Betting Ticket Forged Based on Selfie

This is an interesting story. Someone posts a photograph of herself holding a winning horse-race betting ticket, and someone else uses the data from the photograph to forge the ticket and claim the winnings.

I have been thinking a lot about how technology is messing with our intuitions about risk and security. This is a good example of that.

Posted on November 12, 2015 at 7:01 AM • 31 Comments

Comments

AlexNovember 12, 2015 7:55 AM

It's really clever. There have been similar scams during the Rugby World Cup, where tickets were going up to £715. Bottom line, don't take pictures of things that can be forged...

RichardNovember 12, 2015 8:01 AM

The amount of people in my timeline posting a hi-res photo of the keys to their new home ("hurray, we finally got the keys to our new house") is getting awkward as well.

zucNovember 12, 2015 8:20 AM

A related issue is cheating on exams: devices that can potentially be used for cheating are becoming commonplace, and turning up in all sorts places. Examination centres now ban watches. I wouldn't be surprised if you can get bluetooth earpieces that are undetectable without a close inspection. It wouldn't be hard to come up with a system that is essentially undetectable in a typical exam situation, eg a vibrating device (which could be an ordinary phone) hidden in your clothing and tapping morse code to you, and it wouldn't be hard to devise a system for two-way communication. The protection against this now is that the effot of obtaining such devices, or building them yourself, is generally going to be more than the effort of studying for the exam. But not for long.

wyllysNovember 12, 2015 8:38 AM

This happens all too often when people post concert or sporting event tickets on facebook/twitter/whatever and don't cover up the bar codes. eBay has been warning people not to post barcodes when selling tickets on their site for a long time.

shakeyNovember 12, 2015 8:41 AM

Also, unless the ticket maker has salted it, it's possible that the barcode can be generated by a forger if the number(s) can be read from photograph(s).

sideshowbobNovember 12, 2015 8:53 AM

Kind of reminds me of when online sellers didn't obscure the COA on computers they were selling. Need a free key just hit them up. Of course now they blur the COAs so it's of no use today but pretty clever at the time.

Also another reason why facebook et al are completely worthless...

Dirk PraetNovember 12, 2015 9:21 AM

From the article: "“When Prince of Penzance’s name came up we were pretty stoked, being amateurs at it. Naturally I took a selfie to show my friends.”

For most people stupid comes natural. It's part of the human condition. Some just take it further than others.

jaysonNovember 12, 2015 9:41 AM

Somewhat in her defense, in the age of cameras everywhere any particular camera, security or otherwise, in the area could have recorded her glee and winning bar code. Not necessarily her facebook post.

I would imagine that those which produce tickets will eventually need to move to a more secure method of encoding or be held liable for loss.

ChelloveckNovember 12, 2015 9:50 AM

@sideshowbob: Worthless? Sounds to me like Facebook is worth at least $825 to someone.

Kyle RoseNovember 12, 2015 10:30 AM

> The amount of people in my timeline posting a hi-res photo of the keys to their new home ("hurray, we finally got the keys to our new house") is getting awkward as well.

Except that it's actually easier just to have a bump key for every common lock type than it is to recreate the actual key. Residential locks are ridiculously low-security.

Tony H.November 12, 2015 11:01 AM

Not saying that publishing selfies of barcoded tickets is a good idea, but...

Sounds to me like just more of the ongoing pushing of liability from institutions/businesses to individuals. Surely the organization who paid out the money to the fraudster should take the hit, not the legitimate winning ticket holder. Same for tickets to games, concerts, etc. If two people show up with the same barcode for one seat, there are other ways for the rightful holder to prove ownership. Credit card used, other details of the purchase. Do they arbitrarily deny entry to the second (and subsequent...) person to arrive, with no recourse?

AnoniNovember 12, 2015 11:31 AM

It's more interesting how the big company pushes the liability for fraud off on the consumer. They're the ones who didn't do due-diligence before handing over the money. I wonder what a lawyer would make of this in the US?

albertNovember 12, 2015 12:11 PM

@David Allen Wilson,
"Locks keep honest people honest."
.
Moral of the story? "Experience is a dear teacher."
.
Physical endangerment aside (the increasing number of folks who are killed or maimed as a result of taking selfies), psychologists are studying the selfie phenomenon. I'm sure there's a syndrome in the making. Unfortunately, there are no drugs for curing stupidity.
.
. .. . .. _ _ _ ....

DanielNovember 12, 2015 12:36 PM

Honestly, the most newsworthy part of this story is that people still go to watch horseraces. (snark).

In any event, when talking about risk let's not forget the other side of the coin.

Chantelle went on to tell TripleM that she has contacted the authorities, who stated that they have surveillance footage of the “friend” claiming the winnings and that they are confident they will be able to find them.

So as smart has he was he wasn't smart enough to hide his identity from the security camera.

mishehuNovember 12, 2015 12:50 PM

o/` You never count your money... when you're sitting at the table... there'll be time enough for counting, when the dealings' done... o/`

In other words, I'd have claimed the money first, THEN maybe posted the selfie (if I was the type of person who felt the need to post such a selfie, which I'm not).

Fred PNovember 12, 2015 1:28 PM

Send out the picture after you cash it.

Back when I worked for this industry (Autotote Systems, about 12-17 years ago), this sort of scam appeared to be very easy from anyone who prepped, had a few minutes, a way to print out a good fake ticket, and took a picture of a winning ticket. I have no reason to believe that any of our competitors were better (indeed, the information I had stated that one of our competitors used a nearly identical system).

In another barcode money system to which I had the specification (unnamed in the case that it still has this gaping hole), it appeared to be feasible even without seeing the ticket; the ticket numbers were essentially sequential (if you had the spec, or enough tickets to reverse engineer enough of it for your purposes), so with any earlier ticket you could (in theory) derive the barcode of a later ticket.

DexterNovember 12, 2015 2:05 PM

"Naturally I took a selfie to show my friends.”

I wonder which "friend" is on her naughty list this Christmas?

Right up there with the picture of the TSA security keys.

Count 0November 12, 2015 2:17 PM

I found it more interesting that it won't work in the end. They have video of the "friend" getting the money. I'm sure that was very easy to do because I'm sure the video surveillance system is connected to the ticket system and they can just call up the footage for that ticket being cashed and there it is. Cross reference that image with the list of her FB friends and send the police around for a bit of a chat.

This is MUCH easier than the old days of going though stacks of VHS tapes with no data interfaces. This os what most people don't seem to understand about the interconnections between all these systems today: what would have taken days now only takes seconds.

Anonymous CowNovember 12, 2015 3:36 PM

I admit that I haven't been to a horse race in a long time. But I remember the wagering tickets were on inlayed paper, akin to currency paper, which most of us cannot get. The printing had two different elements, one of which forced the ink all the way through the paper. That's another process that most of us cannot get, certainly not through any computer printer off the shelf. They also used different colored inks that blended into one another. Each ticket did have a serial number, but I don't remember if the technology of the day allowed the serial numbers to be databased.

The ticket showed in the picture looks like it could be easily forged with little effort. Bar codes are great, but for this application they should not be considered a security feature.

albertNovember 12, 2015 4:10 PM

@Dexter,
The danger is not necessarily a friend, but a friend of a friend,.....If it was one on her friends...well the cops should already have that list. Do you think that 'friend' is smart enough not to make a single deposit $825 in his bank account?
.
@Fred P, @Anonymous Cow,
Thanks for the interesting info.
.
Oh what a tangled Web we weave.
. .. . .. _ _ _ ....

JonSNovember 12, 2015 4:26 PM

@zuc:
"The protection against this now is that the effot of obtaining such devices, or building them yourself, is generally going to be more than the effort of studying for the exam. But not for long."

Well, that and data throughput. The kinds of papers I do generally give me 3 hours to write 4-5 essays. Trying to make sense of a morse signal against my thigh, or a series of vibrations against my ribcage in that context is going to slow me down so much that there's no feasible way I'd be able to answer *sufficient* questions to pass, almost regardless of how *well* I answered the ones I did get to.

A similar problem exists with maths-syle questions - generally the answer is worth a couple of marks, but the logic and working used to get to the answer is worth the bulk of if. How do you encode a formula - or a graph - in morse?

For a couple of the engineering papers I've done, the lecturer allows one sheet of notes to be bought in to the exam. It can be whatever you want, written as large or small as you want, etc, and it is handed inwith the script at the end of the exam. The lecturers secret - and wisdom - here, of course, is that the effort of condensing a year's worth of content down into a meaningful page of key prompts, facts, and equations means that you more than likely already know the material well enough to pass the exam anyway. And, it means the lecturer can ask curlier, more interesting and involved questions. And an invisibly vibrating earpiece wouldn't have been the least bit useful.

On the other hand, a paper I'm doing now has had *exactly* the same set of essay-style exam questions for the last 4-5 years. In terms of 'studying for the exam', I could just pick four questions from the stock list, craft answers for those, condense them to key prompts (like the first three words of each paragraph), and bin the rest of the course material.

The common thread here is that the answer to cheating lies largely with the lecturer. Ask questions that require engagement and application of knowledge, not mere recitation of stock facts. Time is a critical resource in exams, and that is a key factor which can be used to mitigate against cheating.

JonSNovember 12, 2015 4:35 PM

@anonymous cow;
AIUI, the pay out is essentially automated - go to the machine (like an ATM or carpark fee machine), show the scanner your barcode, collet cash from the tray at the bottom. There's no human interface, and so no one to check the print quality or textured artisanal paper.

GodelNovember 12, 2015 7:37 PM

@Daniel "Honestly, the most newsworthy part of this story is that people still go to watch horseraces. (snark)."

Actually no. This is a once a year special event where people who know nothing about racing go to dress up and drink with their friends, and have an occasional bet pretty much at random, based of whether they like the horse's name or if its racing colors are pretty.

DominicNovember 12, 2015 8:11 PM

@Daniel

The 'Spring Racing Carnival' is a series of race meetings that are heavily promoted as social events at this time of year. 'The Cup' is the pinnacle of this and for a lot of people it is the only time they ever go to the races.

We actually have a public Holiday for the race here in Melbourne. Locally it is promoted as 'the race that stops a nation' and from my experience in Sydney it pretty much does.

SJNovember 13, 2015 12:46 PM

@mishehu,

good reference. Some country music is good...for a story or a lesson on life.

Been a few years since I heard that song.

k14November 13, 2015 2:10 PM

Where is the citizen security exam, that has this among its "is this wise and why?" questions?

PeterNovember 13, 2015 4:04 PM

"Well, that and data throughput. The kinds of papers I do generally give me 3 hours to write 4-5 essays."

That's an understatement... is more like 4-5 books. ;)

KarellenNovember 15, 2015 5:42 AM

Given that Facebook, and probably a lot of other social media sites, do a fair amount of image scanning and processing for e.g. facial recognition on all photos uploaded these days, I'm wondering how hard it would be for them to recognise bar codes in photos and blur them out by default. Or blur them out to friends-of-friends or further separated people. They could still give owners the ability to make barcodes visible if they wanted with an explicit action, but the default could be secure.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.