21 August 2020
Broadcasted for the first time on Netflix in 2017, Ozark tells the story of Wendy and Marty Byrde, who, behind their appearance as a perfect couple, are actually laundering money for one of Mexico’s most dangerous drug cartels. In order to carry out this project, the couple bought a casino. The sums to be laundered being colossal, they must, in the third season, acquire a second one. But the owners of the establishment are reluctant to sell.
In order to get them to fold, Wendy, with the help of accomplices, decides to compromise their slot machines and thus force them into bankruptcy. And this is how she does it…
In the second episode of the third season, Wendy and her accomplices go to the casino she wants to acquire. They move closer to the slot machines to carry out their misdeed. The scene begins with a close-up of a woman’s cleavage. She places her mobile phone there, camera in front of the slot machine, which she triggers. An accomplice, in a truck not far from the casino, tells her, by phone, when she should press stop. The scam works like a charm, it’s a jackpot.
Soon, all of Wendy’s accomplices began to follow the same technique. Wendy gloats, as the noise of the slot machine winnings in the background becomes more and more intense.
But then, is it possible? Technically, compromising an old slot machine is possible, because they are coded in VB, a programming language that does not effectively simulate the generation of random numbers. A weakness that therefore makes the calculation of probabilities possible, especially if, as in the series, a cybercriminal has the idea of streaming the reel live and sending it to an accomplice.
And it happened in the United States a few years ago…
In 2014, the Casino Lumière in St. Louis, USA, fell victim to this attack, as reported in Wired magazine: “Accountants at the Lumiere Place Casino in St. Louis noticed that several of their slot machines had—just for a couple of days—gone haywire. The government-approved software that powers such machines gives the house a fixed mathematical edge, so that casinos can be certain of how much they’ll earn over the long haul—say, 7.129 cents for every dollar played. But on June 2 and 3, a number of Lumiere’s machines had spit out far more money than they’d consumed, despite not awarding any major jackpots, an aberration known in industry parlance as a negative hold. Since code isn’t prone to sudden fits of madness, the only plausible explanation was that someone was cheating.
The article goes on to say: “Casino security pulled up the surveillance tapes and eventually spotted the culprit […] Unlike most slots cheats, he didn’t appear to tinker with any of the machines he targeted […]. Instead he’d simply play, pushing the buttons on a game like Star Drifter or Pelican Pete while furtively holding his iPhone close to the screen. He’d walk away after a few minutes, then return a bit later to give the game a second chance. That’s when he’d get lucky.
In two days, he had won over $21,000.
In 2009, Russia banned gambling. A decision that forced casinos to resell, among other things, their slot machines. Some of the buyers were cybercriminals, eager to analyze their source code to take advantage of it. Their work enabled them to find and successfully exploit the following vulnerability: Through targeted and prolonged observation of the individual game sequences as well as possibly recording individual games, it might be possible to allegedly identify a kind of ‘pattern’ in the game results.
Several establishments in the United States having suffered the same fate as the casino in Saint-Louis, an investigation has been opened. Here are the findings: “According to Willy Allison, a Las Vegas–based casino security consultant who has been tracking the Russian scam for years, the operatives use their phones to record about two dozen spins on a game they aim to cheat. They upload that footage to a technical staff in St. Petersburg, who analyze the video and calculate the machine’s pattern based on what they know about the model’s pseudorandom number generator. Finally, the St. Petersburg team transmits a list of timing markers to a custom app on the operative’s phone; those markers cause the handset to vibrate roughly 0.25 seconds before the operative should press the spin button".
Sarah, one of our experts in France is an ex-Casino dealer. Sarah, as well as Mathieu, a pentester, agreed to give us their point of view on the Ozark scene but also on the 2014 scam.
While they do not refute the technical vulnerabilities that can allow this kind of inconvenience, nor downplay the ingenuity of Russian cybercriminals, they do warn of one detail: every corner of a casino is equipped with a camera so that no blind spot is missed. At the slightest win, the people in charge of security are tasked with monitoring the winner.
In addition, photos and videos are now banned. The only technical way to potentially perpetuate this hack would be to use a hidden camera. The cheater would still need to use his smartphone to contact his accomplices, which could make his behaviour suspicious.
Today – or in 2019, when the third season comes out – this hack doesn’t really seem realistic anymore, although it was, less than ten years ago.