Slashdot Mirror


Six Charged For Hacking Lottery Terminals To Spew Only Winning Tickets (theregister.co.uk)

An anonymous reader cites an article on The Register: Six people have been charged with exploiting a bug in lottery terminals to print off winning tickets on demand. Connecticut prosecutors say the group conspired to manipulate automated ticket dispensers to run off '5 Card Cash' tickets that granted on-the-spot payouts in the US state. According to the Hartford Courant, a group of shop owners and employees set up the machines to process a flood of tickets at once, which caused a temporary display freeze. This allowed operators to see which of the tickets about to be dispensed would be winning ones, cancel the duff ones, and print the good ones, it's alleged. The winning tickets would be cashed and billed to the state lottery.

44 comments

  1. Money Lust Before Sanity by Freshly+Exhumed · · Score: 1

    They honestly did not foresee that someone would track a sudden spike of winning ticket activity to their locations?

    --
    I deny that I have not avoided attaining the opposite of that which I do not want.
    1. Re:Money Lust Before Sanity by Ecuador · · Score: 3, Insightful

      I'm sure they thought of it and discussed how they would be careful and not overdo it and spread the transactions etc. Then, greed.

      --
      Violence is the last refuge of the incompetent. Polar Scope Align for iOS
    2. Re:Money Lust Before Sanity by lucm · · Score: 1

      Maybe there's a piece of information in this quote from the article that could help to better understand things:

      The charges filed against two members of the group, Pranav Patel and Vikas Patel, include first-degree felony counts of computer crime and larceny as well as felony rigging charges.

      --
      lucm, indeed.
    3. Re:Money Lust Before Sanity by Tx · · Score: 1

      They probably did. They could probably have got away with it so long as they kept the amount of wins low enough, they would have guessed that, but having successfully set up the hack, the temptation to take just a little bit more probably got the better of them. Especially with a bunch of people involved, there's always going to be one or two that can't help being greedy idiots.

      --
      Oh no... it's the future.
    4. Re:Money Lust Before Sanity by tnk1 · · Score: 4, Interesting

      Thing is, I bet that the lottery companies know the average win rate of the tickets per machine. So almost any deviation from that percentage would have been a yellow flag. I suppose the perpetrators could have kept it below the level at which the lottery bothers to investigate, but it seems to me that the way this bug works would have made the times that the tickets were dispensed within also very suspicious.

      Together, a cross reference of daily reports on winning percentages and winnings dispensed within say 60 minutes of one another could have found this really quickly.

      So, the amount of winnings that they could have walked away with could have been a lot less than even a non-greedy person would have taken. Messing with equipment that is computerized and which sends back data to a home office for analysis is always a really bad idea unless you know exactly what the tolerances are for investigation. It's way too easy to develop alarms on specific behaviors which can place a report in someone's inbox for investigation when they come into the office the morning after the incident happened.
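
Added example, not part of the thread: a sketch of the cross-reference the comment above describes, scoring each terminal's win rate against the expected rate and counting wins clustered inside 60 minutes. The log layout, terminal IDs, expected win rate and alert threshold are all assumptions made for illustration, and the sample rows are constructed.

```python
from collections import defaultdict
from math import comb

EXPECTED_WIN_RATE = 0.25  # assumed for illustration; the page gives no figure
ALPHA = 0.001             # assumed alert threshold
WINDOW_MIN = 60           # "within say 60 minutes of one another"

def binom_upper_tail(n, k, p):
    """P(X >= k) for X ~ Binomial(n, p): chance of k or more wins by luck."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def max_wins_in_window(win_minutes, window=WINDOW_MIN):
    """Largest count of winning tickets sold inside any `window` minutes."""
    times = sorted(win_minutes)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] >= window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def review_terminals(events, p=EXPECTED_WIN_RATE, alpha=ALPHA):
    """events: (terminal, minute, action, is_winner) rows from the host log."""
    stats = defaultdict(lambda: {"sold": 0, "wins": [], "cancelled": 0})
    for terminal, minute, action, is_winner in events:
        s = stats[terminal]
        if action == "cancelled":
            s["cancelled"] += 1
            continue
        s["sold"] += 1
        if is_winner:
            s["wins"].append(minute)
    report = {}
    for terminal, s in stats.items():
        p_value = binom_upper_tail(s["sold"], len(s["wins"]), p)
        report[terminal] = {
            "sold": s["sold"], "wins": len(s["wins"]),
            "cancelled": s["cancelled"], "p_value": p_value,
            "max_wins_60min": max_wins_in_window(s["wins"]),
            "flag": p_value < alpha,
        }
    return report

def sample_events():
    """Constructed log: T-001 behaves normally, T-002 does not."""
    rows = [("T-001", i * 10, "printed", i % 4 == 0) for i in range(40)]
    rows.append(("T-001", 205, "cancelled", False))
    rows += [("T-002", 600 + i * 4, "printed", i != 5) for i in range(12)]
    rows += [("T-002", 600 + i, "cancelled", False) for i in range(30)]
    return rows

if __name__ == "__main__":
    for terminal, row in sorted(review_terminals(sample_events()).items()):
        print(terminal, row)
```
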

    5. Re:Money Lust Before Sanity by smooth+wombat · · Score: 3, Informative

      Thing is, I bet that the lottery companies know the average win rate of the tickets per machine.

      Yes they do. From the article:

      The Courant says that the lottery commission wised up to the scheme back in November when it heard that people were winning the 5 Card Cash game at a higher-than-expected rate.

      So almost any deviation from that percentage would have been a yellow flag.

      Which it did:

      The game was temporarily halted.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    6. Re:Money Lust Before Sanity by flargleblarg · · Score: 1

      They probably did. They could probably have got away with it ... [snip]

      ...if it weren't for those meddling kids.

    7. Re:Money Lust Before Sanity by WarJolt · · Score: 1

      These guys are charged with "hacking", but accidentally stumbling on a bug and exploiting it doesn't necessarily make you a hacker. Additionally, it clearly doesn't prove any sort of intelligence. Hacking in my opinion requires a bit more intent and insight, which usually is associated with a bit more intelligence than that possessed by this group of buffoons.

      They didn't even have to modify the machine in any way to exploit this. Come on! Hacking? Seriously?

    8. Re:Money Lust Before Sanity by narcc · · Score: 1

      Why does it need to conform to your particular vision? Hacking, in this context, in the old days was mostly social. Calling someone to nab credentials or insider info was most of it. The bulk of the technical side was pitifully simple: make this tone, pick an option not displayed, call every phone number in this exchange, etc.

      accidentally stumbling on a bug and exploiting it doesn't necessarily make you a hacker. [...] Hacking in my opinion requires a bit more intent and insight, which usually is associated with a bit more intelligence

      Why? Stumbling into a bug and exploiting it is, well, pretty much the vision of hacking you seem to have in your head. The only difference being how the bug is found. Though I wonder where you'd draw the line when it comes to defining what is and is not an accident. Is there a difference, for example, between stabbing randomly at a keypad hoping to find a bug and stabbing it randomly in frustration and finding a bug? This doesn't make a lot of sense to me.

    9. Re:Money Lust Before Sanity by just+another+AC · · Score: 1

      accidentally stumbling on a bug and exploiting it doesn't necessarily make you a hacker

      Usually it is deliberate searching, but otherwise it is kind of the definition of hacker!
      (although to be true to the term, the exploitation would only be in pursuit of further knowledge of how the system worked)

    10. Re:Money Lust Before Sanity by Swave+An+deBwoner · · Score: 1

      Yes, they monitor lottery results for atypical events. An entertaining description of one such event involving the "Powerball" lottery, which occurred on March 30, 2005 and which was not due to anybody's illegal actions is described in the Prologue to Jennifer 8 Lee's book The Fortune Cookie Chronicles. And yeah, her middle name really is "8".

      Amazon's "Look Inside This Book" allows viewing of the pages describing this:

      http://www.amazon.com/gp/product/0446580074?ie=UTF8&tag=thefortcookch-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=044658007

    11. Re:Money Lust Before Sanity by Anonymous Coward · · Score: 0

      Hacking, in this context, in the old days was mostly social. Calling someone to nab credentials or insider info was most of it. The bulk of the technical side was pitifully simple: make this tone, pick an option not displayed, call every phone number in this exchange, etc.

      In the old days we called that "social engineering", which we considered to be different from hacking. Only the ignorant media looped it all together.

  2. Yet it's legal... by Mal-2 · · Score: 0

    Yet it's legal to make a machine that pays out 50 cents on the dollar, for which they dare to TAX you if you win too much. Because government.

    And first post.

    --
    How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    1. Re:Yet it's legal... by sims+2 · · Score: 2

      Have you seen what they do with claw machines?
      https://www.youtube.com/watch?...
      IMHO it's even worse.

      --
      Minimum threshold fixed. Thanks!
    2. Re:Yet it's legal... by frovingslosh · · Score: 2

      It is right to scheme to cheat the lottery players. But if you come up with any way to actually avoid being cheated and win, that is illegal.

      --
      I'm an American. I love this country and the freedoms that we used to have.
    3. Re:Yet it's legal... by UnknownSoldier · · Score: 1

      Which machine pays out 50 cents on the dollar?

    4. Re:Yet it's legal... by Mal-2 · · Score: 1

      50% is about the average rate of return for all lotteries nationwide. I didn't care enough to check what it is specifically in this case.

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    5. Re:Yet it's legal... by Anonymous Coward · · Score: 0

      I think you will find it's even higher than that, as long as it's less than $1 on the dollar the company is making money and the players have a better feeling of winning. Which then reinforces the behavior.

    6. Re:Yet it's legal... by UnknownSoldier · · Score: 1

      Exactly. I thought casinos paid out ~97%. Casinos still make money, players feel like they are getting something.

    7. Re:Yet it's legal... by s0nicfreak · · Score: 1

      The only thing that makes me angry about that, is that there's no way to just play the game unless you buy your own machine.
      I would gladly pay $12 and take only 1 prize (if I won any) if it meant I got to do $12 worth of tries that were unrigged.

  3. This just in by ihtoit · · Score: 1

    Criminals take idiots for what they can get.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  4. No need for deliberation by Anonymous Coward · · Score: 1

    Guilty by definition, because "hackers".

  5. Printable instant tickets? by LordKronos · · Score: 4, Interesting

    WTF...the client, which is in the hands of thousands of potentially-hostile vendors, has control over the transaction and is allowed to decide whether it is committed or not AFTER receiving the winning/losing info?

    But that implementation failure aside, I sure hope they fired whoever had the brilliant idea to have printable instant tickets. That's just insane. Having a printable ticket that is instantly identifiable as a winner/loser is just asking for fraud. Aside from the absolutely terrible design of the system in this story, even in a properly designed system, it would be easy to cheat. You set up a system that, when a ticket is printed, a computer scans it and decides if it's a winner. If it is, you keep it for yourself and instantly print up another ticket to hand over to the customer. This is exactly why almost all instant tickets have a scratch-off covering to conceal the answer and instantly identify tampering to the customer buying it.

    1. Re:Printable instant tickets? by YesIAmAScript · · Score: 2

      Printable instant tickets can work.

      But the foolish design thing here was having the machine know the outcome of the ticket before it prints (or even at all). A printable instant ticket should just consist of a random number which can be checked elsewhere to see if it won. Much like a lotto ticket.

      The machine doesn't know which ones are winners so it can't decide to print only winners.

      There will still be a "refund errant ticket" attack as long as there is a refund system for errantly printed tickets. But honestly, I don't see why you need a system of that sort in a system where you don't get to pick your numbers anyway.

      --
      http://lkml.org/lkml/2005/8/20/95
    2. Re:Printable instant tickets? by omgwtfroflbbqwasd · · Score: 1

      But the foolish design thing here was having the machine know the outcome of the ticket before it prints (or even at all).

      By law, individual machines generally need to maintain a guaranteed payout rate. As a result, they need to know whether the player will win or not. When the numbers are computer-generated, then it can be exploited via software. If it's a roll of tickets it is distributing, then the roll is already configured with a specific payback rate.

    3. Re:Printable instant tickets? by known_coward_69 · · Score: 1

      yes, the obvious strategy is to make people send their $5 to the state lottery and wait 4-6 weeks for their ticket to be mailed back to them. that will get people playing.

    4. Re:Printable instant tickets? by Anonymous Coward · · Score: 0

      How do they guarantee a payout rate when you ask the machine to print Powerball tickets with computer-generated numbers?

    5. Re:Printable instant tickets? by Anonymous Coward · · Score: 0

      Computer based gambling machines in casinos say that you are wrong.

    6. Re:Printable instant tickets? by Anonymous Coward · · Score: 0

      Pseudo-random numbers are used with seeds that produce predictable outcomes.

      And the law states that a machine must pay UP TO a certain percentage; not that there is anything that says a minimum amount or percentage must be paid.

      -- the more you know.

      CAP === 'medium'

    7. Re:Printable instant tickets? by Calydor · · Score: 1

      No, the obvious strategy is having one machine that prints the numbers, and another machine that can check which numbers have won. NOT the same machine.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    8. Re:Printable instant tickets? by Anonymous Coward · · Score: 0

      In my state you don't have to scratch anything off to see if it's a winner. The clerk can just scan the back and tell if it's a winner.

      So how do they keep people from cheating? When you buy a scratch ticket the clerk rips it off the roll in front of you. You would notice and hear the beep if the clerk scanned it to see if it was a winner. Also I hear if you scan too many losers the machine stops working or you get a visit from someone.

    9. Re:Printable instant tickets? by penguinoid · · Score: 1

      In my state you don't have to scratch anything off to see if it's a winner. The clerk can just scan the back and tell if it's a winner.

      So how do they keep people from cheating? When you buy a scratch ticket the clerk rips it off the roll in front of you.

      So what is to stop the clerk from scanning the tickets ahead of time, and looting any time there is a winner at the end of the roll? (Obvious countermeasure: check for double-scanning. Obvious counter-countermeasure: keep a local cache of scanned tickets, which is checked first.)

      You would notice and hear the beep if the clerk scanned it to see if it was a winner. Also I hear if you scan too many losers the machine stops working or you get a visit from someone.

      Not if they disable the beeper, or put a switch on it.

      Seriously, this sounds terrible from a security standpoint.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    10. Re:Printable instant tickets? by delt0r · · Score: 1

      The lesson you must learn is that most security is very very poor, ad hoc and sloppy. Even locks on a house hardly slow you down. It's just that most people are honest or stupid. Mostly honest in my experience.

      --
      If information wants to be free, why does my internet connection cost so much?
    11. Re:Printable instant tickets? by tlhIngan · · Score: 1

      By law, individual machines generally need to maintain a guaranteed payout rate. As a result, they need to know whether the player will win or not. When the numbers are computer-generated, then it can be exploited via software. If it's a roll of tickets it is distributing, then the roll is already configured with a specific payback rate.

      What happened was stupider. They basically requested the machine print a bunch of tickets, and for some stupid reason or other, the machine reveals the winners to the retailer's screen. The software doing the displaying halted display updates (froze the screen because there was too much to display) so the non-winning tickets were refunded, while the winning ones cashed.

      So basically the retailers knew which tickets were winners the moment they printed them.

      And you can't just rig your machine to print only winning tickets - all the tickets report back to the lottery commission for verification and tracking purposes.

      Of course, the real thing is to make the lottery mainframe the one who creates tickets for the terminal so the lottery commission knows what tickets are winners before the tickets are printed, and the terminals don't get such information. Maintaining payout rate is easy, just a trivial database access and bookkeeping.
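
Added example, not part of the thread: a minimal model of the design proposed in this comment and in YesIAmAScript's earlier one, where a central host decides outcomes and the terminal receives only a serial number to print. The `LotteryHost` class, its method names, the pool size and the serial format are hypothetical and describe no real lottery system.

```python
import secrets

class LotteryHost:
    """Hypothetical central host: it alone knows which serials win."""

    def __init__(self, pool_size=20, winners=5):
        # A pre-built pool fixes the payout rate, like a printed roll,
        # so the bookkeeping stays on the host.
        pool = [True] * winners + [False] * (pool_size - winners)
        secrets.SystemRandom().shuffle(pool)
        self._pool = pool
        self._tickets = {}  # serial -> {"wins", "state", "terminal"}

    def issue(self, terminal_id):
        """Sell one ticket. The reply carries the serial and nothing else."""
        if not self._pool:
            raise RuntimeError("pool exhausted")
        serial = secrets.token_hex(8)  # random, unrelated to the outcome
        self._tickets[serial] = {
            "wins": self._pool.pop(),
            "state": "sold",
            "terminal": terminal_id,
        }
        return {"serial": serial}

    def void(self, serial):
        """Refund a misprint. Allowed only while the outcome is unrevealed,
        so a refund can never be chosen on the basis of win or loss."""
        ticket = self._tickets.get(serial)
        if ticket is None or ticket["state"] != "sold":
            return False
        ticket["state"] = "void"
        return True

    def redeem(self, serial):
        """Reveal the outcome once. After this the ticket cannot be voided,
        so checking a ticket always costs the price of that ticket."""
        ticket = self._tickets.get(serial)
        if ticket is None or ticket["state"] != "sold":
            return None
        ticket["state"] = "redeemed"
        return ticket["wins"]

if __name__ == "__main__":
    host = LotteryHost()
    serial = host.issue("T-002")["serial"]
    print("terminal sees only:", serial)
    print("outcome at redemption:", host.redeem(serial))
    print("void after redemption accepted?", host.void(serial))
```
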

    12. Re:Printable instant tickets? by Actually,+I+do+RTFA · · Score: 1

      But honestly, I don't see why you need a system of that sort in a system where you don't get to pick your numbers anyway.

      Same reason that they put silver stuff on the payout information on scratchers. If you can buy a ticket from someone who can already know if it is a winner or a loser, the customer has to assume the clerk already looked at it, and is only selling the losers. The only two ways to counteract that are (a) have it not be knowable at the time of sale (powerball) or (b) have it obviously be uncheckable at the time of sale (silver scratchoff or see it get printed in front of you.)

      --
      Your ad here. Ask me how!
    13. Re:Printable instant tickets? by Agripa · · Score: 1

      The nature of the implementation and flaw makes me think that it was programmed this way deliberately and these people who are being charged are not part of the group that was supposed to take advantage of it.

  6. Who created the bugs? by Anonymous Coward · · Score: 0

    Have any employees been fired? Any contractors fined?
    How many "security consultants" and firms sucked down big bucks to declare the flawed system secure? Are those same failures getting fat new contracts to re-check the systems?

  7. Why is this possible? by allo · · Score: 1

    I think a lottery should be "buy a ticket" and "win or lose later". For example simple lotto just works by buying in advance and then watching the draw on TV. There is almost no chance to cheat (maybe if you work for the lottery ... but then you may have a lot of other immoral options as well).

    1. Re:Why is this possible? by wonkey_monkey · · Score: 1

      That's probably far too expensive and wastes far too much time, as far as the lottery runners are concerned. Can't sell people more lottery tickets if they're all waiting to find out if their last one won or not!

      The possibility of instant wins makes the whole concept more like a slot machine with a printer instead of spinning reels.

      --
      systemd is Roko's Basilisk.
  8. Why is this a bad thing? by StripedCow · · Score: 1

    By not printing the worthless tickets, they were acting in the interest of the environment. Good for them!

    --
    If Pandora's box is destined to be opened, *I* want to be the one to open it.
  9. OMG, Rahul Gandhi is arrested! by 140Mandak262Jamuna · · Score: 1

    [The charged] were identified Tuesday as Prakuni Patel and Rahul Gandhi, both of Jobs Road,

    Wait till Indian newspapers get wind of this story ...

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  10. Please don't steal... by Anonymous Coward · · Score: 1

    This proves the old adage.

              Please don't steal
              The Government hates the competition

    So, when the Government gains the advantage, the people are damned.
    When the People gain the advantage, the People are damned.

    It's a Lose-Lose situation for us.

  11. Linux based terminals by basecastula+ · · Score: 1

    All the California terminals are linux based. Monta Vista linux I believe. I wonder what these were.

  12. That's right, kids... by Anonymous Coward · · Score: 0

    It's only legal to dupe and trick your way into millions of dollars if you work FOR the lottery; if you're supposed to be one of the marks, (the morons who give money to the lottery,) you're not supposed to win, nor at least, not as much as you LOSE.

    Lotteries are taxes on people who are bad at math, and who don't have a clue about probability and statistics.