Inspection and IT audit of draws in Kazakhstan
Digital methods of determining winners, which are under the control of lottery and lottery organizers, have significant drawbacks, which in a number of cases do not guarantee the true randomness of the choice. Random number generators used for lotteries in Kyrgyzstan, Kazakhstan, Tajikistan or Uzbekistan are usually developed independently by the lottery organizer or are borrowed. And even if the lottery provides the use of an external random number generator, which is connected to the Internet, then such results can be easily substituted in the network of the organizer. The most popular random.org, lisaonair.com, giveawation.com, randstuff.ru, fanpagekarma.com, giveaways.ru, online-generators.ru and many others can be referred to remote generators.
Ways to cheat a random number generator
There are several basic ways to cheat random number generators used by unscrupulous lottery or raffle organizers. Local and remote (external) random number generators are used for this purpose. Even conscientious organizers may entrust the technical side of summing up the lottery results to unscrupulous technical executors, who can easily implement one of the methods described below.
- Pseudo random number generator. The software or hardware-software solution developed by the organizer or at his request to determine the winner of the lottery has a special functionality, which allows the organizer to determine the necessary winner in advance. In this case, all other results of selection, if the choice is made, for example, according to the list of the top ten, can really be random, but the main prize will go to a fake person to reduce the cost of the lottery.
- Interception of the message. When organizing the final draw with the usage of any external random number generator, the dishonest organizers still have a technical possibility of interception and substitution of the results, returned as a random number or sequence. The capturing and swapping is done according to the MitM (Man in the Middle) model within the network controlled by the organizer, or just on the computer or notebook of the organizer. The presence of such a substitution mechanism is absolutely impossible to determine by external signs – for any outside observers, the results of the draw will look absolutely reliable.
- Clipboard spoofing. Rarely used, but nevertheless sometimes used, the method by which a long list of winners is substituted after it has been copied from the output of a real random number generator. In this case, it will also be the task of the unscrupulous technician to prevent the video recording of this process or to ensure the presence of his videographer, so that no one can subsequently discover the difference between the list of winners determined by the generator and the list published by the lottery organizer. In some cases, the technician responsible for transferring the list of winners from the online generator to a local table only imitates the copying process, because the list of dummy winners was already preloaded onto the clipboard before the drawing started. In the absence of video recording, only a very attentive outside observer can notice such a substitution.
- Pseudo-broadcast or recorded broadcasts. Less technically trained lottery organizers may record multiple takes, trying to ensure that the winner they want is determined by a real random number generator, subsequently passing off such a recording as a live broadcast. Such a recording may also be shown as a live broadcast to independent observers under the pretext that personal presence in the lottery room is prohibited due to security requirements to restrict the admission of unauthorized persons.
- Service spoofing. In other cases, unscrupulous lottery organizers can completely spoof an external random number generation service – that is, completely recreate their website, which will not differ in appearance from the real one. The peculiarities of the Internet are such that even the domain name of the real generator site can be easily obtained by the organizer within the network under his control or within the boundaries of the computer used for the drawing. As in the case of communication hijacking, external observers will not be able to recognize the service substitution and will trust any lottery results obtained this way. Below you can see a video demonstration of this cheating method, prepared by our experts.
How to check the honesty of the results of a lottery or raffle
The only way to obtain a high degree of confidence in the transparency and integrity of determining the winners of a lottery, promotional lottery or mass voting conducted using new information technology is to conduct an IT audit by an independent auditing firm, whose employees are in no way connected with the organizers or technical executors of the lottery, and are properly qualified to timely identify possible facts of fraud or interference in the selection of winners.
Baker Tilly’s qualified experts provide services for the inspection and IT audit of lotteries, incentive lotteries or mass voting conducted using new information and communication methods or digital random number generators. Inspection and support of draws or lotteries is performed on the basis of a contract and includes the IT audit of technical means, software and network infrastructure used for the lottery, as well as the formulation and monitoring of the implementation of recommendations aimed at eliminating possible risks associated with the impact on the process of determining the winners of the lottery.