- March 28, 2016
- Posted by: Kerry Tomlinson, Archer News
- Category: Hacking, Posts with image, Vulnerabilities
Did the people selling lottery tickets just get lucky, or did the lottery retailers hack the lotto terminal?
They catch some thieves with fistfuls of lottery tickets, like the young man in Maryland accused of smashing a gas station window, grabbing more than $3,000 worth of tickets and running off.
But others may be using a glitch in the computer system to guarantee themselves a ‘win.’ And some of those “hackers” may be the very people selling you your ticket at lunch time on on the way home from work.
Police in Connecticut have arrested six people—all lottery retailers or employees—for allegedly manipulating the lottery terminals to earn themselves lottery cash in the 5 Card Cash instant winner game, according to the Hartford Courant.
The suspects found a way to make so many requests—like asking for reports or entering purchases—to the lottery terminal that it slowed down, the Hartford Courant reported. And when the terminal slowed down, it showed which tickets were instant winners and which were instant losers—before anyone actually paid money for that ticket. In theory, the person running the register could see the ticket was a no-payoff and cancel the transaction before being charged.
In one check, one of the stores in question showed a 76% win rate for instant lottery tickets.
“Boy, you want to talk about a software screw-up,” said Doug Jacobson, director of the Iowa State University Information Assurance Center.
How did it happen?
The 5 Card Cash software developers may have created a way to allow retailers to cancel bad transactions, Jacobson told Archer News.
“You have to have a way to back out of the transaction up until the point it’s being completed,” he said.
Cheaters may have used that path to cash in.
It would not have taken any special hacking skills, he explained. Lottery sellers might have found it by accident.
“You get a busy day and you start entering requests over and over again, and all of sudden, it’s telling me the answer and it hasn’t printed yet,” Jacobson said. “’Man, if I make it very busy, it’s giving me the answer before it prints the answer.'”
It can be hard to write software that is foolproof, said Jacobson. After all, even big companies like Microsoft that spend a lot of money on security have to send out updates and patches regularly, he pointed out.
“You can’t test every possible scenario,” he said.
But this problem might have been caught earlier.
“Usually, you try to do load testing and what happens if the machine does get busy,” Jacobson said. “Yeah, I think you could come up with a little better way of handling this one.”
Not the first sign of possible lottery cheating
Other states have investigated lottery sellers after reports of dramatic win rates for the owners and/or employees.
A Florida man who owned seven convenience stores won, along with his family, $1,000 or more 47 times in four years, reported WFTS in Tampa Bay last year. The state finally suspended his lottery privileges.
Another Florida family operating convenience stores won big almost 50 times, including a $3 million dollar prize, reported WFTS. The state ended up suspending their lottery sales because they did not tell the state about felony arrests on welfare fraud charges, as required.
In Washington, D.C., lottery sellers are very lucky. Astronomically lucky, according to WUSA. The station reported last fall that at least three sellers won the lottery about 100 times.
WUSA’s investigation found that most of the top five lottery “frequent winners” in D.C. are lottery sellers.
A lottery spokesperson said frequent wins by lottery sellers does not necessarily mean that they are cheating, according to the report. But statisticians said the chances are almost astronomical, according to WUSA.
“The chance that the top three occupations are all lottery retailers is one in 10,000,000,000” said Johns Hopkins University statistics professor Dan Naiman in the report.
Another store owner won 27 times, averaging $30,000 per payout, the station reported.
“That is statistically ridiculous. It just doesn’t happen,” University of Illinois Professor Emeritus John Kindt told WUSA. “With the computer software available to lotteries, these statistical red flags should have alerted lottery regulators as far back as 2012.”
Luck and tech
You can expect more issue like these, according to Jacobson, as we continue to mix technology and lottery games.
“People are very clever, and it’s the downside of any piece of software,” he said.
But there is an upside to these cases as well, he said.
“I think we’re seeing all the lotteries go back and review the processes and procedures, which is a good thing,” he said. “I think overall it’s going to make the game more fair.”
In “Lottery ‘Luck’” part two tomorrow, Archer News looks at an ‘historic’ lottery cheat case where a computer security insider may have pulled off a heist across five states.