- March 30, 2016
- Posted by: Kerry Tomlinson, Archer News
- Categories: Cyberattack, Posts with image, Vulnerabilities
Tech experts explain how someone can rig the system for big payouts.
It was supposed to be a random draw.
But back in 1980, someone injected latex paint into some of the ping pong balls used for the Pennsylvania lottery, to make them heavier and sink to the bottom. The balls with fours and sixes did not have paint, and rose to the top. The winning number, as seen on live television, was 666.
It turned out that the TV host, a studio technician and a lottery official had conspired to rig the game, according to WESA, a National Public Radio station in Pittsburgh. The conspirators behind the “Triple Six Fix” ended up under arrest, the theft totaling $1.2 million.
But cheaters are still finding ways to get around the system, from lottery sellers arrested and accused of manipulating the terminals to get only winning tickets, to a lottery security officer who was convicted of using malware to help him and his friends win big.
Some lotteries use random number generators on computers to spit out the winning combination of digits.
But there may be a weakness in the system, according to Doug Jacobson, director of the Iowa State University Information Assurance Center.
“The funny thing about the random number generator is, on a computer, it’s not really random,” he said.
Jacobson said you have to start with a seed number to input into the computer for the random number generator.
“You try to get as random number as possible for the seed,” he said. However, he added, “If I know the seed, I know the answer to the random number generator.”
A formal Iowa Lottery official, Eddie Tipton, was convicted of fraud in July, after prosecutors said he manipulated the numbers for Hot Lotto, reported the Des Moines Register. They said he bought a winning Hot Lotto ticket worth $14 million in 2010, and had friends and family buy other big jackpot tickets.
Tipton was the information security director for the Multi-State Lottery Association, a group that runs big-name lottery games like Powerball and Mega Millions, and had access to the random number generator, according to the Des Moines Register.
Tipton may have been able to manipulate the seed number, Jacobson told Archer News.
Prosecutors said Tipton accessed the computer in 2010, resetting the surveillance camera to take pictures only once every sixty seconds, and inserted a USB drive with malware that erased itself to cover up its tracks, reported The Daily Beast.
Tipton could have set the seed number to the time of day, Jacobson suggested, so that he could calculate the Hot Lotto winning numbers at any point in the future.
“If I can pick the seed value, I can know the answer, and I can tell you on that day what the answer to the Hot Lotto is going to be,” he said. “So, my malware would sit there, and I’d go, ‘It’s the day I’m going to win.’”
Protecting lottery computers
Some lotteries take many steps to protect their number-generating computers.
In Oregon, the Megabucks random number generator sits at lottery headquarters in the state capital, under 24-hour video surveillance, reported the Portland Tribune.
It is not connected to the state lottery’s central computer system, lottery spokesperson Chuck Baumann told the Tribune, and is monitored for security issues, as well as tested by an independent testing laboratory.
When it is time to draw the numbers, the spokesperson said the central computer systems asks the random number generator for the winning numbers, according to the report.
But this system may not be foolproof, according Jacobson.
Separating the random number generator from the central computer system is usually a good step toward safety, to prevent malicious hackers from getting in through the web, cybersecurity experts say.
“These aren’t on the Internet. You can’t go to www.iowalottery.randomnumbergenerator.com” said Jacobson.
But someone could try to intercept the communication between the central computer system and the number generator computer, he said, perhaps manipulating the communication to show the wrong numbers.
“The really key thing is if I can get everybody along the line to agree—this is the lottery number,” he added. “That’s how I win.”
The communication hack might be discovered pretty quickly, according to Jacobson. The easier way, he suggested, would be Tipton’s method.
“They live in glass cases,” he said, describing the random number generator computers, “But you still periodically have to do maintenance on them. You have to update the software.”
“Eddie would have the ability to take things out of their glass boxes and update them,” he said. “That’s the most logical time to insert the rootkit [software that lets you have administrator-level access to a computer], is during this update process.”
Failure in process?
The solution to the Hot Lotto case could have been a human one, he said.
“Most organizations that deal with large sums of money always have two people to look at each other,” he said. “They only had one person. To me, the process would be: two people update the computer. It’s harder to have multiple people in collusion.”
“This was as much of a process failure as it was a computer security failure,” he added. “If a malicious person has physical access to a computer, can touch it, hold it, it’s pretty much game over.”
Tipton is not the first lottery official to face charges. The former deputy director of security at the Arkansas Lottery Commission, Remmele Mazyck, stole more than 22,000 lottery tickets between 2009 and 2012 and won almost $500,000 in cash, reported KATV in Little Rock.
The Arkansas Lottery Commission Director, Bishop Woosley, told KATV after Mazyck’s guilty plea that “Mazyck implemented many of the commission’s internal security measures, so he was able to design them in a way that he could manipulate them.”
After Tipton’s sentencing hearing in September, where he received 10 years in prison, the Iowa lottery CEO said the agency is working on security.
“We will continue to make sure that games are fair in every way, shape or form and investigate any lead that we may have that it’s not,” CEO Terry Rich told KCCI in Des Moines.
Tipton has filed an appeal.
Prosecutors have since filed more charges against Tipton, alleging that he was involved in more false payouts, reported the Des Moines Register.
Tipton told The Daily Beast he didn’t do it.
“I know how the game works,” Tipton said in the article. “So either I’m an incredible genius that did something stupid or I’m just plain incredibly stupid. But how can I be an incredible genius and do something stupid at the same time?”
Fallout for lottery players
Some say the Iowa Lottery should have known better.
A new Hot Lotto winner filed a lawsuit in February, saying the $6 million prize he won should have been bigger, reported the Des Moines Register.
Lottery officials “followed its protocols” and re-set the winnings back to $1 million after Tipton’s conviction, according to the article, but the lawsuit says that money should have instead continued to accumulate, giving the new winner $16 million. Also, the lawsuit said lottery officials should have had security technology that could uncover employee wrongdoing.
“For nine years, this person was able to access the lottery equipment,” attorney Jerry Crawford said in the article. “You might ask yourself what kind of oversight was actually being provided.”
As for the Iowa Lottery, the Des Moines Register said the agency does not believe it owes the new winner more money.
“We believe that Mr. Dawson rightfully was paid the jackpot to which he was entitled,” said Rich, in the report. “… Our lottery will defend its efforts to protect lottery players in any forum, including in this litigation.”
Buying a ticket?
Cases like these may help lotteries improve their systems, Jacobson said.
“Any time you have a security breach, it helps everybody else who wasn’t affected. They learn something if they’re doing the same thing or have the same system. They can learn from that,” he said.
Should these breaches make people think twice about buying a ticket?
“I don’t think it should make people very afraid of playing the lottery, if they are already playing it,” he said.
“There is a reason not to play the lottery. But that’s a different discussion,” he added.