The AFU and Urban Legend Archive Misc payroll interest fraud Select a topic - - - - - - - - Home Searches AFU FAQ - - - - - - - - AFU Animals Books Celebrities Classic Collegiate Death Disney Drugs Food GIF Language Legal Medical Misc Movies Politics Products Religion Science Sex Songs TV - - - - - - - - Other sites

From: linden@positive.eng.sun.com (Peter van der Linden)
Newsgroups: alt.folklore.urban
Subject: Re: Floating Point and Pennies: UL?
Date: 20 Sep 1994 18:55:38 GMT

>From prb@panix.com Tue Sep 20 11:33:36 PDT 1994
> I think Hugo Cornwall's "Hackers Handbook" describes the technique
> and may cite cases. I have certainly seen it described in other books.

I was very disappointed by Cornwall's "Hacker's Handbook" and his later rip-off attempt to cash in on the wave of publicity, the "New Hacker's Handbook"

Cornwall knows very little of hacking, and apparently even less about software. He seems a little more informed about nuisance-types activities (auto-dialling an exchange looking for lines with modems, etc). His best advice comes at the end of chapter 1: "never expect any hacking anecdote to be completely truthful".

Here is what Cornwall has to say, in full, about the Salami technique:

     "The salami technique for example, consists of extracting tiny sums of
      money from a large number of bank accounts and dumping the proceeds into
      an account owned by the fraudsman.  Typically there is an algorithm
      which monitors deposits which have as their last digit '8'; it then
      deducts '1' from that and the one pound or $1 is siphoned off."

There are no references, case studies, pointers to other literature, or any evidence of actual scholarship. What Cornwall says is inept, and completely wrong on the key point!

Here are my conjectures on the salami technique.

1. I too have often heard anecdotal stories about it.
2. I have never seen factual references that could be checked giving definite information about an actual occurrence.
3. It could have happened. Companies are often secretive about fraud losses.
4. The story commonly tells of a payroll program being rigged.
5. But in fact, it makes the most sense if it is an interest-crediting program being rigged, because then your total-paid will equal the interest calculation, so there's no imbalance to tip off an auditor. There is no corresponding simple cross-checking total with a payroll program.
6. But the "credited his account" makes the most sense with a payroll program, so perhaps that's how it got into the story.
7. I have heard the story with the climax that the programmer created a fake employee with a last name beginning with "Z" to receive the extra funds. He was caught when the personnel dept selected the first and last people on the payroll to interview at random about some totally unrelated matter.
8. I'd like to hear some solid references to the salami story. In the absence of evidence, it's just that: an entertaining morality story.

Peter

--
Peter van der Linden linden@Eng.sun.com "Thank you for your letter about the insecticidal properties of our beer"

• Anheuser-Busch, Sept 1994.