CT Lottery Hacked. Claimed to be easy “unsophisticated” hack

Once again, we wonder which is safer: gambling or voting?

Courant story:  Suspended Lottery Game Had Too Many Winners <read>

The Connecticut Lottery and state Department of Consumer Protection shut down the 5 Card Cash game after noticing there were more winners than the game’s parameters should have allowed, and determining that some lottery agents were manipulating machines to print more winning tickets and fewer losers…

Just how some lottery agents were able to manipulate their machines is not clear, but investigators believe there was a vulnerability between the time a ticket was ordered at a terminal and when it was printed…

[Consumer Protection Commissioner Jonathan] Harris said he does not think those who manipulated the system were sophisticated hackers, but rather people who were able to figure out how the lottery terminals work.

As for how many agents and terminals were involved, “That’s the part we still don’t know,”  Harris said. It’s also not clear how much money was lost, Harris said...

Lora Rae Anderson, a spokeswoman for the Department of Consumer Protection, said the fact there were more winners than there should have been raised a flag.

The Connecticut Lottery and the state Department of Consumer Protection were alerted to the  possibility of problems involving 5 Card Cash a year ago. A lottery retailer in Weston was accused of holding back winning tickets and selling losing tickets to unsuspecting customers. State authorities were alerted and suspended the retailer’s license to sell lottery tickets.

We are not reassured.

  • Is it really an unsophisticated hack? If that is true, we are concerned because:
    • The vulnerability was not corrected in a year
    • They have no idea who did it, how often it was done, how exactly it is accomplished, and how much was stolen
    • They apparently ignored red flags that too much money was being awarded
  • Yet it could be sophisticated, which would be even more concerning, since those responsible apparently have gotten away with the money

We ask:

  • Why do they assume it was unsophisticated hackers?
  • Was it really a hack? Or did the system simply pay out too much?
  • What kind of security expertise does the vendor have, if a system could be broken by unsophisticated hackers?
  • What kind of security review and testing does the Lottery employ, if any?
  • Is anyone sure the random algorithms that choose winners are operating correctly?
  • Are they sure it is not an inside job?
  • Is there an audit trail of tickets cancelled?  Can’t they tell which terminals cancelled numbers of losing tickets?
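
One way the audit asked about in the last question could be run, as an added example (not the Lottery's or its vendor's code). The event log format, the 25% expected win rate and both thresholds are assumptions, and the log is constructed sample data.

```python
from collections import defaultdict
from math import comb

EXPECTED_WIN_RATE = 0.25  # assumed game parameter, not taken from the article

def binom_tail(n, k, p):
    """P(X >= k) for X ~ Binomial(n, p): chance of k or more winners by luck alone."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def audit(events, p=EXPECTED_WIN_RATE, alpha=1e-4, max_cancel_rate=0.10):
    """Return {terminal: [reasons]} for terminals whose printed tickets win
    improbably often or whose orders are cancelled unusually often."""
    stats = defaultdict(lambda: {"ordered": 0, "cancelled": 0, "printed": 0, "wins": 0})
    for terminal, event, is_winner in events:
        s = stats[terminal]
        if event == "ORDER":
            s["ordered"] += 1
        elif event == "CANCEL":
            s["cancelled"] += 1
        elif event == "PRINT":
            s["printed"] += 1
            s["wins"] += int(bool(is_winner))
    flagged = {}
    for terminal, s in stats.items():
        reasons = []
        if s["printed"] and binom_tail(s["printed"], s["wins"], p) < alpha:
            reasons.append("win rate")
        if s["ordered"] and s["cancelled"] / s["ordered"] > max_cancel_rate:
            reasons.append("cancel rate")
        if reasons:
            flagged[terminal] = reasons
    return flagged

def sample_events():
    """Constructed log of (terminal, event, is_winner) tuples; hypothetical schema."""
    events = []
    for i in range(40):   # T1: every order printed, 10 of 40 win (matches 25%)
        events += [("T1", "ORDER", None), ("T1", "PRINT", i < 10)]
    for i in range(100):  # T2: 60 of 100 orders cancelled, 30 of 40 printed tickets win
        events.append(("T2", "ORDER", None))
        events.append(("T2", "CANCEL", None) if i < 60 else ("T2", "PRINT", i < 90))
    return events

if __name__ == "__main__":
    for terminal, reasons in audit(sample_events()).items():
        print(terminal, "flagged for", ", ".join(reasons))
```

The same per-terminal counts also answer "how many agents and terminals were involved", provided the terminal actually logs orders and cancellations and not only printed tickets.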

We also wonder if the Lottery is up to the standards of Las Vegas gambling machines or closer to the weaker standards of voting machines. <compare>

