COMPUTERPIiEIQ SECURITY BULLETIN Volume
Jay J Becker Assistant District Attorney, Los Angeles Andrew Chambers Leverhulme Business School, London
Associate Editor: ROBERT V JACOBSON President, International Security Technologylnc, New York
Senior Research Fellow in internal Auditing, City University
Peter Hamilton Managing Director, Zeuss Security Consultants Ltd London Jocelin Harris Lawyer and Banker, London Peter J Heims Fellow of the Institute of Professional Investigators, London Geoffrey Hotwitz Executive, Ned Equity Insurance Co Ltd. Johannesburg Norman Luker Security Manager,
Telecom Ltd, Montreal
Donn B Parker SeniorManagementSystemsConsultant,
Alec Rabarts Fellow of the Institute of Chartered Accountants, Timothy J Walsh President, Herris and Walsh Management Ray Ellison Manager,
Consultants, New York
Computer Security and Privacy, National Computing Centre, Manchester. UK
EDITORIAL ASSET-STRIPPING: The importance of physical security SPOTTING THE HIGH RISK JOBS Trying to make a conversion Cheque conversion fraud
1 5 7 8
computer security Risk management in practice: study course Observing computer fraud Technical note RACF overheads
10 11 11
The Bulletin has been going for just about a year and I would like to thank our readers for their support: also members of the Editorial Board and the companies and individuals who have helped us. Next year I hope we will be able to cover cases in more depth and we have a full time researcher on our staff for this purpose. I also hope that - having established some of the groundwork in commercial fraud generally - we can get into more technical aspects of computer abuse and counter measures. Finally, I would like to generate more response from our subscribers and perhaps have a regular bi-monthly page of readers' letters. If you have points to make or questions to ask send them to the Editorial Office.
In December ASSET-STRIPPING
1978, the US Treasury Department made a staggering more than $1 million of gold had disappeared from a Fort Knox type building in Manhattan. the Assay Office, Federal Investigators were called in but all that they could announcement:
Elsevier International Bulletins
0 1979 Elsevier Sequoia S.A. No part of this publication may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the publisher.
discover was that the gold disappeared sometime between 1973 and 1977. A more accurate statement was not possible because of "significant irregularities" in the accounting procedures! The Investigators questioned staff but in the end had to give up. "The bottom line," they said, "is that we just could not tell what happened." When we are devising controls - and particularly in computer systems - do we spend enough effort in looking after the related physical inventories? Maybe not, you say, but with micro- and minicomputers coming so cheap, in a few years they will control inventories processes, and just about everything else, for us. But will that help? The Argent Corporation which runs four casinos in Las Vegas "Stardust", "Freemont", "Hacienda" and "Marina" - is currently under investigation by the Nevada Gambling Commission for an alleged inventory fraud beside which the US Treasury case pales into insignificance. At least $7 million in US quarters, weighing 150 tons, has disappeared, or, more correctly, has been misappropriated in an 18 month period, between 1974 and 1976.
machine aZZeged to be fixed
The coinage, takings from the casino's fruit machines, has been skimmed off through a sophisticated fraud based on a computerised weighing machine. A further $3.5 million has been paid out to supposed gamblers, without a shred of documentation, and further millions have been lost as a result of kickbacks and "soft counts" in winnings at the gaming tables. The total amount of the fraud could be as high as $20 million. The section of this fraud that should be of most interest to computer users is that involving the skimming of cash takings from one armed bandits and fruit machines. The meters in the machines were rigged to register a payout a third greater than actual. When the contents of the cash drawers were emptied out, they were put into a Toledo model 8130 electronic weighing machine, manufactured by the Reliance Electric Co. However, one of the engineers, Richard Marie , who designed the Toledo, had in the meantime been recruited by Argent and it is alleged that he altered the circuitry so that it underweighed all cash boxes by an amount sufficient to hide the extra quarters. Richard Marie has been interviewed by the Gaming Board, but so far has refused to talk. Quarters taken or skimmed from the cash drawers were allegedly converted into large denomination bills by George Jay Vandermark and Leland Northey, two employees at the casino. Embezzlement indictments are outstanding against them, while in the background, Alan Glick, the owner of Argent, is vehemently denying any wrongdoing. The Nevada gaming authorities seem to be taking a stern line: they initially demanded $11.8 million from the corporation and required Glick to sell his sole interest. A computer analysis put the odds of the casinos actually having to make the payouts they claimed to have done at one chance in 3,875,000,000,000,000,000,000,000,000,000,0~,000,000,000,000,000. Long odds, to anyone familiar with gaming!
Vol2 No1 COMPUTBEIFBAfJD&SNUEITTBlUETIB
It The case is unusual and we will try to follow its progress. does demonstrate a possible vulnerability in plug-compatible microcomputers, where logic and other circuits can be switched There is perhaps a security lesson here for with relative ease. designers and users of chipbased control machinery and, judging by the frauds that have involved their mechanical and electrical we can make a shrewd quess as to what the future counterparts, will hold.
It is likely that chip-based control machinery will follow similar patterns to the first generation electrical/mechanical This equipment is usually divided into: equipment. Sensory
This element is the initial measuring equipment in the processor (weighbridge, scale, thermometer, flow meter) that transmits its findings through a mechanical or electrical linkage to a control device. Control This may consist of a plug-in processor that governs the operation of the equipment, transmits data for storage in temporary or permanent memory, and controls print out and internal operation. Adjuster
Most control equipment has to have adjustment devices (like the screw on the back of domestic scales that brings the pointer back to zero). Computer-based control equipment is not likely to be an exception. Individual
A meter or print-out that relates delivery, for example). Totaliser
to a specific
A meter or register that retains for reconciliation purposes. communication Electronical
links or mechanical
The object of fraud involving control machinery is usually to gain a false reading on the individual recorder and on the accumulator. For example, a contractor defrauding through overweights on a "goods in" truck will certainly have to obtain false weighbridge tickets for individual loads and may also have to ensure that the accumulated total does not reveal the fraud. The object can be achieved by interfering with the sensory device, totalisers or the communications links. the adjuster, Most control machinery is designed to operate in an honest environment and may not withstand the pressure of criminal interference. With chipbased processors, all that may be necessary to achieve fraud is to plug in a new board; the other elements of the equipment may then give the appearance of functioning properly and may indeed do so, except for the special circumstances decided by the thief.
Supermrke t check-out fraud
One of the first cases of abuse of microprocessors (although at a very low level) concerned one of the UK's leading grocery zu+rmarkets. They installed quite sophisticated cash tills at their check-out points. Goods purchased by customers were cashed up on the till (sensor) and were printed out on a receipt. The accumulated value of sales for the day were retained in a register inside the machine and at the end of each day's business the cashier was required to press a special button which would 'print out the total cash that had passed through the cash point during the day (accumulated total). This printed slip was then used by the financial accounting department as a means of reconciling bankings and cash takings. Thus if a cashier stole cash from the till, the difference would show up as a cash shortage and enquiries would be made. The designers of the equipment realized that if the total held in the accumulator register could be "wound back", then cash could be stolen from the till without that fact becoming obvious. Thus mechanical and electrical locks were built into the system to make sure the accumulator could not be interfered with. But no one thought the fraud possibilities through; no one, that is, except for a group of dishonest employees who made over E30 000 before they were caught. Sales would be recorded on the cash tills as and when they took place. At the end of the day, when all customers had left the shop the dishonest employees would make a note of the accumulated total in their machines without pressing the final print button. Say the figure was E689.56. They would then start "ringing up" fictitious sales on their machines and since the capacity of the register was only four digits and two decimal places long, when they reached 10 000 the left hand digit "1" would spill from the register which would now read "000.00". The employees would continue to "ring up" fictitious sales until they reached, say, f400.50 and then press the button to print out the accumulated total. The difference between E689.56 and E400.50 would be their profit for the day.
Cash shortage appeared as stock zoss
The loss, of course, would show up, but as a shortage of inventory rather than a shortage of cash. The management put the inventory losses down to shoplifting. The fraud came to light when the husband of one of the women involved in the scheme, assumed quite incorrectly, as it happened - that her late nights at work were the result of an illicit love affair with a fellow employee. He reported his suspicions to the management and the nocturnal till manipulation came to light. Another case, where the capacity of internal registers was at the centre of a fraud, concerned a retail service station group that had recently introduced automated petrol pumps. You have probably used the type in question - they have LED or similar figures to show the number of gallons taken and the cost, instead of the old fashioned mechanical dials. When the pumps were first introduced, prior to the oil crisis, the price of petrol was such that the designers of the machinery never throught that any one customer would take more than E9.99's worth of petrol. The machinery and its internal storage registers were set to record up to this figure.
COPPUTEEL%WJB& SECURITTBULLETXM Vol2 No1
Registers too smal2 for prices
Then the price of petrol shot through the roof, and no one thought For three or four of adjusting the capacity of the machines. months, customers who bought El1 and El2 of petrol would be charged the full amount (because the forecourt staff knew the score:) but in reconciling the company's accounts only fl and E2 The forecourt staff were thus able to retain would be entered. El0 per sale. - whether computer-based or So in designing control machinery and objectives of fraud. not - consider the opportunities Remember also that if new equipment is introduced into an environment where fraud is established, it will not take too long before someone attempts a new fraud. Look for symptoms of interference, the most common of which is repeated breakdowns: after all, the easiest way to overcome control devices is to break them.
SPOTTING THEHIGHWe have often made the point that anticipation and prevention of fraud can be more important than detection. With this in mind, RISKJOBS it is a good idea to examine fraud possibilities in a company from the position of a would-be thief. Consider what assets can be stolen, how the loss can be concealed or records manipulated and how conversion to a financial benefit can best take place. In this way, fraud opportunities can be catalogued, critical points monitored to detect past frauds and controls concentrated in the areas that really matter. This philosophy applies to all corporate risks. There are, however, some jobs in many companies which are more vulnerable to fraud - and these are not only those of the payroll clerk or cashier. Without wishing to malign any particular group, the vulnerable positions are often characterised by a natural professional or technical break between an employee and the next level of supervision. For example, there may be a technical gap between the head of data processing and the Financial Director to whom he reports. There may be a professional gap between the Purchasing Manager and his boss. Where the supervisor does not possess the technical skills of his subordinate, he must, by the very nature of things, place more reliance on what his subordinate tells him than where the professional link between subordinate and manager is strong. Where a technical or professional break occurs, the manager has to take more on trust. In a truly integrated line structure the manager is better able to make an individual assessment of recommendations made by his subordinate and he has an independent "feel" of what is right and wrong. Also the manager in this position meets the customers, suppliers and other employees with whom his subordinate deals and has the chance of hearing if things are going wrong. Where natural breaks are deeply entrenched in the company organisation (for example where the Data Processing Manager would never be a candidate for the Financial Director's job) the subordinate may have a genuine feeling of frustration. Believing that he has reached the ceiling in his company and lacking any direct control from above, he may be more likely to be tempted into theft, fraud, disloyalty or poor performance than an employee who sees a career progression ahead of him. Emile Durkheim, whose work is summarized in a book by Gwynn Nettler, "Explaining Crime" (McGraw Hill), put forward an interesting theory that may fit situations where there is a