Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Computerized Betting System Proves Vulnerable 310

count3r writes "A front page article in today's New York Times reports that an employee of Autotote has been fired for (allegedly) hacking the system responsible for 65% of all horseracing bets in North America. The caper, if it is indeed a caper, resulted in a series of six bets that paid a total of $3,000,000 in last Saturday's Breeders' Cup."
This discussion has been archived. No new comments can be posted.

Computerized Betting System Proves Vulnerable

Comments Filter:
  • dumbass. (Score:5, Interesting)

    by Unknown Poltroon ( 31628 ) <unknown_poltroon1sp@myahoo.com> on Friday November 01, 2002 @01:36PM (#4579471)
    WHy not just hit them up for several thou a week? Like theyre not gonna notice a 3,000,000 blip.
    • I think the temptation would be too great. Greed is a powerful thing, and perhaps that big score was just too hard to resist.

      On a side note, their are so many Office Space jokes running through my head right now that they're getting stuck, like two fat guys trying to go through an open door at the same time.
      • On a side note, their are so many Office Space jokes running through my head right now that they're getting stuck, like two fat guys trying to go through an open door at the same time.

        A minimum secrutiy prision is no picnic. I have a client in there right now. He says the trick is, kick someone's ass the first day or become someone's bitch. Then everything will be alright.
    • Re:dumbass. (Score:5, Insightful)

      by ergo98 ( 9391 ) on Friday November 01, 2002 @01:56PM (#4579652) Homepage Journal
      Sounds debatable to me. On the one hand a huge payout will garner a lot of attention, but on the other hand committing a fraud over and over every week sounds quite high on the risk scale too.

      As a bit of background regarding this, these guys didn't transfer from one bank account to another, or some other thing that's caught "in the books": One purportedly made an electronic bet, and the other altered the electronic bet after the fact to match the winners. It really isn't that ridiculous of a scam as people do win every now and then. It isn't entirely inconceivable that someone one.

      Having said that, it is the duty of responsibility of the operators to exercise due diligence, and truly not trust anyone: i.e. all databases have multiple layers including audit logs, in this case catching his transaction as it occurs for future analysis. In this case I presume that exactly that happened, as they obviously caught him.
      • It was a relatively expensive and complicated bet based on the cumulative outcome of six separate races... and he placed the exact same bet six times.

        Once you've done that, putting a flashing marquee on your front lawn that reads "cheating the OTB out of millions of dollars is my very smart, infallible plan" is officially redundant.
      • Re:dumbass. (Score:5, Informative)

        by ACNeal ( 595975 ) on Friday November 01, 2002 @03:02PM (#4580153)
        The problem is that betting is all pool driven.

        A lopsided payout will be noticed, not because someone one, people always win in a properly booked race/game/whatever, it is that the payout was disproportionate to the take.

        If you make your book properly, you aren't making money off of people losing their bets, you make money off of the vig. Your payouts and take should roughly be equal if you did your books right.

        A horse isn't a 100:1 long shot because the book maker thinks its a bad horse. The horse is a 100:1 long shot, because off all the betting dollars, only 1 out of every 100 dollars was bet on that horse.

        The only way the house wins is to avoid making stupid bets. How does the house avoid making stupid bets? By nt betting. If I make sure that the other 99 dollars are going to cover your 1 dollar bet, and I collect the 10% vig from the losers, I make money, and don't have to worry about the long shot.

        Legalized horse betting does the same thing, except since they can't charge a vig to the losers, they don't make a 100% payout. That way, no matter who wins, they have made sure they can cover the bets, and still make a profit. In this scenerio, the winner pays the vig in the shape of the odds aren't as high as they should have been, the winner didn't win as much as was proportionally alloted to him.

        The reason why this was a dumb scheme, and the reason why they got caught is pure math. The track paid out more money then they took in, and immediately knew something was amiss. If the systems worked properly, that can't happen. Long shots hit all the time, even 100:1 long shots, but if your computer system adjusted the odds according to the bets made before post, you won't lose money.

        The fact that they changed the bet afterward means that the odds were wrong. Of course most people don't realize these subtelties to book making, so probably thought it wasn't a dumb mistake.
        • Re:dumbass. (Score:2, Insightful)

          by ergo98 ( 9391 )
          he reason why this was a dumb scheme, and the reason why they got caught is pure math. The track paid out more money then they took in, and immediately knew something was amiss. If the systems worked properly, that can't happen. Long shots hit all the time, even 100:1 long shots, but if your computer system adjusted the odds according to the bets made before post, you won't lose money.

          Obviously you understand horse racing. Having said that, I question your claim that it's entirely pool driven. Most tracks offer multiple win wins that are many multiples the win for a single race. i.e. If this guy changed a single $1 bet for #7 in the 3rd to be a $10000000 bet, then that seems obvious. If, on the other hand, he changed a $1 bet (so $6) for #7 in the 1st, #2 in the 2nd, #4 in the 3rd, etc, for $6 races, and the track offers a mega win for six successive wins, the difference that his bets make in the win is miniscule.
        • Re:dumbass. (Score:3, Informative)

          by andynyc ( 65686 )
          The reason why this was a dumb scheme, and the reason why they got caught is pure math. The track paid out more money then they took in

          No, the win did not pay out more than the track earned. Each winning ticket paid $428,392 from a pool of $4,569,515, which means that there were probably 8 or 9 winning tickets in total, nationwide. The guy they are investigating had 6 of them.

          Having 6 of only 9 winning tickets is obviously unusual. His betting strategy is even more unusual... making single selections for 4 races, then "wheeling" then entire field for the last 2, which means if the first four come in, he's guaranteed to win. Combined with the "flaw" in the system which doesn't report the ticket to the central database until after the fourth race, this is an obvious red flag. Finally, making the same bet 6 times is simply stupid. It's the same as buying 6 lottery tickets with all of the same numbers... the only justification is to increase your percentage of the winner's pool if you KNOW you are going to win.

          Think of recent Powerball lottery wins... if they announce there were 6 winners, and one guy shows up with 4 of the winning tickets, it's going to raise eyebrows.

          Had this guy never made these wagers, most likely there would have been 2 legit winners, each of whom would have won about $1.8 million (or maybe 3 winners each getting $1.2 mil). Instead, since there were a lot more winning tickets, the payout on each was reduced to only $428 thousand.

          Again, the track didn't lose anything, and if they disqualify his tickets, the money will get paid to the legit winners. That's how pari-mutual wagering works... the total pool is calculated, the house percenatge is taken out, and everything left is split among the winning tickets. When there are 9 winning tickets, each one gets paid less than if there were 3 winning tickets. The racetrack is unaffected. The legitimate winners are the victims.

    • WHy not just hit them up for several thou a week?

      Maybe because it's not a simple matter of hacking into the system to change a ticket, assuming he actually did that?
    • Re:dumbass. (Score:3, Interesting)

      by nolife ( 233813 )
      I know a guy that was arrested for a fraudulent 900 scam. I do not know the details of HOW it was done but.. He had a 1 900 Job Line provided by MCI. He rigged it to fake calls and rack up his payout from MCI. In one month MCI owed him almost $400,000 for some cheasy job line. Times were tough back then but not that bad! At the MCI office, an FBI undercover handed him a check and then immediately arrested him.

      I'm sure a smaller amount would not have been as obvious and he may have been able to sustain it. Of course these horse cheats in the story could have started small years ago and have just now got caught.
    • ... the way the betting system worked, according to this article [globeandmail.com]:

      An investigation this week by the Daily Racing Form revealed that while the amount of a Pick Six bet is transmitted immediately to a central computer, the horses selected are not often transmitted until after four of the six races have been run. Skeptics believe there is a window of opportunity here to change the selections after the winners are known.

      Charge the company that programmed the betting system too, why don't you!
  • by _LORAX_ ( 4790 ) on Friday November 01, 2002 @01:37PM (#4579478) Homepage

    DRM will be our savior.....

    Oh wait, he required that kind of access to do his job? So DRM wouldn't have helped. What do you mean that most hacks are inside jobs? .... nothing to see, please move along.
  • by nogoodmonkey ( 614350 ) on Friday November 01, 2002 @01:38PM (#4579489)
    when people used to give horses steroids so that they would win their bets. All this new technology is confusing!
  • No registration (Score:4, Informative)

    by DeadSea ( 69598 ) on Friday November 01, 2002 @01:38PM (#4579490) Homepage Journal
    Or why don't we look at one of the many articles that don't require registration [google.com]. Darn NYTimes.
    • Re:No registration (Score:3, Insightful)

      by aridhol ( 112307 )
      Hey...I have an idea (not that it will be accepted). Why don't we stop allowing registration-required links on the front page? Including free-registration. We can now find many sources for the same story with Google News [google.ca], so there's no reason to keep linking to NYT.
      • Re:No registration (Score:3, Insightful)

        by 1984 ( 56406 )
        I have another idea. Why don't you presume to never pay for anything, ever? To live in a fantasy world where all you have to do is consume.

        (Or perhaps you don't mean that, in which case I apologise. But I'm getting sick of seeing people here with the attitude, "We're all for 'Free'. And look, we can just take shit! Stick it to the man! Yeah!")
        • not a good point. The newspapers and news organizations make money off of advertising. in all likelyhood they got this story from another source (which is why we see it from other sources)

          they make tons of money off advertising - and requiring readers to register for their stories is rediculous.

          I cant stand all the people who try to argue for the registration on a site that is just going to give you a story that is available from other sources without such restrictions.

          Do you pay for a subscription to slashdot? i doubt it - and if it was required from the first day, i doubt you would even be here....

          News is information that is meant to be free. If I want opinionated biased *stories* I will pay for it. If I want news about whats happening in the world around me - I will get it from traditional news sources with a very long history of subsidizing the cost of production through advertising. The model has been like that for a very long time - and by the amounts that most major news anchors make, I dont think they are hurting - or even would be hurting from our wanting of free access to the "news" they are offering.
        • That sounded more like a Flamebait to me. Give me one reason to pay for a service when there is another that exceed the quality of the former, while being perfectly legal. Besides, the guy didn't even complain about pay sites, but sites that requires that you go through a lot of steps just to simply read an article.
      • Why don't we stop allowing registration-required links on the front page? Including free-registration.

        Slashdot itself requires a free registration to post even off-topic comments like that one, so besides being needlessly elitist, it would be just a bit hypocritical.
      • Another option:

        Go through the free registration. Is your time really that valuable? You're reading Slashdot, aren't you?

        Tell them that you're a 90 year old high school dropout millionaire from Afganistan (which is usually the first country on the alphabatized list). Give your email address as Fake@AOL.com (might as well waste some of their CPU time while you're at it).

        -B
      • In the time it takes for you to type this,
        you can easily register as a 123-year-old
        polynesian software engineer, earning 400,000
        a year. (If you are one, pick another
        example :).
    • Re:No registration (Score:5, Interesting)

      by jimand ( 517224 ) on Friday November 01, 2002 @01:47PM (#4579578)
      Note that if you follow this link, there is a link to the NYT story that you can see without registration. The URL [nytimes.com] ends with "&partner=GOOGLE" so it seems that if you are a partner of the NYT, you can access articles without registration. Could /. apply to the Times for partnership status?
    • From the Sports Section [washingtonpost.com] of the Washington Post.

      Well, they do want some registration stuff, but nothing identifiable to you.

  • Not too smart. (Score:3, Insightful)

    by Desmoden ( 221564 ) on Friday November 01, 2002 @01:38PM (#4579492) Homepage

    I will never understand how people come up with good, well thought out crime plans, and then totally screw up the execution by rushing things or bring too much attention to the project. Just dumb.

    • by jazman_777 ( 44742 ) on Friday November 01, 2002 @02:14PM (#4579800) Homepage
      I will never understand how people come up with good, well thought out crime plans, and then totally screw up the execution by rushing things or bring too much attention to the project. Just dumb.

      Well, the brilliant plan to milk billions from the Federal Reserve Bank in Denver is still going strong, undiscovered.

  • So? (Score:4, Insightful)

    by Lawbeefaroni ( 246892 ) on Friday November 01, 2002 @01:41PM (#4579522) Homepage
    Buttloads of $ vs. determined individual: vulnerability.

    Someone will always find a way to steal and no matter how good your security, when you have the human element on the inside, you are vulnerable. That's why auditing to detect theft is as important as securing against it.

  • by webperf ( 560195 ) on Friday November 01, 2002 @01:42PM (#4579523)
    see what happens when you legalize it??? all these crooks get in and screw it over.
  • No way! (Score:5, Funny)

    by zuggy ( 613001 ) on Friday November 01, 2002 @01:43PM (#4579535)
    Nah, it can't be vulnerable. Online betting is trustworthy. Why, as soon as I get my bonus back from the Nigerian Petroleum Company, I'm going online to bet on the ponies!
    • Nah, it can't be vulnerable. Online betting is trustworthy. Why, as soon as I get my bonus back from the Nigerian Petroleum Company, I'm going online to bet on the ponies!

      This isn't "online betting." Autotote is the electronic system used to place bets all across the country. You could be at an OTB (off-track-betting) center placing a bet on a race getting ready to run at Saratoga in a few seconds.

      And it's not like people normally get screwed out of their winnings. This guy is getting put on hold because of suspicious circumstances. It has nothing to do with how he placed the bet or betting "online."
  • Some posts seem to be some confused about what they did. The scheme was simply to change one guy's (electronically registered) bettings after the race was over, with the help of an insider.

    Tor
  • by yamla ( 136560 ) <chris@@@hypocrite...org> on Friday November 01, 2002 @01:44PM (#4579550)
    Until a little over a year ago, I was employed at a company that wrote gambling software for sports betting houses. It is big business, let me tell you. :) If anyone has any questions, fire away and I'll answer them.

    I never put any backdoor code into anything I submitted but it would have been very easy to do so. We had well over 300,000 lines of code and very little of it was audited. The only problem would have been getting the backdoor in without other programmers noticing as everyone was responsible for different areas. Still, I know it could have been done, I can picture exactly what it would have taken to do so.

    Would it have been noticed? Possibly eventually, though I have my doubts. Apparently, there was a bug in our code for one of the complex bet types. It ended up _always_ overpaying a specific complex winning bet type by $1. That is, it always rounded up to the next dollar instead of down and this bug went undetected for YEARS.

    All the code was written in VB and we worked crazy amounts of overtime ALL the time. Additionally, the 'business experts' could never get their act in gear and agree to how things should work. I ended up resigning my position.
    • by WatertonMan ( 550706 ) on Friday November 01, 2002 @01:52PM (#4579621)
      Actually wasn't there a huge scandal in Las Vegas a few years ago where someone hacked a lot of the slot machines to screw with the odds? If I recall it actually was one of the distributors of the slot machines. So it wasn't some obscure employee but some people fairly high up in the company. But it is the same idea.

      I'm sure that had the company tried to screw over one of the bigger casinos that they'd have been caught. (And depending upon the casino probably taken care of independently from the police) However so long as regular people are getting screwed, they don't care.

      Same thing with gas stations. Once again I remember a scheme that extra charged gas slightly using computers. Nothing but a few cents on every fillup. But it added up. Once again more the company themselves. But how hard would it have been for an employee to do it?

      The only thing that keeps these schemes for working for individual employees is the cost/danger ratio. These schemes are only worth the risk if you make a fair amount of money. But to make a fair amount of money you have to get that check from the company which is then noticable by the company auditors. If the "checks" or "expense" is spread out over thousands of people, the auditors are far less likely to discover it. But by the same measure you are far less likely to be able to make use of the money.

      • by smileyy ( 11535 ) <smileyy@gmail.com> on Friday November 01, 2002 @02:16PM (#4579815)

        I recall seeing a story about a programmer who reversed engineered the pseudo-random number generator used in Keno games. The impression I got was that it was a clean-room solution, and yet he was arrested for fraud anyway. Needless to say, I disagreed with the notion that his act was illegal (assuming it was clean room).

        • You've got a great memory - that was 6 years ago. :-)

          Here's the story [ncl.ac.uk] from "The Risks Digest" ("Forum on Risks to the Public in Computers and Related Systems").

          Basicly, they caught the guy, and then released him and even gave him the money back with interest.

          The "source" of the problem? A missing clock that was supposed to seed the random number generator. Thus, upon rebooting (every morning I suppose), the same number sequence would be generated as the seed would be the same...

          Greg
      • Heh. I somewhat remember a diatribe about this from Office Space [imdb.com] when they attempt to do the same thing to their company's banking software.
        • I somewhat remember a diatribe about this from Office Space
          And I remember a similar plot used in Superman III [imdb.com], where Richard Pryor's character steals the partial cents from his employer. I think that they even mention Superman III in the movie Office Space.

    • A long time ago I used to write software for computerized gambling games, such as draw poker. One of the features of the software was being able to dial in a certain payback percentage. The way it worked was that when it drew the final hand (after the cards were held), it would decide on a random basis to redraw the hand if it was a winner. If it was paying out too much, it would gradually redraw the hand more often until it was back to the right payback.

      Anyway, one of the problems we had was that our payout amount field was only 4 digits for a maximum of 9999 coins. The problem was that you had the option to play up to 50 coins at a time, and the highest payout odds were 500 to 1. So management had me make the machine NEVER pay out the big winner if you bet 20 coins or more to avoid the problem.

      The latter was probably illegal, but this company was pretty shady. I didn't work there for very long, and they went bankrupt not long after.

      I still look at the machines in Vegas with suspicion, though. :)

      • Buddy, these days every line of code is audited by a Government agency, and if they find a backdoor or payout tweaking, you can kiss your licence goodbye (manufacturer), and they would not get a licence for the next 15 years in that jurastiction. Other jurastictions take note of these incidents, and audit the devision in their jurastiction. Since every manufacturer knows this, they have enourmous compliance departments whose sole job is to ensure the legality of the software.

        The government agencies these days also supply the random number generator to all manufacturers, and if the source code was displayed on the slot machines to every patron, and you had a BeoWolf cluster of G4's, it would take you 10^8 years to figure out the next RNG outcome, assuming you can hit the spin button with an accuracy of 250 micro seconds, which is when the RNG is reseeded.
  • by CySurflex ( 564206 ) on Friday November 01, 2002 @01:45PM (#4579560)
    There have been reported sightings of a pimply geek buying $3,000,000 worth of Doritos 3D, Moutain-Dew Code Red and 30 clustered Compaq Database servers - each with 3 GB of RAM, nVidia GeForce 4, 1TB SCSI HD, a Microsoft Side-Winder Joystick and a Dance Dance Revolution gaming pad.
  • by burgburgburg ( 574866 ) <splisken06&email,com> on Friday November 01, 2002 @01:45PM (#4579565)
    Professional wrestling.

  • Picking 4 Horses (Score:3, Interesting)

    by richlb ( 168636 ) on Friday November 01, 2002 @01:50PM (#4579604)
    If it turns out to be cheating, it just goes to show what happens when you want too much too soon. You know, just winning $1,000 or $10,000 probably wouldn't have raised an eyebrow.

    And, I wonder how often this bet hits? Technically, the bet was really picking the winner or 4 straight races, plus betting on every horse in next 2. I won a trifecta once that paid a cool grand. To think, if I'd only tried for one more......

    If they're guilty, they're idiots.
  • by Prince_Ali ( 614163 ) on Friday November 01, 2002 @01:51PM (#4579609) Journal
    A lot of people make a lot of money on internet gambling sites without breaking a single law. The people who play online poker suck so bad compared to professional poker players that it is like printing money for anyone who plays the game seriously. I suck which is why I don't play, but a lot of people are willing to give up there hard earned money to a redneck who has played poker since before he could write.
    It may not get you $3M, but they won't have to work anymore, and they don't get put in FPMA prison.
    • Yeah, but "professional" poker players are dweebs and geeks on a scale to make Everquest players look like well-adjusted humans. At least they talk to one another and have fun, instead of a few words before eating a greasy comp "meal" at Binion's snack bar before heading to the tables for an 8-hour shift cooperating with their cronies to throw jackpots.
  • by Anonymous Custard ( 587661 ) on Friday November 01, 2002 @01:52PM (#4579617) Homepage Journal
    This is, just as the article said, a misuse of power, rather than a skillful hack. If I remember, isn't hacking usually prosecuted over the fact that the person obtained illegal access by knowingly circumventing security measures? He was given clearance as part of his job; he misused his security clearance, he didn't gain unauthorized access.

    In any case, I'm surprised that ANYONE has the access to modify bets. Shouldn't that info be encrypted or protected or something, kind of like how your Bank's customer service rep can't look up your pin, but can only reset it to a new pin?
    • In any case, I'm surprised that ANYONE has the access to modify bets. Shouldn't that info be encrypted or protected or something

      Yeah, but then how would the employees be able to go in and create winning tickets after the fact?

      I mean, that's a perk for working at autotote, like stock options.
    • Re: (Score:3, Interesting)

      Comment removed based on user account deletion
      • "If it was indeed a hack/theft, it was someone with access to the code and/or database itself. Encryption doesn't do you much good, there."

        There are some ways in which it could help. For example, imagine a two machine setup where machine1 accepts bets and cryptographically signs them (including a timestamp) using a private key known only by machine1. Machine1 then passes the bet off to machine2 for a second timestap/signature and longer storage.

        Under this system, an attacker would have to subvert both machines in order to place a retroactive bet. If the attacker only subverts machine1, then the machine2 timestamp won't be correct for a bet supposedly placed in the past. If the attacker only subverts machine2, then the stored machine1 signature will be wrong.

        Of course to make the system viable, you have to implement policies to make it difficult for a single person to get access to both machines. If someone's responsible for uploading the final betting data to the track, for example, they'd only get access to machine2.

        It's not a panacea, and it also doesn't help that they're holding the bets until 4 of the races are done, but it does increase the difficulty of subverting the system if it's properly implemented.

  • VLT Backdoors? (Score:5, Interesting)

    by Rikardon ( 116190 ) on Friday November 01, 2002 @01:58PM (#4579666)
    Here in Alberta, Canada we have VLTs (Video Lottery Terminals) that let you play a number of different card games and other assorted forms of gambling on a touch-screen terminal. They're a HUGE profit center for the pubs and bars that host them, and for the provincial government. If I were a VLT programmer of questionable moral character, it would be awfully tempting to code a backdoor triggered by some easter egg-type series of screen touches that would let me score a couple hundred dollars at each terminal.

    Anybody ever heard of anything like this happening in real life? As an earlier poster said, if you kept your take down to a couple thousand a week, I think it would be pretty unlikely you'd get caught.
    • IIRC, someone did this with video poker in Vegas. A certain series of bet amounts (number of coins inserted) triggered a sure royal flush. They were smart, spread out the wins, and weren't caught for a long time.

      There have been a lot of very smart scams that were caught. It makes you wonder how many extremely smart scams were never caught. I remember watching a show about that stuff, and there was a security consultant with this quote: "A casino is the only place in the world where you can steal millions of dollars and if you do it right, no one ever notices that it's missing."
  • They want us to vote online?
  • Tuesday's elections

    Fortunately, all of those systems are closed, so I'm sure that security was motto number 1.

    Of course, motto number 2 was "Ignore motto number 1".

  • Nitpick / Details (Score:2, Insightful)

    by LookSharp ( 3864 )
    resulted in a series of six bets

    Was was reading this yesterday, it's actually interesting. It wasn't six bets, it was one bet on six consecutive races (called a Pick 6, apparently). The ticket cost over a grand just to purchase.

    Apparently, the winning ticket including the first 4 race winners, followed by picking every horse in the field for the 5th and 6th races. This was suspicious because the betting management company allows the bets to be submitted during simulcasting through the end of the 4th race to prevent system congestion, according to the article.

    The theory is that the employee submitted a fixed bet at the end of the 4th race. The ticketholder himself, apparently unrelated to the employee who is under investigation for fraud, claims that he is innocent, and is telling the company to put up some evidence or give him his 3 mils.

    I dunno about you, but I do detect a strong odor of fish. On the other hand, if the lottery hit for this guy and he is legit, more power to him.
  • Just wait... (Score:2, Insightful)

    OK, maybe there were some glitches with electronic betting. No big deal, it's only gambling on horses.
    Fortunately, such a thing could never happen with electronic voting machines.

    Right?

  • by El_Smack ( 267329 ) on Friday November 01, 2002 @02:03PM (#4579716)

    Tug on Superman's cape.
    Spit into the wind.
    Rip off the NY mafia to the tune of $3,000,000.
  • Worker Dismissed as Inquiry Widens Into Big Racing Bet

    By JOE DRAPE

    As the authorities investigated whether an exotic bet worth $3 million on last Saturday's Breeders' Cup horse races was rigged, the company that processed the wager said yesterday that it had fired a "rogue software engineer" who exploited a weakness in its system.

    The company, Scientific Games Corporation of New York, said it had turned over the employee's name and evidence of potential wrongdoing to the state police and state wagering officials.

    The employee attended Drexel University in Philadelphia with the winner of the bet, racing officials and a state investigator said.

    The head of the company, Lorne Weil, said the worker had the access and know-how to breach the system run by the company's subsidiary Autotote, which processes 65 percent of racing wagers in North America.

    Industry and law enforcement officials said that the F.B.I. had joined the police and the New York State Racing and Wagering Board in the inquiry of the wager, known as a pick six, which requires bettors to pick winners in six straight races. Payoff on the bet, made through the Catskill Off-Track Betting hub by telephone from Baltimore, has been held up.

    Investigators are also looking into whether there have been questionable payoffs at other tracks. "This goes beyond one afternoon and the East Coast," said an investigator, speaking on condition of anonymity.

    Though Mr. Weil tried to calm investors in his conference call yesterday, his disclosures pointed up the vulnerability of the $14.5 billion-a-year betting industry for which consumer confidence is crucial.

    As racing has become more reliant on off-track and telephone betting, it is also depending more on a network of computers that link tracks and off-track sites. If the systems are proved flawed, or susceptible to manipulation, it could scare off bettors worried about the integrity of the process.

    "There needs to be total review of the system so everyone can feel good and see that these things are not widespread," said Bill Nader, a New York Racing Association vice president. "Without integrity in the way a wager is processed, we don't have a sport."

    The case in question involves the pick six bet on the last six races of the Breeders' Cup, horse racing's season-ending championship. The entire winning pool was held by Derrick Davis, a 29-year-old Maryland man who made the bets by phone.

    Investigators are looking into whether the computer system was manipulated so that a bet made after several races had been run would appear to have been made beforehand.

    Though Mr. Weil did not name the dismissed employee, the state investigator and racing officials identified him as Chris Harn, 29, who worked in Autotote's offices in Newark, Del.

    Mr. Davis owns a Baltimore-based computer networking business, Utopian Networks Inc., but said yesterday that he was a knowledgeable bettor whose winning tickets were legitimate. "I didn't do anything wrong here," he said, refusing to elaborate and referring questions to his Baltimore lawyer, Steven A. Allen. Mr. Allen said his client was cooperating with the authorities and had nothing to hide.

    "He is caught in the middle of a maelstrom," Mr. Allen said. "As far as he's concerned, he made a legitimate bet. The race was run, and he won, and he should have received his payoff. And that should have been the end of it. Now, instead, there's an investigation, people are making a variety of wild accusations, and his reputation is being sullied for no good reason."

    Thomas Davis, Derrick's father, said his son grew up in Baltimore and attended engineering school in Pennsylvania, but would not be more specific. "I just think it's like the equivalent of his hitting the lottery," the father said. "I know in the bottom of my heart that it's a legitimate bet."

    Stacy Clifford, a spokeswoman for the state wagering board, would not comment on the personnel involved in the investigation or its progress.

    "The board routinely involves other organizations in its investigations and will involve law enforcement if it feels appropriate," she said. "They fired this person in connection with what happened Saturday, and since we're investigating what happened Saturday, we're certainly looking into it."

    What started the investigation last Sunday was the configuration of the winning tickets and that they belonged to one bettor, Mr. Davis, who called his bets in by phone to the Catskill OTB hub, one of five regional corporations that, with New York City OTB, handle off-track bets in New York.

    The winning tickets featured "singles," or races with only one horse selected, in the first four legs of the ticket, and then every horse in the final two races. On a $2 ticket, those combinations and strategy cost $192.

    Mr. Davis bet a $12 pick-six ticket, or played that exact combination six separate times, costing him $1,152. It was a highly unusual strategy for betting the pick six -- horseplayers like to cover as many combinations as possible -- and the configuration raised suspicions of New York Racing Association officials, who alerted Breeders' Cup Ltd. and the state wagering board.

    Mr. Davis had opened the Catskill OTB account within two weeks of the Breeders' Cup, had deposited money on five occasions -- four increments of $500 and one of $250 -- but had not made a bet until that pick six, according to investigative sources.

    The six winning tickets were each worth $428,392. In addition, by including every horse in the last two races, the bettor collected 108 of the 186 consolation payoffs for hitting five of six winners; each consolation ticket was worth $4,606.20.

    After an initial review on Monday, officials for Autotote and Catskill OTB said the tickets were recorded about 20 minutes before the first leg and appeared legitimate. But after further review, Mr. Weil said, the company determined that the fired employee had taken advantage of a weakness in the processing of bets.

    While the tickets were logged and totaled at satellite sites such as Catskill OTB, they were not transferred to the host site, Arlington Park outside Chicago, until after the fifth race when the exact bets were verified. In this state of limbo, Mr. Weil said, the employee, who had the password to the data system, was able to alter the ticket after the results of the first four races of the pick six were known.

    When Scientific Games announced the firing, trading in its stock was suspended on Nasdaq for more than 20 minutes. The stock closed at $7.62, down 57 cents. Mr. Weil maintained he was confident Autotote's systems were impenetrable to outside hackers.

    "I think people see this for what it is -- a rogue individual bound and determined to exploit the only weak link we see in the system so far," he said.

    • Obligatory request to MOD THIS DOWN!

      NY Times only asks that you spend 30 seconds of your life to make a login. They don't spam you and they won't sell your e-mail. Support the media when they create something you're actually interested in. CLICK ON IT... or just go to the Google link. Or DON'T READ IT!

      An interesting question: Why can't Slashdot get a partner link like Google has.

      Feel free, to mod ME down with the above post.
  • I have several friends who work for Autotote (as well as some who work for Amtote) and they're all laughing their asses off over this whole thing; especially the media coverage.

  • by Embedded Geek ( 532893 ) on Friday November 01, 2002 @02:10PM (#4579766) Homepage
    I work for a major supplier of in flight entertainment systems and we are always getting pressure from customers (especially on the Pacific Rim) to implement in flight gaming (i.e. electronic poker or slots). While some of our competitors have dipped a toe into this, we have pretty much steered clear to date.

    The fact is that implementing a gaming system is a nightmare, be it on the ground or in the air. IMHO, quite a bit more difficult than point of sale or banking systems. In addition to being secure, it's gotta be completely fail safe (so if a passenger's terminal goes down seconds after a jackpot he won't loose his winnings and take it out on the cabin crew). Also, it's going to be transaction heavy - hundreds of smaller, individual bets over a gambling session as opposed to, say, a higher end credit card transaction every minute at a department store cash register. If you add in the fact that gambling is a potentially addictive activity that piques the interest of organized crime, you have a recipe for any disaffected insider to slip in hacks and back doors.

    On the whole, I'm not surprised that someone corrupted a gambling system. I'm just surprised that this doesn't make the newspaper more often.

    • I am sure you are perfectly right in that it is a royal pain in the butt to get an inflight gambling sytstem to work properly.

      That being said, I am sure it is just a matter of time before it is commonplace. The payoff is just too high, and the airlines are just too hard pressed to let go of a profit opportunity like this.

      Tor
  • Software is insecure (Score:4, Informative)

    by adb ( 31105 ) on Friday November 01, 2002 @02:11PM (#4579768)
    Also, the ocean is wet, and there is porn on the internet.

    Just so you know.
  • by oiuyt ( 128308 )
    Next we'll find out that people cheat on things that DON'T pay like SETI@HOME stats....


    -B

  • Vulnerable, Period (Score:5, Insightful)

    by gradji ( 188612 ) on Friday November 01, 2002 @02:13PM (#4579786)
    I'm trying to figure out why people think computerized betting is any more vulnerable to fraud than the non-computerized variety.

    The Breeder's Cup incident was an inside job! There have been numerous Casino incidents where employees have tried to scam their employers. A security system is only as good as the people with whom the system is entrusted. This is true for physical security as well as computer security.

    Lastly, criminals are not, inherently, stupid. It only seems like that as the stupid ones are the ones that usually get caught. Borrowing from Kaiser Sousay (Kevin Spacey) in Usual Suspects : the greatest trick a master criminal has ever pulled is convincing the world that a crime has not been committed.
    • Borrowing from Kaiser Sousay (XXXXX XXXXXX) in Usual Suspects

      Doh, and thanks for spoiling the movie for anyone who might not have seen it.
  • This guy had better be very careful in the next few years, no matter what happens in court - the sort of folks who are involved in gambling are not known for taking such matters lying down.

    He may very well wake up one morning with a horse's head in his bed.

    Or more probably, wake up to that particular clammy feeling one gets from freshly mixed cement around one's body....
  • by voice of unreason ( 231784 ) on Friday November 01, 2002 @02:18PM (#4579837)
    In other news, shortly after being dismissed the former employee had an unfortunate accident resulting in the breaking of both his kneecaps.
  • by kelleher ( 29528 ) on Friday November 01, 2002 @02:19PM (#4579844) Homepage
    Two relavent bits of info:
    1) They fired the QA department due to cutbacks over a year ago.
    2) There is no "Production Control" group. The same people who develop the apps support them (with little to no oversight). They have never had a way of preventing this type of fix.
  • by bshroyer ( 21524 ) <bret AT bretshroyer DOT org> on Friday November 01, 2002 @02:30PM (#4579933)
    It's organized crime that's going to get him. Revenge.

    I see evidence that this guy is pretty lame - he's dumb enough to screw up a good scam his first time out by shooting for the moon. We can't assume that a novice is the first person to find this scam, but AutoTote indicates he's the first to be caught.

    I'll wager dollars to doughnuts that he's just closed the loop on a lucrative betting system being utilized by any number of "organized" gamblers, and will be hearing from a guy named Vito in the near future.
  • It was not a matter of just getting one lucky bet right.

    In the Pick-6 scheme, you get a jumbo prize if you pick all 6 winners correctly.

    What this guy did was buy a number of bets - each for $12 (that's probably all he had available). In each of the bets, the winners of the first 4 races were the same and he chose every possible combination for the winners of the last 2 races. Sounds like he knew who was winning the first 4 races and bet on every possible outcome for the last 2.
  • So from the article we can deduce there is a disconnect between the actual placing of the bet to the actual determination of a payoff. What they need is a chain-of-evidence system, so that bet's are placed (stored securely), once the race is closed for betting, the records should be posted to a new server (stored securely), then finally at payoff, the two records should be verified to have have been tampered with. Of course, this Engineer could have known both databases, but in this case you could insure no one person has rights to both databases. Of course a conspiracy of two is possible. My final problem with this is what about a one-way hash on these things: hasn't Kumar in India ever read about database encryption, why should an Engineer be allowed to see the plain-text record anyway? Otherwise you set HORSE_NBR = 5 (High Chapperal).
  • handicapping is a lot like the game of Go. Its all about pattern recognition. What the patterns translate to.Computers have a hell of a time being good at it.
  • This reminds me of a similar story [wired.com] about a programmer for GameTech rigged their bingo machines to let him cheat.

    Is there some development methodology or practice a company can implement to protect itself from "rogue" programmers like this? The NSA / CIA / FBI / Pentagon must have software that they want to guarantee is uncompromised. How do they do it?

He has not acquired a fortune; the fortune has acquired him. -- Bion

Working...