Daily Racing Form
Tuesday, November 5
Concern rising over Autotote security in pick six probe
By Matt Hegarty
Daily Racing Form
NEW YORK - Racing officials are becoming increasingly concerned that Autotote, the wagering systems company that fired an employee last week in connection with the Breeders' Cup pick six investigation, does not have adequate security controls to prevent someone from altering a pick six ticket.
The concerns are emerging as racing officials become more familiar with the investigation into the wager, which used one horse in each of the first four races and all the horses in the final two races of the Breeders' Cup pick six Oct. 26 at Arlington Park outside Chicago. Some officials have said they believe that Autotote has poor monitoring systems to track the movements of people who have access to the system, complicating the ability of investigators to gather evidence.
Last Thursday, Autotote fired Chris Harn, a 29-year-old software engineer based in Newark, Del., after the company conducted an internal review of the winning bet. Lorne Weil, chairman of Scientific Games, Autotote's parent company, did not name Harn at the time but said that the employee "had the password and capability to do what he did." Derrick Davis, a 29-year-old from Baltimore, placed the winning bet through a telephone account at Catskill Off-Track Betting Corporation in New York.
Investigators suspect that an insider altered Davis's bet sometime after four races in the pick six were run. Harn and Davis, who were fraternity brothers at Drexel University, have not been charged with a crime, and their lawyers have said they will be cleared of any wrongdoing.
Autotote officials declined to answer questions Tuesday about the company's security procedures, citing the ongoing investigation.
However, racing officials said this week that they were unclear whether Autotote's system was equipped to generate incident reports, which would show when a technician with privileged access to the computer system - called a "power user" or "super user" - had altered bets or other files. Incident reports are considered standard for computer systems that handle financial transactions, according to computer security experts.
"If the bets are in a database somewhere and they can be manipulated by a super user, then the key is putting checks and balances on your super users," said Alan Marzelli, the chief financial officer of the Jockey Club, who stressed that he was not speaking about the Autotote system specifically. "A good security system will create an incident report in real time whenever a super user changes anything." The Jockey Club maintains many of the industry's statistical databases.
Investigators suspect that an insider gained access to Davis's wager after the fourth race in the pick six and changed the selections to the winning numbers. A skilled technician would be able to alter the bets, investigators said, because the information about which horses are used in a specific pick six wager is not immediately transmitted to the national hub. The delay is to minimize traffic on the tote network, which links hundreds of wagering sites.
Before the wager is sent, the information about which horses are used in the bet is stored on individual computers at the sites where the bet is placed. In this case, the bet was stored on Catskill's computers, which were linked to Autotote's headquarters in Delaware, where Harn worked. Investigators believed an Autotote insider could have altered the bet before it was sent to Arlington Park, the hub for Breeders' Cup wagers.
Tote and racing officials clarified on Tuesday the time frame in which pick six bets are sent to the national hub. The bets are sent after the fifth race has been run - not after the fourth race, as many racing officials have said since shortly after the investigation was launched Sunday by the New York State Racing and Wagering Board. Tote officials said the bets are sent immediately after the fifth race in the sequence is declared official, making it nearly impossible for someone to have enough time to alter the fifth-race winner.
Davis's winning ticket, which cost $1,152, was purchased in a $12 denomination and accounted for all six winning $2 pick six wagers. The $3.1 million payoff has been withheld pending the investigation.
Currently, three tote companies serve the country's parimutuel wagering outlets: Autotote, which has 65 percent of the market; AmTote, which handles Arlington Park's bets; and United Tote.
Churchill Downs Inc., the New York Racing Association, and Magna Entertainment - the country's three largest racing companies - were expected to meet with top officials from all three tote companies on Wednesday to discuss security issues and other topics underlying the investigation.
Some racing officials have said that profit margins at tote companies have been squeezed over the past decade as the companies undercut each other to keep existing contracts and gain new ones. The companies derive most of their revenue from a small share of the wagering handle, normally around 0.25 percent.
Bryan Krantz, the president of Fair Grounds, said last week that as investment dollars have shifted over the past 10 years to develop new ways to bet over the Internet, telephone, and through other remote devices, the money to develop new security measures dried up.
"Everybody had felt pretty confident with the level of security that we had out there," Krantz said. "But now, there are some reasons to question where we are, in light of the growth of account betting."
One high-ranking racing official characterized the tote companies' technology as "from the 70's."
Jonathan Glosser, the president of Systems Experts Inc., a Sudbury, Mass., company that specializes in computer security, said it was common for systems that are more than a decade old to lack protections from insider manipulation. Glosser said those systems were designed before the "hacker era," a time when requiring a password for entry was thought to be adequate protection against theft or manipulation.
"Most of the old applications don't tend to have good controls," Glosser said. "They looked at it with the idea that anyone who was here was supposed to be here. So if you have a password, you probably should have a password, and you should be able to do what you want."
Alex Corckran, the vice president and general manager of AmTote, declined Tuesday to answer specific questions about whether AmTote's system generates an incident report when a technician alters a file.
"Security is a very difficult subject to discuss, because too much detail compromises the system," Corckran said. "But I can tell you that we have controls in place that would prevent tampering with the system."