Fraud by computer

Inside Risks

Peter G. Neumann

Computer-related financial fraud continues to be a problem. Here are a few cases from the Risks archives.

Frauds

• Volkswagen lost almost $260 million as the result of an insider scam that created phony currency-exchange transactions and then covered them with real transactions a few days later, pocketing the float as the exchange rate was changing. This is an example of a salami attack -- albeit with a lot of big slices (SEN 12, 2, Apr. 1987, 4). Four insiders and one outsider were subsequently convicted, with the maximum jail sentence being six years, so their efforts were not entirely successful!

• Losses from automatic teller machines (ATMs) are numerous. The archives include a $350,000 theft that bypassed both user authentication and withdrawal limits, $140,000 lost over a weekend due to a software bug, $86,000 stolen via fabricated cards and espied authentication numbers (PINs), $63,900 obtained via the combination of a stolen card and an ATM program error, and other scams.

• Other frauds include a collaborative scam that acquired 50 million frequent-flier miles, an individual effort that gained 1.7 million miles, a collaborative effort involving millions of dollars worth of bogus airline tickets, and a bank computer system employee who snuck in an order to Brinks to deliver 44 kilograms of gold to a remote site, collected it, and then disappeared.

Thwarted Attempts

• The First Interstate Bank of California came within a whisker of losing $70 million as the result of a bogus request to transfer funds over the automated clearinghouse network. The request came via computer tape, accompanied by phony authorization forms. It was detected and cancelled only because it overdrew the debited account. The FBI is investigating (SEN 17, 3, July 1992).

• First National Bank of Chicago had $70 million in bogus transactions transferred out of client accounts. One transaction exceeded permissible limits, but the insiders managed to intercept the telephone request for manual authorization. However, that transaction then overdrew the Merrill-Lynch account, which resulted in the scam being detected. Seven men were indicted, and all of the money was recovered (SEN 13, 3, July 1988, 10).

• The Union Bank of Switzerland received a seemingly legitimate request to transfer $54.1 million (82 million Swiss francs). The automatic processing was serendipitously disrupted by a computer system failure, requiring a manual check--which uncovered the bogosity. Three men were arrested (SEN 13, 3, July 1988, 10).

• The Pennsylvania state lottery was presented with a winning lottery ticket worth $15.2 million that had been printed after the drawing by someone who had browsed through the on-line file of still-valid unclaimed winning combinations. The scam was detected because the ticket had been printed on card stock that differed from that of the legitimate ticket (SEN 13, 3, July 1988, 11).

• On Christmas Eve 1987, a Dutch bank employee made two bogus computer-based transfers to a Swiss account, for $8.4 million and $6.7 million. Each required two-person authorization, which was no obstacle because the employee knew someone else's password. The first transaction was successful. The second one failed accidentally (due to a 'technical malfunction'), which was noted the next working day. Suspicions led to the arrest of the employee (SEN 13, 2, Apr. 1988, 5).

• An ATM-card-counterfeiting scam planned to make bogus cards with a stolen card encoder, having obtained over 7,700 names (with personal identifiers, PINs) from a bank database. An informant tipped off the Secret Service before the planned mass cash-in, which could have netted millions of dollars (SEN 14, 2, Apr. 1989, 16).

Conclusions

In general, computer misuse is getting more sophisticated, keeping pace with improvements in computer security. Access controls can hinder outsiders. Fraud by insiders, however, remains a problem in many commercial environments (often not even requiring technology, as in the U.S. savings and loan fiasco, now exceeding $1.5 trillion). High-tech insider fraud can be difficult to prevent if it blends in with legitimate transactions.

Most of the preceding thwarted attempts were foiled only by chance, which is not reassuring, particularly because more cautious perpetrators might have been successful. We do not know the extent of successful frauds. Financial institutions tend not to report them, fearing losses in customer confidence and escalations in insurance premiums. This leaves us wondering how many successful cases have not been detected, or have been detected but not reported.

Better system security, authentication (of users and systems), accountability, auditing, and real-time detectability would help somewhat. More honest reporting by corporations and governmental bodies would help reveal the true extent of the problems, and would be beneficial to all in the long term. Otherwise, computer-aided fraud will continue.

Communications of the ACM, August 1992, Vol. 35, No. 8, p. 154
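Several of the cases above were caught only by an overdraft or by chance, and in the Christmas Eve 1987 case two-person authorization failed because one employee held both passwords. The following is an added example, not part of the original column, of pre-release checks for those conditions; the record fields, finding names and sample data are assumptions constructed for illustration.

```python
"""Pre-release checks for funds transfers (added illustration; names are hypothetical)."""
from dataclasses import dataclass
from decimal import Decimal
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class Approval:
    user: str      # account that signed the approval
    terminal: str  # terminal the credential was presented at (assumed to be logged)


@dataclass(frozen=True)
class Transfer:
    ref: str
    amount: Decimal
    available: Decimal                 # balance of the debited account
    limit: Decimal                     # per-transaction limit
    approvals: tuple
    callback_by: Optional[str] = None  # who gave manual authorization, if anyone


def review(t: Transfer) -> list:
    """Return the findings that should hold a transfer for independent review."""
    findings = []
    users = {a.user for a in t.approvals}
    if len(users) < 2:
        findings.append("SINGLE_APPROVER")
    # Two account names are not two people when both credentials were
    # presented at the same terminal (one employee using a known password).
    if any(a.user != b.user and a.terminal == b.terminal
           for a, b in combinations(t.approvals, 2)):
        findings.append("SHARED_ORIGIN")
    # Over-limit transfers need manual authorization from someone who is
    # not already one of the approvers.
    if t.amount > t.limit and (t.callback_by is None or t.callback_by in users):
        findings.append("OVER_LIMIT_UNCONFIRMED")
    if t.amount > t.available:
        findings.append("OVERDRAFT")
    return findings


# Constructed sample records, not data from any real system.
SAMPLES = [
    Transfer("T1", Decimal("8400000"), Decimal("9000000"), Decimal("10000000"),
             (Approval("emp_a", "term-07"), Approval("emp_b", "term-07"))),
    Transfer("T2", Decimal("70000000"), Decimal("50000000"), Decimal("20000000"),
             (Approval("emp_c", "term-01"), Approval("emp_d", "term-02")), "emp_c"),
    Transfer("T3", Decimal("1200"), Decimal("5000"), Decimal("10000"),
             (Approval("emp_e", "term-03"), Approval("emp_f", "term-04"))),
]


def held() -> dict:
    """Map each held transfer reference to its findings."""
    return {t.ref: review(t) for t in SAMPLES if review(t)}
```

The terminal comparison is only a proxy for approver independence; it depends on the audit log recording where each credential was presented.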

Fraud by computer

Communications of the ACM, Volume 35 (8) – Aug 1, 1992

Publisher: Association for Computing Machinery
Copyright: Copyright © 1992 by ACM Inc.
ISSN: 0001-0782
DOI: 10.1145/135226.135238
Journal

Communications of the ACM, Association for Computing Machinery

Published: Aug 1, 1992
