Fraud Warning about the List Randomizer

Is RANDOM.ORG's List Randomizer safe for video giveaways?

Unfortunately, the short answer to this question is really a resounding ‘no.’

This page explains why and what you can do about it.

What Fraud Looks Like

We have seen a great many people use our List Randomizer for running video giveaways. While it's exciting that people come up with inventive uses for our services, the List Randomizer was never intended for this purpose and it isn't really suited for it.

In those videos, someone (we'll call them the ‘broadcaster’ since most of these videos are live-streamed) typically shows himself or herself copying a list from somewhere (e.g., Facebook) and pasting it into our List Randomizer. The list is then randomized a predetermined number of times, and whoever comes out on top in the final round is the winner.

If you watch this as a live stream, you might think that you can trust that what you see is really happening, i.e., someone is really using RANDOM.ORG to randomize a list. Even if you're watching a recording after the giveaway happened, you might feel the recording gives the giveaway some legitimacy. After all, you're seeing it with your own eyes, right?

The problem is that what you see in a live stream or a video might not be what you think. It might not be the real RANDOM.ORG at all.

Sounds paranoid? Consider the following two videos. (Thanks to Dimitri Livshin for letting us include them here.) In one, you're seeing an authentic giveaway where the broadcaster uses the real RANDOM.ORG to randomize a list. In the other video, you're seeing someone using what looks a lot like RANDOM.ORG, but which in fact isn't. It is a fake lookalike, an impostor web site, constructed to look exactly like the real RANDOM.ORG, but which the broadcaster has rigged to pick the winner he wants.

Authentic Giveaway (Real RANDOM.ORG)
Rigged Giveaway (Not the real RANDOM.ORG)

Can you tell the difference? Probably not. But you probably heard the person who made the recording of the rigged giveaway expressing his skepticism at the result.

When we here at RANDOM.ORG first examined these videos, we couldn't tell the difference either. The rigged giveaway looked completely authentic, until we checked our server logs and saw that no browser requests were made to our servers that matched what is happening in the rigged giveaway. For the authentic giveaway, we had records that matched up perfectly. This is hard evidence that the site shown in the rigged giveaway video isn't the real RANDOM.ORG, even though it looks like it. The cheater in the video was exposed and a lot of drama ensued.

How is this possible?

Please bear with us if this gets a little bit technical, but we'll try to be as clear as possible. If it's still not clear at the end, you'll find an email address there, so you can get in touch.

When you watch a giveaway via live stream, everything you're seeing is going on in the broadcaster's browser—their Facebook page, their use of RANDOM.ORG, etc. Unfortunately, it is possible (and not particularly difficult for a tech savvy person) for the broadcaster to configure their computer to show something else than the real RANDOM.ORG when they type in ‘www.random.org’ in their URL bar. Even the green URL bar can be faked in this manner, because the broadcaster has full control of their own computer.

If someone rigs their computer in this fashion, they can show a service that is made to look like the real RANDOM.ORG but which isn't, and when you watch the video, you wouldn't be able to tell the difference. As in the rigged video above, what you see is not the real RANDOM.ORG but a fake lookalike under the broadcaster's control, and which picks the winners the broadcaster has configured it to pick before the video streaming begins. It is an impostor site built for the specific purpose of fooling the viewers into thinking it's the real RANDOM.ORG. However, in fact the site has nothing to do with us.

We know for sure this has happened and also that it has been used to defraud people, such as in the rigged giveaway shown above.

Here is another video of someone using a fake lookalike in this fashion, although in this case it appears to be for demonstration purposes, rather than as a live giveaway:

Fake Lookalike (Not the real RANDOM.ORG)

Just to make it completely clear: What you're seeing in the video is not the real RANDOM.ORG, but an impostor site. It is not a hack of our service, but a replica made to look exactly like ours.

We don't know who made this video and we don't have access to the code that drives the impostor site you see in it, but we have verified (using our server logs) that it is not the real RANDOM.ORG you're seeing. Using a fake lookalike of our site to run rigged giveaways is of course in violation of our Terms and Conditions in a whole bunch of ways, not to mention illegal.

The crucial thing to understand is that someone must go out of their way to rig their computer in this fashion and—very importantly—they can only rig their own computer. In particular, it is not possible for them to change what you see when you enter ‘www.random.org’ in your own browser. If you use your own browser (and you see the green URL bar), you can be sure that you're seeing the real RANDOM.ORG.

What can you do about it?

Consider the following: Imagine that someone promises to transfer money to you via their bank. They show you a video of them using their bank's web site to transfer the money. After watching the video, will you trust the money really was transferred? It probably depends on how well you trust the person in question. The safe thing to do is to go to your own bank's web site and check whether a matching payment has come in to your account. The problem with the List Randomizer is that it doesn't let you do that.

The solution we have produced is very similar to the bank example. We have designed a new service called the Multi-Round Giveaway Service, which allows you to go to a source you know to be the real deal (the actual RANDOM.ORG, opened in your own browser) and verify that what you saw in the video really happened. The Multi-Round Giveaway Service does this by generating a verification code at the end of every giveaway, a code that cannot be faked and which you can use to check that the result of the giveaway was in fact generated by the real RANDOM.ORG.

What the verification codes do is link what you're seeing in the videos with the real RANDOM.ORG. When a video giveaway has been completed, any of the viewers can write down the verification code, open www.random.org in their own browser (which they know will take them to the real RANDOM.ORG) and enter the verification code. If the broadcaster used a fake lookalike in his giveaway, the real RANDOM.ORG will either tell you the verification code does not exist or that it refers to a different giveaway. If this happens, then you know the giveaway was rigged and you can alert the other people who participated. Ideally, at least one viewer should check the code after each giveaway, and they should do it in their own browser (not, for example, a browser running on the broadcaster's computer), so they know it's the real RANDOM.ORG that's doing the verification.

Without the verification codes, there is unfortunately no way for viewers to make sure that it's the real RANDOM.ORG they're seeing in video giveaways. Fortunately, the verification codes make it easy to be sure.

Questions?

Thank you for reading this fraud warning—we hope it was helpful. If you have questions that weren't answered here, you might want to head over to our FAQ for the Multi-Round Giveaway Service. If your question isn't answered in the FAQ, you are of course also drop us an email.