whose tax money?
I expect the Casino generates more tax revenue than you or I do.
A pair of UK hackers who used false betting slips in a bid to con casinos into paying out on bogus gambles were undone by greed and a schoolboy maths error, a court heard. Andrew Ashley, 30, and Nimesh Bhagat, 31, were each handed a suspended jail sentence of one year after they pleaded guilty to theft over a plot involving …
Why not? Hackers aren't some sort of super intelligent criminal you know.
In fact I would argue that programmers as a whole are more prone to silly mistakes like this than just about any other profession. They get too wrapped up in technicalities and overlook the practicalities of the real world.
This pair of jokers commit actual, quantifiable and significant theft and they get little more than a wrist slap. But logging into insecure servers to look for evidence of aliens, where the only thing damaged was the Pentagon's ego and you face extradition and a 70 year stretch?
"...was investigated by Scotland Yard's clubs and vice unit. Police used CCTV footage from roulette table terminals at the casino and computers seized from the men's homes in unravelling the case"
CCTV footage of the table terminals? Computers seized? WTF? The only thing that unravelled in this case was how thick everyone involved was. The Casino for paying out on unverified slips. The thieves for such stupid mistakes - a tenner at 35 to 1 != 600, ffs! The cops for being unable to prosecute such an open and shut case without CCTV footage and seizure warrants. (I wonder how much overtime was involved?) And the Judge who ordered £32,000 restitution for a £33,000 theft.
It's a crime involving computers, therefore it's perfectly reasonable to suspect that the criminals may have used (shock horror) their computers to help commit the crime.
Surprisingly, criminals often keep records of their crimes, chat logs whilst collaborating with their partners in crime etc. so it's not exactly unreasonable for the police to seize them as evidence.
In fact, it would have been bloody incompetent for the police not to seize because the idiots committing the crime could have been doing this in other casinos that hadn't worked it out yet.
As for the CCTV footage, same applies, if there's good evidence that supports the charges then you damn well use it to secure a conviction. It's not as if the casinos don't have the cameras already and keep very comprehensive records of everything that goes on. If you've never seen back of house at a casino then I suspect you're touchingly naive in that matter, whilst it may not be Ocean's thirteen, it's most definitely not low tech.
I suspect the 'restitution' is either victim to a rounding error or there may have been reasonable doubt as to the total money stolen or, shock, it's just a mistake in the original article or source for the article.
Under UK law, gambling has no legal basis. If you take a bet, you're under no obligation to pay out to the person who placed the bet. I spose the legality in this case is that the casinos didn't take the bets in the first place, but it's still a bit iffy - like going to Trading Standards and complaining that your dealer had sold you an Oxo cube instead of hash.
I find it surprising that the only reason they were caught in this scam was because of the mis-matched payout amount. What controls are in place to identify ticket forgery?
I have been to many casinos where all slot machines print these tickets with barcodes and payout amounts. What's in those barcodes? How easy would it be to trick a slot machine into reading a forged ticket with $10,000 in credit, play one round and collect your payout... on a brand new slot-machine generated and watermarked (if they do in fact watermark such things) ticket?
Also, I'm surprised there haven't been more advanced slot machine hacks out there. You've got a room with thousands of embedded Linux devices all networked together. Why hasn't anyone developed a hack that exploits a member benefits card reader vulnerability?
"I have been to many casinos where all slot machines print these tickets with barcodes and payout amounts. What's in those barcodes? How easy would it be to trick a slot machine into reading a forged ticket with $10,000 in credit, play one round and collect your payout... on a brand new slot-machine generated and watermarked (if they do in fact watermark such things) ticket?"
I would guess it's just a database key. You then do something like
SELECT * FROM winning_tickets WHERE barcode = 'whatever';
A made-up barcode can be spotted by not having a matching record in the database. There probably will also be a field to indicate whether the amount has already been paid out or not.
"Also, I'm surprised there haven't been more advanced slot machine hacks out there."
I'm not. The adversarial relationship between users and operators keeps everything sweet. It's simple: Pay out too much and you become instantly unpopular with casino / amusement arcade / chip shop owners (therefore you don't sell so many machines); pay out too little and you become instantly unpopular with punters, leading to unpopularity with casino / amusement arcade / chip shop owners (therefore you don't sell so many machines). The only way to survive in that market is to pay out fairly, and be as secure as possible against any subversion attempt.
I have never seen a cashier scan a payout ticket with a barcode reader before handing me cash (at least at the casinos around here). Even if they do tie each ticket to a database key, there may still be holes in the process. i.e., you legitimately put a lot of money into a slot machine, play a couple rounds, cash out, take the ticket home, dupe it, and then have two people bring it to a cashier simultaneously. You just doubled your money.
You would think that the adversarial relationship between users and operators would keep voting machines secure too!
Even if the embedded Linux devices/slot machines are relatively secured, there's a lot of complex infrastructure behind them that might not be. If banks and voting machines can get it wrong, I'm betting slot machines aren't 100% perfect either!
"you legitimately put a lot of money into a slot machine, play a couple rounds, cash out, take the ticket home, dupe it, and then have two people bring it to a cashier simultaneously." -- er, nope. On serial data lines, there is no such thing as "simultaneously". One of the tickets will *always* be seen before the other one.
"You would think that the adversarial relationship between users and operators would keep voting machines secure too!" -- except there *isn't* an adversarial relationship between voters and councils, which is part of the reason why voting machines are insecure.
There *is*, however, an adversarial relationship between candidates in the election; which is why, in civilised countries, votes are counted by hand by the candidates. None of them trust any of the others, so the only way they can ever agree on a result is if it's true.
"I have been to many casinos where all slot machines print these tickets with barcodes and payout amounts. What's in those barcodes?"
Being as I work in the industry, I can answer that. When you cash out one of those machines, the machine sends the credit amount to a server, which enters it in a database and returns a large hashed number to be printed on the ticket. The ticket is usually redeemed in another machine, that sends the hashed number and receives an amount in return from the server. If not by machine, it gets scanned by an attendant, in which case if the server's amount differs from what's printed on the ticket there's trouble ahead for someone.
However ... I was in a casino recently when the ticket server went down. The machines still issued a cash out ticket, but none could be redeemed except at the cage, where the attendants dealt with a long line of irritated and impatient people by paying out at face value. THAT would have been a good day to have a laptop and ticket printer in your car.
I think I'll post AC in case anyone actually did that.
"On serial data lines, there is no such thing as "simultaneously". One of the tickets will *always* be seen before the other one."
Serial data line? Are you assuming that there is only one cashier and that tickets are scanned before a payout is made? In the scenario I'm describing, there are multiple cashiers and desks throughout the casino, and they all seem to put the tickets in a pile without entering them into the system. Unless there is a camera processing the barcodes... which is possible, then they are just reading the payout amount directly from the ticket and handing you the cash.
"except there *isn't* an adversarial relationship between voters and councils"
But there wouldn't be such a relationship between voting machine vendors? We're not talking about a method of counting votes (or gambling) we're talking about the competition for quality of products within that method. It sounds like your point is that slot machines are inherently secure because of the relationship between users and casinos and that voting machines are inherently not secure because of an analogous relationship between voters and election commissions. That doesn't make sense at all buddy. It assumes that all vulnerabilities and attack vectors are known or can be trivially remediated... and really that's the reason why casinos could be in trouble, because they think they understand all the attack vectors and vulnerabilities. They install cameras all over the place and only keep cash in hardened locations within the building. That's a physical security control, not an integrity control.
I work for a company that sells a player tracking system to casinos. The barcode is a validation number. It, plus the date and time (down to the second) the ticket was generated, the amount plus other factors must match what's in the database for another slot machine to accept the ticket. Same thing happens when a ticket is taken to the cage to be cashed where the cashier scans the barcode into her program. In short, it is pretty much impossible to create a fake ticket and have it cashed.
---
"However ... I was in a casino recently when the ticket server went down. The machines still issued a cash out ticket, but none could be redeemed except at the cage, where the attendants dealt with a long line of irritated and impatient people by paying out at face value. THAT would have been a good day to have a laptop and ticket printer in your car."
That sometimes happens, however... If the ticket is for a larger than specified amount a manager must approve it and if anything looks fishy, you'll have to wait until the system comes up. After it's up, then all the tickets are scanned and if a bogus one is found, the security tape is checked (you're recorded on multiple cameras throughout the casino starting when you step through the door) to find who brought it up. They'll find you.
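
The server-side checks described in the comments above (a stored record matched on validation number, amount and issue time, and a ticket that can be paid only once even if two copies are presented), sketched as an added example that is not part of any comment or any vendor's code. The table and column names, the 18-digit number format and the sample values are assumptions made for illustration.

```python
import secrets
import sqlite3

def open_ledger():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE tickets (
        validation   TEXT PRIMARY KEY,
        amount_pence INTEGER NOT NULL,
        issued_at    TEXT NOT NULL,
        redeemed     INTEGER NOT NULL DEFAULT 0)""")
    return db

def issue(db, amount_pence, issued_at):
    # Validation number comes from the OS CSPRNG, so it cannot be derived
    # from the amount or time printed on the ticket (assumed 18 digits).
    validation = "".join(secrets.choice("0123456789") for _ in range(18))
    db.execute("INSERT INTO tickets (validation, amount_pence, issued_at) "
               "VALUES (?, ?, ?)", (validation, amount_pence, issued_at))
    db.commit()
    return validation

def redeem(db, validation, printed_amount, printed_time):
    # One conditional UPDATE both checks and marks the ticket: of two copies
    # presented at different desks, only the first can change the row.
    cur = db.execute(
        "UPDATE tickets SET redeemed = 1 WHERE validation = ? "
        "AND amount_pence = ? AND issued_at = ? AND redeemed = 0",
        (validation, printed_amount, printed_time))
    db.commit()
    if cur.rowcount == 1:
        return "PAY"
    # Nothing updated: work out why, so the cashier gets a reason.
    row = db.execute("SELECT amount_pence, issued_at FROM tickets "
                     "WHERE validation = ?", (validation,)).fetchone()
    if row is None:
        return "UNKNOWN"            # no such ticket was ever issued
    if row != (printed_amount, printed_time):
        return "MISMATCH"           # printed details differ from the record
    return "ALREADY_REDEEMED"       # genuine details, but a second copy

def demo():
    db = open_ledger()
    when = "2024-01-01T20:15:07"    # constructed sample timestamp
    v = issue(db, 35000, when)      # constructed ticket for 350.00
    return [redeem(db, v, 60000, when),            # altered amount
            redeem(db, v, 35000, when),            # genuine ticket
            redeem(db, v, 35000, when),            # duplicate of it
            redeem(db, "made-up", 35000, when)]    # never issued

if __name__ == "__main__":
    print(demo())
```

Paying at face value while the server is down skips every branch of `redeem`, which is why the last comment describes scanning all such tickets once the system is back up.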