
Six Charged For Hacking Lottery Terminals To Spew Only Winning Tickets (theregister.co.uk) 44

An anonymous reader cites an article on The Register: Six people have been charged with exploiting a bug in lottery terminals to print off winning tickets on demand. Connecticut prosecutors say the group conspired to manipulate automated ticket dispensers to run off '5 Card Cash' tickets that granted on-the-spot payouts in the US state. According to the Hartford Courant, a group of shop owners and employees set up the machines to process a flood of tickets at once, which caused a temporary display freeze. This allowed operators to see which of the tickets about to be dispensed would be winning ones, cancel the duff ones, and print the good ones, it's alleged. The winning tickets would be cashed and billed to the state lottery.
  • They honestly did not foresee that someone would track a sudden spike of winning ticket activity to their locations?

    • by Ecuador ( 740021 ) on Saturday March 26, 2016 @01:12PM (#51782717) Homepage

      I'm sure they thought of it and discussed how they would be careful and not overdo it and spread the transactions etc. Then, greed.

      • by WarJolt ( 990309 )

        These guys are charged with "hacking", but accidentally stumbling on a bug and exploiting it doesn't necessarily make you a hacker. Additionally, it clearly doesn't prove any sort of intelligence. Hacking in my opinion requires a bit more intent and insight, which usually is associated with a bit more intelligence than that possessed by this group of buffoons.

        They didn't even have to modify the machine in any way to exploit this. Come on! Hacking? Seriously?

        • by narcc ( 412956 )

          Why does it need to conform to your particular vision? Hacking, in this context, in the old days was mostly social. Calling someone to nab credentials or insider info was most of it. The bulk of the technical side was pitifully simple: make this tone, pick an option not displayed, call every phone number in this exchange, etc.

          accidentally stumbling on a bug and exploiting it doesn't necessarily make you a hacker. [...] Hacking in my opinion requires a bit more intent and insight, which usually is associated with a bit more intelligence

          Why? Stumbling into a bug and exploiting it is, well, pretty much the vision of hacking you seem to have in your head. The only difference being how the bug is found. Though I won

        • accidentally stumbling on a bug and exploiting it doesn't necessarily make you a hacker

          Usually it is deliberate searching, but otherwise it is kind of the definition of hacker!
          (although to be true to the term, the exploitation would only be in pursuit of further knowledge of how the system worked)

    • by lucm ( 889690 )

      Maybe there's a piece of information in this quote from the article that could help to better understand things:

      The charges filed against two members of the group, Pranav Patel and Vikas Patel, include first-degree felony counts of computer crime and larceny as well as felony rigging charges.

    • by Tx ( 96709 )

      They probably did. They could probably have got away with it so long as they kept the amount of wins low enough, they would have guessed that, but having successfully set up the hack, the temptation to take just a little bit more probably got the better of them. Especially with a bunch of people involved, there's always going to be one or two that can't help being greedy idiots.

      • by tnk1 ( 899206 ) on Saturday March 26, 2016 @01:28PM (#51782787)

        Thing is, I bet that the lottery companies know the average win rate of the tickets per machine. So almost any deviation from that percentage would have been a yellow flag. I suppose the perpetrators could have kept it below the level at which the lottery bothers to investigate, but it seems to me that the way this bug works would have made the times that the tickets were dispensed within also very suspicious.

        Together, a cross reference of daily reports on winning percentages and winnings dispensed within say 60 minutes of one another could have found this really quickly.

        So, the amount of winnings that they could have walked away with could have been a lot less than even a non-greedy person would have taken. Messing with equipment that is computerized and which sends back data to a home office for analysis is always a really bad idea unless you know exactly what the tolerances are for investigation. It's way too easy to develop alarms on specific behaviors which can place a report in someone's inbox for investigation when they come into the office the morning after the incident happened.
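The per-terminal cross-reference described in the comment above, as an added example that is not part of the thread or of any lottery operator's system. It also checks the share of cancelled tickets, since the story summary says losing tickets were cancelled; the terminal ids, counts, baseline win rate and thresholds are all constructed.

```python
from math import comb

# Constructed daily report rows:
# (terminal_id, tickets_printed, tickets_cancelled, winners_printed)
BASELINE_WIN_RATE = 0.25   # hypothetical; substitute the game's real odds
ALPHA = 1e-6               # chance of flagging an honest terminal on luck alone
MAX_CANCEL_RATIO = 0.10    # hypothetical tolerance for voided tickets

DAILY_REPORT = [
    ("T-001", 400, 6, 97),
    ("T-002", 380, 4, 104),
    ("T-003", 60, 410, 51),   # few tickets printed, most requests cancelled
    ("T-004", 120, 2, 41),
]

def binomial_tail(n, k, p):
    """P(X >= k) for X ~ Binomial(n, p): odds of k or more winners by luck."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def review_terminal(printed, cancelled, winners, p=BASELINE_WIN_RATE):
    """Return the reasons (possibly none) a terminal's day looks abnormal."""
    reasons = []
    # Win rate: is this many winners plausible at the baseline odds?
    if printed and binomial_tail(printed, winners, p) < ALPHA:
        reasons.append("win rate")
    # Cancel ratio: selective printing shows up as a flood of voided requests.
    requested = printed + cancelled
    if requested and cancelled / requested > MAX_CANCEL_RATIO:
        reasons.append("cancel ratio")
    return reasons

def flag_terminals(report):
    """Map terminal id -> reasons, for terminals worth an analyst's time."""
    flagged = {}
    for terminal_id, printed, cancelled, winners in report:
        reasons = review_terminal(printed, cancelled, winners)
        if reasons:
            flagged[terminal_id] = reasons
    return flagged

if __name__ == "__main__":
    for terminal_id, reasons in flag_terminals(DAILY_REPORT).items():
        print(terminal_id, "->", ", ".join(reasons))
```

An exact binomial tail is used instead of a fixed percentage threshold so that a small shop with a lucky day (T-004) is not flagged while a terminal printing 51 winners out of 60 is.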

        • by smooth wombat ( 796938 ) on Saturday March 26, 2016 @01:37PM (#51782837) Journal

          Thing is, I bet that the lottery companies know the average win rate of the tickets per machine.

          Yes they do. From the article:

          The Courant says that the lottery commission wised up to the scheme back in November when it heard that people were winning the 5 Card Cash game at a higher-than-expected rate.

          So almost any deviation from that percentage would have been a yellow flag.

          Which it did:

          The game was temporarily halted.
        • Yes, they monitor lottery results for atypical events. An entertaining description of one such event involving the "Powerball" lottery, which occurred on March 30, 2005 and which was not due to anybody's illegal actions is described in the Prologue to Jennifer 8 Lee's book The Fortune Cookie Chronicles. And yeah, her middle name really is "8".

          Amazon's "Look Inside This Book" allows viewing of the pages describing this:

          http://www.amazon.com/gp/product/0446580074?ie=UTF8&tag=thefortcookch-20&l [amazon.com]
      • They probably did. They could probably have got away with it ... [snip]

        ...if it weren't for those meddling kids.

  • Yet it's legal to make a machine that pays out 50 cents on the dollar, for which they dare to TAX you if you win too much. Because government.

    And first post.

    • by sims 2 ( 994794 )

      Have you seen what they do with claw machines?
      https://www.youtube.com/watch?... [youtube.com]
      IMHO it's even worse.

      • The only thing that makes me angry about that, is that there's no way to just play the game unless you buy your own machine.
        I would gladly pay $12 and take only 1 prize (if I won any) if it meant I got to do $12 worth of tries that were unrigged.
    • It is right to scheme to cheat the lottery players. But if you come up with any way to actually avoid being cheated and win, that is illegal.
    • Which machine pays out 50 cents on the dollar?

      • by Mal-2 ( 675116 )

        50% is about the average rate of return for all lotteries nationwide. I didn't care enough to check what it is specifically in this case.

  • Criminals take idiots for what they can get.

  • by Anonymous Coward

    Guilty by definition, because "hackers".

  • by LordKronos ( 470910 ) on Saturday March 26, 2016 @01:29PM (#51782793)

    WTF...the client, which is in the hands of thousands of potentially-hostile vendors, has control over the transaction and is allowed to decide whether it is committed or not AFTER receiving the winning/losing info?

    But that implementation failure aside, I sure hope they fired whoever had the brilliant idea to have printable instant tickets. That's just insane. Having a printable ticket that is instantly identifiable as a winner/loser is just asking for fraud. Aside from the absolutely terrible design of the system in this story, even in a properly designed system, it would be easy to cheat. You set up a system that, when a ticket is printed, a computer scans it and decides if it's a winner. If it is, you keep it for yourself and instantly print up another ticket to hand over to the customer. This is exactly why almost all instant tickets have a scratch-off covering to conceal the answer and instantly identify tampering to the customer buying it.

    • Printable instant tickets can work.

      But the foolish design thing here was having the machine know the outcome of the ticket before it prints (or even at all). A printable instant ticket should just consist of a random number which can be checked elsewhere to see if it won. Much like a lotto ticket.

      The machine doesn't know which ones are winners so it can't decide to print only winners.

      There will still be a "refund errant ticket" attack as long as there is a refund system for errantly printed tickets. But hon
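The design argued for in the two comments above (the terminal prints only a number, the outcome is checked elsewhere, and the sale is committed before the outcome can be known), as an added sketch that is not code from the thread or from any real lottery system. The class, its method names, the keyed-hash outcome rule and the odds are hypothetical.

```python
import hashlib
import hmac
import secrets

class TicketServer:
    """Hypothetical central server; terminals only ever see serial numbers."""

    def __init__(self, win_one_in=4):
        self._key = secrets.token_bytes(32)  # outcome key never leaves the server
        self._win_one_in = win_one_in        # constructed odds, a power of two
        self._state = {}                     # serial -> "sold" | "checked" | "void"

    def sell(self, terminal_id):
        # The sale is committed here, before anyone can learn the outcome.
        serial = f"{terminal_id}-{secrets.token_hex(8)}"
        self._state[serial] = "sold"
        return serial                        # the only thing the terminal prints

    def _is_winner(self, serial):
        # Keyed hash: without the server key a serial reveals nothing.
        digest = hmac.new(self._key, serial.encode(), hashlib.sha256).digest()
        return int.from_bytes(digest[:8], "big") % self._win_one_in == 0

    def check(self, serial):
        # Looking up an outcome is recorded, so it cannot be undone by a refund.
        if self._state.get(serial) not in ("sold", "checked"):
            raise ValueError("unknown or voided ticket")
        self._state[serial] = "checked"
        return self._is_winner(serial)

    def cancel(self, serial):
        # Refunds for misprints are refused once the outcome could be known.
        if self._state.get(serial) != "sold":
            return False
        self._state[serial] = "void"
        return True

def demo():
    server = TicketServer()
    kept, misprint = server.sell("T-001"), server.sell("T-001")
    assert server.cancel(misprint)   # voided before any outcome lookup: allowed
    server.check(kept)               # holder now knows whether it won
    return server.cancel(kept)       # too late: returns False

if __name__ == "__main__":
    print("cancel after check allowed?", demo())
```

Refusing cancellation after a lookup is what closes the "refund errant ticket" path the comment mentions: a ticket can be voided or checked, never both.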

      • But the foolish design thing here was having the machine know the outcome of the ticket before it prints (or even at all).

        By law, individual machines generally need to maintain a guaranteed payout rate. As a result, they need to know whether the player will win or not. When the numbers are computer-generated, then it can be exploited via software. If it's a roll of tickets it is distributing, then the roll is already configured with a specific payback rate.

        • by tlhIngan ( 30335 )

          By law, individual machines generally need to maintain a guaranteed payout rate. As a result, they need to know whether the player will win or not. When the numbers are computer-generated, then it can be exploited via software. If it's a roll of tickets it is distributing, then the roll is already configured with a specific payback rate.

          What happened was stupider. They basically requested the machine print a bunch of tickets, and for some stupid reason or other, the machine reveals the winners to the reatil

      • But honestly, I don't see why you need a system of that sort in a system where you don't get to pick your numbers anyway.

        Same reason that they put silver stuff on the payout information on scratchers. If you can buy a ticket from someone who can already know if it is a winner or a loser, the customer has to assume the clerk already looked at it, and is only selling the losers. The only two ways to counteract that are (a) have it not be knowable at the time of sale (powerball) or (b) have it obviously be u

    • Yes, the obvious strategy is to make people send their $5 to the state lottery and wait 4-6 weeks for their ticket to be mailed back to them. That will get people playing.
      • by Calydor ( 739835 )

        No, the obvious strategy is having one machine that prints the numbers, and another machine that can check which numbers have won. NOT the same machine.

    • by delt0r ( 999393 )
      The lesson you must learn is that most security is very very poor, ad hoc and sloppy. Even locks on a house hardly slow you down. It's just that most people are honest or stupid. Mostly honest in my experience.
    • by Agripa ( 139780 )

      The nature of the implementation and flaw makes me think that it was programmed this way deliberately and these people being charged are not part of the group that was supposed to take advantage of it.

  • I think a lottery should be "buy a ticket" and "win or lose later". For example simple lotto just works by buying in advance and then watching the draw on TV. There is almost no chance to cheat (maybe if you work for the lottery ... but then you may have a lot of other immoral options as well).

    • That's probably far too expensive and wastes far too much time, as far as the lottery runners are concerned. Can't sell people more lottery tickets if they're all waiting to find out if their last one won or not!

      The possibility of instant wins makes the whole concept more like a slot machine with a printer instead of spinning reels.

  • By not printing the worthless tickets, they were acting in the interest of the environment. Good for them!

  • [The charged] were identified Tuesday as Prakuni Patel and Rahul Gandhi, both of Jobs Road,

    Wait till Indian newspapers get wind of this story ...

  • by Anonymous Coward

    This proves the old adage.

              Please don't steal
              The Government hates the competition

    So, when the Government gains the advantage, the people are damned.
    When the People gain the advantage, the People are damned.

    It's a Lose-Lose situation for us.

  • All the California terminals are Linux based. Monta Vista Linux I believe. I wonder what these were.
