Video Poker Firmware Bug Yields Big Money, Federal Charges

JoeyRox writes "Over the course of playing $12 million worth of video poker, Las Vegas resident John Kane stumbled onto a firmware bug in IGT's 'Game King' machines that allowed him to cash out for 10x the amount of his winnings. John and his friends took advantage of the vulnerability to the tune of $429,945. John's friend was arrested by U.S. marshals and charged with violation of the Computer Fraud and Abuse Act, but a federal magistrate ruled that the law doesn't apply and recommended dismissal. The case is currently being argued in a U.S. District Court."

Can't cheat an honest man

[egcagrac0]

The point of the machines (from the player perspective) is to stick in money, push buttons, and make it dispense more money (vouchers) than you put in.

The house edge comes from the fact that pushing the buttons correctly in all situations is difficult.

This guy did it right. If the house wants to fix the "bug" that allowed him to take out more money than they thought he should, that's their right.

Prosecution on this one... very grey area.

But I'll forward the how-to on to my video poker friends, just in case they find a machine with those firmware revisions, so that they'll be sure not to expose themselves to prosecution in this manner.

Welp

[Anonymous Coward]

I work as a slot mechanic at a casino that has about 700 of these Game King video poker consoles installed.

This particular option can be set by anyone who can open the machine, including our change ladies. There is no log and no way to tell except to go to each machine and check them individually.

I am going to have a very bad day when I get back to work tomorrow.

Re:After RTFA

[tgeek]

Except the machine did not malfunction. It did as it was programmed to do. The fact that it didn't do what the casino expected it to do does not make it a malfunction. The casino should be addressing this with the vendor if they want their money back.

Re:Fraud is fraud

[Anonymous Coward]

This happens all of the time with ATM's in the US. It never makes it to court.

When the bank loads an ATM cassette, they know exactly how much money is in it and what denomination of bills it contains. The serial number of the cassette is recorded by the person loading the ATM as well as by the ATM itself, by way of an RFID chip in the cassette. This links back to a database of ATM cassettes and their current load status and contents. The bank knows exactly, down to the serial numbers on the bills, what is in that cassette. Modern ATM's even automate the configuration from that database. The problem is that older ATM's don't.

When you go to an ATM and ask it for $40 (common "fast cash" amount these days), and the ATM has been configured for $20 bills, it dispenses two bills. If it's configured for $10 bills, it dispenses 4 bills. In older ATM's, the configuration is done manually. If a $20 cassette is loaded but the ATM is configured for a $10 cassette, it dispenses the wrong number of bills. That $40 you ask for is 4 bills, but the bills are $20 now, and you get $80.

When this happens, the bank will discover it as soon as they change the ATM cassette. Then they will find EVERY transaction that ATM performed on the previous cassette and contact the account-holders, notifying them that due to an incorrect ATM configuration, they were given more than they requested, and that the account has been rectified to reflect the correct ATM payout. For this transaction, any overdraft fees are waived (by law), and the transaction is applied to the day that the correct is made, not to the day the ATM paid out incorrectly (again, by law).

That's when most people drag their sorry butts back to the bank to make an emergency deposit of some no-longer ill-gotten gains to shore up their account balance.

Re:Fraud is fraud

[geekoid]

"Intentionally abusing a process in bad faith can be a crime,"
no.

"and should be a crime"
never. If this is the case the consumer becomes responsible for every possible mistake. That is a path I don't want to travel.

Do you want a bill for a product you got charged the wrong price for? Do you want to be responsible for any possible mistake a store/corporation might do?

Re:Fraud is fraud

[geekoid]

wrong. The people who claimed it wouldn't make mistakes deceived the owner.

It's not a deception from the consumer by any definition.

Deception, beguilement, deceit, bluff, mystification and subterfuge are acts to propagate beliefs that are not true, or not the whole truth (as in half-truths or omission). Deception can involve dissimulation, propaganda, and sleight of hand, as well as distraction, camouflage, or concealment.

They didn't propagated a belief, they didn't tell a half truth.
Did they omit anything from anyone? If someone asked them what they were doing and the didn't tell the truth to that person, then it' s a deception to that person.

No deception, no fraud. Too bad So sad.

Plus, its a horrible business move to go after these people. the PR is bad.
Far better saying yeah, the machine had a bug, it's fix. I guess those guy were lucky!
Now people will come in and spend hundreds looking for a machine with a bug.