Schneier on Security
A blog covering security and security technology.

June 27, 2006

Employee Theft at Australian Mint

You'd think a national mint would have better security against insiders.

    But Justice Connolly also criticised security at the mint, saying he was amazed a theft on this scale could happen.

Posted on June 27, 2006 at 07:45 AM • 26 Comments

Comments

I remember reading about this a few months ago. I too was very surprised at how easy it was to steal.

Posted by: dm at June 27, 2006 08:27 AM

Back when Sir Isaac Newton (who invented the milling on coins) was in charge of the Royal Mint in England, they had an interesting set of rules to deal with theft etc.

1. An employee who was caught stealing got executed in the most painful way (hanging, drawing and quartering), which was usually reserved for traitors.

2. The employee's supervisor was publicly Gelded and Gouged, a delightful little punishment that involved having one's testicles pulled (not cut) off and one's eyes pulled (again not cut) out. This was the punishment usually reserved for stealing the King's deer; very surprisingly, a number of people did survive it...

Ah, the old days were best...

Posted by: Clive Robinson at June 27, 2006 08:28 AM

"...I would like to think those working at the other mint factory printing $100 notes might be subject to a better system of security..."

Another great example of the law of great numbers through the small numbers.

Posted by: Jungsonn at June 27, 2006 09:00 AM

FWIW: Back on the 6th of March I blogged about the mint at Stolberg in Germany, 500 years old, and some of the security measures taken even then. If you are interested, the URL is

Posted by: Stu Savory at June 27, 2006 09:55 AM

$600 a day? That's a hell of a slice of salami.

At the US coin mints, they warn employees not to carry change into the mint, because they won't leave with it -- there are very sensitive metal detectors that all employees pass through on the way out, and if you have so much as a penny on you, you'll give it up to the mint. And that's just what they show you on the tour...

Posted by: radiantmatrix at June 27, 2006 11:08 AM

http://digg.com/security/Security_Breaches_Pandemic_-_Deloitte_Touche_2006_Global_Security_Survey

Posted by: Saqib Ali at June 27, 2006 12:09 PM

It's not that surprising, though it should be. Note that from the story it appears that the mint never actually woke up to the problem themselves; local businesses became suspicious. I guess it would seem odd to be buying a new TV or putting $100 of petrol into your car with the sole method of payment being freshly minted $2 coins.

As for internal versus external threats generally - it wouldn't surprise me if instances of the former exceed the latter by an order of magnitude, for a number of reasons - generally employees aren't trained on what is appropriate behaviour and what is not; are trusted; have freedom of movement; aren't audited or searched; aren't monitored; and most of all their supers/managers aren't prepared to take part of the blame when holes/events are exposed. You'd also imagine employees are the most likely group to have a motivation for wrongdoing that extends beyond the financial dimension, as was the case in this story.

Obviously there are exceptions to these where security is taken seriously. You'd think a mint would be one of them.

Posted by: Rob Mayfield at June 27, 2006 04:40 PM

One of the impediments to implementing real security is that the bosses don't trust themselves (or each other) not to steal small stuff -- office supplies and such.

Posted by: roy at June 27, 2006 05:33 PM

50 years ago my grandmother used to work at a Cailler (now Nestle) chocolate factory in France that had better security!

One woman was caught stealing chocolates by hanging a bag under her skirt.

Posted by: Richard at June 27, 2006 08:06 PM

You mean, the mint is less secure than the mint chocolate?

Posted by: Filias Cupio at June 27, 2006 10:00 PM

He missed an obvious trick: the loot could have been easily laundered through casino poker machines. This turns new coins into old (with the casino taking a cut) and then the casino will not question you exchanging a couple of thousand dollars of used coins for paper money.

(For that matter, I've deposited over $3000 in quarters at one go, with no question from the teller other than an anguished "why me?". It was, however, into a non-personal account.)

Posted by: Filias Cupio at June 27, 2006 10:16 PM

The judge is probably good at his job, but I am glad that he is not in charge of security of the currency, since he does not know how or where it is produced.

$100 notes are produced in Victoria by Note Printing Australia, which is owned and run by the Reserve Bank of Australia, which is a (mostly) autonomous body. Coins, on the other hand, are produced in Canberra at the Royal Australian Mint, which is operated by the Federal Government (via the Department of the Treasury, I believe). So the security measures are completely different. It does not surprise me that the one operated by the politicians had the poorer security.

And NPA does at least have "dual custody" rules in place, although I have no idea how well they are enforced.

Posted by: ashtray at June 27, 2006 10:21 PM

@Richard: I'm surprised the chocolate factory where your grandmother worked even tried to prevent theft. I have a friend who works in a chocolate factory and the policy there is that an employee may _eat_ as much chocolate as they want, but not take it out of the factory. As a result, all new employees spend their first day on the job stuffing themselves with chocolate and making themselves sick. After the first day they never want to eat chocolate again, and guess what? This factory has very little problem with theft.

Posted by: Matthew at June 28, 2006 02:38 AM

But security is a trade-off between the cost of the security breach and the cost of the security measures. Perhaps the mint did a thorough threat analysis, taking into account the number of employees with access to the coins, the maximum weight/volume of coins they could carry out in a day, and the expected proportion of dishonest employees. They did the maths and it worked out that the expected "leakage" was less than the cost of the security measures (buying metal detectors, having security guards to staff them etc)...

Posted by: MartinBuden at June 28, 2006 03:56 AM

@MartinBuden

Bruce wrote about a similar subject in his book "Secrets and Lies", concerning Iran's state-of-the-art, made-in-USA bill-printing machine. Looks like the ayatollahs decided it would be more profitable to print $100 bills than their own currency. Some people in the US were alarmed because Iran's prints could make virtually perfect US bills. But someone calculated just how many bills Iran could print, and decided that it would not threaten economic stability.

Both are good examples of "security through inaction". That is, if it's broke but takes more money to fix it than not, just leave it alone. The banking industry has long learned that. They know that the price of securing credit-card transactions is much higher (both in terms of lost money and of lost credibility), so they don't try hard.

Of course, that is easier to implement in the private sector, where income and expenses have to be taken into account. No government official could say something like "yeah, we should put more security measures in that metro station, but it would be cheaper to rebuild it should something go wrong".

Posted by: Arturo Quirantes at June 28, 2006 05:10 AM

I wasn't seriously suggesting that the Australian mint actually did this threat analysis. I almost added a statement "Or perhaps they were just stupid" to my comment, but I thought it more humorous without the qualifier. Of course, Occam's razor tells us that they were just stupid.

Posted by: MartinBudden at June 28, 2006 05:27 AM

I worked at a chocolate factory too one summer. We were not allowed to eat it on the line, but were able to eat the duds. As for getting sick of chocolate, forget it! I loved it and even bought huge quantities from the company store (at cut-rate prices) at the end of the summer to keep me going over the next year in university.

Posted by: Brian at June 28, 2006 08:16 AM

I used to ride the bus with a couple of folks that worked at the Denver Mint. If they brought more than a certain amount of currency with them (I think it was about $20), they had to leave it with a supervisor, who had to fill out paperwork and lock it up outside the working area. Even with all that, at least once per year someone got busted trying to smuggle cash out, sometimes using hollowed-out radio/mp3 players.

Posted by: Peter at June 28, 2006 08:32 AM

"The employee's supervisor was publicly Gelded and Gouged"

This sounds like strong encouragement for a supervisor to collude with guilty employees or suppress evidence of their crimes.

Posted by: Luke Gilliam at June 28, 2006 03:54 PM

Regrettably the Australian Government has a long history of not taking security seriously. Project Venona showed that Australia was one of the GRU's favourite shopping places, not because we had any of the really good secrets but because we leaked the ones we did have.

And now Australia is trying to insist that the US share stealth technology if we are going to buy some JSFs. Note to US: don't tell us. We will leak it.

Posted by: Roger at June 28, 2006 08:46 PM

U really need to have when the money first got printed!!!!! >:(

Posted by: EZA at July 25, 2006 12:49 AM

I am doing a project about money. Can you help me with some questions? How do you get a job with the Australian Mint? How much is Australian money worth in other countries, e.g. Africa, China, Italy?

Posted by: \/|[<>*lachlan*<>]|\/ at August 27, 2006 06:55 PM

Bruce, can you supply me with information regarding Iran allegedly purchasing a US-made state-of-the-art paper currency printing machine? Is this fact or myth? If fact, how can I get all the information pertaining to that purchase? This is quite urgent. I need it for a proposed ink article and op-ed piece.

Regards,

Posted by: Yousef Salem at October 31, 2007 12:22 PM

CAN YOU KINDLY REPLY TO MY REQUEST? THANX

Posted by: Yousef at November 7, 2007 01:45 PM