Salami Fraud (1)
by M. E. Kabay, PhD, CISSP
Associate Professor, Computer Information Systems
Norwich University, Northfield VT
The recent disclosure that WorldCom concealed almost $4 billion of expenses as if they were asset acquisitions and thus falsified its accounting reminds me of the very opposite kind of fraud – one that involves lots of little thefts instead of one gigantic theft. In the _salami fraud_, criminals steal money or resources a tiny bit at a time. Two different etymologies are circulating about the origins of this term. Some claim that it refers to slicing the data thin – like a salami. Others argue that it means building up a significant object or amount from tiny scraps – like a salami.
The classic story about a salami attack is the old “collect-the-roundoff” trick. In this scam, a programmer modifies the arithmetic routines such as interest computations. Typically, the calculations are carried out to several decimal places beyond the customary 2 or 3 kept for financial records. For example, when currency is in dollars, the roundoff goes up to the nearest penny about half the time and down the rest of the time. If the programmer arranges to collect the discarded fractions of pennies in a separate account, a sizable fund can grow with no warning to the financial institution.
More daring salamis slice off larger amounts. The security literature includes case studies in which an embezzler removed $0.20 to $0.30 from hundreds of accounts two or three times a year. These thefts were not discovered or reported: most victims wouldn't bother finding the reasons for such small discrepancies. Other salamis have used bank service charges – increasing the cost of a check by $0.05, for example.
Credit card thieves with thousands of stolen account numbers sometimes steal only a little from each card, on the theory that most people won’t even notice or won’t bother reporting a minor expense that they don’t recognize.
A specific example of salami...
Please join StudyMode to read the full document