SALAMI SLICING ATTACK: All you need to know about your financial and technical security

Wed, Nov 4, 2020 5:19 AM on Exclusive, Economy

Say, just for fun, a kid takes a Rs. 5 note out of your pants pocket daily after you return from the office. No matter how big a financial position you hold in the outside world or how renowned a personality you are, you are just a parent to your kid!! Say he does this daily; I bet you will not notice it until you actually catch him in the act!!

Ok, this seems funny, as the sum here is a Rs. 5 note, the character involved is your own kid and the asset is your pants with petty cash!! But the situation turns worrisome instantly if the pants are replaced by your savings bank account, a pen drive containing your organization's important information, or an important organizational document, and the kid is replaced by some unknown cybercriminal/perpetrator.

Introduction:

A “salami-slicing attack” or “salami fraud” is a technique by which cyber-criminals steal money or resources a bit at a time so that there’s no noticeable difference in overall size. The perpetrator gets away with these little pieces from a large number of resources and thus accumulates a considerable amount over a period of time.

The essence of this method is the failure to detect misappropriation. The most classic approach is the “collect-the-roundoff” technique.

Stealing money electronically is the most common use of the salami-slicing technique, but it’s not restricted to money laundering. The salami technique can also be applied to gather little bits of information over a period of time to deduce an overall picture of an organization. This act of distributed information gathering may be against an individual or an organization. Data can be collected from web sites, advertisements, documents collected from trash cans, and the like, gradually building up a whole database of factual intelligence about the target.

There are two major types of Salami attacks:

A. Internal attacks:

This is the most common type of Salami attack. It occurs when an individual working in the organization, who knows the organization's security system, tries to steal from the organization and causes serious damage. For example, an accountant at a particular bank who engages with the bank's customers on a daily basis inserts a program into the bank server that diverts one rupee to his own account from each customer who makes a transaction at his workstation. At the end of the day, after transacting with five thousand customers, he will have a sum of 5,000 rupees in his account.

B. External attacks:

As the name implies, the external attack is a kind of Salami attack that originates outside the organization. A situation where the attacker lives outside the organization but tries to steal information from it, causing serious damage to the organization, is known as an external attack.

History of Use of Salami Slicing Attacks:

This system is not new although the term may seem fancy. A search in Wikipedia will show the following past instances of the use of Salami Slicing Technique to siphon funds illegally:

  • In January 1993, four executives of a rental-car franchise in Florida were charged with defrauding at least 47,000 customers using a salami technique.
  • In Los Angeles, in October 1998, district attorneys charged four men with fraud for allegedly installing computer chips in gasoline pumps that cheated consumers by overstating the amounts pumped.
  • In 2008, a man was arrested for fraudulently creating 58,000 accounts which he used to collect money through verification deposits from online brokerage firms a few cents at a time.
  • In 1996, an Edmonton fare box serviceman was found guilty of stealing from the city's transit agency by stealing coins from the farebox. Over 13 years, he walked away with 37 tonnes of coins with a face value of nearly CDN$2.4 million, having used a magnet to lift the coins one at a time out of the fare boxes. He was sentenced to 4 years in prison and was eligible for parole after 18 months.
  • In Buffalo, New York, another fare box serviceman stole more than US$200,000 in quarters from the local transit agency over an eight-year period (2003 through 2011). Blaming a gambling addiction for his crime, he was sentenced to 2.5 years in prison.

Salami Slicing Attacks as a subject for Movies and TV Series:

Salami slicing has played a key role in the plots of several films, including 1995’s Hackers, 1983’s Superman III, and 1999’s Office Space.

Detection & Mitigation of Salami Attack:

A. Detection:

Different software may exist to verify the authenticity of information in an organization, but according to researchers the most efficient and effective way to detect a Salami attack is to check each and every line of code and each and every process and transaction (also known as white-box testing).
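The transaction-level check can be partly automated by grouping small transfers by the account that receives them. The following is an added example, not part of the original article: the thresholds, account names and ledger are constructed assumptions modelled on the one-rupee internal attack described earlier.

```python
from collections import defaultdict
from decimal import Decimal

# Assumed thresholds for illustration; tune them to the institution's own data.
SMALL_AMOUNT = Decimal("5.00")   # a "slice": transfers at or below this value
MIN_DISTINCT_SOURCES = 50        # how many different customers must be affected


def find_salami_beneficiaries(transfers, small=SMALL_AMOUNT,
                              min_sources=MIN_DISTINCT_SOURCES):
    """Return accounts that collect small debits from many distinct accounts.

    transfers: iterable of (source_account, destination_account, Decimal amount).
    Result: list of (destination, distinct_sources, total), largest total first.
    """
    sources = defaultdict(set)
    totals = defaultdict(Decimal)
    for src, dst, amount in transfers:
        if Decimal("0") < amount <= small:
            sources[dst].add(src)
            totals[dst] += amount
    flagged = [(dst, len(srcs), totals[dst])
               for dst, srcs in sources.items() if len(srcs) >= min_sources]
    return sorted(flagged, key=lambda row: row[2], reverse=True)


def build_constructed_ledger():
    """Constructed sample data modelled on the article's example, not real records."""
    ledger = []
    for i in range(5000):
        customer = f"CUST{i:05d}"
        # Legitimate payment by the customer to a merchant.
        ledger.append((customer, f"MERCHANT{i % 40:02d}", Decimal("1200.00")))
        # The hidden one-rupee diversion described in the article.
        ledger.append((customer, "STAFF-ACCT-X", Decimal("1.00")))
    # A legitimate low-value collector with few payers stays below the threshold.
    for i in range(10):
        ledger.append((f"CUST{i:05d}", "TEA-STALL", Decimal("5.00")))
    return ledger


if __name__ == "__main__":
    for dst, n, total in find_salami_beneficiaries(build_constructed_ledger()):
        print(f"{dst}: {n} distinct sources, Rs. {total} in small credits")
```

Each individual one-rupee debit looks harmless on its own; the pattern only shows up once credits are counted per receiving account across many customers.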

B. Mitigation procedures:

  • The organization should establish a security policy that defines the privileges of who can access certain information at a certain level and who should be denied such access. This will reduce internal attacks on organizational assets.
  • The organization should also frequently update its security systems in order to avoid any ongoing attack on the organization.
  • The banking system should send both SMS and email messages to alert customers to any transaction that occurs, and should also advise customers to immediately report any unexplained reduction in their money, no matter how small it is, so the bank can update its security system.
  • Individuals should avoid using their date of birth, surname, mother's name, or cell phone number as the password of their phone, ATMs, or e-banking as it can be easily determined by the attackers.
  • Most importantly, banks should advise their customers to avoid saving their bank details on their cell phones or on any of their social media.

Conclusion:

In a nutshell, a Salami attack is the stealing of information from numerous sources where the victims remain unaware. It may occur internally within an organization or externally outside the organization, and may be intentional or accidental. The most efficient way to avoid a Salami attack is to define an efficient and robust user and security policy, which may involve keeping all sensitive information within an organization confidential or using multi-step security authentication.

This does not absolve account owners of the responsibility to remain vigilant and to keep regular track of their accounts and finances. Account owners should also behave responsibly while using online banking, apps, social media, pen drives or any other IT resources. One should even keep track of the SIM cards/numbers provided in e-banking for OTPs and alerts and check that they are under one’s control and authority.

The Rs. 250-500 annual charge for SMS alerts and other online banking facilities needs to slowly be accepted as our own annual financial security charge, much like an active anti-virus subscription, rather than as a bank charge. You can cover those annual charges from the bank interest at least over a year!!

Finally, STAY VIGILANT, STAY SAFE - BOTH PHYSICALLY AND DIGITALLY!!

-CA Ayush Khetan

(ayushkhetan2007@gmail.com)