

Vol. 9, No. 1, Page 3

COMPUTER FRAUD IN THE UK - THE 1986 PICTURE

problem in attempting to audit microcomputers as opposed to a company's traditional mainframe system is the sheer numbers in use. "The micro is typified by its single person management, operation, and, often, use. This heightens all the control problems that we normally put under the heading of segregation of duties." Mr Boddington felt the answer was not to increase the number of specialist computer auditors, but to give general auditors better training so they can audit the micros used in an organization. "In Shell UK, we are preparing a package of documentation and training which is designed to equip the general auditor with everything he needs to approach micros with confidence," Mr Boddington explained.

1. INTRODUCTION

BIS brought out the first edition of its Computer Related Fraud Casebook in March 1983, which contained 95 UK cases compiled by Ken Wong and Bill Farquhar. The second edition containing over 190 cases came out recently. As before, each case is analysed according to the following headings:

reference (i.e. source of information)
date
perpetrator
victim
scheme
amount
how discovered
penalty
comment (i.e. lessons learnt and suggestions for control improvement)

The casebook is priced at £50 and available from BIS Applied Systems, 20 Upper Ground, London SE1 9PN, UK.

The following is an analysis of the findings from 188 cases. As the casebook went to print, further cases came to light which were also included in the casebook.

2. LOSSES

Figure 1 contrasts the 1983 sample with the 1986 sample on the distribution of the amount defrauded in each case over the corresponding total of cases collected. Both graphs were similar in shape, i.e. a large number of cases recorded with losses of up to £10 000, and then gradually tailing off as the individual losses escalated. The average amount defrauded had gone up from £31 000 in 1983 to £262 000 in 1986 - an eightfold increase.

© 1986 Elsevier Science Publishers B.V. (Information & Business Division), Amsterdam. /86/$0.00 + 2.20. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)


The maximum loss recorded had also gone up from £500 000 to £10 million. The majority of the high loss cases were of the Electronic Funds Transfer (EFT) nature and most were one-off attempts to effect a chain of illegal transactions overseas, ending up in Switzerland for final encashment.

Figure 1: Distribution of computer fraud losses in UK (curves for 1983 and 1986; horizontal axis: loss in £100,000; average loss £31,000 in 1983 and £262,000 in 1986)

Electronic Funds Transfer frauds have drastically altered the characteristics of commercial fraud. The traditional approach was to operate within limits to milk small sums of money over a protracted period and to embed the fraudulent scheme in a host of legitimate transactions to escape detection. Often the culprit had to work hard over a number of years in order to build up a private nest-egg, even to the extent of never taking long holidays and regularly working late after office hours to push through the illegal transactions or to cover the fraud trail. With EFT systems, the fraud only required one high value transaction to be successfully diverted or initiated to result in substantial gains, and the culprit could afford to retire immediately to South America or the 'Costa del Crime' in Spain.

3. FRAUD PERPETRATOR

As with the 1983 cases, Figure 2 shows the male perpetrators outnumbered female culprits by the ratio 4:1, and the former were bolder than the latter in their schemes, which resulted in higher losses. Against such findings one obviously has to take into account the predominance of males against females employed in most organizations.


Figure 2: Distribution of fraud losses by male and female culprits (horizontal axis: loss in £100,000)

Figure 3: Distribution of fraud losses by management and staff/external perpetrators (horizontal axis: loss in £100,000)

Figure 3 contrasts the relative loss distributions of cases perpetrated by culprits holding management or supervisory positions against junior employees or outsiders. This is a major departure from the 1983 situation where junior staff concentrated on obtaining small amounts whilst management would set their sights higher and dominated the high value loss cases.

With the 1986 cases, junior staff or outsiders still accounted for a high proportion of small cases. Then management took over and were ahead in the mid-range losses. Finally junior staff or outsiders took the lead on high loss schemes as management decided to opt out for fear of detection. It would appear to reinforce the view that culprits holding management positions have mostly elected to stay with the organization whilst at the same time defrauding their employers in order to sustain their high living. Funds transfer systems on the other hand were mostly run by relatively young employees i.e. 24-35 years old, who were highly regarded and trusted by their employers, to effect hundreds of EFT transactions with typical amounts running to millions of pounds. The unscrupulous young executives were more willing to gamble on the consequences of being detected, given the many opportunities available in normal working conditions for a one-off killing to play on high stakes, and then go into hiding in another country.

Only 22% of the cases involved computer people working in isolation, with a further 6% working in collusion with business users or staff in their scheming. The rest were perpetrated by dishonest business users who spotted a weakness in their systems and were able to exploit the loophole to take money from employers, customers, or business associates.

Motives for fraud were by and large attributed to greed and culprits living beyond their means. In some cases domestic problems from broken marriages, extra-marital relationships, expensive hobbies or pursuits, as well as personal debts diverted the culprits' work efforts to look for short cuts to balance their books or to feed their habits. Once the fraud appeared to work successfully, greed and expectations rose sharply and the scheme was perpetuated.

4. FRAUD VICTIMS

Figure 4 shows the distribution of fraud victims in various public and private sectors. Comparison with the 1983 cases showed that the proportion of cases in the financial service sector had gone up from 29% to 37%. The general public had also fallen victim to bogus offers of computer-related products or services such as mail order software packages and hardware maintenance. Money was sent off following press advertisements for attractive low-cost software or cut-price service contracts. In return the mail order product never arrived and the bubble company burst out of existence, or the service personnel despatched were found to consist of inexperienced youngsters employed under the Youth Training Scheme.


Figure 4: Distribution of fraud victims

5. MODUS OPERANDI

Figure 5 shows that the relative proportions of the various schemes of perpetration were similar between the 1983 and the 1986 cases, allowing for rounding errors in the figures and for the occasional use of a combination of several schemes to perpetrate a single fraud, e.g. using a terminal to effect an illegal transaction and employing an accomplice to obtain the ill-gotten gains. Nevertheless Figure 5 shows that abuse of terminals had gone up from 15% to 22%. This is in line with the growth of on-line systems against the previous predominantly batch processing environment. Unfortunately this suggests that simply having a strongly fortified data centre will not deter frauds from being successfully perpetrated from remote terminals. Protection must now be applied across the board to bridge any inherent weakness in the communications network, dial up access, or physical control of business terminals. The proportion of cases involving collusion with internal colleagues or outside criminals also went up from 13% to 18%, indicating that collusion probably rendered the scheme simpler and easier to execute. For funds transfer frauds, with few exceptions, outside criminals were implicated in the last leg of the crime to supply their expertise to collect and launder the cash defrauded.

Scheme                         '83    '86
Fraudulent input               63%    63%
Abuse input and output         12%    12%
Abuse output                    7%     7%
Illegal program code            5%     6%
Abuse terminals                15%    22%
Abuse computer service          7%     8%
Collusion                      13%    18%

Figure 5: Schemes of perpetration


Unlike hacking, a favourite pastime of mischievous youngsters or investigative journalists intruding into public or corporate networks from the outside, the majority of computer-related frauds were found to be perpetrated by trusted employees or supervisors abusing their privileged positions to obtain personal gains at the expense of their employers.

In 63% of the cases, the culprits tampered with input transactions and associated source documents to transfer or divert payments from customer accounts to other beneficiaries, intercept customer payments, create bogus suppliers, ghost employees or phantom customers, claim cash refunds, or pay off outstanding debts. Bona fide input was delayed, intercepted, or removed with bogus transactions being added or the details of bona fide transactions being manipulated to result in personal gains. In one case an electronic bugging device was planted outside the office building in the junction box nearby, where the external communication lines terminate, to eavesdrop on user passwords to gain access to the computer system.

12% of the cases involved abuse of input transactions as well as destroying or suppressing the printed output or exception reporting to eliminate the fraud trail. In some cases, control balances were altered or the audit trail temporarily switched off to hide the illegal tampering or diverting of funds. Some culprits had gained in-depth knowledge of the automatic control checking built into their business systems and were able to circumvent such system controls in their fraud perpetration.

7% of the cases involved exploiting computer reports or accessing sensitive data, to use the information thus obtained to look for fraud opportunities. This includes details such as a company's planned acquisitions, document customer accounts, deceased debtors, cash rebates for standing orders, unclaimed benefits, or suspense account write-offs.

8% of the cases involved abuse of corporate computer services to sell computer time to private clients, using the firm's computer to develop software for private sale, or taking bribes and commissions from contract programmers, services companies, or equipment vendors in return for granting special favours.

Only 6% of the cases involved technical staff exploiting their knowledge of operating systems, application programs, and software utilities to introduce special error routines which automatically creamed off money or wrote off personal debts. For example, the powerful 'EDIT' system utility was employed to alter or manipulate stock positions as a means of covering up stock pilferage and short deliveries, and there was no reporting of such abuse in the audit trail. Illegal coding was introduced to circumvent the password checking which controls the use of sensitive system functions, in order to manipulate product pricing, or to grant discounts. Logic bombs were implanted in applications programs as a means of exacting ransom demands from ex-employers or of providing constant demands for system maintenance from rogue contractors. The illegal code may be invoked by some action trigger based on meeting certain prescribed conditions or a preselected date, when the entire application will crash. Depending on circumstances the system may be repaired by removing the illegal coding or feeding in a special code to temporarily cure a recurring disorder.

22% of the cases involved the use of remote terminals or visual screen displays to initiate fraudulent transactions, employ powerful system commands to access and manipulate central data, or to introduce illegal coding into computer systems. There were several cases reported of staff abusing unattended office terminals or hackers obtaining property by deception from information providers on the Prestel network. This points to the inherent weakness of crude, simple password systems as well as the general lack of security awareness among office users to adopt good quality passwords, enforce regular renewal of security codes, or to heed the safe custody of sensitive data and passwords. Figure 6 shows the proportion of attacks on various types of business systems as fraud targets.

Illegal funds transfer          19%
Customer payment                17%
Payroll/expenses                16%
Supplier payment                14%
Fraudulent goods/service         8%
Stock control/goods delivery     7%
Pensions/benefits                6%
Miscellaneous                   13%

Figure 6: Targets for computer fraud.

6. FRAUD DETECTION

Where details were available on how the crime came to light, 15% of the cases were detected by vigilant internal or external auditors in their routine company audits and system reviews. 16% were detected by astute management using controls built into applications and clerical procedures. 10% were discovered following complaints from victims, e.g. customers or the general public. 7% came to light as a result of management changes or reprogramming the application for new computing equipment. These all fall into the general category of good management controls which successfully spotted the crime.

Of the remaining cases, 15% were detected by chance enquiries, especially in the culprit's absence which prevented him from attempting to cover up his trail. 15% resulted from tip-offs to the police or to the culprit's employer - mostly from jilted lovers, disaffected neighbours, or colleagues who were refused a share of the takings. Occasionally a public outcry would also lead to a rampant fraud being investigated and the culprits brought to justice.

3% were spotted by suspicious management or colleagues through the culprits being indiscreet with their sudden wealth, and openly flaunting their extravagant acquisitions, e.g. sports cars and chic clothing. Others were seen in expensive restaurants and hotels, or taking luxury holidays and cruises. Soon eyebrows were raised and attention centred on their means of supporting their high living. Stories of sudden prosperity resulting from strokes of good fortune in horse racing or shares trading or a rich inheritance from remote relations were carefully scrutinized and challenged to establish their true source of income.

7. PENALTIES FOR COMPUTER CRIMINALS

As with the 1983 cases, practically all the internal culprits were dismissed from their jobs. 25% of the known cases did not result in prosecution. In some cases employers felt the adverse publicity would damage the corporate image or the company's share price. There were also others who were deterred by their legal advisers saying that the evidence obtained would not effect successful prosecution. In any case, the culprit could not materially recompense for the losses even if the case was won. Furthermore, busy executives would have to find valuable time over a long period to assist the police with case enquiries. This would entail further monetary setbacks to the company. The case would then be quietly dropped.

For small loss cases, many perpetrators were put on probation or given suspended jail sentences, and either fined or asked to make restitution to the victim. These were primarily first-time offenders, which accounted for the light punishments received. For those who opted to play for high stakes or who already held previous criminal records, the convicted were put behind bars for between six months and seven years, with an average span of 25 months.

8. FUTURE IMPLICATIONS

As the number of computer-related fraud cases grows in the financial service sector, with more high-value funds transfer frauds being reported, banks and insurance companies are increasingly concerned at the potential vulnerabilities lurking in their financial systems. We have seen a mushroom growth of encryption and authentication products from vendors to address such needs. Yet we are aware that authentication and dual control procedures are not always stipulated or followed, even in some major banking institutions. Several fraud cases have also highlighted the lax attitude of some users who choose to ignore corporate instructions to regularly renew their passwords, avoid sharing common passwords in the office, or enforce regular job rotation. The general quality of user passwords remains poor, with common English words or names being regularly adopted to protect valuable data. Good security calls for a complete re-appraisal of the general level of security awareness of business users and the training requirements necessary to improve their attitude and working practice.
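As an added illustration, not code from the casebook or from BIS, the Python below sketches the dual control and segregation-of-duties checks this section finds missing, applied to the one-off high-value funds transfer that section 2 identifies as the typical high-loss case; the threshold, user ids, beneficiary list and sample instructions are all assumed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed threshold (in £) above which a transfer needs a second, independent
# approver. The figure is constructed for this example, not taken from the casebook.
DUAL_CONTROL_THRESHOLD = 50_000


@dataclass
class Instruction:
    """One funds-transfer instruction as keyed at a terminal (constructed shape)."""
    ref: str
    amount: int                      # £ value of the transfer
    beneficiary: str                 # identifier of the receiving account
    initiator: str                   # user who keyed the instruction
    approver: Optional[str] = None   # user who released it, if anyone has


def check_instruction(ins: Instruction, known_beneficiaries: Set[str],
                      threshold: int = DUAL_CONTROL_THRESHOLD) -> List[str]:
    """Per-instruction controls. Returns the violations found; an empty list
    means the instruction may be released."""
    violations: List[str] = []
    if ins.amount > threshold:
        # Dual control: a high-value transfer must be released by a second person.
        if ins.approver is None:
            violations.append("high-value transfer has no second approver")
        elif ins.approver == ins.initiator:
            # Segregation of duties: keying and releasing must not be the same user.
            violations.append("initiator released own instruction (segregation of duties)")
    if ins.beneficiary not in known_beneficiaries:
        # A diverted payment surfaces as a beneficiary nobody has vetted, so a
        # first-time beneficiary is held for review whatever the amount.
        violations.append("beneficiary not on the approved list")
    return violations


def review_batch(instructions: List[Instruction], known_beneficiaries: Set[str],
                 threshold: int = DUAL_CONTROL_THRESHOLD) -> Dict[str, List[str]]:
    """Run the per-instruction checks over a batch, then an aggregate check so
    that one initiator cannot split a large payment into several sub-threshold
    instructions to the same beneficiary and release them alone."""
    held: Dict[str, List[str]] = {}
    for ins in instructions:
        found = check_instruction(ins, known_beneficiaries, threshold)
        if found:
            held[ins.ref] = found

    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for ins in instructions:
        totals[(ins.initiator, ins.beneficiary)] += ins.amount

    for ins in instructions:
        if ins.amount > threshold:
            continue  # already covered by the per-instruction dual-control check
        over_limit = totals[(ins.initiator, ins.beneficiary)] > threshold
        if over_limit and ins.approver in (None, ins.initiator):
            held.setdefault(ins.ref, []).append(
                "aggregate to this beneficiary exceeds threshold without independent approval")
    return held


# Constructed sample batch: user ids, references and amounts are invented.
KNOWN_BENEFICIARIES = {"ACME-SUPPLIES", "PAYROLL-BUREAU"}
SAMPLE_BATCH = [
    Instruction("T001", 12_000, "ACME-SUPPLIES", "jsmith", "afox"),   # routine, released by a second user
    Instruction("T002", 2_500_000, "ZRH-PRIVATE-01", "jsmith"),       # one-off high value to an unknown account
    Instruction("T003", 80_000, "PAYROLL-BUREAU", "afox", "afox"),    # high value, self-released
    Instruction("T004", 30_000, "ACME-SUPPLIES", "bkhan"),            # two halves of one £60 000 payment,
    Instruction("T005", 30_000, "ACME-SUPPLIES", "bkhan"),            # each below the threshold on its own
]

if __name__ == "__main__":
    for ref, reasons in review_batch(SAMPLE_BATCH, KNOWN_BENEFICIARIES).items():
        print(ref, "HELD:", "; ".join(reasons))
```

Only T001 is releasable; the other four are held, including the split pair that no single-instruction limit would catch.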

More and more banking institutions have recognized the need to obtain insurance cover from underwriters to protect against substantial losses from computer crime. BIS consultants have experienced a growing demand on their services to conduct computer crime surveys for insurance underwriters. Also requirements for reviewing the security provisions on communication networks have grown in the last two years - a general reflection of concerns from organizations exploiting corporate networks to support their business activities.


Recently BIS has witnessed a quest by many organizations to adopt a formal risk analysis methodology to review the design specification of new systems as well as the security requirements of existing systems. The need for a corporate security policy and strategy to embrace overall protection to host computers, networking and office systems is gaining ground, with calls for providing practical guidelines and procedures for end users to follow, and for system designers to build controls into new business systems. BIS has been active in this area for some time. Our experience in building risk analysis methodologies as well as in applying such techniques in practice to date have confirmed our views on the many advantages obtained from a systematic approach and a logical rationale in the selection of controls.

Serious security shortcomings in the current generation of personal computers per se have given anxiety to security management, not least because the security and controls can be easily circumvented by an increasingly computer-literate work force. User awareness on the safe custody of computerized corporate data in the office remains low. Increasing use of personal computers as workstations to access the corporate network could leave the organisation exposed to inadvertent compromises on host system security, e.g. by exploiting the local intelligence of workstations to effect unauthorized local printing or copying of central data, or even to forward the data to another workstation or clandestine communication channel. A number of security products are now available to address these issues. Several provide dynamic password checking to authenticate the host with the workstation in use to ensure proper handshaking. Others seek to control or disable local printing, disk copying, or forward communication to other workstations. Facilities for encryption of transmitted data and stored databases are also available to protect the confidential information.

Security responsibility for sensitive corporate information rests ultimately with the organization's board of directors. To institute security provisions following the discovery of a serious security breach or a spectacular fraud is tantamount to locking the stables after the horse has bolted. Perhaps the fraud casebook will provide some insight to senior executives on the nature and gravity of computer crime. The need for positive action should be reviewed with security managers to decide if additional preventive measures will be required to combat computer fraud. The recipe for success rests with management commitment, not least to provide the necessary funding on security provisions, but also to demonstrate to staff that security is given a high priority in the processing of corporate information.

Dr Ken Wong BIS Applied Systems Ltd

AUDITING FIDELITY AND COMPUTER CRIME POLICIES - PART 2

Comparison of Policy Benefits

The coverage afforded by the various policies may be evaluated using the Kepner Tregoe method. For example, a
