July/August 2016 // PUBLIC GAMING INTERNATIONAL //
55
ditionally, electronic draw systems offer more capabilities, such as the support for more types of games, the ability to have more frequent draws, and the capability to manage draw outcomes. Such systems are also much less costly because the games can all reside on one system and require much less human involvement to manage them.
Misconception 2:
Electronic draw systems are most secure when they are isolated from other systems or networks and protected using physical measures.
Explanation:
Isolating draw systems does not protect from insider attacks, as demonstrated by the recently discovered fraud cases. Additionally, committing to stand-alone offline draw systems introduces limitations on draw capabilities which may limit lottery growth, and requires manual procedures that are more prone to error than automated ways of communicating data; such systems require more human effort and have higher operational costs.
WHAT SECURITY MEASURES ARE PROVIDED BY RNG VENDORS?
To provide some guidance, we identify a checklist of 7 critical security measures which help protect the integrity of the RNG. (1)–(5) are elements that improve on traditional methods of assuring integrity and are best practices provided by third-party vendors. Fraud detection and independent verification, (6) and (7), are deployed by some lotteries for enhanced security.
1 Draw systems should be provided by an independent third party. To avoid potential conflict of interest: (a) lotteries should not develop their own draw systems and (b) lottery gaming systems vendors should not provide their own draw systems.
2 The RNG must be protected by state-of-the-art protective security measures, including strong password protection, restrictions on access, and read-only use of the RNG program, configurations, and reports. Also, lotteries should set procedures to restrict user access and define role separation, with users from different groups or organizations performing draw, audit and other functions.
3 Independent certification of randomness and code review is necessary. This certification may not detect hidden code or prevent injection of fraudulent code in the future.
4 Another important method requires verification of RNG software code checksums, or hashes, to detect any changes in code or configuration since certification. This verification may be circumvented by fraudulent software.
5 Additional security certifications can be performed to increase confidence in the system. These certifications may include scanning of the RNG system delivered to the lottery to detect malicious code and system vulnerabilities. A system snapshot can be taken at the time of delivery and used later for comparison to detect unauthorized changes.
6 The RNG includes fraud-detection capabilities: each time a draw occurs, the system creates a tamperproof log file corresponding to the draw; if any changes are made to the log file, an independent audit would identify these changes. By building a tamperproof log file, the draw provides non-refutable/undeniable proof of draw integrity. To clarify the principle of logs and audit:
a. If log files are not tamperproof, fraud detection is not certain.
b. A tamperproof electronic log file is distinct from activity logs and draw reports; computerized attacks may be ‘invisible’ and may create fraudulent logs.
c. Proof of integrity of a draw system should not require sharing of privileged or secret information, as this can involve potential collusion and fraud.
d. Digitally signing already generated data does not provide undeniable proof, as the data may have already been modified when signed. In fact, the draw reports generated in the recently publicized RNG fraud case were digitally signed.
7 A draw system should be accompanied by an independent audit system. The audit system must be independent from the number generation process, so that it can detect any fraud to the draw system.
a. The audit system should be able to analyze the tamperproof logs (6) to prove the integrity of each individual draw, its time and the numbers drawn.
b. Audit should not rely solely on scanning of draw systems, as these procedures are not fully reliable: some evidence may not be recoverable through scans. A skilled programmer will not leave traces of an attack, or will make them extremely difficult to find.
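Items 4, 6 and 7 of the checklist describe three mechanisms: a certification snapshot of code and configuration hashes that is checked again later, a tamperproof per-draw log, and an audit system that is independent of the number generation. The following is an added example written for this page; it is not code from the article, from any RNG vendor or from any lottery. It models the three mechanisms with a SHA-256 file manifest and a hash-chained draw log whose head is handed to a separate audit component at the moment of each draw, so that an entry changed afterwards (or a log regenerated afterwards, the situation in point 6d) no longer matches what the auditor retained. All file names, draw identifiers, dates and numbers are constructed sample values, and the class and function names are the example's own.

```python
import copy
import hashlib
import json
from typing import Dict, List

# ---- Item 4: checksums of code and configuration taken at certification ----

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Certification snapshot: path -> SHA-256 of the delivered content.
    The manifest is kept by the certifier/auditor, not on the draw system itself."""
    return {path: sha256_hex(content) for path, content in files.items()}

def verify_manifest(manifest: Dict[str, str], files: Dict[str, bytes]) -> List[str]:
    """Paths that are new, missing, or whose content no longer matches the snapshot."""
    changed = []
    for path in sorted(set(manifest) | set(files)):
        if path not in manifest or path not in files:
            changed.append(path)
        elif sha256_hex(files[path]) != manifest[path]:
            changed.append(path)
    return changed

# ---- Items 6 and 7: hash-chained draw log checked by an independent audit system ----

GENESIS = "0" * 64  # chain head before the first draw

def entry_hash(record: dict) -> str:
    """Canonical (sorted-key JSON) hash of one draw record; 'prev' links it to the entry before."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(payload)

class AuditSystem:
    """Independent audit side (item 7). It retains only the chain head reported at the
    moment of each draw; no secret is shared with the draw system (point 6c)."""
    def __init__(self):
        self.heads: Dict[str, str] = {}

    def receive_head(self, draw_id: str, head: str) -> None:
        self.heads[draw_id] = head

    def verify(self, log: List[dict]) -> List[str]:
        """Re-walk a draw system's log and report every entry that does not match what
        was committed at draw time, or whose link to the previous entry is broken."""
        findings, prev = [], GENESIS
        for record in log:
            draw_id = record.get("draw_id")
            if record.get("prev") != prev:
                findings.append(f"{draw_id}: chain link broken")
            current = entry_hash(record)
            expected = self.heads.get(draw_id)
            if expected is None:
                findings.append(f"{draw_id}: no head recorded at draw time")
            elif current != expected:
                findings.append(f"{draw_id}: entry differs from state at draw time")
            prev = current
        return findings

class DrawSystem:
    """RNG side (item 6): appends a chained entry for each draw and reports the new head
    to the auditor while the draw happens, not after the fact (point 6d)."""
    def __init__(self, auditor: AuditSystem):
        self.auditor = auditor
        self.log: List[dict] = []
        self.head = GENESIS

    def draw(self, draw_id: str, timestamp: str, numbers: List[int]) -> dict:
        record = {"draw_id": draw_id, "time": timestamp, "numbers": list(numbers), "prev": self.head}
        self.head = entry_hash(record)
        self.log.append(record)
        self.auditor.receive_head(draw_id, self.head)
        return record

def relink_log(log: List[dict]) -> List[dict]:
    """Model of a log regenerated after the fact (point 6d): internally consistent, so a
    signature applied over it would verify, yet not what was committed at draw time."""
    relinked, prev = [], GENESIS
    for record in log:
        copied = dict(record, prev=prev)
        relinked.append(copied)
        prev = entry_hash(copied)
    return relinked

def demo() -> Dict[str, List[str]]:
    """Constructed sample data: one certified delivery and two draws, then later changes."""
    delivered = {"rng/draw.py": b"# certified draw program (sample)", "rng/draw.cfg": b"range=1-49\ncount=6\n"}
    manifest = build_manifest(delivered)
    later = dict(delivered)
    later["rng/draw.cfg"] = b"range=1-49\ncount=6\nextra=1\n"   # configuration edited after certification

    auditor = AuditSystem()
    rng = DrawSystem(auditor)
    rng.draw("D1", "2016-07-01T20:00:00Z", [3, 11, 22, 31, 40, 45])
    rng.draw("D2", "2016-07-04T20:00:00Z", [1, 8, 19, 27, 33, 49])
    edited = copy.deepcopy(rng.log)
    edited[0]["numbers"][0] = 4               # one drawn number altered in the stored log
    return {
        "config_changed": verify_manifest(manifest, later),
        "log_ok": auditor.verify(rng.log),
        "log_edited": auditor.verify(edited),
        "log_relinked": auditor.verify(relink_log(edited)),
    }

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

The design choice that matters is where the chain heads live: the auditor holds them because it received them at draw time, so the draw system cannot later produce a version of the log that verifies against them, however consistent or well signed that later version is. The manifest check follows the same principle in item 4: the reference hashes are held and compared outside the system being verified.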
CONCLUSION
We recommend that lottery directors and top management understand how alternative RNG solutions solve various security risks including insider fraud. We provide some guidelines for identifying a secure RNG solution. We also recommend that when choosing an RNG system, lotteries make a broad cost analysis that takes into account the level of RNG security offered, whether fraud detection is included, and how these factors impact fraud susceptibility. Lotteries can obtain impartial comparative analysis of different offerings from third-party experts familiar with the technology used and without financial interest in selling or promoting specific RNG solutions. Our hope is that in the future the industry will help lotteries by regulating RNG security, but in the meantime lotteries need to fully understand the security risks of the RNG products offered.
The recent fraud in the US illustrates many of the points we discuss: the security solution of the defrauded RNG was stronger than that of RNG solutions currently used by many lotteries. It is alleged that the fraudulent code was designed to run only at a specific time and date—at the actual draw time. It is hard to defend against such an attack, as this dynamic code may reside outside of the RNG code, could be replaced by a script running in the background, and could even erase all traces of fraud after running. The investigators deserve credit for detecting this fraud. It may have gone undetected, as we suspect can be the case for other fraudulent events. Right now, this should alert us all to the potential of RNG fraud and to finding a reliable solution for detecting fraud.
■