From: utzoo!decvax!harpo!floyd!trb
Newsgroups: net.misc
Title: eft fraud
Article-I.D.: floyd.358
Posted: Wed Jul 14 18:01:26 1982
Received: Thu Jul 15 05:16:33 1982

There's a description of a cute EFT fraud scheme on the cover of
MISWeek this week (14-July).  The basic idea is that there is a company
called SWIFT (a real company) that does electronic funds transfer over
encrypted phone lines with bizarro checksums.  The lines are
unencrypted at the bank sites, but it's not likely that a crook can
generate the coded checksums.

The scam is that a crook starts fiddling with transmitted messages by
altering a character here and there.  First a low percentage of the
messages, and over a course of days, a higher percentage.  Firms that
deal with the bank being enscammed start getting upset.  Eventually,
after our crook friend has created all this ruckus, he generates some
bogus transactions (with bad checksums) to his own account a few
minutes before closing time on Friday, the transactions go thru
(because the brass at the bank is under huge pressure), the money is
re-EFT'd far away, and the crook is home free.

The MISWeek story explains that the key is the violation of a basic
rule of the SWIFT system:

	"Do not pay the money if the message fails to authenticate."

As we all well know, it doesn't always seem to be in your best interests
to play by the rules.

The story in MISWeek is more detailed and it seems quite possible and
scary.  By the way, MISWeek is free, and not bad for the money.

	Andy Tannenbaum   Bell Labs  Whippany, NJ   (201) 386-6491
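
The rule quoted above, as an added example that is not part of the original post or the MISWeek story: settlement fails closed with no override path, and a climbing authentication-failure rate is treated as a tampering signal rather than line noise. HMAC-SHA256, the key, the message layout and all function names are assumptions made for illustration; the post does not describe SWIFT's actual authenticator.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; stands in for the shared authenticator key

def tag(body, key=KEY):
    """Authenticator over the message body (HMAC-SHA256 is an assumed stand-in)."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def authenticates(body, mac, key=KEY):
    return hmac.compare_digest(tag(body, key), mac)

def settle(batch, key=KEY):
    """Fail closed: pay only messages that authenticate; there is no override flag."""
    paid, held = [], []
    for body, mac in batch:
        (paid if authenticates(body, mac, key) else held).append(body)
    return paid, held

def failure_rates(days, key=KEY):
    """Fraction of each day's messages that failed authentication."""
    return [sum(not authenticates(b, m, key) for b, m in day) / len(day) for day in days]

def rising_tamper_alert(rates, baseline=0.01, increases=2):
    """True once the rate is above baseline and has risen `increases` days in a row."""
    streak = 0
    for prev, cur in zip(rates, rates[1:]):
        streak = streak + 1 if (cur > prev and cur > baseline) else 0
        if streak >= increases:
            return True
    return False

def make_day(day, total, altered):
    """Constructed traffic: `altered` messages have one character changed in transit."""
    out = []
    for i in range(total):
        body = f"DAY{day} MSG{i} PAY 100.00 TO ACCT-{i:04d}".encode()
        mac = tag(body)
        if i < altered:
            body = body.replace(b"100.00", b"100.01")
        out.append((body, mac))
    return out

# Constructed sample: altered share grows over four days, then a bogus Friday message.
DAYS = [make_day(d, 20, k) for d, k in enumerate([0, 1, 3, 6])]
BOGUS = (b"PAY 250000.00 TO ACCT-9999", "0" * 64)

if __name__ == "__main__":
    print(failure_rates(DAYS), rising_tamper_alert(failure_rates(DAYS)))
    print(settle(DAYS[0] + [BOGUS])[1])
```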