
Criminals con the computer — and make millions

By W. THOMAS PORTER, jun., for the New York Times Special Feature Service.

(The article comes through the N.Z.P.A.)

“If anything can go wrong, it will,” says Murphy’s Law. In this computer age, the “law” has been helped along by clever con men. They have increasingly taken advantage of sophisticated computer systems to steal substantial sums of money from unsuspecting customers. Among the nearly 175 cases so far discovered are these:

In 1972, an engineering student at the University of California at Los Angeles was arrested on charges of stealing some $1 million worth of supplies from the Pacific Telephone and Telegraph Co. over a two-year period. A set of system instructions found in the company’s rubbish tins gave him the entry code to the company’s computerised ordering system. Using a Touch-Tone telephone and the code, he would enter item numbers obtained from the system manual and vary his orders by quantity and location. He had learned from the documents in the rubbish yield that the telephone company allowed for a certain amount of quarterly sales loss for each delivery location. The thief knew these amounts and the computer would tell him what was being legitimately ordered from each location, so that he was able to keep his orders within the loss allowance.

A few summers ago, the Encyclopaedia Britannica accused three computer operators on the night shift of copying nearly three million names from a computer file containing the company’s “most valued” customer list. The employees then sold the list to a direct mail advertiser. Britannica claimed the list was worth $3 million and sued the employees for $4 million.

An employee of a national time-sharing system penetrated the files of a competitor’s system to extract a proprietary programme valued at $25,000. This case caused worldwide publicity, including 3-inch headlines in the (Paris) “International Herald Tribune”: “Computer Raped by Telephone.”

In early 1973, the chief teller at the Union Dime Savings Bank in New York City was charged with stealing in excess of $1.5 million. Apparently the teller was able to transfer “electronic money” from legitimate accounts in computer files to fraudulent accounts and then withdraw real money.

In June, 1971, a clerk at the Morgan Guaranty Trust Co. in New York was convicted of embezzling $33,000. The embezzlement was performed with the aid of an accomplice who received dividend checks sent to him by the bank’s computer. The computer was instructed to issue dividend checks in the names of former shareholders who had sold their stock in companies for which Morgan Guaranty acted as transfer agent. After the issuance of the checks, the computer was instructed to erase all record of the dividend checks having been issued.

Cases analysed

In the work of the Stanford Research Institute (S.R.I.) directed by Donn Parker, the recorded cases have been analysed. The analysis indicates a growing sector of crime and unauthorised activities within computer-related occupations. Parker has identified five types of computerised crimes:

(1) Financial crime where the thief takes money or negotiable instruments, as in the Union Dime Savings and Morgan Guaranty cases.

(2) Property crime where merchandise or other property is taken for resale. The Pacific Telephone case illustrates this type.

(3) Information crime, as in the Encyclopedia Britannica and the time-sharing cases, where “copies” of information (valuable files and programmes) are taken.

(4) Theft of services, such as using computer time at company expense for personal benefit. Such a crime could be done most easily in a university or at a computer-service centre where use of the computer for research purposes is encouraged.

(5) Vandalism involving intentional damage so as to deny the use of computer resources to others or to cause the organisation to spend time and money in dysfunctional ways.

Security controls

No-one really knows how much computer thievery goes on, but probably a lot more goes on than is ever detected. Donn Parker, after looking into the recorded cases of computer crime, concludes that hardly any were discovered through normal security precautions and accounting controls and that nearly all of them were uncovered by chance. Some experts estimate that the ratio of undiscovered to discovered crime may be on the order of 100 to 1.

Many companies use electronic data processing (E.D.P.) systems to process financial transactions, update and store financial data on computer records and produce negotiable documents. There are three significant differences, from a control standpoint, between electronic systems and manual or punched-card systems.

First of all, in electronic systems, many processing steps are combined and concentrated in a few computer programmes. In manual processing of accounting information, each individual involved in the processing flow exercises a certain amount of control as documents pass through various accounting stages. In electronic systems, the computer performs the processing steps, with the aid of a programmer. This programmer replaces the legion of accounting clerks, since he writes a series of instructions that, when stored in the memory of the computer, causes the computer to perform a series of operations at electronic speeds.

With so much of the record-keeping centralised in the brain of the computer, a crooked programmer can perpetrate a major fraud armed with nothing but a few seconds’ access to a computer.

Another important characteristic of electronic systems is the invisibility of records. Records are maintained on magnetic tape or direct-access devices such as magnetic discs or drums. Maintaining records on these machine-readable files eliminates or reduces the need for certain historical records and detailed transaction listings.

Significant items

Moreover, in electronic record-keeping, computers can be programmed to print out only items which are truly significant — i.e., all orders over a certain dollar amount, all receivables that are delinquent or all inventory items which have fallen below a quantity required to be in stock.

Finally, controls can be stored in computer programmes — and this endemic characteristic of E.D.P. systems offers enormous potential for misuse. The use of programmed control shifts the review (editing) of transactions processed from people to the computer. Computer-edit routines may be used to detect unreasonable transactions, invalid ones, arithmetic errors and other improper processing.

However, since these controls are stored in the computer’s memory, they are also invisible and can be changed by the programmer to prevent their use in editing selected transactions.

First U.S. case

To illustrate how a programmer can take advantage of E.D.P. systems, let us examine the first Federal criminal case of computerised crime. This case occurred in 1966 when a 21-year-old programmer put a “patch” (a programme change which is very difficult to detect even by the trained specialist) in a programme used to process bank checks and to detect overdraft accounts. The patch caused the programme to check to see if his “invisible” bank account on magnetic tape was in overdraft. If it was, the computer was instructed to ignore his account when the computer overdraft was prepared.

The patch was in operation for three months before the programmer, who had overdrawn $1300, was done in by a computer breakdown. Hand calculations revealed the discrepancy. The programmer was convicted and received a suspended sentence.

The $1300, however, was peanuts compared with the millions lost in the Equity Funding case, currently in bankruptcy courts and under investigation by a variety of Federal and state agencies. Although the exact dollar amount of the fraud is uncertain, what appears certain is that management used the corporation’s computers to create false insurance policies and to inflate the financial status of the company. By maintaining an artificial picture of healthy corporate revenue, some executives at Equity Funding were able to secure loans, continue an aggressive campaign of acquisition and make their stock the darling of Wall Street.

Discharged employee

In this particular case, the scandal was revealed by neither an audit nor any control procedures but by a discharged employee who contacted Raymond Dirks, a recognised expert in insurance stocks. Dirks, through his influence with institutional brokers, started a large sale of Equity Funding’s stock until trading in it was suspended and an investigation was started.

Donn Parker, who has studied the computer embezzler’s motives at S.R.I., has developed some characteristics of that kind of criminal. First, he (and we really mean “he,” since hardly any women are found among the perpetrators) is highly motivated, bright, energetic and generally young — 18 to 30 years old, according to Parker. Moreover, he seems to obtain very easily all the relevant information he needs about the system — from the rubbish tin to interviews with key people in the guise of a magazine writer. In addition, the organisation’s claims about the security of the system have encouraged some programmers to look upon their work as an opportunity to pit their minds against “them.”

Some computer thieves are motivated by financial pay-off. Often, the stealing begins on a relatively small scale and increases as the embezzler finds he can get away with it. Parker has analysed 12 cases of computerised bank embezzlement that occurred in 1971. He found that the losses averaged $1,090,000 apiece, or about 10 times the average loss from all other types of embezzlement.

Help needed

In almost half the recorded cases studied by S.R.I., the criminal colluded with someone else — a fact which suggests that theft via a computer often requires more skills and knowledge than is possessed by any one person in the highly structured environment of a computer facility.

Unfortunately, many computerised environments do not have strong deterrents to computer embezzlement. Quite to the contrary, they are characterised by poor hiring practices, sloppy record-keeping, poor control techniques, easy access to the computer room and little or no auditing of computerised data files and programmed controls.

Why have organisations provided environments which encourage thievery? Why have organisations waited for the crime to take place to do anything about control? One reason is that many E.D.P. projects are crash projects. In fact, another one of Murphy’s Laws on the development of computer systems might read: No major computer project is ever installed on time, within budget, and with the same staff that started it. Nor does the project do what it is supposed to do. The corollary to this “law” is that if a company’s computer project is installed on time, within the budget, and with the staff that started it and does what it is supposed to do, it will be the first.

Changing systems

Within an environment of frenzied and changing systems development activity, it is no wonder that many companies do not impose rigid controls and security measures. Getting the programme to run at all is a major accomplishment. Also, the management of computer departments has sometimes been characterised as “management by isolation.” Time-honoured planning control techniques are not applied to the computer department in some companies.

Far more chilling than the potential for criminal manipulation for money is the prospect of a computer-trained guerrilla group precipitating World War III or threatening the safety of a large portion of the world to obtain their demands by penetrating computerised missile systems. Out would come a computer-printed message to those who thought they were in command of the system. “This message is brought to you by T.W.T.W.A. (Those Who Threaten World Annihilation). We now control your system. Your missiles are aimed to destroy you. Please respond immediately to our following demands. . . .”

Security experts — I would like to believe — have already imagined such an event, have simulated such an attack and have therefore designed a foolproof system to prevent its take-over. If such an event, however, is beyond the experts’ wildest dreams, I would hope that they soon dream more wildly and that the budget of the Department of Defence will soon include an appropriation for a completely protected security system.

(C) 1974 W. Thomas Porter — New York Times Special Feature Service.

Permanent link to this item

https://paperspast.natlib.govt.nz/newspapers/CHP19741015.2.196

Bibliographic details

Press, Volume CXIV, Issue 33665, 15 October 1974, Page 21
