Sunday, June 28, 2009

Maintain appropriate password security

One of the most frustrating aspects of using a computer at work is the regular reminders to change your password. However, it is also a very important way of reducing the risk of fraud.

Cracking a password can be easy if good controls are not in place.

There are three main ways an attacker will attempt to crack a password – guessing, a dictionary attack and a brute force attack.

Some passwords can easily be guessed by someone who knows the password holder well, or who simply looks around their desk. Examples of practices that make a password easy to obtain or guess include:
  • The password being written on a piece of paper and attached to the person’s monitor;
  • No password being set at all;
  • Leaving the password as the default set by the system administrator or the vendor – frequently “password” or “admin”;
  • The password being the name of a spouse, child or pet;
  • The password being the person’s favourite type of car, favourite celebrity or band;
  • The password being a combination of the month and year; or
  • The password being the person’s own name, or their login name used as the password as well.

Many people also use ordinary dictionary words. In this case a dictionary attack, which simply tries every word in a word list (usually with common variations such as a capital first letter or digits added at the end), will not take long to determine what the password is.

The last option is a brute force attack, which tries every combination of letters, numbers and symbols. The time taken depends on the length of the password and the size of the character set it is drawn from: the number of candidates is the character set size raised to the power of the length, so each extra character multiplies the attacker’s work by the size of the character set. Using upper and lower case letters, numbers and symbols gives about 95 possibilities for each character (26 lower case, 26 upper case, 10 digits and roughly 33 printable symbols), compared with only 26 for lower case letters alone.

It has been estimated that the time taken to crack a password drawn from such a character set is as follows. The figures assume a fixed rate of guesses per second, so they are illustrative only: an attacker who has stolen a copy of the password hashes and tests guesses offline on modern hardware will be very much faster than one guessing through a login screen. What does not change is the scaling – from 7 characters onwards each additional character multiplies the time by roughly the size of the character set:

  • 4 characters = 10 seconds
  • 6 characters = 1,000 seconds
  • 7 characters = 1 day
  • 8 characters = 115 days
  • 9 characters = 31 years
  • 10 characters = 3,000 years

So what does this mean? For the best password security:

  • the greater the number of characters in the password, the better (at least 8);
  • use a combination of upper and lower case letters, numbers and symbols;
  • do not use common words, names or dates;
  • do not give your password to anyone else, and do not write it down where others can see it;
  • regularly force users to change their password, and force a change immediately if it may have been disclosed;
  • force users to use a minimum number of characters;
  • force users to use a combination of letters, numbers and symbols; and
  • do not allow the password field to be left blank.
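The following Python script is an added example, not part of the original post: it runs the three attack types described above (guessing from personal facts, a dictionary attack and a brute force attack) against a small constructed store of unsalted SHA-256 password hashes, and computes how the brute force effort scales with password length and character set size. All user names, passwords, word lists and the guess rate of one billion guesses per second are assumptions made for the demonstration.

```python
import hashlib
import itertools
from typing import Dict, List, Optional, Tuple

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"  # character set for the brute-force demo


def sha256_hex(s: str) -> str:
    """Unsalted SHA-256 hash of a string, standing in for weak password storage."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


# Constructed sample "password store" (assumption, not from the original post).
# Each user's password falls to a different one of the three attack types.
STORED: Dict[str, str] = {
    "alice": sha256_hex("Rex2007"),   # pet name plus a year: guessable from personal facts
    "bob":   sha256_hex("sunshine"),  # plain dictionary word
    "carol": sha256_hex("q7z"),       # short but random: only brute force finds it
}

# Constructed attacker inputs: facts known about alice, and a tiny word list.
ALICE_FACTS = ["alice", "rex", "ford", "coldplay"]
WORDLIST = ["password", "letmein", "sunshine", "welcome", "dragon"]


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Seconds to try every candidate at a given guess rate (on average half of this suffices)."""
    return keyspace(charset_size, length) / guesses_per_second


def guess_attack(target_hash: str, facts: List[str]) -> Optional[str]:
    """Attack 1, guessing: personal facts combined with the suffixes people habitually add."""
    suffixes = ["", "1", "123", "!", "2007", "2008", "2009"]
    for fact in facts:
        for base in {fact.lower(), fact.capitalize()}:
            for suffix in suffixes:
                candidate = base + suffix
                if sha256_hex(candidate) == target_hash:
                    return candidate
    return None


def dictionary_attack(target_hash: str, wordlist: List[str]) -> Optional[str]:
    """Attack 2, dictionary: every word in the list, with the same cheap mangling rules."""
    return guess_attack(target_hash, wordlist)


def brute_force(target_hash: str, charset: str, max_length: int) -> Tuple[Optional[str], int]:
    """Attack 3, brute force: every string over `charset` up to `max_length` characters.
    Returns (password or None, number of guesses tried)."""
    tried = 0
    for length in range(1, max_length + 1):
        for combo in itertools.product(charset, repeat=length):
            tried += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, tried
    return None, tried


def crack_time_table(charset_size: int, guesses_per_second: float,
                     lengths=range(4, 11)) -> Dict[int, float]:
    """Worst-case crack time in days for each password length in `lengths`."""
    return {n: worst_case_seconds(charset_size, n, guesses_per_second) / 86400 for n in lengths}


if __name__ == "__main__":
    print("alice:", guess_attack(STORED["alice"], ALICE_FACTS))
    print("bob:  ", dictionary_attack(STORED["bob"], WORDLIST))
    print("carol:", brute_force(STORED["carol"], CHARSET, 3))
    for n, days in crack_time_table(95, 1e9).items():
        print(f"{n} chars over 95 symbols at 1e9 guesses/s: {days:,.4g} days")
```

Run directly, the script recovers all three passwords and prints the scaling table: at the assumed one billion guesses per second, an 8-character password over 95 symbols takes about 77 days to exhaust and a 10-character one roughly 1,900 years, each extra character multiplying the work by 95. Note that the store uses unsalted SHA-256 purely to keep the example short; real systems should store passwords with a salted, deliberately slow hash, which reduces the guess rate an attacker can achieve.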

Sunday, June 21, 2009

Develop a robust employment screening process

One method of reducing the risk of fraud in your organisation is to ensure you do not employ a person who has previously been convicted of fraudulent activity. To do this, an organisation should undertake an appropriate employment screening process.

The process should be undertaken prior to the final acceptance of an offer of employment and also when an employee is promoted to a management position.

Examples of the type of screening that should be undertaken are as follows:

  • Conduct a criminal history check to determine if the person has a previous conviction for a fraud related offence. The applicant’s consent will be needed before such a check can be undertaken;
  • Verify the applicant’s previous work history. Before contacting referees, independently verify their telephone numbers (for example through the former employer’s switchboard rather than a number supplied by the applicant) to ensure you are speaking to the appropriate person;
  • Verify qualifications. Consent may need to be obtained from the applicant to enable confirmation to be obtained from educational institutions and professional bodies;
  • Give the applicant an opportunity to explain any gaps in their employment history;
  • Conduct an internet search such as a Google search. It’s amazing what can be found on the internet;
  • Check social networking sites such as Facebook and Twitter for postings by the applicant.

Sunday, June 14, 2009

Understand what Beyond Reasonable Doubt means

I have conducted many fraud investigations as well as defending people who have been charged with fraud. Something I see on a regular basis is that the person conducting the investigation does not understand the level of proof they need to obtain. For a criminal charge, it must be proven “beyond reasonable doubt” that the person has committed fraud. Beyond reasonable doubt is the standard of proof used by a magistrate, judge or jury to decide whether an accused is guilty or not guilty of a criminal charge.

The wording used for this standard varies depending on the country in which you are conducting the investigation. However, the ultimate meaning is the same.

It means that the proposition presented by the prosecution must be proven to the extent that a reasonable person, in their own mind, would have no reasonable doubt that the defendant is guilty. To provide this level of proof you should also consider whether you need to disprove any innocent explanation for the transaction that is the subject of the criminal charge.

Sunday, June 7, 2009

Control the Use of Petty Cash

What is the Risk?

The risk is that someone claims personal expenses through petty cash or makes fraudulent petty cash claims.

How to Mitigate the Risk

While petty cash may only be a small amount when compared to other assets, it is an easy target for a person contemplating committing fraud for the first time. If the person is able to easily defraud the organisation of petty cash, it may encourage the person to continue to commit fraud.

Steps to reduce the likelihood of petty cash fraud occurring include:

  • Develop a policy that clearly sets out what can be claimed through petty cash, with a limit on the monetary value that can be claimed;
  • All source documents supporting a claim should be clearly stamped “Paid” so that they cannot be reused in a future claim;
  • All claims made should contain supporting documents (e.g. receipts and invoices) for the items that have been purchased;
  • Petty cash should have adequate physical security (e.g. locked in a safe);
  • Put procedures in place to regularly reconcile the cash on hand against claims and source documents, with the count performed by someone other than the custodian of the petty cash.