Correction to This Article
D.C. official Ben Lorigo's name was misspelled in an earlier version of this article.

D.C. Lottery Thefts Tied to Lax Security Processes

By Brian Krebs Staff Writer
Friday, December 21, 2007; 12:06 PM

D.C. officials learned last year that lax enforcement of security procedures made it possible for a handful of contract employees to steal tens of thousands of dollars in lottery tickets and prize money, according to records released this week in response to a Freedom of Information Act request filed with the District of Columbia Lottery & Charitable Games Control Board.

An investigation conducted by Battelle Memorial Institute in August 2006 determined the ticket thefts were most likely committed by field service technicians employed by Lottery Technology Enterprises, a District-based joint venture between GTECH Corp., New Game Technologies and Opportunity Systems Incorporated.

Lottery officials were first made aware of questionable ticket sales in December 2005, when several retail locations around the District began complaining about unauthorized ticket sales charged to their accounts. In nearly every case, the sales were recorded as occurring after the retailer's business hours. Surveillance footage and audits of ticket stock showed that no one was at the retailers' lottery terminals when the tickets were recorded as being sold.

Battelle, a technology consultancy, concluded that LTE technicians likely created the unauthorized tickets by manipulating the radio communications technology used to transmit ticket purchases from retail terminals to the D.C. lottery's central system. Battelle determined encryption security measures were not activated on some retailers's lottery terminals. LTE technicians thus were able to intercept the retailers' logon credentials, allowing them to gain remote access to some of these unsecured machines. Using spare lottery terminals, the thieves were then able to print genuine lottery tickets without having to pay for them, Battelle found.

In roughly 5,600 separate transactions over a seven-month period, the perpetrators tricked the system into thinking the purchases had been made by one of more than three dozen lottery terminals at authorized lottery retail locations throughout the District.

All told, the LTE technicians created $86,000 in phantom D.C. Lucky Numbers, D.C. 4, Keno and Powerball tickets, earning prize money totaling more than $70,000.

LTE officials did not return repeated calls for comment. A spokesperson for GTECH, a lottery hardware and software vendor based in Providence, R.I., declined to comment.

Jay Young, chief operating officer for the D.C. Lottery, said the board worked with the FBI to identify at least three LTE employees suspected of committing the fraud. LTE later fired the employees, but investigators could not gather enough hard evidence of wrongdoing to bring criminal charges against them.

LTE has since repaid the DC government the purchase price of the stolen tickets, but not the prize money earned by those tickets. Ben Lorigo, executive director of the District's Office of Integrity and Oversight, said the DC government is seeking to recoup the lost winnings as well as punitive damages from LTE, though he declined to saw how much.

"We're just looking to be made whole here," Lorigo said.

The Battelle report found that the "radio communications being used by the [lottery] system had a previously-undiscovered vulnerability. This vulnerability permitted an unauthorized lottery terminal to enter 'rogue' transactions into the system, producing apparently legitimate tickets that could be cashed as winners."

According to Battelle, GTECH has since put in place a technological fix that should prevent unregistered lottery terminals from being used on the network. The rogue lottery terminals used to print the stolen tickets were never found.

The Battelle audit also faulted LTE's management processes, from a failure to conduct thorough background checks on employees to the lack of strict controls over who had access to lottery terminals (see sidebar).

News of the phantom tickets comes at a sensitive time for GTECH and LTE; the D.C. government is soliciting requests for proposals to rebuild the city's aging gaming system. Installed in 1985 - with minor upgrades a decade later -- the technology that powers the District's lottery system remains the among the oldest in all of North America. The city is expected to award the new contract early next year.

The D.C. Lottery retailers affected by the scam were never told how the thefts were carried out. The D.C. government simply refunded to retailers the money it gained from the sale of the phantom tickets. The stores were allowed to keep the commissions they made on the bogus tickets.

Last year, the D.C. Lottery sold more than $266 million in tickets, generating nearly $74 million for the city government.

Highlights From the Battelle Audit

* Lottery technicians' "terminal security control was weak. There was no sign-on/off procedure, and no existence of a lottery terminal paper inventory accounting routine before the incidents."

* "Approximately 190 retailers' terminal encryption was turned off despite a system-wide default to turn on the encryption."

* "Anomalies in a suspect LTE's employee's background check prior to employment were ignored. We are not aware that LTE performs annual financial and other background checks on LTE employees in sensitive positions."

* "LTE's control over lottery terminals is weak. There were no strict controls over terminals -- technicians could take the terminals out for a period of time without accounting for them."

* "LTE's security over lottery ticket stock was weak. There was no lottery paper inventory accounting routine before the incidents."

* Technicians' "terminal intrusion attempts are not monitored, logged or reported."

© 2007 The Washington Post Company