Lottery security chief found guilty of hacking Hot Lotto to win $14.3 million

If you’re hired as the head of IT security for an association that runs lotteries, chances are that the requirement to stop people hacking your lottery is pretty high in the job description.

What is much less likely to appear in the list of duties you’re expected to fulfil is installing a malicious rootkit via a USB stick onto the lottery random-number-generating computer in order to fix the draw in such a way that you walk away with the multi-million dollar prize.

And yet, that’s what 52-year-old Eddie Tipton did at the Multi-State Lottery Association (MUSL), which runs major lotteries across the United States, including Hot Lotto, Mega Millions and Powerball.

This week a court decided that Tipton planted malware onto the lottery computer that he was supposed to be protecting, allowing him to calculate the winning numbers for Iowa’s Hot Lotto draws in advance.

As we previously reported on Hot for Security, on December 23 2010 a hooded figure walked into the Quick Trip store on East 13th Street, off Interstate Highway 80 in Des Moines, Iowa, and bought what turned out to be the lottery ticket.

When, after almost a year, the ticket which had won $14.3 million was finally claimed anonymously, investigators’ suspicion was aroused.

CCTV footage of the lottery ticket’s purchase was released by the authorities, ultimately bringing Tipton’s name to the attention of the authorities after a co-worker identified him.

There is one piece of digital evidence that can hurt the defense and Tipton’s credibility: his cell phone records. They show he was in Iowa when the tickets were purchased and not in Texas, where he claims to have been instead.

Despite attempts to receive the lottery wins via a complex network of lawyers and intermediaries, the money was never paid out, and Tipton was charged with fraud.

In his defense, Tipton claimed he had been in Texas at the time the winning lottery ticket had been purchased in Des Moines, Iowa, but his cell phone records told a different story.

As one of only four or five staff with security clearance to the lottery’s so-called “draw room”, a self-declared fascination with rootkits, and video evidence that Tipton entered the room on November 20, 2010 as cameras recorded only one second every minute rather than running continously, things were never looking great for the chief of IT security.

After a week-long trial, Tipton was found guilty of two counts of fraud. He is due to be sentenced at a hearing on September 9th, and could face up to 10 years in prison.

Iowa Lottery CEO Terry Rich released a statement, reported by The Des Monines Register, attempting to reassure members of the public that the lottery could be trusted:

“Our lottery has strong layers of security to protect lottery players, lottery games and lottery prizes,” Rich said. “This case has provided our lottery with an opportunity to better pinpoint potential security risks and update our procedures to protect against them.”

However, there seems to be no denying – even if the ill-gotten lottery winnings were never paid out – that security at the lottery *had* failed.

An individual was able to make unauthorised changes to the computer generating the supposedly random numbers for the lottery – changes which went unnoticed for some time.

It was only red tape involving the pay-out of the large cash prize that prevented the fraud from succeeding.

And, as with the high profile hacks of Ashley Madison and Hacking Team, it seems that once again the thing to worry about may have been the insider threat of rogue employees or contractors rather than the risk of being breached by strangers.

Leave a Reply