Back in the day, not many people had numerous connected devices in their home. There was no ubiquitous internet. There were no online banking facilities for consumers.
There was, however, no shortage of intelligent nefarious crooks who discovered computers were excellent tools for committing fraud, as well as dangerously vulnerable to fraud.
One day in 1963, accountant Eldon Royce sat down at his computer console, drew a deep breath and set in motion his plan to steal a million dollars from his firm.
Royce’s case was one of the first to expose the incalculable vulnerabilities of the burgeoning computer system, which today employs 2.2 million people to tend an estimated 184,000 full-size computers.
Thus, Royce became a pioneer in what has developed into our most expensive white-collar crime.
Royce felt that his company had broken a promise to share its profits with him. In retaliation, he decided to attack it by computer. A big wholesaler of fruits and vegetables, the firm bought hundreds of different types of produce from hundreds of growers and sold them to scores of dealers, with thousands of truck, storage and packing service transactions in between.
Prices changed almost hourly, and only a high-speed computer could track of all the transactions. Vouchers, invoices and other documents that previously provided an audit trail became only squiggles on an electronic tape. In this complexity, Royce saw his chance.
Like thousands of subsequent computer thefts, Royce’s scheme involved no crude removal of cash from the till. Instead, at his instruction, the computer automatically padded thousands of cost items and reduced income items by carefully calculated fractions of a cent, then distributed the differences across the various accounts so that figures under each heading agreed with normal operating experience. It was as if prisoners-of-war were digging a tunnel and spreading the dirt so widely that it wouldn’t be noticed. Every week or so, Royce drained off his secret surplus by writing a cheque to one of 17 dummy companies that he established.
In six years, Royce smoothly stole more than $1 million. There was only one hitch: he found that he couldn’t let go. Any abrupt halt would produce a suspicious jump in net profit and a dangerous question: why was the company suddenly doing so much better? Bone-tired and near collapse, he decided to trigger his own exposure. In court he pleaded nolo contendere, claimed he’d spent all the money and drew a ten-year sentence.
Today, estimates Edward Bride, vice president of Computerworld Magazine, computer-theft losses in the United States runs into the billions each year. And for every computer crime that is uncovered, ten are thought to go undetected.
Unfortunately, the opportunities for crime by computer are mounting. The practice of ‘time-sharing’, by which numerous clients share the services of a single large computer, and the increasing ease of access, by telephone dial, to remotely controlled computers have expanded the vulnerability to manipulation. Learning the secret passwords of time-sharers is simple when people are careless, and with this information and a typewriter-like device attached to an ordinary telephone, crooks can ‘call up’ a computer and give it orders.
A further hazard is the growth of the ‘cashless and chequeless society’, with banks installing computer terminals and cash-dispensing machines in shopping centres, and magnetic-code plastic cards taking the place of tellers. Criminals counterfeit the cards and plug in.
The most prevalent computer thefts fall into three main classes:
1. Theft by insider
Employee breaching-of-trust is involved in perhaps 80 per cent of all computer-assisted frauds.
And some of the most spectacular deceptions are committed by computer programmers. Says Donn Parker of California’s Stanford Research Institute, who helps develop countermeasures to stop computer thievery: “Programmers can do almost anything they want with their company’s data processing, and nobody will know – except by accident.”
Computers work by taking thousands of tiny steps that have to be spelled out in enormously complicated programs. Errors creep in, and must be continuously corrected. So, while many users can be restricted to certain data only, the programmer, like the man who changes the combination of a bank vault, must have constant access to the whole system. These insiders have been known to instruct a computer to ignore a withdrawal from their own accounts and then erase all record of that instruction – like a mechanical post-hypnotic suggestion!
Increasingly, hundreds of thousands of people other than programmers also have access to computers. Bank tellers, for instance, used to be able to steal only the cash in their cage. Now they can use keys on teller terminals connected by telephone lines to a computer. In 1974, a single cashier with a computer’s help stole $1.5 million from the Union Dime Savings Bank in New York. The teller instructed the computer to deduct various sums from hundreds of accounts and credit the money to him under false names.
In Washington, D.C., an Internal Revenue Service employee programmed a computer to list unclaimed tax-refund cheques, and had them sent to relatives. New York cops investigating an illegally parked car found a bundle of Youth Corps cheques in it. Some Youth Corps employees had the agency’s computer run off 100 extra cheques drawn to fictitious names, and in nine months made off with $2,750,000.
2. Attack from outside
Computers can also be raided by outsiders.
One of the simplest, most direct attacks was made by a man who walked in to a Washington, D.C., bank and opened an account.
He took advantage of the fact that the bank’s computerised bookkeeping system identified a depositor by symbols printed in magnetic ink on his individualised deposit slips rather than by his signature.
Once he obtained his own magnetised deposit slips, the thief stealthily substituted them one day for the bank deposit slips left on desks in the bank lobby for the convenience of customers who didn’t have their personalised deposit slips with them.
For the next several days, every deposit made by customers who filled out the lobby deposit slips by penning their own name and number was automatically deposited by the computer to the crook’s account. After three days the crook withdrew the $100,000 or so that had accumulated in his account – and vanished.
In Detroit, two engineers misdialled their own time-sharing code by one digit and accidentally broke into the secret file of the president of the time-sharing service.
They stole a top-secret program from the service and used the computer for three years free of charge until another operator noticed the heavy activity on that line late at night, and precipitated an investigation.
3. Theft by capture
Sometimes crooks capture a computer completely. They may buy one, or take over a company that uses one. In other cases, the management of a company may subvert the computer.
The $2 billion Equity Funding Corporation of America scandal, the largest computer-assisted fraud thus far uncovered, was a case of the latter sort. The computer aspect of the fraud started in 1970 when company sales began to lag.
To save their business, top officers began investing and selling totally fictitious life-insurance policies to several big reinsurance firms.
The reinsurance firms willingly paid the bargain prices offered for policies because they expected the policyholders to pay premiums for years to come.
The fictitious insurance policies, whose face value totalled $2 billion, were kept alive entirely by computer wizardry.
For more than two years, the computer was used to juggle every detail needed to make them look genuine: it recorded imaginary changes of address, loans against the policies, death claims and other events that conformed with insurance-industry statistics.
The money collected from the reinsurance firms was used to pay premiums on additional fake policies.
Ultimately, a federal grand jury indicted 18 company officials (who pleaded guilty) and three outside auditors (who were convicted in May 1975). Out of 97,000 policies, 63,000 issued and sold to reinsurers had been outright fakes.
Other crooked firms have used computers to bill their own customers. A brokerage firm in Texas, for example, stole $500,000 from numerous customers’ accounts by systematically overcharging them small amounts.
The standard reply when a customer noticed and complained was: “Whoops, our computers goofed.” Actually, the computer had been programmed to do so.
The problem of computer-assisted theft has prompted companies to pay big money for research into defensive counter measures. Already some computers are instructed to react to obvious efforts at intrusion. Often an interloper searching for the password to a program stored in a computer will keep probing – even using another computer to make trials for him – until he hits. Late-model-computers, however, will react to such probing. Some instantly turn mute and shut down, printing out a report of the incidents.
Identification procedures are being improved. For example, some manufacturers are working on systems that will identify a user by the televised shape of his hand. Others may use a laser fingerprint scanner, which converts a fingerprint into an identifiable code.
Until the new countermeasures catch up with the current possibilities for chicanery by computer, however, we remain in an extremely vulnerable stage of technological evolution. Computers today run entire industrial and chemical factories, measure minute-by-minute flow of materials and change proportions automatically to keep operations in balance.
Electric power flows through regional or national grids regulated by computers that adjust flow to fluctuating area demands. And computers control the targeting and launching of both US and Soviet intercontinental ballistic missiles. The possibilities for destructive sabotage via computer are staggering.
Obviously, there is more than just money at stake in the multimillion dollar race for computer security.