A survey of the BIS casebook



November 1990 Computer Fraud & Security Bulletin

• Usefully separated correctness and effectiveness,

• but also commented that ITSEC did not meet the specific needs of bankers. It was agreed that more work needs to be done here, preferably by the bankers themselves.

The morning finished with a presentation by Yves Le Roux on behalf of Eurobit, the European IT Manufacturers Association. Their principal concern was for the development of modular evaluation methodology. This would enable a system developed at different sites around the world to be assessed locally with consistency between evaluators.

The long-awaited session on international standards, for which so much had been promised, took place on the final afternoon. Notwithstanding a good briefing on international standards bodies by E. Humphries of BT, it proved to be a frustrating and disappointing session for the delegates. Despite continual and insistent questions on the future handling of the ITSEC criteria, the government background of the panel became obvious in its refusal to commit to any further action. Eventually M. Vincent-Carrefour admitted that the revised version of ITSEC may become available in about six months time. The repeated questioning from the floor seemed to indicate a need for:

• An outline on how current comments are being handled and eventually a paper on which were chosen and which were rejected and the reasons behind this.

• A more tangible organization for future input rather than simply four contact names.

• A plan of action for making ITSEC an internationally accepted standard.

The ‘trust us, we’ll take care of it’ attitude was not reassuring to the assembled businessmen who had earlier been asked to commit time and money to developing and extending the ITSEC criteria for their own sector needs. ITSEC will not be accepted, much less developed by business, if contributions disappear into the grey and mysterious inner workings of government agencies with no further comment or discussion.

It is to be hoped that, by the time the revised ITSEC criteria are published, a more detailed framework for dialogue has been set up.

COMPUTER-RELATED FRAUD

A survey of the BIS casebook

Ken Wong, BIS Applied Systems

At BIS Applied Systems Limited we have collected a total of 232 cases of computer-related fraud which took place in the UK over a number of years. Where the information is available, each individual case documents the following details:

• type of abuse perpetrated
• when it took place
• identity of the perpetrator
• type of business of the victim company
• scheme of perpetration
• amount of loss attempted or lost
• how the crime was discovered
• penalty on the criminal.

Many of the details of individual cases have been published in the BIS Computer Related Fraud Casebook in 1987 and its update in 1988. We shall review the general findings here. Details on fraud control and detection can be found in the Elsevier publication ‘Managing Information Security’ by Ken Wong and Steven Watt.

©1990 Elsevier Science Publishers Ltd 9


Losses

Figure 1 contrasts the 1983, 1986 and 1989 samples on the distribution of the amount defrauded in each case over the corresponding total of cases collected. All three graphs are similar in shape, i.e. a large number of cases recorded with losses of up to £10 000, and then gradually tailing off as the individual losses escalated. The average amount defrauded has risen from £31 000 in 1983 to £262 000 in 1986 and then £483 000 in 1989. This represents a 15-fold increase in value over the last six years, with most of the smaller loss cases being attributed to earlier cases which are common in all three samples taken. The maximum loss recorded has also gone up from £500 000 to £10 million and then £27 million over the three periods.

The high loss cases were nearly all of the Electronic Funds Transfer (EFT) nature and most were one-off attempts to effect a chain of illegal transfers of funds, Eurobonds or other securities overseas, ending up in Switzerland for cash conversion.


With an ever increasing number of applications exploiting electronic systems for cash transfer in electronic data interchange, cash management or the trading of securities, one can safely predict that incidents of high value fraud on EFT systems will increase in the future. So far the EFT frauds failed mostly on their last leg when the criminals went to collect the money from the fraud encashment. The success rate is likely to improve in future as professional or organized criminals bring their cash laundering expertise to the party.

Modus operandi

Figure 2 shows the relative proportions of the various schemes of perpetration. This allows for rounding errors in the figures and occasionally applying a combination of several schemes to perpetrate a single fraud, e.g. using a terminal to effect a fraudulent data entry or tamper with any existing transactions and colluding with another culprit to convert the financial gains on the computer systems into cash.

[Figure 1: Computer fraud losses. Number of cases plotted against loss in £100 000 for the 1983, 1986 and 1989 samples; average loss £31 000 in 1983, £262 000 in 1986 and £483 000 in 1989.]

[Figure 2: Computer related fraud, modus operandi.]

Scheme of perpetration        Share of cases
Fraudulent input              63%
Abuse input and output        14%
Abuse output                   7%
Illegal program code           7%
Abuse computer service         9%
Abuse terminals               26%
Collusion                     19%

Whereas hacking is mostly a favourite pastime of many outside computer hobbyists or investigative journalists attempting to intrude into public or corporate networks and systems for fun or malice, the majority of computer-related frauds were committed by trusted employees, sometimes in collusion with outsiders who are either trading partners to the company or simply the general public.

Motives for fraud were by and large attributed to greed or employees living beyond their means. In some cases the extra money was used for the affection of lovers who have since lost interest, to feed expensive hobbies or extravagant life styles or to balance the family budget when domestic circumstances or broken marriages have left the culprits living on hard times. In many cases, the culprit has stumbled on a system flaw or loophole which potentially could be exploited for private gains. He or she would try to divert a small sum of money illegally as a means to test if the scheme would work. Then the fraud would be repeated with much bigger sums involved.

In 63% of the cases, the culprits tampered with the data entry and associated source documents (N.B. in an increasingly paperless environment, such source documents may no longer exist in future), to modify a business transaction or funds transfer instruction to result in the money going to a different account or beneficiary, intercept customer payments, create bogus suppliers, ghost employees or phantom customers, claim cash refunds or delete debit instructions to escape debt repayments. Bona fide data transactions were delayed, intercepted, or removed with bogus transactions being added, or the data contents being modified to result in financial gains.

For example, a seventeen-year old bank clerk successfully swindled nearly one million pounds from a UK high street bank by transferring a cheque for £984 252 into a friend’s account via the bank’s computer system. He also paid £12 000 into his own account. He simply entered a debit for the amount and credited the same amount to his friend’s giro account at another bank, giving all his account details. Because everything tallied, there was no query.

The culprit had worked at a London West-end branch of the bank for less than a year and conceived the scheme shortly after he was allowed access to the main computer system. Suspicion began when colleagues noticed he was spending vast sums of money on electrical goods from Harrods in his lunch breaks. The culprit alleged that the bank regularly wrote off large sums of money when the computer printouts of transactions failed to match up. This was denied by the bank.

14% of the cases involved abuse of input transactions as well as destroying or suppressing the printed output or exception reports to eliminate any trace of wrongdoing. In some cases control totals were altered or the audit trail temporarily switched off to hide the perpetrations. Some culprits have full knowledge of the built-in control checking mechanisms and were able to circumvent such automated system controls in their fraud perpetrations. This is relatively easy to achieve in many PC business systems through exploiting known weaknesses in the operating systems.

For example, a 28-year old female banking officer working for the Dundee branch of a savings bank admitted that she embezzled £22 864 from the bank. She opened a series of bogus accounts and gave them overdraft facilities which she then used to withdraw money. She had access to a security over-ride on the computer, with which she was entrusted by her employers to carry out certain supervisory functions. To cover her fraud trail, on each of the bogus accounts she had opened she would use the computer over-ride to pre-date the opening balance to a date before the appointment of the branch manager, so that he would not become suspicious.

All the various bank documents relating to the bogus accounts appeared to have been completed by the culprit. The offences came to light when the branch manager conducted a review and found several accounts which he had no knowledge of, which led to the fraud discovery. The court criticized the bank for allowing the culprit, who was of a lowly staff status, to have access to the over-ride facility.

All the money defrauded went towards paying off debts and paying for expensive hobbies pursued by her husband. When the family debt incurred from a house purchase started to rise and her husband threatened to leave her, she began perpetrating the fraud to buy her husband’s affection.
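The two bank cases above share one control gap: the clerk's balanced entry raised no query because nobody but him touched it, and the Dundee officer's over-ride let her back-date openings unchallenged. As an added example (not code from the casebook or BIS), here are two audit checks over a constructed journal that would have surfaced both; the row layout, operator names, supervisor list and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed journal (not real data). Each row is:
# (entry id, operator, action, account, amount in pounds,
#  value date the entry is recorded as effective, date it was actually keyed)
JOURNAL = [
    # One clerk debits a customer account and credits a giro account for the
    # same amount: the entry balances, so a totals-only control raises no query.
    ("E1", "clerk07", "debit",   "CUST-1001", 984_252, date(1989, 4, 3), date(1989, 4, 3)),
    ("E1", "clerk07", "credit",  "GIRO-5566", 984_252, date(1989, 4, 3), date(1989, 4, 3)),
    # Routine transfer keyed by one clerk and released by a second person.
    ("E2", "clerk02", "debit",   "CUST-2002",   1_500, date(1989, 4, 3), date(1989, 4, 3)),
    ("E2", "clerk02", "credit",  "CUST-3003",   1_500, date(1989, 4, 3), date(1989, 4, 3)),
    ("E2", "super01", "approve", "CUST-2002",   1_500, date(1989, 4, 3), date(1989, 4, 3)),
    # Account opened under the supervisory over-ride by a non-supervisor, with
    # the opening balance dated more than three years before it was keyed.
    ("E3", "officer9", "override", "ACC-9001",     0, date(1986, 1, 10), date(1989, 6, 2)),
    ("E3", "officer9", "open",     "ACC-9001",   100, date(1986, 1, 10), date(1989, 6, 2)),
    # Account opened normally by a supervisor on the day it was keyed.
    ("E4", "super01",  "open",     "ACC-9002",    50, date(1989, 6, 5), date(1989, 6, 5)),
]

SUPERVISORS = {"super01"}               # assumed: staff entitled to use the over-ride
TWO_PERSON_THRESHOLD = 10_000           # assumed: above this a second operator must approve
BACKDATE_TOLERANCE = timedelta(days=2)  # assumed: grace period for late posting


def flag_single_operator_entries(journal, threshold=TWO_PERSON_THRESHOLD):
    """Entries moving at least `threshold` whose every line, including any
    approval, was keyed by the same operator. Returns (entry, operator, amount)."""
    by_entry = defaultdict(list)
    for row in journal:
        by_entry[row[0]].append(row)
    flagged = []
    for entry_id, rows in by_entry.items():
        operators = {row[1] for row in rows}
        moved = max((row[4] for row in rows if row[2] in ("debit", "credit")), default=0)
        if moved >= threshold and len(operators) == 1:
            flagged.append((entry_id, next(iter(operators)), moved))
    return sorted(flagged)


def flag_backdated_openings(journal, supervisors=SUPERVISORS, tolerance=BACKDATE_TOLERANCE):
    """Account openings whose recorded date precedes the keying date by more than
    `tolerance`, and any use of the over-ride by staff outside `supervisors`."""
    flagged = []
    for entry_id, operator, action, account, _amount, value_date, keyed_on in journal:
        if action == "open" and keyed_on - value_date > tolerance:
            flagged.append((entry_id, account, "backdated", (keyed_on - value_date).days))
        if action == "override" and operator not in supervisors:
            flagged.append((entry_id, account, "override by non-supervisor", operator))
    return flagged


if __name__ == "__main__":
    for item in flag_single_operator_entries(JOURNAL):
        print("no second operator:", item)
    for item in flag_backdated_openings(JOURNAL):
        print("opening check:", item)
```

The first check is keyed on the entry, not the account, so it still fires when the debit and credit sit in different ledgers; the second compares the recorded opening date with the keying date, which an over-ride cannot rewrite.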

7% of the cases involved exploiting computer reports or storage media to obtain sensitive information to look for fraud or crime opportunities. This includes such details as a company’s planned acquisitions, product recipes, elite customer lists, deceased debtors, cash rebates from standing orders, unclaimed welfare benefits or suspense-account write offs.

For instance, a burglary at a small town travel agency had the police perplexed as to the motive of the burglar, since it appeared that nothing was missing. Cash and cheques were still in the safe. None of the technical office equipment went missing and there was no evidence of vandalism. A couple of months later, another burglary was reported at the travel agency.

Then a spate of burglaries occurred in the area, all of which were in wealthy homes while the occupants were away. The police inspector who conducted the burglary enquiry on the travel agent remembered that the company used a personal computer to store details of its customers, including their addresses and holiday bookings.

By comparing the list of burglaries compiled on wealthy homes against the travel agent’s customer file, he found all the burgled home owners had booked expensive holidays with the company. The customer database in this case had turned into a burglar’s guide. The thief obviously knew how to cover his tracks because the travel company found the PC and the printer were properly switched off the morning after the burglary and nothing was erased from the database. On the other hand there were no protection features, e.g. a physical key lock, boot protection, data encryption or access control installed on the computer system either.

Likewise the customer databases of investment advisors, expensive jewellers, accountants and home security companies (with details of alarms wiring) should be protected from the prying eyes of professional burglars.

7% of the cases involved technical staff exploiting their knowledge of operating systems, application programs and software utilities to introduce special error routines which automatically creamed off money or wrote off personal debts. Illegal coding was introduced to circumvent password checking, to control the use of sensitive system utilities in order to manipulate product pricing or discount facilities.

For example, cellular telephone retailers are being approached by criminals to buy a piece of special computer software designed to boost their customers’ bills illegally. The software was developed in the US and is being discreetly hawked around cellular airtime operators.

The illegal program enables operators to increase the size of customers’ bills by allowing them to inflate the total usage of the most commonly used numbers. Quite often customers would not know how many times they have dialled these numbers. The software enabled the operator to increase the number of such calls. The risk of a customer challenge is remote. The software allows the operators to insert additional calls into the computer billing system.


9% of the cases involved abuse of corporate computer service to sell computer time to private clients, using the employer’s computer to develop software for private sale, or taking bribes and commissions from contract programming agencies, service companies or equipment vendors in return for favourable considerations in work tenders.

For example, a 46-year old assistant county treasurer and computer manager in the Midlands perpetrated a series of frauds over a period of ten years. He stole a total of £178 755 from the local council by using a network of secret bank accounts and bogus computer invoices from his friends, colleagues and the council.

He abused his close relationship with the mainframe computer vendor and a local computer support services company, as well as his position as treasurer of the local government user group in a computer users association. As a frequent visitor, the culprit stole headed notepaper from the computer vendor’s Birmingham office and from the computer support service company, as well as the computer user group invoicing stationery, and used these to send to his own department to charge his employer for software, hardware and services never received. He would mark each invoice so that the cheques paid out would be sent to him supposedly for forwarding. He would then intercept the cheques and launder them through fake bank accounts in the names of the user group and the service company.

Surprisingly nobody at the council ever questioned why a computer user group should be charging the council for software and services.

The culprit always enjoyed a very good lifestyle. The £23 000 a year manager spent £19 000 on a flat in Majorca, splashed out on home improvements and stashed away £20 000 in building societies.

The police were called in to look into his finances shortly after he and his wife returned from a fact-finding world tour of Australia, Malaysia, Canada and the US. Though no irregularities were found there, police did spot one flaw in his scheme. Apparently he had mistakenly paid a £16 500 council cheque into the genuine user group account instead of the phoney one which he had set up. This led to his arrest and eventual conviction. He was jailed for three years.

26% of the cases involved the use of remote terminals, VDU or cash dispenser terminals to initiate fraudulent transactions, employing powerful system commands such as the SYSTEST facility to access and manipulate control data, or to introduce illegal coding into computer systems. Several of the EFT frauds were perpetrated in this way.

For example, one Swiss bank in London had £27 million’s worth of Swiss francs transferred via the bank’s private network into a bank account in the small Swiss town of Nyon. Apparently the fraud was perpetrated by introducing an illegal telex into the EFT system using unauthorized passwords. The payment order went via the bank’s network to its Zurich branch and then via the SWIFT inter-bank message switching network to the Nyon branch of another Swiss bank.

The input authorization had apparently been correctly compiled, so the telex operator saw no reason for querying the transfer. At the receiving bank, staff were surprised at the high value of the transfer, which was not the amount they were used to dealing with. They queried it with London and the fraud was averted. On manual checking staff could not trace the original authorization. The Swiss police were alerted and detectives were waiting when one of the men arrived to collect the cash. Two men were arrested in Switzerland and a bank employee was arrested in London.

The problem with EFT systems is in the speed of executing funds transfer instructions. Unless the fraud control procedures are effective and fast, by the time normal banking procedures are applied to balance the books and the discovery made, the money will be long gone.
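The Nyon transfer was stopped because the receiving staff found the amount out of keeping with that route and then could not trace the originating authorization. As an added example (not the bank's or the bulletin's code), here is that judgement as a pre-release check a receiving system can apply to every incoming order before funds move, which is the speed point made above; the route names, payment history, authorization register and the 10x multiplier are assumptions.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class PaymentOrder:
    reference: str
    route: str        # originating branch -> receiving branch, e.g. "LON-ZRH"
    amount: int       # in the order's currency units (constructed values)
    auth_ref: str     # input authorization quoted by the originating branch


# Constructed history of amounts previously received over each route.
HISTORY = {
    "LON-ZRH": [120_000, 95_000, 310_000, 150_000, 240_000, 180_000],
}

# Constructed register of input authorizations the originating branch has on
# file; in practice this is queried back over the bank's own network before
# release, rather than traced by hand after the event.
AUTHORIZATION_REGISTER = {
    "LON-ZRH": {"AUTH-0412", "AUTH-0413", "AUTH-0414"},
}

OUTLIER_MULTIPLIER = 10   # assumed: hold anything above 10x the route's median


def review_order(order, history=HISTORY, register=AUTHORIZATION_REGISTER,
                 multiplier=OUTLIER_MULTIPLIER):
    """Decide before release. Returns ("release", []) or ("hold", [reasons])."""
    reasons = []
    past = history.get(order.route, [])
    if not past:
        # An unknown route gets a human look rather than an automatic release.
        reasons.append("no payment history for route %s" % order.route)
    elif order.amount > multiplier * median(past):
        reasons.append("amount %d exceeds %dx route median %d"
                       % (order.amount, multiplier, median(past)))
    if order.auth_ref not in register.get(order.route, set()):
        reasons.append("authorization %s not on originating branch's register"
                       % order.auth_ref)
    return ("hold", reasons) if reasons else ("release", [])


ROUTINE = PaymentOrder("PO-1", "LON-ZRH", 200_000, "AUTH-0412")
# Constructed stand-in for the fraudulent order: far above anything seen on the
# route and quoting an authorization the originating branch never issued.
SUSPECT = PaymentOrder("PO-2", "LON-ZRH", 27_000_000, "AUTH-9999")

if __name__ == "__main__":
    for order in (ROUTINE, SUSPECT):
        decision, why = review_order(order)
        print(order.reference, decision, why)
```

Either reason alone is enough to hold the order; the two are independent so that a correctly compiled but unusual order and a usual-sized order with a bogus authorization are both caught.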


With automated teller machines (ATM) or cash dispensers, computer equipment for copying the details on the magnetic stripe card on to other blank magnetic cards can be easily obtained from a variety of sources. With some ATM cards, the personal identity number (PIN) is not recorded (normally stored in encrypted form) on the magnetic stripe. If someone were looking over the shoulders of another person withdrawing cash from an ATM, or using binoculars to note down the PIN entered, together with information on account number and account name obtained from a discarded receipt, a number of blank cards can be encoded with the data obtained and then used to defraud the account holder of the maximum amount on each forged card, without having to gain physical access to the original genuine cash dispenser card.

With ATM cards storing encrypted PINs on the magnetic stripe the popular crime was to open a bogus account with a nominal sum of cash to obtain the bona fide cash card for that account, and then to wait for the opportune moment when the ATM terminal was off-line from the central customer account database, to use in succession each of the forged cards with data copied from the master card, to withdraw the maximum amount allowed. Being off-line, the ATM terminal was unable to check the customer account status during the withdrawal, which allowed the account to be heavily overdrawn with the use of many bogus cards. In one case, over £700 000 was lost to four culprits from the Midlands.
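The off-line attack above works because a stand-in terminal approves each card on its own, with no view of the account and no notion that many cards are presenting the same account number. As an added example (not the bulletin's or any bank's code), the simulation below contrasts a terminal with no off-line limit against one that keeps a cumulative per-account cap while cut off; the account number, balances, limits and clone count are constructed assumptions.

```python
from typing import Dict, Optional


class StandInAuthorizer:
    """Models an ATM approving withdrawals while cut off from the account
    database. It never sees balances; all it can do is bound its own exposure."""

    def __init__(self, per_withdrawal_limit: int = 250,
                 offline_cap: Optional[int] = None) -> None:
        self.per_withdrawal_limit = per_withdrawal_limit
        self.offline_cap = offline_cap            # cumulative per account; None = no cap
        self.offline_tally: Dict[str, int] = {}   # account number -> paid out off-line

    def authorize(self, account_no: str, amount: int) -> bool:
        if amount > self.per_withdrawal_limit:
            return False
        paid = self.offline_tally.get(account_no, 0)
        # Every forged card carries the genuine account number, so a cap keyed on
        # the account rather than the card bounds the total across all the clones.
        if self.offline_cap is not None and paid + amount > self.offline_cap:
            return False
        self.offline_tally[account_no] = paid + amount
        return True


def reconcile(balances: Dict[str, int], atm: StandInAuthorizer) -> Dict[str, int]:
    """On reconnection, post the off-line withdrawals and return the closing
    balance of every account that ends up overdrawn."""
    posted = {acct: balances.get(acct, 0) - paid
              for acct, paid in atm.offline_tally.items()}
    return {acct: bal for acct, bal in posted.items() if bal < 0}


def run_clone_scenario(offline_cap: Optional[int], clones: int = 10,
                       amount: int = 250, opening_balance: int = 50):
    """Constructed scenario: `clones` cards copied from one bogus account holding a
    nominal balance are presented in succession while the terminal is off-line.
    Returns (withdrawals approved, closing balance of the account)."""
    account = "ACCT-0001"                       # constructed account number
    atm = StandInAuthorizer(offline_cap=offline_cap)
    approved = sum(atm.authorize(account, amount) for _ in range(clones))
    overdrawn = reconcile({account: opening_balance}, atm)
    closing = overdrawn.get(account,
                            opening_balance - atm.offline_tally.get(account, 0))
    return approved, closing


if __name__ == "__main__":
    print("no off-line cap:       ", run_clone_scenario(offline_cap=None))
    print("cap of 250 per account:", run_clone_scenario(offline_cap=250))
```

Even with the cap the account still closes overdrawn, because the terminal never knows the balance; the cap limits the loss to one off-line allowance per account instead of one per forged card.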

Fraud detection

Where details were available on how the crime came to light, Figure 4 shows the percentage breakdown of discovery from different means:

16% of the cases were detected by internal or external auditors’ audit reviews. Only 14% were detected by good management controls or system controls built into procedures and computer systems. 10% were discovered following complaints from victims who were either customers or the general public. 7% came to light as a result of change of management or organization structure or of changes made to the computer systems, e.g. in system conversion during migration to another hardware platform. Staff came across strange account codes or exception conditions which they could not comprehend and discovered the fraud on further investigation.

[Figure 3: Computer related fraud, how detected.]

Means of detection              Share of cases
Audit                           16%
Internal control/management     14%
Victim complaint                10%
Management/system change         7%
Chance enquiry                  16%
Tip off/outside query           16%
High living                      4%
Unknown                         17%

Of the remaining cases, 16% were detected by chance enquiries, especially while the culprit was away on leave and the fraud trail became exposed. 16% resulted from tip-offs to the police or to the culprit’s employer, mostly from jilted lovers, disaffected neighbours or colleagues who were not given a share of the takings. Occasionally the outside organization or bank receiving the funds transfer instruction became suspicious and initiated an enquiry which revealed the fraud.

[Figure 4: Percentage breakdown of fraud targets in the sample of cases considered.]

Fraud target                    Share of cases
Illegal funds transfer          19%
Customer payment                17%
Payroll/expenses                18%
Supplier payment                15%
Fraudulent goods/services        9%
Stock control/goods delivery     7%
Pensions/benefits                5%
Miscellaneous                   10%

3% were through colleagues or management becoming intrigued by the high living enjoyed by the culprit with relatively low income which was incompatible with their spending power, and either called in the police or initiated an internal investigation which led to the fraud discovery. Finally, Figure 5 shows the percentage breakdown of fraud targets in the sample of cases considered.

SYSTEM QUALITY AND COMPUTER SECURITY

The importance of system reliability

Peter Sommer

Virtual City Associates

What is the most likely cause for a computer unexpectedly to stop working properly? What is the largest single source of business failure associated with computers? It is not hacking, nor malign acts of sabotage, nor even the activities of fraudsters and business spies, but straightforward, unintended computer failure.

Computer security specialists forget this at their peril. No computer security review is complete unless the consultant pays some attention to the triggers for unplanned system failure. This is all the more important in those cases where the client arrives announcing that they have a virus or have been hacked. The chances are that they haven’t.

And there’s one further argument for paying attention to the subject: repeated failures in a computer system can provide a fraudster with a cloak of opportunities under which to carry out various manipulations, knowing that there is now a predisposition to doubt that the computer is able to provide reliable information about the company’s assets and accounts.

It is for this reason that the 1990 Compsec Conference had a stream devoted to the subject with contributions from academics and consultants to describe ways in which system quality can be evaluated and improved.

With the growth in availability of insurance policies which give some cover for computer-related business interruption (where the insurer pays out the losses your business suffers rather than just what it takes to repair or replace your computer), it has become necessary to develop rapid techniques for assessing whether a specific computer system is more, or less, likely to suffer an unexpected failure. (Other, more formal and rigorous methodologies were discussed at Compsec.) In this article I will pass on an outline of some of the indicators those of us who carry out large numbers of insurance surveys have learnt to look out for.

Adequacy of original specification

Computers can fail because they are of an insufficient size or resilience to cope with the throughput of work. One under-specified element in a computer network can cause the whole system to fall over. Sometimes systems are inadequate from inception, sometimes they become inadequate because the rate of growth has been poorly forecast. Again, the emphasis in a computer system’s workload can change; for example, a decision to adopt more audit-trailing places greater strains on disk drives and their associated controllers. A change in emphasis can invalidate the original calculations upon which the system was designed and the system resources become unbalanced.

Poor system development methods

The ‘back of a cigarette packet’ method of system design lives on. Sometimes it works, but it gives no comfort to the external surveyor. Modern system development methodologies are sometimes trumpeted for their cost- and time-saving qualities, but one of their undoubted advantages is that they force the use of definite stages of specification, initial approval,
