could then alter. Those who have authorized access should not change the password while they are making authorized program alterations. The next module is called the SECCONS Error Control Evaluation Module, in which controls are evaluated as to whether the data is complete and accurate as it is entered into the computer and while it is there. Anyone wishing further information about this technique should contact Deloitte Haskins and Sells, 128 Queen Victoria Street, London, UK.
Other papers at Securicom covered the risks of transmitting information, with reference to optical fibres, networks and transborder flow regulations. Two pieces of equipment for coding communications were on display. The "FRC 768 M" from Thomson-CSF performs an analogue transformation of a word in the space/time frequency. The LCT terminal (Central Laboratory of Telecommunications) from CGCT is a piece of text processing equipment in an attaché case. The message is composed on an alphanumeric keyboard, with a window displaying 128 characters. The text is held in memory and is first coded numerically, then transmitted in blocks, with validity control and automatic repetition of wrong blocks. Numerical coding is more efficient and less expensive, as analogue coding is not always possible and adversely affects the quality of the signals.
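The block-wise transmission described for the CGCT terminal (each block checked on arrival, a wrong block repeated automatically) is a stop-and-wait repeat-request scheme. The following is an added illustration of that mechanism, not the terminal's own protocol: the report does not say which validity check the equipment uses, so CRC-32, the 16-byte block size, the sample message and the single-bit noise model are all assumptions made here.

```python
"""Added example (not the CGCT terminal's own protocol): block-wise transmission with a
validity check on each block and automatic repetition of any block that fails it.
CRC-32 as the check, the 16-byte block size and the sample message are assumptions."""
from __future__ import annotations

import zlib
from dataclasses import dataclass
from typing import Callable

BLOCK_SIZE = 16   # assumed block length


@dataclass
class Block:
    seq: int          # sequence number so the receiver can reassemble in order
    payload: bytes
    check: int        # CRC-32 of payload, appended by the sender


def frame_message(text: str, size: int = BLOCK_SIZE) -> list[Block]:
    """Code the text numerically (UTF-8 here) and cut it into checked blocks."""
    data = text.encode("utf-8")
    return [
        Block(seq, data[start:start + size], zlib.crc32(data[start:start + size]))
        for seq, start in enumerate(range(0, len(data), size))
    ]


def block_is_valid(block: Block) -> bool:
    """The receiver's validity control: recompute the CRC and compare with the one sent."""
    return zlib.crc32(block.payload) == block.check


def noisy_channel(corrupt_first_n: dict[int, int]) -> Callable[[Block], Block]:
    """Constructed channel: flips one bit in block `seq` for its first n deliveries,
    then lets it through clean, so each repetition can be seen to succeed."""
    remaining = dict(corrupt_first_n)

    def deliver(block: Block) -> Block:
        if remaining.get(block.seq, 0) > 0:
            remaining[block.seq] -= 1
            damaged = bytearray(block.payload)
            damaged[0] ^= 0x01                 # single-bit line error in the payload
            return Block(block.seq, bytes(damaged), block.check)
        return block

    return deliver


def transmit(blocks: list[Block], channel: Callable[[Block], Block],
             max_repeats: int = 5) -> tuple[str, int]:
    """Send every block; on a failed check the receiver asks for it again.
    Returns the reassembled text and the number of repetitions that were needed."""
    received: list[bytes] = []
    repeats = 0
    for block in blocks:
        for _attempt in range(max_repeats + 1):
            got = channel(block)
            if block_is_valid(got):            # receiver: block accepted
                received.append(got.payload)
                break
            repeats += 1                       # receiver: block rejected, sender repeats it
        else:
            raise RuntimeError(f"block {block.seq} still corrupt after {max_repeats} repeats")
    return b"".join(received).decode("utf-8"), repeats


MESSAGE = "MEET AT 0900 HRS AT THE USUAL PLACE"   # constructed sample text

if __name__ == "__main__":
    text, repeats = transmit(frame_message(MESSAGE), noisy_channel({1: 2}))
    print(text, "| repeats:", repeats)
```

A CRC of this kind detects line noise; it offers no protection against a party who alters a block and recomputes the check, for which a keyed authentication code is needed. The validity control guards the integrity of the transmission against errors, which is separate from the confidentiality that the numerical coding is meant to provide.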
BOOK REVIEW: CONTROLLING WHITE COLLAR CRIME
Arguably the best overview of computer security risks ever written was by John M Carroll in the Encyclopedia of Security. Mr Carroll's textbook, called Computer Security and Confidential Information Sources: Public and Private, is also an outstanding work. It is therefore doubly disappointing to have to say that Controlling White Collar Crime is superficial, if not misleading, in many respects; however, a close inspection of some parts of it can be rewarding. Mr Carroll is a professor in the Computer Science Department of the University of Western Ontario, London, Canada and has an impressive background in computing, having advised the Royal Canadian Mounted Police on its own standards for computer security. Where Mr Carroll appears to be light on experience is in the field of investigation. Mr Carroll states that "the methodology presented has evolved from teaching third year university courses in systems and database design". The book is probably therefore a view of what an academic believes criminals would do rather than what they actually do. There is a classic passage that summarises the sometimes naive approach to crime. Mr Carroll suggests that the Corporate Security Director (at whom the book is primarily aimed) should approach 'a smart alec or alienated person' with a question like "How do you think a person would go about stealing receipts, getting an unearned payroll check, or getting valuable merchandise out of the stock room?" In practice, this is more likely to result in a rebuke or a complaint of management harassment than in success.
Volume 5 Number 5 © Elsevier International Bulletins
Unfortunately, the text is scattered with gems like this and for the inexperienced investigator it could be extremely misleading and even damaging.
Good on technical aspects
A second failing in the book is that it mixes up levels of protection; one minute Mr Carroll addresses policy level tasks for the senior manager and the next he is down to detailed analysis of source listings and file formats. It gives few practical action steps that the reader might follow. It is obvious that Mr Carroll is much happier writing about the technical aspects of computing than about the broader areas of white collar crime that the book is meant to address. This is understandable: any publisher who asks a specialist on the medicinal aspects of prunes to write a book on tinned fruit should not be surprised to find that esoteric prune attributes dominate the work. The overriding impression given by the book is that white collar crime can be dealt with at the technical computer level, and this is simply not true. Mr Carroll glosses over possible motives for committing fraud (other than a couple of brief paragraphs) and over the man/machine interface. He is content to apply controls to the machine rather than to consider what drives the man and how the dishonest man can be deterred. In fact he states that "the principal defence against white collar crime is control over systems". White collar crime is defined as "non-violent theft committed by persons of relatively high socio-economic status in the conduct of their usual and lawful occupations". This definition, which appears to derive from that drawn by Edwin H Sutherland in the late 1940s, is no longer applicable. First, if nothing else, computers have introduced an element of democracy into crime. Whereas, in the old days, the nominal ledger was kept by the office manager under lock and key, it is now tucked into a system where the manager may be unable to access it unless aided by a computer technician.
Changing access to fraud opportunities
Access to fraud opportunities also used to vary directly with rank. Today opportunities can vary in inverse proportion, and as a rule companies abdicate control over their most sensitive records to the most junior operator. The second reason why the definition is redundant is the fact that many crimes are committed by people outside the normal course of their job and their sphere of authority. Remote access to data over communications lines has expanded the opportunities for crime beyond the normal job access and authority constraints. Mr Carroll states that the "decision of whether or not to prosecute should rest with top management". Although this is true, it should be the sort of decision that is incorporated on tablets of stone in company policy rather than, as is implied, made on a one-off basis. Selective prosecution is not a viable deterrent, and companies that follow such a course are most vulnerable to frauds with the maximum embarrassment factor, such as running off with the slush fund. Senior managers should set the standards and should not, of course, put themselves in a position where they can be blackmailed into not prosecuting. In fact, there is an interesting relationship between the levels of crime in an organisation and the ethics and honesty
of senior management. The whole aspect of management standards and ethics is ignored in "Controlling White Collar Crime". On the responsibilities of other employees, Mr Carroll correctly points out that auditors are not the primary defence against white collar crime. He says "Auditors, by the very nature of their work, tend to arrive on the scene after the crime has been committed". Probably the most useful chapter is that entitled 'How to Achieve Control', which lists 28 control techniques. These, for the reasons stated earlier, gloss over the more practical aspects of control, but are nonetheless useful. The controls include:

1. Forms design
2. Procedure manuals
3. Training and supervision
4. Preprint standard data
5. Division of duties
6. Establish a control group
7. Use self checking digits
8. Take advantage of computer editing
9. Use manual editing techniques
10. Make simultaneous entries of data
11. Verify key punching
12. Make use of control totals
13. Make sure hardware controls are working
14. Keep transaction logs
15. Use 'answer back' communications
16. Keep up preventive maintenance
17. Control the computer environment
18. Establish data conversion standards
19. Put external labels on files
20. Make use of software controls
21. Set up a library for media
22. Control programming
23. Take advantage of arithmetic and overflow tests
24. Restrict access to sensitive areas and items
25. Rotate operators
26. Keep console logs
27. Keep error logs
28. Help users anticipate results.
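Three of the listed controls (self checking digits, control totals, and arithmetic and overflow tests) are the classic batch input controls, and they work together: the check digit catches a miskeyed field on its own line, the control totals catch anything that slipped past it, and the field limit catches an implausible value. The following worked example is added here and is not from Mr Carroll's book; the book does not specify a check digit scheme, so the mod-10 Luhn algorithm, the field limit and the sample payroll batch are assumptions chosen for illustration.

```python
"""Added example (not from the reviewed book): batch-input controls in the style of
list items 7 (self checking digits), 12 (control totals) and 23 (arithmetic and
overflow tests). The Luhn check digit, the field limit and the sample batch are
assumptions for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal

# Assumed field limit for a single payroll amount (an "overflow" test in the book's terms).
MAX_AMOUNT = Decimal("99999.99")


def luhn_check_digit(body: str) -> str:
    """Return the mod-10 (Luhn) check digit for a string of digits.

    Luhn detects every single-digit keying error and every adjacent transposition
    except 09 <-> 90. It is a keying control, not a security control.
    """
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit, starting with the rightmost
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def has_valid_check_digit(number: str) -> bool:
    """True when the final digit of `number` is the Luhn check digit of the rest."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class BatchHeader:
    """Control figures prepared from the source documents before keying begins."""
    record_count: int
    hash_total: int        # arithmetic sum of account numbers: meaningless, but must agree
    amount_total: Decimal


def validate_batch(header: BatchHeader, records: list[tuple[str, str]]) -> list[str]:
    """Run the keyed records against the header controls; return the list of errors found."""
    errors: list[str] = []
    for line_no, (account, amount) in enumerate(records, start=1):
        if not has_valid_check_digit(account):
            errors.append(f"line {line_no}: account {account} fails check digit")
        if Decimal(amount) > MAX_AMOUNT:
            errors.append(f"line {line_no}: amount {amount} exceeds field limit {MAX_AMOUNT}")
    if len(records) != header.record_count:
        errors.append(f"record count {len(records)} != header {header.record_count}")
    hash_total = sum(int(account) for account, _ in records)
    if hash_total != header.hash_total:
        errors.append(f"hash total {hash_total} != header {header.hash_total}")
    amount_total = sum(Decimal(amount) for _, amount in records)
    if amount_total != header.amount_total:
        errors.append(f"amount total {amount_total} != header {header.amount_total}")
    return errors


# Constructed sample batch: three payroll lines whose account numbers carry a Luhn digit.
SOURCE_RECORDS = [("1000017", "750.00"), ("1000025", "600.00"), ("1000033", "500.00")]
HEADER = BatchHeader(record_count=3, hash_total=3000075, amount_total=Decimal("1850.00"))
# The same batch as keyed by an operator who transposed the last two digits of line 1.
KEYED_RECORDS = [("1000071", "750.00"), ("1000025", "600.00"), ("1000033", "500.00")]

if __name__ == "__main__":
    print(validate_batch(HEADER, SOURCE_RECORDS))
    for problem in validate_batch(HEADER, KEYED_RECORDS):
        print(problem)
```

The transposition is reported twice, once by the check digit on its own line and once by the hash total for the batch, which is the point of layering the controls: a keying error that defeats one of them still has to pass the others. None of this deters a dishonest keying operator who prepares consistent figures, which is why the list also carries division of duties and a separate control group.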
This list is a mixture of high and low level controls and is typical of the book's structure as a whole. Other chapters analyse the risks of fraud in payroll systems as an outline of a more general method of risk analysis. Although it contains some good points, it ignores the significance of adjustments, error corrections and transaction entry codes in bought-in packages, through which the majority of payroll frauds have occurred. Neither does Mr Carroll fully explain how a criminal would convert his subversion of a system into a real-world cash benefit. Mr Carroll is also a supporter of test decks in the detection of fraud, and as this reviewer disagrees with this theory, perhaps that is why the book as a whole went down so badly. Test decks are useful and necessary in checking out programs, to make sure that they operate more or less as intended, and score a few 'Brownie points' with senior management who may be convinced that this is all auditing through the computer. But the hard fact of life is, as far as is known, that test packs have never detected one real fraud (we stand to be corrected!) and are highly unlikely to do so. Finally, in fairness to Mr Carroll, it is likely that this book was rushed through to meet publishing deadlines set by Butterworth's for its new security series, of which 'Controlling White Collar Crime' forms a part. Overall the book does not appear to achieve what it sets out to do. It certainly fails to provide details on controlling white collar crime, but it may have some use as general background reading.
OPM: FINAL CHAPTER

Myron S Goodman and Mordecai Weissman, the driving forces behind the now notorious $300 million OPM leasing fraud, were sentenced to terms of 12 and 10 years in the US District Court. This may be the final chapter.

COMPUTERS AND THE TERRORIST

The bombing of IBM's facility at Harrison, New York on 16 December, which caused extensive structural damage and disrupted the work of 500 employees, may have been connected with another attack on South African Airways. FBI agents are examining the possibility that a terrorist or subversive group had targeted both organisations. The investigation company that assisted IBM in unravelling the Japscam thefts has itself come under attack from a terrorist group. People allegedly connected with this group and the American politician Lyndon LaRouche have been making harassing telephone calls to associates and clients of the investigators, suggesting that its connections extend, in a massive conspiracy, from the Mafia to senior British politicians. The calls have culminated in a number of libellous articles in publications sponsored by the ICLC. We suspect that the dangers from disruptive groups will continue and will be supported, from time to time, by others who are prepared to take extreme action. It is wise to consider emergency planning before the event. This does not imply over-reaction, but it is important to consider what would happen if a bomb threat or extortion demand were received. How can emergency warnings be passed to employees without causing unnecessary panic? Have evacuation plans been considered and rehearsed? Have emergency communication channels (with police and bomb disposal personnel) been established? It is wise to plan before the event: you never know when it can happen to you.