Wednesday, August 20, 2014

The No Limit Attack

Occasionally, I will write specifically for the SNAP EBT forum and not publicize the post except in my linked-in page and the Food Stamp Benefits (EBT) Fraud Group.  This is one of those occasions.

Trafficking SNAP benefit is the sexiest attack, and attracts the most attention and the most law enforcement dollars. I think the attack is a quaint artifact, easily defeated, easily prosecuted, and no longer where big dollars are lost. I think the government loses big dollars from no limit attacks.

Recently thieves attacked a commercial payment system hub in India. The payment authorizing host was the victim. Essentially the attackers created a legitimate account and then attacked by increasing the spending limit of the account. I named the attack the no limit attack and poked a little fun at Indian authorizers, because the method for redemption of stolen funds had no disguise and thus easily detectable.  

If no limit attacks exist on the SNAP payment hub they are detectable by comparing aggregate dollars issued versus aggregate dollars redeemed over the lifespan of the EBT program. If there is a consistent ratio between aggregate SNAP dollars redeemed and issued (I know of no studies or evidence that this is true) then anecdotally the ratio is less than one. I suspect the actual ratio is quite different and that dollars redeemed exceed dollars issued over the lifespan of the average EBT system administered by states. If so, then state systems suffer from no limit attacks and there are no dollars budgeted for defense against it.

EBT systems generally receive SAS 70 audits but those audits look primarily at documented security procedures and actual security operations. The audits will not detect hidden attacks. Surely there is a little money out there just to detect if an attack exists and actual dollars lost from the attack so we can muster a defense warranted by the size of loss.

Next Blog: An exploration of the “lunch room attack”

No comments:

Post a Comment