Hacking Lotteries

Two items on hacking lotteries. The first is about someone who figured out how to spot winner in a scratch-off tic-tac-toe style game, and a daily draw style game where expcted payout can exceed the ticket price. The second is about someone who has won the lottery four times, with speculation that she had advance knowledge of where and when certain jackpot-winning scratch-off tickets would be sold.

EDITED TO ADD (8/13): The Boston Globe has a on how to make money on Massachusetts' Cash WinFall.

Posted on August 4, 2011 at 7:36 AM • 31 Comments


Alan KaminskyAugust 4, 2011 8:25 AM

@ Nathan Gilliatt

This particular lottery is a tax on the statistically challenged, but the tax money goes to those who can afford to spend $100K on lottery tickets. Robin Hood in reverse -- take from the poor to give to the rich.

AlanSAugust 4, 2011 8:39 AM

The Boston Globe has a detailed account of the how to make money on Massachusetts' Cash WinFall:

"For a few days about every three months, Cash WinFall may be the most reliably lucrative lottery game in the country. Because of a quirk in the rules, when the jackpot reaches roughly $2 million and no one wins, payoffs for smaller prizes swell dramatically, which statisticians say practically assures a profit to anyone who buys at least $100,000 worth of tickets."

No OneAugust 4, 2011 9:14 AM

The interesting thing about the WinFall game is that it's a gambit -- you have to assume that you will be purchasing the majority or at least a statistically significant number of tickets during the rolldown phase.

By making this winning period more well-known it could have the effect of increasing play of the game and, by doing so, making it less lucrative to game like this, making it "more fair".

I think this would be exactly what the lottery commission wants as well.

AliaAugust 4, 2011 9:50 AM

There is usually little incentive to fix little quirks like this because, over time, those running the lotteries always come out ahead.

For the scratch-off games, it doesn't matter who wins all the prizes as long as it does not significantly decrease the number of non-winners.

For the draw games, the times when payouts exceed purchases is built into the overall system. Over the course of a year, the organizers still make plenty of money. As long as they maintain the thought in people's minds that anyone can win the huge jackpot, they will be assured plenty of customers.

SQBAugust 4, 2011 10:13 AM

The remarkable thing about Joan R. Ginther is, besides her four wins of course, that she bought her winning tickets at the same store. Now I know next to nothing about lottery games and other types of gambling in Texas (I'm on the other side of the Atlantic, for starters), but I'd say that four big (over one million) prizes showing up in one store, even over a span of several decades, is pretty unusual. Or are those amounts paid out on a daily basis?

toddAugust 4, 2011 11:28 AM

my wife is from spain; there, it is relatively common practice for black money to be laundered through the purchase of winning lottery tickets (at over face value)

scottnottheotherscottAugust 4, 2011 11:54 AM


It is pretty unusual, I've only ever heard one story of it happening! ;-)

I'm not sure that the location is a huge mulitiplier though. If you model ticket buyers as people of habit who enjoy the weekly (daily? I don't know, I don't play) ritual of picking up a ticket and chatting a bit with the cashier, it's not a huge factor, because routine brings them back to the same place again and again.

100% of buyers don't buy from only one store(if they did location would have no effect on probability of winning at the same store four times, it would just be the probability of winning four times) but it might be a better model than people picking a random store every time, which they certainly don't do.

DanielAugust 4, 2011 12:17 PM

"(Winning tickets cannot be randomly placed because of the chance that they might all bunch up in one pack.)"

From one of the article noted above...

Huh? and double..wait..what. How can it possibly be considered a random draw if the draw is not random? All the lotteries I know list the odds of winning based upon the assumption there is a random draw.

JimFiveAugust 4, 2011 12:34 PM

For draw type lotteries that is true. For scratch-off lotteries that isn't true. The ticket is a winner or not when it is printed. Each roll of tickets has some number of winners on the roll. To accomplish this the winners cannot be distributed randomly, but must be distributed "evenly" (for some definition of even). In this case the "randomness" (more properly, arbitrariness) of the winner is based on no one knowing

  1. which winners are on which roll

  2. which store will get which roll

  3. when each roll will be sold

  4. which tickets on any given roll are winners

  5. Who will by any given ticket

If a player can identify a ticket as a winner/loser before buying then 4 and 5 have failed and it becomes possible to beat the game.

Bryan FeirAugust 4, 2011 1:24 PM


Part of the problem is the difference between 'actually random' and 'perceived as random'. After all, if you're dealing out four bridge hands, the probability of dealing out all cards of one suit to each of the four people is exactly the same as the probability of any other specific arrangement of four hands, but anybody looking at the result would automatically assume that there had been cheating going on.

In the same way, scratch-and-win lotteries and promotional giveaways will often deliberately do partially non-random arrangements to the grand prize winners to ensure that they don't all group in one area.

For example, the Tim Horton's 'Roll up the rim to win' contest deliberately spreads out their car-winning cups to make sure that there is at least one in each of the western provinces and a couple in the Maritimes, with the result that people outside of Ontario and Quebec have a higher chance of winning the big prizes than the people inside, but distributing them purely randomly by population would increase the chances that all the prizes ended up in Ontario and Quebec, which would cause other issues.

Nick PAugust 4, 2011 2:29 PM

I'm not a Harper's subscriber so I couldn't read that article. However, I think she's definitely gaming the system. Her math background, multiple wins against huge odds, and wins at the same store are all just too good to be chance. There was an old saying spies had in the Cold War days: "If it (suspicious event) happens twice it's a coincidence. If it happens three times, it's a conspiracy." How about four?

I think the online lotteries also have opportunities for subversive attacks. I wonder what they do if two people come in with the same exact ticket. Let's say both or the first one got paid. Steal a machine & reverse engineer it to develop a rootkit. The rootkit would be a cheap hardware module that could be embedded in the system + a piece of software that runs in privileged mode on the lottery appliance. The hardware would have bluetooth for communicating with the attacker.

The rootkit could be used to monitor all numbers sold & cashed in to find patterns. However, it's primary purpose is to cause the printer to print arbitrary tickets upon command. The attacker would press a button on his bluetooth enabled phone, activating the rootkit & telling it what to print next. The rootkit could also be ordered to delete itself from the system, covering its tracks. (Hardware module might have a "Restore appliance to original state feature" that's used before it's removed.) The attacker would wait for the TV to show the winning ticket, go to the store, and have it print that ticket.

The above is step 1. Step 2 is accessing the database. Presumably there is a database that keeps track of what ticket numbers were sold, where and at what time. This prevents someone from succeeding by doing what I mentioned above. The attacker must take control of this database to the point that the attacker can inject false entries covertly. When the winning ticket is displayed on TV, the attacker has the machine create a record that his store sold a ticket by that number at some time in the past. Then, he has the store print the ticket with identical information. Then, he runs to cash it in before anyone else who had that number.

Any thoughts, people?

Note: This primarily applies to the state or city lotteries. I think MegaMillion and PowerBall would require more sophisticated, expensive and/or mob-style attacks. Please gear any responses toward the resources, operational procedures and security precautions a state- or city-level lottery would likely take.

cleekAugust 4, 2011 2:40 PM

the problem with the scratch-off break is that it doesn't help your odds of winning. all it does is reduce the amount of scratching you have to do.

SparkyGSXAugust 4, 2011 2:58 PM

Of course it helps your odds of winning; you simply buy the tickets with 3 singletons in a row, and don't buy the other tickets.

The problem would be that it would take some time to figure out which tickets are winners, and it is based on the assumption that you are allowed to see the tickets beforehand, and choose which tickets you buy.

It might be a problem for a regular customer, because taking an hour with a lot of notebook scribbling before deciding which tickets to buy would at least seem somewhat suspicious. For a clerk working at a gas station, it would be easy. Also, one could write an app for a smartphone or similar device, to enable them to take a picture of the ticket and quickly determine if it's a winner.

AndyAugust 4, 2011 3:47 PM

Lotto in our country has 40 numbers and you need to pick 6 to win. If you pick 9 and make all the combinations out of those it costs about $80, for i think about 1 chance to win once a year. If the detect allot of the same number(9) they might biase the result to something else, if you know the biase maybe get one more ticket and use the $80 group to direct the biase to the one ticket.

Or spend $5000 and use about 16-20 groups of 9, you should have a pretty good chance of winning, or like smoking paper :)

cAugust 4, 2011 5:35 PM

@NickP - re: spies in cold war

"Once is happenstance. Twice is coincidence. Three times is enemy action."
- Auric Goldfinger, in "Goldfinger" by Ian L. Fleming (1908-1964)

MWAugust 4, 2011 7:24 PM


The idea of buying winning lottery tickets at over face value to launder money has occurred to me, but it seems very easy for authorities to break. They buy many tickets, make note of the winning ones then sell them to some guy in the pub, and then arrest whoever cashes them for money laundering.

Alternatively, the launderers buy the tickets themselves, accepting the house take as the price for laundering their money, but again - if someone claims to have made $1M from mostly small prizes from 20,000 lottery tickets, the authorities can very reasonably question where they got the money to buy the 500,000 tickets required to generate so many winners.

Rich WilsonAugust 5, 2011 1:49 AM

I worked in a small town gas station many many years ago, where one of the owners made a habit of buying small winner scratch tickets. If you're the person selling them, and you haven't sold any winners in the sheet, and you're down to only a few left, you know your odds are good to pick up a few bucks. Every sheet had a few $2 and $5 winners.

This made the other owner quite irate because he rightly recognized that those small winners were what kept people coming back for more. By taking those tickets, they were discouraging people from buying more, which, for the owners, was where the real money was.

JimFiveAugust 5, 2011 9:10 AM

The odds of winning a 40 choose six lottery (with 1 prize) is 1 in 3,838,380

The odds of winning if you buy 80 tickets is, then, 80 in 3,838,380.

If you play 80 tickets every week your odds of winning in a given year is: 4158 in 3,838,380 or P=.00108

That isn't anywhere near 1.

If your goal is to win the little prizes you would have to calculate the expected value of each ticket and then multiply that by P to get your expected payout. You would also need to recalculate the odds of one ticket, but I doubt that you would get a positive return with only 80 tickets a week.

Clustering your plays around the same numbers probably doesn't help or hurt you. You will win less often, but win more money at a time.

The draw is probably not biased based on numbers sold because a) it doesn't matter and b) it would be difficult. At least here, the lotto drawing is done live on TV using a machine that blows numbered balls into the air.

SeiranAugust 5, 2011 11:10 AM

@Nick P: Most lottery tickets have additional validation data on them that cannot be predicted from knowledge of only the winning numbers. In fact, many lotteries tell you to make a copy of the winning ticket before sending it to them, which suggests that it is possession of the information - not the authenticity of the printing process - that authenticates the winner.

For even more security, part of the winning information may be hashed, to prevent attacks by those who have read, but not write access to the database. Or it could be stored in a separate repository. For example, ticket_id and ticket_key_0 are known in plaintext only to the lottery company. ticket_key_1 is generated at the time the ticket is printed, and the hash is stored in the lottery_db.

Even many years ago, when calottery tickets were printed with dot-matrix, they had a grid of little rectangles that formed a "2D Barcode" arrangement which in my intuition and recollection certainly acted as a machine-readable authenticator. Today, calottery and most other lotteries use a Code 39 barcode.

Many have scan-it-yourself ticket checkers that will check scratch off tickets. I would give those a lot more scrutiny than an online lottery terminal.

Nick PAugust 5, 2011 11:31 AM

@ Seiran

Hmm, that would require further compromise. Interesting thought. As for scratch-offs, many of these are checked by scanning the barcode. I figure they have a means to check whether an individual ticket was scanned twice, meaning this wont help. Perhaps cracking *that* database might be useful, though. ;)

B. D. JohnsonAugust 5, 2011 11:57 AM


"which suggests that it is possession of the information - not the authenticity of the printing process - that authenticates the winner."

It'd pretty much have to be. Keeping thousands of machines in a condition to generate high-quality tickets that could be authenticated would be a nightmare.

I know New York knows, within a few minutes, how many and where winning tickets were sold (for the regular lotto drawings). And, as soon as the ticket is redeemed, the database is updated.

It *seems* like a fairly trivial process to keep secure. The weak link in the system probably is the physical security on the balls themselves. Tampering with the drawing has happened a few times that I know of.

AndyAugust 5, 2011 6:50 PM

@JimFive, "The odds of winning a 40 choose six lottery (with 1 prize) is 1 in 3,838,380
The odds of winning if you buy 80 tickets is, then, 80 in 3,838,380.
If you play 80 tickets every week your odds of winning in a given year is: 4158 in 3,838,380 or P=.00108
That isn't anywhere near 1."
Not good a stats, but if you had all the combinations for 9 numbers, 40/9 = 4.4(25%) chance if you then add 9 with 4 overlaped and another 9 with four overlaped from the first, to make four groups of 9 combination sets to cover 18 you would have 50% chance, but still 3mill proablity of winning(shouldn't) change, the chance is still 50% there high in youre favour, but you could still go a billion years and not win.

Does that make sense.
9 numbers 78rows 60cents per row, first half used for second 9, last half used for third 9, and a fourth somewere

AndrewAugust 7, 2011 6:39 PM

Personally I've always wondered why the State government, churches, and non-profits are allowed to create these gambling enterprises while most private people and corporations are prohibited from doing so.

They're all swindles and should all be prohibited unless the terms are explicitly known and agreed upon.

hopeAugust 14, 2011 6:48 AM

@JimFive, 3,838,380
if you win ever weekend for ten years, thats still 1 in 3,838,380?

if you throw dart(1) at a dart board and someone ask you were it is going to land, if you can mark 100 places you still have the proable of dart width and board size, but a large chance to land on one of the 100

Tim AMarch 29, 2012 12:24 AM

@ Nick P
Regarding a hacked cash register printing tickets with numbers that the attacker desires.

This would not because like stated previously the scratch lottery winning tickets are placed non-randomly by the lottery holder. In order to do that they must of course know exactly in which batch the winning ticket is located, and they must also know exactly to which location they're sending it to. So I'm sure as a part of a verification process they check to make sure that the bar code on the winning ticket that you bring in, the batch number of the ticket etc, matches their records. So unless you know exactly which store location the winning ticket will be sent to, ticket id number, lot number, the above method would not work.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..