Vol 8. No 9. Page 4.
availability of the powerful and inexpensive microcomputer brings EDP within the grasp of many businesses with no previous experience of modern data systems. Of course, the undeniable benefits of an analytical capability can provide a powerful incentive to acquire the knowledge. Far less dependent upon specialized computer know-how is the numerical approach to risk assessment, which necessitates as an initial step the valuation of all assets associated with the EDP system. This is plainly simple enough in terms of the hardware, and, to a slightly lesser extent, the software. Subjectivity problems can arise, though, in valuing the data itself, and these must be overcome if the numerical method is to prove relevant to a particular company. The ability to do so will obviously depend largely on the type of business involved and the tangibility of the data. But assuming the valuation question can be resolved, the next step is to identify fundamental risks and rank their occurrence probability in chronological terms. Naturally, this will be far simpler for an established firm than a newly formed one, which would first have to institute a relatively long-term survey of employee efficiency and the incidence of other threat-related events. None the less, the statistical probability of such events as a computer crime can offer a surprisingly sound basis for preventative action. Once these value and probability factors have been set, an analysis must then be made of the average likely cost of any single occurrence, related to individual aspects of the operation. By comparing the result with the projected occurrence rate it will be possible to produce a monetary loss assessment for any aspect of operations during any given time period. A basis for evolving and apportioning precautionary spending will then exist.
At its best, the advantage of this numerical method lies in its ability to relate expenditure to threat value in percentage terms and to direct resources proportionally according to highly precise evaluations. In this way equal spending on unequal risks is prevented. No risk assessment can be totally positive, by definition, but even an imperfect science is far preferable to merely ignoring the existence of risk, as many companies appear to do, whether consciously or not. Whichever method is used, an active attempt to analyse potential threats can only have beneficial results. Doing so will almost certainly pin-point the areas of greatest danger, alert management to immediate problems, and set unambiguous priorities. It will also increase security awareness and induce employee feedback, which are notable achievements in themselves. Even if the final result is less than perfect, it cannot fail to be an improvement and today, when corporate dependence on EDP is growing almost daily, such an improvement could mean the difference between survival and collapse.
Roy Carter
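The numerical method described above reduces to: value of the asset x fraction lost in one occurrence = average cost of a single occurrence; that cost x projected occurrence rate = the monetary loss assessment for the period; spending is then apportioned in proportion, and existing expenditure can be related to threat value in percentage terms. The following Python is an added illustration, not from the article; the asset values, loss fractions, occurrence rates and budget figures are constructed.

```python
# Constructed figures (hypothetical, not taken from the article).
ASSETS = {"hardware": 250_000.0, "software": 80_000.0, "customer data": 400_000.0}

# Each fundamental risk: the asset it affects, the fraction of that asset's
# value lost in a single occurrence, and the expected occurrences per year.
THREATS = [
    {"name": "fire", "asset": "hardware", "loss_fraction": 0.8, "rate": 0.02},
    {"name": "disk failure", "asset": "software", "loss_fraction": 0.1, "rate": 1.0},
    {"name": "employee fraud", "asset": "customer data", "loss_fraction": 0.05, "rate": 0.5},
    {"name": "data theft", "asset": "customer data", "loss_fraction": 0.5, "rate": 0.1},
]

def single_loss(threat, assets):
    """Average likely cost of any single occurrence: asset value x fraction lost."""
    return assets[threat["asset"]] * threat["loss_fraction"]

def expected_loss(threat, assets, years=1.0):
    """Monetary loss assessment for the period: cost per occurrence x projected occurrences."""
    return single_loss(threat, assets) * threat["rate"] * years

def apportion(budget, threats, assets, years=1.0):
    """Direct precautionary spending in proportion to each risk's expected loss,
    so that equal spending on unequal risks is avoided."""
    losses = {t["name"]: expected_loss(t, assets, years) for t in threats}
    total = sum(losses.values())
    if total == 0:
        return {name: 0.0 for name in losses}
    return {name: round(budget * loss / total, 2) for name, loss in losses.items()}

def spend_ratio(spending, threats, assets, years=1.0):
    """Relate existing expenditure to threat value in percentage terms:
    100% means the period's spending on a risk equals its expected loss."""
    ratios = {}
    for t in threats:
        loss = expected_loss(t, assets, years)
        spent = spending.get(t["name"], 0.0)
        ratios[t["name"]] = round(100.0 * spent / loss, 1) if loss else float("inf")
    return ratios
```

Running `spend_ratio` over a budget that gives "employee fraud" and "data theft" the same amount shows the two risks covered at 50% and 25% respectively, which is exactly the equal-spending-on-unequal-risks situation the method is meant to expose.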
HOTEL AND TRAVEL AGENCY FRAUD
A leading international hotel group recently discovered a computer-related fraud in its American operations. As usual, the first symptoms came to light by accident, but the follow-up was professional and impressive. In late 1985 a guest checking out of one of the group's hotels noticed that the name of a Californian travel agency had been recorded on the bottom of his booking portfolio. The chances of any guest seeing such a form at check-out time are negligible, but in this case the eagle-eyed guest objected. He said he always made the bookings himself and that he did not want some "flaky" agency to receive a commission to which it was not entitled. The guest was directed to the housephone where he discussed the problem with a member of the Accounting Department: fortunately not someone involved in the fraud that was later uncovered. Accounting discovered that the computerised booking portfolio had been changed by a simple modification routine. The travel agency's name and address had been added and a commission cheque generated. Prior to the discovery the travel agency had been considered to be reliable and was a member of both ASTA and IATA. The Internal Audit department was called and examined cancelled cheques drawn in favour of the agency, indicating an overpayment of $8674.32. The hotel's Director of Security informed the New York Police Department and began his own enquiries in Los Angeles, where the travel agency was based. The travel agent declined to provide detailed replies but instead contacted his attorney. Criminal proceedings are now underway. The suspicion created by this incident alerted auditors to the possibility of inflated commissions and conversion on a larger scale. A Credit Manager noticed that some room rates appeared suspicious and again involved large commission payments to travel agents. The portfolios of the guests concerned were withdrawn and when they were contacted (on the basis of a market research survey) they all stated that they had made their bookings in person at the front desk and had never retained the services of the travel agency concerned.
© 1986 Elsevier Science Publishers B.V. (Information & Business Division), Amsterdam. /86/$0.00 + 2.20. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)
The agent was interviewed by the Director of Security and admitted splitting commissions of approximately $7000 with a man later identified as the Front Desk supervisor. However, the agent stated that he was not aware that the Front Desk supervisor had acted improperly, since it was common practice in the travel industry to appoint Field Agents on a commission-only basis. The Front Desk supervisor was interviewed and confessed to his part in the scheme. Another block of fraudulent transactions was discovered by a computer audit test in which the addresses of the travel agencies to which commissions were paid were compared against the addresses of the guests concerned. Bookings made by out-of-town agencies were followed up in detail and a further $10 000 worth of fraudulent transactions uncovered. The fourth group of fraudulent commissions was discovered by a straightforward audit test in which commissions in peak months were examined. Guests were again contacted on the pretext of a market survey and many denied that their bookings had been made through a travel agent, although in all cases the hotel had booked commissions. The travel agent was interviewed by the Director of Security and after the usual prevarication about lawyers confessed that he had been invited to join in the fraud by the hotel's Assistant Manager. The Assistant Manager was interviewed and also confessed.
The mechanics of the fraud were straightforward and classic. Firstly, the commission accounts for travel agents were loosely controlled, or at least difficult to control. Commission might apply to all bookings or to none, and historical trends would be unreliable. Secondly, the conversion of the false credits in the travel agents' accounts was simple: by the issue of disbursement cheques. The terminals operated by front desk employees were used to enter details of each guest on a portfolio, and normally commissions due would be included at that time. There was little accountability for these entries after the event and no audit trail. It would be very rare for a guest to see what was recorded in his portfolio or to be in a position to query a travel agent's commissions. After the detections, the hotel reviewed its internal controls and made the following recommendations:

* Each guest should be asked on his or her registration card: "Was your booking made through a travel agent?"
* These cards should be compared to the computerised entry.
* Updates of guests' portfolios should be printed on a management report, showing the name of the employee making the changes and the date and time of entry.
* Access to modification terminals should be controlled by a file security system and additional passwords.
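The two audit tests that uncovered the later blocks of fraud (agency address compared against guest address, and commissions in peak months) and the first three recommendations above can all be run as simple checks over portfolio records. The following Python is an added example, not code from the bulletin or from the hotel group; the records, field names and employee numbers are constructed for illustration.

```python
from collections import Counter
from statistics import mean

# Constructed sample of guest portfolios (hypothetical records, not from the
# bulletin). card_says_agent: guest's answer to "Was your booking made through a
# travel agent?"; modified_by: employee who last updated the portfolio.
PORTFOLIOS = [
    {"id": 1, "guest_city": "Boston", "agency": "A1 Travel", "agency_city": "Boston",
     "commission": 45.0, "month": 1, "card_says_agent": True, "modified_by": "emp_101"},
    {"id": 2, "guest_city": "Chicago", "agency": None, "agency_city": None,
     "commission": 0.0, "month": 1, "card_says_agent": False, "modified_by": "emp_101"},
    {"id": 3, "guest_city": "Denver", "agency": "Sunset Tours", "agency_city": "Los Angeles",
     "commission": 120.0, "month": 2, "card_says_agent": False, "modified_by": "emp_102"},
    {"id": 4, "guest_city": "Miami", "agency": "Sunset Tours", "agency_city": "Los Angeles",
     "commission": 130.0, "month": 2, "card_says_agent": False, "modified_by": "emp_102"},
    {"id": 5, "guest_city": "Seattle", "agency": "Sunset Tours", "agency_city": "Los Angeles",
     "commission": 140.0, "month": 2, "card_says_agent": True, "modified_by": "emp_102"},
    {"id": 6, "guest_city": "Boston", "agency": "A1 Travel", "agency_city": "Boston",
     "commission": 50.0, "month": 3, "card_says_agent": True, "modified_by": "emp_101"},
    {"id": 7, "guest_city": "Austin", "agency": "Lone Star Travel", "agency_city": "Austin",
     "commission": 40.0, "month": 4, "card_says_agent": False, "modified_by": "emp_117"},
    {"id": 8, "guest_city": "Portland", "agency": None, "agency_city": None,
     "commission": 0.0, "month": 4, "card_says_agent": False, "modified_by": "emp_117"},
]

def address_mismatch(p):
    """Article's audit test: commission paid to an agency out of town relative to the guest."""
    return p["agency"] is not None and p["agency_city"] != p["guest_city"]

def card_mismatch(p):
    """Recommended control: registration card says no agent, yet a commission was booked."""
    return p["commission"] > 0 and not p["card_says_agent"]

def suspicious_ids(portfolios):
    """Portfolios failing either test, to be followed up with the guest."""
    return sorted(p["id"] for p in portfolios if address_mismatch(p) or card_mismatch(p))

def peak_months(portfolios, factor=2.0):
    """Article's audit test: months whose commission total exceeds factor x the monthly mean."""
    totals = Counter()
    for p in portfolios:
        totals[p["month"]] += p["commission"]
    threshold = factor * mean(totals.values())
    return sorted(m for m, t in totals.items() if t > threshold)

def flags_by_employee(portfolios):
    """Management-report view: flagged portfolios per employee who last changed them."""
    return Counter(p["modified_by"] for p in portfolios
                   if address_mismatch(p) or card_mismatch(p))
```

The address test is a lead generator rather than proof: a guest may legitimately use an agency in another city, which is why the article has the hotel confirm each flagged booking with the guest under the cover of a market survey.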
In addition, since one of the fraudsmen had a prior record of dishonesty, the hotel introduced a more effective method of pre-employment screening. Readers would be well advised to check the ways in which fraudulent commissions, agency fees and the like can be generated in their companies. There are possibilities in most businesses. Similarly, odd charges, such as demurrage, are exposed to fraudulent manipulation and should be carefully checked. A review of all invoices from travel agents would also be worthwhile. Many operate on the basis that an invoice is raised when an airline booking is made. The itinerary print-out and invoice usually come from the same computer run. If the traveller cancels his plans, it is possible that the invoice (which may have already been paid) will not be credited. The travel agent thus has a windfall in his books, which may be retained as a company profit. Alternatively, a dishonest employee working for the agency may issue a disbursement cheque or ticket to an associate without the knowledge of the traveller concerned. The clues to this type of fraud are:

* extensive airline travel bills
* itinerary and invoices prepared simultaneously by computer
* payment against invoices (in advance of travel)
* inadequate monitoring of cancellations and refunds, as well as poor cost centre and budgetary controls.
Other opportunities arise for dishonest employees working in Corporate Travel Departments. It is worth checking that commissions (which will undoubtedly be allowed) are credited to the company concerned, rather than to fictitious accounts set up by dishonest employees.
US COMPANY LAUNCHES IDENTITY VERIFICATION SYSTEM
Identix Incorporated of Palo Alto, California has introduced its newest identity verification system, the IDX-10, which provides a high level of security and ease of use. A network of IDX-10 terminals is linked to an IDX-Host computer and can be configured to meet a variety of physical and data access applications. Identix products utilize a unique biometric technology based on the recognized world standard, the fingerprint. The system can be used wherever access is restricted to specific individuals. This fast, non-intrusive, accurate method offers many advantages over traditional security techniques, such as cards and passwords, as well as other biometric technologies. The IDX-10 allows access when a user's fingerprint matches the "template" (a mathematical reduction of digitised information) of the fingerprint stored in the host computer's memory. Enrollment takes about one minute, when a user's fingerprint template and a short ID number are recorded. Thereafter, verification is accomplished in less than six seconds. The IDX-10 then unlocks a door or allows log-on to a computer terminal in the case of access control applications. The system will meet a variety of identity verification needs. These include controlling physical access to facilities, verifying identity before computer access is allowed, and augmenting existing security techniques such as guards or passwords. One special feature of the system is an "audit trail", in which a transaction log is maintained of all access attempts and the results. By attaching a printer, a forensic-quality, time-stamped fingerprint image can be generated of unauthorised individuals attempting to gain access. Remote diagnostics for IDX-10 terminals are supported through the host. The IDX-10 is a compact terminal that contains a patented fingerprint reader and "intelligent" hardware for fingerprint analysis.
Up to 63 terminals can be connected to an Identix host by a local area network; the host stores data and records transactions. The host is an IBM PC-XT personal computer that has been enhanced with special printed circuit boards and proprietary software. It will store thousands of fingerprint templates. The host comes with a keyboard, 10 M-byte rigid disk drive and 360 K-byte flexible drive. The IDX-10 terminal is available now and priced at $7500. The host system also costs $7500. Identix will work with customers to develop personalised applications. A second product, the IDX-50, verifies identity by reading an individual's fingerprint and comparing it to a fingerprint encoded on a plastic, microprocessor-embedded "smart card". For more information, contact Identix, Inc, 2452 Watson Court, Palo Alto, California 94303, USA; tel: 415-858-1001, telex: 361762.