The title may be a misnomer. It is not meant to imply that there
are some frauds that do not disrupt any work or any lives. All frauds create
damage. In that sense they are disruptive, at least after they are discovered.
The title refers to the phrase ‘Disruptive Innovations’. This term is
used when the innovation radically changes lives or style of living.
Electricity is one such example, where we were literally brought out of darkness.
Today, disruptive innovations may not be so dramatic but they have a
significant impact. Take the example of Agro Refrigeration by solar energy. The
bargaining power of the farmer increases as his stock does not deteriorate
during the negotiation period. We are all aware that the power supply in
India is not too dependable. This is therefore an epoch-making
innovation.
Frauds are accepted to be the application of intelligence in the
wrong direction. Their inspiration also comes from constructive approaches. One
such approach is ‘Disruptive’. The ‘Disruptive’ action may be cause or effect.
All frauds disrupt the work or even the lives of companies after discovery. Therefore,
there is not much insight to be gained from discussing that. ‘Disruptive Action’ as a cause
is the subject of this article.
Call Centre Logic
The perpetrators of the fraud base their schemes on the
‘Call Centre Logic’. All of us have experienced some call centres at some time
in our lives. If you received a supportive response easily, your question was
one of the predicted ones. The operators may be trained to respond to ten or
even fifty questions from customers. The predicted answers will be ranked
according to frequency with the aim of reducing the duration of each call. Every call
centre aims at a low MPI (Minutes per incident). If you ask them any question
other than the commonly expected ones, they are stumped. As human beings they will respond either by
escalating the issue to their superiors or by assuring you of a response by email
after study. But what if this was a computer?
Computers are not human. If you ask them to do anything they
are not programmed for, they cannot respond like humans. Let us say a menu
has 8 options and you press 9. The programmer should have written logic to
display ‘error’ on the screen and keep the application at the menu level.
If this is not done then the application will just go down the menu and
activate the first lines it encounters. This is too basic today. Programmers do
not commit such errors today. But later sections of the applications need
such care too, and this is where the fraudsters gain.
Let us see a few cases starkly exploiting the aspect of
disruption.
E-Wallet payment case
A recent news report described a fraud perpetrated by engineering
students. E-wallet payments were made but the Bank ended up paying instead of
the account holder. The newspaper did not report the detailed modus operandi,
either by design or through lack of understanding. I summarize it as falling under the
category of ‘disruptive fraud’. The perpetrators disrupted the transaction at
some point after the payment was done. The application was not robust enough to
ensure recall of who the paying person was. In such a case, if half a payment transaction
is done, the Bank ends up paying.
Why did it appear only in this case and not when you are
paying via credit card or any other wallet application? The answer is
unfortunately simple. Quality Control (QC) did not do any tolerance
testing or view the application strictly from the security angle. If there is a disruption at
any point in time, the application needs to cancel the whole transaction and
not just a part of it.
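The rule "cancel the whole transaction and not just a part of it", shown as an added example that is not from the news report or any real wallet. The two-account ledger, the amounts and the function names are constructed; the real modus operandi was not published, so the sketch only assumes a payment made of two ledger updates with a disruption between them.

```python
import sqlite3

class Disrupted(Exception):
    """Simulated drop (network loss, timeout) in the middle of a payment."""

def new_ledger():
    # Constructed two-account ledger. isolation_level=None gives autocommit,
    # so a transaction exists only where BEGIN is issued explicitly.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE acct (name TEXT PRIMARY KEY,"
               " bal INTEGER NOT NULL CHECK (bal >= 0))")
    db.executemany("INSERT INTO acct VALUES (?, ?)",
                   [("payer", 500), ("merchant", 0)])
    return db

def move(db, name, delta):
    db.execute("UPDATE acct SET bal = bal + ? WHERE name = ?", (delta, name))

def pay_in_halves(db, amount, disrupt=False):
    """Fragile: each half commits on its own."""
    move(db, "merchant", amount)      # merchant is paid and committed here
    if disrupt:
        raise Disrupted()             # payer is never debited
    move(db, "payer", -amount)

def pay_atomic(db, amount, disrupt=False):
    """Robust: both halves commit together or not at all."""
    db.execute("BEGIN IMMEDIATE")
    try:
        move(db, "merchant", amount)
        if disrupt:
            raise Disrupted()
        move(db, "payer", -amount)    # CHECK rejects an overdrawn payer
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")        # cancel the whole transaction
        raise

def run(pay, amount, disrupt):
    """Attempt one payment on a fresh ledger and return the final balances."""
    db = new_ledger()
    try:
        pay(db, amount, disrupt=disrupt)
    except (Disrupted, sqlite3.IntegrityError):
        pass
    return dict(db.execute("SELECT name, bal FROM acct"))

if __name__ == "__main__":
    print(run(pay_in_halves, 200, True))
    print(run(pay_atomic, 200, True))
```

In the fragile version a disruption leaves the merchant credited while the payer keeps the full balance, so the difference has to be covered by whoever settles the ledger. The atomic version leaves both balances untouched.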
These are intentional disruptions. The perpetrators usually locate
the points of disruption by accident. Network disruptions and power outages
are some of the accidental disruptions. Sometimes applications time
out if the transaction time crosses the threshold time. The timing out can also
cause a disruption sometimes, as I have experienced. But those are
inconveniences and not frauds.
ATM disruption fraud
All of us have used an ATM by now. The operations are simple.
Insert card, remove card, enter PIN number, enter amount to be withdrawn, pick
up the cash. Just four steps. Where can the disruption take place? At any place
is the answer. But which point of disruption works will be found only by trial
and error, assuming the programmers had forgotten to install the controls. In
one case the ATM user took time to pick up the cash. After the pre-determined
time the cash was forfeited by the machine and the account holder got his
automatic credit. He then wondered what would happen if he took part of the
money. Would he get part credit? He
tried but got full credit. So daily, he withdrew the maximum permitted, left
only one low-denomination note in the ATM and slowly pulled out the rest. He still got full
credit. He had discovered the disruption point. The programmers assumed that either
the cash is taken or it is not. No-one assumed that part of the cash would be picked up. Now this
account holder was (to coin a new phrase) laughing his way from the Bank and
not to the Bank, as the old phrase goes.
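The missing control in this case, as an added example that is not taken from any real ATM software: the reversal is driven by what the machine actually counts back in, not by a "taken or not taken" flag. The `RetractEvent` model, the assumption that the machine can count retracted notes, and the denominations are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class RetractEvent:
    """Constructed model of a cash-presenter timeout, not a real ATM protocol."""
    presented: List[int]             # denominations offered to the customer
    retracted: Optional[List[int]]   # notes counted back in; None = no count

def naive_reversal(ev: RetractEvent) -> int:
    """Fragile 'taken or not taken' logic: any retract reverses the full debit."""
    return sum(ev.presented)

def reconciled_reversal(ev: RetractEvent) -> Tuple[int, bool]:
    """Return (amount to credit automatically, needs manual review)."""
    if ev.retracted is None:
        return 0, True               # nothing verified: credit nothing yet
    remaining = list(ev.presented)
    for note in ev.retracted:
        if note not in remaining:
            return 0, True           # counted a note that was never presented
        remaining.remove(note)
    if remaining:
        # Some notes left with the customer: credit only what came back.
        return sum(ev.retracted), True
    return sum(ev.presented), False  # every note returned: full reversal

if __name__ == "__main__":
    partial = RetractEvent(presented=[2000, 2000, 2000, 2000, 100],
                           retracted=[100])
    print(naive_reversal(partial), reconciled_reversal(partial))
```

For the partial pick-up described above, the naive logic credits the full 8100 while the reconciled logic credits 100 and flags the withdrawal for review.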
Prevention is the only alternative
After detection, any moron can remedy the situation. The
challenge is to forecast and prevent it. When the disruption is to be responded
to by a human being, there is some leeway. However, when a computer has to
do it, the programmer had better have planned for it. There are 2 philosophical
steps to ensure this.
Step 1: Design for 120% of the situations without
restricting to the brief of the client.
Step 2: Assume some person will want to challenge the
application for its intelligence. Make sure the application does not jump to
any routine unless it goes through the proper checks.
Based on these philosophical steps of application design, the
robustness of the application is bound to increase, minimizing disruptive frauds.