51

There's a popular story that describes a programmer having altered a program at a bank so it diverted fractions of a cent from every transaction to another account (or some variation like multiple accounts) so he could collect it later.

The story has been so popular that variations have been referenced in a Superman movie and Office Space.

Was this based on an actual story, or is it simply a myth? If it did happen, what happened to the programmer?

Nick Stauner
Bart Silverstrim
  • 4
    Difficult to get a real proof, because no Bank will ever recognize that kind of internal fraud. – Dr. belisarius Feb 06 '13 at 22:41
  • 1
    I live in a "Banker's Town" and, as such, I have numerous friends who work in the industry. I recall having a conversation with a friend about 4-5 years ago on this "exploit". What I recall is that once this was discovered by the banks, the banks wised up. Banks now do this on their own. This may seem like banker fraud. But, the difference is they take all values, positive and negative. This keeps the account value at a running average of 0, but the movement is traceable. – RLH Feb 07 '13 at 13:26
  • 4
    This is called [salami slicing](http://en.wikipedia.org/wiki/Salami_slicing) – Sam I Am Feb 07 '13 at 15:41
  • 1
    Wasn't that the plot to Superman III? – Lucas Wiman Feb 13 '13 at 19:28
  • I read the story about a banking employee that embezzled around US $2 million on the East Coast of America. The story appeared in an old edition of Reader's Digest in Australia, so it was at least 20 years ago. The man was caught and later went on to work for the good guys in the field of security. You may be able to find the original article through Reader's Digest in America. Good luck! –  Dec 22 '14 at 00:11
  • Salami slicing is related to crowdsourcing. By causing each individual person to work for you for a few seconds, something they cannot reasonably expect to be compensated for, you may skim a lot of manhours for whatever is your labour need. Google did this with human-powered OCR http://arstechnica.com/tech-policy/2016/02/judge-tosses-proposed-class-action-accusing-google-of-captcha-fraud/ – user7610 Feb 14 '16 at 09:34
  • Coinbase does this whenever anyone buys bitcoins from them. Say you buy $100 in bitcoin. If you do the math, they are actually sending something like $99.995 dollars worth of bitcoin, which rounds up to 100 dollars, but is definitely not exact. A half penny per thousands of transactions every day adds up fast. Worse though, they don't list the price per coin in the downloadable transaction history. Virtually everything else to do with the transaction is shown. They don't want users to know about this. – Julian Jun 27 '17 at 01:01

2 Answers

42

There is a significant amount of anecdotal evidence that supports the claim that, not only did this happen once, but that it happens rather frequently. Unfortunately, most of these claims appear to come from members of the security industry, which may have a vested interest in convincing people that this type of activity is taking place.

The type of theft you're talking about is called salami slicing. There have been a number of papers published on this attack by security researchers (not peer reviewed, mind you), such as this one and this one. This second paper repeats a variation of what is probably the most famous claim: a former bank employee in Canada who stole $70,000 using this type of attack. Unfortunately, the papers are lacking in details, and the references don't match the contents.

The most often quoted (and not cited) source for these claims seems to be this Network World article, which recites a list of supposed convictions based on salami-slicing techniques. Again, it's lacking in details, though it does give dates and jurisdictions for several purported cases of salami slicing.

Overall, my intuition tells me that micro-theft of this sort has certainly occurred at some point in the past. It's really nothing more than a modernized version of clipping coins, which certainly happened on a regular basis. However, I cannot find any evidence of any single, famous, and verifiable case of salami slicing that matches the circumstances usually supplied in the anecdotes you mentioned.


On a related note, there's much better evidence regarding similar kinds of salami attacks, just not ones involving bank employees. For example, this Wired article describes a man who allegedly defrauded E*Trade using a variation of a salami attack (related to how the brokerage firm verified that it could deposit money into your account), including links to a Dept. of Justice affidavit describing the attack. There was also a case in Florida of a rental car firm overcharging customers for tiny amounts of gasoline on returns.

KutuluMike
  • The key reason this hasn't happened at a bank, at least in recent times, is the extensive series of checks carried out. If **any** totals fail to match, an investigation is triggered - doesn't matter how big the discrepancy is - there should be none, so a difference means either an accidental or deliberate problem that needs to be fixed. – Rory Alsop Feb 07 '13 at 09:25
  • 6
    @RoryAlsop unless they use floating point ;-) – gerrit Feb 07 '13 at 12:43
  • 4
    @gerrit Mostly they used fixed-point decimal values since they are more accurate when doing calculations in base-10; we typically do the math out to ~8 decimal places then round to 4 (a SQL MONEY type, for example). – KutuluMike Feb 07 '13 at 13:31
  • 1
    @gerrit - Or if they are using a [Pentium processor](http://en.wikipedia.org/wiki/Pentium_FDIV_bug). – rjzii Feb 07 '13 at 17:12
  • 3
    @gerrit: as long as the money is "moved" in each transaction (I know financial systems do this but I don't know the exact name), using floating point calculation is fine. By "moving" I mean decrease a certain amount from one account and increase exactly the same amount on the other account. An example would be a calculation that comes up with an interest of $0.55555... but it will be rounded to either $0.55 or $0.56. In either case, one account will be credited while the other account will be debited the same amount. You never get one extra cent from such a transaction. – Codism Feb 07 '13 at 19:12
  • 13
    @Codism I'm afraid that's not true. You're wrongly assuming that it's always possible to, given an amount, add exactly this amount to a particular balance, or subtract it. When X and Y are valid floats, X+Y often isn't representable and you end up with X+Y±ε, probably with different ε at debited and credited account. Floats + money = no. – Kos Feb 09 '13 at 11:15
  • @Kos: In my example, a float number is rounded to a fixed-point number before it's added or subtracted. If a float number (before being rounded) is used to credit or debit an account, the double-entry bookkeeping system will detect the bug before anyone can use it. – Codism Feb 11 '13 at 16:09
  • "It's really nothing more than a modernized version of clipping coins, which certainly happened on a regular basis." Doing *something* with fractions of a cent in a computer system seems plausible, but transferring it to your own personal account without getting caught doesn't seem trivial. Also, I'm skeptical that banking systems use floating point math. That's why things like http://docs.python.org/2/library/decimal.html exist – endolith Feb 28 '13 at 22:44
  • @endolith Most bank systems have been around for a _long time_ now, and, since they are super-critical, are rarely updated. They are a few of the worst pieces of software in the world in terms of maintenance. I speak from my experience - don't assume that banking software is rational _to any extent_. They were first created when the software industry was just blooming, and several banks still use those original systems! My bank provider, for example, must run its software inside _DosBox_ because newer OSs can't run it properly. – T. Sar Feb 11 '15 at 09:37
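
The control the comments above describe, as an added example (not part of any post or comment on this page): interest is computed in fixed-point `Decimal`, every sub-cent remainder is booked to a rounding account, and that account is checked for one-sided drift, which is what always-round-down skimming produces. The function names, the sample balances, the 0.01% rate and the quarter-cent threshold are assumptions made for the illustration.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")

def post_interest(balances, rate, rounding):
    """Credit interest in whole cents; book each sub-cent remainder separately."""
    credits, residuals = [], []
    for balance in balances:
        exact = balance * rate                      # fixed-point, no float error
        paid = exact.quantize(CENT, rounding=rounding)
        credits.append(paid)
        residuals.append(exact - paid)              # posted to a rounding account
    return credits, residuals

def totals_match(balances, rate, credits, residuals):
    """Control total: exact interest must equal credits plus rounding account."""
    return sum(b * rate for b in balances) == sum(credits) + sum(residuals)

def rounding_account_drifts(residuals, per_item=Decimal("0.0025")):
    """Flag a rounding account whose net grows with volume instead of staying near 0.

    per_item (a quarter cent per posting) is an assumed threshold.
    """
    return abs(sum(residuals)) > per_item * len(residuals)

# Constructed sample data: 1000 balances and a 0.01% periodic rate (assumed).
BALANCES = [Decimal(10000 + i) for i in range(1000)]
RATE = Decimal("0.0001")

def run(rounding):
    """Post one interest run and return the figures a reconciliation job would check."""
    credits, residuals = post_interest(BALANCES, RATE, rounding)
    return {
        "totals_match": totals_match(BALANCES, RATE, credits, residuals),
        "net_residual": sum(residuals),
        "negative_residuals": sum(1 for r in residuals if r < 0),
        "drift_flagged": rounding_account_drifts(residuals),
    }

if __name__ == "__main__":
    for name, mode in (("half-even", ROUND_HALF_EVEN), ("truncate", ROUND_DOWN)):
        print(name, run(mode))
```

Both runs pass the control total, because every remainder is booked somewhere; only the sign and size of the rounding account separate symmetric rounding from truncation.
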
8

The Snopes entry on the "Salami Technique" calls it a "legend," which doesn't say whether it's true or false. http://www.snopes.com/business/bank/salami.asp

It references stories from the 1978 book Computer Capers, whose description says it's "incredible but true." http://www.snopes.com/sources/business/computer.htm

One story is about a "programmer working at a mail-order sales company" who was caught and fired.

Max