1. Theft by insider
Employee breaching-of-trust is involved in perhaps 80 per cent of all computer-assisted frauds.
And some of the most spectacular deceptions are committed by computer programmers. Says Donn Parker of California’s Stanford Research Institute, who helps develop countermeasures to stop computer thievery: “Programmers can do almost anything they want with their company’s data processing, and nobody will know – except by accident.”
Computers work by taking thousands of tiny steps that have to be spelled out in enormously complicated programs. Errors creep in, and must be continuously corrected. So, while many users can be restricted to certain data only, the programmer, like the man who changes the combination of a bank vault, must have constant access to the whole system. These insiders have been known to instruct a computer to ignore a withdrawal from their own accounts and then erase all record of that instruction – like a mechanical post-hypnotic suggestion!
Increasingly, hundreds of thousands of people other than programmers also have access to computers. Bank tellers, for instance, used to be able to steal only the cash in their cage. Now they can use keys on teller terminals connected by telephone lines to a computer. In 1974, a single cashier with a computer’s help stole $1.5 million from the Union Dime Savings Bank in New York. The teller instructed the computer to deduct various sums from hundreds of accounts and credit the money to him under false names.
In Washington, D.C., an Internal Revenue Service employee programmed a computer to list unclaimed tax-refund cheques, and had them sent to relatives. New York cops investigating an illegally parked car found a bundle of Youth Corps cheques in it. Some Youth Corps employees had the agency’s computer run off 100 extra cheques drawn to fictitious names, and in nine months made off with $2,750,000.
2. Attack from outside
Computers can also be raided by outsiders.
One of the simplest, most direct attacks was made by a man who walked in to a Washington, D.C., bank and opened an account.
He took advantage of the fact that the bank’s computerised bookkeeping system identified a depositor by symbols printed in magnetic ink on his individualised deposit slips rather than by his signature.
Once he obtained his own magnetised deposit slips, the thief stealthily substituted them one day for the bank deposit slips left on desks in the bank lobby for the convenience of customers who didn’t have their personalised deposit slips with them.
For the next several days, every deposit made by customers who filled out the lobby deposit slips by penning their own name and number was automatically deposited by the computer to the crook’s account. After three days the crook withdrew the $100,000 or so that had accumulated in his account – and vanished.
In Detroit, two engineers misdialled their own time-sharing code by one digit and accidentally broke into the secret file of the president of the time-sharing service.
They stole a top-secret program from the service and used the computer for three years free of charge until another operator noticed the heavy activity on that line late at night, and precipitated an investigation.
3. Theft by capture
Sometimes crooks capture a computer completely. They may buy one, or take over a company that uses one. In other cases, the management of a company may subvert the computer.
The $2 billion Equity Funding Corporation of America scandal, the largest computer-assisted fraud thus far uncovered, was a case of the latter sort. The computer aspect of the fraud started in 1970 when company sales began to lag.
To save their business, top officers began investing and selling totally fictitious life-insurance policies to several big reinsurance firms.
The reinsurance firms willingly paid the bargain prices offered for policies because they expected the policyholders to pay premiums for years to come.
The fictitious insurance policies, whose face value totalled $2 billion, were kept alive entirely by computer wizardry.
For more than two years, the computer was used to juggle every detail needed to make them look genuine: it recorded imaginary changes of address, loans against the policies, death claims and other events that conformed with insurance-industry statistics.
The money collected from the reinsurance firms was used to pay premiums on additional fake policies.
Ultimately, a federal grand jury indicted 18 company officials (who pleaded guilty) and three outside auditors (who were convicted in May 1975). Out of 97,000 policies, 63,000 issued and sold to reinsurers had been outright fakes.
Other crooked firms have used computers to bill their own customers. A brokerage firm in Texas, for example, stole $500,000 from numerous customers’ accounts by systematically overcharging them small amounts.
The standard reply when a customer noticed and complained was: “Whoops, our computers goofed.” Actually, the computer had been programmed to do so.
The problem of computer-assisted theft has prompted companies to pay big money for research into defensive counter measures. Already some computers are instructed to react to obvious efforts at intrusion. Often an interloper searching for the password to a program stored in a computer will keep probing – even using another computer to make trials for him – until he hits. Late-model-computers, however, will react to such probing. Some instantly turn mute and shut down, printing out a report of the incidents.
Identification procedures are being improved. For example, some manufacturers are working on systems that will identify a user by the televised shape of his hand. Others may use a laser fingerprint scanner, which converts a fingerprint into an identifiable code.
Until the new countermeasures catch up with the current possibilities for chicanery by computer, however, we remain in an extremely vulnerable stage of technological evolution. Computers today run entire industrial and chemical factories, measure minute-by-minute flow of materials and change proportions automatically to keep operations in balance.
Electric power flows through regional or national grids regulated by computers that adjust flow to fluctuating area demands. And computers control the targeting and launching of both US and Soviet intercontinental ballistic missiles. The possibilities for destructive sabotage via computer are staggering.
Obviously, there is more than just money at stake in the multimillion dollar race for computer security.