Hacking the McDonald's Monopoly Sweepstakes

Long and interesting story -- now two decades old -- of massive fraud perpetrated against the McDonald's Monopoly sweepstakes. The central fraudster was the person in charge of securing the winning tickets.

Posted on August 6, 2018 at 5:57 AM • 21 Comments

Comments

MajorAugust 6, 2018 9:37 AM

I don't get why the sentences were so minimal. The ringleader got 3 years, one month. Other key participants got probation. Was the judge or prosecutor a lucky winner?

While Barrett Brown gets over five years for sharing a link...

David RudlingAugust 6, 2018 10:28 AM

Interesting read. I wasn't previously aware of the story but I guess the timing of the key trial the day before 9/11 was a gift to the ability of the guilty to remain anonymous.

Quis custodiet ipsos custodes? surely remains the hardest security nut to crack - cyber-security or otherwise as in this case.

vas pupAugust 6, 2018 1:35 PM

Yeah, he did not know Ben's Franklin:
"Three could keep secret when two are dead." He had more than three involved. Each of them was the weakest link. At least Some winners should be overseas and in Canada.

HumdeeAugust 6, 2018 1:41 PM

What always interests me about these kinds of stories is how big a role chance plays when one tries to loot the community chest. If I am reading correctly, the long and the short line is that what parked this scam firmly into place was the dumb luck of accidentally getting sent a shipment of holographic seals. From that point on all the fraudster had to do was put on his top, grab his wheelbarrow of money, and from then one it was go, go, go.

@Major writes, "I don't get why the sentences were so minimal."

He drew the "get out of jail free" card. Duh.

echoAugust 6, 2018 1:54 PM

I remember this was a long read when I posted the link a few weeks ago after Slashdot noticed it. One thing stood out: an allegation someone in management had unofficially requested the results be rigged so nobody in Canada won a prize.

This kind of malpracice (and perjury) happens within the UK state sector when there is an unoffical squeeze and/or reallocation, or in some cases outright favoritism by an individual. In some instances it has been an open secret only nobody in an official position seems to be aware of it or if they are they deny it. The police have a habit of "no criming" this too. I would hate to estimate the theoretical global damages claims.

I definately think some older stuff is worth reading. OS News went though a week of regurgitating a few old links to articles discussing events and technology which are now history.

hermanAugust 6, 2018 2:04 PM

Interesting story. I actually talked on the phone to an American Express agent in the World Trade Centre, when the first plane struck and heard it all over the phone, which was really disconcerting and something I will never forget. I still wonder whether she managed to get out. That event completely masked this case in the news, so I never knew about it.

echoAugust 6, 2018 2:51 PM

@herman

US audiences may have missed a UK government special advisor was sacked after 9/11 for essentially saying it was a "good day to bury bad news". I'm fairly sure Jo Moore said what other people were thinking only she committed it to a memo. UK governments still pull these kinds of tricks with roll up legislation or contentious announcements.

See also Dick Cheney and "Never waste a good crisis".

I have a healthy mistrust of tower blocks at the best of times. I know the phsyics is sound but imagining all that mass and what could go wrong? What 7 billion people are like? Weather systems?

We are such tiny dots in the scheme of things.

65535August 6, 2018 5:28 PM

@ Major

“I don't get why the sentences were so minimal. While Barrett Brown gets over five years for sharing a link...”-Major

Yes, it does seem like and two tier legal system and very unfair.

I can only guess at why the sentence was minimal. The perp. was a cop and the FBI agents are also cops [birds of a feather and all]. The perp shook hands with the FBI agent during court possibly signaling a favorable plea bargin. Brown is not a cop and chose to fight the case.

John CowardAugust 6, 2018 6:32 PM

I wonder what other "fields of interest" this type of massive fraud might expose.

:-)

Bong-Smoking Primitive Monkey-Brained SpookAugust 6, 2018 6:36 PM

Old MacDonald caused some harm
E-I-E-I-O
His good luck charm raised a brow
E-I-E-I-O
With a Monopoly card here
And a Monopoly card there
Here a McSting., there a McSting.
Everywhere an LEO LEO
With a oink oink here And a oink oink there...
Old MacDonald loved the smarm
E-I-E-I-O ...

“A psychic had told him to invest money and he would be richly rewarded,”

Psychic: If you invest money, you'll be rich
Jacobson: Yea? And if you believe that, then I have a winning McDonalds ticket to sell you :)

GodelAugust 6, 2018 7:26 PM

I think they're about to release a movie about this which is why the story popped up again.

The main lesson I take from reading the full story, apart from not 'over sharing', is that they got greedy.

Just one or two large, widely spaced hits would have been more productive and less likely to be uncovered.

IsmarAugust 7, 2018 12:08 AM

3 things here

1. Story is told in a very much detailed way , yet as part of that detail it states that this is one of the fundamental properties of made-up stories

2. same goes for the length of the story where , once again, in the story itself some of the lying about the way the tickets were obtained is also via a very long narrative

3. why do we only hear about these stories after they are obsolete (who plays lotteries this way anymore?)

So you have an obsolete story that contains all the elements of a fiction piece for the readers to preoccupy themselves with :-)

Jon (fD)August 7, 2018 9:26 AM

Hi, Ismar.

1) It's a difference between relevant detail and irrelevant detail. The detail that he swapped out the tickets in the men's bathroom (where the auditor could not go) is relevant. Details like "And the other car at the Stop sign was yellow..." are irrelevant, and often made up by liars.

2) Again, it's not just length, it's relevant length. It took place over a long time with many characters, therefore telling the story requires length. Irrelevant length is pointless padding.

Experts (of which I am not one) can tell the difference.

3) While it was happening, nobody knew about it. There's one delay right there. Second, there's statues of limitations involved, and plea bargains that can include sealing the records (for awhile). The most important detail is that those who don't get caught NEVER tell their stories - that's quite a delay.

And I concur about the prison sentences. Steal a million bucks, get a few years in some cushy spot. Steal a $20 bill and you're looking at hard time in a hard place, especially if you're a poor black person.

Jon (fD)

bttbAugust 7, 2018 9:42 AM

From https://boingboing.net/2018/08/06/spideroak-warrant-canary-to-be.html :

"SpiderOak is a cloud backup service with a warrant canary: a formal statement that assured users that the company and its operators had never been made to secretly cooperate with the government, law enforcement or other surveilling authority. The canary reportedly disappeared this weekend, then reappeared, along with a statement saying it was being replaced by a "transparency report."

echoAugust 7, 2018 10:03 AM

@bttb

I'm of the personal opinion these canaries are hogwash. They sound fine in theory but in reality I'm not convinced the law as it stands supports them and there are very very real doubts about their assurance in practice at both a business economic and individual level, and also from the point of view that a well resourced entity with control of the network can control the published message.

@Jon (fD)

Speaking of controlling the narrative I have noticed in the UK more than once that investigations into police misconduct (and other "authorities") can have a habit of being very thorough on the surface and genereate lots of apparently reliable data but they miss the essence of the complaint. Judges convict on the evidence presented not on what is missing. I also note with investigations like this they get off on a "technicality" which itself whiffs of being a little on the wilfully blind construction out of thin air side of things. I certainly know of one investigation where the original complainent against a very senior UK police officer was left in the dark and never contacted as a witness and the investigation was prosecuted without them being aware until after judgment had been passed. This isn't the only time this kind of thing has happened when challenging an "authority".

HmmAugust 7, 2018 9:58 PM

@Bttb

"The canary reportedly disappeared this weekend, then reappeared, along with a statement saying it was being replaced by a "transparency report."

That's the sign, right there. The canary is dead and gone.

Anyone who fails to notice that missed the point.

bttbAugust 8, 2018 9:01 AM

Regarding Warrant Canaries @echo wrote:

“I’m of the personal opinion these canaries are hogwash. They sound fine in theory but in reality I'm not convinced the law as it stands supports them and there are very very real doubts about their assurance in practice at both a business economic and individual level, and also from the point of view that a well resourced entity with control of the network can control the published message.”

iirc, in layman’s terms, legal issues could involve something like not letting people take down, at least easily or cheaply, their Warrant Canaries. Anyway here are a couple more links:

https://en.wikipedia.org/wiki/Warrant_canary
https://www.eff.org/deeplinks/2014/04/warrant-canary-faq

in addition echo wrote: “That's the sign, right there. The canary is dead and gone.

Anyone who fails to notice that missed the point.”

And like you implied above, they may have supplied limited to no assurance in the first place.

Finally, I meant to post about Spider Oak's Warrant Canary in the current Squid. Once posted, however, I figured that I would just live with that mistake and not try to correct it.

HmmAugust 8, 2018 6:51 PM

@bttb

It appears they're now saying the warrant canary still exists and was only missing for a "few minutes" and are saying they've received no warrants or NSLs.

They haven't replied to commenters asking why the TR is being used to replace the WC, because it doesn't seem to fulfill the exact same function even if it claims to or is claimed to by Tervort. IMO it's not the same, it could be evidence of a dead canary even if they say it's not.

But you can't talk about an NSL when you get one, so Tervort is either uninformed of one and thus "not lying" by saying one doesn't exist, or they actually haven't received one and he's truly not lying, they just blew it on the canary and still haven't fixed it.

"Ignoring for the moment the situation at Spideroak about which I have no knowledge whatsoever, the lesson for all others who use a canary is do NOT attempt to replace your canary with a transparency report or anything else as it will be a PR disaster whatever the facts."
-Dave Rudling • August 8, 2018 1:09 PM

That seems to sum it up best IMO. Either way they've taken a hit to their trust.

bttbAugust 8, 2018 8:06 PM

Perhaps the illegal lottery provided better marketing/advertising value for McDonalds[2] initially relative to the new random lottery [1]. Some of the fraudulent interview stories, imo, although lies, were pretty good.

Footnotes from the first link above:
[1] “To ensure winners were truly chosen at random, there were no game pieces or prize boards. Instead, a prize patrol tapped random customers on the shoulder.”

[2] ”And when lady luck regained control of the McDonald’s competitions, she handed winning tickets to a man wearing a full Pizza Hut uniform; a Taco Bell owner; and a former homeless man who was later charged with beating up his fiancée—a PR nightmare.”

Can anybody think of a better solution than [1]? If so, maybe you should try to market it.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.