Or does it?
A $16.5 million lottery jackpot won in 2010 appeared to be a typical case of such luck, but the win has led to an exhaustive investigation into at least a half dozen lottery scores.
The multiyear investigation into the HotLotto scandal resulted in the 2015 conviction of Eddie Tipton, the former security director of the Multi State Lottery Association (MUSL), who was found guilty of rigging the random number generator used by several state lotteries.
The investigation also uncovered several other questionable jackpots dating back to 2008. Tipton, his brother Tommy, and several other accomplices appear to have reaped the rewards of several rigged drawings over the years, and are now facing additional charges.
Most troubling of all, the rigged lottery occurred in a regulated environment. For this reason, the MUSL scandal should cause regulators in legal online gaming markets to take notice.
After all, if it can happen to a regulated lottery, what’s to stop a rogue programmer from doing the same in a state with regulated online gaming?
To be clear, New Jersey’s online gaming regulations and consumer protections have proven extremely effective.
Over the industry’s near 30-month existence, there hasn’t been a single confirmed case of an underage player gaining access to a licensed online gaming site. Nor has there been a confirmed case of a geolocation failure or money laundering.
By almost any metric, the regulations are not only working, they are working perfectly.
That being said, independent oversight only goes so far, and there is more to online security than geolocation and know-your-customer checks.
“When iGaming security is discussed at conferences and referenced by regulators, the most common subjects that come up are know-your-customer (KYC) and geolocation… It is something visible that politicians and other stakeholders can easily see,” Gus Fritschie, a CTO and gaming security expert explained.
“What is more difficult to grasp is how secure the servers, IT infrastructure, and gaming application itself are,” Fritschie, a cofounder of SeNet International, added.
Fritschie was clear that the New Jersey Division of Gaming Enforcement has done “an excellent job requiring more in-depth annual IT security testing and establishing some minimum guidelines,” but added that the costs can be prohibitive and overburden operators.
“Unfortunately, operators are only going to do so much before they push back,” Fritschie said.
While he doesn’t believe there is a security deficiency, he does feels there is a false sense of security.
“I can speak specifically about New Jersey as that is where we have performed most of our testing in a regulated environment,” Fritschie noted. “An item that does not seem to get examined (at least my firm has not been requested to perform it the past two years) is a security code audit.”
Using past examples from online poker and the ongoing the HotLotto scandal, Fritschie detailed how security audits could help prevent future incidents, and how such an audit would have likely uncovered the shenanigans occurring at the MUSL.
“We in the online poker industry know too well the story of UB and Absolute Poker and the super-user scandal,” Fritschie said. “Now if annual security code audits were required at that time (and now), there is a greater chance this would have been detected.”
“In the HotLotto case, an insider added code to the RNG software that allowed him to predict winning numbers in certain lotteries,” Fritschie continued. “These RNGs had been certified by one of the testing labs, however, they concentrated on review of the randomness and not a security code audit that would have detected the logic bomb that had been implanted.”
Fritschie’s firm was able to reverse engineer the application Tipton utilized, and it was their review that discovered how the back door was used and led to the additional charges.
As a security analyst, it’s Fritschie’s job to identify any legitimate threat, and he sees them everywhere.
“I don’t think this is limited to just iGaming,” Fritschie said. “eSports is another rising sector and has some of the same concerns and risks… [and] if we look at other industries and their regulations (i.e. government and FISMA, PCI and credit card, and HIPAA and health care) I think we see some of the same risks.”
“My concern is that a similar circumstance could happen in the iGaming sector with their RNGs or software,” he concluded. “I am always reminded of this statement: ‘being compliant does not equal security, but if you are secure you will be compliant’… This is the message that I preach and that I hope iGaming operators adopt.”
From Fritschie’s perspective, the solution is to educate stakeholders that compliance isn’t a matter of going through the motions.
“Specifically as it relates to iGaming, I believe that more tangible and specific security controls need to be established that operators are required to comply with and that can be audited by an independent third-party,” he said, citing some of the existing benchmarks, such as the National Institute of Standards and Technology’s Security and Privacy Controls for Federal Information Systems.
The key, according to Fritschie, “is ensuring that operators actually implement these controls and perform continuous monitoring to verify their effectiveness rather than just performing a paperwork exercise.”