For anyone who has seen Office Space, the questions that eventually come up are, “what are the chances that their money-skimming scheme could have worked?” and “could I do that?” For those who don’t know what I am talking about, the main characters in the film, faced with the prospect of being laid off and feeling vengeful, write a computer virus that implements a salami fraud scheme, with the hope of accumulating vast amounts of money over a period of years that would go undetected by anyone watching. Unfortunately for Peter, Michael and Samir, their code had a bug and they ended up siphoning off $305,326.13 in one day.
Despite the apparent absurdity of their plan, salami frauds do exist. The basic idea behind a salami slicing scheme can be found in its name. If everyone in your city had a whole salami except you, and you asked each person to provide a slice of their salami that was small enough to be considered insignificant, you would have amassed a sizable amount of salami of your own, far more significant than any single salami. In terms of this technique’s application to financial fraud, one could imagine rounding down fractions of a cent that appear from interest accruals, and collecting the leftovers for yourself, which is exactly what the three in Office Space did.
It makes sense, from a CS322 standpoint, that this would work. Because of the way our monetary system works, we have a minimum division of funds, the penny, and anything beyond that is considered insignificant. Since precision beyond a penny is pointless, any computations resulting in fractions of a cent (tax, interest, anything with a percentage) are rounded to the nearest penny. Since no one would miss 7/8 of a cent, why not force the result to always round down, accumulate all of the remainders from as many places as possible, and watch your wealth build? The appeal of such a scheme is that it is inherently resistant to detection, since any discrepancy sits below the victim’s threshold to even notice the difference.
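One control against the rounding skim described above is to recompute every posting under the documented rounding rule and look for deviations that all run against the customer. The following is an added example, not code from the original post; the rate, the balances and the `min_hits` threshold are constructed assumptions.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
RATE = Decimal("0.000137")  # constructed per-period interest rate (assumption)


def post_interest(balances, rounding):
    """Build a ledger of (balance, posted_interest) using one rounding mode."""
    return [(b, (b * RATE).quantize(CENT, rounding=rounding)) for b in balances]


def audit(ledger, min_hits=5):
    """Recompute each posting under the documented rule (round half up)
    and compare it with what was actually credited to the account."""
    short = over = 0
    shortfall = Decimal("0.00")
    for balance, posted in ledger:
        expected = (balance * RATE).quantize(CENT, rounding=ROUND_HALF_UP)
        if posted < expected:
            short += 1
            shortfall += expected - posted
        elif posted > expected:
            over += 1
    return {
        "short": short,          # postings credited below the rule
        "over": over,            # postings credited above the rule
        "shortfall": shortfall,  # total withheld from customers
        # An honest ledger never deviates from the rule. Deviations that
        # all fall on the customer's side are the signature of truncation.
        "one_sided_skim": short >= min_hits and over == 0,
    }


# Constructed sample data: 200 whole-dollar balances.
BALANCES = [Decimal(1000 + 37 * i) for i in range(200)]
honest = audit(post_interest(BALANCES, ROUND_HALF_UP))
skimmed = audit(post_interest(BALANCES, ROUND_DOWN))

if __name__ == "__main__":
    print("honest :", honest)
    print("skimmed:", skimmed)
```

No single customer in the truncated ledger loses more than one cent, yet the audit flags it because every deviation points the same way and the total shortfall is a whole number of cents that must have been credited somewhere.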
Here are some real world examples:
- Two programmers hacked their payroll software to increase federal withholdings by several cents per pay period for all employees in their company, crediting the excess values to their own accounts. The two subsequently received large refunds from the IRS the next tax year.
- In 1988, a Florida car-rental agency modified the billing algorithms by adding 5 gallons to the actual capacity of the gas tanks of all of their vehicles. When a customer returned the car with an empty tank, they were charged for the inflated total of gas. The scam lasted 5 years and defrauded at least 47,000 customers, until the agency was charged with fraud by a federal grand jury.
- Willis Robinson reprogrammed his Taco Bell drive-thru window cash register to ring up items costing $2.99 as only $0.01. He pocketed the remaining $2.98 nearly 1500 times before being caught by management.
- In 1998, four LA men were charged for installing modified gas pump computer chips that over-estimated the amount they pumped. They avoided detection from inspectors by forcing 5- and 10-gallon amounts to register correctly, the amounts typically used by inspectors. They were eventually caught when customers started commenting that they were filling their vehicles with more gas than the capacity of the tank.
- A $0.75 discrepancy between the same account on different computers led Clifford Stoll to discover that a German hacker by the name of Markus Hess was stealing national secrets from the Lawrence Berkeley National Laboratory via Tymnet routing services and selling them to the Soviet KGB.
Notice that all of the examples listed above, and most of those that I could find, ended in prosecution or detection, and that in all of them the perpetrators were siphoning off more than the minimum detectable amount. The lesson to be learned then? If you are going to implement a salami fraud scheme, do it right. Take less than a cent during each transaction, and you can go unnoticed. There is a reason nobody hears of real world salami schemes where less than a cent has been siphoned: they haven’t been caught.
“In the dead of night he’d access each depositor’s account
And from each of them he’d siphon off the teeniest amount.
And since no one ever noticed that there’d even been a crime
He stole forty million dollars — a penny at a time!”
~John Foster, ‘The Ballad of Silicon Slim’





