Attacking the lottery

This is purely a theoretical attack on a lottery system. No magic combinations or generators, no syndicates or reading the stars, just a plain attack on the system.

First of all, there are some perquisites. One will need an insider or more in order to carry out the attack, but this should not be a problem based on the fact that a lot of attacks come from the inside. The second matter would be to get access to the central machine taking care of the database. Again, if not well protected, an insider should be able to provide enough data to gain access.

Let’s choose a lottery, 6/49 for instance. You choose 6 numbers, mark them on a ticket and pass it to the lottery guy. The lottery guy place the ticket in a machine that reads the marked numbers, prints them on the side of the ticket and cuts off a part of the ticket. This is the magic part, as the machine keeps a part of the ticket for validation in case you win.


Lottery ticket format
Lottery ticket format

The system is closing hours before the drawing so the machines does not accept any new ticket after a specific hour. The insider would place a bogus ticket with random numbers, it really doesn’t matter what this would be, preferably the last ticket on the machine. This ticket has a unique serial number that will be printed on it and on the part that will remain in the machine and also registered in the central database, so it’s imperative that this ticket is issued via the standard procedure before the deadline.

After the drawing, some official from the lottery must enter the results into the system to check the winners. Using the previously gained access to the database, the attacker will modify the record corresponding to the bogus ticket (based on the unique serial number) with the correct numbers, preferably in real time so when the checking is made, the correct values are already in the database. Lotteries are usually broadcasting live the drawings so this step would be feasible. Otherwise another insider must be in the room when the drawing takes place.

The last step would be for the insider to replace the cut part of the bogus ticket with one that is printed with the same unique serial but with the winning numbers instead of the bogus ones. The other part of the ticket must be printed as well with the correct numbers. This would require some hardware work, but I saw people doing crazy things for pennies.


I don’t say it’s feasible. It’s more of a “James Bond”-like fantasy. There are a lot of ifs, and here are some good measures that the lottery can implement to prevent this from happening:

  • copy the final database before the drawing to a safe off-line location and check the results in this copy (then again it’s important who can access and how can this database be accessed)
  • implement hardware protection on the machines who are printing the tickets
  • implement strong security policy and do regular checks on the staff, maybe rotating them from one station to another