Why is the second part of:
Take the money and run so difficult for these people?
A sister and brother have admitted over-ordering hundreds of new MacBooks for "a private university" in Silicon Valley to steal and sell the expensive gear for millions of dollars. Patricia Castaneda, 37, of San Carlos, California, worked at the university’s School of Humanities and Sciences, and was responsible for ordering …
My thoughts too. I imagine it's a bit like gambling. Have a win, think you can make even more. Maybe win a bit more and become confident it's sustainable, or you've found a working system. And then your luck runs out.
And when I say 'a bit', I really mean 'exactly'.
«Take the money and run» happens in films. Reality is, you try it once, maybe for the thrills. You get away with it. Scale up. Repeat until busted.
None of the cases of fraudulent staff that I came across started big enough to take the money and run. Even though some of the schemes ran into the seven and a few in the low eight (€) figures.
Of course, I cannot exclude this happening but it is different than survivor bias.
How did they get caught? In each and every case it boiled down to: the sums didn't add up (often quite literally). This is irrespective of running or not. But most of them were still employed at the time of finding out - including the cases with a posh villa in sunny Southern Europe or a whole hotel (!) in North America.
Doing the big score at once increases the chance of getting busted quicker. Simply because the sums not adding up happens quicker.
No, it's pretty much the same.
Like the World War 2 plane investigation that looked to up-armour planes that came back full of holes in particular areas where those holes were. Until it was pointed out, that it'd be better where the holes weren't since those ones didn't make it back.
In this respect, we just assume that the scams always work the same way and that the crims get caught because that's what we hear and want to happen. The reality is more likely that the smart ones walk away and never get caught or the error is never reported (because it's embarrassing, leads to awkward questions etc. etc.).
Obviously, you are right: the cases that never surface are neither investigated and no one will ever know about them (except for the lucky one) - pretty much the same as survivor bias.
My partial disagreement stems from the fact that we (certainly limited to my own experience) put in quite some effort to discover precisely those cases that did get unnoticed - so to speak to recover crashed planes when we don't know if there are any (with the planes, at least, it was known that some went missing).
A large part goes into fraud prevention with implementing robust controls over several levels which limits the possibility for a culprit to pull something off successfully and also limits the number of possible culprits. Then still trying to discover "shot down planes" which reach from random checks, data analyses, to thorough investigations of business conduct whenever a higher manager (being the ones most likely in the position of circumventing/overruling controls) leaves the organisation.
It's not PayPal's job to validate each transaction to determine whether the sale is valid or not. They just move the money. As long as they do the checking to determine that it's not money laundering, they're in the clear. How should they know if the laptops are stolen or not? In fact, they won't even know the exchanged items are laptops.
PayPal is perfectly happy to assume the role when they figure they can hang onto the money for themselves, or at least put it to work for a while on the short term money market while they "investigate".
BTW why shouldn't they suspect fraud in some rando selling job lots of brand new second hand laptops? They claim to have found it in an online haberdasher doubling their sales during the pandemic.
The thing is, if you have a PayPal account where the income suddenly doubles, they might notice because a sudden increase would likely trip some sort of security mechanism. They can do this because they already have an average value of the transactions for that account, so any change would stick out like a sore thumb.
If you set up an account, and every transaction is worth thousands, the average will be in the thousands, so another transaction in the thousands won’t stand out.
They likely do have limits where transactions above a certain value do trip the security alert, but these are likely in the tens, if not hundreds of thousands of dollars.
As long as they stick below those limits, their transactions would appear exactly the same as millions of others, so likely wouldn’t be noticed.
It's not implausible. I know of several multi-billion dollar companies which don't maintain a 'proper' Asset Register.
Not seen one that don't manage Servers - but end points, that's different.
Oh, they might seem to maintain the AR to freak out junior techs setting up devices, and stop sticky fingers - but it doesn't necessarily join up to the management.
It also depends on who is monitoring the asset register (if there is one), and if anyone was cross-examining orders with the asset register. Assuming it was the culprits who added the laptops, it's probably not too difficult for them to order 23 laptops, stick 20 in the asset register and siphon off the other three.
Or of course to order 23 laptops, hand 20 over to whoever does add them to the register, etc. etc. It's sad, but all it takes is a gap in the process that can be exploited and an employee who is unscrupulous enough to do so.
Also not improbable to over order for spares and replacements, and just have them sat on a shelf waiting for a drinks spill, the look on people's faces when they get the exact same model of laptop they thought they had engineered an upgrade to is priceless.
University I worked at I think the rule was +1 per 10 or 15 ordered for mobile kit, so depending on how many empty boxes were on the shelf with a 3 year refresh quite easy to get away with
I've seen it too.
And for monetary values that would literally make you go "WTF". I mean monetary values that, when I first heard about it, made me think my hearing was going.
Companies failing to control their spending and auditing is probably more widespread than it's commonly believed.
Something similar happened with our employer; guess who was responsible for ordering new kit, and updating the spreadsheet of asset tags.
There was a particularly bad combination of:
An IT department boss who was attached to the collective senior management like the back of a human centipede, and ensured their every wish was granted, whatever the expense "What do you mean their iPhones aren't the latest? Order some!".
...and who blatantly cultivated favoritism. Flattery and doing his lunch run were enough to deflect any and all valid criticism of the person concerned.
The result was that large amounts of kit being ordered, with nothing to show in general use, didn't attract any attention. I don't know how it was eventually discovered, but someone was able to roll back the actual spreadsheet to see all the deleted rows, and the username responsible, which is when management actually realized how much brown stuff was heading fanwards.
There were rumors of container loads of Apple stuff heading to the subcontinent, but there hasn't even been a trial, just arrests, so none of us plebs know the details yet.
Heh. Y'all have never, umm, 'associated', with the right people. One place I worked at, the guys in Stores were _notorious_. One gentleman had what appeared to be company utility poles (it was an electric utility) and company street lights and even company pole-mounted transformer casings in his house. The company fired him and started criminal proceedings. The problem was... they could not prove that any of the items had actually ever been company property; none had any company ID numbers, and, more important, nothing was, officially, missing from Stores. They had to give him his job back. Everyone _knew_ that he was stealing the place blind. Proving it was a whole separate thing.
The most spectacular thing that the pirates in Stores ever did was when 12 new company cars, for very senior management, arrived.. but only ten were checked in and no-one ever saw the other two again. Senior management was Extremely Annoyed(tm).
My department was sited next door to Stores. The nearest company canteen was at Stores, and we'd sometimes go over there for lunch. We would keep a hand on our wallets when we did...
This happens frequently in stores departments where the people doing the work are paid the minimum wage and abused by management and then expected to faithfully manage millions of quids worth of stuff going through their hands without any "shrinkage" occurring.
Alternately, paying the staff enough to put a roof over their heads legitimately with them knowing that they could get fired if caught doing something dodgy can work wonders with reducing shrinkage.
Pity the poor people who ended up buying the stolen Macbooks with the butterfly keyboards. They were just trying to get a 5 finger discount, but typing with some of those fingers just didn't work.
BTW, what is Apple's policy on repairing stolen laptops? Do you still get warranty repairs?
I've never seen GSX flag a Mac as stolen, I don't think it has the capability.
So, as long as it's in the warranty period, yes.
(Now, if it's a T2 or M1 Mac you're going to have a problem if it's got Find My Mac turned on, but that's only going to happen once it's been used.)
At one place I worked at, there was a whole room stacked and packed with obsolete computers and servers that would never be used again. Apparently they couldn't be thrown out as they still had "book value". i.e. they were still showing as having monetary value in the company's accounts and for whatever reason, the accounts dept was reluctant to write them off. I suspect it might have had something to do with them wanting to inflate the value of assets owned by the company making the company seem more valuable than it actually was. The company went to the wall in the end.
When I worked at a university they had a 'surplus' department you could send your stuff to when you didn't want it any longer. They offered it first internally and then it would be made available to external buyers. I knew some people who went there every week when the new batch of "public" stuff was made available, and picked up some valuable stuff for cheap they'd turn around and sell on in the early days of eBay.
The system worked fine except when I got a trade-in deal from HP, it was a big pain getting those off the asset list since that was normally something only surplus could do. I got it done, and it was easier the second time, but I'm sure my replacement in that position had to re-learn that whole process again...
The company I worked for sold off stuff that would otherwise get skipped/trashed.
Back in the day, I got an un-needed copy of NT Server (free), an actual HP server (£20) that had been replaced and was going to landfill, a laboratory top-pan balance (£5), and all kinds of other stuff. All covered by an official chit to carry off site. I also got a Commodore PET from somewhere for free (and legitimately), but can't remember where now - it might have been from Uni when they were upgrading. At one time, you just had to ask.
They also sold off product that wasn't fit for the retail stores - wonky labels and that kind of thing. Beer kits, shampoos, soap, even some high-end stuff occasionally. It used to be fairly ad hoc and priced in pennies. You could wander in and look around the store area. But as the years went by it was made much more strict - orders by order form only - and the prices went up to near-retail levels.
"At one time, you just had to ask."
These days, the seller or giver is still liable for things like electrical safety etc., so it's often cheaper to dispose of kit via a company who will either buy it for next to nothing or "take it away for free", saving the costs of WEEE disposal. And when it comes to anything with a hard disk/SSD in it, many organisations, especially local councils or Govt. departments, will take the drives out first and shred them or pay an "authorised" disposal company to do it for them, significantly reducing any re-sale value.
All this also makes it much harder and potentially expensive to donate kit to schools or charities.
my imagination: pages upon pages upon pages of "Security policy, rev. XX"
reality: no security, no control, no accountability (but surely a relatively low-key scapegoat must have been identified to 'show clear message' and 'demonstrate robust response'). And this shit happens anywhere, just take any large (enough) organization, public or private. Why do people jump red lights? Because they can.
Because that'll not sound suspicious at all, and will definitely not arouse the interest of the cops...... genius.
Choose a common everyday thing that people buy all the time like ingots, as opposed to some rare super valuable item...
Can imagine someone sitting in a cell thinking "damn! if only we'd called them toasters!".
I feel a bit sorry for them. Victimless crime an' all that...
However, I am more outraged by the fact the police had hold of their private txt messages. Seems like there is absolutely no private place away from surveillance; especially from the cops; and most especially from American cops.
...most especially from American cops...
I'm sure that the police do it here too. They are probably more discreet about it.
As for your quote, I doubt many people have accused the US police, FBI, spooks or many other criminals of being gentlemen since Henry Stimson actually made that comment!
I am more outraged by the fact the police had hold of their private txt messages. Seems like there is absolutely no private place away from surveillance
At first read, I figured the police just obtained their phones in a classic search for evidence. You're probably right, though. I imagine the investigation took a while to gather evidence, and the police may well have gotten a court order to access the suspects' text messages through the telco.
I'm sometimes outraged by surveillance, but this isn't one of those times.
Police surveillance is bad ... when the police don't have a warrant. This was a situation where they almost certainly had one. They accessed a specific person's records because they had probable cause to suspect that person of committing a crime. That's clear and justified use. Also, this line:
"I feel a bit sorry for them. Victimless crime an' all that..."
That's stupid. It's not a victimless crime. The employer who spent extra money is out millions of dollars from their crime. That's a victim. It's a university, meaning most of their money comes from student tuition payments and grants. Those payments probably went up to handle their increased budget. That's more victims. These aren't even secondary victims who lost a potential benefit. They lost money directly. You need to learn that.
I feel a new verse for Folsom Blues is appropriate here....
I bet there's rich folk typing on a brand new MacBook Pro.
They don't know where it came from, but I bet it's snatch and go.
The Castanedas had it coming,
It wasn't hard to see.
The ones they haven't caught yet,
That's what tortures me.
This has made me recall a situation very early in what I laughingly refer to as my 'career'. Administering an old VAX system, as well as a few Macs, including one linked to multiple modems at the same time for journalists overseas to submit their articles.
Anyway, long story short, two Powermac 8100s were ordered for the designers, and about ten 6100s for journos. Can't find the GBP price for the 8100s, but they started at US$4,500 at the time. So getting on for US$8k or more today.
When the pallet arrived I noted that there were two extra 8100s on there. Mentioned it to the boss, who excitedly confided in me that the sales rep had 'given' him them for free as a thank you, and he then took them home. Knowing now that there wasn't exactly a huge profit in the machines for resellers I am suddenly thinking that old mate was even more dodgy than he seemed at the time. Also, glad he didn't try to involve me more in this, or frame me for it.