Ticketing and Free Play Ticketing Scams

August 28, 2018 4:46 PM
  • Buddy Frank, CDC Gaming Reports

This article was originally published April 25, 2018. Joseph Whit Moody was officially added to the Nevada Black Book on August 23, 2018 by action of the Nevada Gaming Commission.


On March 22, 2018, the Nevada Gaming Control Board held a hearing to determine whether Joseph Whit Moody (shown below) will become the 32nd person to have the dubious honor of being included in Nevada’s infamous “Black Book”, the List of Excluded Persons. To my knowledge, if added, he will be the first to be added due to a TITO (ticket in / ticket out) related crime. More accurately, Moody would distract guests, generally elderly women, at ticket redemption kiosks or ATMs, and steal their cash as it came out of the dispenser. He got away with this scam for some time because seldom would a tourist to Las Vegas want to return to the state to testify in a criminal trial. However, his inclusion in “the book” would assure that he’ll be removed from any casino he tries to visit in the future. While not officially sanctioned, anyone in Nevada’s Black Book is pretty much banned in casinos across the country.

I only wish most of the potential scams associated with ticketing, and the closely related world of “free play,” were as simple, and as unsophisticated, as Moody’s “grab and go” scam. Sadly, today’s potential damage from either one of these two categories can run to six figures or more, especially if you fail to put in place some basic safeguards.

In the past, whenever I had an aspiring slot executive join the team, one of my first bits of advice was to CYA. I assume that the acronym is well known in business, but in slots you must keep your hands moving or you’re liable to leave a portion of your backside vulnerable. As recently as five years ago, Number One on the list of things that could get you fired was the “phony jackpot.” These were almost always inside jobs, or perhaps a combination of inside and outside collaborators. Today, with improved password controls, biometric logins and vigilant analytic systems, paying phantom jackpots is less frequent but still possible. Unless you’ve totally removed yourself from all news and social media, you’re aware that today’s #1 misstep is sexual harassment. That’s not my area of expertise, but I’ll wager that if you don’t already know how to avoid this firestorm, you’re probably on someone’s #MeToo list. I also seriously doubt you’ll have enough time left on the job to finish reading this article. For those still here, that leaves TITO and free play scams as a major area in which we can actively work to prevent, or at least mitigate, our losses, with good practices.

Let’s begin with phony free play. If you don’t think you’ve ever been hit with some form of this fraud, you probably also think that your Facebook profile is completely private. These scams range from ultra-sophisticated to downright stupid. Beginning with the latter, let’s talk about “spitballs.” You’re probably aware of these from junior high. Inserting a small one into a player card reader can jam the rear contact switch. If successful, the bad folks can then remove their card, thus tricking the machine into thinking they are still playing. If another unsuspecting guest arrives soon at the machine and inserts their card, all rewards earned will go to the spitballer instead of the current player. One obvious solution to the problem is to make sure that the time out setting on your system is short (but not too short for today’s extended bonus rounds), thus cancelling out the first card. However, this still leaves a stuck switch and a future maintenance issue for your tech team. On a busy weekend evening, particularly in high limit areas, this scam can, and does, work. What puts this low-tech crime in the stupid category is that the perpetrator has essentially signed in by first inserting his/her card and then creating the spitball jam. It’s dumb, and it’s easy to catch with minimal investigation. Every time your slot tech finds a jammed switch (it’s easy to notice, with the “card in” light ON with no card inserted), the culprit will have left his name, address and phone number in your club database.

DEFENSE: Strong observation of CARD IN signals with no card inserted and slot techs reporting jams for further database interrogation will stop this quick. A variation of this crime involves using multiple cards and sticking them into other folks’ machines without their specific knowledge. The defense for that is to use your system to limit the number of cards allowed at one time, generally no more than three, and to not allow more than one card at a given time if they are being used on different bank locations. This latter option may require a custom stored-procedure report, as it is not a standard option on all systems.

Phony tickets are easy to detect. One-time bar codes prevent cashing more than a single copy of any ticket; thieves were extremely disappointed to learn that their Xeroxed tickets didn’t work. But there is a variation of this that can, and does, work, if your team fails to follow procedures. It only takes a minute or two to find dozens of abandoned tickets for penny amounts littering the casino floor. Using a valid discarded ticket, one can replace the 1¢ and One Cent designations with computer-generated $100 and One Hundred Dollars captions. Sticking these on and generating a clean duplicated ticket will give you a valid document that will work in any kiosk, handheld reader or cashier terminal, but only for one cent. Unfortunately, many change attendants and cashiers who look only at the face value on the ticket, and skim the system verification, have been victimized. The key is to carefully compare the amount… and the IDs. This latter check prevents the most common tactic of credit card duping and the use of free play credits in gift shops or other retail outlets. With basic equipment, it is easy to dupe the mag stripe and make a phony player’s card or credit card. The crook then substitutes another name that matches his or her ID, and buys a watch or other merchandise with free play points, accumulated from a legitimate guest, at the gift shop after showing ID. This ID matches the phony player’s card and has the right amount of credits, leading the cashier to be victimized. Careful examination of the system POS terminal in a situation like this would show that the name in the system doesn’t match the name on the player’s card or the ID presented.

DEFENSE: All of these scams can be stopped cold if redeemers carefully compare all system info to the physical cards, tickets, IDs or other documents presented. Failure to provide this training, and ensure compliance on a consistent basis, could cost you dearly.

One of the first free play scams had to do with “hacking” passwords. Early system programmers tried to make passwords simple to improve ease of use. Usually, they made the birth year of the patron the default four-digit password. Several southern California casinos became wise to this when the security team at Pala Casino found some bad guys in a van filled with computers and player cards in their parking lot. They also found lists from various casinos of customers’ names and their corresponding birth years. It turns out that this team in the van was collecting abandoned cards from the top tier levels from the floor and then running internet searches to determine the players’ birth years. Sure enough, there were hundreds of names on their lists targeting Pala and other nearby casinos. The gang simply used the legitimate cards, punched in the birth year from the list, and downloaded the accumulated free play. We reported this promptly to Bally, and they fixed the problem by prohibiting the use of birth years, the last four numbers of a Social Security account or any string of repeated or sequential numbers as default passwords.

DEFENSE: While your system probably has this same fix in place by now, it’s worth checking. The only downside is that you’ll have more guests forgetting their passwords than ever before. One small remedy for this is to provide telephone-like keypads and screens so guests can enter four letter words instead of random numbers. It’s easier to remember “CATS” than it is “2287.”
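
The default-password rules described above (no birth year, no last four of the Social Security number, no repeated or sequential digits), written as a check to run when a default is issued. This is an added example, not code from the article or from any slot system vendor; the function names, the wrap-around treatment of sequences such as 7890, and the sample records are assumptions.

```python
# Added example: default-PIN policy check. Names and sample values are hypothetical.
from datetime import date

# Telephone-style keypad: 2=ABC, 3=DEF, ... 9=WXYZ (0 and 1 carry no letters).
_KEYS = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
         "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}
LETTER_TO_DIGIT = {ch: d for d, letters in _KEYS.items() for ch in letters}

def word_to_pin(word):
    """Digits a guest actually enters when typing a word, e.g. CATS -> 2287."""
    return "".join(LETTER_TO_DIGIT[ch] for ch in word.upper())

def pin_rejection_reasons(pin, birth_date, ssn_last4=None):
    """Return the policy rules a four-digit PIN violates (empty list = acceptable)."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        return ["not four digits"]
    reasons = []
    if pin == f"{birth_date.year:04d}":
        reasons.append("birth year")
    if ssn_last4 is not None and pin == ssn_last4:
        reasons.append("last four of SSN")
    if len(set(pin)) == 1:
        reasons.append("repeated digits")
    # Step between neighbouring digits, modulo 10 so 7890 and 2109 also count.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        reasons.append("sequential digits")
    return reasons

def review_defaults(candidates):
    """candidates: (player_id, proposed_pin, birth_date, ssn_last4) at issuance time."""
    findings = {}
    for player_id, pin, born, ssn4 in candidates:
        reasons = pin_rejection_reasons(pin, born, ssn4)
        if reasons:
            findings[player_id] = reasons
    return findings

# Constructed sample records, not real data.
SAMPLE = [
    (1001, "1952", date(1952, 3, 14), "6041"),               # birth year
    (1002, "6041", date(1960, 7, 2), "6041"),                # SSN last four
    (1003, word_to_pin("ABBA"), date(1948, 1, 30), "7733"),  # word -> 2222
    (1004, "7890", date(1971, 11, 9), None),                 # wraps past 9
    (1005, word_to_pin("CATS"), date(1955, 5, 5), "1830"),   # 2287, acceptable
]
```

A word typed on a telephone-style keypad still has to pass the same check: “ABBA” becomes 2222. Words also use only the digits 2 through 9, so letter entry draws from 4,096 of the 10,000 possible four-digit values.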

While the scam above was somewhat minor league, three folks at Mohegan Sun Poconos made the big time for almost a full year. Before they were busted, this team hit the casino for $478,350 in free play, which they converted to $418,793 in cash, from May 2014 to April 2015. Perhaps most surprising was that one of the perpetrators was a VP-level executive in charge of Player Development (Robert Pellegrini, shown below). The operation involved a cocktail waitress who noted players’ card numbers from VIP guests. She passed the info to Pellegrini, who then created duplicate cards and loaded them with credits. A male “customer” working with them would then gamble the free play, and they’d split any profits. Unfortunately for them, there was also a little love triangle element involved with the male “customer.” He was two-timing both the cocktail waitress and a non-participating female dealer. Out of jealousy, the dealer spilled the beans to regulators. Pellegrini was sentenced to 32 months in prison last June, the cocktail waitress pled guilty with a plea agreement and $2k in fines, and the cheating (in more ways than one) “customer” went to jail for 18 months on money laundering. And, yes, the casino was fined $1 million by Pennsylvania regulators. (Image: Pete J. Wilcox/Times Leader)

DEFENSE: This one has multiple elements, some of which are also described in the next incident. The keys to eliminating the possibility of incidents like this are strong audit controls and separation of duties on who can add free play to an account. The process should involve at least two or three authorizations from different areas. (Example: the slot manager may make a request in writing or email to add free play to mitigate a slot beef. The request must be approved by a manager or higher in the marketing or finance department, and the final execution can only be added by a manager level or higher in the promo/club area.) An audit trail should be examined monthly for any anomalies. In the case of Mohegan Poconos, the team spread the amounts around to multiple high rollers, which made it somewhat difficult to spot, but the fact that a single VP added over $400k in a single year with no other approvals should have been a red flag. More on that below.

A similar crime, but on a much smaller scale, has occurred at casinos nationwide. It is simply the unauthorized changing of passwords by the promotional staff. Given their necessary access to the data, it is easy for these employees to spot guests who visit infrequently but have large credit balances. They then recruit an “outside customer” to visit the club desk and say they forgot their passwords and need a new card. This is quite common for legitimate guests, and it is mandatory to check IDs before complying. But a crooked employee can bypass this step. The outsider then simply downloads the credit and cashes out after playing. Much later, and often way too late to gather evidence, the club desk gets complaints about missing credits or free play.

DEFENSE: This can be difficult to detect if the incidents are small and infrequent. Fortunately, greed generally drives these incidents, which makes it easier to spot them. Your IT team can easily create a simple stored procedure or a batch process that runs daily to spot the following patterns:

  1. Excessive password changes by a single employee or issued at a single terminal.
  2. A pattern of password changes based on date, tier level, or demographic groupings.
  3. Any guest with an excessive number of password changes.

Before I retired from Pechanga, a very sharp security manager spotted a pattern of password changes issued to small groups of customers that were in exact alphabetical order off the master player list.  Busted! This use of exception reports (stored procedures, batch process or SQL queries) is a great defense for many of the scams described herein. It’s also critical to prevent future attempts at new scams, even if “Murphy’s Law” is usually the main culprit.
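
The daily password-change exception report, including the alphabetical-order pattern just described, as an added example that is not from the article or from any slot system. The table and column names, the thresholds and the audit rows are constructed; the same queries would sit in a stored procedure against your system’s own audit tables.

```python
# Added example: password-change exception report over constructed audit rows.
import sqlite3

# (changed_at, employee_id, terminal_id, player_id), all hypothetical.
CHANGES = [
    ("2018-04-02 10:05", "E3", "T1", 108),
    ("2018-04-02 11:10", "E7", "T2", 103),
    ("2018-04-02 11:12", "E7", "T2", 104),
    ("2018-04-02 11:15", "E7", "T2", 105),
    ("2018-04-02 11:19", "E7", "T2", 106),
    ("2018-04-02 15:40", "E3", "T1", 101),
]
NAMES = ["Abbott", "Adams", "Baker", "Chavez", "Diaz", "Evans", "Flores", "Grant"]

def load():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE players(player_id INTEGER PRIMARY KEY, last_name TEXT)")
    db.execute("CREATE TABLE pin_changes(changed_at TEXT, employee_id TEXT,"
               " terminal_id TEXT, player_id INTEGER)")
    db.executemany("INSERT INTO players VALUES (?, ?)", enumerate(NAMES, 101))
    db.executemany("INSERT INTO pin_changes VALUES (?, ?, ?, ?)", CHANGES)
    return db

def excessive(db, column, day, limit):
    """Changes per employee, terminal or guest on one day, at or above limit."""
    if column not in ("employee_id", "terminal_id", "player_id"):
        raise ValueError("unexpected grouping column")
    sql = (f"SELECT {column}, COUNT(*) FROM pin_changes WHERE date(changed_at) = ?"
           f" GROUP BY {column} HAVING COUNT(*) >= ? ORDER BY 1")
    return db.execute(sql, (day, limit)).fetchall()

def alphabetical_runs(db, min_len):
    """Employees whose successive changes walk the master list in A-Z order."""
    # Position of every player in the alphabetically sorted master list.
    rank = {pid: i for i, (pid,) in enumerate(
        db.execute("SELECT player_id FROM players ORDER BY last_name, player_id"))}
    flagged, state = {}, {}
    rows = db.execute(
        "SELECT employee_id, player_id FROM pin_changes ORDER BY changed_at")
    for emp, pid in rows:
        last_rank, run = state.get(emp, (None, 0))
        # Extend the run only when this account is the very next name on the list.
        run = run + 1 if last_rank is not None and rank[pid] == last_rank + 1 else 1
        state[emp] = (rank[pid], run)
        if run >= min_len:
            flagged[emp] = max(run, flagged.get(emp, 0))
    return flagged
```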

“Anything that can go wrong, will go wrong.” I have validated this credo numerous times in my career, but the most recent case was with a roulette ETG. Due to an obscure bug in the software, a married couple inadvertently discovered that by using a pattern of downloading credits and well-timed betting, they could receive free play that would not be subtracted from their system account balance. In other words, they were getting unlimited credits to play, and earning even more free play at the same time. They tried to hide their crime by cashing out often to prevent large hand pays, and then washing these small tickets through several other machines to confuse the audit trail. “Washing,” in this context, means putting the tickets into other machines, playing just a credit or two, and then cashing out the resulting tickets at kiosks. The amount of this fraud was thousands of dollars.  Some was recovered from the crooks, and the roulette machine manufacturer also made a major restitution.  But the most valuable outcome was the lesson learned below:

DEFENSE: A daily report (similar to the daily batch processes mentioned above) can be created to show:

  1. Excessive amounts of free play downloaded at any machine.
  2. High levels of Coin In by individual guests with no cash play.
  3. Excessive amounts of free play issued to any guest.
  4. Excessive numbers of tickets dispensed by a single machine.
  5. Excessive numbers of tickets cashed out at a kiosk by any individual guest.
  6. Excessively high point balances on individual customers.

Using these reports, we quickly spotted and stopped dozens of small scams almost before they began. There were some false positives on good guests that wasted investigative time, but that was a small price to pay for the greater security. At a recent seminar, someone asked how we defined “excessive.” The answer is to look at your current and past patterns for “normal” behavior. Some anomalies are common, but most are not.
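
One way to turn “look at your past patterns” into a number, shown as an added example that is not from the article or any slot system: the cutoff for each metric is derived from its own history, and item 2 of the list above is checked separately. The metric names, machine and guest identifiers, the multiplier k and every figure are constructed.

```python
# Added example: baseline-driven daily exception report. All data is constructed.
from statistics import median

# Past daily values per metric, i.e. what "normal" has looked like.
HISTORY = {
    "free_play_per_machine":   [120, 90, 150, 110, 130, 100, 140],
    "tickets_per_machine":     [35, 42, 38, 40, 37, 44, 39],
    "kiosk_tickets_per_guest": [2, 3, 1, 4, 2, 3, 2],
}
# Today's observations: (metric, machine or guest, value).
TODAY = [
    ("free_play_per_machine", "ETG-07", 2600),
    ("free_play_per_machine", "SLOT-1142", 135),
    ("tickets_per_machine", "ETG-07", 96),
    ("kiosk_tickets_per_guest", "guest-5521", 23),
    ("kiosk_tickets_per_guest", "guest-0310", 5),
]
# Per-guest play for the day: (guest, coin_in, cash_in).
PLAY = [("guest-5521", 4800, 0), ("guest-0310", 900, 400), ("guest-0777", 60, 0)]

def cutoff(history, k=6.0):
    """'Excessive' = median + k * MAD of past values.

    Median and MAD (median absolute deviation) barely move when a few bad
    days are already in the history, unlike mean and standard deviation.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med + k * max(mad, 1.0)   # floor keeps a flat history from flagging everything

def exceptions(today, history=HISTORY, k=6.0):
    """Rows of today's data that exceed the cutoff for their metric."""
    limits = {metric: cutoff(values, k) for metric, values in history.items()}
    return [(m, who, value, limits[m]) for m, who, value in today if value > limits[m]]

def free_play_only(play, min_coin_in):
    """Item 2: guests with high coin-in and no cash play at all."""
    return [g for g, coin_in, cash_in in play if coin_in >= min_coin_in and cash_in == 0]
```

Raising k trades missed cases for fewer false positives on good guests; rebuild the history regularly so the cutoffs follow seasonal changes in play.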

Since Murphy is a common denominator with many slot frauds, I’ll finish with an example from my early career. The ticket reproduced here magically came out of an older Aristocrat machine. Thankfully, this guest was very understanding, and, instead of calling an attorney, they graciously accepted the $9 which was the correct amount of the cash out.  When I’ve related this story to some, they claim it couldn’t happen to them since their TITO is only $3,000.  What they didn’t understand is that Murphy doesn’t respect limits, settings, policies, guidelines, defaults, fail safes or stern edicts from gaming regulators. Let me repeat: “Anything that can go wrong, will go wrong.”

Printers, monitors, meters and CRTs to LEDs are all electronic and/or digital.  Given the right stream of wild and out-of-control bits of data, they can display anything at any time. Last summer in New York, Katrina Bookman was excited when the machine she was playing at Resorts World lit up and declared “printing cash ticket $42,949,672.76.” Of course, it was not legit, just another example of why every machine is required to have the “Malfunction Void All Pays” warning. However, this case wound up in court and all over the news with the headline “Casino Sued for Downgrading Jackpot to Steak Dinner.” While the malfunction argument almost always wins in court, the negative press or PR is hard to undo.

DEFENSE: Avoiding Murphy’s Law is impossible, but minimizing the PR impact is critical. One of the best ways to keep these cases out of court and off the Internet is to be proactive. I highly recommend that on any excessive payout malfunction, once the regulators have ruled on what amount the guest is legally entitled to, compensation be made for the maximum jackpot offered by the machine, assuming this is not a WAP or large progressive. While this has some extra costs (in the long run, they’re minimal, since this is not really an everyday occurrence), it is far cheaper than the dollar amount of negative and enduring PR. This technique works: it is easy to defend in court and dramatically shrinks the pool of headline-grabbing attorneys willing to take on these clients.

In summary, while Murphy and future crimes are unpredictable, the proactive practice of creating automated daily exception reports is the major key to minimizing and sometimes preventing these types of fraud, and a great tool to CYA. To my knowledge, none of these are standard “alerts” in any of the major slot systems, but they are easy for you or your IT team to create from the data the systems do supply. The scams, after all, keep coming. Good luck and keep an eye on any vans full of bad guys in your parking lot.