share
SkepticsHas a programmer ever embezzled money by shaving fractions of a cent from many bank transactions?
[+56] [2] Bart Silverstrim
[2013-02-06 20:10:34]
[ computers criminology programming ]
[ https://skeptics.stackexchange.com/questions/14925/has-a-programmer-ever-embezzled-money-by-shaving-fractions-of-a-cent-from-many-b ]

There's a popular story that describes a programmer having altered a program at a bank so it diverted fractions of a cent from every transaction to another account (or some variation like multiple accounts) so he could collect it later.

The story has been so popular that variations have been referenced in a Superman movie [1] and Office Space [2].

Was this based on an actual story, or is it simply a myth? If it did happen, what happened to the programmer?

(4) Difficult to get a real proof, because no Bank will ever recognize that kind of internal fraud. - Dr. belisarius
(2) I live in a "Banker's Town" and, as such, I have numerous friends who work in the industry. I recall having a conversation with a friend about 4-5 years ago on this "exploit". What I recall is that once this was discovered by the banks, the banks wised up. Banks now do this on their own. This may seem like banker fraud. But, the difference is they take all values, positive and negative. This keeps the account value at a running average of 0, but the movement is traceable. - RLH
(6) This is called salami slicing - Sam I Am
I read the story about a banking employee that embezzled around US $2 million on the East Coast of America. The story appeared in an old edition of Readers Digest in Australia, so it was at least 20 years ago. The man was caught and later went on to work for the good guys in the field of security. You may be able to find the original article through Reader's Digest in America. Good luck! - user23412
Coinbase does this whenever anyone buys bitcoins from them. Say you buy $100 in bitcoin. If you do the math, they are actually sending something like $99.995 dollars worth of bitcoin, which rounds up to 100 dollars, but is definitely not exact. A half penny per thousands of transactions every day adds up fast. Worse though, they don't list the price per coin in the downloadable transaction history. Virtually everything else to do with the transaction is shown. They don't want users to know about this. - Julian
(1) What definitively is a very common attack in retail is to collect bonus points that are not claimed by customers. Like cashiers that will just scan their own bonus card every time a customer hasn't got a card of their own. Definitively illegal and at least with digital systems usually easily traceable. But depending on the amounts this can go on for years without being noticed. I used to work in a team programming cash boxes if we would have wanted to commit fraud we could have done something like this on a bigger scale: secret bonus cards in the code that would have been scanned randomly. - Gellweiler
[+46] [2013-02-07 05:13:57] KutuluMike [ACCEPTED]

There is a significant amount of anecdotal evidence that supports the claim that, not only did this happen once, but that it happens rather frequently. Unfortunately, most of these claims appear to come from members of the security industry, which may have a vested interest in convincing people that this type of activity is taking place.

The type of theft you're talking about is called salami slicing [1]. There have been a number of papers published on this attack by security researchers (not peer reviewed, mind you), such as this one [2] and this one [3]. This second paper repeats a variation of what is probably the most famous claim: a former bank employee in Canada who stole $70,000 using this type of attack. Unfortunately, the papers are lacking in details, and the references don't match the contents.

The most often quoted (and not cited) source for these claims seems to be this Network World article [4], which recites a list of supposed convictions based on salami-slicing techniques. Again, it's lacking in details, though it does give dates and jurisdictions for several purported cases of salami slicing.

Overall, my intuition tells me that micro-theft of this sort has certainly occurred at some point in the past. It's really nothing more than a modernized version of clipping coins, which certainly happened on a regular basis. However, I cannot find any evidence of any single, famous, and verifiable case of salami slicing that matches the circumstances usually supplied in the anecdotes you mentioned.

On a related note, there's much better evidence regarding similar kinds of salami attacks, just not ones involving bank employees. For example, this Wired article [5] describes a man who allegedly defrauded E*Trade using a variation of a salami attack (related to how the brokerage firm verified that it could deposit money into your account), including links to a Dept. of Justice affidavit describing the attack. There was also a case in Florida [6] of a rental car firm overcharging customer for tiny amounts of gasoline on returns.

[1] http://en.wikipedia.org/wiki/Salami_slicing
[2] http://www.all.net/CID/Attack/papers/Salami.html
[3] http://all.net/CID/Attack/papers/Salami2.html
[4] https://web.archive.org/web/20080226121616/http://www.networkworld.com/newsletters/sec/2002/01467137.html
[5] http://www.wired.com/threatlevel/2008/05/man-allegedly-b/
[6] http://www.nytimes.com/1993/01/10/us/car-rental-company-s-ex-owners-charged-with-cheating-customers.html

The key reason this hasn't happened at a bank, at least in recent times, is the extensive series of checks carried out. If any totals fail to match, an investigation is triggered - doesn't matter how big the discrepancy is - there should be none, so a difference means either an accidental or deliberate problem that needs to be fixed. - Rory Alsop
(7) @RoryAlsop unless they use floating point ;-) - gerrit
(6) @gerrit Mostly they used fixed-point decimal values since they are more accurate when doing calculations in base-10; we typically do the math out to ~8 decimal places then round to 4 (a SQL MONEY type, for example). - KutuluMike
(1) @gerrit - Or if they are using a Pentium processor. - rjzii
(3) @gerrit: as long as the money is "moved" in each transaction (I know financial systems do this but I don't the exact name), using float point calculation is fine. By "moving" I mean decrease certain amount from one account and increase exactly the same amount on the another account. A example would be calculation can come up with an interest of $0.55555... but it will be rounded to either $0.55 or $0.56. In either cases, one account will be credited while the other account will be debited at the same amount. You never get one extra cent from such a transaction. - Codism
(16) @Codism I'm afraid that's not true. You're wrongly assuming that it's always possible to, given an amount, add exactly this amount to a particular balance, or subtract it. When X and Y are valid floats, X+Y often isn't representable and you end up with X+Y±ε, probably with different ε at debited and credited account. Floats + money = no. - Kos
@Kos: In my example, a float number is rounded to a fixed-point number before it's added or subtracted. If a float number (before rounded) is used to credit or debit an account, the double-entry bookkeeping system will detect the bug before anyone can use it. - Codism
(2) "It's really nothing more than a modernized version of clipping coins, which certainly happened on a regular basis." Doing something with fractions of a cent in a computer system seems plausible, but transferring it to your own personal account without getting caught doesn't seem trivial. Also, I'm skeptical that banking systems use floating point math. That's why things like docs.python.org/2/library/decimal.html exist - endolith
(2) @endolith Most bank systems are around for a long time now, and, since they are super-critical, are rarely updated. They are a few of the worst softwares in the world in terms of maintenance. I speak from my experience - don't assume that banking software is rational to any extent. They were first created when the software industry was just blooming, and several banks still use those original systems! My bank provider, for example, must run it's software inside DosBox because newer OSs can't run it properly. - T. Sar
@T.Sar but that's even more of a reason to suspect that floating points aren't used, as early on almost all calculations were done in fixed point. - Cubic
@Cubic even today most financial calculations are done with fixed point arithmetic, using a number of digits large enough that any rounding errors don't affect the outcome in actual cents. - jwenting
(1) @jwenting I know, what I'm saying is that 'back in the day' you'd usually not do FP at all if you could help it, because there was no way to do it quickly. - Cubic
@Cubic You're assuming that banking systems were made by people like you and me - that look at good practices and think about what they're going to do and how it would impact performance. That's true for newer systems, but older ones were made by a few guys in a shack somewhere in South Carolina or by a lone sweddish that didn't drink anything non-alcoholic since he was 12. Old banking systems were made out of mud, spit and hope, not good practices. - T. Sar
1
[+9] [2013-02-07 05:05:49] Max

The Snopes entry on the "Salami Technique" calls it a "legend," which doesn't say whether it's true or false. http://www.snopes.com/business/bank/salami.asp

It references stories from the 1978 book Computer Capers, whose description says it's "incredible but true." http://www.snopes.com/sources/business/computer.htm

One story is about a "programmer working at a mail-order sales company" who was caught and fired.


2