Monday, Feb. 08, 1982

Crackdown on Computer Capers

By Charles Alexander

Companies scramble to safeguard their electronic brains

For American businessmen, the computer has become both an indispensable tool and a constant source of trepidation. Wherever they turn, executives are warned how vulnerable their computer systems are to embezzlements or thefts of trade secrets. In an episode of the new TV series Simon & Simon, a 14-year-old boy connects his home computer to a telephone line, taps into the computer at his neighborhood bank and regularly transfers money into his personal account. In the current film Rollover, a New York banker pilfers secret information from the computer system of a rival bank. In scripts and on screens, a popular new mythology is fast growing up in which computer criminals are the Butch Cassidys of the electronic age.

These fictional tales of computer capers are far from being futuristic fantasies. They were inspired by scores of real-life cases. The Wells Fargo Bank discovered a year ago that an employee had used its computers to embezzle $21.3 million, the largest U.S. electronic bank fraud on record. Since then, stories of smaller swindles have surfaced with disturbing regularity. Seven workers at a state welfare office in Miami were convicted last year of stealing at least $300,000 worth of food stamps by falsifying data fed into the agency's computers. Two former employees of the Central Fidelity Bank in Lynchburg, Va., were convicted in December for obtaining a computer printout of that institution's securities customers and taking it to their new employer, the First National Exchange Bank in Roanoke. A clerk at the People's Savings Bank in Bridgeport, Conn., was arrested three weeks ago for filching $37,487. She allegedly used the bank's computer to credit the money to three of her own accounts.

What most alarms businessmen is that the prevalence of computer crime is unknown and probably unknowable. The U.S. Chamber of Commerce puts the annual loss from electronic theft at $100 million. But computer-crime specialists say that the true figure could be considerably higher. Much chicanery goes undetected, and even when culprits are caught, the victimized company often tries to hush up the scandal and absorb its losses rather than admit to having poor computer security. Says Charles Lecht, president of Advanced Computer Techniques Corp., which distributes computer equipment: "The crime you see is a fraction of what's going on." According to banking sources, a Washington, D.C., bank has yet to report publicly a huge fraud that occurred two months ago. One of its tellers transferred electronically $1.5 million to an account at a Swiss bank.

The FBI has geared up to meet the computer-security challenge. Nearly 500 of its agents have taken courses in electronic crime detection. Congress, however, has been slower to respond. Representative Bill Nelson of Florida introduced a bill last summer that would make computer tampering a federal crime, punishable by fines and imprisonment of up to five years, but the legislation has languished in committee as the lawmakers have concentrated on economic issues.

Computer manufacturers are now jumping to the defense of their machines. Computers do not commit crime, they say; people do. A recent IBM advertisement depicts a computer terminal in a police station lineup of suspects. The headline: THE COMPUTER DIDN'T DO IT. The ad argues that with proper precautions against human misuse, computers are safe places to keep information.

In addition, a whole new industry is springing up to help corporations protect the information stored inside computers. Hundreds of companies now sell advice on security, peddle gadgets that act as electronic watchdogs and even offer detectives who, like computer-wise Sam Spades, track down evidence of wrongdoing. An estimated $200 million was spent for safeguards last year, and the market is expected to grow by $100 million this year. The Security Pacific National Bank in Los Angeles, which suffered a $10 million electronic fraud in 1978, will this year use some 60 people and spend $1.5 million to protect its computers. Diamond Shamrock Corp., a Dallas-based oil, mineral and chemical producer, is investing almost $500,000 to overhaul its computer-security plan.

Perhaps the most common protective devices are special programs, or software, used to restrict access to the computer. In most systems, a computer user must type the proper password on the keyboard before the machine will answer his commands. But some passwords are changed so seldom that they become well known to employees not authorized to use the computer. Another problem is that a single password sometimes allows a staffer to probe into any part of the computer's memory, even into files that he is not supposed to see. In one case at a major corporation, a low-level computer technician got into the firm's most sensitive files and pulled out the secret personnel and salary records of all the top executives. His motive: to impress his girlfriend.

Several new programs have been devised to plug these holes in computer defenses. One bestseller is called ACF2. Introduced in 1978 by SKK, a small firm outside Chicago, ACF2 allows the computer to restrict each worker to only those parts of the system for which he has authorization. Moreover, when an employee with proper clearance uses the computer for the first time, he chooses his own password and types it into the computer. He can change that password frequently, and no one else knows what it is.

Such programs are no deterrent, though, when the criminal is a trusted employee with authorization to roam through the computer system. In that situation, a company can hope to catch the culprit only after his misdeed has taken place. Several companies have developed programs that enable auditors to probe the record of transactions on a computer for any irregularities. Such a program is designed, for example, to uncover any unusually large or frequent transfers of money. A leading producer of these audit programs is Cullinane Database Systems of Westwood, Mass. Its sales grew 66% last year to $29 million, and customers include the Chase Manhattan Bank, General Electric, Burger King and the American Bible Society. Computer audit programs are selling so swiftly that the leading accounting firms are moving into the business. Peat, Marwick, Mitchell & Co., for instance, now markets its own program, called System 2190. FBI experts like Agent Paul Nolan, however, contend that so far such programs have largely failed to detect frauds by sophisticated criminals.

Though computers are most vulnerable to crimes by employees inside a company, security specialists are increasingly concerned about threats from outsiders. Modern banks and other corporations use far-flung computer systems in which the machines communicate with each other over telephone lines between cities. It is possible for interlopers armed with home computers to call telephones hooked up to business computers and then give the machines the order, for example, to transfer money into their personal bank accounts.

The best defense against this type of computer wiretapping is the use of encryption devices, machines that turn electronic messages into gibberish. The armed forces in most countries have long used such equipment to protect their secrets. A few aggressive small firms like Datotek in Dallas are having success selling encryption devices to companies. Some of Datotek's best customers are oil firms, which fear that competitors will steal the results of oilfield tests that reveal promising drilling sites. Computer-security specialists predict that the demand for electronic scramblers will soon explode. Says Donn Parker of SRI International, a California research firm: "Encryption is the control of the future. During the '80s it will become very important."

Computer-security experts readily admit that they do not offer fail-safe protection. As they toil at erecting new electronic fences around computers, astute crooks are just as busy finding ways to break them down. Research into computer security, now going on at numerous companies and universities, has become almost as supersecret as nuclear-weapons development or germ-warfare studies. Researchers at the University of California at Berkeley and at SRI International are studying a frightening flaw in the programming of many computer systems that could allow criminals who find it to get around standard security measures. For obvious reasons, the investigators refuse to disclose the nature of this chink in a computer's armor until companies have had a chance to solve the problem. Says Charles Wood, a member of SRI's computer-security research team: "It's the most serious widespread threat to computers that we've encountered."

Faced with such warnings, most businessmen realize that computer crime will be an ongoing challenge that will demand diligent attention. Admits an auditor for one of the Big Three automakers: "Maintaining computer security will be like trying to hold a sheet down in a high wind." For the companies, researchers and sleuths in the business of safeguarding computers, the 1980s will be a highly profitable decade.

--By Charles Alexander.

Reported by Michael Moritz/San Francisco and Bruce van Voorst/New York
