Lottery Post alerted the industry to this possibility 11 years ago
The top threat to any lottery's integrity is its own information technology employees, a former lottery security chief told jurors in the trial for his coworker accused of rigging a Hot Lotto drawing to win a $14.3 million ticket.
Ed Stefan, a former chief security officer for the Multi-State Lottery organization, testified Wednesday that it's "sadly" possible his friend and former coworker, Eddie Tipton, installed a malicious self-deleting computer program onto a number-generating computer to rig a Dec. 29, 2010, drawing that produced the winning ticket. Tipton, 52, is on trial for two counts of fraud.
It's a historic case, believed to be the first trial for a person accused of manipulating a draw. Stefan's admission that it's possible to manipulate the lottery aligns with a theme underscoring the case since Tipton's January arrest: The greatest threat to any company's digital security comes from within.
The expertise IT employees have can make one with ill intentions particularly dangerous, Stefan said.
"They have the knowledge, they have the background, they have the access, they have the understanding," he said. "They have the keys to the kingdom."
Stefan's testimony backed Assistant Iowa Attorney General Rob Sand's case to jurors that Tipton attempted to pull off the ultimate "21st-century inside job" using a self-deleting rootkit. The prosecutor has said Tipton could have installed the program when he accessed the Hot Lotto drawing computers more than a month before the drawing to change the clocks.
After purchasing the ticket on Dec. 23, 2010, Tipton, legally barred from playing the lottery, allegedly filtered the ticket through a Texas friend to make a claim for the money. Tipton's defense contends there are no phone records or other evidence tying him to anybody who tried to redeem the ticket and no forensic evidence a rootkit was installed on the lottery association's computers.
Stefan told jurors he became physically ill last fall when he first saw publicly released video footage from a Des Moines QuikTrip of a man purchasing the ticket at 3:24 p.m. Tipton and Stefan became friends in a college calculus class in Houston in the early '90s and have remained close, he said.
Tipton introduced Stefan to his now-wife, and Stefan helped Tipton get a job in 2003 at the Urbandale-based lottery association that provides games such as Hot Lotto to lotteries across the country, he testified. The two share a patent for a lottery technology idea. It felt like "finding out your mother is an ax murderer" when he saw the man in the video, he said.
"It looks just like Eddie, it sounds just like Eddie, it acts just like Eddie, the mannerisms are just like Eddie," he said. "As a disinterested third party, I would say, 'Oh, that's Eddie.' As someone who's known him half my life, it's incredibly difficult to believe that's Eddie Tipton."
Lottery Post warned about this
In August 2004, the Lottery Post website first alerted the industry to the issues surrounding computerized lottery drawings in the Petition for True Lottery Drawings.
In the petition, Lottery Post Founder Todd Northrop warned of the dangers of hacking, and specifically that a knowledgeable hacker could disguise even the fact that the drawing system was hacked. Northrop wrote:
Computer hacking is a term that has entered the daily lexicon because of its prevalence within every aspect of computers. Hackers can produce code that goes undetected for long periods of time, and causes unseen problems. Why do the state lotteries think that they are immune from hacking, when some of the most secure computers in the world have been hacked into? Worse, a state employee "on the take" could insert malicious computer code into the drawing process that could specify the exact numbers that are drawn. A crafty programmer could keep this secret for a long time.
Sadly enough, what Northrop wrote 11 years ago is precisely what Tipton is accused of doing today.
Despite the fact that the petition was not promoted in social media or any common marketing method — it was only available as a small link — nearly 10,000 lottery players have found and signed it. Clearly, computerized drawings are a problem in theory, and now in actuality.