Computers, Science, Technology, Xen Virtualization, Hosting, Photography, The Internet, Geekdom And More

The science of insider fraud

Posted on | November 7, 2007 | No Comments

IT Wire is running something neat today, researchers in Australia have combined efforts to automate the process of detecting (internal) employee fraud.

This research is of particular interest to any company that enjoys a decentralized structure that enables employees to work from home via the Internet.

To explain why this sort of research is so neat, I’ll put it in the context of the web hosting industry, which most people reading this should be at least vaguely familiar.

It used to be that the biggest ancillary cost of running a web hosting company was payment fraud (credit card / Paypal) fueled by a never ending river of phishing schemes. Internal fraud is just as (if not more) expensive and twice as difficult to detect, ask any large web host.

The chronic success of on-line scammers (phishers) taught us that average computer users do not pay very much attention to whats on their screen when they complete an electronic financial transaction or volunteer sensitive information.

This means, if someone working for an on-line company is able to gain access to certain databases, customers of the on-line company might end up paying an employee of the company (thinking that they are paying an official invoice) without ever realizing that they just paid a billing clerk’s personal Paypal account. The crooked clerk marks the bill as satisfied, cleans up any evidence of manual queries and the company remains oblivious to any wrong doing. This would (typically) go undetected unless large amounts of money was anticipated and not received, sparking an audit, which isn’t likely to reveal the crooked clerk. The company would chalk the loss up to ‘some hacker, somewhere’ and move on.

When I was dealing with outsourcing more or less as a living, part of my job was to take a look at the structure of decentralized companies and think about how to exploit their framework before introducing new risks, such as outsourced back office staff.

When companies ship positions overseas that involve potentially sensitive access, they often request an organizational and procedural audit. Prosecuting a crime as a victim that was committed by someone in another country is often more expensive than the loss itself. Prevention remains the key.

Often, I quickly found holes that might allow new sign-ups to be redirected to an employees personal Paypal or merchant account, affiliate systems that featured holes allowing employees to insert themselves as bogus partners and get extra paychecks, all kinds of potential holes. Broadly, this was because companies used many stand alone applications that offered no accountability trail or means of audit.

Forget web hosting, look at companies that sell actual goods, such as electronics or computers via some kind of on-line shopping cart and customer relations system. The same possibilities exist for employees to become a man in the middle of the company and their receivables.

I’ve seen cases where employees managed to inject fictitious workers into databases that received a monthly salary. You’d be amazed at what people will do for quick money when they feel confident that their activities can’t be linked to them if discovered.

Detecting and stopping this as it happens is nearly impossible, unless you make heavy modifications to the relational database services themselves. Its just too easy to run queries once you have access to any given table. Taking away the employee’s ability to update some fields in that table prevents them from doing their job. Giving them alter access (potentially) lets them steal.

I wished, many times for some kind of a solution to offer that just ‘dropped in’ without requiring companies to change their structure and procedures in order to operate safely at the internal level. I often wished for “something that can watch all of those no no fields on all of those high priority tables”. A company with 2000 clients and 5 employees can be diligent via manual oversight. A company with 20,000 clients and 50 employees has a much harder time.

My explanation of the need for something like what is being researched is quite basic, but does illustrate the need. There is a big push in the direction of decentralized offices by not just small business, larger companies are catching on to the savings and enhanced employee productivity as well.

It will be interesting to see what they come up with during this research, and the price tag of solutions incorporating the results.


Leave a Reply

  • Monkey Plus Typewriter
  • Stack Overflow

  • Me According To Ohloh

  • Meta