Slashdot Mirror

← Back to Stories (view on slashdot.org)

Norway Tax Auditors Want To Open Source Cash Registers To Combat Fraud

Posted by Soulskill on from the open-source-the-cashiers-while-you're-at-it dept.

Qedward writes "The Norwegian Ministry of Finance seems to be taking a bit of stick at the moment. It wants all the existing cash registers in the country thrown out and replaced with new ones. Not surprisingly, this massive upgrade is not popular. But it is apparently being pushed through in an attempt to prevent cash registers' figures being massaged downwards in use so as to reduce tax. The Norwegian association of tax auditors said: 'The source code must be opened.' 'Without source code it is not possible to determine whether or "hidden" functionality exists or not. Just knowing that the tax authorities have access to the source code of the application, will reduce the effort to implement hidden functionality in the software.'"

20 of 161 comments (clear)

  1. Just releasing the source may not fix it by phaunt · · Score: 5, Insightful

    Releasing the source doesn't guarantee that a specific cash register is also running that code. So will this be all that helpful?

    1. Re:Just releasing the source may not fix it by rsagris · · Score: 4, Insightful

      Would people quit using this as an example of doubt? Show a real, honest to God, in the wild example of a widely used backdoor inserting compiler, or just STFU about it because while it might be possible it isn't in anyway practical or plausible enough to mention. If it was so easy to write a general use backdooring compiler, then it'd be actually seen, not fantasized about. -rs

    2. Re:Just releasing the source may not fix it by bloodhawk · · Score: 4, Insightful

      Not to mention you can just not register the cash in the machine or have separate machines that don't report centrally or any number of other ways. The machine being auditable only works if every other part of the sales process is auditable and controllable and really this isn't possible in anything but the largest organisations.

    3. Re:Just releasing the source may not fix it by Anonymous Coward · · Score: 5, Informative

      Are there examples of cash registers which are running code which have illegal, hidden functionality?

      Oh yes; here in Sweden there was registers that had hidden features that could be activated in order to reduce the reported sums/amount of transactions by the users choice. Typically used in restaurants/bars. Since a couple of years all registers have to certified and connected to a 'black box' supplied by our equivalent to the IRS.
      There was also frequent manipulation of the meters in taxis.

    4. Re:Just releasing the source may not fix it by aurispector · · Score: 3, Interesting

      You don't need a crooked accountant. Just don't ring up cash sales and you're good to go, then write off the missing merchandise as shrink.

      All these tactics are characteristic of being on the wrong side of the Laffer curve. To quote Princess Leia: "The more you tighten your grip, the more star systems slip through your fingers".

      Pro Tip - if you have to resort to draconian measure to collect taxes you're probably taxing people too much.

      Spending reductions are the first and best measure - tax revenues go UP when rates go down.

      --
      I have mod points. The reign of terror begins now.
    5. Re:Just releasing the source may not fix it by OeLeWaPpErKe · · Score: 3, Funny

      If you think this is about efficient use of government money ... you've not been to these countries.

      This is about punishing "employers", finding an excuse to nail a few of them to the nearest cross (and then afterwards complaining that everybody is raising prices and only big companies that bribe government survive). And, more general, punishing anyone perceived as a capitalist. People who trade for a living in public places are of course straight in front of the leftist's gun barrel.

      It is not about money, beyond the level that is required for the state to survive (and given that the state has been living on >100% borrowed money for decades, ...)

    6. Re:Just releasing the source may not fix it by OeLeWaPpErKe · · Score: 3, Insightful

      We're talking here about tax departments that cannot manage to keep spreadsheet software operational on their office systems, cannot keep their own tax databases accessible of backed up, and worse. Never mind the fact that hardly any business administration is ever really correct in the first place. Having them run a centralized online service for millions and millions of customers sounds like a spectacularly bad idea. Besides, what about businesses without internet connection ?

      I was amazed, when I first saw this, but cash registers never contain the amount of money their record claims they should at the end of the day. My jaw dropped to the floor for 20 minutes when I was told the same goes for ATMs. It tends to be a shortage because people are much more likely to complain when shortchanged (mostly accidentally), so it's expected to be a negative correction, up to 5% of the amount sold. This presents an obvious way to cheat that the taxman cannot (reasonably) attack businesses for.

    7. Re:Just releasing the source may not fix it by bogjobber · · Score: 5, Insightful

      Where to begin......

      The Laffer curve, while an inarguable *concept*, doesn't actual help us in any way set tax policy because nobody knows where the tax rate that most efficiently produces revenue actually lies. Knowing that the graph is of a quadratic shape doesn't help at all if you don't know what the formula looks like.

      You'll notice that the Laffer curve is always used to argue for lower tax rates, not higher, but the US individual tax rate is actually significantly *lower* than the most optimal tax rates predicted by most academic studies. Most of those studies put it in the 65-70% range, and I don't see many people that love to use the Laffer curve in arguments saying we should raise tax rates.

      Secondly, this is talking about sales tax and VAT, *not* income tax. The Laffer curve has little to do with consumption taxes. Having a high taxation rate for different sorts of consumption taxes can actually have substantial benefits depending on what you're trying to do. Norway does have an extraordinarily high sales tax. AFAIK it is one of the highest in the world, which leads to lots of interesting behavior from their citizens as they try to avoid those taxes. It also leads to decreased consumption and more judicious use of resources.

      Either way, Norway is usually at or near the top of the list for everything from education, health care, income equality, poverty, corruption and most everything else by just about any sort of metric that measures the effectiveness of government, so they're obviously doing something right.

  2. Cracking down on cash... by Duncan+J+Murray · · Score: 3, Interesting

    These are the requirements from the article:

    Suppliers must be able to prove that the system can integrate with external software that allows changing the online journal.
    It shall not be possible to change the entries in retrospect or change preset text on goods and services at registration.
    It shall not be possible to record sales without a receipt is printed.
    It shall not be possible to drive out more than one copy of the receipt.
    It shall not be possible to mark some groups so that they are included in the reports.

    I can't remember who told me when I was much younger how to spot the people running cash businesses and not declaring all their tax - they wouldn't be able to get the mortgage for an expensive house, but the inside would be overly luxuriously appointed, and they'd often have a flash car bought outright.

    1. Re:Cracking down on cash... by Belial6 · · Score: 4, Insightful

      Not being possible to drive out more than one copy of the receipt would be a disaster. Receipt printers are notoriously temperamental. If I want a receipt the store needs to be able to print it. Maybe require that the copy number be printed on the reciept, sure. But not to print a copy at all is just unworkable.

  3. Like the Nevada rules for slot machines by Animats · · Score: 5, Interesting

    Nevada has rules like that for slot machines. Only tougher. Stuff like:

    Provide a mechanism for keeping a record, in a form approved by the chairman, anytime a control program component is added, removed, or altered on any alterable media. The record must contain a minimum of the last 10 modifications to the media and each record must contain the date and time of the action, identification of the component affected, the reason for the modification and any pertinent authentication information.

    Provide, as a minimum, a two-stage mechanism for verifying all program components on demand via a communication port and protocol approved by the chairman. The mechanism must employ a hashing algorithm which produces a messages digest output of a least 128 bits and must be designed to accept a user selected authentication key or seed to be used as part of the mechanism (i.e. HMAC SHA-1). The first stage of this mechanism must allow for verification of all control components. The second stage must allow for the verification of all program components, including graphics and data components in a maximum of 20 minutes. The mechanism for extracting the verification information must be stored on a Conventional ROM Device. [Effective 11/1/2012] All gaming devices must also provide the same two-stage mechanism for verifying all program components on demand via a gaming device user interface where the results are displayed on the gaming device.

    That's just one item. There are lots of other logging and audit trail requirements. The Nevada Gaming Commission checks these regularly.

    1. Re:Like the Nevada rules for slot machines by storkus · · Score: 3, Informative

      I was a slot mechanic in the mid-late 90's in Nevada. Much of what was written in the parent message is new to me, but matches what we were doing back then with older tech. One thing to remember about selling a gaming machine in Nevada: the saying is, "If you can pass inspection in Nevada, you can pass anywhere." Nevada's Gaming requirements are simply the toughest in the world, and are why many machine manufacturers you might see at Indian casinos are not found in Nevada, and conversely why those that do almost always have an office there.

      In the two casinos I worked for, we would keep "master" ROMs along with a dual-slot programmer in the vault. During inspections by the Nevada Gaming Commission (NGC), every time during large jackpots, or if a machine was paying out too much (percentage was too high), we would turn off the machine, open up mobo box (which was lockable, though this was only done at the casinos I worked at for Megabucks--this was an IGT and NGC requirement, and the only non-cash locks we didn't have keys for on the floor), pull the ROM out of the machine and do a direct compare to the master via the programmer--no PC needed. The master ROMs themselves could be compared to a master ROM that the manufacturer and NGC had; both also had the source code, as manufacturers have to give the source to NGC (but not the casinos).

      We got some newer machines later that didn't run on 8051's: Bally Game Makers were relatively new at the time I was working my first casinos, and VLC and Williams were just getting into it by the time I left; Odyssey came out in between, which was the first (AFAIK) platform based on a PC. With the former machines, if I remember right, we just checked CRC's printed on a screen. I'm sure there was a better way, but if there was, I don't remember it; with the Odyssey, I never knew what you would verify it with: I'm assuming comparing one drive to another since it didn't have a CD-ROM and was pre-USB and such. It really didn't matter because, despite being so over priced (IMHO), they were never connected to any progressives and only had standard jackpots (under the $1,200 IRS-reporting limit, if I remember correctly).

      WRT the cash machine problem, the issue is not whether you can open-source the software, but that the binaries are unaltered that are running on the machine. Most of you here on /. deal with this every day, and the method of simply running a hash on the ROM and comparing it to the "accepted" compile of the open software is all you need to prove it hasn't been tampered with. Sure, it can be replaced, but if the inspections are by surprise, they won't have time; alternately, you can do what they do with CB's here in the US and pot the shit out of the ROM--at that point, an inspection need not be more than visual.

  4. Re:Of course, It begs the question... by whoever57 · · Score: 4, Informative

    I had a friend who installed POS systems in small businesses for a living. At restaurants, the most important feature of any POS system was the ability to make a table disappear out of the records.

    --
    The real "Libtards" are the Libertarians!
  5. Allready done in Sweden by Kottie · · Score: 5, Interesting

    Since a few years back all bussines are demanded to have a "black box" connected to the register that tracks all events. Tax authorities can come in any time and download the content to check for any irregularities. It logs everything including how many times and how often the drawer is opened.

  6. Re:Of course, It begs the question... by Interfacer · · Score: 5, Informative

    Far from dodgy companies. This is a common feature in many (all?) cash registers used in small business, especially restaurants.
    I know people who work in restaurants, and they told me that this is a public secret.

    The way it works is that at the end of the day, you can make the register change the numbers by an amount or a percent. Ther register will then do the math to change the number of coffees served and muffins sold and things like that. It does this so that the numbers still make sense and correlate with expected ratios.
    At that point, the business day is closed, the register is printed, and you get some money out of the till under the table. If the inspectors should come in during the day, you can just print whatever the current status is, which will then be immutable at the end of the business day to avoid discrepancies.

    This functionality is not advertized in writing, but all sales persons know about it and know how they can explain this to the owners. All major registers have features like this, and I can understand why the inspectors would require open source. Because skimming money becomes an order of magnitude more difficult if you don't have a register to help you create a phony audit trail.

  7. Re:How exactly are the 'massaging' the numbers? by vlad30 · · Score: 4, Informative
    10-15 years ago I also wrote some POS software and it opened my eyes to the way many cash businesses operate. I was asked specifically to add by many of the businesses to add a "reduction feature" which I politely refused to do I would say 80% of potential sales were lost for this one reason. On competitor software they often demonstrated this feature would delete a percentage of completed cash transaction before the End of Month commit and rollover so auditing the data would show nothing this was so pervasive the owners of a franchise with at the time 350 + franchisees also requested it

    On the other hand business who bought and used my software found much of their income was being fudged by employees usually through cancelled transactions. When a customer pulls out cash and says no receipt necessary the transaction is cancelled an the cash pocketed.

    --
    Your'e all thinking it, I just said it for you
  8. Re:They seem to have missed the point by pipatron · · Score: 3, Interesting

    There's nothing in the article about FOSS. There's not even anything about "open source", just that the tax agency should have access to the source code.

    --
    c++; /* this makes c bigger but returns the old value */
  9. Similar in Portugal by danielmatos · · Score: 3, Interesting

    In Portugal, for the last couple of years it is already required for every business to have a "certified" software that enforce some similar rules. Even though the software doesn't need to be open source, every invoice or receipt must include part of an hash key that is automatically generated based on key data (VAT Nr, amount, date, value), an asymmetric key given to each software manufacturer *and* the hash from the previous document. This makes it impossible to change any document after it has been printed out without invalidating every document printed after it. There was a requirement that every software had to be able to export accounting details in a standard format (SAF-T), if requested from the tax authority. Since 1-Jan-2013 every business is now forced to send monthly detailed invoce data to the tax authority.

  10. Re:Of course, It begs the question... by Anonymous Coward · · Score: 5, Interesting

    I was an auditor for a state in the USA (posting anon). This is widely known among auditors. The hard part is proving that the place did that.

    The state has in the past (at least talk at the legislative level) talked about outlawing software with this feature, but the business burrow makes excuses, like for instance I think I heard these type of "features" are required for discounts, coupon type things, if someone isn't satisfied and get's a free meal, etc.

    I think it's a bunch of BS since the software does these things quietly without making an audit trail, but nothing ever happened past the initial talks that I'm aware of.

    And even if it did, you could say oh it was a 15% off day or some crap, so you could still hide it unless you could prove it wasn't.

    I worked in banking previously, and it was widely known that business's hide money. See small business's want it both ways. They bring their tax info to the Bank for loan or w/e then the bank denies or less then they wanted or unfavorable terms, and some people actually say well I actually make more then this. Our loan officer used to joke about it during training. You can't have it both ways.

    There are many things working in Auditing I've learned about. Some is very creative and some is just very simple.

  11. Re:Of course, It begs the question... by daem0n1x · · Score: 3, Informative

    Here in Portugal, the government has mandated all cash-registers to run certified programs that regularly upload transaction data to our Tax Authority.

    Tax evasion has always been blatantly huge in restaurants, bars and cafés. It's no wonder the restaurant associations are up in arms with this. They've declared war on card payments too, which is something that pisses me off. They claim the bank rates are too high, but guess what the real reason is?

    Just like the constructions business, they've had practically a licence to print money during the latest decades. Now with the economic crisis, they're going down the toilet. I'm not shedding a tear for them. I just pity their poor employees that will be out of work and are certainly not finding another anytime soon. They had shit-paid, stressful, long-hour jobs, but it's better than no job.