IT contractors convicted of UK casino hack scam

A pair of UK hackers who used false betting slips in a bid to con casinos into paying out on bogus gambles were undone by greed and a schoolboy maths error, a court heard. Andrew Ashley, 30, and Nimesh Bhagat, 31, were each handed a suspended jail sentence of one year after they pleaded guilty to theft over a plot involving …

COMMENTS

This topic is closed for new posts.
  1. This post has been deleted by its author

    1. Anonymous Coward

      whose tax money?

      I expect the Casino generates more tax revenue than you or I do.

      1. Dan Herd

        Look where Casino businesses are usually registered

        Hint: it's not the UK.

        Try Gibraltar, or Malta.

  2. Andrew Newstead

    Usual story

    I see dumbing down is affecting most industries nowadays, can't even a decent level of criminal skills these days.

    1. Robin

      re: Usual story

      I can't even a decent irony detector.

    2. Anonymous Coward

      Re: Usual story

      We only hear about the dumb criminals because the smart ones generally don't get caught.... and the really smart ones rig things so nobody even realises a crime has taken place.

  3. Sooty

    they were complete morons

    not having the amount match the bet/odds. Even if it wasn't exact, it would be harder to spot than being completely off.

  4. Craig 12
    Stop

    hackers, hacking...

    They worked for the casino? That's not hacking surely, just boring old tampering/fraud/etc

  5. jon 72
    Pirate

    Hackers?

    IT contractors ? - or data entry monkeys cum script kiddies. I find it hard to believe a 'professional' hacker would of made such a dumb mistake. This was a sweet little scam, shame it's gone for ever now.

    1. Solomon Grundy

      Why?

      Why not? Hackers aren't some sort of super intelligent criminal you know.

      In fact I would argue that programmers as a whole are more prone to silly mistakes like this than just about any other profession. They get too wrapped up in technicalities and overlook the practicalities of the real world.

    2. Anonymous Coward

      Re: Hackers?

      What kind have mistake would you believe a professional would of made?

      1. Anonymous Coward
        Headmaster

        Being professional

        He would not have written "would of made" for a start.......

        1. Anonymous Coward

          For a start

          Read the original post from jon 72

  6. Anonymous Coward
    Grenade

    I'm sorry...

    I'm sorry.. I don't like casinos, but if they stole £16k each then why are they not in jail? The courts still seem to view computer crime as not "real crime". More custodial sentences might make people think twice.

    1. Blofeld's Cat
      Coat

      Real crime?

      Perhaps they were wise to choose a .uk casino given their lack of skill, and the likely penalties in other parts of the world.

      I'm thinking of penalties involving concrete, and casino owners who ... er ... mumble a lot here.

      It's the wooden overcoat.

  7. Red Bren
    WTF?

    Double standards?

    This pair of jokers commit actual, quantifiable and significant theft and they get little more than a wrist slap. But logging into insecure servers to look for evidence of aliens, where the only thing damaged was the Pentagon's ego and you face extradition and a 70 year stretch?

    1. Anonymous Coward
      Happy

      @Red Bren

      An important lesson in picking your targets sensibly methinks.

    2. This post has been deleted by its author

  8. Paul Smith

    Dumb and dumber

    "...was investigated by Scotland Yard's clubs and vice unit. Police used CCTV footage from roulette table terminals at the casino and computers seized from the mens' homes in unravelling the case"

    CCTV footage of the table terminals? Computers seized? WTF? The only thing that unravelled in this case was how thick everyone involved was. The Casino for paying out on unverified slips. The thieves for such stupid mistakes - a tenner at 35 to 1 != 600, ffs! The cops for being unable to prosecute such an open and shut case without CCTV footage and seizure warrants. (I wonder how much overtime was involved?) And the Judge who ordered £32,000 restitution for a £33,000 theft.

    1. Anonymous Coward

      Umm...

      It's a crime involving computers, therefore it's perfectly reasonable to suspect that the criminals may have used (shock horror) their computers to help commit the crime.

      Surprisingly, criminals often keep records of their crimes, chat logs whilst collaborating with their partners in crime etc. so it's not exactly unreasonable for the police to seize them as evidence.

      In fact, it would have been bloody incompetent for the police not to seize because the idiots committing the crime could have been doing this in other casinos that hadn't worked it out yet.

      As for the CCTV footage, same applies, if there's good evidence that supports the charges then you damn well use it to secure a conviction. It's not as if the casinos don't have the cameras already and keep very comprehensive records of everything that goes on. If you've never seen back of house at a casino then I suspect you're touchingly naive in that matter, whilst it may not be Ocean's thirteen, it's most definitely not low tech.

      I suspect the 'restitution' is either victim to a rounding error or there may have been reasonable doubt as to the total money stolen or, shock, it's just a mistake in the original article or source for the article.

  9. Anonymous Coward

    BooHoo....

    ...the casinos got robbed....waaaaaa.......life's not faaaaaaiiiiirrr.......

    Oh well.

  10. Graham Bartlett

    Interesting legalities here

    Under UK law, gambling has no legal basis. If you take a bet, you're under no obligation to pay out to the person who placed the bet. I spose the legality in this case is that the casinos didn't take the bets in the first place, but it's still a bit iffy - like going to Trading Standards and complaining that your dealer had sold you an Oxo cube instead of hash.

    1. David Neil
      Thumb Down

      Sorry Graham, but you are wrong

      Under the Gambling Act (2005), gambling debts are legally enforceable.

      In addition section 42 makes it a criminal offence to win by cheating

  11. jtwaldo
    Grenade

    This scam could have much wider implications

    I find it surprising that the only reason they were caught in this scam was because of the mis-matched payout amount. What controls are in place to identify ticket forgery?

    I have been to many casinos where all slot machines print these tickets with barcodes and payout amounts. What's in those barcodes? How easy would it be to trick a slot machine into reading a forged ticket with $10,000 in credit, play one round and collect your payout... on a brand new slot-machine generated and watermarked (if they do in fact watermark such things) ticket?

    Also, I'm surprised there haven't been more advanced slot machine hacks out there. You've got a room with thousands of embedded Linux devices all networked together. Why hasn't anyone developed a hack that exploits a member benefits card reader vulnerability?

    1. A J Stiles
      Boffin

      Not that hard

      "I have been to many casinos where all slot machines print these tickets with barcodes and payout amounts. What's in those barcodes? How easy would it be to trick a slot machine into reading a forged ticket with $10,000 in credit, play one round and collect your payout... on a brand new slot-machine generated and watermarked (if they do in fact watermark such things) ticket?"

      I would guess it's just a database key. You then do something like

      SELECT * FROM winning_tickets WHERE barcode = 'whatever';

      A made-up barcode can be spotted by not having a matching record in the database. There probably will also be a field to indicate whether the amount has already been paid out or not.

      "Also, I'm surprised there haven't been more advanced slot machine hacks out there."

      I'm not. The adversarial relationship between users and operators keeps everything sweet. It's simple: Pay out too much and you become instantly unpopular with casino / amusement arcade / chip shop owners (therefore you don't sell so many machines); pay out too little and you become instantly unpopular with punters, leading to unpopularity with casino / amusement arcade / chip shop owners (therefore you don't sell so many machines). The only way to survive in that market is to pay out fairly, and be as secure as possible against any subversion attempt.

      1. jtwaldo
        Grenade

        maybe

        I have never seen a cashier scan a payout ticket with a barcode reader before handing me cash (at least at the casinos around here). Even if they do tie each ticket to a database key, there may still be holes in the process. i.e., you legitimately put a lot of money into a slot machine, play a couple rounds, cash out, take the ticket home, dupe it, and then have two people bring it to a cashier simultaneously. You just doubled your money.

        You would think that the adversarial relationship between users and operators would keep voting machines secure too!

        Even if the embedded Linux devices/slot machines are relatively secured, there's a lot of complex infrastructure behind them that might not be. If banks and voting machines can get it wrong, I'm betting slot machines aren't 100% perfect either!

        1. A J Stiles
          Boffin

          What adversarial relationship

          "you legitimately put a lot of money into a slot machine, play a couple rounds, cash out, take the ticket home, dupe it, and then have two people bring it to a cashier simultaneously." -- er, nope. On serial data lines, there is no such thing as "simultaneously". One of the tickets will *always* be seen before the other one.

          "You would think that the adversarial relationship between users and operators would keep voting machines secure too!" -- except there *isn't* an adversarial relationship between voters and councils, which is part of the reason why voting machines are insecure.

          There *is*, however, an adversarial relationship between candidates in the election; which is why, in civilised countries, votes are counted by hand by the candidates. None of them trust any of the others, so the only way they can ever agree on a result is if it's true.

    2. Anonymous Coward
      Black Helicopters

      What's in the bar codes?

      "I have been to many casinos where all slot machines print these tickets with barcodes and payout amounts. What's in those barcodes?"

      Being as I work in the industry, I can answer that. When you cash out one of those machines, the machine sends the credit amount to a server, which enters it in a database and returns a large hashed number to be printed on the ticket. The ticket is usually redeemed in another machine, that sends the hashed number and receives an amount in return from the server. If not by machine, it gets scanned by an attendant, in which case if the server's amount differs from what's printed on the ticket there's trouble ahead for someone.

      However ... I was in a casino recently when the ticket server went down. The machines still issued a cash out ticket, but none could be redeemed except at the cage, where the attendants dealt with a long line of irritated and impatient people by paying out at face value. THAT would have been a good day to have a laptop and ticket printer in your car.

      I think I'll post AC in case anyone actually did that.

      1. jtwaldo
        Thumb Up

        good idea

        I figured there was a hash in the barcodes, but was wondering if it might be a very simple XOR hash or something...

        Good idea posting AC, I'm sure I'll be tackled at the door next time I walk into a casino for voicing my theories!

  12. Anonymous Coward

    working hard at mfuse

    had he done a scam like that at his current employer, they would have never realised those odds were wrong.

  13. Anonymous Coward
    FAIL

    And this on a system that would presumptively take security seriously...

    ...unlike, say, a voting machine.

  14. DavidK

    re: Usual story

    I hear they just accidentally the WHOLE casino.

  15. Anonymous Coward
    Paris Hilton

    and the moral is?

    Pay code monkeys peanuts and get ripped off short measure?

  16. Grumpy Fellow
    Thumb Up

    Nobody would have suspected a thing...

    if they had been losing money.

  17. BigJon
    FAIL

    Crime pays - AGAIN

    Have another try in 2 years time boys.

    British Justice System - FAIL

  18. jtwaldo
    WTF?

    your analogies don't make sense

    "On serial data lines, there is no such thing as "simultaneously". One of the tickets will *always* be seen before the other one."

    Serial data line? Are you assuming that there is only one cashier and that tickets are scanned before a payout is made? In the scenario I'm describing, there are multiple cashiers and desks throughout the casino, and they all seem to put the tickets in a pile without entering them into the system. Unless there is a camera processing the barcodes... which is possible, then they are just reading the payout amount directly from the ticket and handing you the cash.

    "except there *isn't* an adversarial relationship between voters and councils"

    But there wouldn't be such a relationship between voting machine vendors? We're not talking about a method of counting votes (or gambling) we're talking about the competition for quality of products within that method. It sounds like your point is that slot machines are inherently secure because of the relationship between users and casinos and that voting machines are inherently not secure because of an analogous relationship between voters and election commissions. That doesn't make sense at all buddy. It assumes that all vulnerabilities and attack vectors are known or can be trivially remediated... and really that's the reason why casinos could be in trouble, because they think they understand all the attack vectors and vulnerabilities. They install cameras all over the place and only keep cash in hardened locations within the building. That's a physical security control, not an integrity control.

  19. Uncle_Dave
    FAIL

    How the barcodes on tickets work

    I work for a company that sells a player tracking system to casinos. The barcode is a validation number. It, plus the date and time (down to the second) the ticket was generated, the amount plus other factors must match what's in the database for another slot machine to accept the ticket. Same thing happens when a ticket is taken to the cage to be cashed where the cashier scans the barcode into her program. In short, it is pretty much impossible to create a fake ticket and have it cashed.

    ---

    "However ... I was in a casino recently when the ticket server went down. The machines still issued a cash out ticket, but none could be redeemed except at the cage, where the attendants dealt with a long line of irritated and impatient people by paying out at face value. THAT would have been a good day to have a laptop and ticket printer in your car."

    That sometimes happens, however... If the ticket is for a larger than specified amount a manager must approve it and if anything looks fishy, you'll have to wait until the system comes up. After it's up, then all the tickets are scanned and if a bogus one is found, the security tape is checked (you're recorded on multiple cameras throughout the casino starting when you step through the door) to find who brought it up. They'll find you.
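
An added example, not part of any comment above and not any vendor's code: a minimal sketch of the server-side check the thread describes, where the barcode is a random validation number, the printed amount and time must match the database record, and a ticket can be paid only once. The table layout, function names, terminal names and sample values are assumptions constructed for illustration.

```python
import secrets
import sqlite3

def open_db():
    # Autocommit mode: each statement below is applied atomically on its own.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("""CREATE TABLE tickets (
        validation   TEXT PRIMARY KEY,   -- number printed as the barcode
        amount_pence INTEGER NOT NULL,
        issued_at    TEXT NOT NULL,      -- to the second, as printed
        redeemed_by  TEXT)""")           # NULL until paid
    return db

def issue(db, amount_pence, issued_at):
    """Cash-out: the server records the credit and returns the number to print."""
    validation = secrets.token_hex(9)    # unguessable; encodes nothing about the amount
    db.execute("INSERT INTO tickets VALUES (?, ?, ?, NULL)",
               (validation, amount_pence, issued_at))
    return validation

def redeem(db, validation, printed_amount, printed_time, terminal):
    """Return (status, amount_paid). The database record, not the paper, is authoritative."""
    row = db.execute("SELECT amount_pence, issued_at FROM tickets WHERE validation = ?",
                     (validation,)).fetchone()
    if row is None:
        return ("UNKNOWN_TICKET", 0)     # made-up barcode: no matching record
    amount, issued_at = row
    if amount != printed_amount or issued_at != printed_time:
        return ("MISMATCH", 0)           # altered face value or timestamp
    # Check-and-mark in ONE conditional UPDATE, so two cashiers scanning
    # copies of the same ticket cannot both see it as unpaid.
    cur = db.execute("UPDATE tickets SET redeemed_by = ? "
                     "WHERE validation = ? AND redeemed_by IS NULL",
                     (terminal, validation))
    return ("PAID", amount) if cur.rowcount == 1 else ("ALREADY_REDEEMED", 0)

def demo():
    db = open_db()
    when = "2010-01-15T21:04:17"         # constructed sample values
    v = issue(db, 35000, when)
    return [
        redeem(db, "made-up-barcode", 35000, when, "cage-1"),
        redeem(db, v, 60000, when, "cage-1"),   # printed amount altered
        redeem(db, v, 35000, when, "cage-1"),   # genuine ticket
        redeem(db, v, 35000, when, "cage-2"),   # duplicate of the same ticket
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The check only helps when every payout goes through `redeem`; paying at face value while the ticket server is down bypasses it, which is why the manager approval and after-the-fact scanning described above matter.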
