Occasionally, I will write specifically for the SNAP EBT
forum and not publicize the post except in my linked-in page and the Food Stamp
Benefits (EBT) Fraud Group. This is one
of those occasions.
Trafficking SNAP benefit is the sexiest attack, and attracts
the most attention and the most law enforcement dollars. I think the attack is
a quaint artifact, easily defeated, easily prosecuted, and no longer where big
dollars are lost. I think the government loses big dollars from no limit
attacks.
Recently thieves attacked a commercial payment system hub in
India. The payment authorizing host was the victim. Essentially the attackers
created a legitimate account and then attacked by increasing the spending limit
of the account. I named the attack the no limit attack and poked a little fun
at Indian authorizers, because the method for redemption of stolen funds had no
disguise and thus easily detectable.
If no limit attacks exist on the SNAP payment hub they are
detectable by comparing aggregate dollars issued versus aggregate dollars
redeemed over the lifespan of the EBT program. If there is a consistent ratio
between aggregate SNAP dollars redeemed and issued (I know of no studies or
evidence that this is true) then anecdotally the ratio is less than one. I
suspect the actual ratio is quite different and that dollars redeemed exceed
dollars issued over the lifespan of the average EBT system administered by
states. If so, then state systems suffer from no limit attacks and there are no
dollars budgeted for defense against it.
EBT systems generally receive SAS 70 audits but those audits
look primarily at documented security procedures and actual security operations.
The audits will not detect hidden attacks. Surely there is a little money out
there just to detect if an attack exists and actual dollars lost from the
attack so we can muster a defense warranted by the size of loss.
No comments:
Post a Comment