Caught Stealing

And it’s all perfectly legal, because it’s all in the math.

A game with a windfall for a knowing few

Billy’s Beer and Wine sold exactly $47 worth of lottery tickets the day before Marjorie Selbee arrived, just another sleepy day for the liquor store in this tiny Western Massachusetts town. But from the moment the 70-something woman from Michigan entered the store early July 12, Billy’s wasn’t sleepy anymore.

Over the next three days, Selbee bought $307,000 worth of $2 tickets for a relatively obscure game called Cash WinFall, tying up the machine that spits out the pink tickets for hours at a time. Down the road at Jerry’s Place, a coffee shop in South Deerfield, Selbee’s husband, Gerald, was also spending $307,000 on Cash WinFall. Together, the couple bought more than 300,000 tickets for a game whose biggest prize – about $2 million – has been claimed exactly once in the game’s seven-year history.

But the Selbees, who run a gambling company called GS Investment Strategies, know a secret about the Massachusetts State Lottery: For a few days about every three months, Cash WinFall may be the most reliably lucrative lottery game in the country. Because of a quirk in the rules, when the jackpot reaches roughly $2 million and no one wins, payoffs for smaller prizes swell dramatically, which statisticians say practically assures a profit to anyone who buys at least $100,000 worth of tickets.

During these brief periods – “rolldown weeks” in gambling parlance – a tiny group of savvy bettors, among them highly trained computer scientists from MIT and Northeastern University, virtually take over the game. Just three groups, including the Selbees, claimed 1,105 of the 1,605 winning Cash WinFall tickets statewide after the rolldown week in May, according to lottery records. They also appear to have purchased about half the tickets, based on reports from the stores that the top gamblers frequent most.

See also:
Elderly Couple Games Lottery, Wins Millions
Elderly Couple Finds Loophole In Massachusetts Lottery
How to Win the Lottery: Couple Profited From Quirk in Massachusetts Cash WinFall Game
Beating the System: Couple Spends $600,000 to Win Lottery Millions
Talk about making your own luck! Elderly couple who spent $600,000 on lottery tickets to win millions in prizes
Massachusetts Lottery Loophole Virtually Guaranteed a Profit
Massachusetts Lottery Players Exploit Game for Profit
How three groups collected almost 70% of lottery winnings
Gamblers find loophole in Mass. lottery game
Lottery scheme appears to cause trouble for area outlets
Massachusetts restricts lottery ticket sales after couple cracks secret to winning millions
Lottery restricts high-level players
Broken Lotteries

How stupid is Massachusetts for not catching this after the first time? Limiting the amount of tickets an outlet can sell in a day now is a lot like closing the barn door after the horse is long gone.

/oh well, all good things must come to an end and the Selbees are laughing all the way to the bank

Let’s Play ATM Or Slot Machine?

Barnaby Jack is at it again.

Researcher Demonstrates ATM ‘Jackpotting’ at Black Hat Conference

In a city filled with slot machines spilling jackpots, it was a “jackpotted” ATM machine that got the most attention Wednesday at the Black Hat security conference, when researcher Barnaby Jack demonstrated two suave hacks against automated teller machines that allowed him to program them to spew out dozens of crisp bills.

The demonstration was greeted with hoots and applause.

In one of the attacks, Jack reprogrammed the ATM remotely over a network, without touching the machine; the second attack required he open the front panel and plug in a USB stick loaded with malware.

Jack, director of security research at IOActive Labs, focused his hack research on standalone and hole-in-the-wall ATMs — the kind installed in retail outlets and restaurants. He did not rule out that bank ATMs could have similar vulnerabilities, though he hasn’t yet examined them.

The two systems he hacked on stage were made by Triton and Tranax. The Tranax hack was conducted using an authentication bypass vulnerability that Jack found in the system’s remote monitoring feature, which can be accessed over the Internet or dial-up, depending on how the owner configured the machine.

Tranax’s remote monitoring system is turned on by default, but Jack said the company has since begun advising customers to protect themselves from the attack by disabling the remote system.

To conduct the remote hack, an attacker would need to know an ATM’s Internet IP address or phone number. Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine’s proprietary protocol.

The Triton attack was made possible by a security flaw that allowed unauthorized programs to execute on the system. The company distributed a patch last November so that only digitally signed code can run on them.

Both the Triton and Tranax ATMs run on Windows CE.

Using a remote attack tool, dubbed Dillinger, Jack was able to exploit the authentication bypass vulnerability in Tranax’s remote monitoring feature and upload software or overwrite the entire firmware on the system. With that capability, he installed a malicious program he wrote, called Scrooge.

Scrooge lurks on the ATM quietly in the background until someone wakes it up in person. It can be initiated in two ways — either through a touch-sequence entered on the ATM’s keypad or by inserting a special control card. Both methods activate a hidden menu that allows the attacker to spew out money from the machine or print receipts. Scrooge will also capture track data embedded in bank cards inserted into the ATM by other users.

To demonstrate, Jack punched the keys on the keypad to call up the menu, then instructed the machine to spit out 50 bills from one of four cassettes. The screen lit up with the word “Jackpot!” as the bills came flying out the front.

To hack the Triton, he used a key to open the machine’s front panel, then connected a USB stick containing his malware. The ATM uses a uniform lock on all of its systems — the kind used on filing cabinets — that can be opened with a $10 key available on the web. The same key opens every Triton ATM.

Two Triton representatives said at a press conference after the presentation that its customers preferred a single lock on systems so they could easily manage fleets of machines without requiring numerous keys. But they said Triton offers a lock upgrade kit to customers who request it — the upgraded lock is a Medeco pick-resistant, high-security lock.

. . .

Jack said that so far he’s examined ATMs made by four manufacturers and all of them have vulnerabilities. “Every ATM I’ve looked at allows that ‘game over.’ I’m four for four,” he said at the press conference. He wouldn’t discuss the vulnerabilities in the two ATMs not attacked on Wednesday because he said his previous employer, Juniper Networks, owns that research.

Jack said his aim in demonstrating the hacks is to get people to look more closely at the security of systems that are presumed to be locked down and impenetrable.

See also:
Bunker-busting ATM attacks show security holes
Hacker breaks into ATMs, dispenses cash remotely
Security researcher demonstrates ATM hacking
Black Hat: Hacker Tricks ATMs Into Raining Cash
Researcher shows how to hack ATMs with “Dillinger” tool
Armed with exploits, ATM hacker hits the jackpot
Powered By Microsoft Windows
IOActive Labs
Tranax Technologies
Triton Systems

All your ATMs are belong to Barnaby Jack!

/I’ll bet Barnaby is really well paid and gets plenty of job offers from the Black Hats as well as the White Hats