Jan 15 2009

Social Welfare Fraud

Category: SecurityTeknovis @ 10:42 pm

I read a really interesting news story today about an employee of the Irish national postal company. This employee’s job was to process social welfare recipients’ claims when they came into the post office. This consisted of scanning a date stamped voucher that covered the current time period (week or month I presume), and then paying out the correct amount of cash.

However, the employee discovered that she could also scan another voucher representing a future period from the recipients’ voucher books and that the system would allow her to make that payment. She simply pocketed this second payment :) The post office only kept records of payments for 21 days, so after that period the voucher could be used again!

This raises some very important security issues:

  • The system designers should have built a check into the system to ensure that the vouchers were valid at the time they were being redeemed. This validity should consist of a valid from date and a valid to date.
  • The system designers should have built a check into the system to ensure that the vouchers were not previously redeemed. This is substantially easier to do when the system checks the validity of the dates.
  • For bonus marks the system designers could allow vouchers to be revoked, and consequently they would need to include a check in the system to ensure that the vouchers were not revoked. Again this is substantially easier to do when the system checks the validity of the dates.

The full article is Quirk in An Post system used in fraud, although I would not call it a quirk!

Tags: