A recent article by Brendan Koerner published on the website of Wired Magazine is an interesting look at how the laws of one country affect the security of proprietary information in other countries, and how that information can be exploited. This is a summary of the article and I would encourage everyone to check out the full article, which is linked at the end of this post.

In 2012, Austrian-made Novomatic slot machines in Europe began losing money consistently, even though nothing appeared to have been altered in the machines themselves. In 2014, Australian-made Aristocrat Mark VI slot machines in US casinos across the country started making excessive payouts with no sign of tampering. Casino security noticed that before a machine started losing money, an individual would play the machine while holding his phone unusually close to it. Later that individual would return to the machine and, with phone in hand, would start a winning streak, often stopping just short of winning a thousand dollars. Then he would go to another machine he had visited earlier and experience another thousand-dollar winning streak. Then he would visit another machine, and another, each with the same result. At the end of the day he would leave the casino over $20,000 richer. Not bad for someone playing machines with random results each time a lever is pulled or a button is pressed.

Except that the results aren’t truly random. Human-created software and algorithms have a hard time being truly random. In a slot machine, randomness is imitated using an algorithm, which starts with a number and then applies a predetermined formula that uses various inputs from the machine’s internal systems. For example, if you start with the number 12 and multiply it by the number of seconds that have passed since midnight, you will get a different number each second. To make the results appear random, add in more mathematical operations and some additional inputs from other systems, and then periodically change the number that the whole formula starts with. The result of the algorithm is used by the machine to determine where the reels stop and whether you win or lose.

To crack the code and be able to predict results, you would have to know what the formula is, what the inputs are, and what starting number is being used. This is impossible… unless you have unfettered access to one of the machines and a lot of technical skill.

In 2009, Russia implemented a series of laws that made gambling illegal and effectively shut down all casinos in Russia. The casinos limited their losses by auctioning off their equipment. Some of those machines were purchased by organizations that employed individuals with an abundance of technical skill. Soon those organizations were able to break the algorithms used by the machines, determine the pattern of starting numbers used, and figure out how often the starting number was changed. Shortly after that they started sending out operatives armed with cell phones. These individuals would use their phones to record the results of several spins on a select machine over a set period of time. The operative would then leave and send the recording to their base in Russia, where the results were fed through a program designed to determine where the slot machine was in the pattern of starting numbers. Once the machine’s position in the starting number sequence was known, the individual could return to the machine and then hit the spin button each time the app made the phone vibrate.
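Why a known formula with guessable inputs offers so little protection can be measured directly. The following is an added example, not code from the Wired article or from any slot machine: the toy generator, the SHA-256 mixing step, the range of starting numbers and the ten-minute clock window are all assumptions made for illustration. It audits how many hidden states remain consistent with a short run of visible outcomes and contrasts that with a draw from the operating system's cryptographic generator.

```python
import hashlib
import math
import secrets

SYMBOLS = 10  # constructed: number of stops on the toy reel

def spin(start: int, second: int) -> int:
    """Toy generator: mix a starting number with seconds since midnight."""
    digest = hashlib.sha256(f"{start}:{second}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % SYMBOLS

def observe(start: int, first_second: int, count: int) -> list[int]:
    """Outcomes of `count` spins, one per second, as anyone nearby can see them."""
    return [spin(start, first_second + i) for i in range(count)]

def consistent_states(observed, starts, seconds):
    """Audit: every (start, second) pair that reproduces the observed run."""
    return [(s, t) for s in starts for t in seconds
            if all(spin(s, t + i) == v for i, v in enumerate(observed))]

def state_bits(starts, seconds) -> float:
    """Size of the hidden state in bits, once the formula is known."""
    return math.log2(len(starts) * len(seconds))

def secure_spin() -> int:
    """Hardened draw: OS CSPRNG, no clock or small seed to enumerate."""
    return secrets.randbelow(SYMBOLS)

if __name__ == "__main__":
    starts = range(1, 257)             # assumed range of starting numbers
    seconds = range(42_600, 43_801)    # clock known to within ten minutes
    seen = observe(12, 43_200, 16)     # constructed sample: 16 visible outcomes
    print(f"hidden state: {state_bits(starts, seconds):.1f} bits")
    print("states matching the outcomes:", consistent_states(seen, starts, seconds))
    print("CSPRNG draw:", secure_spin())
```

Even with a strong mixing function, about 18 bits of hidden state are pinned down by a handful of public outcomes; the corrected design draws from a generator whose state cannot be enumerated.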

The takeaway: It’s not enough to rely only on the built-in security measures provided by the products you use. Stay in touch with security breaches that affect your major suppliers, customers, and competitors, even if they are in other countries. Fraudsters don’t care about borders.

Link to the original article: Russians Engineer A Brilliant Slot Machine Cheat – and Casinos Have No Fix