A Secure Online Second Chance Drawing System. Presented by: Patrick Maroney, Director of Security & Investigations, Colorado Lottery Ken Sabey, Director of Sales, HostWorks, Inc. Dan Baughman, Developer, HostWorks, Inc. 2009 Fall NASPL Security Subcommittee Meeting Colorado Springs, Colorado.
Reason for Security
• Integrity of any drawing
• No longer just a promotional tool
• Now in the prize structure…
• Is additional security needed?
Overview
• Data Center Security
• Server Security
• Receiving HASH Data
• Testing
• Entry Process
• Drawing Process
Secure Environment
Data center security
• Manned 24/7
• SAS70 Controlled Security Procedures
• Locked cabinets
• Security cameras
• Colorado Department of Revenue personnel background checks
• Yearly security audits
Secure Environment (cont.)
Server security
• Follow the manufacturer's security standards for the operating system and development platform
• Dedicated firewall
• Server and database access via VPN tunnels only
• Access controlled at user level
• Secure Sockets Layer (SSL) used to encrypt data
• Robust suite of anti-virus tools
• Proactive monitoring of the servers
Drawing Setup
Receiving the HASH data
• Data is transmitted via encrypted SFTP (must have key to connect)
• Access limited to authorized personnel
• Encrypted files uploaded to web server, then decrypted with the key
• HASH data uploaded into database for specific game over encrypted connection
• HASH = plug a string into it, and it outputs a 32-character string back
Drawing Setup (cont.)
Testing
• Developer does initial test with non-active VIRN numbers to verify it works
• Lottery personnel conduct second level of testing prior to sign-off on the game
• Test entries are tracked and stored separately from actual entries
Entry Process
Entering the Ticket Number
• Player enters 2CD section of Lottery's web site
• Enters VIRN number from non-winning scratch ticket
• System runs the number through the one-way HASH algorithm to determine validity
• If non-valid, user is presented with immediate feedback on reason
• If valid, entry is stored in entry table
• Numerous failed attempts result in entry form access being temporarily disabled for player
Entry Process (cont.)
Entry Submission
• Upon successful submission, player is provided option to enter another ticket number
• MyLottery player has option to review their 2CD history when logged in or to opt-in to a weekly email summary
• All drawing entrants will receive an email notification revealing the winner of the drawing.
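An added example, not code from the presentation or from HostWorks: a sketch of the entry check described in the Drawing Setup and Entry Process slides (hash the VIRN, look it up in the uploaded HASH data, store valid entries, temporarily disable the form after repeated failures). The slides do not name the hash algorithm, key, failure threshold or lockout period; keyed BLAKE2b truncated to 32 hex characters, `MAX_FAILURES`, `LOCKOUT_SECONDS`, the `EntrySystem` class and the sample ticket numbers are assumptions constructed for illustration.

```python
import hashlib
import time

# Assumptions (not from the presentation): algorithm, key, threshold, lockout period.
HASH_KEY = b"constructed-demo-key"
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60

def virn_hash(virn: str) -> str:
    """One-way hash of a ticket number; returns a 32-character hex string."""
    normalized = "".join(ch for ch in virn if ch.isalnum()).upper()
    return hashlib.blake2b(normalized.encode(), digest_size=16, key=HASH_KEY).hexdigest()

class EntrySystem:
    def __init__(self, valid_hashes, now=time.monotonic):
        self.valid_hashes = set(valid_hashes)  # HASH data loaded for one game
        self.entries = {}        # hash -> player; raw VIRNs are never stored
        self.failures = {}       # player -> failed attempts since last success or lockout
        self.locked_until = {}   # player -> time the entry form reopens
        self.now = now

    def submit(self, player: str, virn: str) -> str:
        t = self.now()
        if self.locked_until.get(player, 0) > t:
            return "locked"
        h = virn_hash(virn)
        if h not in self.valid_hashes:
            return self._fail(player, t, "invalid")
        if h in self.entries:
            return self._fail(player, t, "duplicate")
        self.entries[h] = player
        self.failures[player] = 0
        return "accepted"

    def _fail(self, player: str, t: float, reason: str) -> str:
        self.failures[player] = self.failures.get(player, 0) + 1
        if self.failures[player] >= MAX_FAILURES:
            self.locked_until[player] = t + LOCKOUT_SECONDS
            self.failures[player] = 0
        return reason  # immediate feedback to the player

if __name__ == "__main__":
    # Constructed sample ticket numbers, not real VIRNs.
    game = EntrySystem([virn_hash("123-456-789"), virn_hash("AAA-111-222")])
    print(game.submit("player1", "123 456 789"))   # accepted
    print(game.submit("player2", "123456789"))     # duplicate
    print(game.submit("player2", "000-000-000"))   # invalid
```

Because only hashes are held on the web server, the server can confirm a ticket number without storing the list of printed numbers; the lockout limits how fast one player can guess.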
Drawing Process
Acquiring Entrants
• Authorized Lottery personnel log in to Admin section of web site
• Second level of dual logins required to access Drawing system
• Drawing team chooses a 2CD game from list of available games; system provides output of total number of entrants
• Automated security audit performed on data to scrub for possible duplicate entries
• Lottery security performs data integrity check
Drawing Process (cont.)
Winner Selection
• Drawing team runs the drawing on a separate stand-alone automatic draw machine
• Drawing team logs back into drawing system and inputs the winning entrant's number; system outputs that entrant's contact information
• Drawing team now downloads copy of the entrants database
• Winner is contacted by Lottery personnel
• Winner has to physically present the scratch game ticket
Summary
• Multiple solutions: secure your current environment, outsource the 2CD system to a secure third party, hybrid.
• Test, Test, Test
• Continually audit and evaluate options
• Listen to your players