How an Ex-Cop Rigged McDonald’s Monopoly Game and Stole Millions (thedailybeast.com)
638 points by DLay on July 29, 2018 | 230 comments

My aunt worked for Simon Marketing for many years. She was a designer. My cousin was pictured on a fry box once. All of their drinking glasses were McDonald's promos, much like a software developer's swag t-shirt collection. They had these Mickey Mouse glasses I loved but that had a habit of shattering into a million pieces under the slightest thermal shock or bump. She had a full collection of the 101 Dalmatians Happy Meals toys. We were all sure that'd be worth a lot of money some day. Looks like it's worth 50-100 USD on ebay now.

She lost her job, since this racket destroyed Simon Marketing.

Too bad for Simon Marketing. It raises an interesting question from a business's point of view. Who can you trust in a situation like this? Personally I would only trust a security expert to provide expert guidance but not have them do any execution. They would seem to me to be the least trustworthy, simply because they have had a professional lifetime of temptation and rumination.

You set up internal controls to separate duties and have different organizational silos and discourage fraternization.

Then you audit the process and the work often.

Also, you force people to take a break. It's pretty common in finance to require a 2 week consecutive holiday every so often: one justification being that if someone was cooking the books, the person taking over their role would probably stumble across it.

Or for the Sarbanes Oxley rules. We often run into headaches at my office because our second check signer is a general manager based in Canada 75% of the time which ends up holding up any checks over $1k.

The complete lack of internal audits was something that struck me about this story. Million dollar game pieces constantly disappearing, and no one in the company was in a position to notice anything was wrong.

They didn't disappear, it appeared that he'd put them on the packages as expected and then people won the prizes as expected.

They were not security pros. Everything was left to trusted people. They didn't have people witness the opening of envelopes and installation of game pieces. So nobody saw that he was stealing. Today we know better.

Also, you fire people who're assholes.

This is correct. Power corrupts, absolute power corrupts absolutely. Simple fact. It's actually one of the most basic aspects of security. This is why you need to split up responsibilities, and in some cases even obfuscate an end-goal to someone in the middle. That helps them not to see opportunities to corrupt. You can be very ethical, and say you wouldn't go for those millions. But probably in that case, you already have millions (perhaps gathered similarly) or no opportunity ever presents itself to you in such fashion because your employers take good care to prevent that.

Simple example: what if you are the person to take, process and finalize orders at a company? You can take all their money. If you split these into 3 separate tasks, none of them can do anything. (Because social factors will have more chance to keep the 3 in normal working order, where only 1 is easy to corrupt without 2 others holding them steady.)

It's unbelievable such large corporations still have these kinds of issues. Overcomplicated structures in my opinion, where people stop seeing the forest through the trees so to speak, and lose sight of these important matters.

Yes! The really serious organizations are very diligent about dividing the responsibilities/opportunities.

While working at IBM, there was a bit of fanfare for someone in my dept who got a very big promotion (iirc, he skipped a couple levels up at once). The promotion was because he'd noticed a flaw in the system that could have allowed four people to collectively conspire and get away with maybe $6 million. He reported it and the managers were all suitably impressed. I never managed to get enough details to understand the potential scam, or the solution implemented.

Contrast this with the much larger amounts at stake with this sweepstakes & fast food org, and they aren't putting in any such multi-party controls. No surprise they were scammed.

This seems very dependent indeed on the top of the organization being absolutely trustworthy. And, uh, to say that's not the case is an understatement.

True about that org top being untrustworthy, but I think it is more about the specifically designed structure of the org,

Design the org so that power is separated, no one has the opportunity to steal at scale.

Power corrupts, absolute power corrupts absolutely. Divide the power and you remove the impetus for corruption. I don't think that cop would have done anything but an ordinary good job, had that multi-million dollar temptation not just showed up in his lap...

Similar stories happened to Beanie Babies on eBay. Everyone jumped on the tulip mania hoping to make a good buck, skyrocketing the price of beanies and making the owner a millionaire. Then it all crashed. You can still buy original beanies with very low serial number for less than $10, all the way from $4,000 people used to originally pay.

Artificial scarcity can be a fickle mistress.

We talking about beanie babies or bitcoin here?

BTC is north of $8000. Probably could choose a better "tulip" to make fun of.

>BTC is north of $8000.

currently. I hope for the sake of the investors that it stays so, but I have a feeling it will not.

(This feeling is not at all informed by my bitterness at not buying in when 1BTC was 20 bucks.)

People said the same things about their $4000 BB’s, until they were worthless. That’s sort of the point of an intrinsically worthless object of speculation and artificial scarcity, it seems like it can’t lose, until it loses.

This is not at all a fair comparison. For one thing, the scarcity of bitcoin is not really all that artificial. You can't forge BTC and there's no central organization that can suddenly print more.

The other thing is that bitcoin actually solves a need in the world - the ability to transfer wealth from one person to another anywhere in the world without intermediaries. Folks can argue about how necessary this is for the average person, but it's certainly something that beanie babies (or any other physical collectible good) cannot provide.

>The other thing is that bitcoin actually solves a need in the world - the ability to transfer wealth from one person to another anywhere in the world without intermediaries.

See, the only people for whom this is an actual “need” are crazy libertarians (questionable) and criminals (absolutely). Nobody else in the world considers this an unmet need.

What good is a solution in search of a problem?

> Nobody else in the world considers this an unmet need.

Pretty much the entire population of Venezuela and Zimbabwe would beg to differ... and that's just recent history.

And most people here calling BTC a tulip don't have the balls to short it. Easy to say a lot of stuff with zero skin in the game.

And most people hyping BTC are bagholders who have a vested interest in shilling their useless product. How about you divest your cryptocurrencies before we believe anything you have to say about them?

Or those people understand that the market can remain irrational longer than you can remain solvent. That doesn’t change the inevitable result.

I have some awesome tulips in my garden that I’ll sell you for $8000 a pop. I’ll call it my Initial Cultivar Offering. It has massive appreciation potential.

I doubt you do. I also doubt you are short BTC at 8000, or at any price.

Do you want in on my Initial Cultivar Offering or not? It's gonna go to the moon!

do millions of people think they're worth $8000 each?

Do millions of suckers exist on Earth?

Last week 604 BTC were traded using Localbitcoin Venezuela, a country where the typical monthly salary is far less than 5 US dollars. If that's not enough to convince you that Bitcoin has a good use-case, I don't know what will.

Dystopian hyperinflation. So basically it’s electronic gold. Congrats.

This is beautifully written. Thank you.

> The colorful court case, held in Jacksonville, Florida, started September 10, 2001, the day before terrorists crashed planes into the World Trade Center, the Pentagon, and a field in Pennsylvania. The stunned news media quickly forgot about the McDonald’s trial, which explains why so few Americans remember the scandal, or how it ended.

In the months/years after 9/11 I remember that a recurring theme in longform stories was that their events took place shortly before or after 9/11 and had collectively been forgotten. One that I still remember is a Sports Illustrated feature about 8 Wyoming college cross-country runners who died in the worst vehicle crash in Wyoming history [0]. Though maybe in today's 24/7+ media cycle and attention deficits, plenty of interesting stories slip through the cracks on a more regular basis.

[0] https://www.si.com/vault/2001/11/26/314466/cross-road-after-...

Rainbow Farm. Never forget.


I have a friend who was there during this terrible incident.

There's a wonderful lesson in all of this to any current or future business owner: what is the minimum number of people in your organization that would need to secretly be dishonest to undermine what you do? And how much money is on the line encouraging those people to consider it?

In this case, the answer was one, and the amount of money was millions of dollars. Should we be surprised that it happened?

Though I'm speculating, I think this is where the use of Attack Trees would become a useful analysis tool [1]. As you mention, in a hierarchical setting, where does a connection need to be corrupted/vulnerable to become an issue. Looking into how different agents interact with each other, not only is the question what is the minimum number, but also how would the undermining occur.

[1] https://en.wikipedia.org/wiki/Attack_tree
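
Added example, not part of the comments above or of the linked article: a small AND/OR attack-tree evaluator that answers the question raised in this sub-thread, the minimum number of dishonest insiders needed. The role names and both trees are a constructed model of the process as commenters in this thread describe it (spare seals, an escort who does not watch, the suggested two-of-three custody, serial-checked bags), not Simon Marketing's actual procedures.

```python
from itertools import combinations, product

# A leaf is one step in the theft, labelled with the insiders who must be
# dishonest for that step to succeed. An empty leaf needs no insider at all
# (the control simply is not there).
def leaf(*insiders):
    return ("leaf", frozenset(insiders))

def AND(*children):   # every child step is required
    return ("and", children)

def OR(*children):    # any one child step is enough
    return ("or", children)

def minimise(sets):
    """Drop every collusion set that strictly contains a smaller one."""
    return {s for s in sets if not any(other < s for other in sets)}

def attack_sets(node):
    """Return the minimal sets of insiders whose dishonesty achieves node."""
    kind, body = node
    if kind == "leaf":
        return {body}
    child_sets = [attack_sets(child) for child in body]
    if kind == "or":
        merged = set().union(*child_sets)
    else:
        # AND: pick one option per child and pool the people involved.
        # Pooling into a set is what exposes one person holding many duties.
        merged = {frozenset().union(*combo) for combo in product(*child_sets)}
    return minimise(merged)

def min_colluders(node):
    """Size of the smallest group that must be dishonest."""
    return min(len(s) for s in attack_sets(node))

# Constructed model of the process as the thread describes it.
AS_DESCRIBED = AND(
    leaf("security_chief"),                 # carries the winning pieces
    OR(leaf("security_chief"),              # already holds spare seals
       leaf("seal_supplier")),              # or a supplier provides them
    OR(leaf(),                              # escort is not watching
       leaf("escort")),                     # or the escort is in on it
)

# Constructed model with the controls commenters suggest: pieces always in
# sight of two of three couriers, and seals whose serials are checked on
# receipt by someone outside the courier team.
COURIERS = ("courier_a", "courier_b", "courier_c")
WITH_CONTROLS = AND(
    OR(*(AND(leaf(x), leaf(y)) for x, y in combinations(COURIERS, 2))),
    OR(leaf("seal_custodian"), leaf("receiving_checker")),
)

if __name__ == "__main__":
    for name, tree in (("as described", AS_DESCRIBED),
                       ("with controls", WITH_CONTROLS)):
        smallest = sorted(sorted(s) for s in attack_sets(tree))
        print(f"{name}: minimum colluders = {min_colluders(tree)}")
        for group in smallest:
            print("   ", ", ".join(group))
```
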

This is not an academic question. How many dishonest Apple employees would it take to insert a secret back door into MacOS, iOS, or iCloud?

>This is not an academic question. How many dishonest Apple employees would it take to insert a secret back door into MacOS, iOS, or iCloud?

Back in the day, not many:


Where's the secret back door in that list?

A list of easter eggs wouldn't appear to tell us anything about how easy or hard it would be to get a secret back door in.

No but it demonstrates that there is functionality absent scrutiny; ignorance notwithstanding, it's a condition necessary for the insertion of "secret" back doors.

It doesn't demonstrate that at all. For all we know, hundreds of people inside Apple knew about each of those.

I've worked on popular software (>10 million users) that had Easter eggs. Dozens of people in the company knew about each Easter egg that shipped, including managers. Not everyone is a soulless killjoy.

No it definitely does not. That's like saying movies with cameos can't control who walks on set.

Probably 2-3 - no code at Apple is getting checked in without another pair of eyes looking at it.

you're either severely underestimating how easy it is to insert a backdoor or overestimating how competent apple's code review practices are. remember that time you could bypass the root password prompt by putting in nothing?

> how competent apple's code review practices are.

Thousands of developers over a decade have touched code going into iOS & Mac OS and so far have a pretty good track record on internal espionage and back doors.

> remember that time you could bypass the root password

Pretty dumb mistake, but willing to put money on them that it won't happen again. I think you severely underestimate just how competent Apple (and Google, Facebook, or Microsoft) are at their job given the enormous complexity of the problems they solve.

> Thousands of developers over a decade have touched code going into iOS & Mac OS and so far have a pretty good track record on internal espionage and back doors.

Maybe. Or maybe they have an impeccable track record on not getting caught (at least publicly). It's essentially impossible to differentiate the two.

Between those companies developers have checked in tens or hundreds of thousands of exploitable bugs. It's not far-fetched to think that at least one of them might have been intentional.

> It's essentially impossible to differentiate the two.

This sounds like "guilty until proven innocent" logic - maybe we should drown people to prove they're not witches. I'm all for a healthy dose of skepticism, but there's a point it passes into fantasy.

Companies quietly fix problems all the time. Why would anyone disclose anything negative if they are not mandated to, by law? Remember when Uber paid off a hacker and kept the hack under wraps? That is just one example.

This is not guilty until proven innocent, this is just the way most businesses operate.

No, it means that making statements about the certainty of this in either direction is foolish and unsupported by evidence.

Can you back up your claims of this track record with anything, or are you just guessing?

Besides a quick search of critical OS-related security vulnerabilities over the years that were not related to 3rd party code?

You remember that time where a bug in the implementation of SSL went undetected in open source software for over a year?

Even if tomnipotent's estimate is correct, that's still a pretty small number considering what is potentially at stake. Access to iCloud would surely net you enough information to change the balance of power in the world.

Look how difficult it is getting two or more developers to agree on "small" things like code formatting conventions or serialization frameworks. Finding two or more people in such a position that would knowingly break the law by colluding together in some grande conspiracy with the necessary access and privileges to code/production process is the stuff of movies.

> Finding two or more people in such a position that would knowingly break the law by colluding together in some grande conspiracy

This is true only if we were to ignore the following:

organised crime; politicians; all secret services, both domestic and foreign; corporate espionage; opportunity getting the better of people, especially problem gamblers and drug addicts

You obviously have not been watching the news lately. If you had tried to sell the actual events of the last two years as a movie script it would be rejected as too outrageous to be believed. I mean, Donald Trump as President? Seriously?

I'm pretty sure the Chinese government would be capable of planting two or three sleepers in Apple's software division if they decided to.

> I'm pretty sure the Chinese government would be capable of planting two or three sleepers in Apple's software division if they decided to.

I'm not interested in conjecture. Like I said, the stuff of movies.

Is it?

The valley is a pretty incestuous place and people with specific skills are pretty small in number. It doesn’t seem wacky that someone with nation state budget wouldn’t have a network of influence to get someone hired somewhere.

People do it for their friends all of the time.

That’s like saying “we hired the getaway driver, we can rob the bank now, right?” You’ve identified the first step of the plan. There are about nineteen more, and the theoretical network of conspirators required to accomplish this Oscar-winning screenplay would be quite large, which always spells trouble.

To that end, I’m amazed it took that long for the FBI to take down the network in the article. The more people who are read in to criminal activity, the risk exponentially increases, as anybody who has been on either end of investigative leverage can tell you. I’m stunned one person in the early days of this scam, particularly when it started involving colorful people, didn’t flip as a bargaining tool for other things they were into.

It's not uncommon to plant your own puppet as a president/prime minister of a country to make that country's policies favourable to you (CIA has done it numerous times). Planting a software developer cannot be harder.

One of the largest and most secretive companies in the world, the same one obsessed with preventing all leaks from exiting the company, the same one who produces ubiquitous devices with occasional national security implications that interest foreign governments, the same one who deals with serious IP problems in the very example nation you just happened to choose, has no thinking or plans around the well-known threats of industrial espionage or sabotage, is what you’re essentially saying. Consider for a moment whether that could be remotely plausible, and I think you’ll see it isn’t.

As tomnipotent said, it’d make a cool movie.

It's also difficult to believe this same company isn't facing down multiple multi-pronged advanced persistent threats.

I didn't say they have no plans. Obviously they do. But unless you work for Apple, you don't know what they are.

Whatever their plans are, there is some number N of employees who could subvert those plans. It is legitimate to wonder how big that number is, and to note that there is no way for anyone outside of Apple to know.

There are plenty of clever ways to write security-compromising code that would pass any manual review. After all, such code is written by well-intentioned programmers on accident all the time, which is why we have bug bounty programs and a market for exploits.

a backdoor into a bitcoin app/wallet would be far more lucrative and easier to pull off (not that I am giving ideas). iCloud is mostly family pics and useless stuff like that. May as well go for where the money is.

but wasn't iCloud where those people were stealing nudes from celebrity accounts?

Who says money is the only goal? Blackmail of some risqué pictures of a high profile celebrity, businessman, or politician could be the game.

The interesting thing was that theoretically it was more than one person here because the prizes were in the tamper proof bags, the thing that really enabled him to do it was that extra package of tamper resistant seals that were sent to him.

> Not long afterward, Jacobson opened a package sent to him by mistake from a supplier in Hong Kong. Inside he found a set of the anti-tamper seals for the game piece envelopes—the only thing he needed to steal game pieces en route to the factory.

While most people are focusing on the lack of human controls that allowed there to be a single person who could pull this off, I think an overlooked issue was the overreliance on these tamper resistant seals. They had a single type of seal from a single supplier that was apparently used by itself to show tamper resistance.

This is actually less secure than the setup at the Starbucks I worked at where the tamper resistant bags had serial numbers on both the body of the bag and on a removable tag, so that if somebody was to open the bag (which you could only do by ripping it) and put it in a new bag, the serial number would no longer match.

Yeah and the fact that the supplier of the seals didn't contact Simon Marketing and say, "sorry, we seem to have mislaid a load of seals so we need to change the design/colour and send you some more".

This and the fact that one person was kept in charge of security for so long surprised me. Simon Marketing should have periodically swapped the role.

A well-written and well-sourced article. I found it quite interesting. It's amazing how people seem to find a way around any regulation or control to satisfy basic greed.

The game itself is basically a thinly veiled scam anyway: "McDonald’s makes one piece from each set of properties extremely rare, so while thousands have three of the four railroads, the odds of pulling the Short Line Railroad—and winning a PT Cruiser—were 1 in 150 million."

Sure, it's all written down in the rules somewhere but it's an elaborate effort to disguise the actual odds of winning to get people to buy more cheeseburgers. You think you are 3 quarters of the way to a PT Cruiser when you are in fact barely more likely to get it than you were before you got the first three.

Every season you would see classified ads (or, later on, Craigslist ads) with people that had Park Place and were willing to share the jackpot if they had Boardwalk...as if there were only 1 of each piece being printed.

In reality there were millions of Park Places tickets in circulation.

God, I remember a kid at day camp telling me he had Park Place.

Plus the internal rigging so that nobody in Canada could win. Why would they even do that? It sounds like everyone involved with this Monopoly thing, including the people running it, was crooked as a bag of snakes.

The idea of having a PT Cruiser as some kind of prize is hilarious.

it's like they went to consumer reports and picked the absolute worst cars in terms of reliability and satisfaction. prize or curse?

More likely that Chrysler offered the car to McDonald's as a way to promote the car. I suspect Chrysler thought the car would be a hit for being unique and retro. But when it flopped they had to scramble to make it into a hit or cancel it and take a big loss.

My family had a PT Cruiser and we loved it. Unusual looking car and was a comfortable ride.

1 in 50,000,000 is still better odds than “winning” a Harrier Jet.


It really grinds my gears that Pepsi won that case on the basis that no reasonable person would really believe you could get a jet. I believed you could get a jet. Granted, I was maybe ten years old, but so was the kid in the ad who won it.

Not that I thought I'd ever get the jet myself. It just didn't really stand out as ridiculous when a mere mountain bike required 2,750 points. A 24-pack of Pepsi was worth 4 points. So, you'd need to drink roughly 16,500 cans of Pepsi for the bike. Or 45 cans per day for a year. It all seemed effectively impossible to me.

But, somebody figured out how it could be achieved. That's amazing. I'd prefer they held Pepsi to their word on that one, but I would have settled for a big fine for marketing their product through lying to children.

There's a reason why most contests state that you have to be 18 to participate.

It's generally overlooked for free fries but for real prizes you need an adult to claim them. Like teenagers that sneak in to a casino - they can win a few hundred bucks but if they win a big prize there will be a demand for ID, they'll be kicked out, and no prize awarded.

Kids can't be encouraged to gamble because they aren't going to make mature decisions.

Seems like they should need to prevent kids from seeing the marketing or prevent kids from buying the products that are associated with the contest. If kids aren't mature enough to decide whether or not to participate in the contest, they also aren't mature enough to realize that they aren't allowed to participate.

In both cases it seems we're comfortable exposing children to harms of gaming but not to giving them the prizes they've won at gaming? And this is viewed as better for the children? Pull the other one.

When I was a kid Coke had this "red tab" contest where one of the prizes was tickets to a local amusement park. My parents did the math and discovered that it was cheaper to buy the coke cans for the tickets than to buy them directly. So for the summer we had a gigantic stack of cans in the middle of our entryway. In the end we had to pull the tabs off of full cans because there was no way we could drink that much soda in just a couple of months.

The amusement park was a lot of fun.

The entire soda and junk food industry makes its money by lying to children to instill bad habits as they grow into adults.

The odds of winning a free hashbrown, Big Mac, or Egg McMuffin were pretty decent. Most people with a clue realized that they didn't really have a chance to win $1M.

This is very similar to Safeway's Monopoly game started 4 or 5 years ago. The first year I had every category on the board filled in all except for the final piece. After that I would get the tickets but I knew my chances of winning anything were slim to none & would often forget to open them.

One thing I think is interesting is they allow employees to play but they have a different color for their tickets, which for consumers are handed out at the cash register based on certain items bought. I'm guessing this is to keep employees from taking a huge stash of tickets home at the end of a shift.

I've played that game three times and ended up with tons of tickets each time because my wife shops there for her classes. I've never won so much as the $5 Safeway Gift Certificate from the board. I'm not entirely sure that game is on the up and up.

The coupons are sometimes alright. We've got a huge collection of small cans of tomato sauce and small boxes of tissues. The online second chance thing is mostly a scam too sadly. You basically win entries into a sweepstakes for movie/tickets or a cruise. You can win $5 Fandango tickets, but it's a royal hassle to redeem them. You can also win gas points, but I'm not sure they redeem properly. It takes hundreds of dollars of purchases to even get the single gas point on average.

The whole thing is mostly a waste of time. The other promotion they do where you can earn up points to buy cookware is a lot better. Got a decent pot and a usable knife out of that last time.

McDonald's isn't the size it is because it caters to the clueful.

At this point, I think it's fairly common knowledge that there are rare and common pieces.

Our grocery store chain also does Monopoly annually, and I generally just download the list of rare pieces off the Internet, and check for them before the contest expires. I figure there's no point in picking out the commons unless I find a rare one.

So in other words, it’s no different than state-sanctioned gambling - ie the lottery.

Sure, but the odds for a lot of lottery games are much less opaque.

In theory yes - but I suspect if you draw a Venn Diagram of people who spend the most on lottery tickets and the most on McDonalds you would find a large overlap.

A lot of people think the lottery is the best way for them to achieve financial freedom.

A lot of people are correct about that.

The UK runs a scheme that's essentially an attempt to trick people into saving by turning it into a lottery.


Most state gaming commissions have rules against these "almost got it" jackpot combinations for slot machines. If the jackpot is 1-10^6, then each jackpot symbol should be weighted about 1-10^2 (assuming a 3 reel one line machine). You can't taunt the player with many non-paying combos like JP-JP-(one space from JP)

> barely more likely to get it than you were before you got the first three

exactly as likely

I mean if you need all four for a PT Cruiser, and you have three, it's more likely you'll win the prize than if you have none of them yet. But since that fourth one is so rare, you will vastly overestimate how "close" you are to winning.

There's a frequently recurring thread on askreddit about exploiting loopholes. You'll be surprised at human ingenuity when it comes to cheating at corporate promos!



It actually has a lot of key gaps (and a lot of typos).

The game style (shrouded game pieces used to make winning combinations with a smattering of instant winners) predated the Monopoly branding by years, maybe a decade. We had several such games in the McDonald's I worked at in the 1970s, none with Monopoly branding.

He got caught after only 5 years and kept none of the money, so it's not like the system completely failed...

It's mostly just shocking to me there isn't more separation of duties amongst a few people. The fact that one guy could pull this off suggests some major failure to consider single points of failure. He did allegedly have someone with him, but they didn't even sit in the same place on the plane!

The mark of a good security expert is that they will tell you the threat they themselves, potentially, are. (This is true for IT as well.)

There also seems to be zero analysis of the winners. Simple analytics would have raised concerns early on.

I guess the company just didn’t care, as long as someone won and the marketing worked.

I think McDonald's could have cared less. They made & continue to make $$$ hand over fist with these promotions. The marketing for sure worked, whether anyone won or not. I used to play these games & I never remember hearing about any real winners. Didn't keep me from the dream of pulling one of those instant winners. People get excited for games of chance and it drives large amounts of traffic into stores.

McDonald's counts those millions good as gone when they start the promotion, but it's worth it since they assuredly get a huge return on the investment. They assumed Simon Marketing was doing their job, and we shouldn't be surprised they didn't care to analyze the integrity of the game. They were selling truckloads of Big Macs & McNuggets and that's all that really matters to them.

Any-who... great writing, and interesting look into a "game" I'm sure most of us have a connection to. Pretty amazing it was hijacked by a few people for so long. Really enjoyed this read!

There is some irony in the criminals paying restitution to the company who was making so much money from the game to be incentivized to turn a blind eye.

Running the last game that was known ahead of time to be rigged seems indefensible. The article doesn’t challenge the position that catching the crooks is a good reason to defraud more people.

Do you mean could or couldn't?

They cared about the outcome enough to prevent Canadians from winning.

Finally, a US multinational who recognized the danger of Canada. So actually, the article didn't explain why we wanted to cut them out. It just was. I thought they suggested it was the marketing company, not mackers, but it wasn't specified.

As far as I know, most US-based companies don't like doing chance-based giveaways with the potential to have a winner in Canada. Even though it's not that hard, it's still extra work.

In this case though, the allegation is that the chance-based giveaway was still operated and promoted in Canada, but the prize-distribution was skewed so that no prizes went there.

Which, from a regulatory point of view, seems strictly worse than running an honest game.

But couldn't McDonalds have simply stated, from the outset, that the contest was valid only in the US?

Why would that be a problem?

Generally, Canadian law doesn't allow games of pure chance to be run for profit, outside of a handful of exceptions like the government-run lotteries.

So to run this type of promotion in Canada, you need to set up a façade of presenting it as a game of skill or mixed skill/chance instead, which usually involves something like having a prospective winner answer a math question. Look up "skill-testing question Canada" for more info.

And Québec in particular has piles of extra rules on top of that, which often leads to "offer not valid in Québec" as part of the promotion.

I was reading the rules for the Google CTF


Quebec seems to stand out in that list. https://capturetheflag.withgoogle.com/rules.pdf

Great summary! I remember being young and seeing lottery tickets with simple math problems like “25 * 4 - 20 = ?” to get around the “no games of chance” laws.

My brother won a Sony Watchman (mini-TV) and we all double checked his math before redeeming.

That doesn't make sense as a motivation, though, because they followed those regulations anyways. They ran it in Canada every single year. Heck, last year they customized it by renaming all of the pieces after Canadian landmarks [1].

[1]: https://en.wikipedia.org/wiki/McDonald%27s_Monopoly#Rare_pie...

Quebec imposes a bunch of additional requirements and fees.


> It's mostly just shocking to me there isn't more separation of duties amongst a few people.

Most business folks I know are more concerned about getting things shipped that work than what their potential toxic combination impact can have.

He could also just go to the bathroom with the tickets out of sight of his partner.

There should have been 3 people, and the tickets should always have been in sight of 2 of them. That way one person can go to the bathroom while the other 2 keep watch over the tickets.

Two things had to fail: the ex-cop, and the seals for the envelopes.

He was already stealing in ‘89, six years before he got the accidental shipment of seals.

"Before each bi-annual game, Jacobson arrived at the drab Dittler Brothers’ office at 5 a.m to observe their Omega III supercomputer making the McDonald’s prize draw."

Does anyone know what the 'Omega III supercomputer' is?

It's a trickier one to find information on! Apparently it was made by Control Data Corp in 1979+. I'll edit this comment if I find more... I'm curious too!

Edit: It's pretty hard to find anything about it! Apparently the University of Georgia had one too, but I'm giving up now and getting back to work :)

Edit 2: Apparently it was IBM (360?) compatible: https://it.unt.edu/sites/default/files/benchmarks-01-1980.pd...

Great work! So I guess it's this CDC Omega / 480 Model III, as described in this March 1979 Computerworld?


(edit: and here's a manual I found for the Model I. Does indeed sound like a System/360 compatible. http://www.bitsavers.org/pdf/cdc/omega480/22291359A_OMEGA_48...)

There was a similar story a couple months ago about the insider who rigged the lottery. I'm sorry, I don't recall the source.

In any case, the ones who get caught are done in by carelessness, and over-confidence. You have to wonder how many are not getting caught if they can manage these two faults.

"You have to wonder how many are not getting caught if they can manage these two faults."

I wonder the same about leaks like the Snowden leaks. If Snowden could do this how many other people get access to the same data and use it for their own purposes be it financial, political or both? My guess is a lot.

It's happened before:

* https://en.wikipedia.org/wiki/Aldrich_Ames

* https://en.wikipedia.org/wiki/Robert_Hanssen

There may very well be people who are getting away with doing it now, but the leaked data eventually winds up being used which is how you get caught.

Really interesting articles.

2 things that stood out

> Hanssen [...] is serving his sentence at the ADX Florence, a federal supermax prison near Florence, Colorado in solitary confinement for twenty-three hours a day.

The guy made a deal to avoid the death penalty, but from what I've read about solitary confinement this can't be much better.

and this:

> https://en.wikipedia.org/wiki/Aldrich_Ames

>U.S. mole hunters investigated 90 employees at WTC for almost a year and came up with ten suspects, although the lead investigator noted that "there are so many problem personalities that no one stands out"

Especially since he was a low-rank soldier with a sense of morals.

Now take a highly ranked powerful machiavellian person, and the scenario suddenly seems very likely.

Manichean or Machiavellian?

Machiavellian is indeed more appropriate.

The story of Michael Larson involves a smaller payout from a 1980s game show, but it's interesting because it's more due to a hacker mindset than fraud (though he was involved in the latter later in life) https://en.m.wikipedia.org/wiki/Michael_Larson

The "Press Your Luck" guy. Amazing what you can accomplish when you have nothing but television and time.

There’s a good write-up on this guy (IIRC this is how I discovered priceonomics):


A judge in NH recently ruled that the winner of the lottery doesn't need to come forward and be a part of lottery press and therefore their name does not need to be released. The reasoning is good on the surface that people who just won a life changing amount of money shouldn't have to have their personal details flashed on the news.

However, it seems like being named in public is the best way to prevent fraud. Many of these scams are through second cousins' friends and weird sources. Now an insider could just go through their best friend and no one would ever be able to connect the dots.

That's not what the case in NH was about. It was already possible to collect the winnings through an anonymous trust, but the winner didn't know about that before signing their own name on the ticket. The ruling let the winner do what they could have done without issue, had they known about it sooner.

Depends which kinds of fraud you care about. Being named in public as a lottery winner is a pretty good way of making someone the target of every fraudster, con artist and swindler in the area.

Indeed. Anonymous collection protects the winner, public collection protects the game.

The fact that a member of a crime family felt comfortable enough to appear on a McDonald's commercial as a winner seems to call into question the effectiveness of this strategy.

Except that major jackpots are chosen using physical apparatus and much harder to hack. There are multiple sets of balls, chosen randomly, the balls are regularly weighed to the thousandth of an ounce (gram? Can't remember), the balls are never handled alone and the drawings are supervised by independent auditors.

I'm not sure if I'm for or against winners staying anonymous. If they would require public identification, winners could simply change their name to smith. I'd happily change my name for a hundred million dollars.

It's not quite that simple for some of the games. This one was able to slip in codes for some rather significant games: https://www.desmoinesregister.com/story/news/investigations/...

He gave the tip to his brother. Being able to shield your identity would make fraud both more tempting and less likely to be caught.

The judge ruled that way because people who win lotteries tend to have a lot of life threatening bad luck after they win.

"The Lottery Hackers" by Jason Fagone [0]

HN Discussion Thread [1]

[0] https://highline.huffingtonpost.com/articles/en/lotto-winner...

[1] https://news.ycombinator.com/item?id=16494280

Sometimes it's easier if you don't go after something obvious like the lottery, but perhaps something equally or more profitable.

People were rigging the libor rate to make billions of dollars and nobody was caught for over 20 years


The people doing the rigging were looking to hit targets and get bigger bonuses. There was pressure up and down, depending on personal and corporate positions. There were also issues in terms of perceived stability of the reporting bank - didn't want to quote too high a number or else you looked injured and could be dead within days or weeks.

While the LIBOR (and similar) rate had a huge impact given how many products referenced it, the direct trading is rather smaller and the direct impact of misquoting was small. Rates were moved hundredths to at most tenths of a percent.

Using the billions figure is hyperbolic and doesn't reflect what the people involved did or were trying to do.

If you want to fix problems in important markets, just like in code, you need a clear, detailed, and nuanced understanding of what happened and the motivations of those involved.

Libor underpins USD 350 trillion (yes, trillion) worth of derivatives.

And when they were caught... you guessed it, none of those criminals went to jail or suffered any kind of personal responsibilities. The institutions received fines worth a fraction of their profits. Zero incentives not to do this again. And the world keeps spinning, and we keep getting fucked.

From the wikipedia link above:

"On 27 July 2012, the Financial Times published an article by a former trader which stated that Libor manipulation had been common since at least 1991."

In other words, this came to light under the previous US POTUS and - much like the crash of 2007 / 2008 - __nothing__ happened. It's amazing how much power the MSM has over the narrative(s) and public perception.

Wasn’t the whole LIBOR thing mostly a British scandal? What does this have to do with the POTUS?

Those companies are international - where is far less important than who. The Obama admin's decision to (effectively) pardon Wall Street (for crashing - and nearly crushing - the __world__ economy) looks even worse. Yeah. I get it. No one likes to hear that their liberal hero BHO screwed them over, in favor of WS, The City, etc.

The point being these financial companies get to operate without fear; without penalty. Which was the nature of the comment that comment was added to.

So now you blame Obama for not punishing people for a “British scandal”? Your rant is a non sequitur.


as opposed to the Russian POTUS :)

Either way it's Wall Street's POTUS

Probably Tommy Tipton. The NY Times article is a good read and I believe was posted on HN... otherwise just look him up on Wikipedia.

The Man Who Cracked the Lottery https://nyti.ms/2Ksihm9

here is the story


it seems many of these cases involve insiders

In this case they were caught by a defector tipping off the FBI.

Bit of trivia: the monopoly character was said to be based on Samuel Insull who became Edison's private secretary and right hand man.



Having successfully argued for the creation of regulated utility monopolies, he assembled a huge empire which subsequently collapsed in the Great Crash of 1929, investors and indeed himself were wiped out...

Hmm, I had also heard the Monopoly Guy was based on JP Morgan (at least in looks), but I could be incorrect.

>Monopoly Guy

His name is Rich Uncle Pennybags

I would argue that he is more commonly known as Monopoly Guy - as this is the first I've heard "Rich Uncle Pennybags", and I first played Monopoly ~30 years ago.

you can be the citation on the wiki article! https://en.wikipedia.org/wiki/Rich_Uncle_Pennybags

Was it worth it though?

> "The camera crew listened patiently to his rambling story, silently recognizing the inconsequential details found in stories told by liars."

I'd love to learn more about this. How do you separate inconsequential details told by liars from inconsequential details told by excited people?

Liars provide more details because they get bogged down in the story, whereas truth-tellers give you a broad overview and can still provide a coherent story when pressed for details.

One study found this by analyzing insurance claims [0]

[0] http://www.dailymail.co.uk/sciencetech/article-1316234/How-s...

I just finished Never Split The Difference (https://www.amazon.com/Never-Split-Difference-Negotiating-De...) and they also tend to use different pronouns (they do not use I as much, but use other pronouns more often)

This accords with a recent high-profile rape case in the UK involving rugby players where the defence barrister was questioning the alleged victim's account because she kept using 'you' rather than 'I' when describing her behaviour during the alleged rape. (The players were found not guilty in court but not on media and social media and were fired.)

Or perhaps she found the experience traumatic and wanted to disassociate herself when describing the events? It's dangerous to read too much into how people describe traumatic experiences.

I agree with you and yet people are convicted based on the basis of one person's word against another's all the time.

If you look into studies of lie detection training and efficiency, you will learn that it is mostly confirmation bias on the side of the lie detectors: humans cannot really be trained to be powerful lie detectors. There is some new research on using MRIs to detect the brain pattern of lies, but it is still nascent.

> When Jacobson revealed his scam, Hart, an honest businessman, found it too good to be true. But he agreed to try it, to “see if it worked,” recalled Jacobson.

I think I might have to revise my understanding of what it means to be an honest businessman.

It is depressing to me that greed so easily trumps morality.

Morality is easy to talk about. Being tested is hard.

It sleeps a bit like a shoe horn. Bit by bit shifting your perspective.

It's harder to be moral when you know you can do the wrong thing and get away with it.

> Jacobson’s $70,000 salary was six times his police officer’s pay

How is this possible?

The 80's. Minimum wage was around $2.65 or $5512/yr. He was making roughly twice minimum wage at the time.

Even then, in 1988, that $70,000 salary was pretty good. That's the equivalent of $149,000 today. (Or $52,000 in 1981 when he was a cop).

Perhaps the police pay is just the base, not including overtime or hazard pay that make up much of an officer’s total compensation.

Not to mention official and unofficial benefits; health care and a police pension obviously, but also running drugs on the side, free prostitutes, bribes, immunity from other police, and near absolute power over other individuals in the regular course of your job.

Not all of these still exist today, but many do.

Ha ha, I made $4/hr as a teenager in 1988. Then was given a big raise to $4.25, only because of a minimum wage hike.

Government employees had sweet benefits and awful pay in the 80s. Inflation really killed them in the 70s and early 80s.

As the benefits got more expensive, salaries came up.

I think you've got it backwards. Pay was good and benefits were shit. Increasing benefits and stagnant wages plagues public employees these days. Take the Houston Fire Department for example.

Inflation. The same way I can remember paying $0.79 for gas in the late 1990s.

Also, police officers are not paid well.

> $0.79 for gas in the late 1990s

Inflation only tells some of the story -- oil is marginally controlled by a cartel, OPEC. I seem to recall OPEC following a cheap oil strategy to drive smaller producers to close their wells.


Monthly salary?

That would mean a cop in 1980 is making $140,000 a year.

They rigged it against Canada? Can Canadians file a class-action lawsuit?

Yeah, for me - across the board of the entire story - the most alarming thing is that there seems to be little blowback against McDonalds for this. Considering how much that promotion was "worth" to them and how much business they got because of it, they lost almost nothing for misrepresenting the chances of winning to their customers (which they could have prevented if they were a little more careful). If I were a McDonalds exec, the unfortunate moral I would draw from this is to rig the game for myself next time, because it doesn't hurt the company at all, really.

They tried. From the closing paragraphs of the article:

"A group of Burger King restaurants tried to get a class act lawsuit together, so did a group of unhappy McDonald’s customers in Canada."

Wouldn't even surprise me if this was de facto behaviour for most large contests managed in the USA.

I am less-than-half-joking when I say this sort of cheating could be prevented by:

McDonald's Monopoly on a Blockchain

All the sweepstakes promotions I see now involve entering some unique ID code online, which makes them much less fun I think.

Yep, the last time I even cared about one of those games you had to text in the number to see if you won anything and twice in a row they came back as "already entered", think the employees were doing it in their spare time since it was just printed on the outside of the box.

Had I known the FBI cared about these things...

Yeah the last one of those I tried did the same thing.

I predict it'll be an app that reads QR codes, and shows you an AR version of what the piece 'really' is, instead.

Tickets can start as simply generic serial numbers, but a post-distribution cryptographically-audited process then upgrades some to winners.

I smell an ICO opportunity!

How was this promotion not regulated? Sounds a lot like lootcrates.

It's been a long time since I've looked into this, but things like this generally are regulated (in the US). The sweepstakes promoter generally must post the odds of winning, and can't actually require a purchase of a product to enter (though you might need to pay return postage and wait 2-4 weeks for the free entry option). Some states have stricter requirements and you'll often see nationally advertised sweepstakes specify that they're not offered to residents of those states.

To this point, one guy mailed ~100 letters to McDonalds asking for monopoly pieces. McDs had to reply with game pieces.

It was regulated in the sense that it gave the odds of winning, just as how lootboxes/gacha mobile games just now are giving drawing odds (since there is starting to be a crackdown on those).

>Sounds a lot like lootcrates

Which aren't (yet) regulated in the US.

I knew one winner. She won an Oldsmobile in 1988. Interestingly enough, she was a Mormon and so had to ask permission from her elders to claim the prize. This was in Minnesota.

Mormon here. Hope your friend wasn’t connected to this Baker fellow ;). Seems a little odd to me though that she needed to ask permission from anyone in the Mormon church to claim a prize. Normally the only person you would be expected to talk to is your Bishop and that is under the circumstances of a large enough sin. You can seek guidance and counsel from the Bishop, however this is not expected.

By the way random facts, but we prefer calling ourselves and being called members of the Church of Jesus Christ of Latter Day Saints (LDS Church) instead of Mormons. Mormon was the name of an ancient American prophet-historian who abridged records of other prophets into a book of scripture which would later be called The Book of Mormon. We by no means worship Mormon, but instead Christ that’s why we prefer the other name.

Unless I missed it, we never found out who the informant was.

I think it was implied to be the mob wife's angry in-laws.

It's implied at least here that it's Colombo's surviving family.

I found this funnier than I probably should have:

> a disgraced Ronald McDonald actor who was convicted of making harassing phone calls while posing as the clown

What was the source of the disgrace?

A fun-to-read-about (but not illegal) sweepstakes hack was done by a bunch of Caltech students in the 70s. Coincidentally, McDonald's was the target there, too. http://hoaxes.org/archive/permalink/the_caltech_sweepstakes_...

This type of scam can probably be much easier to spot with Facebook.

Any lottery game or house raffle with little transparency should be suspect.

I remember working on a Monopoly game knockoff for Buddig meat at one of my first dev jobs. I wish we had put in nearly the same effort to protect the game as MCDs did. We had some "situations" also. Not this bad though.

McDonalds was dumb for entrusting the security of this system to one person. This is like security 101. If you want good physical security, you can't trust it to a single person.

There was an auditor following him, except in the bathroom, where he was doing the switch.

Right but the auditor was only an observer, not part of the process. You need to have two people be active participants.

Jacobson sent a $1m winning ticket to a hospital, where the donations clerk immediately turned it in. Imagine what would have happened if she'd decided to keep it for herself? I wonder whether and how Jacobson would have taken steps to expose her, without exposing himself.

I often wonder with the McMonopoly prize thing how often they pay out, from my observation quite a number of people just threw out their tickets, so it seemed like there was a good chance they didn't have to payout

I am pretty sure the only way you -can- win the Monopoly game is to rig it in your favor. It's not a game anyone is meant to win. That's likely why so much is spent trying to figure out how someone won. The only prizes anyone is meant to win are maybe an Xbox and free chicken McNuggets. In some ways I sympathize with the idea of playing the unwinnable system against itself.

If you know which of the three or four tickets are scarce (something that could easily be determined by a few enthusiasts online by collating their ticket data), winning a grand prize is as simple as buying more McDonalds until you have the tickets to complete the set. The trick is that most people who receive the rare tickets won't know and will either bin them or not obtain the remaining tickets.

ripping off one big corporate via a game named to a big banker. classic. they should give this man a medal!

Good story, but man, I think this story sucked up like 30% of my battery, and the ads didn't even load half the time.

Now we know who orchestrated 9/11: it was McDonalds.

Great piece. I somehow missed all this too in the 9/11 aftermath.


I came across a situation where an asset protection head at a Walmart was looking the other way while an acquaintance would dress up in a suit, and put an expensive vacuum cleaner in a shopping cart and waltz out the car department's side door minutes after it opened each morning. An employee noticed this. Asked the person for a receipt and the scam came to an end. The employee, however, got written up by the asset protection head! He claimed he was just about to apprehend this fellow. But Walmart quickly ended their relationship with their asset protection head (within weeks), while NOT GOING BACK TO THE SIMPLE EMPLOYEE and admitting any wrong in his being written up. This is why when people rob these huge corporations like this, nobody should care. They don't give 2 craps about honesty or integrity. They are more worried about a thief falling down, breaking an ankle, suing them for millions, than you helping them not lose assets.

I stopped reading the article as soon as they got to the part about him checking all the employees and even following them into the bathroom (illegal BTW). This is why police departments have INTERNAL AFFAIRS DEPT. Just like pedophiles find a position of trust to prey upon kids, really accomplished scammers find one to take advantage of security. Where would a better position be than to head up the security! When they started giving examples of him checking shoes, it reminded me that in my lifetime I realized the worst thieves are always worried about getting robbed! Because they figure if they thought of it, so haven't others. I was reading before that about all his ailments prior and thinking, the author hasn't figured out those were scams... too!
