With Software, Till Tampering Is Hard to Find – NYTimes.com
Thanks to a software program called a zapper, even technologically illiterate restaurant and store owners can siphon cash from computer cash registers and cheat tax officials.
One of the first reported zapper cases in the United States was Stew Leonard’s dairy, whose owner was convicted in 1993 of skimming $17 million over 10 years. The theft was uncovered after Mr. Leonard tried to board a plane to St. Martin with an unreported $50,000.
While zappers are most likely to be used by medium and small businesses, the take is anything but small change. A 12-store restaurant chain in Detroit used a zapper to skim more than $20 million over four years, federal prosecutors say.
Zappers — also known as automated sales suppression devices — are a new twist on an old fraud. “The technology is new and getting newer, but the concept is as old as having two sets of books,” said Verenda Smith of the Federation of Tax Administrators, the association of state tax administrators.
Zappers alter the electronic sales records in a cash register. To satisfy tax collectors, the tally of food orders, for example, must match the register’s final cash total. To hide the removal of cash from the till, a crooked business owner has to erase the record of food orders equal to the amount of cash taken; otherwise, the imbalance is obvious to any auditor.
With paper, one keeps two sets of books. Or throws away the paper receipts. Because cash registers make automated records, hiding the theft requires getting into the machine’s memory and changing that record. With no physical paper trail, it is easier to hide tampering. And it is easiest for businesses that handle untraceable cash, like restaurants, grocery stores and hair salons.
While merchants, security experts and government agencies know of these devices, they exist in such a shadowy realm that it is difficult to assess how big the problem may be or how to address it.
“We can’t get our arms around how much this is in use,” Ms. Smith said. The Internal Revenue Service said it did not track the use of zappers.
Zappers are a worldwide phenomenon. They have been found in Germany, Sweden, Brazil, Australia, France and the Netherlands.
But the Canadian province of Quebec may be the world leader in prosecuting zapper cases. Since 1997, zappers have figured in more than 230 investigations, according to the tax collecting body Revenu Québec, which has found an active market for the software. In making 713 searches of merchants, Revenu Québec found 31 zapper programs that worked on 13 cash register systems.
Only two known zapper cases have been prosecuted in the United States, which leads Richard T. Ainsworth, a Boston University law professor specializing in taxes, to ask, “Why aren’t cases being identified in the United States?” Mr. Ainsworth, who has published several academic papers on zappers, said, “We should be finding more here.”
In older cash registers, adjustments left tracks for those who knew where to look. The latest zappers cover their tracks more efficiently. Thieves put a zapping program onto a portable flash drive so it can be run and then removed from the machine, leaving no trace.
“If someone comes in and audits your books, it all looks O.K.,” said Ms. Smith of the tax collectors association.
The more sophisticated zappers are easy to use, according to several experts. A dialogue box, which shows the day’s tally, pops up on the register’s screen.
In a second dialogue box, the thief chooses to take a dollar amount or percentage of the till. The program then calculates which orders to erase to get close to the amount of cash the person wants to remove. Then it suggests how much cash to take, and it erases the entries from the books and a corresponding amount in orders, so the register balances.
The cash register security industry is focused on protecting patrons and owners from theft by employees, which may be one reason so few zappers are uncovered in the United States. No one hires security experts to protect the government from devious businesses.
The use of zappers may also be less publicized here, tax collectors say, because if a business is caught using one to avoid taxes but pays its back taxes and penalties, the case will not become public.
Canada has taken a slightly different tack. In several cases, it has found the zapper maker, which led to businesses that used the zapper. According to Revenu Québec, in 2000, Réjean Turcotte admitted to providing his zapper software to Nickels — a 39-store restaurant chain created by the singer Celine Dion — and three other restaurant groups. The Dutch equivalent of the I.R.S. followed a zapper maker’s client list to 1,200 stores, according to a Dutch newspaper report.
One of the first reported zapper cases in the United States was Stew Leonard’s dairy, whose owner was convicted in 1993 of skimming $17 million over 10 years. The theft was uncovered after Mr. Leonard tried to board a plane to St. Martin with an unreported $50,000.
In the Detroit case, I.R.S. investigators in 2006 said that Talal Chahine, owner of 12 Lebanese restaurants called La Shish, had used a zapper to hide more than $20 million in cash, according to federal court documents filed by a United States attorney in Detroit. The cash has not been recovered, and at least part of the money was sent to Lebanon as cashiers’ checks, the prosecutors say.
Mr. Chahine was indicted on income tax evasion charges, but the Department of Justice believes that he is a fugitive in Lebanon, where he has connections to Hezbollah, a terrorist organization. Authorities declined to comment on how the reported crime was discovered, but according to court records, Mr. Chahine failed to file a tax return in 2003.
As hard as zapper software is to detect, it is easy to make, said Jeff Moss, organizer of the annual hacker convention Def Con. “If it runs on a Windows system and you are a competent Windows administrator, you can do it,” he said.
According to analysts at the consulting firm Frost & Sullivan, 85 percent of all point-of-sale systems, as cash registers are called, run on the Windows operating system, although other systems are also vulnerable.
Foreign countries are moving to secure cash registers and shut down zappers. The European Union has formed a committee to address cash register fraud, including zappers. The German Cash Registers Project Group has proposed legislation to make cash registers tamperproof. And Quebec has drafted legislation to mandate the use of secure registers.
Mr. Ainsworth said the United States should at least take up a study of the problem. “The later you get into this game, the more likely criminals have moved on to the next technology,” he said. “This is my tax money. It makes me mad.”