Guilty verdict in Hot Lotto scam, but game safe, official says

Soon after an Iowa jury returned a guilty verdict Monday in what may be the nation's first prosecution for rigging a computerized lottery drawing, the CEO of the Iowa Lottery expressed confidence that its games are secure and fair.

Jurors convicted Eddie Tipton, a 52-year-old former information security director for the Multi-State Lottery Association, on two counts of fraud on Monday morning after a weeklong trial.

He was accused of installing a self-deleting computer program, known as a rootkit, on a Hot Lotto drawing computer so he could orchestrate a winning ticket worth $14.3 million in a Dec. 29, 2010, draw.

Even as Tipton's defense lawyer was maintaining his client's innocence and predicting that he would win on appeal, Iowa Lottery CEO Terry Rich was crafting a statement saying the conviction proved security procedures in place ensured that a wrongdoer was caught.

"Our lottery has strong layers of security to protect lottery players, lottery games and lottery prizes," Rich said. "... This case has provided our lottery with an opportunity to better pinpoint potential security risks and update our procedures to protect against them."

But the case also exposed security weaknesses that existed in 2010 at the Urbandale-based lottery association and that may have helped Tipton cover his crime, experts said.

Lotteries should assume that if Tipton figured out how to rig a game, someone else will be able to as well, said Joey George, an Iowa State University professor of information systems.

"The next guy not only can figure out how to do it, but having seen what happened here, can figure out how to cover his tracks and not make the same mistakes this Tipton guy made," he said.

Rigging the draw

Tipton stared ahead with his hands folded as the verdict was read Monday morning. He showed no emotion.

Tipton left the courthouse without speaking to reporters and will remain free on bond ahead of his sentencing hearing Sept. 9. He faces up to 10 years in prison, although he could receive probation.

The conviction capped an investigation that ramped up in late 2011 after lawyers from Canada and New York made separate attempts to claim the prize money from the 2010 drawing. Neither was the original ticket purchaser, and the money was never paid out.

Assistant Attorney General Rob Sand told jurors that Tipton installed a program to rig the game on the lottery computers more than a month before the draw, changing the time on their clocks.

A surveillance camera monitoring the computers appeared to record only one second every minute — evidence of potential tampering, he said. After purchasing the winning ticket, Tipton helped filter it through a Texas friend and a network of lawyers in an attempt to claim the cash, Sand argued.

Tipton was identified as a suspect after video of the ticket purchase at a Des Moines QuikTrip was released to the public in October.

The hooded man

Through phone records, investigators tied Tipton to Robert Rhodes, a Texas man also facing two fraud charges in the case. Rhodes had already been given up as a conspirator by one of the lawyers allegedly hired to redeem the ticket, and Tipton and Rhodes had long been best friends, evidence at trial showed.

Several friends and former co-workers from the lottery association, which provides games such as Hot Lotto and Powerball to lotteries nationwide, testified at trial that Tipton's voice and mannerisms matched those of the hooded purchaser.

Jason Maher, the lottery association's IT director, testified that Tipton once told him he had access to a rootkit.

The prosecutor faced an uphill battle in getting a conviction, partly because of a lack of direct evidence that Tipton tampered with computers. The hard drives of the drawing computers in use in 2010 had long since been wiped, per the lottery association's security standards, along with any evidence that a rootkit ever infected them.

"This shows that modern juries today, people off the street, understand that the inner workings of technology are mostly proven through the circumstances around them, rather than what we see directly," Sand said. "I think that's a good indication that these kinds of crimes in the future are prosecutable."

A lack of evidence

But defense lawyer Dean Stowers said there was no direct evidence proving Tipton tampered with the computers and no phone or electronic records indicating that he was ever in contact with anybody who tried to redeem the ticket. Tipton's siblings testified they didn't think it was their brother on the video of the ticket purchase.

"I'm not particularly surprised by the verdict," Stowers said, "because in a case where a jury is allowed to speculate on what occurred without actual evidence of what occurred, a jury can engage in all sorts of leaps of logic."

Underlying the defense's case was an argument that procedural holes within the lottery association in 2010 undermined the integrity of evidence against Tipton.

Surveillance video that monitored the drawing room at the time was downloaded each quarter on DVDs that were kept in the basement of Ed Stefan, the lottery association's former chief security officer. The association had no written procedures or policies on how surveillance video should be kept, defense lawyers wrote in one pretrial motion.

While no organization has a perfect information security system, that practice has significant implications for the chain-of-custody of such evidence, said John Reed Stark, a Maryland cybersecurity consultant and former prosecutor.

"I don't blame the defense for arguing that, because that sounds like a very poor chain of custody," he said.

Will there be fallout?

Chuck Strutt, executive director of the lottery association, was at a conference Monday and did not return an email from a reporter.

It's not uncommon for companies such as Target that suffer from highly publicized data breaches to see a negative response from the public, said George, the ISU professor.

But because of the already low odds of winning a lottery jackpot, it seems likely that players will be largely unfazed by the possibility the game can be hijacked, he said.

"Most of the people who buy lottery tickets probably don't think a lot about security and safety and numbers," he said. "Because if they did, they wouldn't be buying lottery tickets in the first place."