This situation involves a large bank that has recently installed a new software system for handling all transactions and account storage. An employee at the company developing the software programmed a “back door” into the system, and got another employee to unknowingly install it. Some weeks later, millions were stolen from a number of accounts at the bank. This situation was chosen to highlight the amount of trust that large corporations place in programmers of critical systems.
Programmers are quite capable of abusing extremely large and important systems without leaving a trace, and it is surprising that this sort of situation does not happen more often in today’s world. The paper provides an analysis of this type of cybercrime, possible ways in which such a crime could have been prevented, and the consequences of such crime in general. This paper shows that a complete reliance on a single computerized system makes it easier for such a cybercrime to occur.
The focus of the Safebank investigation shifted back to the headquarters of Microsoft Corporation, reported the FBI.
The investigation had originally been conducted with the cooperation of international law agencies, in an attempt to track the location of the funds moving through accounts in Europe and the Caribbean. More recently the FBI reported, in a statement given Monday by case director Walter Navarre, that “Evidence has been collected linking the crimes to an employee of the Microsoft Corporation.”
The Safebank incident began last Wednesday, October 17, 2001, when the management at a Safebank branch in Boston was contacted by a customer of the bank reporting that his account suddenly contained no more money.
There was no record of any transaction carried out on the account, but when backup records were checked, it was determined that the account had indeed contained the specified amount. Safebank spokeswoman Alicia Delrey said, in an interview Monday, that “Safebank had no indication that a transaction of any kind had taken place. The records showed a balance of approximately a half-million on one day, and the next day these funds were no longer present in the account.” A comparison check conducted by the bank showed that similar actions had occurred on nearly two hundred other accounts.
All accounts affected in this way contained in the range of half a million to a million dollars. The problems were assumed to have been caused by a bug in the new transaction software installed by Safebank two weeks earlier. The developer of the software, Microsoft Corporation, was contacted in relation to the problem. At this point, one of the Geneva branches of the Swiss banking giant UBS contacted Safebank with reports of fifty-two major transfers to unidentified accounts. These transfers consisted of amounts that matched exactly the amounts missing from certain Safebank accounts. An international alert was dispatched to banks worldwide.
Within hours, a listing of accounts in foreign banks had been assembled that exactly matched the amounts missing from Safebank. The FBI was called in to investigate the incident, while all accounts indicated were frozen. Initial investigations indicated that the accounts had been opened under a variety of assumed names, by a single individual. According to special investigator Shawn Murray, “although the accounts were not opened in person, we were able to determine, through reports given by bank employees and through bank terminal video recordings, that they were indeed opened by the same individual in all cases.”
Investigations pointed to Wolfgang Schlitz, a former director of the Safebank transaction software project, as one suspect. According to FBI investigators, a current Microsloth employee, who is also a suspect, provided information pointing to Mr. Schlitz. Although Mr. Schlitz was unavailable for comment, the employee was identified as Bertrand Dupont, a senior programmer on the Safebank software project. Apparently, Mr. Dupont was, while programming, given a precompiled code object by Mr. Schlitz. The object was intended to be integrated into a specific part of the system handling transactions.
Mr. Dupont, in an interview yesterday, said “He told me it was a set of more optimized transaction classes that the optimizations team had produced. He was the boss, and the explanation sounded perfectly reasonable, so I didn’t suspect anything. The code worked fine, and I forgot all about it until now.” The FBI investigation is currently centering on Mr. Dupont and Mr. Schlitz as possible suspects although, according to case director Walter Navarre, “We have not ruled out the possibility of other, as yet unidentified, collaborators. The scope of this crime is unprecedented; millions of dollars were taken without a trace.
If it were not for the size of the transactions involved, we may never have noticed anything,” commented industry analyst Lancolm Hayes. “We should take this as a strong argument for better security controls on safety-critical sectors of the development industry,” he added. The current level of reliance on computerized systems has always elicited concern from those who see this dependence as a security risk. As the recent Safebank incident demonstrates, there is indeed cause for alarm.
The fact that the bank used a completely computerized system allowed a single individual with malicious intent to steal millions. The average amount stolen through computerized means is more than twenty times higher than the average taken through more conventional, “physical,” crime [1]. Although it could be argued that banks implement safety measures such as a marker or alert for large or suspicious transactions, all these transactions are computerized. The program actually carrying out the transfer can be modified not to issue such an alert by the person who has carried out such modifications, as in the Safebank case.
A complete reliance on computers has created more opportunities for cybercrime, reduced the ability to prevent this crime, and made the potential consequences of these crimes more serious. In order to evaluate this statement, I will be discussing different aspects of computer crime, relating specifically to the idea of malicious programming in the banking sector. Although there are many different types of cybercrime, focusing on this issue relates more strongly to the Safebank case. In addition to this, the paper will cover methods of halting or preventing this crime, and possible consequences, in relation to the Safebank incident.
The crime at Safebank was a cybercrime. Money was stolen through the system itself, without any physical aspect to the crime. The crime was rendered even more effective as a result of the deliberate modification that prevented the system from recording the stolen money on its transaction records. As Mr. Hayes points out, “If it were not for the size of the transactions involved, we may never have noticed anything.” If those committing this crime had decided to take very small amounts, a few dollars, from a large number of accounts, there may never have been an investigation.
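The comparison check described in the article can be sketched as follows. This is an added example, not part of the original paper: it reconciles each account's balance change between a backup snapshot and the live records against the transaction log, and flags any change the log does not explain, whatever its size. Account IDs, amounts and function names are constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal


def reconcile(backup_balances, live_balances, transaction_log):
    """Return {account: unexplained_delta} for every account whose balance
    changed between the backup snapshot and the live records by an amount
    that the transaction log does not account for."""
    # Sum the logged movements per account (negative = money leaving).
    logged = defaultdict(Decimal)
    for account, amount in transaction_log:
        logged[account] += Decimal(amount)

    findings = {}
    # Cover accounts present in either record set (opened or closed in between).
    for account in sorted(set(backup_balances) | set(live_balances)):
        before = Decimal(backup_balances.get(account, "0"))
        after = Decimal(live_balances.get(account, "0"))
        unexplained = (after - before) - logged[account]
        if unexplained != 0:
            findings[account] = unexplained
    return findings


# Constructed sample data. The check is only meaningful if the backup
# snapshot is stored outside the control of the transaction software.
BACKUP = {"ACC-001": "512000.00", "ACC-002": "1500.00",
          "ACC-003": "820.50", "ACC-004": "75000.00"}
LIVE = {"ACC-001": "0.00", "ACC-002": "1300.00",
        "ACC-003": "817.50", "ACC-004": "75000.00"}
# Only one legitimate withdrawal was logged; the other changes left no record.
LOG = [("ACC-002", "-200.00")]

if __name__ == "__main__":
    for account, delta in reconcile(BACKUP, LIVE, LOG).items():
        print(f"{account}: unexplained balance change of {delta}")
```

The drained account and the three-dollar discrepancy are both reported, while the account with a logged withdrawal is not.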
The fact that the bank relied entirely on computerized records to keep track of transactions resulted in a reduced ability to detect cybercrimes, and thereby made them easier to commit. The crime is, in this case, an “inside job,” since it was an employee or employees at Microsloth responsible for the crime. This type of crime is, in the present day, growing less common in comparison with other types of cybercrime such as external attacks. Statistics used to show that over 80% of all cybercrime was the result of inside operatives [2].
At the current time, however, this is no longer true. Polls by the Computer Security Institute show that the number of businesses citing the internet as a frequent point of attack is “up from 59 per cent in 2000 to 70 per cent this year. The percentage of those reporting their internal systems as a frequent Achilles heel has dropped from 38 per cent to 31 per cent over the same period [2].” The survey reported that, in 2001, 70% of all cybercrime was initiated from outside, rather than inside, the target [6].
External attacks are significant because they are conducted by people who usually do not have intimate knowledge of a system. The fact that these types of crimes are becoming more common indicates that it is becoming easier for common criminals without specific links to a company to commit cybercrimes. Although Safebank received wide publicity due to the size and global reach of the theft involved, many other similar cases of fraud go unreported. In the UK, at least four large internet banks have been the subject of cybercrime attacks.
These attacks involved losses of hundreds of thousands of pounds, but were mostly not reported due to the banks’ worries that news coverage would damage their image. [5] These banks are, even more so than Safebank, completely dependent on computers for all aspects of their business. Whereas Safebank had employees and terminals, Internet banks operate almost entirely online. These banks are indeed more vulnerable than traditional banks; this vulnerability coming from their reliance on computers as a way of both carrying out transactions and storing funds.
How can these types of computer crimes be prevented? In the case of Safebank, how could the modification to the system have been detected before it was released? There are no methods to effectively ensure that this happens. Safebank has no way of verifying that the software they receive is free of malicious code, because Safebank was probably unable to view the code itself; it received compiled executables. The issue here is one of trust; Safebank assumes that software from Microsoft is free of defects, but has no way of verifying that this is indeed the case.
Microsoft could perform a final evaluation of the code itself once the program is completed, but this would be time-intensive and costly, especially for a system like Safebank’s, which likely consists of millions of lines of code. Such an evaluation would give no complete assurances of security, because employees conducting the tests could themselves insert the malicious code. Other, stricter, version-control options are available, but with each layer of protection there is additional cost and time involved.
As with almost anything, there is a point at which it no longer becomes profitable to add additional security. Building a three-meter high wall around some property will cost more than a two-meter wall, but will provide almost exactly the same security, since a determined criminal can scale a wall of almost any height. This analogy relates well to software development. Adding additional security costs money, yet determined hackers can break almost any amount of security. The goal in most projects is, therefore, to create enough security to discourage the majority of hackers from attempting to break in.
The security approach is also only effective in the specific case of Safebank. Most other types of attacks cannot be dealt with in this way. Prevention of cybercrime can be assisted through education. Training can increase awareness of the potential for cybercrimes to occur, and effective measures of eliminating or reducing losses incurred from these crimes. Safebank had no way of knowing that the program was faulty, but if its employees had been more alert to the possibility of cybercrime threats, they may have caught and reacted to the transactions more quickly.
The main disadvantage to these training courses is that they are not complete solutions, and are expensive, often costing several thousand dollars per week [4]. Although it could have reduced losses, Safebank could not have prevented the crime through training. Another aspect of training is certification. At the current time, programmers are not required to have completed certification courses present in many other industries. [7] Programmers could be required to take courses relating to legal and ethical aspects of computers, in addition to certification for standard programming skills.
Although this would not deter a criminal set on a certain path of action, better knowledge of the potential consequences of cybercrime might make criminals think twice about committing this type of crime. Microsloth can operate with greater assurances of security if it knows that its employees are competent and informed in both the technical and ethical aspects of software creation. Insurance does not eliminate the threat of cybercrimes, but it does help cover damages. Cyberterrorism insurance is a relatively new concept.
Previously, insurance was designed to cover physical assets from damage in a fire or other similar event. Now, new forms of insurance protect specifically against cybercrime, and older insurance no longer covers digital damages. [3] Although the article does not indicate whether Safebank had cybercrime insurance, most large corporations vulnerable to cybercrimes have insurance policies that cover their losses. Again, although this method helps reduce losses for a corporation, it does nothing to prevent the attack itself. Cybercrime can mean huge losses in vital sectors such as banking and government.
The Safebank theft of several million dollars is nothing compared to the total cost of cybercrime. A survey conducted by the Computer Security Institute indicated total losses of $727 million. This represented only one-third of those interviewed; the others did not wish to reveal their losses. [6] These figures are for the United States only; cybercrime is just as prevalent in other countries worldwide. According to US Attorney-General John Ashcroft, “Although there are no exact figures on the costs of cybercrime in America, estimates run into the billions of dollars each year.” [8]
A second consequence of attacks with relation to banking can be political instability. Groups with political motives may see banks as attractive targets for cyberterrorism. During the conflict between Israel and Palestine, “pro-Palestinian hackers have attacked the web sites of Israeli banking and financial institutions [9].” As indicated previously, the ability to hack into a system is now much more widely available than it used to be. The disruption of a country’s financial structures can be as devastating, if not more so, than a direct physical attack.
Cyberterrorism, with banks as targets, whether inside jobs like the Safebank case or external infiltrations, may become increasingly common. Other potential consequences of cybercrime are less quantifiable. Through the recent events, both Microsoft and Safebank have suffered disastrous consequences in terms of public relations. Customers will be less willing to use a bank that they know uses a faulty system. This is precisely the reason why the banks in the UK were reluctant to report their cybercrime losses. Customers of Microsoft will be less likely to purchase software that might contain such flaws.
This means a loss of revenue and potential losses of jobs at both Microsoft and Safebank. As the Safebank example shows, cybercrimes are now much easier to commit. The higher rate of outside attacks indicates that cybercrimes can now be performed by those in the general public, without any insider knowledge. At the same time, dependence on computers has reduced the ability to prevent cybercrimes, because crimes can now no longer be detected as easily, and even when detected they are difficult to stop. Cybercrime causes billions of dollars in losses every year; a great cost to society.
This conclusion raises further questions about how much of this crime could be prevented. At what point do corporations decide that it is more profitable to invest in security than to suffer potential losses? Are the methods of combating cybercrime of this kind, as outlined in the body of this paper, sufficient? At the moment, the answer is no. As cybercrime becomes more prevalent, affects an increasingly large number of people, and causes increasingly larger amounts of damage, it is important to investigate ways of dealing with it, ways of reducing the risk associated with it, and ways of preventing it altogether.