
Cracking the Scratch Lottery Code - karzeem
http://www.wired.com/magazine/2011/01/ff_lottery/all/1
======
nagrom
My favourite line in the whole article was about the way he alerted the
lottery board:

"The package was sent at 10 am. Two hours later, he received a call from
Zufelt. Srivastava had correctly predicted 19 out of the 20 tickets. The next
day, the tic-tac-toe game was pulled from stores."

I know that we're supposed to be fascinated by the statistical work done
cracking the code, but my real sympathy is for the head of security that
received that package. How do you react in such a situation?

As an aside, the statistician seems really cool too - it's a very forthright
interview and the article's much better than I expected. Both the statistician
and the author seem to be very surprised by the lack of concern shown for the
apparent evidence of security breaches. This, of course, has a direct analogue
with the way large multi-nationals treat computer security. I was only
surprised to get to the end of the article and not find that the statistician
had been threatened with prosecution or similar.

~~~
andyv
The last thing the lottery people want is a lot of attention to the flaws in
their games. Threatening the whistleblower would cause that.

~~~
patio11
The cynical bastard in me thinks that There Is A Chance To Beat The Lottery is
the best headline a lottery PR team could ever hope for. It is like card
counting in Vegas: a problem if and only if you can do it _well_.

~~~
SoftwareMaven
Except "counting the cards" in the lottery version is trivial compared to
doing it for real. Like the article said, he taught it to his eight year old
daughter.

~~~
patio11
Right: that is the perfect target for the math abilities of the average
lottery player. Do a controlled loss on one game, receive PR bonanza and watch
as millions of lottery winners learn how to "outsmart" the lottery, introduce
Game 2 with the same mechanic and cards which are countable in a fashion which
is not exploitable, and watch as ticket sales soar.

This would be evil, of course, but if you're running a lottery your entire
business is stealing money from poor people.

~~~
JacobAldridge
Not just poor people. The stoopid as well.

~~~
alttab
Now maybe smart poor people. This vision doesn't inspire.

------
notyourwork
Summary: If you are smart enough to crack the scratch off lottery you already
make enough income that cracking the scratch off lottery is not justifiable.

~~~
sethg
...but you can teach the technique to someone who is not so smart. Or you can
use the technique to launder money.

~~~
patio11
Or you could write a Beat The Lottery iPhone app. (OCR plus counting... I
somehow think they can make it work.) There are a variety of business models
available at that point.

~~~
bvi
Oh dear. Why do I sense an impending deluge of iPhone apps in this domain?

------
Xk
_In some states, the lottery accounts for more than 5 percent of education
funding._

Am I the only one who finds this ironic?

Edit: Except, of course, for those who learn to predict 19 of 20 tickets
correctly.

~~~
nfriedly
To make matters worse, my understanding is that when the state receives money
from the lottery for the schools, that money does in fact go to the schools...
and then an equivalent amount of money comes out of the school's budget and
goes into the state's general budget.

So, for example: if the school budget for the year is $5 million, and lottery
brings in $1 million for the school, the school doesn't get $6 million the way
a lot of people seem to think. The school gets $1 million from the lottery and
the state only has to pay $4 million out of the general budget.

~~~
ajju
Ha! So the lottery is paying for everything _but_ education.

------
lkozma
I find it strange that they don't use some true random source in generating
the tickets. I'm also surprised the article finds this obvious.

"Of course, it would be really nice if the computer could just spit out random
digits. But that’s not possible, since the lottery corporation needs to
control the number of winning tickets"

Surely the lottery could quantify uncertainties and set up a system where the
probability of them losing money would be arbitrarily small. Interesting
interview, btw.

~~~
BoppreH
I think that "arbitrarily small" is not enough, especially if you are running
a business for decades.

Try convincing your boss that the chance of all tickets be winners (which
would bring the business down) is "small enough".

~~~
harryh
> I think that "arbitrarily small" is not enough, especially > if you are
> running a business for decades.

Sure it is. How do you think casinos work?

------
bobds
> "I’d have to travel from store to store and spend 45 seconds cracking each
> card. I estimated that I could expect to make about $600 a day."

Or you could make an app for your smartphone that uses OCR to instantly tell
you whether you are looking at a winning ticket.

~~~
VMG
or buy them directly in bulk

~~~
bobds
Wouldn't you want that app even more if you were buying them in bulk?

------
tgandrews
Why do they need a non random code to generate these? If they want to
guarantee the number of winners, they can just ensure that they only release
so many winners. This would require them "solving" all the tickets they were
to release and holding/deleting/regenerating the ticket if they have enough
winners already.

This may not be the most efficient system but it guarantees it isn't crackable
with a couple of caveats:

1\. They weren't always releasing a winner at a fixed time - i.e. they had to
have x win per week, and they released a winner at regular intervals to
guarantee separation. You don't want all the winners for a month produced in
the first hour. Although this would be random and should be a possibility.

2\. The random number generator was actually random.

~~~
ars
It might work, but you lose some randomness by doing this. You'd need to check
the statistics carefully.

------
MichaelApproved
It seems that a large part of the problem (aside from flawed algorithm) is
that they allow people to pick the tickets they want to purchase. If they
required people to buy the tickets in order they're dispensed from the roll it
would bring the abuse down dramatically.

Even if you were able to crack the code you'd have to wait for others to buy
the losers before a winning ticket would show up. The flaw in this would be if
the store selling the tickets was be in on the scam. They'd be able to sell a
bunch of losers and pull any winners as soon as it was their turn to dispense.
But as with most crimes, the more people involved in it, the harder it is to
keep quiet about it and pull it off.

~~~
chopsueyar
The only way this could work in the US was if the store was in on it.
Returning unused tickets for a refund would not be succesful.

------
Confusion
I wouldn't have been surprised if they had known about the 'flaw', but didn't
mind it, because, as Srivastava said "it wasn't worth the time to abuse the
flaw". In similar vein, I once randomly generated 2 million out of 40 million
possible codes. Consumers would buy products, obtain a code and it would allow
them to 'buy one, get one free' for some other product. The code being short
and without the usual mixup candidates (I, 1, O, 0, etc.) was much more
important than people 'cracking' the system. Even at half the price, the other
product still sold at a profit and nobody saw room for mass
purchase/reselling.

Of course, later in the article it appeared that people were abusing cracks in
the system and reaping the benefits, so it doesn't apply to this case. I just
wanted to note that sometimes business concerns trump all actually interesting
parts of a problem :/

~~~
ahlatimer
It wasn't economical for the statistician, since he was making more than he
could possibly make doing this. It would likely be economical for many other
people, however.

He said he could make $600/day doing this. Even if you only do this 5 days a
week and give yourself 2 weeks of vacation, you still end up making
$150,000/yr ($600/day * 50 weeks/yr * 5 days/week). That's well above the
national average for both the US and Canada.

~~~
ultrasaurus
Another key advantage is tax arbitrage. If you can make $800/day, that's
because you have a certain skill set, you can't send a random college student
in your place to collect your earnings for one month and pay almost no taxes.
You have to pay your taxes on one $150k income.

With progressive taxation, if you get 12 students to redeem 1/12th of your
winnings (for say 5%), you're paying taxes at the lowest level (likely even
0%) rather than the 35+% you would be if you had to claim 150k on a single tax
return.

------
nowarninglabel
Great article, though, I take issue with this tangent:

"James “Whitey” Bulger, a notorious South Boston mob boss currently on the
FBI’s 10 Most Wanted Fugitives list—he’s thought to be the inspiration for the
Frank Costello character in The Departed"

The inspiration for that character is the original movie, Infernal Affairs,
which The Departed is a remake of. They may have bleneded some features of
Bulger into that character, but that doesn't make him the inspiration.

------
autarch
I wish the article had talked about the legality of doing this. Assuming I'm
not doing this to launder money and that I report all my earnings, is this
legal?

~~~
sdkmvx
Not a lawyer, but I would be very surprised if the law that creates and
regulates the lottery doesn't include a clause to make buying tickets by an
algorithm illegal or something like it.

~~~
ajays
Why? The law says that you can buy tickets, and return unused ones. So just
buy a bunch, scratch the winning ones, and return the rest.

There's no law which says that "if you can figure out how the lottery works,
it is illegal". Their recourse is to only pull the lottery and discontinue it;
they can't accuse you of fraud if you somehow figured out how to pick the
right tickets.

------
chalkhed
Can someone describe the statistical analysis that would be required to
discover something like this? Is it along the lines of guessing different
parts of an algorithm till you find something that agrees with the data (IE
He'd have to guess that only "singletons" could form winning entries and go
from there)? Or, are there some more general approaches here to draw out
correlations between the structure of visible numbers and any hidden
structure?

More generally, other than saying "statistics," what specific fields of math
are applicable to a problem like this? I'd guess there's some relation here
with cryptographic attacks and attacks against pseudo random generators, but
what specifically would one study to understand these types of problems?

~~~
ajays
My guess is the following. Lets say that the numbers in the game are in the
range [1..N]. Lets further assume that there are M slots (or squares where
numbers are placed). Suppose M is about 3*N. So, on average, you'd expect each
number to occur 3 times. If you see that number occur only once in the
(visible) column on the right, then you are pretty sure that it'll occur at
least once or twice in the (hidden) column on the left. So if you see 3
numbers in a row (or column) that each occur only once in the right hand side,
then you can be fairly certain that they'll occur at least once in the left
side; so you're pretty sure to win the prize.

All you need is some basic knowledge of statistics, uniform distribution, etc.
I don't see a need for high-falutin' cryptographic analysis and higher order
math.

If you're dealing with online stuff, then some knowledge of PRNGs can help. I
remember (a long time ago) hearing about some online poker algorithm which was
just calling rand(), and had been seeded with unix time. That leaves a really
small number of possibilities to try, and you can reconstruct the stream of
random numbers it would generate.

~~~
chalkhed
That makes sense, but theres still the problem that, even if you have 3 in a
row that you think have a higher probability of occurring in the hidden part,
they can still be X or O, not necessarily winning. Maybe theres a statistical
edge in knowing that, but I doubt that would give you an edge of 90%.

Also, that seems to indicate the issue is due to the overall structure of the
problem of choosing numbers for a game like this, while I got the sense from
the article that the problem was more due to the algorithm the company used to
control winners and losers (maybe I'm wrong on that). If it is due to how the
company controls wins in some way, I could see how observing 3 in a row of
singles more often than expected by a random distribution (whatever the
distribution is for choice of number and choice of spot on the board) is a
giveaway to some nonrandomness introduced by their algorithm. But if you were
to approach it by finding divergences from this distribution, wouldn't you
need a lot of tickets before you could infer this?

In any case - any guess on the expected number of tickets you'd have to have
to discover a flaw like this?

------
asr
I excitedly went to the Virginia lottery website, thinking maybe I could find
a game or two possibly vulnerable to something like this and then buy a few
tickets for the fun of seeing if this can still be done...

But manufacturers appear to have dealt with this by getting rid of "baited
hooks"--every number on a card is under a surface that has to be scratched
off.

I guess they lose the allure of letting people say "I want to buy a card with
lots of 7s because that's my lucky number" but it's a simple and effective
fix. Oh well, guess I'll have to get rich through hard work :)

------
groaner
This story sounded familiar -- it turns out that some of our own HN'ers have
done this too:

<http://news.ycombinator.com/item?id=1823191>

------
Duff
I'll open myself up to scorn by admitting that I buy these things often. You
don't get to select your tickets in NY, they are ripped off one at a time on a
roll that is in a locked container.

The most obvious vulnerability here is clerks and convenience store owners who
unroll the tickets and hand out the loser tickets to customers. That risk is
mitigated by the craziness of lotto addicts, who won't accept a ticket that
doesn't come off of the roll.

------
golgo13
In Canada, are you able to say, "I don't want this one" until you get a
potential winner? Here in Texas, you cannot pick your ticket. When you buy a
ticket, you get whatever the cashier gives you or whatever the machine spits
out. Or is the guy simply not wasting time scratching off the losers? I still
don't see how this could be profitable since most games have 1:5 odds,
including break even prizes.

~~~
alokt_
yes, but if you work at/own a gas station, you can pretty much pick the
winners and sell the losing tickets.

~~~
eftpotrm
Not in the UK lottery; all the tickets get dispensed from clear containers and
have to be the next one on the roll (which comes out at the back so you can't
see what the next one will be). They've tried educating their customers* about
not buying tickets that aren't on the roll.

This to me seemed to be the core of the problem; not that the cards were
crackable, but that it was possible for a user to select what card to purchase
rather than just what game to play. Remove that and the problem largely goes
away through simple education about valid play procedures as I suggested.

(* I say educated, but there's the infamous 'Winter temperatures' scratchcard
which rather undermines that concept -
[http://menmedia.co.uk/manchestereveningnews/news/s/1022757_c...](http://menmedia.co.uk/manchestereveningnews/news/s/1022757_cool_cash_card_confusion))

~~~
dhyasama
Exactly. Force players to buy the next ticket on the roll (without seeing it)
and don't allow unused tickets to be returned. Problem solved.

I grew up in Maine and tickets are dispensed this way. Not sure about
returning tickets, but knowing Mainers, I'd be surprised if they would take
them back. It doesn't pass the straight-face test.

~~~
BrandonM
Problem not solved. A savvy attendant just checks the tickets on the end of
each roll. If it's a winner, go ahead and buy it. Otherwise, wait until a
customer buys the loser first.

~~~
Luyt
Disallow attendants to buy tickets while they're on the job. [However, they
could signal accomplices to buy it for them. It would take a team, then.]

~~~
rtghnyhjm
Most lottery tickets are sold from small convenience stores, either family
owned or with just a couple of staff - hard to enforce this.

There is a crackdown on relatives of store owners winning the lottery - but is
normally them defrauding winners who come in to check the ticket.

------
Luc
I checked my national lottery (Belgium), but sadly none of the 15 scratch card
types they sell have 'baited hooks' or other unique numbers, as far as I can
see ( <http://lotto.be/NL/Spelen_en_Winnen/Krasspelen/default.aspx> \- in
Dutch). I would laugh SO hard if we found some exploitable lottery...

------
BoppreH
Why the hell didn't he hire people to find tickets for him?

If you are worried about people doing this without you, just make an app to
calculate the values. Make the calculations server side, and only after
checking if the phone is registered.

Just don't hire too many people, or the clerks may start to get suspicious.

~~~
daeken
Why not bring the clerks into it? The corner-store I go to near-daily knows me
well, and they sell lots of lottery tickets. It'd be trivial for me to go in
there and say "listen, I'll give you an X% cut in exchange for your silence
and first pick of the tickets."

However, if they're knowingly selling losers, could that be construed as
fraud? Then again, the lottery does that already...

~~~
pbhjpbhj
>However, if they're knowingly selling losers, could that be construed as
fraud?

Yes, it's also clearly immoral.

------
iamchmod
I wish I were smart enough to figure out cool statistical problems like he is.

------
rottyguy
Even though he knew the formula, at least where I buy lottery tickets, the
person behind the counter gives you the ticket. Assuming there are many more
losers then winners, without being able to select the tickets yourself, it
would seem as though it'd be a losing proposition. Now, if you were the store
owner and had access to the tickets yourself, that would be a different story.

~~~
alcarter
It's not only an issue of rarely having control over which scratch-off card
you'd like to pick, there's also the issue of most states having the majority
of their games almost entirely hidden. Very few games allow you to see numbers
or letters plainly - most require to you to scratch off "your" numbers and
then scratch off the "board" as well.

------
hoag
Haha funny I just tried to post this and got directed here: looks like someone
beat me to it! Pretty cool read.

------
maeon3
The lottery system can now confidently continue to extracting money out of
idiots who don't know better. Somehow this whole story leaves me feeling that
nothing good has happened.

The whole story just feels like a good Samaritan helping a schoolyard bully
steal change out of the back pockets of unwitting classmates.

A happy ending would be the lottery system managers getting thrown out after
suffering unexpected sustained losses.

~~~
almost
These are scratch cards, so they already have a set payout for the number they
produce. So unless the cards are getting returned to the lotteries and
refunded (this might even happen in some cases, I'm not sure) they aren't
losing any money. It's just the other people who play the lottery who will
have a far lesser chance of winning (as they are sold all the losing tickets
rejected by the cheaters)

