|
|
Home
| Databases
| WorldLII
| Search
| Feedback
Australian Federal Police - Platypus Journal/Magazine |
Electronic Benefit Transfer fraud: The challenge for federal law enforcement
Electronic Benefit Transfer (EBT) delivers social security benefits through a plastic card capable of use in Automatic Teller Machines (ATMs). Through the use of an EBT card, social security recipients can access their benefits in the same way they access their savings or cheque accounts.
Northern Region's 1, right, says EBT fraud poses potential challenges for Australian law enforcement authorities, and failing to meet these challenges could lead to community losses. He believes, however, that the infancy of EBT in Australia presents a unique opportunity to identify potential fraud risks.
In the following paper, Federal Agent Warton addresses issues surrounding the abuse of payments through EBT. The delivery of social security benefits through EBT is new to Australia, and as such, his paper is based on the American experience with EBT. He also outlines the investigation and prosecution of Australia's first recorded cases of EBT fraud.
Following the global acceptance of credit cards, the last decade has been witness to the introduction of debit cards allowing consumers to electronically purchase goods and services by accessing funds directly from their personal accounts.
Relevant to this paper is the advent of Electronic Funds Transfer Point Of Sale (EFTPOS), introduced to Australia in 1984 with the installation of Westpac Handycard terminals in selected retail outlets.2 Both the EBT and EFTPOS payment systems are captured under the umbrella of Electronic Funds Transfer (EFT), defined as "a process whereby messages about financial transactions are sent from one computer to another".3
According to the Australian Payments Clearing Association, the number of EFTPOS terminals in Australia has risen from 43,950 in 1994 to 218,330 in 1998. During the same period, the value of payments made by cheque have fallen from $24.8 billion to $14.6 billion per day.4 For police organisations and other agencies involved in the investigation of fraud, statistics of this kind suggest the need to rethink their long-term strategies.
Fraud associated with electronic payment systems is becoming increasingly complex and resource intensive both to investigate and prosecute. As we approach the 21st century, the ability to investigate emerging forms of technology-based crime will play a key role in the stability of our future cashless society.
It is argued that EBT fraud poses potential challenges for Australian law enforcement authorities and that a failure to address these challenges will inevitably result in losses to society. On this basis a number of general recommendations will be made with a specific view to fraud prevention.
The provision of social welfare programs is a paramount consideration for governments in developed countries. As is the case in the United States, the development of social welfare in Australia has led to the inevitable emergence of social security fraud. Since its inception, the delivery of social security benefits has been subjected to abuse by a fraudulent component of society who continuously invent new methods of exploiting old systems.
In its broadest sense, EBT is defined as "the electronic transfer of government benefits, be they in the form of funds or information, to individuals through the use of Internet-based technologies such as smart cards, automatic teller machines, and point of sale terminals".5 It is a specific application of EFT and is closest in practice to the use of debits cards in Australia.
In terms of physical appearance, EBT cards are the same dimensions as standard ATM or credit cards with a magnetic strip on one side and a unique 16 digit identification number with the letters ebt printed on the other.
Each card is issued with a four digit PIN which is handed to the recipient in a sealed envelope, similar to those used to issue PINs for standard ATM or credit cards.
The EBT concept was trialed by the US government in 1984 when its Department of Agriculture tested the viability of the system as a substitute for the delivery of paper food stamps. It is currently operable in most American States and pursuant to the American Welfare Reform Act 1996, all States will use EBT issuance by October 1, 2002.6
At present, the predominant use of EBT in the United States is to replace the paper-based food stamp and Temporary Aid to Needy Families (TANF) systems and in 1993, some 2 per cent of food stamps were nationally delivered through EBT. In 1997, this figure reached 16 per cent and as at December 1998, more than half of food stamp benefits were delivered through EBT.7 Abuses of EBT in the US fall under the jurisdiction of the US Secret Service and within the ambit of US Codes 1029 and 1030, relating to access device fraud and computer fraud respectively.
As governments are required to provide more efficient services using less resources, the use of technology provides a fiscally prudent way of delivering social security and other government services. Accordingly, the Australian Government has recognised a commitment to delivering "all appropriate Government services online by 2001."8
Consistent with this commitment, the use of EBT for delivering Australian social security benefits was trialed by Centrelink9 during 1997 in several major Australian cities. The system now operates on a national scale and assists in the electronic delivery of limited social security benefits in cases previously addressed using the traditional counter cheque.
On satisfying the Centrelink eligibility criteria, an appropriate level of benefit is determined and the recipient is issued with an EBT card and a PIN. On entry of the correct PIN, the client may redeem all or part of the card for cash at any approved ATM. Once the card's value is exhausted, the client is required to destroy both the card and the PIN, with the onus on the customer to ensure this occurs.
Unlike the US situation, EBT cards can only be used in Australia to redeem cash from ATMs. Under the present Australian system, there is no facility for using EBT as a conventional debit card through EFTPOS terminals in a retail environment. While Australian EBT is in its infancy, advances in the US provide a useful opportunity for the stakeholders of Australian EBT to identify relevant technical and policy issues.
As an original signatory to the Universal Declaration of Human Rights, Australian governments have consistently recognised that everyone has the right to security in circumstances where a lack of livelihood is beyond one's control.10 While history has demonstrated that the Australian social security system is open to abuse by various fraudulent means, the primary responsibility for investigating cases of serious fraud against the Commonwealth lies with the AFP.11
Like all forms of fraud, social security fraud involves the illegal obtaining of a benefit by way of deception. Government welfare systems exist with the objective of providing assistance to people in genuine need. Accordingly, perpetrators of fraud who misrepresent themselves and receive benefits to which they are not entitled commit the most immoral species of fraud by taking money from the most vulnerable element of society reliant on government support. For society itself, the dangers of social security fraud are twofold.
First, it causes financial loss to Australian taxpayers. In the financial year 1997–1998, there were 2768 convictions for welfare fraud involving $26.6 million.12 While this amount encompasses some larger instances of social security fraud, it predominantly comprises the aggregate of hundreds of minor frauds. Further to the cost of unrecovered funds is the cost of instituting prosecutions against social security offenders. In this sense, the cost of the fraud to the general public extends beyond the amount of the actual fraud.
Secondly, social security fraud constitutes an assault on the system of government. Those who violate Commonwealth systems damage the potential of a government to provide for the people of its country. Society itself carries the losses caused as a result of social security fraud.
From an investigative perspective, the social security fraudster traditionally leaves a trail of documentary evidence. Fraudulent misstatements as to eligibility may be proven by forensic methods such as handwriting or fingerprint analysis. Likewise, inferences may be drawn by a court from possession of relevant documents. Assumptions of false identities may be proven by the location of original documents and forensic proof of fraudulent modification. Finally, electronic debits of social security benefits may be proven through the systematic and methodic process of bank account reconstruction. Thus, the presence of a money or paper trail stands as an invaluable tool to any fraud investigator.
The policing of social security fraud to date has evolved with the introduction of new payment systems. For example, a large amount of social security investigations conducted by the AFP in the 1980s related to the fraudulent issue and use of welfare cheques.
The 1990s provision of direct debiting for social security payments forced investigators to place an increased emphasis on the paper trail and consequently led to the discovery and prosecution of suspects opening and operating bank accounts in false names.
Just as the transition from payment by cheque to payment by direct debit demanded an awareness on the part of investigators, so too will the introduction of social security payments by EBT. The year 2000 and beyond will mark the commencement of a new era in social security benefits with delivery by way of magnetic strip card. If the progression from counter cheques to direct debits was a stride for law enforcement in the fight against fraud, then the progression from direct credits to EBT will be a quantum leap.
The increased popularity of credit and debit cards, the routine use EFTPOS systems, and the advent of Internet shopping have caused members of society to question the role of cash. While the introduction of new payment systems present obvious advantages, they inevitably raise a plethora of issues for specific interest groups, governments, lawmakers, and law enforcement agencies. The establishment of the magnetic strip standard in 1971 brought with it the prospect of electronic counterfeiting. As new systems are developed and implemented, one pertinent fact remains:
Experience suggests that any successful plastic card system will eventually be targeted by fraudsters whose resourcefulness should never be under-estimated — nor the possibility of their getting help from insiders.13
The reference to insiders is particularly relevant in the examination of social security fraud and the use of EBT. The resourcefulness of both outsiders and insiders is unlimited by the advent of electronic commerce. Like the payment systems discussed thus far, the EBT system will inevitably be open to abuse. According to the Financial Crimes Division of the US Secret Service:
As with any recurring payment system, EBT is open to a wide variety of fraud, to include multiple false applications for benefits, counterfeiting of the EBT card and trafficking of non-cash benefits for cash or contraband.14
With Australia's first EBT prosecutions recently, it is the first of these abuses — namely multiple false applications for benefits — that has been adopted by those abusing the Australian EBT system. As with any electronic payment system, the potential exists for the issue of EBT cards based on the creation of fictitious identities. The challenge for investigators lies with the proof of intention in context of a limited documentary paper trail.
In July 1998, the author was responsible for conducting the first police investigations into EBT fraud in Australia. In order to identify future issues for law enforcement, it is appropriate to examine the modus operandi of the offenders in these cases. On the basis that all the offenders in these cases were government employees, it is appropriate to recognise the vulnerability of all electronic payment systems to internal fraud.
The risk of data manipulation as applicable to internal computer systems can be summarised into three possibilities — improper use of the normal computer application by an authorised person, unauthorised use of a normal computer application, and improper use of a special program designed to assist technical staff.15 While all three scenarios are possible in the administration of social security benefits, it is the unauthorised use of normal computer applications which has facilitated the recent Australian incidents of EBT fraud.
A study into organisational computer security conducted by the Office of Strategic Crime Assessments and the Victoria Police found that almost 90 per cent of organisations who experienced computer misuse "were able to trace the source of the problem to people who had legitimate access to their computer systems".16 The conduct leading to the first cases of Australian EBT fraud occurred in December 1997 and January 1998 and involved government employees accessing and fraudulently using the EBT computer system.
All cases involved the issue of EBT cards in fictitious names enabling the offenders to redeem the cards for cash at ATMs. In one case, the proceeds of the fraud were used to purchase heroin in the same street as the location of the ATM and within 10 minutes of the fraud occurring.
In all cases, the spent EBT cards were not located. Accordingly, there was no forensic evidence to link the suspects to the fraudulently issued cards. Likewise, there was no photographic evidence of the suspects using the EBT cards to withdraw money from ATMs.
While there was a computer audit trail, there was no direct proof that the suspect was the person who used the computer at the time the EBT cards were issued.
Had these cases involved the same modus operandi using handwritten forms, it may have been possible to obtain forensic evidence to link the suspect to the granting of the benefits. In these cases, it is therefore argued that that EBT technology has resulted in a more efficient and less detectable species of fraud.
The overriding implication for the fraud investigator apparent from the recent cases is the notable absence of a paper trail. Counter cheques are traceable both on presentment and on issue while direct debits facilitate the reconstruction of bank accounts. In the recent cases the identifiable money trail ceased when the EBT card was issued. In this context the development of EBT fraud will also have definite implications for the legal system, particularly those public prosecutors who are responsible for presenting cases of criminal fraud to the courts.
It is therefore concluded that investigators and prosecutors must be aware of the differences to conventional social security fraud EBT fraud presents. Ultimately, it is the courts who will be faced with the task of interpreting the current laws as they apply to EBT, and both state and federal parliaments who must recognise the nature of EBT fraud and enact any appropriate legislation.
It is essential that law enforcement agencies accept and understand EBT as a new payment system. At such an early stage of development it is difficult and impractical to make specific recommendations. However, a number of general recommendations can be made. As new payment systems emerge, the significance and use of cash will become less applicable. On the issue of cheque, credit card and EFTPOS payment systems, the Electronic Commerce Task Force in reporting to the Commonwealth Law Enforcement Board (CLEB) stated that:
As cash substitutes, these technologies, will share many of the features that concern law enforcers; secrecy, lack of accountability and lack of security. They may, however, potentially facilitate electronic transfers of money for illegal purposes.17
The following recommendations have been devised as a result of the EBT investigations discussed in this paper, and the research of the broader issues affecting electronic payment systems.
As EBT fraud becomes more prevalent, further recommendations will be necessary to control future abuses.18
As with all cards for use in ATMs, EBT cards require a party to enter a PIN before the system will allow a transaction. Difficulties may arise in the case where proof of the fraud turns on the fact that a particular accused physically used an EBT card to withdraw cash. In the absence of a witness to the transaction, or appropriate video surveillance, the investigator may be unable to prove that the party in question conducted the transaction in issue. In the domain of social security fraud, this is an issue unique to both ATM and EBT cards and there are several ways of addressing such a problem.
The Electronic Commerce Task Force identified one alternative legislative reform. While EBT was not a direct issue at the time of the task force's findings, the possibility exists of a reverse onus of proof in cases where the transaction in issue involves the use of a unique PIN or password. In discussing the implication of electronic transactions and the impact on evidence and proof, the task force noted:
Under such a provision, if a prosecutor or plaintiff could show that a transaction was conducted using a PIN or password, and could show that that number or word had been allocated to the defendant by a responsible government or commercial agency, there would be a rebuttable presumption that the defendant conducted the transaction. It would be open to the defendant to call evidence to show that he or she did not conduct the transaction, but the defendant would not be able to sit mute and let the case fail for want of supporting evidence.19
It is argued that this reverse onus may be usefully applied in the case of EBT transactions.
As EBT will inevitably evolve and develop new ways of delivering government services it is incumbent on federal law enforcement to understand and develop strategic intelligence relating to new payment systems. Unlike the US situation, Australia supports one nationally applicable EBT system. It is therefore logical that federal law enforcement agencies tactically record the means by which individuals or organisations abuse new payment systems.
The need for national statistics on fraud is an issue constantly raised by law enforcers and criminologists alike. It is argued by criminologist Russell Smith that Australia presently adopts a ‘fairly piecemeal approach' to fraud data collection.20 This has been attributed to a combination of factors encompassing different fraud laws within the federal criminal justice system, varying systems of intelligence, and the unreported or undetected incidents of fraud.
All these factors make the gathering of accurate fraud statistics difficult. As Smith notes, "knowledge of how offenders commit crimes may be used to detect similar offending patterns in the future and to prevent offenders from making use of criminal strategies employed in the past."21
It is argued from an intelligence perspective that the infancy of EBT fraud in Australia provides an unparalleled opportunity to examine the methods by which social security offenders defraud the system. Accordingly, the role of both strategic and tactical intelligence must not be overlooked.
The technological nature of EBT means that any future instances of EBT fraud will possibly involve the use or abuse of government computer systems. It is at the internal audit stage that EBT fraud is best prevented and detected. Accordingly, it is incumbent upon agencies delivering EBT services to maintain appropriate fraud control policies.
The Fraud Control Policy of the Commonwealth states its desired objective as the "elimination of cases of fraud on Commonwealth programs involving public sector employees and elimination, by all possible efforts, of frauds against Commonwealth programs generally".22 The advent of EBT and the potential for fraud increase the importance of such an objective in two ways.
First, EBT fraud will only be prevented by the maintenance of strict computer access controls. The ability to prove that a particular accused was using his or her computer terminal at a given time is the most crucial evidence in proving fraudulent internal EBT conduct. For this reason, identification and authentication controls within government departments must be monitored. Furthermore, the onus must rest on individual employees to secure their computer terminals when they are not in use.
Secondly, patterns of employee computer use could also assist in the detection of EBT fraud. Too many transactions, too few transactions, attempted access beyond authorisation level, repeated improper attempts to gain access, and deviations from accepted policies, procedures and practices have all been identified as key indicators in fraud risk assessment.23 It is argued that these indicators are of particular relevance to the detection of EBT fraud.
EBT is a developing technology and the modus operandi of each new incident of this species of fraud is of high relevance to the investigator. Australia must use such intelligence and combine this by turning to the US to examine potential ways of preventing and detecting EBT fraud.
Furthermore, it is essential that representatives from law enforcement agencies, particularly those involved in the policing of technological crimes be involved at the design stage of new payment systems. This will further assist with the development of fraud prevention policies.
If one accepts that all payment systems will be the subject of some fraudulent abuse, then risk minimisation strategies must be adopted. Limiting the maximum value attributed to EBT cards represents one possibility. For instance, if the maximum amount capable of being credited to one EBT card in a particular fortnight was capped at a realistic level, the ability for both government employees and external applicants to create fictitious claims would be limited to that value. The introduction of ‘use by' dates on EBT cards would further reduce instances of EBT fraud by requiring the holder of an expired EBT card to re-attend the social security agency and seek that the card be re-activated.
As new technological crimes emerge, it will be incumbent upon law enforcement agencies to provide the requisite levels of training and education. Law enforcement can ill afford to play catch up with those involved in exploiting new payment systems.
Investigating EBT fraud requires a detailed knowledge of social security computer systems and the EBT fraud investigator must be able to interpret various internal audit reports often produced in a non user-friendly format. In the absence of a complete paper trail, internal audit reports represent an essential component of any EBT investigation.
In Australia's first EBT fraud prosecutions, it has been the social security investigators who have been rigorously cross-examined as to the contents of such reports. However, in order to compile a professional brief of evidence, it is essential that police investigators also acquire a broad understanding of EBT systems.
It is recommended that social security agencies using the EBT system to deliver welfare benefits provide short courses to police and other government investigators involved in the policing of EBT fraud. Such courses would be of equal benefit to lawyers prosecuting cases of EBT fraud.
As with any new electronic payment system, the physical operation of the Australian EBT system is both technical and complicated. In terms of presenting a prosecution case, the importance of providing clear evidence as to the technical operation of the Australian EBT system is heightened by the absence of a conventional paper trail. It is argued that the infancy of the Australian EBT system may result in defence counsel attacking prosecution witnesses on the technical workings of the EBT system. The nature of the parties involved in EBT transactions, the contractual relationships between government service providers and financial institutions, and the technical processes involved with issuing EBT cards represent fertile ground on which the defence may sow the seeds of reasonable doubt.
This is coupled with the fact that the legislative provisions used to lay charges for most Australian EBT cases to date have not been challenged either at trial or on appeal.24 Finally, the technology underlying EBT is in a state of constant change — a further argument to support the development of EBT expert witnesses.
Adopting this recommendation will have advantages beyond the mere strengthening of prosecution cases. Importantly, it will provide uniformity in the way EBT fraud prosecutions are presented and will ultimately assist the courts with interpreting legislation relevant to the offences, and developing consistent approaches to deal with those charged with EBT fraud.
The main implications of EBT for federal law enforcement can be reduced to three broad conclusions. First, the investigation of EBT fraud entails several differences to traditional paper-based social security frauds. In a particular investigation all evidence may exist in the form of computer access times, computer audit trails and ATM transactions. A complete absence of paper based evidence is therefore possible and on this basis an investigator loses the ability to rely on forensic handwriting samples, fingerprinting, or DNA evidence.
Secondly, and building upon the evidential aspect, the investigation and subsequent proof of EBT fraud may ultimately turn upon the use of a computer terminal by a particular employee to issue a specific EBT card. Acknowledging the difficulty in proving that a particular employee transacted under his or her computer logon at a given time, it is here that the reverse onus of proof in relation to passwords and PINs may be considered.
Thirdly, it is apparent that criminals have developed the ability to counterfeit conventional magnetic debit and credit strip cards. Given that EBT card technology in Australia consists of the same technology as conventional credit cards, it is possible that EBT cards may also be the subject of criminal counterfeit operations. In the absence of the monetary limits suggested in this paper it is possible that EBT cards may be counterfeited and used as currency in narcotic related or other illegal enterprises. Thus, security measures with a view to minimising counterfeiting must be considered as the provision of social security moves towards total EBT delivery.
Like ATM and EFTPOS, EBT will inevitably become a standard term in the vocabulary of Australian society. While EBT will be utilised because of its inherent advantages, the future challenge for federal law enforcement lies in the prevention, detection, investigation and prosecution of EBT fraud. In acknowledging that all payment systems are susceptible to fraudulent abuse, EBT fraud has the potential to damage Australian society.
The issues raised in this paper present considerable scope for further debate and inquiry. For law enforcement agencies the most significant side-effect of EBT will be a continuation of social security fraud perpetrated by innovative means. In any event, the war against the criminal exploitation of technology will only be won in the presence of technologically aware, and technologically competent, law enforcement agencies.
1. BA(PolSt)(Mon.),L.LB(Hons)(Mon.), GradDipCrim(Melb.),GradDipLegPrac(ANU), M.A.I.P.I.O, Federal Agent, Australian Federal Police, Northern Region (Darwin). The views expressed in this paper are those of the author and do not necessarily reflect the position of the Australian Federal Police or the Australian Government.
2. Gordon Hughes (Ed), Essays on Computer Law, Logman Cheshire, Melbourne, 1990, p249.
3. Ibid,p248.
4. Australian Payments Clearing Association (APCA), Payment System Statistics, http://www.apca.com.au
5. University of Texas, Austin, LBJ School of Public Affairs, Policy Research Project on Electronic Benefits Transfer, http://www.utexas.edu/lbj/rhodesprp/prpteam.html
6. Jack D Doyle, Electronic Benefits Transfer Programs by State, Oregan Department of Human Services, http://dhrinfo.hr.state.or.us/intranet/tands/DebitCards.htm
7. Brian Robinson, "Searching for EBT Solutions", February 1998, http://civic.com/pubs/1998/february/cover.htm
8. News Release: Attorney-General, Agreement on National Laws for Electronic Commerce, 30 October 1998, http://www.law.gov.au/aghome/agnews/1998newsag/478a_98.htm.
9. Centrelink is a statutory authority and was officially launched on 24 September 1997. It was formed through the amalgamation of the Department of Social Security and parts of the Commonwealth Employment Service with a view to delivering more efficient and streamlined government services.
10. Article 25 of the Universal Declaration of Human Rights as adopted by the United Nations on 10 December 1948, http://www.un.org/rights/50/decla.htm
11. Commonwealth Law Enforcement Board, Best Practice for Fraud Control: Fraud Control Policy of the Commonwealth, AGPS, Canberra, 1994, clause 22, p4.
12. Centrelink 1997/1998 Annual Report, AGPS, p191.
13. Bryan Clough, "Plastic Fraud" in The Journal of International Security (INTERSEC), Volume 7, Issue 9, September 1997, p292.
14. United States Secret Service, Financial Crimes Information, http://www.treas.gov/usss/financial_crimes.htm#Electronic Benefits Transfer (EBT) Card
15. Ian Huntington, Fraud : Prevention and Detection, Butterworths, London, 1992, p177.
16. Computer Crime & Security Survey, Office of Strategic Crime Assessments & Victoria Police Force, 1997,p30.
17. Steering Group of the Electronic Commerce Taskforce, Report of the Electronic Commerce Taskforce to the Commonwealth Law Enforcement Board, AGPS, November 1996, p13.
18. The original version of this paper was written shortly after the first prosecutions for EBT fraud in 1999. Accordingly, many of the recommendations suggested in this paper may have been already been adopted. The providers of EBT services have shown an active commitment to the detection and prevention of EBT fraud.
19. Ibid,p71.
20. Russell G Smith, Measuring the Extent of Fraud in Australia, Trends & Issues in Crime and Criminal Justice No.74, Australian Institute of Criminology, November 1997, p1.
21. Ibid, p2.
22. Commonwealth Law Enforcement Board, Best Practice for Fraud Control: Fraud Control Policy of the Commonwealth, AGPS, 1994, p1.
23. Bologna, Jack G. and Lindquist, Robert J, Fraud Auditing and Forensic Accounting: New Tools and Techniques, 2nd Ed, John Wiley & Sons, Canada, 1995, p147.
24. Section 76 of the Crimes Act 1914 (Cth) provides for a range of offences relating to accessing and/or damaging data in Commonwealth computers. In order to prove an offence under the provisions the Crown must prove that the suspect had the requisite intention and dealt with the data in the absence of lawful authority or excuse.
AustLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.austlii.edu.au/au/journals/AUFPPlatypus/1999/35.html