Schneier on Security
A blog covering security and security technology.
« Security ROI |
| Sucking Data off of Cell Phones »
September 2, 2008
Software to Facilitate Retail Tax Fraud
Thanks to a software program called a zapper, even technologically illiterate restaurant and store owners can siphon cash from computer cash registers and cheat tax officials.
Zappers alter the electronic sales records in a cash register. To satisfy tax collectors, the tally of food orders, for example, must match the register's final cash total. To hide the removal of cash from the till, a crooked business owner has to erase the record of food orders equal to the amount of cash taken; otherwise, the imbalance is obvious to any auditor.
The more sophisticated zappers are easy to use, according to several experts. A dialogue box, which shows the day's tally, pops up on the register's screen.
In a second dialogue box, the thief chooses to take a dollar amount or percentage of the till. The program then calculates which orders to erase to get close to the amount of cash the person wants to remove. Then it suggests how much cash to take, and it erases the entries from the books and a corresponding amount in orders, so the register balances.
Posted on September 2, 2008 at 12:24 PM
• 34 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
You've made the point before that technology generally doesn't enable new kinds of crime, it just allows for new variants on old ideas. I think this is more of the same. Some of us who are old enough to remember the days of electro-mechanical cash registers also remember there were certain small restaurants (for example) where the cash register always seemed to be broken -- or, at least, it was never observed to ring up a sale.
Interesting. This trick is similar to what the "SOES-bandits" did to evade the $5,000 trading limit on the NASDAQ Short-order-entry terminals in the early 90's.
Of course the level of fraud by the SOES-Bandits was in the hundreds of millions.
key complaints summarized here
46. The post-trading allocation of trades was possible because the SOES system did not require an Order Entry Firm to identify a particular account to enter an order. Rather, Datek Securities merely had to identify itself as an Order Entry Firm. Datek Securities traders executed SOES trades without regard to any particular account, and routinely violated the rules regarding maximum size orders. Traders did not create or fill out contemporaneous order tickets.
47. From 1993 to 1994, Datek Securities employees manually allocated Datek Securities' trades among accounts after the close of the market. McCarty and Erik Maschler specifically taught employees how to allocate trades, and often performed the allocation themselves. After the close of the market, Datek Securities clerks reviewed a Nasdaq print-out of the day's trades and matched the closest chronological SOES buys and sells of the same security to free up the greatest amount of "buying power," which was the amount that could be purchased in a particular account based on margin requirements and the equity in the account. After trades had been matched, the clerks gave the list to back-office employees to determine which trades would be assigned to each account. Trades were allocated to particular accounts in a manner that gave the firm's records the appearance of compliance with NASD rules governing SOES. Other factors in the allocation process included the margin requirement for the account and the rate of return guaranteed to the account. In addition, Datek Securities employees also assigned numerous profitable trades to certain favored accounts.
48. After the trades had been allocated, they were entered into a computer system. The resulting computer file was transferred to Datek Securities' Brooklyn office, where the information was used to generate the firm's accounting records, including blotters, trial balances, and customer account statements. The proprietary trades were unlawfully executed and falsely recorded as those of individual retail customers. Consequently, Datek Securities' books and records were false and inaccurate.
Any good auditor would compare stock on hand to stock ordered/received to receipts. Does any of the software account for this? Or is the business owner expected to remember this little detail and fudge those records seperately. Seems like an opportunity for an end to end small business solution provider :)
My company has an office in Aachen, Germany and I used to go there a lot. It's a university town, and the pubs are full every night of the week (a nice change from workaholic Silicon Valley). But on one visit several of the bigger pubs by the main downtown square were closed, so many that a normally hopping area looked like a ghost town. My local colleagues told me that there'd been a raid, that the tax authorities counted the empty beer bottles and it turned out that they'd been selling about four times the volume of beer that they'd been paying taxes on. It's a cash business so they thought they could get away with it.
@Rev Matt: "Any good auditor would compare stock on hand to stock ordered/received to receipts. Does any of the software account for this? Or is the business owner expected to remember this little detail and fudge those records seperately."
That is easier to do in retail business, where you are selling discreet units. It's more difficult in a restaurant, where you are buying food product in bulk. In other words, it would be hard to get away with only reporting half of your sales in a restaurant. But reporting 98% of them would be difficult if not impossible to detect by looking at food purchased through the supply chain.
Bruce: A shop owner using such software could easily be proven too smart by half. In today's world there's so many ways for someone (your accountant, store manager or computer repairman) to make surrepticious records about the fraud and then snitch. Tax authorities pay a bounty to snitches, and the shop owner risks going to jail. Direct case in point: Steward J. Leonard, Sr. v. Commission of Revenue Services, out of Connecticut (Supreme Court 16735, June 10, 2003)--Ben http://hack-igations.blogspot.com/2007/12/...
Where was this tool when Benigans needed it so badly.
This is a bogus report and tool; smart restaurateurs have been doing it for ages. Those who don't do it go out of business in about a year.
Restaurants can cover the discrepancy between what's bought in bulk but sold piecemeal by insisting there was much spoilage -- and of course the auditor is welcome to head to the dump to go through the garbage to verify that claim.
A second cover for bought-much-sold-less is 'shrinkage' --- the business term for shoplifting, employee theft, and damage.
I lived in Paris for 20 years in the 80s & 90s. The French IRS (called the Fisc) would audit small restaurants and bars by, first sending the auditors once or twice just as normal clients to case the place.
The auditors would then show up ask to see the purchases for things like:
- amount of salt purchased in the year
- number of table napkins purchased
- number of bottles of ketchup purchased
These are used to estimate the number of meals served for the year.
They would then calculate the average amount spent on a meal (main course, desert, wine, ...) using the menu.
Using only these purchases and the average amount spent, they then calculated the gross sales of the establishment. People told me that they could come within one or two percent of the actual gross sales this way.
Only when they have this estimate, they ask for the sales declared by the owner on the tax return. If there is a difference, they investigate further
For instance, if the tax inspector estimated 900K gross revenue and owner declared 870K revenue, the inspectors would not audit them. But, with this example, if the owner declared only 700k revenue, they would spend a lot time inspecting the books.
The auditors were very good at this and very accurate. The saying goes that the French have been doing tax collection for more than 800 years so they are getting the hang of it,
As always, it's the greedy ones that get caught... If you avoid taxes on say 5% of sales, you can get away with saying it was spoiled or consummed by the staff.
The best way to discourage this is to pay by credit card / debit card since these systems essentially act as a double entry system with one half controlled by an external entity.
way back when I worked at a chicken joint, the cook kept track of what they received, what they cooked, and counted what was in the fridge at the end of the day. The front staff kept track of what they threw out, a count for staff food and the register tracked what was sold. In the end the managers compared all of the numbers to balance stock items.
It would take too much time to doctor all the books back to the ordering if there was more than an audit of the register tally.
Not worth the risk.
If the restaurateur or retailer is corrupt enough to be fiddling his tax, he will probably have a network of cronies who can provide him with input commodities from irregular sources and which also don't go through his books. This will blur the input/output>unity = profit equation. Experienced well trained auditors can smell a rotten operation quite quickly after a short period of observation.
In my neck of the woods I've yet to see an "ethnic take-out restaurant" even ring my order into the register if I'm paying cash. The glare I get when I flip out a card tells me all I need to know.
Back in the heady days of my youth I worked at several restaurants. Not one them was completely honest with their books/inventory/cash. From what I understand from insiders, it's even more prevalent in bars (with higher numbers). Skimming is easy and it's simple to juggle the accountings. This software sounds to me more like something the FBI or IRS would use a lure to bust idiots who bought it.
Old news in Canada..:
The original zapper software used to delete the transactions from electronic cash registers. Now cash registers are PCs running Windows. Much easier targets for the tax inspectors.
Restaurants are rife with tax fraud throughout. The reason that the staff won't rat out the owner skimming the till is because they're underreporting their tip income. And you can bet that their suppliers all work the same way, skimming their deliveries.
The only thing I fear at a restaurant is adulterated foodstuffs.
Tempest will easily betray you here, especially depending on how the system works.
Sophisticated attacks are simple today, especially when how to are published.
While courts might require real skill and accountability of methods, even a local cop could run a simple monitoring tempest against computers.
A simple scanner might be all needed.
The only small business I've worked in that didn't have this practice is the one I currently own -- we never have cash customers for computer consulting and product development -- and there is no need anyway. The more honest of the small business owners -- all I've worked for -- cut the employees in for perks whenever a large cash customer made a purchase -- and the customer also usually got a special discount for cash, despite threats by the card companies. Small business, small town, Visa's eyes and ears aren't everywhere.
One owner also got significant discounts by paying cash for the merchandise, particularly Sony when they were legally "price fixing" pre-Nader so I assume the practice went all the way up the chain.
I was once married to a waitress -- same deal -- who was "busted" for underreporting tips. But she wasn't - the IRS assumed a waitress in a kid's ice cream bar made out like a steak house hostess. Took a little convincing (took them to the place to see for themselves what tips were and so on) but no dice for the big bad IRS. Of course her boss was skimming and they never checked him at all.
Thank heavens for the "voluntary" tax system!
But only the dumb need to cheat. The tax laws are interesting at best, and it's hard to believe that in a year we grossed well over a million dollars, we paid tax on something like 38k (across 3 people) -- all legal as can be. Of course, our geeks had all the finest toys at the business expense and so on, and the working environment had all the nicest luxuries possible -- why not? It's where we spent 10-15 hours a day anyway. Hint -- a good, honest accountant is way worth what he costs.
Being off the power grid is another -- the aptly named power company is responsible for enforcing building permits in most localities. So, buy a piece of land, build a few "barns" and pay diddly taxes -- no "dwellings", little property tax, all legal. So what if you have to dig your own drainfield, and well (no permits needed if no licensed contractors used). Solar pays for itself every year under that unintended alternative energy subsidy. Could be worse. And even the locality tends to look the other way when you're creating jobs in a poor county.
"In a second dialogue box, the thief chooses to take a dollar amount or percentage of the till."
The author should not assume that only a thief would use this tool -- it could also be useful to the property owner himself.
COOL! I'm going to start erasing items from my tab!
"The glare I get when I flip out a card tells me all I need to know."
They lose a percentage on each credit transaction, since most non-chain restaurants are struggling, of course they don't like cards.
"The author should not assume that only a thief would use this tool -- it could also be useful to the property owner himself."
The author is probably just some pro-government journalism major, too stupid or lazy to get a real job actually doing something.
my favorite example of this sort of thing was at a grocery store in colorado, as mentioned here:
a programmer hired to write the point-of-sale (POS) software was paid a moderate wage, but during his contract he kept driving fancier and fancier sports cars to work.
eventually he showed up in another kind of POS, a dodge viper.
long story short, the cars led to an investigation. basic accounting revealed the grocery had irregularities in milk sales. some percentage went to the developer's personal fortune.
black hat had a presenter this year who spoke on similar examples from different industries. he referred to it all as "business logic flaws" and tried to highlight the novelty. however, i agree with the other comments above that it really is just fraud.
at least things like tax irregularities can be settled later with fines or end up in consent agreements (e.g. aurora dairy was handed 14 willful violations for trying to sell industrial milk as organic -- http://www.ams.usda.gov/AMSv1.0/getfile?...
tax fraud might seem like a problem, but when it comes to software fraud these days there will never be another 2000 us presidential election.
If I were running a restaurant, I'd be far more interested in the reverse: software to inflate my sales by a set amount in order to facilitate the money laundering operation I'd have running on the side.
Many of the comments here remind me of the old question about the difference between a businesman and a buracrat...
"A buracrat has a rule book and provided he never breaks the rules he is safe. A businesman however can only survive the competition by breaking the rules."
In reality to prosper both need to "bend the rules" it is to what degree and "where the buck stops" that realy matters.
As noted by others above a good accountant is worth the price they charge for two reasons. They knows the legitamate tax avodence systems and secondly and possibly more importantly they know what the current taxman "norms" are.
The "norms" are the real rules of the unstated game between the taxman and the businesman...
Put simply the "norms" are what the taxman thinks an "reasonably honest business" in a particular market sector should be showing. If your business fits in with the norms for that sector then it is unlikley to receive an investigation (unless evidence of dishonesty is presented). Go outside the norms in either direction or have unhappy staff with a grudge then expect an investigation.
As the old saying goes "if it looks like a duck, waddles like a duck, quacks like a duck, why would you think it was a goose?"
Of course these "norms" cannot distinquish between an honest and dishonest business only a "real full audit" can do that and the cost is usually enteirly disproportianate to any gain so the taxman needs the "norms" as a yardstick.
Setting what the "norms" are is the game, and it is by understanding this that the sometimes strange behaviour of the taxman should be viewed.
In an established sector the traders will by gently pushing the bounds, over time they will have moved the "norms" in their favour. Which is "obviously" not in the revenue or treasury serivces interests, nor their political lords and masters who need the taxes to do "worthy work / bribe the electors".
Which is why every so often the taxman will pick on a particular market sector and hit a few busineses with a real full audit, and then pillory anyone who cannot defend themselves up front.
A couple of public show trials against those who cannot defend themselves and the revenue service theory is the "norms" will move back in the their favour (and those above them either are disinterested or implicitly agree with this behaviour).
Unfortunatly for most revenue services this game nolonger works for multinationals etc who often pay considerably less than 3% on any real profits (as a token gesture only). This is simply because once a business is above a certain size it has the ability not only to defend it's self up front, it also knows that the revenue service has a number of significant weekneses which it can exploit if a word in the right ear does not remove the problem.
Unfortunatly the revenue services know this only to well, and when it comes to the draw they blink virtually every time. Usually this is because they know that their political lords and masters won't back them with the required resources.
Knowing the rules of the game can help you.
As an honest small business stay within the "norms", keep your staff happy and have the right accountants. When you get a normal revenue audit have a "little something" for them to find plead an honest mistake and make immediate restitution and ask the revenue auditor for advice on how to avoid making this mistake again. This is based on the theory that "to err is human" and if they don't find something they are going to keep looking as you are obviously not super human therefor you must be covering something up...
If you do get randomly selected for a "real full audit" they will probably find something serious (this is the consiquence of an overly complicated taxation system). If they do either negotiate with the taxman immediatly pleading an honest mistake or fold the business in a politicaly damaging way and start again in a new juresdiction.
As an independent entity you are out on your own and simply do not have the resources to spare to fight. The taxman knows this so will just use you as an "example" to be publicaly abused to keep others in line.
The exception to this is when they are usuing you as a "test case" to set their agender (over that intended by the law makers). They won't negotiate except to string you along to get more evidence, and if you chose to fight they will rack up the costs etc to frighten you into pleading guilty thereby setting their interpretation of the law.
There are three ways of dealing with this.
The first and simplest is not to be a worth while target in that you have no assets etc and you simply fold and walk away before they get started.
The second is to be part of trade associations etc who have the resources, legal contacts and can motivate the market sector in your favour with lobbying and media preasure on the revenue's political lords and masters.
The third and most difficult (for a small business) is what large businesses do which is be a source of revenue for the political party that is currently in office. A well placed "word in the ear" from a political lord and master usually stops problems well before they get going.
If you are a medium sized business then you have additional problems, in that not only are you a potential target for the authorities you are now a target for other businesses either to be taken over or to be forced from the market place.
The sensible stratagy especialy if you are in a "high tech" industry is to not have all your eggs in one basket.
There are many ways of doing this but the simplest is to have more than one legal entity.
The entity that trades has no viable assets (property and plant) and assumes all the liabilities. It only legaly trades via "one way" connections to other entities.
For instance it can raise capital by using it's IP assets (Patents etc) as security against a loan from an entity in another juresdiction, effectivly moving the asset away from potential preditors whilst also allowing for "tax efficient" trading. That is if the loaning entity is in say a tax haven or low tax zone, as the trading entity can lose all expected profit via repayment and interest on the loan.
Importantly though if both entities are effectivly owned by a parent organisation the trading entity can be used to take any hits. As such it is like the leaves on a tree the loss does not kill the host. How you do this is subject to what you find moraly acceptable.
In Europe for example you are almost positivly encoraged to trade in this way by the simple fact that although there is a "common market" amongst the member states taxation and development grants are a matter for each state.
So for instance one smallish country has high rates of VAT (sales tax) that it uses to provide business development grants. All sales from that country into the rest of Europe means that it effectivly gets a backdoor grant from the other member states, which is one of the reasons that software organisation have their trade entities based there.
Could you please clarify how small businesses modifing tax records relates to the 2000 election?
Please don't derail unrelated threads onto the subject of U.S. elections.
Yup, this is just what I meant to say, but you said it better and more completely. A good accountant (always an honest one!) is worth his weight in just about anything for all the reasons you describe, and more. (I'm not one, I write code, design hardware things and so on).
Beyond knowing the norms, which is highly important, he will also be able to give hints on "how to live" or how to structure things such that your various tax liabilities are minimized, and the costs of doing what you wanted to do is minimized, meaning you can do more of whatever those things are. In my case, this meant more cool toys for all, a buffed up workplace, and sending my workers home with a _lot_ more money in their pockets. And part of that was giving them access to the accountant, so they got to keep lots more of what I paid them. Needless to say, these workers were always "contractors" which helped them avoid taxes legally, and me to avoid unemployment insurance taxes and various other monetary drags associated with having "legal" employees.
The result of course is a much more highly motivated workforce, something you can't just go and buy with money. But it can sure make you a pile.
We're all retired now, only work when we want to -- we still like each other's jokes, and at ages from 45 to 53 when we retired a couple of years ago. Most of that was working so hard we didn't have much time for spending, and spending only on the right stuff -- keeping the money we EARNED in duh, the bank, and now the markets.
Life is good!
@understandably anon: The kind of "shell game" accounting you describe has been done to death -- of Enron and Worldcom, among others. Time will tell what new loophole appears to replace it, but using multiple entities with "one way" relationships will not protect you from the tax man. They will just blow right through the supposed wall between your entities, and put you in jail for fraud too.
Strange ECRs you seem to have. The ones around here -- even the ones that are actually Windows PCs (or sometimes, in fact, OS/2 or DOS) -- all still have little receipt printers to print a receipt for the customer. And the ECR receipt printers have a special feature: they print two copies of everything, one goes to the customer, and one gets coiled back up on a roll inside the machine for later use in reconciliation and auditing. While not impossible, it will be considerably harder to doctor the paper-based backup record.
Of course if the store owner is the one doing the stealing, he can burn all those receipts, but if more than a few are missing, the auditors will get suspicious and go over everything with a fine-toothed comb.
I remember watching a funny (Japanese) movie years ago called "A Taxing Woman." It showed a number of dodges that smaller businesses would do, as well as how the tax inspector (the title char) caught them.
@ John David Galt,
'The kind of "shell game" accounting you describe has been done to death'
That is partly true and because it is reasonably well known was the reason I described it.
But it is still very viable in most parts of the world for good reason (it simplifies things). And provided you do not set it up deliberatly to commit fraud is still a quite sensible method of operating an organisation for many reasons. An obvious one is in larger organisations is to maintain seperate trading groups for different markets and alow those to be easily divested when an organisations trading focus changes.
As you note Enron etc used it, if memory serves correctly it was originaly as an ordinary method of trading in different markets. However in the case of Enron they augmented the system mainly to hide losses to manipulate their shareprice, not specificaly as a tax avoidence system. Possibly their original intention was not to be "criminals" just to even out market variation, or perhaps they had to much faith in their own abilities to avoid the consiquences of their actions. However whatever their original intent they did not set the "shells" up correctly if tax fraud was their original objective.
As I noted in my previous post, due to the complexity of the taxation system in most countries, it is not possible to say "we are doing everything correctly". Just that "we think we are", which means that you should sensibly limit your liability. For instance different companies within the organisation using different and unrelated accountants, providing the interfaces are correctly operated it is unlikley that different parts of the organisation will commit identical "accidental" transgretions.
Further there is an element of "twixt the devil and the deep blue sea" in that a lot countries have "company law" that requires the officers to withhold as much from the revenue service as is (legaly) possible as a primary duty to the share holders.
In a world where "reaching for your legal representative" is increasingly being used as a method of business, an appropriate organisational structure will reduce liability.
Further with Hi-tec companies based on primary invention and inovation the IP is often the primary asset. Also the organisational models are moving away from traditional "owned plant and property" to leased, rented or "outsourced". Thus making the organisation small and agile and as such not even based in any one place. This almost mandates the use of multiple limited liability companies to actually simplify the taxation burden on the organisation. For instance I am aware of a manufacturing organisation that has a company in the far east, in reality only the firm of accountants and the registered office is there. The actuall work is done from the other side of the world. Why simplification.
As I noted the way you set up such an organisation depends on your morals. If you care to put your mind to it you will come up with an organisational structure using appropriate methods to virtualy compleatly eliminate your tax burden without breaking the law. Further it will also protect IP and limit liability from civil action as well.
As an obvious starting point look at how some venture capital organisations work and how little they pay in tax.
Software to facilitate and legally exploit tax laws and income generation.
Tax fraud, with its forever guilty backwards in time, is STUPID as sitting on a timebomb with a large metal rod in a lighting storm. You just can not feel safe.
You just know that tax and money games are being structured like computer code, those who know who, what, why, when changes are made, rule the system.
Understandably Anon has made some interesting points for some who may know exceptionally little about business and tax laws.
Computers are just to insecure and problematic to be a frontal tool for fraud. Eventually you will get it, and it is easy for the storage data to be framed against you. Seems like trying to get rich at a casino, not going to happen, ever. Only the insiders win to convince the suckers of a dream.
I mentioned in my posts to this page above that it might be difficult for an organisation to be sure it is fully compliant with tax law and the requirments for company law with regard to taxation.
Some may think "yeah right it ain't that bad".
Well just released in the U.K. Is Tolley's guide to tax in the U.K. (This is a guide not an indepth nuts bolts bells and whistles document). Well it consists of a number of small print volumes on thin paper that on the bookshelf take up some 5 feet of space.
Speaking to somebody in the organisation that actually publishes it I was told that they needed to reduce the point size and margins otherwise it would have been atleast a couple of feet more on the book shelf, due to it almost doubeling in size over the past few years...
Now I don't know about you folks but I think if I start now as a full time task I might just have read half of it by the time of the next U.K. buget when a whole load of it will change...
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.