Most computer fraud is committed by insiders, reports MONICA HORTEN.
FRAUD is said to cost the City of London as much as #600m a year. Many cases are small-time petty thefts and are never reported by the banks. Few reach the courts.
But computer fraud is different. The image of someone working stealthily to alter computer files and transfer money to a Swiss bank account, somehow captures the imagination. It is therefore the one type of fraud which will guarantee a high level of unwelcome publicity for the bank which has been hit. And it is the main reason why the banks spend millions of pounds on computer security systems.
Computer fraud usually entails larger sums of money than other types of theft - an average being a #1m per transaction, compared with a #10,000 average haul from an armed robbery. It also tends to involve people who go to great lengths to beat the system. However, computer fraud is a rare occurence, according to Mark Tantam, of Touche Ross management consultants. Mr Tantam is a barrister who previously spent three years at the serious fraud office. He believes that 'against other types of fraud, computer fraud is very small.'
Most computer fraud is committed by insiders, with legitimate access to the system, rather than by hackers getting in from the outside, says Mr Tantam. In his experience, hackers are technology enthusiasts who want the intellectual challenge of working through the system. They are a nuisance, but are unlikely to start moving money around the banking system.
The typical pattern is one of a disgruntled employee, with some knowledge of how to get into the system. He or she will work together with one or more outsiders, who may be organised criminals - 'we've known it to happen that people are approached in pubs, after they boasted that they could take their employer for a fortune,' says Detective Chief Inspector Ken Farrow, of the City of London police fraud department.
A recent case was that of Elaine Borg, a computer systems programmer at City firm Henderson Financial Investment services. Her plan was devised together with a male partner, who was a known criminal, based in Spain. She set up dummy accounts on the computer system, into which stock could be transferred and a fraudulent sale effected.
Elaine Borg was caught when police investigating her partner, discovered her relationship with him. The City of London fraud department monitored her telephone calls, and she was heard discussing the plan. She was convicted at Snaresbrook Crown Court on March 17 this year. The charges were conspiracy to steal, and unauthorised access to computer material with intent to commit further offence.
In most cases, however, frauds are spotted by the banks through ordinary banking procedures, such as reconciliation - 'accounting systems are supposed to balance. If a fraud has been committed, this would show up as an imbalance on the computer,' says Dr Paul Dorey, group information and security director at Barclays Bank.
In 1986, a fraud attempt at Prudential Bache was discovered by a back-office accounts clerk, attempting to reconcile international bonds transactions. A young Eurobond trader was later found out and brought to trial.
Another safety option is to regularly check the security log. According to Dr Dorey, the log would be checked for multiple attempts to access the system, or for access using genuine ID at odd times, such as in the evening.
Any unusual items could be pursued further, by checking the audit trail which shows details of all transactions that took place on the system - not only which ID and which terminal was used, but where the money was transferred.
The audit trail is part of the operating system, and is harder to tamper with than other files. If an attempt was made, that action triggers an alarm.
Mark Tantam says that monitoring systems can be set up to provide exception reports from the audit trail. For example, if it is normal for the bank to send #5,000 to a bank in the Lebanon, and suddenly #5m is transferred, the system would throw up an exception. The report could be checked to see if it was genuine.
However, fraudsters usually manage to cover their tracks, even if it is only to use someone else's ID and to walk to a terminal that is not their own. Where they have been identified, it was done by a combination of traditional police detection methods and 'borrowed' computer expertise.
Det. Chief Insp. Farrow says that his usual procedure is to bring in a crisis management team. The team would include someone with detailed knowledge of the computer system in question, but who could not have been in a position to commit the fraud.
In future, banks will increasingly use computer technology itself to track down fraudsters. Some are already moving in the direction of artificial intelligence systems, which can pinpoint un usual patterns in computer data.
In April this year, Barclays installed its Fraud 2000 system. Attached to the Barclaycard main computer, it watches for radical changes in spending patterns and raises the alarm at the point of sale.
If a purchase appears to be outside a card-holder's normal spending pattern, the store which is trying to put through the transaction is alerted. Barclays claims the system is detecting 20 frauds a day.
Artificial intelligence can also be used to 'drill down' into data produced by security logs. For example, if it could go from a bland statement - such as 'we had 20% more failed log-ons than usual' - to then ask where they occured and on which applications, the increased detail could lead to the identification of a potential fraud or hacking incident.