous of a scam as people do win every now and then. It isn't entirely inconceivable that someone won.

      Having said that, it is the duty of responsibility of the operators to exercise due diligence, and truly not trust anyone: i.e. all databases have multiple layers including audit logs, in this case catching his transaction as it occurs for future analysis. In this case I presume that exactly that happened, as they obviously caught him.

    2. Re:dumbass. by ACNeal · · Score: 5, Informative

      The problem is that betting is all pool driven.

      A lopsided payout will be noticed, not because someone won, people always win in a properly booked race/game/whatever, it is that the payout was disproportionate to the take.

      If you make your book properly, you aren't making money off of people losing their bets, you make money off of the vig. Your payouts and take should roughly be equal if you did your books right.

      A horse isn't a 100:1 long shot because the book maker thinks it's a bad horse. The horse is a 100:1 long shot, because of all the betting dollars, only 1 out of every 100 dollars was bet on that horse.

      The only way the house wins is to avoid making stupid bets. How does the house avoid making stupid bets? By not betting. If I make sure that the other 99 dollars are going to cover your 1 dollar bet, and I collect the 10% vig from the losers, I make money, and don't have to worry about the long shot.

      Legalized horse betting does the same thing, except since they can't charge a vig to the losers, they don't make a 100% payout. That way, no matter who wins, they have made sure they can cover the bets, and still make a profit. In this scenario, the winner pays the vig in the shape of the odds aren't as high as they should have been, the winner didn't win as much as was proportionally allotted to him.

      The reason why this was a dumb scheme, and the reason why they got caught is pure math. The track paid out more money than they took in, and immediately knew something was amiss. If the systems worked properly, that can't happen. Long shots hit all the time, even 100:1 long shots, but if your computer system adjusted the odds according to the bets made before post, you won't lose money.

      The fact that they changed the bet afterward means that the odds were wrong. Of course most people don't realize these subtleties to book making, so probably thought it wasn't a dumb mistake.
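
Added example (not part of the thread, and not Autotote's code): a minimal Python model of the two controls discussed in the comments above, an audit record sealed when the pool closes and a payout-versus-pool reconciliation, run on a constructed ledger in which one ticket is rewritten to the winner after post time. The takeout rate, ticket fields and function names are assumptions made for the illustration.

```python
import hashlib
import json
from fractions import Fraction

TAKEOUT = Fraction(1, 4)  # assumed takeout rate, constructed for the example

def ticket_hash(ticket):
    """SHA-256 over a canonical JSON encoding of one ticket."""
    return hashlib.sha256(json.dumps(ticket, sort_keys=True).encode()).hexdigest()

def seal_pool(tickets):
    """Record written at post time, stored where bet operators cannot edit it."""
    by_pick = {}
    for t in tickets:
        by_pick[t["pick"]] = by_pick.get(t["pick"], 0) + t["stake"]
    return {
        "hashes": {t["id"]: ticket_hash(t) for t in tickets},
        "net_pool": sum(by_pick.values()) * (1 - TAKEOUT),
        "by_pick": by_pick,
    }

def audit_settlement(seal, tickets, winner):
    """Compare the ledger presented for payout against the sealed record."""
    findings = {}
    # Any ticket whose content no longer matches its sealed hash was edited.
    altered = sorted(t["id"] for t in tickets
                     if seal["hashes"].get(t["id"]) != ticket_hash(t))
    if altered:
        findings["altered_after_close"] = altered
    # The dividend is fixed by the pool as it stood at close, not by the ledger now.
    staked_on_winner = seal["by_pick"].get(winner, 0)
    rate = seal["net_pool"] / staked_on_winner if staked_on_winner else Fraction(0)
    paid = sum(t["stake"] * rate for t in tickets if t["pick"] == winner)
    if paid > seal["net_pool"]:
        findings["payout_over_net_pool"] = paid - seal["net_pool"]
    return findings

# Constructed sample ledger: four win bets on one race.
LEDGER = [
    {"id": "t1", "pick": "A", "stake": 100},
    {"id": "t2", "pick": "B", "stake": 50},
    {"id": "t3", "pick": "C", "stake": 2},
    {"id": "t4", "pick": "A", "stake": 48},
]
SEAL = seal_pool(LEDGER)
# Same ledger with t4 rewritten to the winner after the pool closed.
TAMPERED = [dict(t, pick="C") if t["id"] == "t4" else t for t in LEDGER]

if __name__ == "__main__":
    print(audit_settlement(SEAL, LEDGER, "C"))
    print(audit_settlement(SEAL, TAMPERED, "C"))
```

The check is only as strong as the separation between whoever can edit tickets and whoever holds the sealed record.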

  2. Palladium would have solved this. by _LORAX_ · · Score: 5, Funny


    DRM will be our savior.....

    Oh wait, he required that kind of access to do his job? So DRM wouldn't have helped. What do you mean that most hacks are inside jobs? .... nothing to see, please move along.

  3. What happened to the old days by nogoodmonkey · · Score: 5, Funny

    when people used to give horses steroids so that they would win their bets. All this new technology is confusing!

  4. No registration by DeadSea · · Score: 4, Informative

    Or why don't we look at one of the many articles that don't require registration. Darn NYTimes.

    1. Re:No registration by jimand · · Score: 5, Interesting

      Note that if you follow this link, there is a link to the NYT story that you can see without registration. The URL ends with "&partner=GOOGLE" so it seems that if you are a partner of the NYT, you can access articles without registration. Could /. apply to the Times for partnership status?

    2. Re:No registration by bwdunn · · Score: 5, Informative

      Replace GOOGLE with SLASHDOT and you are in.

      http://www.nytimes.com/2002/10/29/sports/othersports/29RACI.html?ex=1036472400&en=51e22b7df3931513&ei=5062&partner=SLASHDOT

      Linked to Partner "Slashdot"

  5. So? by Lawbeefaroni · · Score: 4, Insightful

    Buttloads of $ vs. determined individual: vulnerability.

    Someone will always find a way to steal and no matter how good your security, when you have the human element on the inside, you are vulnerable. That's why auditing to detect theft is as important as securing against it.

    --
    "When it rains, it pours." --Morton's Salt
  6. This wouldn't have happened when the mob ran it! by webperf · · Score: 5, Funny

    see what happens when you legalize it??? all these crooks get in and screw it over.

  7. No way! by zuggy · · Score: 5, Funny

    Nah, it can't be vulnerable. Online betting is trustworthy. Why, as soon as I get my bonus back from the Nigerian Petroleum Company, I'm going online to bet on the ponies!

  8. I used to write betting software by yamla · · Score: 5, Interesting

    Until a little over a year ago, I was employed at a company that wrote gambling software for sports betting houses. It is big business, let me tell you. :) If anyone has any questions, fire away and I'll answer them.

    I never put any backdoor code into anything I submitted but it would have been very easy to do so. We had well over 300,000 lines of code and very little of it was audited. The only problem would have been getting the backdoor in without other programmers noticing as everyone was responsible for different areas. Still, I know it could have been done, I can picture exactly what it would have taken to do so.

    Would it have been noticed? Possibly eventually, though I have my doubts. Apparently, there was a bug in our code for one of the complex bet types. It ended up _always_ overpaying a specific complex winning bet type by $1. That is, it always rounded up to the next dollar instead of down and this bug went undetected for YEARS.

    All the code was written in VB and we worked crazy amounts of overtime ALL the time. Additionally, the 'business experts' could never get their act in gear and agree to how things should work. I ended up resigning my position.

    --

    Oceania has always been at war with Eastasia.
    1. Re:I used to write betting software by WatertonMan · · Score: 5, Interesting
      Actually wasn't there a huge scandal in Las Vegas a few years ago where someone hacked a lot of the slot machines to screw with the odds? If I recall it actually was one of the distributors of the slot machines. So it wasn't some obscure employee but some people fairly high up in the company. But it is the same idea.

      I'm sure that had the company tried to screw over one of the bigger casinos that they'd have been caught. (And depending upon the casino probably taken care of independently from the police) However so long as regular people are getting screwed, they don't care.

      Same thing with gas stations. Once again I remember a scheme that extra charged gas slightly using computers. Nothing but a few cents on every fillup. But it added up. Once again more the company themselves. But how hard would it have been for an employee to do it?

      The only thing that keeps these schemes from working for individual employees is the cost/danger ratio. These schemes are only worth the risk if you make a fair amount of money. But to make a fair amount of money you have to get that check from the company which is then noticeable by the company auditors. If the "checks" or "expense" is spread out over thousands of people, the auditors are far less likely to discover it. But by the same measure you are far less likely to be able to make use of the money.

    2. Re:I used to write betting software by smileyy · · Score: 4, Interesting

      I recall seeing a story about a programmer who reverse engineered the pseudo-random number generator used in Keno games. The impression I got was that it was a clean-room solution, and yet he was arrested for fraud anyway. Needless to say, I disagreed with the notion that his act was illegal (assuming it was clean room).

      --
      pooptruck
    3. Re:I used to write betting software by Reality+Master+101 · · Score: 5, Interesting

      A long time ago I used to write software for computerized gambling games, such as draw poker. One of the features of the software was being able to dial in a certain payback percentage. The way it worked was that when it drew the final hand (after the cards were held), it would decide on a random basis to redraw the hand if it was a winner. If it was paying out too much, it would gradually redraw the hand more often until it was back to the right payback.

      Anyway, one of the problems we had was that our payout amount field was only 4 digits for a maximum of 9999 coins. The problem was that you had the option to play up to 50 coins at a time, and the highest payout odds were 500 to 1. So management had me make the machine NEVER pay out the big winner if you bet 20 coins or more to avoid the problem.

      The latter was probably illegal, but this company was pretty shady. I didn't work there for very long, and they went bankrupt not long after.

      I still look at the machines in Vegas with suspicion, though. :)

      --
      Sometimes it's best to just let stupid people be stupid.
  9. This is not the way to go. by Prince_Ali · · Score: 4, Informative

    A lot of people make a lot of money on internet gambling sites without breaking a single law. The people who play online poker suck so bad compared to professional poker players that it is like printing money for anyone who plays the game seriously. I suck which is why I don't play, but a lot of people are willing to give up their hard earned money to a redneck who has played poker since before he could write.
    It may not get you $3M, but they won't have to work anymore, and they don't get put in FPMA prison.

  10. Not really hacking; still a problem... by Anonymous+Custard · · Score: 5, Interesting

    This is, just as the article said, a misuse of power, rather than a skillful hack. If I remember, isn't hacking usually prosecuted over the fact that the person obtained illegal access by knowingly circumventing security measures? He was given clearance as part of his job; he misused his security clearance, he didn't gain unauthorized access.

    In any case, I'm surprised that ANYONE has the access to modify bets. Shouldn't that info be encrypted or protected or something, kind of like how your Bank's customer service rep can't look up your pin, but can only reset it to a new pin?

  11. VLT Backdoors? by Rikardon · · Score: 5, Interesting

    Here in Alberta, Canada we have VLTs (Video Lottery Terminals) that let you play a number of different card games and other assorted forms of gambling on a touch-screen terminal. They're a HUGE profit center for the pubs and bars that host them, and for the provincial government. If I were a VLT programmer of questionable moral character, it would be awfully tempting to code a backdoor triggered by some easter egg-type series of screen touches that would let me score a couple hundred dollars at each terminal.

    Anybody ever heard of anything like this happening in real life? As an earlier poster said, if you kept your take down to a couple thousand a week, I think it would be pretty unlikely you'd get caught.

  12. Things you don't do by El_Smack · · Score: 5, Funny


    Tug on Superman's cape.
    Spit into the wind.
    Rip off the NY mafia to the tune of $3,000,000.

    --


    There are 01 kinds of cars in the world. The General Lee, and everything else.
  13. Re:This wouldn't have happened when the mob ran it by ShawnDoc · · Score: 4, Funny

    The same thing happens when the mob runs things. It's just instead of it making it into the paper as a "hacker" story, it would wind up in the paper as "Headless Body Found in East River".

  14. Anyone who's tried this hates it... by Embedded+Geek · · Score: 5, Insightful
    I work for a major supplier of in flight entertainment systems and we are always getting pressure from customers (especially on the Pacific Rim) to implement in flight gaming (i.e. electronic poker or slots). While some of our competitors have dipped a toe into this, we have pretty much steered clear to date.

    The fact is that implementing a gaming system is a nightmare, be it on the ground or in the air. IMHO, quite a bit more difficult than point of sale or banking systems. In addition to being secure, it's gotta be completely fail safe (so if a passenger's terminal goes down seconds after a jackpot he won't lose his winnings and take it out on the cabin crew). Also, it's going to be transaction heavy - hundreds of smaller, individual bets over a gambling session as opposed to, say, a higher end credit card transaction every minute at a department store cash register. If you add in the fact that gambling is a potentially addictive activity that piques the interest of organized crime, you have a recipe for any disaffected insider to slip in hacks and back doors.

    On the whole, I'm not surprised that someone corrupted a gambling system. I'm just surprised that this doesn't make the newspaper more often.

    --

    "Prepare for the worst - hope for the best."

    1. Re:Anyone who's tried this hates it... by Embedded+Geek · · Score: 5, Insightful
      ...it's really racist of you to mention that dig about the Pacific Rim demanding gambling.

      (*SIGH*)

      No racism intended - it's just a fact that Pacific Rim airlines have been primary movers in in flight gaming. Gambling is more accepted there than in the West, with less stigma attached. No Asian businessman expects to get dirty looks from another passenger if he drops a bundle of his own money on blackjack, but I bet you (yes, lame pun intended) that you'd see a lot of that on any US, Canadian, or European carrier (exception: I know Swissair has at least tried gaming. 'Don't know if it's still going strong). And when you think of it, they've got a point - what business is it of anyone how someone loses their cash?

      Also, the U.S. flight attendants' unions fight airborne gaming tooth and nail. As my cousin, an attendant for Delta told me "So now they'll expect us to deal with a guy who's both drunk *and* has lost $500?!"

      Again, this is just a simple observation of cultural differences. The fact is that most of our Asian customers (the airlines) don't understand why we regulate gaming so strongly in the U.S. Once we pitch the technical (and regulatory) challenges, though, they usually decide to request different features in lieu of gaming.

      --

      "Prepare for the worst - hope for the best."

  15. Software is insecure by adb · · Score: 4, Informative

    Also, the ocean is wet, and there is porn on the internet.

    Just so you know.

  16. Vulnerable, Period by gradji · · Score: 5, Insightful

    I'm trying to figure out why people think computerized betting is any more vulnerable to fraud than the non-computerized variety.

    The Breeders' Cup incident was an inside job! There have been numerous Casino incidents where employees have tried to scam their employers. A security system is only as good as the people with whom the system is entrusted. This is true for physical security as well as computer security.

    Lastly, criminals are not, inherently, stupid. It only seems like that as the stupid ones are the ones that usually get caught. Borrowing from Keyser Söze (Kevin Spacey) in Usual Suspects : the greatest trick a master criminal has ever pulled is convincing the world that a crime has not been committed.

    --

  17. Re:Not too smart. by jazman_777 · · Score: 4, Funny
    I will never understand how people come up with good, well thought out crime plans, and then totally screw up the execution by rushing things or bring too much attention to the project. Just dumb.

    Well, the brilliant plan to milk billions from the Federal Reserve Bank in Denver is still going strong, undiscovered.

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  18. I have friends who work (and worked) there... by kelleher · · Score: 5, Interesting

    Two relevant bits of info:
    1) They fired the QA department due to cutbacks over a year ago.
    2) There is no "Production Control" group. The same people who develop the apps support them (with little to no oversight). They have never had a way of preventing this type of fix.

  19. Re:"Wasn't that dumb"?? by Multiple+Sanchez · · Score: 5, Informative
    The winning tickets featured "singles," or races with only one horse selected, in the first four legs of the ticket, and then every horse in the final two races. On a $2 ticket, those combinations and strategy cost $192.

    Mr. Davis bet a $12 pick-six ticket, or played that exact combination six separate times, costing him $1,152. It was a highly unusual strategy for betting the pick six -- horseplayers like to cover as many combinations as possible -- and the configuration raised suspicions of New York Racing Association officials, who alerted Breeders' Cup Ltd. and the state wagering board.

    Mr. Davis had opened the Catskill OTB account within two weeks of the Breeders' Cup, had deposited money on five occasions -- four increments of $500 and one of $250 -- but had not made a bet until that pick six, according to investigative sources.

    The six winning tickets were each worth $428,392. In addition, by including every horse in the last two races, the bettor collected 108 of the 186 consolation payoffs for hitting five of six winners; each consolation ticket was worth $4,606.20.
    snip.

    It's still confusing no matter how many times I read it, but it sounds like he made six identical bets, when the point of the pick-six ticket is to place several different bets on one ticket. Anyone who can clarify this a bit more, please do.