Fake Vendor Invoices || Is it ok for cops to install spyware on phones without consent?
CyberInsights #102 - Invoice Fraud 101 || The case for digital surveillance and why you should get involved
$10 million stolen from Amazon by creating fake vendors
Or, why Segregation of Duties is such an important control
How do you steal money from a large corporation? By invoicing them.
The linked article describes a woman who misused her position in the finance function at Amazon to extract nearly 10 million dollars.
This is invoice fraud 101. Any garden-variety auditor can tell you that one of the first controls to check in the procure-to-pay cycle of finance (the entire process from the purchase of something in an organisation through the delivery of goods / services to the vendor being paid) is Segregation of Duties (SoD). Can the person who adds a vendor to the system also create an invoice for that vendor? What is the chance of collusion between the person who has the rights to create a vendor in the system, the person who creates the invoices and the person who makes the payment?
Take Action:
Most infosec professionals leave segregation of duties in finance applications to the finance guys. Segregation of Duties is a very important control for the organisation. Don’t leave it to the finance auditors. Ensure that you understand the finance processes and either own the SoD checks or assist the finance auditors in checking that the controls are properly implemented.
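As an added illustration of the SoD check described above (this is example code, not from the article or from Amazon's systems), the script below runs two complementary checks over constructed, hypothetical data: a preventive check of role assignments for users whose combined roles grant two procure-to-pay stages, and a detective check of the audit trail for a single user who actually performed two stages for the same vendor. Stage names, roles, users and vendor ids are all assumptions.

```python
from collections import defaultdict
from itertools import combinations

# The three procure-to-pay stages that must not sit with one person.
STAGES = ("vendor_create", "invoice_create", "payment_release")

# Constructed sample data (hypothetical, not from the article).
# Preventive view: which roles grant which stage, and who holds which roles.
ROLE_RIGHTS = {
    "vendor_master": {"vendor_create"},
    "ap_clerk": {"invoice_create"},
    "treasury": {"payment_release"},
    "ap_super": {"vendor_create", "invoice_create"},  # toxic combination
}
ASSIGNMENTS = {"alice": ["vendor_master"], "dave": ["ap_super"],
               "gina": ["ap_clerk", "treasury"]}

# Detective view: an audit trail of (user, action, vendor).
EVENTS = [
    ("alice", "vendor_create", "V100"), ("bob", "invoice_create", "V100"),
    ("carol", "payment_release", "V100"),
    ("dave", "vendor_create", "V200"), ("dave", "invoice_create", "V200"),
    ("erin", "payment_release", "V200"),
    ("frank", "vendor_create", "V300"), ("gina", "invoice_create", "V300"),
    ("gina", "payment_release", "V300"),
]

def role_conflicts(assignments, role_rights):
    """Static SoD check: users whose combined roles grant two P2P stages."""
    findings = []
    for user, roles in sorted(assignments.items()):
        rights = set().union(*(role_rights[r] for r in roles))
        for s1, s2 in combinations(STAGES, 2):
            if s1 in rights and s2 in rights:
                findings.append((user, s1, s2))
    return findings

def activity_violations(events):
    """Detective SoD check: one user performed two stages for the same vendor.
    Catches what a role review misses, e.g. a right used via a temporary grant."""
    users_by_stage = defaultdict(lambda: defaultdict(set))  # vendor -> stage -> users
    for user, action, vendor in events:
        if action in STAGES:
            users_by_stage[vendor][action].add(user)
    findings = []
    for vendor, stages in sorted(users_by_stage.items()):
        for s1, s2 in combinations(STAGES, 2):
            for user in sorted(stages[s1] & stages[s2]):
                findings.append((vendor, user, s1, s2))
    return findings

if __name__ == "__main__":
    for f in role_conflicts(ASSIGNMENTS, ROLE_RIGHTS) + activity_violations(EVENTS):
        print("SoD finding:", f)
```

Run both checks: the role check alone would have cleared vendor V300, since "ap_clerk" and "treasury" are separately harmless, so the activity check is what surfaces the invoice-and-pay overlap there.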
France allows cops to snoop on phones without consent
Every crisis moves the Privacy vs. Security debate towards more surveillance
Nineteen Eighty-Four is a novel by George Orwell. It depicts a dystopian world of surveillance totalitarianism. If you are in the cybersecurity profession and have ever been in the privacy vs. security debate, read this novel. It is available here. Every individual's public and private life is monitored and, hence, controlled. It does not end well for the protagonist, or the world.
Meanwhile, closer in time, France faced severe rioting after police shot a teenager. This led the French government to pass a bill that allows police to snoop on suspects without their knowledge or consent.
The article reads:
Under the provision, French police will have the right to activate cameras and microphones remotely, as well as gathering location data from devices belonging to suspects accused of committing crimes that are punishable by at least five years in jail. Police can gather data in that manner for up to six months, and any connected device – smartphones, laptops and even automobiles – can be used for surveillance.
The French justice minister Éric Dupond-Moretti said “We're far away from the totalitarianism of 1984”. Gulp!
Take Action:
As cyber professionals it is our job to find the balance between security and privacy. It is our job to ensure that security does not mean a complete lack of privacy. Read up on the whole security vs. privacy debate. Read 1984.
We are responsible to make the discussion about ‘Security AND Privacy’ and not ‘Security OR Privacy’.