This Article Was First Presented In June 1997 At An International Conference In Milan

Fraud using technology is not a new occurrence. Over the centuries, it has been called by many names - cheating, false accounting, confidence tricks, forgery, impersonation - all are examples of fraud in the widest sense.

Fraud is merely the deliberate creation of a false impression in order to secure a benefit which would not otherwise be gained.

The essence of an effective fraud is the formation of an imaginary set of circumstances, a mirage, so that the victim is convinced of one set of facts when another is the truth.

Fraudsters often hide their identity but it is not necessary. Often a fraudster will tell enough truth to make it difficult for him to be prosecuted. He will use ambiguity and innuendo rather than express lies, wherever possible.

There is a very common type of fraud - that of calling on an elderly person and convincing the victim that expensive work needs to be done to the house. In one variant, the work does not have to be done. In this case, the fraudster simply lies and may or may not actually do the work before collecting payment and scurrying off to his next victim.

In another variant, the work - or some part of it - can be justified. However, the fraudster emphasises a danger to passers-by or residents and recommends that the work be done urgently. He quotes - and is paid - an exorbitant amount for the work. In this case, the fraudster will often be able to avoid criminal prosecution because he has done work but merely charged too high a price for it.

This is the basis of one of the most common frauds prevalent on the Internet.

"Send us $5.00 for a report that will show you how to make $$$$", shout the junk e-mails that clog up the ‘net. Mailing programmes send out enormous numbers of mails and they log onto, send mail via, and log off from listservs. Some mailers can send millions of mails an hour. Junk mailers download the entire mailing lists of account holders with huge service providers such as AOL and mail to every one of them. In the case of AOL this is several millions world-wide. In the case of CompuServe, with about 4 million users around the globe, the fact that user IDs are based on numbers rather than on names means that simple programs can create lists of user numbers and send messages to them. Those numbers which are not in use simply reject mail.

You may say that the rejected mail would clog up the mailbox of the sender. You may think that the ease of pressing "reply", typing "bugger off" or some such into the message and sending it would mean that hundreds of thousands of messages would make the sender’s service provider grind to a halt. You would think that. And you would be wrong.

Junk-mailer programs, and the companies that operate them, have a way out of this problem. They create a single-use domain name and remove it from the server after sending the messages. So any bounced mail or mail-bombing by the recipient actually goes to an address which is, by that time, non-existent.

So, how does the criminal get his hands on the $5? In fact, he includes, deep in the body of the message - beyond the point at which he thinks the disinterested reader will abandon reading due to the threshold of boredom - a real reply address.

It is to this address the reader is invited to send his credit card details to purchase the report.

Alarm bells should ring. You have no idea who will get their hands on your card details.
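The pattern just described (a sending domain that has vanished, and a different, working address buried deep in the body) can be checked for mechanically. The sketch below is an added example, not part of the original talk; the `.example` addresses, the sample messages and the `domain_is_live` lookup are constructed assumptions standing in for real mail and a real DNS query.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Matches an e-mail address and captures its domain.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' when absent or malformed."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def body_text(msg):
    """Concatenate every text part of the message, decoded to str."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def assess(raw_message, domain_is_live, deep_after=0.5):
    """Flag mail whose sender domain is gone while a foreign address sits deep in the body.

    domain_is_live is a caller-supplied lookup (hypothetical here; in production
    it would be a DNS query). deep_after is the fraction of the body a reader
    must get through before the address appears.
    """
    msg = message_from_string(raw_message)
    sender_domains = {domain_of(msg.get(h)) for h in ("From", "Reply-To", "Return-Path")}
    sender_domains.discard("")
    body = body_text(msg)
    buried = []
    for m in ADDR_RE.finditer(body):
        depth = m.start() / len(body)
        if depth >= deep_after and m.group(1).lower() not in sender_domains:
            buried.append((m.group(0), round(depth, 2)))
    dead = sorted(d for d in sender_domains if not domain_is_live(d))
    return {
        "dead_sender_domains": dead,
        "buried_reply_addresses": buried,
        "suspicious": bool(dead) and bool(buried),
    }


# Constructed sample messages, not real traffic.
JUNK = (
    "From: Big Money <offers@one-shot-mailer.example>\n"
    "Return-Path: <bounce@one-shot-mailer.example>\n"
    "Subject: Make $$$$ from home\n"
    "\n"
    + "Thousands of people are already making money this way. " * 20
    + "\nSend your card details to orders@report-seller.example for the $5.00 report.\n"
)
NEWSLETTER = (
    "From: News <news@publisher.example>\n"
    "Subject: June issue\n"
    "\n"
    "Questions? Write to help@publisher.example at any time.\n"
    + "Body text. " * 5
)
# Constructed stand-in for DNS: the one-shot sending domain is already gone.
LIVE_DOMAINS = {"publisher.example", "report-seller.example"}

if __name__ == "__main__":
    for name, raw in (("junk", JUNK), ("newsletter", NEWSLETTER)):
        print(name, assess(raw, LIVE_DOMAINS.__contains__))
```

Bounces and angry replies go to the dead domain; the only address worth blocking or reporting is the buried one.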

A few months ago, an officer from FinCEN learned that his credit card details had been used to make several thousand dollars worth of purchases in Finland. But he had not been in Finland for over two years. Someone had kept the card details and used them that much later. In South East Asia, there is a huge trade in credit card details from hotels. Clerks are paid large (for them) amounts of money to pass on telephone printouts because businessmen charge calls to charge cards and the entire number, including the PIN, appears on the printout. These numbers can be used to run up huge international telephone bills before anyone notices because, of course, the card has never left the hands of the authorised user.

Scavengers raid the dustbins outside restaurants not for food but for the blue carbon from between old style credit card slips because the imprint of the card gives them all the information they need to use the card. A deal with a shopkeeper to pass the details for a ghost purchase and a card can be stripped of value within minutes of being presented to pay for drinks in a bar.

The Internet provides a fast way of distributing these numbers around the world so that a number of purchases can be made near simultaneously and before records hit the user’s bank. The credit card companies are aware of this problem and are trying to address it.

Coming to a conference is always a little daunting. For you. It’s not daunting for me. I know you will sit and stare and that it would take something very special to make you sit up straight, and something involving Regina and a snake to bring you to a form of animated attention.

But, wait! We can make this a little like television - like the children’s programmes where they make submarines out of washing up liquid bottles. Maybe a little more sophisticated. Maybe we can make this into a magic show. Yes, that’s it. I will teach you how to do a little magic trick so you can impress all your friends.

How many of you work in organisations that prepare their mail on notepaper stored in your computer? OK. How many create faxes in a word processing programme? Do you have a form of fax notepaper for doing this? Do you fax them from your computer?

Try this at home. You might need to practise so that your friends don’t see how to do the trick.

Prepare a letter in a word processor such as Word for Windows. It probably does not matter which program you use. Using a program such as Microsoft Fax - you got it free with Windows 95 - fax your letter to a colleague who has a fax receiver such as MS Fax or Winfax in his PC. These two are probably the market leaders in fax software under MS Windows.

When he gets it he will not get an image of the document. This is because the fax program has not converted it to an image. Instead it sends the file as an attachment. In this way, he does not get a fax as you know it - he gets an exact electronic duplicate of your document. If you had sent your company letter head with embedded graphics, he gets the letter head and merely has to change the contents to anything he pleases.

If you work in a bank, law firm or other business where your letterhead has any value in corrupt use, you are leaving un-audited stocks of letterhead all over the world when you send out computer generated letterheads in this way. I know one Insurance company which has completely done away with pre-printed letter head and computer generates it all. That company prints all its letters and sends faxes from an old fashioned fax machine.

Remember, sending a letter on computer generated letterhead via e-mail will also give the addressee a full electronic original of your letterhead. This will even include scanned and printed signatures.
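An outbound gateway can test for exactly this: whether what leaves the building is a rendered image or an editable original of the letterhead. The check below is an added example, not part of the original talk; the addresses, file names and stub payloads are constructed, and the policy of releasing only rendered images is an assumption. It inspects the leading bytes of each attachment rather than trusting the type the sending software declares.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading bytes of formats the recipient can open and edit.
EDITABLE = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 document (legacy Word/Excel)",
    b"PK\x03\x04": "ZIP container (OOXML/ODF document)",
    b"{\\rtf": "RTF document",
}
# Leading bytes of rendered page images, which is what a fax machine would send.
IMAGE = {
    b"II*\x00": "TIFF image",
    b"MM\x00*": "TIFF image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
}


def sniff(data):
    """Classify attachment bytes by their leading signature."""
    for table, kind in ((EDITABLE, "editable"), (IMAGE, "image")):
        for magic, label in table.items():
            if data.startswith(magic):
                return kind, label
    return "unknown", "unrecognised format"


def review_outbound(raw_bytes):
    """Release a message only if every attachment is a rendered image."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        kind, label = sniff(part.get_payload(decode=True) or b"")
        findings.append({
            "filename": part.get_filename(),
            "declared": part.get_content_type(),  # what the sender claims
            "kind": kind,                          # what the bytes say
            "format": label,
        })
    hold = any(f["kind"] != "image" for f in findings)
    return {"attachments": findings, "release": not hold}


def build_message(payload, maintype, subtype, filename):
    """Build a constructed outbound message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "partner@lawfirm.example"
    msg["To"] = "client@recipient.example"
    msg["Subject"] = "Fax: engagement letter"
    msg.set_content("Cover page generated by the fax software.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed stubs: only the leading signature bytes are real, the rest is padding.
WORD_STUB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
TIFF_STUB = b"II*\x00" + b"\x00" * 64

# The word-processor file goes out labelled as a fax image.
WORD_AS_FAX = build_message(WORD_STUB, "image", "tiff", "letter.tif")
RENDERED_FAX = build_message(TIFF_STUB, "image", "tiff", "letter.tif")

if __name__ == "__main__":
    print(review_outbound(WORD_AS_FAX))
    print(review_outbound(RENDERED_FAX))
```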

Security measures are useless in this scenario. Last week at a Law Office technology exhibition in London, I saw a new product designed to overcome the fax problem. It was a proprietary fax program with a security system built in. The posters on the stand suggested that their product might have prevented the collapse of Barings Bank or the Sumitomo copper scandal. The system allows any user on the network to add outgoing faxes to a queue but only those with specific authority to release them can actually transmit the fax. An image of the file is burned into a Write Once, Read Many drive and cannot be altered after transmission. So far so good. But I asked two questions - how much? £3000 for first telephone line plus additional fees for each extra line. "If you prepare a fax in Word and fax it to a PC rather than a traditional fax machine, does it send an image or send the document as an attachment to the cover page it generates?"

The company representative smiled as if genuinely impressed and proclaimed that the program sends the document as an attachment. Oh dear. Once it is outside the system as an attachment, it is fully editable and there is no control over what the notepaper is used for. That seems like a good way to spend £3000. (9m Lire)

You might think that both e-mail and fax can be encrypted so this is all OK. Yes they can, no it’s not OK. Remember that for the addressee to read the document he has to un-encrypt it and his PC therefore has an entirely insecure copy of your letter head. Can you say, honestly, that you are entirely satisfied with the security arrangements of every single person you send an e-mail or fax to? What if his laptop is stolen? Not only the commercial information goes missing but a criminal now has the ability to print your letterheads at will.

There are some facilities to make documents un-editable but it is not considered that these are un-crackable by a determined criminal.

If someone stole a box of your notepaper from your offices, you might issue warnings in the professional journals or newspapers. But you have no idea who already has your notepaper - complete with graphics and signatures.

The Internet is not going to lead to new frauds. It is merely a facilitator, in the same way as faxes, letters and false moustaches have been facilitators. The difference is that the Internet greatly increases the scale of the fraud.

In the past, a fraudster was hampered by logistical issues: he would be able to send out maybe 100 letters a day asking people to send him money. At hundreds of thousands of e-mails every hour, the Internet provides a new way of sending direct mail. And of course, the cost per e-mail is a tiny fraction of the cost of using paper, envelope and stamps.

But the Internet can also be used to facilitate money laundering.

First a simple definition of money laundering: it is the process by which a criminal converts proceeds of crime into apparently legitimate wealth.

At some stage or other, all money ends up in the banking system. The criminal aims to get it into the banking system as soon as possible after the offence because it is concealed amongst all the other money already there. At this stage, the criminal is quite likely not to want the money in his own name. It may be in the name of an associate. It may be in the name of a company whose letterhead has been modified to give a false address.

But it is just as likely to be in the name of a company under his control. An ideal type of company is an IBC, an international business corporation with, in essence, no accountability and anonymous ownership. Now, where in the world can I get an IBC?

Easy, I can buy one over the Internet. I can even set up a bank account over the ‘net. In fact, with one offshore "institution", for a price of US$10 000 I can set up an IBC with its own bank account. The "institution" says that the banking regulation on its rock requires that the bank identifies its customers but that it is satisfied that its customers are identified by reason of being a local IBC. There is strict confidentiality about who is behind the IBC and banking secrecy is a major selling point of that rock’s offshore status.

The Internet is creating a borderless shopping complex and is open for international trading in shares, giving individuals access to brokers operating in stock exchanges all over the world. It also gives access to other trading markets in all sorts of commodities and other financial services products. As a result, from a desktop in this hall, we could access trading in a variety of types of financial markets twenty four hours a day in a range of countries including some with little or no financial regulation.

This provides the facility for criminals to pass money via brokers and for proceeds of the trades to be passed from the brokers’ bank to a bank account nominated by the criminal.

Money is, in simple terms, a non-existent commodity. It is given value only because two people agree to accept it as a medium of exchange and set a benchmark value for it. So, if you know that a chocolate bar costs one quarter of the price of a cup of coffee and a medium size family car costs the same as 9000 cups of coffee, then you can gauge the value of other goods and services against that knowledge of those prices. So a chocolate bar costing the same as three cups of coffee would seem expensive. If you could get a car for the price of 3000 cups of coffee then either the car is very cheap or you are buying coffee in Switzerland!

So it follows that the denomination of money is unimportant. It can be one of any number of types of dollar, one of several types of pounds, francs or any other currency. In fact, depending on the jurisdiction, it need not be currency at all - it can be cars, cigarettes, shares, drugs, guns and explosives. It need not even have physical form: it can be information or even merely the word of a dealer.

Once we get away from the concept of money being something you put in your wallet, we can begin to realise how the communication is the central issue upon which we must all focus.

You may not realise it but all US Dollar transactions in fact clear through the US, through Manhattan, in fact. Every time you write out a cheque in US Dollars, even on a bank outside the US, the money represented by that cheque passes through New York during the clearing process. It is this momentary presence in Manhattan which has allowed the US Courts to claim jurisdiction over all transactions made in US Dollars. And this is how they are beginning to bring under their jurisdiction all manner of offshore centres - and even financial centres which are offshore USA but not offshore in the usual sense of the word: in this sense, offshore includes London, Frankfurt, Hong Kong - indeed everywhere which is not in the USA.

Increasingly, therefore, US Dollars are going to be questioned more by banks who don’t want to find that their assets are frozen in the US as a result of an investigation there. This is not a nightmare - it is a reality. The US Authorities are quite prepared to require the presence in New York of any person they think is a suitable candidate to give them information and to apply to the Court for an order freezing all assets in the Jurisdiction if there is a lack of co-operation. In February 1997, they secured a conviction against a money laundering family who had laundered Dollars but never conducted any transactions in the USA.

So, Where Does The Internet Fit Into All Of This?

Any method of making transfers of money which are not accountable is going to be attractive to the criminal. If he can in some way set up a parallel banking system which will allow him to move money around and gain access to it, that will be attractive to him. And, the availability of offshore, relatively unpoliced accounts in less well regulated currencies will appeal to him. He can access his bank account from anywhere using Web technology. He can instruct his bank from anywhere using web technology and e-mail. He can spend his money anywhere in one of several ways.

The old ways are the best - it is entirely immaterial what currency his money is held in so long as he can spend it - and the easiest way of spending money in a currency you don’t hold is to use a credit or debit card. So, an offshore bank account in any currency he chooses is acceptable. For example - Visa operates the clearing system for both debit cards and credit cards. And allows cash withdrawals at any compatible ATM world-wide. I have used my debit card at a tiny hole in the wall at the top of a mountain, miles from any major town - or even decent size village. It worked perfectly, debiting sterling against my UK bank account and giving me lire.

As a result, criminals are able to use their IBC to make trades, to deposit currency in offshore banks by making funds transfers and then spend the money on consumables which can be bought with plastic or cash. And no one will ever pay any attention to the name of the issuing institution so long as the card carries, say, the Visa logo and clears when it is passed through a machine. There is no need to check the signature, no need to check the identity of the person holding the card.

Using the Internet for credit and debit card purchases, there is a ready facility to make payments of hundreds or the equivalent of thousands of dollars using a gold card, for example. So long as the receiver can accept payment by credit card, funds can be transferred across borders with little or no chance of being stopped. If both of the parties were handling the transfers through offshore accounts denominated in, say, Baht, there would be little or no chance of the movement being spotted.

The growth of Internet banking is where there is the greatest opportunity for laundering - even though the banks are trying to prevent it, it is inevitable that criminals will find a way to defeat the checks. Where there are any.

Internet banking is a good business to be in. Overheads are minimal - a large web site costs a few dollars a month to host and provides a front door through which anyone from anywhere in the world can walk in. Compare the cost of that to maintaining a presence on the high street of every town and in the main thoroughfare of every suburb of every large city world-wide. Think of the savings in front office staff. Back office staff are of course going to be needed in similar number. But the software to run the Internet Bank is not dissimilar to that most banks already operate for telephone banking and, if they were honest, branches are becoming little more than shopfronts to sell to customers other services - the business of retail banking done face to face over a counter is, mainly, window dressing and is redundant from the operational perspective. But there is a recognition that, for the present at least, customers are real people and like to hand over their cash and cheques to a real person.

From the customer’s point of view, on line banking (the Internet is, in reality, merely a messaging system in this context) is more convenient and cheaper than personal banking (except for making deposits).

So, provided a way can be found to transfer money into the account without the need for personal attendance or entrusting cheques to the vagaries of the post, Internet banking is attractive to operators of even small accounts.

So, how is money passed into an Internet bank account?

In exactly the same way as paying into any offshore account. The person making the deposit can make it at any bank which is a member of the clearing system. So long as there is a valid sort code and account number, although charges will be incurred, it is possible to make this payment.

Then, as with any on line banking system, the money in the account can be paid out or transferred by the account holder.

This system is open to abuse in several ways - one of which is that the Internet bank need not be in any place which has any reasonable form of financial regulation. In fact, it may be in a place which specifically promotes itself as being free from regulation, operates anonymous accounts (which are in fact accounts held in false names) and which does not ask questions about the source of large deposits.

Where in the world could we find these things? Try Pakistan and Burma before looking at any of the little rocks in glittering seas which are the more typical bases of offshore banks.

Money laundering is here to stay. The UN has said that it estimates that there is a true billion (that is one million million) (the US has debased the term by inaccurately terming one thousand million a "billion") dollars of dirty money flowing through the world’s financial system every year - and that figure relates only to the proceeds of organised crime. There are all the other crimes - child prostitution, robberies, burglaries of houses, opportunistic theft and embezzlement from employers.

The UN Figure may be wrong. It may be far too small.

It is obvious, then, that all forms of banking will be open to abuse.

But Internet banks will have to give great priority to addressing problems such as identification of their customers and to suspicious transaction reporting.

If they do not, they will find that the traditional banking sector will, for reasons of their own protection, freeze out the newcomers. It is no doubt partly for this reason that the only currently effective Internet banking system, DigiCash, has chosen the partnership route. It set up its on-line bank using a made up currency and ran trials for eighteen months. It then formed an association with the Mark Twain Bank (apparently it is a real bank in the USA) and it can be used over the Internet. It has now formed a development project with Deutsche Bank giving the project some considerable credibility.

One development in on line banking is that offered by the Finnish bank, Merita. Their "SOLO" project - which claims over 3m users - is a clever way of producing an integrated ordering and self-billing system for purchasers of goods from its business customers. For example, a bookshop can open an account with Merita. The shop maintains its website with its normal stocklist. An order form (made up of a tick list) is prepared by the customer and when it is approved, a hotlink jumps from the bookshop’s page to Merita’s SOLO system and the invoice is prepared, a series of customer confirmations follows and the invoice is despatched by SOLO by e-mail, the bookshop gets a confirmation and sends out the book. SOLO debits the customer’s account and credits the bookshop’s. The ordering and confirmations are under the control of the customer, so providing, in effect, a one time direct debit. Or an automated cheque.

Incidentally, automated cheques are now available in the USA. A software program has been launched which allows a customer to tell his supplier his bank details and for the supplier to print out a cheque which - despite having no signature - is acceptable to banks. I look forward to that product being available in conjunction with the Nigerian Scam.

The reason the Internet is used by Merita is that it permits local call access by users to the Bank’s headquarters in Finland. The banking system is basically an on line system but the Internet, using the World Wide Web, provides easy and inexpensive access.

But once any account is opened, in any bank, the question will arise as to how best to monitor the account for unusual activity which might indicate that the customer is involved in money laundering and as a result trigger the need to make a suspicion based report.

It is the question of suspicion which will be the over-riding problem, in terms of money laundering compliance and banking regulation for the entire offshore banking and investment industry over the coming years. Failure to properly deal with this issue will lead to increasing pressure on offshore centres. Already both major political parties in the UK are lining up against offshore centres and are expected to make greater regulation of them a manifesto pledge for the coming general election. Already enforcement agencies from many developed countries are calling for the abolition of the offshore industry. Of course, it won’t happen. It will simply be driven to ever more shady places where corruption and crime are more rampant. Criminals already own banks.

And, in a final comment on Internet banking, it is this single point that I want to emphasise. Internet Banks set up on rocks around the world and in other unregulated centres will be created by criminals. The low cost of start-up and the simple maintenance will make the entire scheme attractive - not least because the criminals will be able to conceal their own money amongst that of legitimate customers in the banks they own. This already happens - using low tech banking - in several jurisdictions, notably Russia and other parts of the FSU and the former Eastern Europe. These banks secure a degree of credibility by the simple expedient of joining the SWIFT system of money transfer. Of course, if you deposit your money in a bank set up by criminals, you should expect to lose it. If you don’t believe me, remember BCCI.

Pure Internet banks should be viewed as a cause for concern. Customers should at present consider their use only when they are, in essence, an online service provided by a bank with an existing good reputation.

And now away from Internet banking, the simplest way that the Internet can be used as a facilitator for money laundering. To understand this, you need to know about a parallel banking system called Hawalla. Hawalla is a system of money transfer which is common across the Indian Subcontinent and among expatriates. It’s simple - a person, A, wishing to transfer money to another, B, goes to a Hawalla dealer and asks him the price of a transfer. Typically, this will be about 5%. A hands to his Hawalla dealer the amount to be transferred plus the fee. The Hawalla dealer contacts his associate near B’s home and arranges for him to pay B. A tells B where his local dealer is. The money does not move from A’s dealer to B’s dealer. B’s dealer pays B on the word - the honour or Hawalla - that A’s dealer will at some time in the future settle up with him. The Internet is a quick, reasonably secure, method of sending the messages upon which the system relies.

Hawalla is a long established and honourable method of money transfer, often used to repatriate money from children sent to the city or overseas to support their families. It is also used to transfer money for drugs and arms deals. The Internet can be used to give instant response to transfers of sums of money both within a country and internationally.

Mondex is a system of electronic cash. In November 1996, MasterCard took a 51% share of Mondex. There are two types of Mondex card: attributable and non-attributable. Attributable cards are used to debit sums against a specified account. These are loaded onto a rechargeable card. Non-attributable cards cannot debit or credit bank accounts but can accept transfers from other cards. Transfers can be made via computer link (including Internet) and telephone as well as by putting both cards into a special wallet which moves specified sums from one card to the other. There is limited accounting in that the cards hold details of the last few transactions - but where the transaction involved a non-attributable card, the record shows "Private".

As with actual cash, Mondex transfers are therefore totally anonymous. No data on transfers is held at the bank. Money can be held on cards or PCs and transferred so long as both parties have Mondex cards. The cards are issued by the participating banks - and so far Mondex has built up by far the most impressive list of associate institutions: NatWest and Midland Bank PLC (UK); The Hongkong and Shanghai Banking Corporation Limited (Hong Kong and 12 further Asia/Pacific territories); Canadian Imperial Bank of Commerce and Royal Bank of Canada (Canada); Australia and New Zealand Banking Group Limited, Commonwealth Bank of Australia, National Australia Bank Limited and Westpac Banking Corporation (Australia); ANZ Banking Group (New Zealand) Limited, Bank of New Zealand, Countrywide Banking Corporation Limited, the National Bank of New Zealand Limited, ASB Bank Limited and Westpac Banking Corporation (New Zealand); Wells Fargo Bank and AT&T, through a wholly owned subsidiary of AT&T Universal Card Services (USA). The Australia and New Zealand bloc is especially impressive as all the major banks in both countries have agreed on a joint trial operating across the region.

The only downside to all of this is that there will be a system of subsidiary licensing - each of the master franchise holders is expected to appoint sub-franchisees who will in turn appoint lesser institutions. Control of card issue will be in the hands of the banks holding customer accounts. When criminals own or control these lesser banks, where will this leave the security measures built into the system? What will there be to prevent cards with unlimited capacity being used?

Funds can be transferred from card to PC, from Card to card, from PC to PC all via the Internet. If there were to be no limit to how much can be stored on PC, huge transfers could be sent. The money never enters the banking system until someone decides to spend some of it. Such a system allows criminals to maintain a complete banking system, of their own, operating outside all jurisdictional concerns and outside the reach of enforcement agencies. DigiCash allocates serial numbers to its electronic coins but these are subject to audit only when the coins are transferred to a bank.

The technology to make an exact copy of the hard disk of a computer costs £7000. Thus electronic money stored on a PC can, in principle, be endlessly replicated.

And transferred anywhere world-wide by Internet transfer. Using encryption, the data will be safe from the prying eyes of enforcement agencies and, anyway, in order to identify the messages, the authorities will need to know where the terminals are in order to tap the lines - or rely on random checking of the billions (real billions!) of e-mail messages sent by Internet users. To do this, they need to identify the calling points. This is not easy.
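The two points above, that coin serial numbers are audited only on transfer to a bank and that stored electronic money can be copied bit for bit, combine into one gap, which the following model makes concrete. It is an added example, not part of the original talk and not DigiCash's or Mondex's code; an HMAC tag stands in for whatever mark the issuer puts on a coin, and the payee names are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Coin:
    serial: str
    value: int
    tag: str  # issuer's authentication tag over serial and value (HMAC stand-in)


class IssuingBank:
    """Bank side only: it sees a coin when issuing it and again when it is deposited."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # constructed issuer key
        self.issued_value = 0
        self._deposited = {}  # serial -> first depositor

    def _tag(self, serial, value):
        msg = f"{serial}:{value}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, value):
        serial = secrets.token_hex(16)
        self.issued_value += value
        return Coin(serial, value, self._tag(serial, value))

    def serials_seen(self):
        return len(self._deposited)

    def deposit(self, coin, depositor):
        # Check 1: the coin must carry this bank's tag for this serial and value.
        if not hmac.compare_digest(coin.tag, self._tag(coin.serial, coin.value)):
            return "rejected: not issued by this bank"
        # Check 2: the serial-number audit, which can only run at deposit time.
        if coin.serial in self._deposited:
            return f"rejected: serial already deposited by {self._deposited[coin.serial]}"
        self._deposited[coin.serial] = depositor
        return "accepted"


def simulate(copies=3):
    """One issued coin, duplicated by disk copy and held by several payees off-line."""
    bank = IssuingBank()
    original = bank.issue(100)
    # A bit-for-bit copy of the stored coin is indistinguishable from the original.
    held = {
        f"payee-{i}": Coin(original.serial, original.value, original.tag)
        for i in range(1, copies + 1)
    }
    claimed = sum(c.value for c in held.values())
    seen_before = bank.serials_seen()  # nothing has reached the bank yet
    deposits = {name: bank.deposit(coin, name) for name, coin in held.items()}
    return {
        "issued_value": bank.issued_value,
        "value_claimed_offline": claimed,
        "serials_seen_before_deposit": seen_before,
        "deposits": deposits,
    }


if __name__ == "__main__":
    for key, val in simulate().items():
        print(key, val)
```

While the copies circulate from holder to holder, the bank's ledger shows nothing wrong; the duplicate is caught only when a second copy is presented for deposit, and the loss falls on whoever presents it.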

Criminals are already using laptop computers plugged into GSM mobile phones. But they are not using their own phones - they are cloning those of other users and making calls between two points which are not traceable by any normal means. And because the phones are cloned, they give all the appearances of legitimate use and the frequencies are not being monitored by the authorities.

As usual, it seems, whether the enforcement agencies can catch the criminals is more a matter of luck than skill.

Nothing in this article shall be taken as advice in any particular set of circumstances. All persons are cautioned to take advice on any circumstances which give rise to any cause for concern.