This was written for one of the courses I took, Security and Privacy, CS458 taught by Ian Goldberg. Unfortunately, in the original I didn’t explain why this issue is related to computer security, and the professor of the course rightly called me on it. I’ve included my response at the end.
Beginnings…
Breaking Scratch Lottery Tickets
Introduction
A geological statistician named Mohan Srivastava was able to find a pattern in tic-tac-toe scratch cards that, when followed, produced a winner 90% of the time.
Why is it important?
The North American lottery system is a $70 billion a year business, an industry bigger than movie tickets, music, and porn combined [1]. If any of the tickets being produced and sold have flaws, it can have a big impact on the lives of the people buying these scratch cards. Srivastava figured he could make 600 dollars a day working the system.
Who is affected?
Anyone who buys lottery tickets is affected. In the States, about half of Americans buy at least one lottery ticket in their lifetime, but it is the poorest 20% that buy the majority of tickets [1]. Despite this, there are a select few who appear to be the luckiest people alive. Joan Ginther has won more than 1 million from the Texas Lottery on four different occasions, as well as $10 million from a $50 scratch ticket.
What impact might it have on people?
Potentially they could play the lottery at odds that are better than 50% and get a cash payout that could change their life. Joan Ginther, mentioned above, is a prime example.
How does it work?
To find a winner for the tic-tac-toe scratch card, with 90% accuracy, according to Srivastava, follow these steps [1]:
- Look over the card. Look for numbers that only appear once on the whole card.
- Make a plot of the card, marking the number of times each number appears. Mark a number that appears once with a 1, a number that appears twice with a 2, and so forth.
- If any of the 1s that you previously marked appear in a tic-tac-toe formation, then the ticket is likely a winner.
- Scratch the ticket.
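The frequency check in the steps above, written as a test a card printer could run over a batch before release to see whether the visible face predicts the outcome. This is an added example, not code from the original post or from any lottery vendor; the card layout (a list of 3x3 boards stored row by row), the names singleton_lines and leak_rate, and the sample cards are assumptions made for illustration.

```python
from collections import Counter

# The eight rows, columns and diagonals of a 3x3 board, as cell indices
# into a board stored row by row.
LINES = [(0, 1, 2), (3, 4, 5), (6, 7, 8),
         (0, 3, 6), (1, 4, 7), (2, 5, 8),
         (0, 4, 8), (2, 4, 6)]


def singleton_lines(boards):
    """Return (board_index, line) pairs whose three cells all hold numbers
    that appear exactly once across the whole card."""
    counts = Counter(n for board in boards for n in board)
    hits = []
    for b, board in enumerate(boards):
        for line in LINES:
            if all(counts[board[i]] == 1 for i in line):
                hits.append((b, line))
    return hits


def leak_rate(batch):
    """Fraction of cards whose outcome matches what the visible numbers
    suggest. batch is a list of (boards, is_winner) pairs. A rate well above
    what always guessing the majority outcome gives means the face leaks."""
    agree = sum(bool(singleton_lines(boards)) == is_winner
                for boards, is_winner in batch)
    return agree / len(batch)


# Constructed sample cards (assumed two-board layout), not real tickets.
# In both, 1, 2 and 3 appear once; every other number appears twice or more.
CARD_A = [[1, 2, 3, 4, 5, 6, 7, 8, 9],   # singletons fill the top row
          [4, 5, 6, 7, 8, 9, 4, 5, 6]]
CARD_B = [[1, 4, 5, 6, 7, 2, 8, 3, 9],   # singletons scattered, no line
          [4, 5, 6, 7, 8, 9, 4, 5, 6]]

# Constructed batch: the last card is a winner the check does not flag.
BATCH = [(CARD_A, True), (CARD_B, False), (CARD_A, True), (CARD_B, True)]

if __name__ == "__main__":
    print("flagged lines on CARD_A:", singleton_lines(CARD_A))
    print("agreement with outcome:", leak_rate(BATCH))
```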
A lot of what this technique comes down to is measuring the frequency of the numbers that appear on the card. This idea was applied to other scratch cards with varying success. Another technique, found being used by store clerks, was to sell all the losing cards that come in the stack and then buy the winners [2].
How might similar problems be prevented in the future?
It is impossible to produce an arbitrarily long string of random digits and prove it is random [3]. The problem with the tic-tac-toe game, then, comes from the fact that the numbers on the cards are not random, and a pattern can be observed. On top of this, the companies making these cards want to regulate the number of winners and losers, and make the cards appealing using baited hooks. Baited hooks force consumers to match up revealed numbers to numbers on the board, adding to the addictiveness of these cards. The best that can probably be done is an algorithm that creates pseudorandom numbers that appear random enough.
References
[1] Cracking the Scratch Lottery Code, http://www.wired.com/magazine/2011/01/ff_lottery/all/1
[2] Hacking Scratch Lottery Tickets, http://www.schneier.com/blog/archives/2011/02/hacking_scratch.html
[3] Random Number, http://mathworld.wolfram.com/RandomNumber.html
Endings…
Professor’s comment: What’s the computer security or privacy issue here?
Response: Computers are used to create the scratch cards using an algorithm that was created by humans. Since there is a problem with the algorithm used, it could be the case that there are similar algorithms being used for securing computer systems that also have flaws in them. While flaws in the security of scratch cards do not directly affect computers, indirectly this suggests that algorithms we write need to be checked thoroughly, for the sake of keeping our systems secure.
This was a neat aside for a course that was very interesting, but that I unfortunately did not have the time for.