Avoiding Another Breeders' Cup Fiasco

19 November 2002

In the wake of the biggest scandal to hit the pari-mutuel betting industry, online operators and suppliers are addressing security issues to ensure they're not victims of a similar attack.

Last week, three former fraternity brothers were charged with using an automated telephone betting account with Catskill OTB and a computer to manipulate a series of bets that produced a $3 million prize from a Breeders' Cup Pick 6 bet placed Oct. 29.

Derrick Davis, Chris Harn and Glen DeSilva surrendered to authorities in New York Tuesday morning and after subsequent court appearances were released on a bond of $200,000.

Harn, who was employed by Autotote, is accused of breaking into the computer system and entering the winners for each of the first four races of a Pick 6 bet after the races had been run and before the wagering information had been passed on from Catskill OTB, where the bet originated, to the host pool at Arlington Park.

The Pick 6, like the Win 4 and the Superfecta, is a "scan bet," in which wagers are not recorded until after the next-to-last leg is run. Thus, the transfer from the OTB was not made until after the fifth of six races was complete. Davis then selected all the runners in the final two legs of the bet, guaranteeing a winning ticket.

The incident has many online gaming operators questioning whether their systems are vulnerable to a similar attack. Most agree that no e-commerce system is truly 100 percent hacker-proof.

Although systems can be safeguarded against intrusions from outside parties, little can be done to prevent someone within the company from tampering with the system.

As was the case with the Breeders' Cup incident, inside intrusions are often the easiest to detect.

In August, what was described as a "disgruntled" programmer manipulated the random number generator of Toronto-based software supplier CryptoLogic, his employer.

After only a couple of hours of "winning" with the fixed games, CryptoLogic detected the intrusion and halted all gaming activity. The company suffered a black eye in the industry and had nearly 24 hours of down time while the situation was investigated.

Jeff Niblack, the chief information officer for Interactive Gaming & Wagering, a software supplier for sports books, casinos and horse racing sites, feels that protecting the code that runs a system is an easy yet important step in securing gaming systems.

"The introduction of code should never take a direct route from a developer to a production environment," he said. "At a minimum, the path should include two additional steps: a quality assurance check and a release step. The quality check is to verify the code performs as expected. The release step is to ensure that what is being released is what was actually tested."
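One way to implement the release step Niblack describes is to record a SHA-256 digest of every file at QA sign-off and refuse to release anything that differs. This is an added example, not code from IGW or any supplier named in the article; the function names and the sample build contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def release_gate(qa_manifest: dict[str, str], candidate: Path) -> list[str]:
    """Return every difference between the QA-approved build and the candidate.

    An empty list means the candidate is byte-for-byte what QA tested.
    """
    actual = build_manifest(candidate)
    findings = []
    for name in sorted(qa_manifest.keys() | actual.keys()):
        if name not in actual:
            findings.append(f"missing: {name}")
        elif name not in qa_manifest:
            findings.append(f"untested file: {name}")
        elif actual[name] != qa_manifest[name]:
            findings.append(f"modified after QA: {name}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: a tested build, then the same build altered post-QA."""
    with tempfile.TemporaryDirectory() as tmp:
        build = Path(tmp) / "build"
        (build / "lib").mkdir(parents=True)
        (build / "lib" / "rng.py").write_text("SEED_SOURCE = 'hardware'\n")
        (build / "settle.py").write_text("def settle(ticket): ...\n")
        manifest = build_manifest(build)          # recorded at QA sign-off
        clean = release_gate(manifest, build)     # unchanged build passes
        # Changes made after sign-off, bypassing QA:
        (build / "lib" / "rng.py").write_text("SEED_SOURCE = 'fixed'\n")
        (build / "patch.py").write_text("print('hotfix')\n")
        (build / "settle.py").unlink()
        return clean, release_gate(manifest, build)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:", clean)
    print("tampered:", tampered)
```

The check is only as trustworthy as the manifest, so the QA manifest has to be stored or signed somewhere the developers submitting code cannot modify.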

Despite high-profile attacks, like the Breeders' Cup and Crypto incidents, making headlines, Niblack doesn't feel intrusions from inside parties are an epidemic for I-gaming.

"I'm not sure these recent lapses in security for some operators or software suppliers provide any insight into the overall interactive gaming industry," he said. "As with most industries, there are folks that follow prescribed standards or approaches and those that don't. Consumers, whether it be operators or players, should feel comfortable in speaking with their provider to ensure that appropriate checks and balances are in place."

Niblack feels operators who best know the inner workings of their systems will be able to provide the highest level of security, both internally and externally.

"For those operators that are using third party software, they have to get plugged into the 'process' that the software provider follows," he said. "They should ask questions about the processes -- what they do, what they don't do. The process should not be a technical maze."

Niblack said processes are usually easy for non-technical operators to understand and that once an operator has a basic understanding of the process, he should ask "what if" questions to ensure the appropriate bases are covered.

One offshore sports book operator, who spoke to IGN on the condition of anonymity, said internal security issues aren't just a concern to one section of the e-gaming sector.

"The bottom line here is there should be secure access internal controls to ensure employees are not conspiring with players to post past wagers, etc.," he said. "But that concern is not specific to horse racing in our (non pari-mutuel, online) industry. It is also not specific to our industry, as the Breeders' Cup scandal shows."

Niblack said a good rule of thumb for operators and suppliers looking to get the highest level of protection for their systems is to treat every transaction the same way banks and financial institutions treat transactions within their systems.

Nobody knows where Kevin Smith came from. He simply showed up one day and started writing articles for IGN. We liked him, so we decided to keep him. We think you'll like him too. Kevin can be reached at kevin@igamingnews.com.