Saturday, January 13, 2024

1% GST INCREASE IS A DOUBLE SALAMI ATTACK ON SINGAPOREANS



At a recent Xmas gathering of some old school chums, a friend reminisced about some pranks he had pulled. He told of a certain teacher who used to have him order her fishball noodles from the tuck shop, an old local term for school canteen. The dish came with six fishballs. En route with the dish to the Teachers' Room, he would pick two fishballs for himself. The teacher was none the wiser. It was an act of sheer teenage fun, for a glutton he was not. Do rest assured he is currently not with Grab or other food delivery services.

I am reminded of a story I read in my primary school days. A group of rats stole a cake and hid it offsite, intending to keep it for the coming winter. Till then, no one was allowed to touch it. One of the rats could not keep his mind off the cake. He thought to himself he just wanted to see and smell it. So he cooked up a story of wanting to visit a cousin in another part of town. Off he went to visit the cake instead. Overpowered by temptation, he thought a small bite would surely go unnoticed. And so he nibbled. One bite followed another and, before he realised it, he had eaten a quarter of the cake. On returning home, folks enquired about his cousin. When asked the cousin's name, the rat mumbled "Quarter Gone". The next day, the urge was too strong, so the rat went to visit cousin number two. This time the cousin's name was "Half Gone". The third cousin's name was "Three-Quarters Gone". Finally, the fourth cousin's name was "All Gone".

In Godfather III, Michael Corleone wanted to transform the family mafia empire into a legitimate business. First order of the day was to buy out a Las Vegas casino from Moe Greene. Michael's reason was that Moe was making losses. An incensed Moe asked: "Do you think I'm skimming off the top, Mike?"

To "skim" is to take away something, a little at a time, so that it is not noticed. It could be fishballs, a bite of a cake, casino takings, etc. The term "Salami Slicing" was used for acts like these. The term is credited to Hungarian dictator Matyas Rakosi in the 1940s, who boasted how his Hungarian Communist Party destroyed the opposition Smallholders' Party in a step-by-step manner he called "szalamitaktika", Hungarian for cutting the salami one thin slice at a time. The term "Salami Slicing" extends the idea of stealing assets stealthily in small amounts to non-assets such as personal information, or inconspicuous actions taken one step at a time towards a major objective.

In the monetary world, salami slicing is as old as when metal coins appeared in the first millennium. When metals like gold, silver or nickel were used, people clipped tiny bits off the coins. Over time, coins were debased as they lost weight and the intrinsic value of the metal became lower than the face value. To counter this, coins were minted with stripe etchings at the rims, which is still practised today.

In the nascent stage of computing some 50 years ago, I learnt about the problem of approximation errors. This goes into deep engineering science covering floating rates, differentiation, mantissa and other exotic terms. These topics drove me nuts and I am none the wiser after all these years.

As I understood it in layman's terms, the problem is like this. In computing, data needs to be stored in fields of certain lengths, so sufficient size is allocated for each specific field. Where monetary value is concerned, the field has to deal with 2 decimal places to account for the cents. The integers to the left are not a problem since adequate length can be allowed. But the fractions to the right are set at 2 decimal places with 2 byte lengths to account for the cents. This becomes a problem with certain financial applications like interest and foreign exchange computations, which deal with strings of decimal places of undefined lengths. The system has to truncate to 2 decimal places after rounding. But the truncated numbers to the right cannot simply disappear. They are placed in a holding account, which statistically moves towards levelling out because they can be positive or negative.

Technically, a programmer can code by rounding down the decimals. In a round down the bank loses and customers profit. The programmer routes the credits of the truncated parts to an account he controls. Each is a fraction of a cent, but over thousands of transactions and over time, the balance builds up.

While I read about this decades ago, I have yet to see a real case of this quintessential salami attack. Trust Hollywood to present art for real life to follow. "Superman III" has a sub-plot of a quite similar salami attack. Several films carried slight variations of salami attacks, such as "Hacker" and "Office Space".

Almost all who have written of salami attacks describe one form where small amounts are transferred from many customers to a perpetrator's account. The amounts are so small customers do not bother or notice. But none can refer to any actual case. They can't, because it cannot be done. These writers have no understanding of accounting processes. Accountants and auditors will tell you entries originate from transactions that come with reference or control numbers. The programmer may code-force the entries through but he has no transaction control numbers. All these entries absent control references will be easily exposed.
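The two checks implied above (the rounding residue should level out under an unbiased rounding policy, and every ledger entry should carry a control reference) can be written as a small audit. This is an added example, not from the original post; the account numbers, control references, amounts and function names are all constructed for illustration.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")

# Constructed sample: exact (unrounded) interest per account for one batch.
EXACT = {
    "A-1001": Decimal("0.0897"),
    "A-1002": Decimal("1.2345"),
    "A-1003": Decimal("0.4551"),
    "A-1004": Decimal("2.0078"),
    "A-1005": Decimal("0.3312"),
}

# Constructed ledger for the same batch: (control_ref, account, amount posted).
LEDGER = [
    ("INT-0001", "A-1001", Decimal("0.08")),
    ("INT-0002", "A-1002", Decimal("1.23")),
    ("INT-0003", "A-1003", Decimal("0.45")),
    ("INT-0004", "A-1004", Decimal("2.00")),
    ("INT-0005", "A-1005", Decimal("0.33")),
    (None, "Z-9999", Decimal("0.02")),  # entry with no control reference
]

def residue(exact, rounding):
    """Total of (exact - posted) across the batch under one rounding policy."""
    return sum((v - v.quantize(CENT, rounding=rounding) for v in exact.values()),
               Decimal(0))

def audit(ledger, exact, policy=ROUND_HALF_EVEN):
    """Flag entries lacking a control reference and postings that do not
    match the documented rounding policy (assumed here to be half-even)."""
    findings = []
    for ref, account, amount in ledger:
        if not ref:
            findings.append(("NO_CONTROL_REF", account, amount))
        elif account in exact and amount != exact[account].quantize(CENT, rounding=policy):
            findings.append(("ROUNDING_MISMATCH", account, amount))
    return findings

if __name__ == "__main__":
    # Half-even residue hovers around zero; round-down residue is always positive.
    print("half-even residue :", residue(EXACT, ROUND_HALF_EVEN))
    print("round-down residue:", residue(EXACT, ROUND_DOWN))
    for finding in audit(LEDGER, EXACT):
        print(finding)
```

On this sample the round-down residue is one-sided and grows with every posting, while the half-even residue mixes positive and negative terms, which is the levelling out the holding account relies on.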

Many have written on the topic, from bloggers and serious writers to researchers and academia. I googled for examples of digital salami attacks and found four commonly quoted ones. But these all came from one single source, Thomas Whiteside in his 1978 book Computer Capers. So as not to distract from the blog proper, these cases are described below for those who would like to know more. My opinion is that they are most likely concocted. Firstly, they lack specifics of name, time and place. Secondly, in those days, software development used lower level generation languages, many were assembly driven, using huge libraries. Development is seldom a one-man show but a big team effort. Thirdly, to install a new or modified corporate system is no simple job. It requires machine shutdown, code compilation, testing and an authorisation process before it can be put in a live environment. It is difficult to contemplate that such a complicated process can bypass various operating and control levels.

The only authentic case I know of an insider who redesigned programs to embezzle small amounts at a time was at Taco Bell, Libertytown, Maryland in 1997. Willis Robertson was able to reprogramme his Taco Bell drive-up window cash register, causing it to ring up each $2.99 item internally as a 1-cent item, so that he could pocket $2.98 each time. He amassed $3,600 before he was caught when he bragged about his crime to co-workers. This was limited in scale, relatively simple technically, and all within the control of one man. Absolutely possible.

Many experts have written about the possibility of salami attacks in the Fintech sphere, especially in the ACH (automated clearing house) network. One such opportunity is in the practice of "micro deposits". When you open an online banking account or wallet, such as PayPal, FX-crypto-stock exchange brokerages, etc, there are links to your banking account for onboarding or withdrawing into fiat money. Or you may use some platforms with backend links to ACH, like SimplyGo. All these online accounts or platforms may initiate a micro deposit of a few cents up to a couple of $ to your bank account. The purpose is to authenticate your account and test that the complicated routing codes are working.

There is a celebrated micro deposit case of USA vs Michael Largent, who was indicted in 2008. He opened 58,000 trading accounts with E*Trade and Charles Schwab under various fictitious names. The two brokerage houses sent him a total of US$50,000 in micro deposits. If you are wondering whether he broke his fingers opening 58,000 online accounts, well, it seems he wrote software to automate account creation. My question is why the brokerage houses accepted trading account names that differed from the bank account names.

I tend to think salami attacks probably occur more outside computer domains. One that I was personally acquainted with was in the 1970s. I was part of a team conducting an audit at Far Eastern Bank. When I was working on cheque books and stamp duties, it was narrated to me how an old messenger had embezzled funds. He was tasked to make payments for stamp duties on cheque books. I think at the time it was $15 per book. He would collect from petty cash, pay for a lesser number of books each time and pocket the balance. It went undetected for decades. But he was very fortunate the bank was family run and the folks sympathetic to old employees. No police report, just a reprimand. I often wondered, would I have been able to detect that embezzlement?

By now, most readers would have gotten ahead of the blog and understand what GST is all about. In the preceding blog "What the fuss about a mere 1% increase in GST" I showed the math of how it translates to a much higher tax revenue than the 1% suggests and how the rounding-up profiteering tactic prospers vendors tremendously. So whilst gulping down fishballs may be schoolboy mischief, and quintessential salami attacks in computerised settings are not as prevalent as experts write about, the 1% increase in GST is a true-blue salami attack, with both IRAS and vendors slicing Singaporeans in broad daylight one purchase at a time. For IRAS it is fiscally legal, for vendors it is just capitalism in progress.

*************************

Extracts from Computer Capers (Thomas Whiteside, 1978):

(a) "The embezzler was evidently using the bank's computer to transfer twenty or thirty cents at a time, at random, from 300 checking accounts at the bank and diverting the money to a dummy account for his own use. The computer criminal was careful never to divert sums from any particular account more often than three times a year. Because a customer was unlikely to notice such a small discrepancy in his monthly bank statement — or, if he did notice it, to find it worth his while to go to the bank and argue over it — the embezzlement was likely to go on and on."

(b) "Two programmers who were employed by a big New York garment firm instructed the company's computer to increase by two cents the amount withheld from their fellow-employees' paychecks each week for federal taxes. They further programmed the computer to direct the two cents per employee per week to their own federal withholding accounts. The result was that at the end of the year they received the money in the form of refund checks from the Internal Revenue Service, which had been acting as an unwitting bagman for the embezzled sums."

(c) "One way in which the computer criminals might employ the salami technique is to round down any sums ending in fractions to the nearest whole number — for example, fractions of pennies as these are computed in interest-bearing accounts. In the meantime, the criminal has established a dummy account at the same bank, and he programs the computer to divert the surplus from the round-downs to this account. Quietly accumulating year in and year out, these fractional sums can mount handsomely, and usually neither the bank nor the depositors know what is going on."

(d) "A programmer working at a mail-order sales company had its computer round down odd cents in the company's sales-commission accounts and channel the round-downs into a dummy sales-commission account he had established under the name of Zwana. He had invented the name Zwana because he knew that the computer processed the company's accounts in alphabetical order, and he could easily program the computer to transfer all the round-downs into the last account in the computing sequence. The system worked perfectly for three years, and then it failed — not because of a logical error on the culprit's part, but because the company, as a public-relations exercise, decided to single out the holders of the first and last sales-commission accounts on its alphabetical list for ceremonial treatment. Thus Zwana was unmasked, and his creator fired."






1 comment:

Anonymous said...

The new SimplyGo system is a good way for the G to eat more $$ from the sillyporean. Just by simply over-deducting 1 cent/transaction, G can earn bonus for their crony. Most sillyporean would not be bothered to check their transport transaction daily, so it is a very easy way of eating the sillyporean $$. Reminds me of the former SIA staff who ate the overtime pay of air crews long time ago.