TRANSCRIPT
November 1990 Computer Fraud & Security Bulletin
• Usefully separated correctness and effectiveness,
• but also commented that ITSEC did not meet the specific needs of bankers. It was agreed that more work needs to be done here, preferably by the bankers themselves.
The morning finished with a presentation by Yves Le Roux on behalf of Eurobit, the European IT Manufacturers Association. Their principal concern was for the development of modular evaluation methodology. This would enable a system developed at different sites around the world to be assessed locally with consistency between evaluators.
The long-awaited session on international standards, for which so much had been promised, took place on the final afternoon. Notwithstanding a good briefing on international standards bodies by E. Humphries of BT, it proved to be a frustrating and disappointing session for the delegates. Despite continual and insistent questions on the future handling of the ITSEC criteria, the government background of the panel became obvious in its refusal to commit to any further action. Eventually M. Vincent-Carrefour admitted that the revised version of ITSEC may become available in about six months’ time. The repeated questioning from the floor seemed to indicate a need for:
• An outline on how current comments are being handled and eventually a paper on which were chosen and which were rejected and the reasons behind this.
• A more tangible organization for future input rather than simply four contact names.
• A plan of action for making ITSEC an internationally accepted standard.
The ‘trust us, we’ll take care of it’ attitude was not reassuring to the assembled businessmen who had earlier been asked to commit time and money to developing and extending the ITSEC criteria for their own sector needs. ITSEC will not be accepted, much less developed by business, if contributions disappear into the grey and mysterious inner workings of government agencies with no further comment or discussion. It is to be hoped that, by the time the revised ITSEC criteria are published, a more detailed framework for dialogue has been set up.
COMPUTER-RELATED FRAUD
A survey of the BIS casebook
Ken Wong, BIS Applied Systems
At BIS Applied Systems Limited we have collected a total of 232 cases of computer-related fraud which took place in the UK over a number of years. Where the information is available, each individual case documents the following details:
• type of abuse perpetrated
• when it took place
• identity of the perpetrator
• type of business of the victim company
• scheme of perpetration
• amount of loss attempted or lost
• how the crime was discovered
• penalty on the criminal.
Many of the details of individual cases have been published in the BIS Computer Related Fraud Casebook in 1987 and its update in 1988. We shall review the general findings here. Details on fraud control and detection can be found in the Elsevier publication ‘Managing Information Security’ by Ken Wong and Steven Watt.
© 1990 Elsevier Science Publishers Ltd
Losses
Figure 1 contrasts the 1983, 1986 and 1989 samples on the distribution of the amount defrauded in each case over the corresponding total of cases collected. All three graphs are similar in shape, i.e. a large number of cases recorded with losses of up to £10 000, and then gradually tailing off as the individual losses escalated. The average amount defrauded has risen from £31 000 in 1983 to £262 000 in 1986 and then £483 000 in 1989. This represents a 15-fold increase in value over the last six years, with most of the smaller loss cases being attributed to earlier cases which are common in all three samples taken. The maximum loss recorded has also gone up from £500 000 to £10 million and then £27 million over the three periods.

Nearly all of the high loss cases were of the Electronic Funds Transfer (EFT) type, and most were one-off attempts to effect a chain of illegal transfers of funds, Eurobonds or other securities overseas, ending up in Switzerland for cash conversion.
With an ever increasing number of applications exploiting electronic systems for cash transfer in electronic data interchange, cash management or the trading of securities, one can safely predict that incidents of high value fraud on EFT systems will increase in the future. So far the EFT frauds failed mostly on their last leg when the criminals went to collect the money from the fraud encashment. The success rate is likely to improve in future as professional or organized criminals bring their cash laundering expertise to the party.
Modus operandi
Figure 2 shows the relative proportions of the various schemes of perpetration. This allows for rounding errors in the figures and occasionally applying a combination of several schemes to perpetrate a single fraud, e.g. using a terminal to effect a fraudulent data entry or tamper with any existing transactions and colluding with another culprit to convert the financial gains on the computer systems into cash.
[Figure 1: Computer fraud losses. Number of cases plotted against loss in £100 000 for the 1983, 1986 and 1989 samples. Average loss: £31 000 in 1983, £262 000 in 1986, £483 000 in 1989.]

FIGURE 2: Computer related fraud - modus operandi.
  Fraudulent input .............. 63%
  Abuse of input and output ..... 14%
  Abuse of output ............... 7%
  Illegal program code .......... 7%
  Abuse of computer service ..... 9%
  Abuse of terminals ............ 26%
  Collusion ..................... 19%

Whereas hacking is mostly a favourite pastime of many outside computer hobbyists or investigative journalists attempting to intrude into public or corporate networks and systems for fun or malice, the majority of computer-related frauds were committed by trusted employees, sometimes in collusion with outsiders who are either trading partners to the company or simply the general public.
Motives for fraud were by and large attributed to greed or employees living beyond their means. In some cases the extra money was used for the affection of lovers who have since lost interest, to feed expensive hobbies or extravagant lifestyles or to balance the family budget when domestic circumstances or broken marriages have left the culprits living on hard times. In many cases, the culprit has stumbled on a system flaw or loophole which potentially could be exploited for private gains. He or she would try to divert a small sum of money illegally as a means to test if the scheme would work. Then the fraud would be repeated with much bigger sums involved.
In 63% of the cases, the culprits tampered with the data entry and associated source documents (N.B. in an increasingly paperless environment, such source documents may no longer exist in future), to modify a business transaction or funds transfer instruction to result in the money going to a different account or beneficiary, intercept customer payments, create bogus suppliers, ghost employees or phantom customers, claim cash refunds or delete debit instructions to escape debt repayments. Bona fide data transactions were delayed, intercepted, or removed with bogus transactions being added, or the data contents being modified to result in financial gains.
For example, a seventeen-year old bank clerk successfully swindled nearly one million pounds from a UK high street bank by transferring a cheque for £984 252 into a friend’s account via the bank’s computer system. He also paid £12 000 into his own account. He simply entered a debit for the amount and credited the same amount to his friend’s giro account at another bank, giving all his account details. Because everything tallied, there was no query.

The culprit had worked at a London West-end branch of the bank for less than a year and conceived the scheme shortly after he was allowed access to the main computer system. Suspicion began when colleagues noticed he was spending vast sums of money on electrical goods from Harrods in his lunch breaks. The culprit alleged that the bank regularly wrote off large sums of money when the computer printouts of transactions failed to match up. This was denied by the bank.
14% of the cases involved abuse of input transactions as well as destroying or suppressing the printed output or exception reports to eliminate any trace of wrongdoing. In some cases control totals were altered or the audit trail temporarily switched off to hide the perpetrations. Some culprits have full knowledge of the built-in control checking mechanisms and were able to circumvent such automated system controls in their fraud perpetrations. This is relatively easy to achieve in many PC business systems through exploiting known weaknesses in the operating systems.
For example, a 28-year old female banking officer working for the Dundee branch of a savings bank admitted that she embezzled £22 864 from the bank. She opened a series of bogus accounts and gave them overdraft facilities which she then used to withdraw money. She had access to a security over-ride on the computer, with which she was entrusted by her employers to carry out certain supervisory functions. To cover her fraud trail, on each of the bogus accounts she had opened she would use the computer over-ride to pre-date the opening balance to a date before the appointment of the branch manager, so that he would not become suspicious.

All the various bank documents relating to the bogus accounts appeared to have been completed by the culprit. The offences came to light when the branch manager conducted a review and found several accounts which he had no knowledge of, which led to the fraud discovery. The court criticized the bank for allowing the culprit, who was of a lowly staff status, to have access to the over-ride facility.

All the money defrauded went towards paying off debts and paying for expensive hobbies pursued by her husband. When the family debt incurred from a house purchase started to rise and her husband threatened to leave her, she began perpetrating the fraud to buy her husband’s affection.
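Two fraud-control checks suggested by the clerk’s case and the Dundee case above, written as an added Python example (not code from the article or from BIS); the record layouts, operator names, dates and the £10 000 dual-control threshold are assumptions.

```python
"""Added example (not from the BIS casebook or the article): two fraud-control
checks over constructed bank records, modelled on the clerk's self-keyed
transfer and the pre-dated bogus accounts described above. Field names, sample
values and the dual-control threshold are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Transfer:
    ref: str
    keyed_by: str                 # operator who entered the debit/credit pair
    authorised_by: Optional[str]  # second operator who approved it, if any
    debit_account: str
    credit_account: str
    amount: int                   # pounds


@dataclass
class AccountOpening:
    account: str
    opened_by: str
    grade: str                    # "clerk" or "supervisor"
    stated_open_date: date        # opening date written on the account record
    logged_date: date             # date the record actually entered the system
    override_used: bool           # security over-ride invoked when opening it
    overdraft_limit: int          # pounds


DUAL_CONTROL_LIMIT = 10_000       # assumed: transfers at or above this need a second person


def check_transfers(transfers: List[Transfer]) -> List[Tuple[str, str]]:
    """Dual control. The clerk's entries passed because debit and credit
    tallied; what was missing was an independent authoriser on a high-value
    transfer, so that is what this check looks for."""
    findings = []
    for t in transfers:
        if t.amount >= DUAL_CONTROL_LIMIT and t.authorised_by in (None, t.keyed_by):
            findings.append((t.ref, "high-value transfer without independent authoriser"))
    return findings


def check_openings(openings: List[AccountOpening]) -> List[Tuple[str, str]]:
    """Bogus-account pattern: opening date earlier than the system's own record
    of when it was created, over-ride used by junior staff, and an overdraft
    facility granted by the same person who opened the account."""
    findings = []
    for o in openings:
        if o.stated_open_date < o.logged_date:
            days = (o.logged_date - o.stated_open_date).days
            findings.append((o.account, f"opening date pre-dated by {days} days"))
        if o.override_used and o.grade != "supervisor":
            findings.append((o.account, "security over-ride used by non-supervisory staff"))
        if o.overdraft_limit > 0 and o.grade != "supervisor":
            findings.append((o.account, "overdraft facility granted by account creator"))
    return findings


# Constructed sample records; the two large amounts echo the cases, the rest is invented.
TRANSFERS = [
    Transfer("T1", "clerk17", None, "CUST-0001", "GIRO-FRIEND", 984_252),
    Transfer("T2", "clerk17", "clerk17", "CUST-0001", "CUST-CLERK17", 12_000),
    Transfer("T3", "clerk17", None, "CUST-0002", "CUST-0003", 450),
    Transfer("T4", "clerk02", "super01", "CUST-0004", "CUST-0005", 50_000),
]
OPENINGS = [
    AccountOpening("BOGUS-1", "officer28", "clerk", date(1986, 4, 1), date(1988, 9, 12), True, 3_000),
    AccountOpening("REAL-1", "super01", "supervisor", date(1988, 9, 12), date(1988, 9, 12), False, 500),
]

if __name__ == "__main__":
    for ref, why in check_transfers(TRANSFERS) + check_openings(OPENINGS):
        print(f"{ref}: {why}")
```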
7% of the cases involved exploiting computer reports or storage media to obtain sensitive information to look for fraud or crime opportunities. This includes such details as a company’s planned acquisitions, product recipes, elite customer lists, deceased debtors, cash rebates from standing orders, unclaimed welfare benefits or suspense-account write offs.
For instance, a burglary at a small town travel agency had the police perplexed as to the motive of the burglar, since it appeared that nothing was missing. Cash and cheques were still in the safe. None of the technical office equipment went missing and there was no evidence of vandalism. A couple of months later, another burglary was reported at the travel agency. Then a spate of burglaries occurred in the area, all of which were in wealthy homes while the occupants were away. The police inspector who conducted the burglary enquiry on the travel agent remembered that the company used a personal computer to store details of its customers, including their addresses and holiday bookings.

By comparing the list of burglaries compiled on wealthy homes against the travel agent’s customer file, he found all the burgled home owners had booked expensive holidays with the company. The customer database in this case had turned into a burglar’s guide. The thief obviously knew how to cover his tracks because the travel company found the PC and the printer were properly switched off the morning after the burglary and nothing was erased from the database. On the other hand there were no protection features, e.g. a physical key lock, boot protection, data encryption or access control installed on the computer system either.

Likewise the customer databases of investment advisors, expensive jewellers, accountants and home security companies (with details of alarms wiring) should be protected from the prying eyes of professional burglars.
7% of the cases involved technical staff exploiting their knowledge of operating systems, application programs and software utilities to introduce special error routines which automatically creamed off money or wrote off personal debts. Illegal coding was introduced to circumvent password checking, to control the use of sensitive system utilities in order to manipulate product pricing or discount facilities.
For example, cellular telephone retailers are being approached by criminals to buy a piece of special computer software designed to boost their customers’ bills illegally. The software was developed in the US and is being discreetly hawked around cellular airtime operators.

The illegal program enables operators to increase the size of customers’ bills by allowing them to inflate the total usage of the most commonly used numbers. Quite often customers would not know how many times they have dialled these numbers. The software enabled the operator to increase the number of such calls. The risk of a customer challenge is remote. The software allows the operators to insert additional calls into the computer billing system.
9% of the cases involved abuse of corporate computer service to sell computer time to private clients, using the employer’s computer to develop software for private sale, or taking bribes and commissions from contract programming agencies, service companies or equipment vendors in return for favourable considerations in work tenders.
For example, a 46-year-old assistant county treasurer and computer manager in the Midlands perpetrated a series of frauds over a period of ten years. He stole a total of £178 755 from the local council by using a network of secret bank accounts and bogus computer invoices from his friends, colleagues and the council.

He abused his close relationship with the mainframe computer vendor and a local computer support services company, as well as his position as treasurer of the local government user group in a computer users association. As a frequent visitor, the culprit stole headed notepaper from the computer vendor’s Birmingham office and from the computer support service company, as well as the computer user group invoicing stationery, and used these to send to his own department to charge his employer for software, hardware and services never received. He would mark each invoice so that the cheques paid out would be sent to him supposedly for forwarding. He would then intercept the cheques and launder them through fake bank accounts in the names of the user group and the service company.

Surprisingly nobody at the council ever questioned why a computer user group should be charging the council for software and services.

The culprit always enjoyed a very good lifestyle. The £23 000 a year manager spent £19 000 on a flat in Majorca, splashed out on home improvements and stashed away £20 000 in building societies.

The police were called in to look into his finances shortly after he and his wife returned from a fact-finding world tour of Australia, Malaysia, Canada and the US. Though no irregularities were found there, police did spot one flaw in his scheme. Apparently he had mistakenly paid a £16 500 council cheque into the genuine user group account instead of the phoney one which he had set up. This led to his arrest and eventual conviction. He was jailed for three years.
26% of the cases involved the use of remote terminals, VDU or cash dispenser terminals to initiate fraudulent transactions, employing powerful system commands such as the SYSTEST facility to access and manipulate control data, or to introduce illegal coding into computer systems. Several of the EFT frauds were perpetrated in this way.
For example, one Swiss bank in London had £27 million’s worth of Swiss francs transferred via the bank’s private network into a bank account in the small Swiss town of Nyon. Apparently the fraud was perpetrated by introducing an illegal telex into the EFT system using unauthorized passwords. The payment order went via the bank’s network to its Zurich branch and then via the SWIFT inter-bank message switching network to the Nyon branch of another Swiss bank.

The input authorization had apparently been correctly compiled, so the telex operator saw no reason for querying the transfer. At the receiving bank, staff were surprised at the high value of the transfer, which was not the amount they were used to dealing with. They queried it with London and the fraud was averted. On manual checking staff could not trace the original authorization. The Swiss police were alerted and detectives were waiting when one of the men arrived to collect the cash. Two men were arrested in Switzerland and a bank employee was arrested in London.
The problem with EFT systems is in the speed of executing funds transfer instructions. Unless the fraud control procedures are effective and fast, by the time normal banking procedures are applied to balance the books and the discovery made, the money will be long gone.
With automated teller machines (ATM) or cash dispensers, computer equipment for copying the details on the magnetic stripe card on to other blank magnetic cards can be easily obtained from a variety of sources. With some ATM cards, the personal identity number (PIN) is not recorded (normally stored in encrypted form) on the magnetic stripe. If someone were looking over the shoulder of another person withdrawing cash from an ATM, or using binoculars to note down the PIN entered, together with information on account number and account name obtained from a discarded receipt, a number of blank cards can be encoded with the data obtained and then used to defraud the account holder of the maximum amount on each forged card, without having to gain physical access to the original genuine cash dispenser card.

With ATM cards storing encrypted PINs on the magnetic stripe the popular crime was to open a bogus account with a nominal sum of cash to obtain the bona fide cash card for that account, and then to wait for the opportune moment when the ATM terminal was offline from the central customer account database, to use in succession each of the forged cards with data copied from the master card, to withdraw the maximum amount allowed. Being off-line, the ATM terminal was unable to check the customer account status during the withdrawal, which allowed the account to be heavily overdrawn with the use of many bogus cards. In one case, over £700 000 was lost to four culprits from the Midlands.
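The control the off-line terminal lacked in that case, and the reconciliation a host should run the moment the terminal reconnects, as an added Python example (not code from the article or from any bank’s system); account numbers, amounts, timestamps and the £200 daily limit are constructed.

```python
"""Added example (not from the article or any bank's software): the control
that an off-line ATM lacked in the case above, and the host-side reconciliation
that should run as soon as the terminal reconnects. Account numbers, amounts,
timestamps and the daily limit are constructed for illustration."""
from collections import defaultdict
from typing import Dict, List, Tuple

Entry = Tuple[str, str, int]          # (timestamp, account number, amount in pounds)

DAILY_LIMIT = 200                      # assumed per-account daily withdrawal cap

# Constructed off-line journal. Every forged card carries the master card's
# stripe data, so all four withdrawals on ACC-1 look like the same card.
OFFLINE_JOURNAL: List[Entry] = [
    ("1989-06-03T01:02", "ACC-1", 200),
    ("1989-06-03T01:04", "ACC-1", 200),
    ("1989-06-03T01:05", "ACC-1", 200),
    ("1989-06-03T01:07", "ACC-1", 200),
    ("1989-06-03T01:09", "ACC-2", 100),
]
# Ledger balances at the central database when the terminal went off-line.
BALANCES: Dict[str, int] = {"ACC-1": 50, "ACC-2": 900}


def offline_authorise(journal: List[Entry], daily_limit: int = DAILY_LIMIT):
    """Terminal-side control: keep a local per-account tally while off-line so
    a run of cloned cards cannot each draw the full limit. The first withdrawal
    still goes through without a balance check; that residual risk is what
    off-line operation costs. Returns (accepted, refused)."""
    drawn: Dict[str, int] = defaultdict(int)
    accepted: List[Entry] = []
    refused: List[Entry] = []
    for entry in journal:
        _, acct, amount = entry
        if drawn[acct] + amount > daily_limit:
            refused.append(entry)
        else:
            drawn[acct] += amount
            accepted.append(entry)
    return accepted, refused


def reconcile(journal: List[Entry], balances: Dict[str, int],
              daily_limit: int = DAILY_LIMIT) -> Dict[str, List[str]]:
    """Host-side check on reconnection: total off-line withdrawals per account
    against the ledger balance and the daily limit, rather than waiting for the
    normal end-of-day balancing to notice the overdraft."""
    totals: Dict[str, int] = defaultdict(int)
    for _, acct, amount in journal:
        totals[acct] += amount
    findings: Dict[str, List[str]] = {}
    for acct, total in totals.items():
        reasons = []
        available = balances.get(acct, 0)
        if total > available:
            reasons.append(f"overdrawn by {total - available}")
        if total > daily_limit:
            reasons.append(f"exceeded daily limit by {total - daily_limit}")
        if reasons:
            findings[acct] = reasons
    return findings


if __name__ == "__main__":
    accepted, refused = offline_authorise(OFFLINE_JOURNAL)
    print(f"terminal would refuse {len(refused)} of {len(OFFLINE_JOURNAL)} withdrawals")
    for acct, reasons in reconcile(OFFLINE_JOURNAL, BALANCES).items():
        print(acct, "; ".join(reasons))
```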
Fraud detection
Where details were available on how the crime came to light, Figure 3 shows the percentage breakdown of discovery from different means:

FIGURE 3: Computer related fraud - how detected.
  Audit ............................. 16%
  Internal control/management ....... 14%
  Victim complaint .................. 10%
  Management/system change .......... 7%
  Chance enquiry .................... 16%
  Tip-off/outside query ............. 16%
  High living ....................... 4%
  Unknown ........................... 17%

16% of the cases were detected by internal or external auditors’ audit reviews. Only 14% were detected by good management controls or system controls built into procedures and computer systems. 10% were discovered following complaints from victims who were either customers or the general public. 7% came to light as a result of change of management or organization structure or of changes made to the computer systems, e.g. in system conversion during migration to another hardware platform. Staff came across strange account codes or exception conditions which they could not comprehend and discovered the fraud on further investigation.
Of the remaining cases, 16% were detected by chance enquiries, especially while the culprit was away on leave and the fraud trail became exposed. 16% resulted from tip-offs to the police or to the culprit’s employer, mostly from jilted lovers, disaffected neighbours or colleagues who were not given a share of the takings. Occasionally the outside organization or bank receiving the funds transfer instruction became suspicious and initiated an enquiry which revealed the fraud.

3% were through colleagues or management becoming intrigued by the high living enjoyed by the culprit with relatively low income which was incompatible with their spending power, and either called in the police or initiated an internal investigation which led to the fraud discovery. Finally, Figure 4 shows the percentage breakdown of fraud targets in the sample of cases considered.

FIGURE 4: Computer related fraud - targets.
  Illegal funds transfer ............ 19%
  Customer payment .................. 17%
  Payroll/expenses .................. 18%
  Supplier payment .................. 15%
  Fraudulent goods/services ......... 9%
  Stock control/goods delivery ...... 7%
  Pensions/benefits ................. 5%
  Miscellaneous ..................... 10%
SYSTEM QUALITY AND COMPUTER SECURITY
The importance of system reliability
Peter Sommer
Virtual City Associates
What is the most likely cause for a computer unexpectedly to stop working properly? What is the largest single source of business failure associated with computers? It is not hacking, nor malign acts of sabotage, nor even the activities of fraudsters and business spies, but straightforward, unintended computer failure.
Computer security specialists forget this at their peril. No computer security review is complete unless the consultant pays some attention to the triggers for unplanned system failure. This is all the more important in those cases where the client arrives announcing that they have a virus or have been hacked. The chances are that they haven’t.
And there’s one further argument for paying attention to the subject: repeated failures in a computer system can provide a fraudster with a cloak of opportunities under which to carry out various manipulations, knowing that there is now a predisposition to doubt that the computer is able to provide reliable information about the company’s assets and accounts.
It is for this reason that the 1990 Compsec Conference had a stream devoted to the subject with contributions from academics and consultants to describe ways in which system quality can be evaluated and improved.
With the growth in availability of insurance policies which give some cover for computer-related business interruption (where the insurer pays out the losses your business suffers rather than just what it takes to repair or replace your computer), it has become necessary to develop rapid techniques for assessing whether a specific computer system is more, or less, likely to suffer an unexpected failure. (Other, more formal and rigorous methodologies were discussed at Compsec.) In this article I will pass on an outline of some of the indicators those of us who carry out large numbers of insurance surveys have learnt to look out for.
Adequacy of original specification
Computers can fail because they are of an insufficient size or resilience to cope with the throughput of work. One under-specified element in a computer network can cause the whole system to fall over. Sometimes systems are inadequate from inception, sometimes they become inadequate because the rate of growth has been poorly forecast. Again, the emphasis in a computer system’s workload can change; for example, a decision to adopt more audit-trailing places greater strains on disk drives and their associated controllers. A change in emphasis can invalidate the original calculations upon which the system was designed and the system resources become unbalanced.
Poor system development methods
The ‘back of a cigarette packet’ method of system design lives on. Sometimes it works, but it gives no comfort to the external surveyor. Modern system development methodologies are sometimes trumpeted for their cost- and time-saving qualities, but one of their undoubted advantages is that they force the use of definite stages of specification, initial approval,