This report was prepared by Nicholas Bohm, edited by E. Gerck
Published by the MCG, May 10, 1997
DISCLAIMER: The MCG does not endorse third-party reports nor
their conclusions, herein provided for informational purposes only. The
present extracts also indicate the difficulties of achieving reliable knowledge
on the subject of the use of the Internet for fraud. The purpose of this
publication is to provide support and references to the work in progress
on Meta-Certificates and to unify references, concepts and terminology.
Readers must form their own view about the conclusions.
Source: Edupage, 24 April 1997
FRAUD AND THE NET
A Deloitte & Touche report commissioned by the European Union says that cross-border fraud involving Internet abuse, banking and investment frauds, and smuggling is costing society $77 billion a year. The report suggests that perhaps the largest single threat comes from fraud through the Internet, because encryption technology remains vulnerable to sophisticated computer vandals. (Financial Times 24 Apr 97)
International fraud is a major threat to the economic and social welfare of the Member States of the European Union.
1.1 This report sets out our findings on the subject of international fraud as it affects the private and commercial interests of the citizens and businesses of the European Union.
The problem of fraud
Most types of fraud are found in every European Union Member State. The majority of threats of international fraud are considered to come from within the European Union itself.
Fraud threats are also perceived to come from West Africa, from the countries to the East of the European Union, and from the former Soviet Union states. The use of "havens of secrecy" is a factor in many international frauds, and any point of entry for fraud into the EU puts all Member States at risk. The level of fraud is likely to rise with increases in economic activity and as fraudsters overcome existing defences. Fraud distorts the operation of the single market and damages international reputations and trade.
1.17 Fraudsters have shown that they are able to develop new techniques to overcome new controls and technology, leading to an "arms race" between them and their victims. The increasing rate of technological advance will make this a key battleground in the continuing fight against international fraud.
Turning the tide against international fraud
Important initiatives, to reduce the advantages enjoyed by the international fraudster, that should be encouraged or introduced include:
- harmonising national laws with the emphasis on coherent anti-fraud measures;
- increasing the speed and effectiveness of international co-operation;
- breaking down barriers to communication;
- confiscating the proceeds of fraud;
- increasing the anti-fraud culture of commercial organisations; and
- making individuals and businesses less susceptible to the threats posed by international fraud.
1.26 Of all of the measures which have been presented to us as being essential to the fight against fraud, the one which appears to be the most likely to be both effective and practical is the breaking down of barriers to communication between nations and economic sectors by encouraging the exchange of information and techniques at all levels of organisations involved in the fight against fraud.
1.27 Both the private and public sectors have begun to make themselves a harder target for fraudsters. The most effective measures involve sharing information and educating staff and management about fraud risks. Any initiatives which can speed up the communication of best practice are likely to have a major beneficial effect.
3.3 We have organised this section into the major types of fraud which have been identified to us:
- advance fee fraud;
- investment fraud;
- banking fraud;
- computer and information technology abuse;
- counterfeiting of branded products/copyright abuse;
- fraudulent bankruptcy/exploitation of cross border corporate structures;
- insurance fraud;
- fraud against the public sector;
- smuggling; and
- money laundering.
3.33 The introduction of Smart-chips into credit cards, coupled with magnetic stripes, signatures and holographic labels has achieved a dramatic reduction in the level of credit card fraud following its introduction in France. In 1995, the fraud rate on French smart-card operations was 0.03 per cent, but 0.3 per cent for other types of cards.
3.37 There have been a number of frauds involving international transfers of money from banks in Sweden with the help of computers or forged bills of exchange, fraudulent withdrawals and altered cheques. The Swedish Financial Supervisory Authority states that banking frauds committed by insiders manipulating the computerised transfer systems are growing in number.
3.40 In the United Kingdom the Association for Payment Clearance Services ("APACS") has found that about 25 per cent of the annual total fraud against United Kingdom issued cards is international. Overall levels of fraud losses to plastic card issuers have halved between 1991 and 1995, which APACS believes is a result of shared information, the enforcement of better controls and advances in technology.
3.42 Banks face a dilemma between the need to avoid fraud and the need to maintain satisfactory customer service levels. Measures such as identification requirements for personal customers are difficult to implement whilst maintaining customer goodwill. It is also difficult for banks to provide detailed technical training to enable operational staff to detect counterfeit notes and fraudulent financial instruments and documents. This is because the range of different financial instruments is vast and the quality of many of the forgeries is very high.
3.43 There are a number of reasons why some attempted frauds succeed against the banking industry:
- the volume of banking transactions means that the relatively small number of fraudulent transactions are difficult to spot;
- as with any profit making industry, the overall prevention strategy must be cost-effective even if individual prevention measures are expensive;
- fraudsters have an increasing knowledge of systems;
- the banking industry is at present "downsizing", so fewer staff handle the same volume of business; and
- the emergence of "professional" organised crime syndicates who are well versed in international banking practices.
Computer and information technology abuse
3.45 Computer abuse involves the predominant use of a computer system (rather than the incidental use, such as making a false accounting record to disguise a theft). Types of loss include:
- malicious destruction of information in the course of a fraud;
- theft of information; and
- industrial espionage by, for example, telephone network tapping or facsimile interception.
3.46 This overall category also includes electronic postal abuse and telecommunications abuse.
The latter is a growing international threat, whose variants include:
- theft of customer billing information so that others can charge their calls to that (genuine) customer. This category also includes theft and cloning of mobile telephones; and
- auto-dialling programs for foreign premium-rate services such as sex or lottery lines.
3.47 In France, the Union des Fabricants has a specialist unit which is involved in monitoring the Internet for international advertisements showing counterfeit products, which shows that technology is often involved in many other types of fraud.
3.48 According to the Club de la Sécurité Informatique en France ("CLUSIF"), computer damage is increasingly due to malevolence, rather than a desire for financial gain. See Table 3e.
3.49 Computer and information technology abuse also interacts with banking fraud, in cases where the fraud utilises an electronic payment mechanism such as SWIFT. German police criminal statistics show the rapid growth of such crimes in recent years. See Table 3f.
3.50 A particular case of technology fraud involves the mobile phone industry. Fraudsters take advantage of mobile telephone technology to make expensive international phone calls from outside Germany without paying for them. Net providers located in foreign countries inform the German mobile telephone companies about suspiciously high bills of German customers only after it is too late to prevent major losses. An industry representative estimated the damage resulting from such abuse in 1994 to be between ECU 27 and 55 million.
3.51 In Germany, Deutsche Telekom has reported losses of more than ECU 950,000 a year to pay-phone fraud. Fraud involving pay phone smart cards was first reported two years ago in Germany, when hackers were able to tap calling card information by inserting cables in card slots and manipulating the information with laptops. Deutsche Telekom responded by installing slots that automatically close after cards are inserted. More recently, hackers have programmed smart card chips so that credit is automatically restored to full value, allowing unlimited usage.
3.52 Mobile phone fraud is common. It is known as "cloning", whereby the identity of one phone is programmed into another in order to charge the costs to another person's account. These costs are most frequently for long international calls. One major European supplier fears that one call in a hundred on its network is lost to cloned phones. Cloning is soaring by 40 per cent a year and is thought by the Federation of Communication Services ("FCS") to cost up to ECU 121 million in the United Kingdom alone, much of it from international calls.
3.53 It was widely reported in the United Kingdom earlier this year that British Telecom ("BT") suffered from pay-phone fraud caused by a software problem in its 130,000 pay-phones. This enabled callers to receive a full refund for any international calls they made.
3.54 A number of computer 'hackers' were arrested in the United Kingdom in April 1995 in connection with attempting to defraud a bank of ECU 2.2 million. The attempted transfers from the bank's corporate client account to accounts in Finland, Israel and the USA were detected and monitored, which resulted in the perpetrators being caught.
3.92 In France the Service Central de Prévention de la Corruption ("SCPC"), a French administrative service created in 1992 to centralise information on corruption in order to understand its mechanisms and suggest appropriate measures against it, believes that risks of public sector fraud will be higher in the future due to:
- the extension of the public sector into new areas of risk; and
- the growing exposure of public sector commercial and financial networks that can be penetrated by fraudsters.
3.96 The Bundeskriminalamt, the German agency which compiles national statistics, said that 8,447 cases last year involved crimes by public officials which ranged from accepting bribes to passing on official secrets.
3.99 In order to improve the defences of the public sector against fraud, HM Treasury in the United Kingdom now publishes an annual report on the size, mechanism, and failed controls for every fraud over £25,000 committed by, or involving directly, any public servant. It is felt that by advising potential victims of the risks better controls and security can be developed. The report does not, however, clearly distinguish between national and international frauds, nor does it reveal significant cases that are still subject to judicial process. The most recently available report indicates that the amount of fraud reported was ECU 2.6 million in 1994/5, which was fairly consistent with the previous year but an increase from ECU 2.1 million in 1992/93. Little or none of this fraud is international.
3.100 In the United Kingdom, the Audit Commission, the body responsible for monitoring fraud against local government, has reported that for the financial year ended 5 April 1996 losses of ECU 82 million were incurred through fraud in 166,000 cases against these bodies. The most significant part of this is against the benefits system, which includes an international element. Of these frauds, 99 per cent were against the public sector and only 1 per cent involved public officials.
3.124 Some private individuals suffer directly from international fraud. Everyone suffers indirectly from the effects of fraud which raises the level of taxation, insurance premiums and the prices of many goods and services.
3.125 Private individuals are the most common target for the following types of fraud:
- investment fraud;
- advance fee fraud; and
3.126 Fraudsters target individuals for these types of fraud because consumers generally lack the resources or, frequently, desire to investigate the products which are offered to them.
3.127 Not only do commercial interests suffer from all of the imposed losses and costs associated with fraud that are experienced, but they face significant intangible losses as well.
3.128 One common assertion is that corruption is profitable to companies as they can obtain markets. In fact, corruption kills competition and reduces employment. Besides, it is an additional cost and can cause the margin on a contract to narrow or disappear for the company that gives the money.
3.129 Commercial organisations are most frequently targeted by:
- advance fee fraud;
- computer abuse;
- cross-border corporate fraud; and
- market manipulation.
3.130 Clearly, the banking and financial sector is particularly prone to:
- fraud involving forged financial instruments;
- credit card fraud;
- insurance fraud; and
- money laundering.
3.131 Companies are targeted by external fraudsters in a variety of ways:
- exploiting weak controls;
- corrupting key employees; and
3.132 Companies are also frequently the victims of their own staff and management, who are often ideally placed to override or evade internal controls and supervision.
3.134 Organised criminals throughout Europe are known to target state benefits, education grants, housing subsidies and other payments. These criminals have the ability to create false identities, duplicate official documents and to send in many thousands of applications for public funds. Even when only a small proportion of these succeed, the profits are enormous. The Nigerian "419 gang", as they are known in the UK, is particularly active in this way.
3.137 Throughout Europe, public servants work under severe financial and resource constraints, and the additional resources required to prevent, detect and investigate fraud have not traditionally received the priority which they may now appear to deserve. Against this background, there has been no financial reward or penalty to provide the incentive necessary to motivate public servants to detect and prevent fraud.
3.138 Corruption of public servants has remained a relatively inexpensive and low-risk mechanism by which fraudsters can obtain public funds, contracts and other public assets. Public servants are generally remunerated at a level which makes the inducements offered by fraudsters very attractive. The desire to avoid public scandal, and the wide range of mechanisms by which corrupt gains can be hidden, have resulted in a low rate of detection of corruption by traditional control and audit methods.
3.142 The success of the domestic "smart" card in France at curbing fraud in that country has led to an increase in fraud involving the use of French credit cards outside France where the "smart" system is not in operation.
3.143 In 1983 Europay/Visa introduced coded information in a magnetic strip on the backs of credit cards. The absolute rates of loss fell dramatically in those countries which introduced this, but remained high where it was not introduced. Now, however, fraudsters are known to be able to defeat the magnetic strips, and fraud against these cards is rising.
3.144 The smart chip introduced to credit cards in 1995 resulted in a substantial reduction in domestic credit card fraud in France but is already said to be under threat from new technologies which can break its security.
3.145 IFPI statistics show that, when CD recordings first became available, the rate of piracy was very low. This was at a time when other recording formats including audio cassette were under very great pressure from piracy. As time has passed, fraudsters have gained the experience and equipment to manufacture CDs in huge numbers, now using similar technologies for CD-ROM piracy.
3.158 The Association of Chief Police Officers, Police Superintendents' Association and Police Federation has stated:
"A key feature of organised crime is the application of accountancy, taxation and legal skills in support of illegal behaviour." [12]
3.159 INTERPOL has stated:
"Developments in the past few years seem to indicate that international economic crime is more and more pervaded with criminal "professionalism": use of computers and advanced telecommunication facilities, sophistication of cover-ups, internationalisation, setting up of infrastructures, increase in the respective number of criminals involved, etc." [13]
Problems of location (e.g. computer/Internet fraud)
3.177 There is a growing concern that advances in technology require corresponding advances in control systems. For example, a growing area of concern is financial transactions conducted via the Internet and how banks should protect themselves. One of the key issues is going to be defining in which jurisdiction acts of fraud undertaken using the Internet or similar technology have actually occurred.
5.57 All activity on the Internet is, by definition, international. The technical basis of the Internet is a distributed system with no fixed routing of information. A simple e-mail message from France to Italy may well be sent in parts via the USA, the United Kingdom, Japan and Germany before being reassembled in Italy.
5.58 The Internet is frequently vilified as a haven for a range of criminal enterprises from drugs selling to child abuse. Fraudsters are widely feared to be operating on the Internet, and much has been written about the threat they pose to any commercial activity on the Internet.
5.59 Leaving aside the issues as to whether the Internet is encouraging fraud or whether it passively suffers fraud in the same way as the postal or telephone systems, there are some novel forms of well tried fraud emerging on the Internet as fraudsters adapt to the technology.
5.60 These "new" types of fraud include:
- theft of credit information from digital communications;
- fraudulent electronic banking;
- electronic gambling/lottery frauds; and
- e-mail pyramid sales frauds.
5.61 At its simplest, the Internet allows a fraudster to set out a site on the World Wide Web ("WWW") which claims to be the site of a reputable company or organisation. Victims are then induced to part with funds via credit card payments, or induced to reveal valuable information. At least one major international bank is known, confidentially, to have suffered from this although details of losses are not available.
5.62 Unless the organisation being impersonated is told of the site, it may never find out. The individual victims may not realise their loss for several weeks or months. By this time the fraudster will have deleted all surface traces of this activity and moved on to a new scheme.
5.63 A WWW site may be held in pieces on a large number of computers, and only reassembled on the victim's computer. Deciding where and whether any offence occurred is very difficult in these circumstances.
5.64 The theft of credit information is also possible by intercepting messages from customers to sellers using software tools. Although this is known to be theoretically possible, we are not aware of any proven and quantified losses from this.
5.65 A fraudster can also set up a "business" which does not exist outside the Internet. Recent examples in the press include the creation of "banks" in fiscal paradises, unlicensed and uncontrolled gambling and lottery sites, and pyramid sales schemes which utilise the ease through which people can be contacted by e-mail. In each case the victims are induced to part with funds which will not be used to purchase anything of equivalent value.
Use of encryption
5.66 Encryption is a double edged sword. On one side it provides a secure means of commerce, a way to identify both parties in a deal and ways to protect the copyright of artistic works. On the other side it permits fraudsters to conceal their activities, may lend a false sense of security to unwitting victims and can provide openings into many systems for a variety of frauds.
5.67 There is considerable political debate as to the future of encryption in Europe. At one extreme, France applies laws restricting cryptographic tools as if they were munitions. At the other extreme most Scandinavian countries allow free use of encryption.
5.68 The Council of Europe Draft Recommendation on Criminal Procedural Law connected with information technology contains proposals suggesting that law enforcement requirements are such that the use of cryptography should be restricted. In the United Kingdom the Department of Trade and Industry is proposing a less restricted regime using trusted intermediaries. In Germany the Bundesamt für Sicherheit in der Informationstechnik ("BSI") recommends that all business users encrypt electronic transfers and messages.
5.69 Whatever the regime adopted, encryption forms a vital part of all systems of electronic commerce, and the needs for security and privacy have to be balanced with law enforcement requirements.
5.70 Fraudsters are able to defeat many current encryption methods, at least in theory. Recent press reports have indicated that current 'smart chips' can be defeated using simple equipment and a powerful computer. The encryption used by many Internet users in Netscape (a common piece of software) was broken in 1995, and again in 1996. Even very "hard" encryption (the 128 bit RSA key) is expected by some commentators to be defeated within commercial timescales.
5.71 All of these observations point in one direction: that of a continually escalating 'arms-race' between consumers and fraudsters as an increasing amount of commerce is conducted electronically.
5.72 The growth in fraud, and claims of fraud, on the Internet and against electronic commerce in general is driven by a range of factors. The principal ones are the opportunity to reach new victims before they have 'hardened' themselves against fraud, and the effect of electronic commerce displacing the cash economy from certain areas.
5.73 The latter effect will provide a huge incentive for fraudsters to target these new areas. At present somewhat less than 20 per cent of all European Union consumer payments are made on credit and payment cards. However, the use of plastic is growing at 25 per cent per annum. Even more dramatic growth is expected on the Internet, where the market is claimed to be growing at a compound rate of over 110 per cent per annum. This amazing growth can be seen in the value of annual advertising spend on the Internet, which is expected by some commentators to grow from ECU 230 million today to ECU 4 billion by 2001.
Increasing incidence of non-physical fraud
5.74 As fraudsters move from the paper based to the electronic arena, the challenges posed to law enforcement and civil agencies will be huge. The traditional sources of forensic and other evidence will become rarer, and a range of new types of evidence will need to be acceptable to the courts.
5.75 Even if he can be identified, the fraudster can still protect himself by:
- encrypting vital evidence using near military strength tools such as Pretty Good Privacy and Blowfish;
- completely erasing electronic records, either using multiple deletions or physically destroying the computer and all storage media; or
- hiding electronic records in a jurisdiction that allows a high level of anonymity or has powerful data protection laws.
5.76 The attraction of electronic commerce to the international criminal should not be underestimated. In the United Kingdom a recent case showed that criminals can and do move from physical theft to electronic fraud, when an alleged gold bullion thief was allegedly involved in a fraud against automated telling machines.
5.77 The responses needed to investigate the fraud, secure a conviction and to allow the recovery of losses are likely to become increasingly international, as electronic communications allow fraudsters across Europe to co-operate in criminal activities. In many cases the fraudsters will be able to attack targets across borders without travelling or sending physical material across any border. At least one attack against a US bank is known to have been attempted.
5.78 The challenges posed by this form of "remote control" fraud are high. Traditional defences, such as border inspection, surveillance and interception of communications will not be effective against this threat.
Europay and Visa
6.25 Europay and Visa are separate commercial organisations of credit card issuers which represent their banking members.
6.26 Currently the level of card holders and credit card use is increasing at up to 25 per cent per annum. However, the organisations are succeeding in keeping the absolute level of fraud fairly stable by reducing the relative percentage of fraud.
6.27 This reduction in the level of fraud is being achieved by advances in technology and improved user controls. These controls have a limited life before the fraudsters catch up. The organisations are also working to place the cost of fraud more closely with those responsible for its prevention (such as those who accept cards without proper controls over fraud). Europay and Visa are seeking harmonisation of legislative treatment, co-ordination between the public authorities across Europe and more effective legislation on fraud involving non-cash means of payment.
6.33 All plastic related fraud in the United Kingdom has fallen dramatically due to advances in technology and the formation of the Plastic Fraud Forum in 1990 which has led to a unified approach to the problem. Despite the overall reduction in this type of fraud, the amount of cross-border fraud is increasing partly due to increased numbers of people taking European holidays. This relative increase in the proportion of international fraud is consistent with the experience of Europay and Visa.
6.34 Both associations are seeking complete statistics on the extent of international fraud, and would like fraud to have a higher profile with the authorities, similar to that of drugs trafficking and terrorism. They also seek an increased budget and powers for fraud bodies, a harmonisation of legislation and increased co-operation between organisations.
Corporate reactions to fraud
6.62 Businesses have always been managed against the threats posed by fraud. They have evolved methods of defence against fraudsters, ranging from the very simplest methods of book keeping and segregation of duties, to the use of complex technology.
6.63 In recent years two factors have tended to increase the vulnerability of business to fraud. The first is the rapid increase in the use of modern technology, which is often not understood by managers. The second, and related, topic is the substantial reduction in the number of employees and the consequent reduction in the strength of internal controls in an organisation.
4.20 The formation of the Plastic Fraud Prevention Forum in 1990 evidenced a commitment by the Card Industry to treat fraud as a serious non-competitive issue and provide a unified approach. The results have been promising (in the UK alone 1991 ECU 200 million - 1995 ECU 160 million) and the proposed trial of "Smart" cards in 1997 reflects the on-going co-operation. It has also been a sponsor of a project known as "VIS". VIS is a computerised database recording serial numbers of lost, stolen or invalid identity and other documents. It is a joint venture between the Netherlands National Criminal Division (CRI) and the Credit Registration Bureau. Other organisations participating in this scheme include the Netherlands Home Office, Ministry of Justice, the Association of Netherlands Municipalities, and the Netherlands Bankers Association. At this moment a similar system is under consideration for the UK and matters are being progressed by the Metropolitan Police Company Fraud Squad.
Deloitte & Touche Tohmatsu International is one of the world’s leading accounting and auditing, management consulting and tax services firms. Deloitte & Touche's national practices serve multinational and large national enterprises, public institutions, and tens of thousands of fast growing small businesses. Deloitte & Touche's practices audit over 700 companies with sales or assets in excess of US$1 billion, with more than 63,400 people in 126 countries.
Contact: David J. Bailey
Nicholas Bohm MA (Cantab), Solicitor of the Supreme Court of Judicature in England and Wales