The Best of Creative Computing Volume 1 (published 1976)

Waiting for the Great Computer Rip-Off (computer embezzlement)

by Susan Hastings

Computers have come to be deeply and pervasively
involved in the basic business functions of our society. Top
executives might die off, factories blow up, foreign
subsidiaries get nationalized, but if you really want to see a
company president blanch, ask him what he would do if the
magnetic tapes with his accounts receivable got erased. And
as sophisticated electronic and magnetic data replace
manually kept books, the danger of almost undetectable
large-scale crime being committed by unscrupulous
computer experts is becoming a serious problem for both
the manufacturers and the users of even the most
secure systems now in existence.

Data stored in machines has not only replaced
old-fashioned accounting systems, but it has also gone a
long way toward replacing tangible assets. According to
Richard Mills, a vice-president of First National City Bank
in New York, "The base form of an asset is no longer
necessarily a 400-ounce gold bar; now assets are often
simply magnetic wiggles on a disk." For criminal purposes,
anyone familiar with computers may be able to manipulate
those wiggles so that funds are fraudulently credited to an
account, a bank balance is programmed never to fail, or the
record of ownership of very large sums is changed. One
expert has said that for a criminally-minded person with a
lot of skill, it's about as difficult as "solving a hard Sunday
crossword puzzle," to read, alter, and tamper with intricate
programs.

Computer crime has not yet been proven to be an
overwhelming source of loss, but no one really has any valid
statistics as to how much subversion is actually going on.
There are indications, however, that a lot more crime
occurs than is ever detected. One expert puts the ratio of
undiscovered to discovered crime on the order of one
hundred to one. Donn Parker, the leading expert on the
history of computer crime, admits that of the nearly 175
cases he has investigated, almost all were exposed
accidentally.

A classic case of embezzlement via computer was
uncovered accidentally last year when New York police
raided a bookie and found his best customer to be an
$11,000-a-year bank teller who for weeks at a time had
gambled up to $30,000 a day. The man, who had access to
his bank's computer terminals, would simply pocket
customers' deposits and type in false information to the
machine, usually transferring money from long-unused
accounts. By combining such elementary computer
manipulations with workaday larceny, he managed to net
1.5 million dollars before he was caught.

Donn Parker has analyzed twelve cases of computer
embezzlement that occurred in 1971 and found that the
losses averaged $1.09 million apiece, or about ten times the
average embezzlement loss. With ever larger amounts of
credit and other assets moving into EDP systems it seems
inevitable that more criminally inclined people with more
elaborate resources will grab for the prizes so temptingly
exposed. "There are something like a million programmers
in the country right now," observes Willis Ware, a
computer-security expert, "and if only one per cent of
these were inclined to be dishonest, that's ten thousand
dishonest programmers." The fact that employee dishonesty
as a cause of computer-related losses in business
jumped from fourth to second place in all losses in just
three years may mean that it just takes time for dishonest
people to learn how to take advantage of their
opportunities. And even as computers themselves become
more sophisticated, the criminals who attempt to subvert
them become more cunning and less detectable.

With the advent of time-sharing and multi-access
systems, there is opportunity for more far-ranging crime
than was demonstrated in the comparatively elementary
manipulations of the embezzling bank teller. Years ago
college students began to exploit the possibilities of a
system's vulnerability when they used their computer
knowledge to read various instructors' stored exam
questions. When that wasn't enough, they even learned to
change their own grades. Nowadays few manufacturers or
users are unaware of the lack of total security in any
computer operations. Perhaps most disturbing in its
implications is the result of many attacks waged by the
Defense Department's "tiger teams," who try to penetrate
systems being considered for defense. So far, there is no
major system that has been able to withstand a dedicated
attack.

Manufacturers believe that their computers can be made
more crime-proof, but to do so will be expensive in both
hardware costs and user convenience. Alternatives to the
often laughably weak password defenses are being
considered: some companies are working on devices that
will only recognize a personal insignia such as the shape of a
hand. Wiretapping might be avoided through the development 
of message scrambling devices, but the problem here
is that a really ambitious criminal could use his own
unscrambling computer to defeat such a device. However,
even as these and many other security devices are being
developed, experts are beginning to admit that a
sophisticated and highly motivated thief is not likely to be
deterred for long. Manufacturers say that it's pointless to
bring out new systems capable of resisting attack until their
customers adopt better physical security measures in their
own installations as well as better screening of computer
employees. Considering that it's the employees who not
only have the most access to computer data, but also know
the most about the intricacies and weaknesses of the
systems, one can understand Robert Jackson's suggestion
for preventing crime: he speculated that the first step might
be to "shoot the programmer."

[Adapted from "Waiting for the Great Computer Rip-off" by
Tom Alexander, Fortune, July 1974.]
