We had found the money mill; now we needed to find the millrace. If we found the millrace then we would be able to find the millwright.
The three of us were amazed at the boldness of the crime. What sort of person has the audacity to take on the world-banking infrastructure? A very powerful or very desperate person, that’s who. Either way, this was becoming very dangerous for amateur investigators such as ourselves. I turned to Lisa and Rudy and voiced my fears, but they would not hear of backing down.
“Hell, Carl. Now that we know we are going up against a first-rate hacker, I’ll be damned if I’m going to stop now,” Lisa exclaimed. The newfound admiration she had for our adversary was still evident on her face. Rudy too was eager to enter the chase.
“Not only is my own professional reputation at stake, but I feel that our world economy has been put in a precarious position,” he said. “I feel it is my moral obligation to correct the current situation and remove the vulnerability that makes it possible… whatever that vulnerability might be.”
A little melodramatic for my taste, but that was Rudy. OK then, we were all in agreement to press on. The three of us set to work to determine how we might be able to find the man, woman, organization, or government that might be running the digital money mill. With the help of Rudy, we identified several EFT and account parameters relevant to financial activity. We then set to work trying to characterize suspicious activity in terms of these parameters. Rudy was especially helpful. He dug up a program the bank already had for doing essentially the same thing. This application was different only in the sort of activity that was deemed suspicious, and consequently the choice of parameters. Still, there was some overlap and we were able to borrow heavily from the designs.
We decided early on that we would evaluate and filter each account on an individual basis. We would do no traffic analysis. We wanted to avoid any complexities due to expensive searches in the EFT graph. Instead, we needed an efficient program, even if that meant that it would be only an approximate solution.
Our plan was to collect lists of suspicious EFT’s and search for two types of patterns. First, we hoped to be able to identify bank accounts with a large number of illegitimate EFT’s over an extended period of time. These accounts were prime candidates for accounts owned by the people running the money mill. For the mill to work, there had to be some collection accounts where large volumes of money flowed continuously. This would allow the crooks to maintain high balances using other people’s money. It would take a lot of pruning before the number of such accounts would be small enough to make manual review of each one practical. All evidence indicated that there was an appallingly large number of illegitimate EFT’s, to say nothing of the fact that it is next to impossible to characterize bogus EFT’s accurately. Nonetheless, we set out to design and implement a Balance Inspection Filter program — BIF for short — to do just this. The design made use of a rule-based architecture whereby we could easily modify the semantics to redefine a suspicious account. Lisa took the lead, explaining that she had developed several rule-based systems for the Macintosh in the course of her work at SoftTykes.
We had a backup plan as well; a second program, which would also be written by Lisa, would tackle the problem from an entirely different angle. Given a subgraph of the EFT graph, this program simply enumerated all paths that maintain a constant balance. This was the path enumeration program — the one with exponential complexity. We hoped that we could keep the size of the input small by only processing the output of the first program. We planned to pipe the output of BIF into this program and then analyze individual paths. If we found any cyclic paths that left the balances of all the accounts in the path unchanged, then either that path would be a decoy or else it would be part of the money mill and one of the accounts in the path would be an account that the millwright was using to collect interest on the flow.
Even better, if we found an acyclic path, then it seemed likely that we would have an example of an outright theft. Our theory was that the millwright probably used collection accounts with extremely high balances; otherwise the interest payments would not be large enough to warrant the risk of executing such an elaborate and bold scheme. Rudy, who was more knowledgeable in banking matters than Lisa and I, believed that the sum of the balances in all the collection accounts, however many there might be, was probably in the neighborhood of $1 million. Since it was unlikely that a crook would have this sort of capital available for an initial investment, the millwright probably had to steal the money used to seed these accounts. An acyclic path, if we could find one, might be an example of a theft used to seed an account. With luck (lots of luck), we might find an acyclic path and then it would be relatively easy to trace the path to its final destination, which would be an account owned by the crooks. From there the FBI could use more traditional techniques to find the account holder and apprehend him or her. Of course we would have to be careful to avoid mistaking part of a cyclic path for an acyclic path.