After lunch Jonny and I met with several managers, each on an individual basis. To each manager Jonny posed the same two questions:
- How closely does Bendix adhere to the bank’s security policy?
- What do you estimate the probability of failure to be?
These questions were familiar to me, as he had asked the same questions in one form or another of each of the employees we had interviewed in the morning.
All of the managers were in agreement in their responses. Every one stated that he was sure that policy was followed to the letter. Two of the managers gave long and condescending answers, explaining to us the importance of security to Bendix and the need to follow the official corporate security policy.
The estimates by the managers for the probability of failure ranged from 10^-6 to 10^-15. The manager that claimed 10^-15 explained his estimate by claiming that the only point of vulnerability in the entire system was DES and that the best cryptanalytic attacks he knew of for DES required on the order of 10^15 operations. I bit my tongue and did not comment on his oversight of numerous other points of vulnerability, nor on his flawed reasoning.
On one occasion when a middle manager was especially vocal in asserting that he saw to it that procedures were followed rigidly, Jonny informed him of our morning interviews and, without naming names or giving too many details, explained that we had learned of four different security procedures that were ignored in his branch office alone.
“And this isn’t an isolated example,” Jonny added. He then explained how the probability of failure estimates provided by the operations personnel, the people in the trenches, were many orders of magnitude more pessimistic. I myself was shocked not only at the disparity between the views of management and the views of the lower-level employees, but also at the consistency with which the two groups adhered to their differences. I was reminded of the situation at NASA following the space shuttle explosion. Another example I had heard involved a government minister in Britain. This man was responsible for all of Britain’s banking industry a short time ago. He was claiming an error rate of 1 in 1.5 million when most others quoted something closer to 1 in 20,000.
I did not say much in the interviews, not even when the one manager gave his estimates for vulnerability based entirely on the number of operations in a brute-force attack on DES. Instead I let Jonny do his job without interference. I was impressed with the efficiency with which he was able to pull information out of people. He had certain questions which he asked every person we interviewed. He did not follow a script, and the prepared questions came out at different points in the different interviews, seemingly fresh and spontaneous each time. He never let the conversation wander, remaining in control at all times. It was a long process — we spoke to fourteen people that day — but Jonny knew how to obtain the maximum (useful) information in the minimum time.
Despite the fact that both Jonny and I were exhausted after a full day of interviews, we went back to Tony’s office to do more investigative work. We found Tony hunched over his keyboard. Jonny explained that he and I were booked on a flight for the following morning. Since this meant that we had the rest of the day and the evening free, he suggested that he, Tony, and I pool our wits and see if we could figure out how the money mill forgeries were being made. Tony enthusiastically agreed and we set to work.
Using the whiteboard on the wall of his office, Tony walked us through a full EFT session between Bendix and First Chicago. Each step of the way, both Jonny and I interrupted with many questions as we tried to find weak points in the protocol and in the business policies of both banks. Things got a little complicated when we reached the point where the Chicago bank executed the delay scam, as this muddied the picture. I suggested that we leave out that aspect of the scenario, since it was unrelated to the money mill attack, but Jonny was reluctant to change any aspect of the timeline of July 11th.
Several hours later we reached the end of the timeline with no new insights into the forgeries. The end of the workday had long since passed and everybody else had left. The halls outside Tony’s office were now quiet. The silence was eerie, especially in comparison to the earlier chaos.
“Yeah,” Tony replied when I commented on the sudden solitude. “This place has been like a zoo the last couple of days. Did you notice the new lights and cameras in the parking lot?”
Tony loosened his tie, a red one with a brown paisley print. He left it around his neck but loose enough that he was able to unbutton his collar button as well. He then excused himself to go to the restroom.