Restaurant Owners Use Zapper To Cook the Books

Hugh Pickens passes along a NYTimes report on software programs called "zappers," which allow even technologically illiterate restaurant and store owners to siphon cash from computer cash registers to cheat tax officials. In the old days, restaurant owners who wanted to cheat kept two sets of books. But because cash registers make automated records, hiding the theft requires getting into the machine's memory and changing that record. "...the Canadian province of Quebec may be the world leader in prosecuting zapper cases. Since 1997, zappers have figured in more than 230 investigations, according to the tax collecting body Revenu Québec... In making 713 searches of merchants, Revenu Québec found 31 zapper programs that worked on 13 cash register systems. Only two known zapper cases have been prosecuted in the United States... The cash register security industry is focused on protecting patrons and owners from theft by employees, which may be one reason so few zappers are uncovered in the United States. No one hires security experts to protect the government from devious businesses... As hard as zapper software is to detect, it is easy to make, said Jeff Moss, organizer of the annual hacker convention Def Con. 'If it runs on a Windows system and you are a competent Windows administrator, you can do it,' he said."

Re:Windows?

[anss123]

Most POS hardware I've seen run Windows. Before that it was OS/2 IIRC.

Re:Everyone cheats on income tax

[samcan]

While an income tax was created during the Civil War, and various income taxes were created after the Civil War, this stopped after 1895, when income taxes were essentially ruled unconstitutional.

The constitutional amendment allowing income taxes was the 16th amendment, ratified in 1913. So, it's technically Taft's fault.

Note: Basically all information in this post comes from Wikipedia.

Re:Windows?

[betterunixthanunix]

I have yet to see a modern, touch screen cash register not running Windows. Frankly, I don't understand why they wouldn't be running QNX or Minix, but whatever, I guess the people who deal with these things are too concerned...actually, according to TFA, they are probably glad it is not running a secure OS with tamper evident hardware.

I've had requests to do this

[Rupert]

I've been asked by two retailers to reduce the amount reported by the point of sale software I was writing. One of them tried to tell me that because he owned the business it wasn't illegal. I told him that I'd just finished writing an enforcement system for Customs and Excise and would he like me to have them contact him to explain the situation?

Some insights why Québec is the "leader"...

[Pig Hogger]

Until about 20 years ago, Québec had no sales tax on restaurant meals under a given amount (something on the order of $3.50 -- often, waitresses made two invoices below the cuttoff amount so the client would not be charged taxes). So, light lunches eaten by little worker bees would not be taxed but heavy business lunches eaten by fat executives would be.

Eventually, some very senior bureaucrat very high up in the revenue department became pissed that his premium restaurant food would be taxed and not the lowlives below him in the civil service food chain, so he rescinded the tax exemption for cheaper proletarian meals, which actually failed to bring significant additional revenue, given the extra administrative costs.

This put a bigger burden on smaller restaurants, effectively throwing some out of business, and the non-touristic restauration industry has yet to recover from that downset. So the zapper software came into existence.

Those programs would simply slog through the transactions of the day, discarding most who were paid cash, and had no alcohol (because alcohol sales also have to be tallied precisely).

Re:Physical access = carte blanche

[Pig Hogger]

The government must act quickly to stop this reprehensive tax evasion. I see only one solution: federally-mandated DRM on all cash-registers.

Don't laugh: it's already been done [lavalnews.ca]:

The government's latest anti-zapper effort would oblige restaurants to connect an independent computerized device to their cash registers, making it more difficult to conceal or alter sales data.

Easier to track fraud

The machine records sales information, then stores it in a secure independent environment. Every sales transaction that is completed will have a unique digital signature, which will be printed on a bill with a bar code. It is hoped the measure will make it easier for Revenue Quebec to analyze sales data for tell-tale evidence of tax fraud. The government plans to implement the recorders as a pilot project with volunteer restaurant operators throughout the province, including Quebec City and Montreal, in November 2009 to determine that they work properly.
The following year, the device would then gradually be phased in over a 12-month period, following which all restaurant operators would be required to have it connected up. The government will be shouldering the cost of the machine itself, as well as for its installation. Revenue Quebec says the measures are being taken with the cooperation of the Quebec Restauranteurs Association, the Conseil des chaînes de restaurants du Québec, the Association of Hoteliers of Quebec and the Canadian Federation of Independent Business.

And the alteration of the computer records is also prohibited [gouv.qc.ca].

Re:Windows?

[Anonymous Coward]

I used to work with a Windows NT based touch-screen restaurant cash register. I only left that job at the beginning of this year, so I doubt anything has changed. Friends still employed there have informed me that this was still possible as of last week.

While the POS software is running, any presses which might have an effect on system functioning were disabled. Maximize, Minimize, Close, Resize, anything like that was verboten. The lockout, however, was not quite infallibe.

If you rubbed your finger in the lower left hand corner for a few minutes, the start menu would inevitably pop up. It happened very infrequently by accident as well, which was how we happened to discover it.

Once you've got the start menu, things get wonky---you can interact with the start menu in any way requiring a single left click, including starting programs. Once you'd started a program, you could interact with it in the same manner; but the safeguards to prevent you from closing the POS software would also prevent you from closing whatever you'd opened.

More than once, the entire restaurant's transaction processing was shut down when someone either out of curiosity or malice opened, (and I have no idea why they left it installed,) Solitaire.

Management would come in, and find themselves unable to do anything but move cards around on stacks. They couldn't minimize or close it. These registers don't have keyboards or mice, so your only means of interaction is the touch screen. To compound the idiocy, one of the store's four registers was also the server, necessitating that if it were rebooted, every other register would have to be turned off, and only booted up again after the server had finished its boot process.

Which was about fifteen minutes long. And almost invariably involved a panicked call from the home office wanting to know what had gone wrong.

The final nail in the coffin was that the main-server-register, this all-mighty one which must not go down, was in the take-out room---open to customers and utterly ignored by management unless there was a complaint.

Since I'm posting AC, what the Hell: The systems in question were by POSitouch. They're in use in virtually every chain sit-down restaurant I've ever been to in the US, and a solid majority of the sit-down indepedents.

And they're practically a text-book case of what's wrong with using a full version of Windows as the OS on POS equipment.

Re:To cut fraud, cut taxes.

[bcrowell]

Erm, you don't need to pay taxes to all the states -- only to yours.

Currently the retailer does need to pay sales taxes to any state where they have a physical presence, or "nexus." [nysscpa.org]

Use tax is at your own state's rate.

Use tax is paid at the rate of the purchaser's home state. [wikipedia.org]

The only tax laws you need to know are those for your location, since that's where an internet sale is considered to be taking place.

If you have a "nexus" in the customer's state, you pay the rate in the customer's state [nysscpa.org].

Re:Warren Buffet pay 25%, his gardener pays 35%

[Miseph]

"That's probably the most ridiculous thing I've ever read on slashdot"

GP is perhaps less crazy than you think. Warren Buffet (the 2nd wealthiest man in the world, in case you didn't know) has frequently claimed that he pays, if not a lower dollar amount, a significantly lower percentage of his income in taxes than his secretary and other employees because of a major discrepancy between capital gains and income taxes; to his credit, he believes this to be wrong and advocates serious tax law reforms to at least fix glaring holes like that one.

By and large, tax fraud is a crime of wealth because the poor simply don't have enough money to either accomplish it or seriously gain from it.

Re:Warren Buffet pay 25%, his gardener pays 35%

[NonSequor]

The rich pay for over 80% of our taxes.

Yes, that's a consequence of the distribution of wealth following a Pareto distribution.

Re:Physical access = carte blanche

[pla]

I see only one solution: federally-mandated DRM on all cash-registers.

Of course, merchants still have every right to use hand-written sales slips and only accept cash, making the whole issue moot.

A famous zapper-er

[QuietLagoon]

Stew Leonard, the famous grocier in Connecticut was convicted of tax evasion because he skimmed the receipts with zapper software [typepad.com].
.

"Zappers," or automated sales suppression devices, have brought unheard of efficiencies and economies of scale to a very simple tax fraud - skimming cash sales at point of sale (POS) terminals (electronic cash registers). Until recently the largest tax fraud case in Connecticut, also the "largest computer driven tax-evasion case in the nation," was a zapper case. Stew Leonard's Dairy in Norwalk Connecticut skimmed $17 million in receipts and hid the cash in St. Martin (a Caribbean island).

Re:Physical access = carte blanche

[plover]

It's been real for twenty years or more. IBM has long made a special cash register printer called the Fiscal Printer to meet with Italian sales tax regulations. (Other countries have since adopted the Fiscal Printer standards, but I think Italy was the first.) You can read the programming guide here: ftp://ftp.software.ibm.com/software/retail/pubs/hw/4610/3station/fiscal/italy/fit90n16.pdf [ibm.com]

At its heart the Fiscal Printer has flash RAM that keeps totals of the amounts being printed by the cash register program. Every single line printed that represents money is added to the appropriate accumulators. When the tax collector shows up at a store, he has the printer dump the accumulators so he knows how much the merchant sold and how much sales tax he collected.

It's a clever approach. You can try cooking the books all you want, but in the end the official receipts have to come through the register printer, and that's what the tax man reads.