Interesting Lottery Terminal Hack

It was a manipulation of the terminals.

The 5 Card Cash game was suspended in November after Connecticut Lottery and state Department of Consumer Protection officials noticed there were more winning tickets than the game's parameters should have allowed. The game remains suspended.

An investigation determined that some lottery retailers were manipulating lottery machines to print more instant winner tickets and fewer losers....

[...]

An investigator for the Connecticut Lottery determined that terminal operators could slow down their lottery machines by requesting a number of database reports or by entering several requests for lottery game tickets. While those reports were being processed, the operator could enter sales for 5 Card Cash tickets. Before the tickets would print, however, the operator could see on a screen if the tickets were instant winners. If tickets were not winners, the operator could cancel the sale before the tickets printed.

Posted on March 25, 2016 at 6:31 AM • 14 Comments

Comments

ChristopherMarch 25, 2016 7:17 AM

Ahh, timing attacks, and the problems of multi-threaded code. Gaming the game is a nice, elegant hack.

DanielMarch 25, 2016 11:02 AM

It seems to me that the crooks didn't think their cunning plan through. If they were smarter, they would not have canceled the order for the non-winning tickets. They would have placed those orders and then resold the tickets to a third-party (the next customer who came into the store). This way, it would have looked like the correct amount of tickets were being sold and the real victims would not be the state, it would have been the unwitting victims who bought the losing tickets.

pdMarch 25, 2016 1:03 PM

Interesting to see how simply pushing buttons in a certain order to reveal a software bug can be construed as "manipulating" a machine to the point of three felonies. Stupid poor people, don't you know you're not supposed to win a rigged game?

JeremyMarch 25, 2016 1:50 PM

@pd

You would prefer a world in which it is legal to intentionally utilize a software bug to rob the lottery, leaving the public to foot the bill?

MrDudeMeisterMarch 25, 2016 2:19 PM

Solution: Mandatory fine/bounty for software bugs, exposed to the public.

ToddMarch 25, 2016 6:02 PM

@ pd said,

"Stupid poor people, don't you know you're not supposed to win a rigged game?"

As a side joke, trick-to-win appears to be winning just enough as to not let the game be alerted of it to apply the kick-in ('The Matrix' sends Agent K), because in order to beat the game you must beat the "game."

We're all f*cked.

B-)

JardaMarch 25, 2016 6:02 PM

An how it is even possible that the results are known while it is still possible to sell tickets??? E.g. Belgian National Lottery has a deadline after you can't buy a ticket, sales open again after the draft is done and published.

AnuraMarch 25, 2016 6:24 PM

@Jarda

There are different lottery games; this one had "instant win" tickets that weren't based on a national drawing.

tyrMarch 25, 2016 6:39 PM


Since random behaviors are supposed to be the essence
of gambling. I find the idea that the officials know
how many are supposed to win a lot more disturbing
than the hack.

Then again cynics would suspect such a game might be
rigged to fleece the unwary soul.

AnuraMarch 25, 2016 7:01 PM

@tyr

They keep a database of all the tickets sold. So if they sell 5000 instant-win tickets, and then 5500 are claimed they know something is wrong. Even then, let's say the probability of a win was .25, but with over a million tickets sold there were 270,000 winners, there is almost certainly something wrong as the probability of that many winning tickets being sold is extraordinarily low.

TatütataMarch 26, 2016 8:20 AM

If "you're not supposed to win a rigged game" then why are the three-card monte and the shell game illegal?

I remember a case thirty years ago about a punter outwitting some electronic game at a casino. Turned out the device had a really such a sh*tty RNG that it was no match for the fellow's grade school arithmetic. The guy wasn't allowed to keep the money, IIRC.


Clive RobinsonMarch 26, 2016 9:27 AM

@ Tatütata,

The guy wasn't allowed to keep the money, IIRC.

If we are remembering the same case it was rather worse than that.

He kept his winnings in his lodgings in cash. The IRS decided it was "taxable income". The local police preasured his landlord into letting them into his room where they found the money and confiscated it, to supposadly give back to the Casino even no legal action for a crime had been taken (nor was it likely to be). The casino quite legaly deducted the guys winning from their taxable income, even though they have supposadly had the money returned.

Even though the guy is not responsible in any way for the money taken by the police and landlords action, the IRS were going to take him to court for not paying the tax they claim he owed.

Such is the way these things work, especialy when the police are apparently quite biased in their actions.

In theory the guy could start legal proceadings, but the police in effect have immunity, the Casino would bankrupt him, and the landlord probably has no realisable assets... And he would still have to pay the IRS before any legal bills. Thus he has had "his rights stripped" by "eminent domain" and is now in effect a criminal by the actions of others, even though it is highly unlikely he commited a tort let alone a crime...

As somebody once said "Welcome to Vegas baby, where you loose your money, morals and alot more besides, as the price of getting out"...

JakeMarch 27, 2016 2:20 PM

I so wish I were somebody's special brother in law.

They don't work that well for Lotteries, but should be fine in voting booths. No problem there.

F SchickelMarch 28, 2016 11:15 PM

As someone who works for a lottery retailer in California I find this extremely interesting. As far as our terminals go, there is no display whatsoever of a pending ticket; the make-up of a computer generated play (quick pick) is only visible after the ticket prints. My mind just boggles at the concept of making a (potential) ticket visible (and cancellable) before the ticket is actually printed.

As far as the actual hack goes, it seems to have been pretty simple. Just request a ticket and look for a winning poker hand. Even if you don't match the draw portion you could still win up to $5,555; pretty nice odds if you can swing it.

One good point brought up on the LotteryPost site was that it the retailers had kept all the tickets and sold the non-instant-winners to the next unsuspecting player, they might have been able to keep this under wraps a little longer.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.