Episode 773: Slot Flaw Scofflaws

May 24, 2017
Originally published on May 25, 2017 10:14 am

A few years ago, a rumor started going around the casino world. There was a crew of Russians hitting up casinos across the U.S. They'd roll up, find their favorite slot machine, play for a couple hours, and walk out with thousands of dollars. They didn't lose.

All of it was caught on camera, but there was no evidence that these men ever physically tampered with the slot machines. There was, however, something unusual about the way the men played: They always kept one hand buried in their pockets or in the bags they carried with them.

In July of 2014, Ron Flores, who oversees surveillance at the Pechanga Casino in California, witnessed one of these men in action. He called the California Department of Justice to pick him up. But Ron was not the only one who wanted to get to the bottom of it. So many casinos had gotten hit that the FBI had opened its own investigation into the case. The trail takes investigators deep inside the slot machine itself, and into some of the core vulnerabilities in machines all around us.

Today on the show, how the Russians figured out how to never lose at slot machines. And how the FBI cracked the case. It's a crime caper wrapped in some hard core computer science wrapped in hundred dollar bills.

Here's the Wired article by Brendan Koerner that inspired this story.

Music: "Stinkin'," "Talk Is Cheap," and "Hangin'."Find us: Twitter/ Facebook.

Subscribe to our show on Apple Podcasts or PocketCast.

Copyright 2017 NPR. To see more, visit http://www.npr.org/.

KEITH ROMER, HOST:

Ron Flores overseas surveillance at the Pechanga Casino in Southern California. And if that, like, calls a picture to your mind of what this guy looks like - slicked-back hair, suit, earpiece - Ron is not that guy. He's got a long, black ponytail. He wears jeans to work. One forearm he's got a tattoo of a medicine wheel, the other forearm there's a tattoo of a shield with eagle feathers on it.

NICK FOUNTAIN, HOST:

Ron's job is to make sure that people are not ripping off his casino. And to do that, he spends a lot of his time in the casino's situation room.

RON FLORES: There's a monitor wall. There's monitors in front of the workers. And it's a really dark room.

ROMER: Like, how many screens are we talking about?

FLORES: Anywhere between 30 to 40.

ROMER: So people are just flipping through these screens, looking for bad dudes doing bad things.

FLORES: Correct.

FOUNTAIN: We wanted to talk to Ron about the specific crew of bad dudes that he dealt with back in 2014. That summer, he started hearing this rumor about this crew of Russian guys who would roll up, find their favorite slot machine, play it for a few hours and then walk out with thousands of dollars. Rumor had it they never lost.

ROMER: One day in July, Ron gets a call. It's a friend of his who also works in the casino security industry.

FLORES: He said, hey, bro, you got the Russian guys landing in LAX. One of them has a reservation at a hotel right up the street from you, so it looks like they're going to be at your place pretty soon.

ROMER: So when you get a call like that, like, what is your reaction?

FLORES: Let's get to work.

FOUNTAIN: First order of business? Keep an eye out. Ron's buddy sent some photographs of the Russian guys so they know who they're looking for. And sure enough, Ron gets a call from one of his agents.

FLORES: He said, we got him. He's here.

ROMER: By the time Ron gets to the situation room they've got four cameras watching this guy's every move. And at first, Ron says, he didn't notice anything unusual.

FLORES: He was wearing a jacket and he had a satchel. I think it was jeans. You know, just typical guy.

FOUNTAIN: Puts money in the machine, presses some buttons to decide how much to bet, and then presses another button to spin the reels.

ROMER: If the reels line up in a winning combination...

FOUNTAIN: Cherry, cherry, cherry, cherry, cherry.

ROMER: ...Or aces or whatever the guy wins. If they line up in some random order he loses. It's not something that you should be able to be good at.

FOUNTAIN: But Ron is watching this guy, and he's winning over and over and over. And Ron starts to notice two weird things about how the guy is playing. First, the way he's betting.

FLORES: He would play small money, and then he would put in large amount of money, and then he would play max bet.

ROMER: So he's, like, putting in, like, a penny, a penny, a penny and then all of a sudden he's betting $5?

FLORES: Correct. And then the machine would hit, he would pull the money out. And then he would start a penny, a penny, a penny, a penny, put in $100, play max, and then he would cash out. And so he was doing this over and over and over again. And that's typically not what patrons do.

ROMER: You sure he wasn't just really lucky?

FLORES: Positive.

FOUNTAIN: The second weird thing that Ron notices? The Russian guy keeps one of his hands buried in his bag.

FLORES: Yeah, every time he would put money in and he was spinning - hitting the bet button and spinning the reels his hand would be in his satchel. And then as soon as that was done both hands would come out and maybe get some more money and then start that process all over again.

ROMER: Ron is almost certain that this guy is cheating. But Ron is not a cop, so it's not like he can go down on the casino floor and just arrest the guy. Instead, he calls up the California Department of Justice and says, hey, I think I've got one of these Russian guys here. You want to come down and pick him up?

FOUNTAIN: It takes three whole hours for the California DOJ guy to show up.

ROMER: It's Southern California - traffic.

FOUNTAIN: There is a lot of traffic. But he finally gets there just as the Russian guy is about to leave with his thousands of dollars.

FLORES: DOJ walks up behind him, says, hey, man, how you doing? Come here. And the first thing is the DOJ reached into his pocket because he didn't want any type of device to be wiped.

FOUNTAIN: Ron, what were you thinking at that moment?

FLORES: (Laughter) I think expletive yeah. You know, we got him.

ROMER: Do you literally - in your mind, are you just saying expletive yeah when exciting things happen?

FLORES: I do. I don't curse. Or I just say expletive yeah.

FOUNTAIN: But the trouble is Ron Flores and the DOJ agent, they basically have no idea how the Russian guy is winning so much money or if he's even actually cheating.

ROMER: Winning money at a slot machine and being Russian turns out not to be quite enough evidence to charge the guy with a crime. The DOJ agent holds the guy for as long as he can, but then he has to let him go. The guy gets on the next plane to Russia.

FLORES: Leaves the country. This guy's gone.

FOUNTAIN: Expletive no.

(SOUNDBITE OF JAMES DRISCOLL, JOHN HUNTER JR. AND JONATHAN SLOTT'S "STINKIN'")

ROMER: Hello and welcome to PLANET MONEY. I'm Keith Romer.

FOUNTAIN: And I'm Nick Fountain. A slot machine is supposed to work on chance, luck. But the way a slot machine decides who wins and who loses is not completely random.

ROMER: Those Russians with their hands buried in their bags, they had figured out a way to take advantage of the difference between real, honest-to-goodness luck and what is actually happening inside those slot machines.

FOUNTAIN: Today on the show a crime caper wrapped in hardcore computer science wrapped in...

ROMER: Layers and layers of hundred dollar bills.

(SOUNDBITE OF JAMES DRISCOLL, JOHN HUNTER JR. AND JOHNATHAN SLOTT'S "STINKIN')

ROMER: Nick, I first heard about this story when you sent me an article from Wired magazine by a journalist named Brendan Koerner.

FOUNTAIN: It's a great article.

ROMER: And what was so interesting about this story was not just that somebody wanted to rip off a casino because of course somebody wanted to rip off a casino. What was so interesting was how genuinely clever these guys' way of ripping off a casino was.

FOUNTAIN: Yeah, when we talked to Ron Flores he said he had never seen anything like it. And he has seen a lot of cheats.

ROMER: In the old days, the cheats were a lot less sophisticated than what these Russian guys were doing.

FLORES: Well, it went from fast-feeding, stringing, monkey paw, then the light wand.

FOUNTAIN: With fast-feeding, you just put your quarters in the slot machine really fast and the machine gives you credit for more than you put in.

ROMER: Stringing - slightly more advanced version of the same idea.

FLORES: Stringing is where they would put the coin on the string and they would bounce it up and down inside the slot.

ROMER: You could also mess with the way the machines paid out.

FOUNTAIN: Monkey paw.

ROMER: The monkey paw. The monkey paw is this flexible little rod. You've got a claw on the end of it. And you slide the monkey paw up the payout chute, the claw lifts up a little lever that's supposed to keep track of how many quarters the machine has spit out, jackpot.

FOUNTAIN: So slot machine designers swap out that physical lever for an optical one, which brings the light wand.

ROMER: The light wand.

FOUNTAIN: Which is basically just a tiny little flashlight on a wand that they can shove up the coin chute to trick that new optical thingy.

ROMER: OK, so eventually we get to the modern era of slot machines. You get rid of all the coin slot nonsense and you replace the inside of the machine with a computer.

FOUNTAIN: Today, if you crack open a slot machine, it's basically like taking the top off your desktop computer.

ROMER: Which introduces this new way for cheaters to cheat.

FLORES: Popsicle Pete, where you would drill a hole into the machine.

FOUNTAIN: This one is maybe apocryphal, but Ron Flores says once you've drilled that hole in the machine, you take a can of freon. You turn it upside down, shoot it in the hole and basically just freeze the computer's brains until it starts malfunctioning and spitting out jackpots.

ROMER: So in his mind, Ron has this giant catalog of how to cheat a slot machine. But all those cheats involve physically tampering with the machine somehow.

FOUNTAIN: The Russian guy who got arrested at Pechanga - he didn't do that.

ROMER: To the extent that Ron has a theory about what's going on, it was something to do with the way the guy's hand was always hidden in his satchel, something to do with his phone. And he was not alone in thinking this.

FOUNTAIN: Yeah. So many casinos across the country had been hit that the FBI was now involved.

ROMER: The FBI does not like Russian hackers.

FOUNTAIN: No (laughter). No, they do not. And when they had heard that one of these Russians had been caught, they immediately put a call out to California DOJ and said, hey, do you mind sending us those phones so we can take a look?

ROMER: Richard Finneran is a federal prosecutor in Missouri. He says, that Russian guy in California - he was not working alone. This was a big operation.

RICHARD FINNERAN: I think our list of potential associates was probably, at one point, as large as about 25 or 30 people.

ROMER: Now, it's against the law in most states to use an electronic device to mess with the outcomes of a slot machine. But if Finneran can't figure out how the Russians are using their phones, it's not like he's going to be able to win in court.

FOUNTAIN: Dearest jury, these guys are winning a lot at slot machines. Also, they're touching their cellphones while they're doing it.

ROMER: Right. It's not the strongest case.

FOUNTAIN: Finneran had some guesses about what was actually going on. If a slot machine is just a computer, then maybe these guys were using their phones to somehow hack the programs on one of those computers.

ROMER: Which would explain why the Russians were always hitting the same slot machines.

FINNERAN: It was all the same make and model of slot machine game that were producing these results.

FOUNTAIN: What was that make and model?

FINNERAN: That was the Aristocrat Mark VI machine.

ROMER: Finneran has an FBI agent call up Aristocrat, the company that made the Mark VI. But Aristocrat says that Finneran's hacking theory - it's not possible.

FINNERAN: We learned that the software of this machine was basically too old to be hacked.

FOUNTAIN: There's no Wi-Fi or Bluetooth or anything like that on the Mark VI. So there isn't even a way for the Russian's phone to communicate with the slot machine's computer.

ROMER: So if no one was physically tampering with the machine and no one was hacking it, there was basically only one other possibility. Someone had figured out how to predict what the machine was going to do before it did it. Someone had reverse engineered the Mark VI.

FOUNTAIN: We weren't even sure if this was actually possible, so we called up an expert. His name is Leo Reyzin, and he teaches computer science at Boston University.

ROMER: Could you reverse engineer a slot machine?

LEO REYZIN: Me personally, no, but I could probably tell you...

ROMER: You know a guy?

REYZIN: ...Who to ask. I know a guy. No, I know many students who are really good at it. I know many people in the industry who are really good at it. And if you put a team together and you pay them enough money, they would certainly be able to do it.

FOUNTAIN: Leo says to understand why the Mark VI was ripe for reverse engineering, think about what computers are good at.

REYZIN: So at a core of a computer is a processor that takes one instruction at a time and executes it.

ROMER: Add one and zero, set the value of X to 17.

FOUNTAIN: The more of these instructions you string together, the more complicated a task you can perform. Move the cursor over a few spaces, show some cherries on the screen, land a probe on Mars.

REYZIN: We'll want a predictable outcome for a predictable sequence of instructions. Computers work...

FOUNTAIN: Like, we want it to do the same thing the same way every time.

REYZIN: We want it to do the same thing the same way every time so that when we simulate the probe landing on Mars and then we send the probe landing to Mars, it will do the same thing.

FOUNTAIN: But the computer in a slot machine has a very different job. It's supposed to be the opposite of predictable. I mean, think about it. If you could predict what a slot machine was going to do ahead of time, you would just bet right before you knew it was going to go cherry, cherry, cherry, cherry, cherry, and you would win a lot of money.

ROMER: Right. A slot machine is supposed to be random, but Leo says that task - being unpredictable, creating randomness - that is really hard for computers. It goes against their nature. In fact, it is impossible for a computer to generate true randomness all on its own.

FOUNTAIN: Instead, a computer creates what Leo calls pseudorandomness, and here's how it works. It has some starting number.

ROMER: Twenty-nine.

FOUNTAIN: No.

ROMER: Two thousand, four hundred and sixty-one.

FOUNTAIN: Longer than both of those numbers. And that number is called a seed. And the computer then runs the seed through a bunch of really complicated math problems until it spits out a new number. Rinse, repeat.

ROMER: The better your pseudorandom number generator is, the harder it is to predict what number it will spit out next. With the very best ones, even if you took all the computers in the world, it would take you a very long time to figure out the pattern.

REYZIN: Today, they take longer to crack than a few lifetimes of the universe.

FOUNTAIN: Yeah, like billions and billions of years.

ROMER: But not all pseudorandom number generators are that good.

REYZIN: If the random number generator is bad, then it could take you 10 observations, and then you figure out the entire sequence after that.

ROMER: Having a good pseudorandom number generator instead of a bad one turns out to matter for a lot more than just slot machines. So every time you send an email or you use your credit card on the Internet, it is encrypted using something called an encryption key, which is just - it's like a long string of numbers and letters and symbols. It's jibberish. And that key tells whoever's receiving the message - the computer on the other end - how to translate what it's getting. To keep that key a secret from the bad guys, you have to make it impossible to predict.

FOUNTAIN: And if something is impossible to predict, Leo says, that thing is random.

ROMER: Pseudorandom.

FOUNTAIN: Pseudorandom. The point is that without really sophisticated pseudorandom number generators, we would be super vulnerable to bad guys.

ROMER: Luckily, Leo says, computer scientists figured all this out decades ago.

REYZIN: People who are in the cryptography community have known about this work since the '80s and have understood how to build unbreakable pseudorandom number generators, but scientific research takes a long time to get disseminated into actual practice.

FOUNTAIN: Some companies took a while to catch up.

ROMER: Some slot machine companies.

(SOUNDBITE OF BRUCE MAGINNIS' "TALK IS CHEAP")

ROMER: After the break, we learned the Russians' secret. It turns out beating slot machines - there's an app for that.

(SOUNDBITE OF BRUCE MAGINNIS' "TALK IS CHEAP")

FOUNTAIN: Remember back at the beginning of the show there was that Russian guy who got arrested in Ron Flores's casino in California, and then they released him, and then he got on the next plane to Russia?

ROMER: Right. It turns out though the Russian guy was not all that important to the case. What was important were his phones. The Russian guy flees the country, but his phones get sent to an FBI lab for, like, the phone version of an interrogation.

FINNERAN: They were all iPhones, iPhone 5s.

ROMER: That's Richard Finneran again, the prosecutor from before who ran the investigation into the slot cheating. Finneran says when they analyze the phones, they find all the usual iPhone stuff, but then there is one app that they have never seen before.

FINNERAN: Severin.

ROMER: It sounds like a movie villain.

FOUNTAIN: Severin is not in the App Store, by the way. And when investigators start looking in its code, they find lots of clues that Severin probably has something to do with predicting a slot machine.

FINNERAN: There were log files that contained references to things that were taking place on these slot machine games, so phrases like strong seed, RNG threads done. So what the suspects would do is they would learn a series of swiping and tapping patterns that corresponded to the symbols they would see on the machine.

ROMER: Finneran actually emailed us a copy of the key. Different swipes on the iPhone screen correspond to different symbols on the slot machine. It's like Morse code or something. Nick, are you ready for your quiz?

FOUNTAIN: Yes.

ROMER: OK. Dot and then swipe right.

FOUNTAIN: Diamond.

ROMER: King. Swipe left twice.

FINNERAN: Cherry.

ROMER: Lion. Line swipe right, then swipe down.

FOUNTAIN: I don't know if I know any other symbols.

ROMER: It's a crystal. OK. Each time one of these Russian guys pushes the button to spin the reels on the slot machine, he enters on his phone whatever shows up on the screen. So if the screen shows lion, crystal, king, lion, crystal, he swipes in that code on his phone.

FOUNTAIN: And then all that information gets sent to a bunch of different servers in a bunch of different countries.

FINNERAN: And we traced the connections all the way from Washington state to London and ultimately to a server in St. Petersburg - Russia, not St. Petersburg, Fla.

ROMER: Finneran thinks the folks back in St. Petersburg had their own copy of an Aristocrat Mark IV, that they had opened it up, figured out what kind of pseudo random number generator it was running, and then just watched it spit out numbers.

FOUNTAIN: Yeah. That's how you would reverse engineer a pseudo random number generator slot machine. You just watch it for a while, record the stream of numbers it produces until you figure out the pattern.

ROMER: Or your computer figures out the pattern.

FOUNTAIN: Yeah, your computer. You're not smart enough.

ROMER: And then? Then you make an app.

FOUNTAIN: Severin.

ROMER: It's a scary name when you say it that way.

FOUNTAIN: So the app feeds all the data from all the spins on the American slot machines. It feeds that back to a server in Russia.

ROMER: The computer in Russia analyzes that data. And at some point, it starts to be able to predict when the slot machine is about to pay out.

FOUNTAIN: So it sends a signal back to the cheater's phone back in the U.S. - says bet now.

ROMER: Eventually, the FBI tracks two of the men on their list of suspects to a casino in Illinois. They let the men play slots just long enough to incriminate themselves, and then they pounce.

FOUNTAIN: Police searched their hotel rooms, arrest two more guys, find a whole mess of phones loaded up with the Severin app and almost $70,000 in cash.

ROMER: One of the men is released for lack of evidence. The other three, though, are charged with conspiracy and interstate and foreign travel in furtherance of unlawful activity.

FINNERAN: And then ultimately they all pled guilty and were sentenced to two years apiece in prison.

ROMER: Finneran thinks they sent a message. As far as he knows, there have not been any cases of slot cheating like this in the U.S. since the arrests in 2014.

FOUNTAIN: But last year in Singapore, police arrested a Czech man, Filipino woman and four Russians for using their phones to cheat at slot machines.

ROMER: To Leo Reyzin, the computer science professor we talked to earlier, this is not a story about people breaking the law. This is a story about how companies don't always take responsibility for the security of the technologies they sell.

FOUNTAIN: Yeah, the whole hacking angle? He doesn't buy it.

REYZIN: I would not call these machines hacked. I would call them watched. Hacked suggests that somebody changed the machine, did something to make its behavior not the way it's supposed to be. But it's behaving exactly as it's supposed to be. You push the button; it gives you a payout. You just need to know when to push the button to get a bigger payout.

FOUNTAIN: The Aristocrat Mark VI comes in all these different flavors. You've got "Star Drifter." There's one called "Pelican Pete."

ROMER: And you might think that when something like this happens, all the "Pelican Petes" get taken off of all the casino floors everywhere.

FOUNTAIN: We asked Ron Flores, the casino surveillance guy from the top of the show, can we still play a Mark VI at your casino?

FLORES: Maybe.

(LAUGHTER)

ROMER: If I want to play "Pelican Pete," can I play it at Pechanga Casino?

FLORES: That is a direct question, and I like it. However, I'm probably not going to answer that.

(LAUGHTER)

ROMER: Well-played, Ron Flores, well-played.

FOUNTAIN: We should say we reached out to Aristocrat, the company that manufactures the Mark VI.

ROMER: They declined a recorded interview but noted in a statement that while reports of cheats are rare, this issue is a challenge for all manufacturers, regulators and operators.

FOUNTAIN: They also noted that around the world, there are currently more than 100,000 Mark VIs is still in operation.

(SOUNDBITE OF JAMES DRISCOLL, JOHN HUNTER JR. AND JONATHAN SLOTT'S "HANGIN'")

FOUNTAIN: If you know how to hack a machine that has lots of money inside of it...

ROMER: Just write to me directly.

FOUNTAIN: ...(Laughter) Or you have any other story ideas, please send us an email - planetmoney@npr.org. Or we're on all the social medias (ph). I'm at @nickfountain on Twitter.

ROMER: I'm @realkeithromer. We want to thank today Bob Moncrief, Shein Lashkari, and Kerry Langan at the New Jersey Division of Gaming Enforcement.

FOUNTAIN: Also Willy Allison, Dave Ackley and Darrin Hoke.

ROMER: If you want to read the article that inspired our whole story, check out Brendan Koerner's excellent article in Wired magazine.

FOUNTAIN: Today's show was produced by Sally Helm. Thank you, Sally.

ROMER: On PLANET MONEY, Alex Goldmark is pure randomness, and Bryant Urstadt is our pseudorandom number generator.

FOUNTAIN: And if you're looking for something else to listen to, check out Wow In The World. It's a new podcast from one of our favorite podcasters Guy Raz. He's a prolific podcaster. Now he has one for children.

ROMER: For kids.

FOUNTAIN: Check it out at npr.org/podcasts or on the NPR One app. I'm Nick Fountain.

ROMER: And I'm Keith Romer. Thanks for listening.

(SOUNDBITE OF JAMES DRISCOLL, JOHN HUNTER JR. AND JONATHAN SLOTT'S "HANGIN'") Transcript provided by NPR, Copyright NPR.