Schneier on Security
A blog covering security and security technology.
May 7, 2007
Weird Lottery Hack
This is a weird story:
On January 4, 2005 Dr Lee and Ms Day presented their Lotto ticket at the World Square Newsagency Bookshop. A friend took their photo with the ticket before they handed it in and filled in a claim form.
After the transaction, the employee who had served them, Chrishartato Ongkoputra, known as Chris Ong, substituted their claim form for one of his own. He then sent his form, and their winning ticket, to NSW Lotteries.
"The stars really aligned for him," said the barrister James Stevenson, SC, who is representing newsagents Michael Pavellis and his partner Sheila Urech-Tan.
Mr Ong knew that NSW Lotteries would not pay out for 14 days. He told his boss he was having visa problems and needed to return temporarily to Indonesia. He gambled that the backpackers would not chase up their win until after he had left the country.
Posted on May 7, 2007 at 11:07 AM
Wow. Leaving the gaping security hole aside - I'm surprised with a $500K payout the lottery folks do not do a formal presentation! You know - big check, local media, lots of pictures.
He still may have scammed them, but it becomes a lot more risky if you have to do a media show.
Or isn't 220K pounds a lot in Britain these days :-)
Weird? Bold maybe, but hardly "weird."
There is clearly a security risk in allowing retailers to verify and redeem winning tickets. Taking advantage of that fact is a rather obvious hack rather than a "weird" one.
In a similar vein, there are stories of retail clerks doing this on a smaller scale with gift cards which have no retail value printed on them. In one method, the clerk contrives a way to claim the card is lower in value than it actually is and keeps the remaining balance by retaining the supposedly drained card.
In Ontario, the lottery corporation has started installing "self check terminals". While these do reduce the load on clerks checking tickets for customers, they also let customers know they have a winning ticket *before* they give it to a clerk for redemption.
Previously, it appeared to be possible for clerks to carefully substitute a non-winning ticket for the scan, so that the terminal would not sound the "you've won!" music. The customer would go away mildly disappointed, while the clerk would check the ticket later. I can see how more careful clerks could study the winning numbers so as to identify winning tickets at a glance, and only substitute on moderate winnings so as to avoid drawing suspicion.
I don't know if it's possible in this case, but wouldn't it be better to go to the lottery office to turn in the ticket? If I won $100, I can see turning in the ticket at any random place. If I won a significant amount of money, I would take it to the lottery HQ. On tickets here in Seattle, they have text on them that says winning tickets can be turned in at the lottery offices, and I would hope such a thing is fairly standard. Why leave prize retrieval to chance? Show up in person and get your money.