This guy found a vulnerability in lottery systems and won thousands of dollars without paying a single ticket

A hacker can attack in the most unexpected places. According to an IT security services firm, a man has been accused of having exploited an unknown vulnerability in various lottery ticket vending machines in the state of Arizona, US. As a result, the individual would have obtained thousands of dollars.

The defendant, Everado Logrono-Nava (also identified as Everado Najera-Nava), 40, discovered the flaw himself. After inserting a payment card into one of these vending machines, the individual canceled the payment; however, the flaw allowed that the machine did not recognize the cancellation and issued the lottery ticket without actually paying for it.

The defendant performed the same operation over two weeks on multiple different machines, obtaining free tickets for up to $54k USD. IT security services experts were unable to confirm whether any of the hundreds of tickets the individual stole were winners, although this is highly likely.

Although this seemed like the perfect fraud, Logrono-Nava never realized that all the cancelled transactions he made were registered in the systems of the selling machines he used. Upon detecting unusual activity, the company found a total of 289 cancelled purchases; as the defendant used the same card each time, it was easy for authorities to track him down using his bank information.

The lottery vending machine operators corrected the vulnerability with the help of an IT security services firm. The defendant continued to try to exploit the flaw a few more times after the company updated its systems. Eventually, Logrono-Nava was arrested and charged for crimes such as electronic fraud and misuse of computer resources.

The International Institute of Cyber Security (IICS) has reported multiple similar incidents occurring in various parts of the world, suggesting the limited safety measures that manufacturers include in these machines and on winner tickets. A couple of years ago, a UK individual was accused of cloning a winning lottery ticket multiple times; although he was initially successful, he was eventually detected and arrested.