2. +
Introduction
Crime – crime never changes.
To paraphrase the opening sequence to the Fallout games.
While computers have enabled an awful lot of crime, very little
of it is truly new.
People trespassed before computers.
People made illegal copies of things before computers.
Even things like ‘rights management’ were in place long ago.
Map makers used to include identifying ‘mistakes’ to help police
copyright infringement.
What computers have mostly done is increase the scope and
scale of crime.
3. +
Waves of Computer Crime
1960s
Hacking began as exploration and problem solving.
Specialised fraud
Blackmail
1970S
Privacy violations
Salami slicing
Phone phreaking
Distribution of illegal materials.
4. +
Waves of Computer Crime
1980s
Software piracy
Copyright violations
Viruses
More phreaking
Commercialisation of illicit material distribution
1990s
IP spoofing
FTP abuse
Phantom nodes
Protocol flaws
5. +
Waves of Computer Crime
2000s
Automated hacking
Desktop forgery
International industrial espionage
Transnational organised crime
Terrorism
2010s
???
As computers evolve, so too does the sophistication of crimes
committed.
6. +
Early types of computer crimes -
Damage
Root access to a computer offers large scale access to the underlying
system.
Who watches the watchers?
Real risk when employees are terminated.
Hard to keep an angry sysadmin in line.
One of the reasons why IT employees are often escorted from the
premises as soon as they are dismissed.
Limits the danger of retaliation.
But doesn’t eliminate it entirely.
Systems can be highly tailored.
Systems can be full of valuable data.
Some types of computer damage cannot be repaired.
7. +
Blackmail
Value of data often more than the value of computers.
And the software on which they run.
Blackmail with computers often involves holding data ransom.
For example, one of the programmers working on Concorde
demanded £250,000 for the backups of the test data he destroyed.
Data can be costly or impossible to replace.
Nothing new in the crime, only new in the details.
And the ease with which it can be done.
8. +
Fraud
Small scale fraud commonly involves very specific, very
personal adjustments to computer code.
Slicing fractions of pennies off of thousands of transactions and
siphoning them off into another account.
A programmer coding an accounting system that ignores
withdrawals on a specific set of accounts.
A programmer writing a program that scans for ‘dead’ accounts and
then transfers the money elsewhere.
Losses usually too small for a large company to worry about.
Most banks have a threshold at which they say ‘We expect to lose
this amount to fraud every year’
Too costly for zero tolerance.
9. +
Equity Funding Corporation of
America
The Equity Funding Company of America (EFCA) was
responsible for one of the largest corporate frauds in American
History.
Something like an Enron of the 1970s
Dramatized in the BBC Horizon programme ‘the billion dollar bubble’
Functioned through investing in mutual funds.
Put money in a mutual fund.
A collective pot of money produced by investors clubbing
together.
This pot is then invested in a portfolio of stock managed by a
mutual fund company.
10. +
Equity Funding Corporation
The company took out life insurance policies which paid out if a
person died.
The premiums for this are paid annually.
The company borrowed against the mutual fund to pay the
annual premiums.
After ten years, the fund ‘matures’ and gives out the
accumulated incresed value.
This is used to pay back the loans that were taken out against the
fund.
11. +
Equity Funding Company
Mutual Fund
Life Insurance
Loan
PaymentonDeath
AnnualPremiums
Borrowagainststock
Investment
Value after 10 yearsPROFIT
12. +
So far, so good
The company started to expand by taking over new companies.
And they had a huge sales force.
The acquisitions cost lots of money.
Which were funded largely through Equity Funding’s stock price.
New companies were bought with stock in EFCA
To keep the value up, generating yearly earnings growth was
important.
This would allow for more acquisitions and more wealth.
13. +
But then…
A problem with their mainframe meant they couldn’t extract
yearly revenue details for 1964.
Oh no.
The annual report was not going to be ready on time.
During the delay, the company co-founded (Stanley Goldblum)
came up with an idea to use a creative accounting method to
‘temporarily’ increase sales figures.
He directed the company CFO to make fictitious ‘advance’ entries
with regards to income.
Essentially saying ‘Here’s money we’ll be getting in the future,
now’
14. +
Escalation
Now he needed to find real money to back up those ‘sales’
In order to pass the audit required by the Securities and Exchange
Commission.
Then came the idea…
Let’s take out real insurance policies on fictional people.
Originally done by a handful of trusted employees doing overtime.
The process worked through the value of ‘reinsurance’
A company sells a portion of its policies to another company.
This creates instant cash flow.
It also mitigates against future catastrophes.
15. +
Escalation
So
The company created fake insurance policies.
They then sold these faked policies as legitimate policies to
insurance companies.
They then used the income to pay a portion of the fake policies
premiums.
Making the sales seem credible to the auditors.
This created cash flow out of nowhere.
And also hugely jacked up the stock price for the EFCA
As of yet, this isn’t a computer crime.
16. +
Enter the Mainframe
Making up fake accounts had become too time consuming.
Time to introduce a computer.
At the time, auditors couldn’t audit computer systems.
Too specialised.
No auditing meant that program code never went examined.
This meant that the computer could be used to streamline the
process of defrauding the reinsurance companies.
Goldblum paid a programmer to write a program that created
fake policies.
Access to the program was restricted based on a secret password.
17. +
Scale of the Crime
This automation led to EFCA having $425M of life insurance
policies on their books in 1968.
With $100M in mutual funds sold.
From 1969 to 1973:
64k faked accounts were created.
Reported revenues of $1.8B
Every so often, a few policies would be ‘killed off’
Brining that money in from the reinsurers.
Plans were afoot to automate even that.
Killing off fake policy holders at a statistically appropriate rate.
18. +
Whistleblowers
It eventually came to light after an ex-employee blew the
whistle.
Ronal Secrist.
Securities analysts Ray Dirks also came forward with evidence.
And was later rewarded with insider trading charges being filed
against him.
He was eventually acquitted by the Supreme Court.
Fraud was unsustainable.
Eventually they would have had to be insuring the whole country.
19. +
Crime and Punishment
Goldblum and 18 others pleaded guilty to taking part in the
fraud.
Three others were convicted in a 1975 trial.
Goldblum served jail time for his part in the fraud.
He never learned his lesson.
At the age of 72, he was arrested for submitting false information to
obtain a $150k loan.
Crime remains one of the most significant in terms of scale.
Computers serve a role in managing scale.
20. +
Fooling the Auditors
One night, an auditor left an unlocked briefcase.
An EFCA executive, in full sight of others, opened the case and
got access to the confidential audit plan.
This allowed EFCA to have plans in place to deal with audit
requests.
One auditor wished to send out policy confirmations to a
sample of policyholders.
ECFA did the clerical work for the auditor.
Letters were instead addressed to branch managers and agents of
ECFA, who filled out the information for the fictional policyholders.
21. +
Why Did Nobody Notice?
Auditor responsibilities fell to the State Audit Office.
Responsible for identifying if businesses are acting according to the
law.
Auditors responsible for checking inputs and outputs.
Sales of insurance policies
Money coming in
Reported earnings
However, auditors couldn’t audit everything.
Accountants did not have the specialised knowledge required to
audit systems.
IBM protected proprietary secrets, and were the ones producing the
mainframes used to perpetuate the fraud.
22. +
Auditing Around a Company
Equity Funding Corporation
of America
INPUTSOUTPUTS
examine
examine
AUDITORS
23. + Auditing Through a Company
Equity Funding Corporation
of America
INPUTSOUTPUTS
examine
examine
examine
AUDITORS
24. +
Why did it happen?
Unchecked greed and territorialism of managers.
A lack of ethics and professional standards amongst
management and involved employees.
The philosophy of the management.
The independence of the auditors and their inability to audit
computer systems.
Lack of effective oversight by the auditors.
Letting the company do some of the work? Come on, guys.
25. +
Why did it happen?
The fraud was a massive scheme.
Concocted by management.
Supported by dozens of employees.
Each of which knew or suspected that something was going on.
Why did no-one report until so late into the scandal?
The management were intent at becoming a huge
conglomerate at all costs.
Without worrying about the risks of these activities.
Rampant territorialism drove much of the acquisitions.
26. +
Auditors
The auditors compromised their professional independence during
the investigations.
One was earning $130k to $150k, because they were contracted by
EFCA and were the largest quiet.
A second auditor was given shares in the funding, which he kept
under his wife’s former name until they were cashed in 1967.
Another auditor received a loan of $2,000 from the company.
All three auditors were later found guilty of fraudulent activities.
Some auditors were at least partially complicit in the incident.
Allowing for the company to take a direct hand in auditing violated
accountability.
27. +
Class Exercise
In groups of 3-4
Imagine yourself in a similar kind of company in the modern day.
How would you use computers to perpetuate economic fraud?
Outline a company structure, significant individuals who would be
involves, risks and points of weakness.
You’ll get some time to come up with this plan, and then:
Swap your plans with another group
Try to identify how you’d effectively audit their system.
Identify skillsets needed
Identify weakness in your auditing.
Identify ‘human factors’
28. +
Conclusion
This is not a new or especially novel crime.
It was in no way sophisticated, or only possible because of
computers.
There was no grand plan behind it all.
And no escape route – escalation was mandatory because of the
pyramidal nature of the acquisitions.
Crimes committed nowadays are usually far more organised
and significant.
We have a better idea of what people might do and how we should
counter it as a society.
That doesn’t mean that fraud is dead, of course.