Background Image
Table of Contents Table of Contents
Previous Page  55 / 76 Next Page
Show Menu
Previous Page 55 / 76 Next Page
Page Background



ditionally, electronic draw systems offer more capabilities, such as the

support for more types of games, the ability to have more frequent

draws, and the capability to manage draw outcomes. Such systems

are also much less costly because the games can all reside on one

system and require much less human involvement to manage them.

Misconception 2:

Electronic draw systems are most secure when

they are isolated from other systems or networks and protected us-

ing physical measures.


Isolating draw systems does not protect from insider

attacks, as demonstrated by the recently discovered fraud cases.

Additionally, committing to stand-alone offline draw systems in-

troduce limitations on draw capabilities which may limit lottery

growth and require manual procedures that are more prone to error

than automated ways of communicating data; they require more

human effort, and have higher operational costs.



To provide some guidance, we identify a checklist of 7 critical

security measures which help protect the integrity of the RNG. (1)

–(5) are elements that improve on traditional methods of assuring

integrity and are best practices provided by third-party vendors.

Fraud detection and independent verification, (6) and (7), are de-

ployed by some lotteries for enhanced security.

1 Draw systems should be provided by an independent third party.

To avoid potential conflict of interest: (a) lotteries should not

develop their own draw systems and (b) lottery gaming systems

vendors should not provide their own draw systems.

2 Security of the RNG must include state-of-the-art protective

security which should include: strong password protection, re-

strictions on access, and read-only use of the RNG program,

configurations, and reports. Also, lotteries should set procedures

to restrict user access and define role separation, including users

from different groups or organizations to perform draw, audit

and other functions.

3 Independent certification of randomness and code review is nec-

essary. This certification may not detect a hidden code or prevent

injection of fraudulent code in the future.

4 Another important method requires verification of RNG soft-

ware code checksums, or hashes, to detect any changes in code

or configuration since certification. This verification may be cir-

cumvented by a fraudulent software.

5 Additional security certifications can be performed to increase

confidence in the system. These certifications may include scan-

ning of the RNG system delivered to the lottery to detect mali-

cious code and system vulnerabilities. A system snapshot can be

taken at the time of delivery and used later for comparison to

detect unauthorized changes.

6 The RNG includes fraud-detection capabilities: each time a draw

occurs, the system creates a tamperproof log file corresponding to

the draw; if any changes are made to the log file, an independent

audit would identify these changes. By building a tamperproof

log file, the draw provides non-refutable/undeniable proof of

draw integrity. To clarify the principle of logs and audit:

a. If log files are not tamperproof, fraud-detection is not certain.

b. A tamperproof electronic log file is distinct from activity log

and draw reports; computerized attacks may be ‘invisible’ and

they may create fraudulent logs.

c. Proof of integrity of a draw system should not require sharing

of privileged or secret information, as this can involve poten-

tial collusion and fraud.

d. Digitally signing already generated data does not provide un-

deniable proof, as the data may have already been modified

when signed. In fact, draw reports generated in the recently

publicized RNG fraud case were digitally signed.

7 A draw system should be accompanied by an independent audit sys-

tem. The audit system must be independent from the number gen-

eration process, so that it can detect any fraud to the draw system.

a. Audit system should be able to analyze tamperproof logs (6)

to prove the integrity of each individual draw, its time and

numbers drawn.

b. Audit should not rely solely on scanning of draw systems as

these procedures are not fully reliable: some evidence may not

be recoverable through the scans. A skilled programmer will not

leave traces of attack or make them extremely difficult to find.


We recommend that lottery directors and top management un-

derstand how alternative RNG solutions solve various security risks

including insider fraud. We provide some guidelines in identifying

a secure RNG solution. We also recommend that when choosing a

RNG system, lotteries make a broad cost analysis that takes into ac-

count the level of RNG security offered, whether fraud detection is

included, and how these factors impact fraud susceptibility. Lotter-

ies can obtain impartial comparative analysis of different offerings

from third party experts, familiar with the technology used and

without financial interest in selling or promoting specific RNG so-

lutions. Our hope is that in the future the industry will help lotter-

ies by regulating RNG security, but in the meantime lotteries need

to fully understand the security risks for RNG products offered.

The recent fraud in the US illustrates many of the points we dis-

cuss: the security solution of the defrauded RNG was stronger than

that of RNG solutions used currently by many lotteries. It is alleged

that the fraudulent code was designed to only run at a specific time

and date—at the actual draw time. It is hard to defend against such

an attack, as this dynamic code may reside outside of the RNG

code, could be replaced by a script running in the background, and

could even erase all traces of fraud after running. The investigators

deserve credit for detecting this fraud. It may have gone undetect-

ed, as we suspect can be the case for other fraudulent events. Right

now, this should alert us all to the potential of RNG fraud and to

finding a reliable solution for detecting fraud.