Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Open Source Businesses Government

Norway Tax Auditors Want To Open Source Cash Registers To Combat Fraud 161

Posted by Soulskill
from the open-source-the-cashiers-while-you're-at-it dept.
Qedward writes "The Norwegian Ministry of Finance seems to be taking a bit of stick at the moment. It wants all the existing cash registers in the country thrown out and replaced with new ones. Not surprisingly, this massive upgrade is not popular. But it is apparently being pushed through in an attempt to prevent cash registers' figures being massaged downwards in use so as to reduce tax. The Norwegian association of tax auditors said: 'The source code must be opened.' 'Without source code it is not possible to determine whether or "hidden" functionality exists or not. Just knowing that the tax authorities have access to the source code of the application, will reduce the effort to implement hidden functionality in the software.'"
This discussion has been archived. No new comments can be posted.

Norway Tax Auditors Want To Open Source Cash Registers To Combat Fraud

Comments Filter:
  • by phaunt (1079975) * on Saturday January 12, 2013 @03:55PM (#42569717)
    Releasing the source doesn't guarantee that a specific cash register is also running that code. So will this be all that helpful?
    • Re: (Score:2, Insightful)

      by larry bagina (561269)
      and it doesn't guarantee that the compiler doesn't have a backdoor [bell-labs.com] of it's own.
      • by rsagris (831741) on Saturday January 12, 2013 @04:29PM (#42569939)
        Would people quit using this as an example of doubt? Show a real, honest to God, in the wild example of a widely used backdoor inserting compiler, or just STFU about it because while it might be possible it isn't in anyway practical or plausible enough to mention. If it was so easy to write a general use backdooring compiler, then it'd be actually seen, not fantasized about. -rs
        • by lingon (559576)
          To be honest, I have seen one or two proof of concepts of this. It's not that difficult to do, either (especially if there's money and tax avoidance in it). They should probably look into this as well as open sourcing the code, as a complement.
          • (especially if there's money and tax avoidance in it).

            They're not proposing this to combat "tax avoidance" (which is legal), but "tax evasion" (which is illegal).

        • by russotto (537200)

          Would people quit using this as an example of doubt? Show a real, honest to God, in the wild example of a widely used backdoor inserting compiler, or just STFU about it because while it might be possible it isn't in anyway practical or plausible enough to mention.

          Ken Thompson actually did that, it wasn't just a concept. So yes, it is both practical and plausible.

          • by tnk1 (899206)

            Plausible, yes. Practical, no.

            If you have the code, you can compile it. If the government has the code they can compile it, and obtain reference checksums of binaries. Adding backdoors will change the checksums because you can't add functionality to a binary without changing bits.

            Since these are manufactured devices, you can make sure the vendor is releasing binaries that match the checksums you get with your compilations at the government offices. They will need to synchronize compiling methods, sure,

            • by gmueckl (950314)

              Well, you could force everyone trying to compile your software to use your compiler, e.g. if you bootstrapped a custom, self-hosted programming language just for the cash register software. Then everyone trying to verify the binaries would have to use your compiler binary for the process, which automatically introduces the backdoor in every version of the software ever compiled.

              However, a compiler for a useful new programming language takes time and effort, so from an economic perspective this shouldn't mak

            • Please note that it's an open question whether it's practical or not.

              You could say the same about built-in kernel rootkits, they're very impractical to install on someone's machine. Yet we know about instances where machines were shipped with kernel rootkits installed.

              Besides, why so complex ? Open sourcing these programs will lead to "tax optimizers". Write a program that reads in all the data files of the program, and outputs a "tax optimized" version with all the little details changed to better suit the

    • by bloodhawk (813939) on Saturday January 12, 2013 @04:58PM (#42570107)
      Not to mention you can just not register the cash in the machine or have separate machines that don't report centrally or any number of other ways. The machine being auditable only works if every other part of the sales process is auditable and controllable and really this isn't possible in anything but the largest organisations.
      • by gl4ss (559668)

        then you don't get a receipt.
        anyhow, it's pretty easy for inspectors to go for a kebab and see if they get the receipt. or if there's multiple machines.
        and not to be a racist or anything.. but around here in another nordic country these are the places which prefer cash. they all take cc's too though.

        this just makes the inspections real simple to perform as there's no 20 different register providers. the point is that it's easy to check what has been put through the register and if it's running the code it s

        • then you don't get a receipt.

          With multiple cash registers then of course you get a receipt. If your sale is rung up on register A then you get a receipt and it's reported for the taxman. If your sale is rung up on register B then you get a receipt but it's never reported to the taxman.

          And there's nothing wrong with having multiple registers. Plenty of shops do. Any shop that has several cashiers for example.

          • by omglolbah (731566)

            And when the taxman comes back 3 days later and asks the shop owner for the matching receipt from their register what happens then?

            That -is- how they do it.
            They buy something, save the receipt and come back later for an audit. If the sale cannot be found in the accounting records for the shop, it was never registered for tax and is illegal.

            • And when the taxman comes back 3 days later and asks the shop owner for the matching receipt from their register what happens then?

              They supply it. and then know that that particular days sales of register B will need to be included in their tax return.

        • by johanw (1001493)
          gl4ss wrote: "then you don't get a receipt." Is getting a recepit common in shoarma/kebab restaurants in Norway? In The Netherlands I have gone to many, and almost none give receipts. They also have usually prices where you don't have to work with lots of change when you pay cash: most Dutch shops would charge 9,95, they just charge 10 Euro's. In one Chinese restaurant I frequently visit you couldn't pay by card until a few months ago. They would redirect you to the ATM just outside the restaurant.
          • by omglolbah (731566)

            You cannot really do business without a terminal here. Even the smallest and cheapest place has one.

            And they're required to keep records of all transactions which is fairly easy to verify. Any terminal spits out a receipt and they are required to give the customer this receipt. Dropping by for a kebab and coming back a week later to audit the records is easy enough to do.

    • by ilguido (1704434)
      Well, in that case a simple diff command could be enough to check if it's running the code it's supposed to run.
    • What is more important is to have a sha256sum of the Cash Register program. The sum can be compared to a master copy held in the government premises. Not only that, the executed code could have some tamper resistant software to protect itself from tampering.

      Do you want UEFI for cash registers?

      • Why fake the program when you could simply use the open source of that program to re-write the datafiles ?

      • by johanw (1001493)
        Then they should ban all cash register software running on windows, since win32 binaries include things like compile time, and two different compiles of the same source will poduce binaries with different checksums.
    • by mrmeval (662166)

      Just stick a PC there tied directly in to the government servers. Let the government figure the bill and the tax. Simple. ;)

      • by OeLeWaPpErKe (412765) on Saturday January 12, 2013 @11:32PM (#42572295) Homepage

        We're talking here about tax departments that cannot manage to keep spreadsheet software operational on their office systems, cannot keep their own tax databases accessible of backed up, and worse. Never mind the fact that hardly any business administration is ever really correct in the first place. Having them run a centralized online service for millions and millions of customers sounds like a spectacularly bad idea. Besides, what about businesses without internet connection ?

        I was amazed, when I first saw this, but cash registers never contain the amount of money their record claims they should at the end of the day. My jaw dropped to the floor for 20 minutes when I was told the same goes for ATMs. It tends to be a shortage because people are much more likely to complain when shortchanged (mostly accidentally), so it's expected to be a negative correction, up to 5% of the amount sold. This presents an obvious way to cheat that the taxman cannot (reasonably) attack businesses for.

        • by TheLink (130905)
          I know people who worked as cashiers and when they start their shift they have to count the cash in a cash register to make sure it agrees with the records. If it's short the person you're taking over from loses that amount of money. If you don't bother counting and the amount of cash is short at the end of your shift then the difference comes out of your pay. So there is a fair bit of motivation to not make mistakes.

          This procedure doesn't happen in all places of course. But if you're always losing money yo
          • by starblazer (49187)

            Whereas having more money just requires someone to forget to take the money within the time limit - the money then goes back into the machine (not sure if it goes back to the dispenser or a different compartment). Yes this is very rare but does actually happen. People don't take their money for all sorts of reasons.

            Not all machines are the "presenter" type. I have a machine which has a spray dispenser. It just spits the bills out into a holder for the user to pick up. If for some reason the bills stick together and make it through all the anti-theft/multiple bill detector measures, I just had an ATM shortage. In a perfect world, the stuck bills should go into the reject bin and the machine tries again with a fresh bill from the cassette, thus preventing any loss.

            However, any reliable ATM owner knows that they shou

          • by IrquiM (471313)
            Counting the money before you open is standard procedure when you're not the only person using the register. I do this every time I am tending bars. It is also not difficult to keep control of the change you give back. I have never had a negative difference in my register, and the positive is tips I leave in the register when we're short of any type of coins. By the way, we're one of those small businesses in Norway that would have to cash out for something we do not need.
            • by TheLink (130905)
              Yeah, that's why I find it strange the OP was saying that "cash registers never contain the amount of money their record claims they should at the end of the day."

              To me that shows something is wrong somewhere.
      • by plover (150551)

        I'm surprised nobody here has mentioned the "fiscal printers" that keep a total of all figures printed in the right hand column. (IBM was selling them to Italian businesses decades ago.) There's a port on the printer that a tax collector can plug a device into and download the total transaction amount since the last reading. The device computes the sales tax due, and the collector demands it from the business. It doesn't matter how shady your POS software is, if the amount is printed on the receipt, the

    • by tnk1 (899206)

      It could very well be helpful. The government could, in theory, generate checksums of binaries/firmware resulting from that code that are used in the registers and compare them with what they discover in audited machines. There might be some initial bumps in the road, depending on how they are generated/compiled, but you can be sure that the government will synchronize with the register vendor to make sure they know what they are looking for.

      Of course, the government isn't going to catch everyone, but rea

  • I code a Point of Sale, and while I could easily under report, even the most elementary audit would make it blatantly obvious that this was occurring, at least all the ways I would think to do it. I'm also curious how they plan to make 1 cash register program that covers the needs let alone desires of every business out there.
    • by Anonymous Coward

      How to make one program suit all businesses ? Simple! That solution is in the mind of the politicians, they drag the facts and numbers out of their ass, then in reality, it will take 10 times as long as they plan for, and in the end it will all be scrapped after wasting millions of dollars on consulting services.

    • by vlad30 (44644) on Saturday January 12, 2013 @05:15PM (#42570263)
      10-15 years ago I also wrote some POS software and it opened my eyes to the way many cash businesses operate. I was asked specifically to add by many of the businesses to add a "reduction feature" which I politely refused to do I would say 80% of potential sales were lost for this one reason. On competitor software they often demonstrated this feature would delete a percentage of completed cash transaction before the End of Month commit and rollover so auditing the data would show nothing this was so pervasive the owners of a franchise with at the time 350 + franchisees also requested it

      On the other hand business who bought and used my software found much of their income was being fudged by employees usually through cancelled transactions. When a customer pulls out cash and says no receipt necessary the transaction is cancelled an the cash pocketed.

      • I suppose that makes some sense, but must say the auditors are pretty easily deceived if that gets by them, at least in any place with a hard inventory. In a service industry when stock is non-existent of perishable that could work, although making a uber register doesn't help at all there as you can still easily just not input the sale into the register.
        • Not easily deceived, you just cannot prove it without being there when it happens. Shrinkage can easily be huge in a perishable business

          Posting as an IT auditor of ex big 4 and UK 10 who saw my colleagues pain.

      • by thegarbz (1787294)

        I have interesting experiences with a new cash register on both these points. The franchise I work for was essentially ordered to install a certain franchise approved cash register to combat exactly this kind of fraud (not at our store specifically, but the fraud was rampant business wide). With many hundred stores in the country it would have cost an absolute fortune to replace all the registers.

        One of the handy features of the new registers is the ability for it to automatically do analytics on sales perf

        • by Compaqt (1758360)

          >And naturally with all such modern things it has a web interface so we can quickly log in from anywhere

          Yeah, you, and any old hacker, too.

          • by thegarbz (1787294)

            Oh dear god someone can see the cash register numbers through a website. I'm sure someone somewhere is quaking in their boots.

      • by Compaqt (1758360)

        What was the normal percentage of desired reduction?

  • by Duncan J Murray (1678632) on Saturday January 12, 2013 @04:04PM (#42569785) Homepage

    These are the requirements from the article:

    Suppliers must be able to prove that the system can integrate with external software that allows changing the online journal.
    It shall not be possible to change the entries in retrospect or change preset text on goods and services at registration.
    It shall not be possible to record sales without a receipt is printed.
    It shall not be possible to drive out more than one copy of the receipt.
    It shall not be possible to mark some groups so that they are included in the reports.

    I can't remember who told me when I was much younger how to spot the people running cash businesses and not declaring all their tax - they wouldn't be able to get the mortgage for an expensive house, but the inside would be overly luxuriously appointed, and they'd often have a flash car bought outright.

    • by Belial6 (794905) on Saturday January 12, 2013 @04:17PM (#42569875)
      Not being possible to drive out more than one copy of the receipt would be a disaster. Receipt printers are notoriously temperamental. If I want a receipt the store needs to be able to print it. Maybe require that the copy number be printed on the reciept, sure. But not to print a copy at all is just unworkable.
      • Indeed. Not to mention customers coming back to your store and wanting to see a receipt for a sale that was on their account. Also, I'm puzzled by the notion of requiring a print out. What good is that going to do? If they want no printed version, a print out is pretty easy to destroy (you can also easily make a computer think it's printing a physical copy when it is only printing a virtual copy, or even to the big bit bucket in the sky). Then there is the whole issue if you lose power, most businesses
      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Some Euro countries already use registers like this. The ones we sell and manage are basically small Linux boards bolted to various printers with memory card for sales journal files(signed to detect tampering), Eprom for company/store identification and daily sales/tax reports and various communication and peripheral ports.
        The register prints one original receipt - marked with small graphical logo. You can print as many copies as you want but they will be marked as such and lack the logo. For tax purposes y

    • by Anonymous Coward

      Project disaster warning sign: accountants are making engineering decisions.

    • Meh, the really successful ones will pay for the house in cash. Why have a mortgage when a briefcase full of cash is so much easier?
  • Misleading title is misleading.

  • by Animats (122034) on Saturday January 12, 2013 @04:25PM (#42569919) Homepage

    Nevada has rules like that for slot machines. [nv.gov] Only tougher. Stuff like:

    Provide a mechanism for keeping a record, in a form approved by the chairman, anytime a control program component is added, removed, or altered on any alterable media. The record must contain a minimum of the last 10 modifications to the media and each record must contain the date and time of the action, identification of the component affected, the reason for the modification and any pertinent authentication information.

    Provide, as a minimum, a two-stage mechanism for verifying all program components on demand via a communication port and protocol approved by the chairman. The mechanism must employ a hashing algorithm which produces a messages digest output of a least 128 bits and must be designed to accept a user selected authentication key or seed to be used as part of the mechanism (i.e. HMAC SHA-1). The first stage of this mechanism must allow for verification of all control components. The second stage must allow for the verification of all program components, including graphics and data components in a maximum of 20 minutes. The mechanism for extracting the verification information must be stored on a Conventional ROM Device. [Effective 11/1/2012] All gaming devices must also provide the same two-stage mechanism for verifying all program components on demand via a gaming device user interface where the results are displayed on the gaming device.

    That's just one item. There are lots of other logging and audit trail requirements. The Nevada Gaming Commission checks these regularly.

    • Re: (Score:3, Informative)

      by storkus (179708)

      I was a slot mechanic in the mid-late 90's in Nevada. Much of what was written in the parent message is new to me, but matches what we were doing back then with older tech. One thing to remember about selling a gaming machine in Nevada: the saying is, "If you can pass inspection in Nevada, you can pass anywhere." Nevada's Gaming requirements are simply the toughest in the world, and are why many machine manufacturers you might see at Indian casinos are not found in Nevada, and conversely why those that d

  • by Kottie (2799359) on Saturday January 12, 2013 @04:46PM (#42570043)
    Since a few years back all bussines are demanded to have a "black box" connected to the register that tracks all events. Tax authorities can come in any time and download the content to check for any irregularities. It logs everything including how many times and how often the drawer is opened.
    • My software has to speak to these things. The hardware is slow (serial) & shit.

      The government doesn't even know what information we should be sending to these boxes and their guidelines are constantly changing. We've wasted 100s of man hours. Our customers are pissed off because transaction speed has dropped and they can't even print more than 1 copy of an invoice.

      And at the end of the day they solve nothing.

    • by MeNeXT (200840)

      As all business owners will attest there is no technology which exists today that will prevent skimming. If you trust technology without constant supervision then you are on the road to bankruptcy. This only affects the honest business which now will pay an additional penalty when an employee goofs. This will not in any way slow down the thieves.

      I will ask one question and I am sure that all the bright minds here can add a few thousand. What stops a business from creating multiple items at identical price

  • by swschrad (312009) on Saturday January 12, 2013 @05:44PM (#42570451) Homepage Journal

    being, of course, the pocket of the clerk at the register.

  • Similar in Portugal (Score:3, Interesting)

    by danielmatos (1171429) on Saturday January 12, 2013 @05:48PM (#42570465)
    In Portugal, for the last couple of years it is already required for every business to have a "certified" software that enforce some similar rules. Even though the software doesn't need to be open source, every invoice or receipt must include part of an hash key that is automatically generated based on key data (VAT Nr, amount, date, value), an asymmetric key given to each software manufacturer *and* the hash from the previous document. This makes it impossible to change any document after it has been printed out without invalidating every document printed after it. There was a requirement that every software had to be able to export accounting details in a standard format (SAF-T), if requested from the tax authority. Since 1-Jan-2013 every business is now forced to send monthly detailed invoce data to the tax authority.
  • by Anonymous Coward

    Let us apply it at goverment level first.

  • Norway Tax Auditors Want To Open Source Cash Registers To Combat Fraud

    What they call "fraud", we call "free-market capitalism" here in the States.

    Thank God I live in a country where the inalienable right of a corporation to defraud you is enshrined in the Constitution.

  • Clearly, they can't be talking about open software the way we know it. If YOU had access to your cash register's software, you could hack it to underreport your transactions so as to evade tax. They only mean open to the government and it seems like there's no way to really accomplish their goal. What's to stop you from unloading the government-monitored software and making a version of it that they can't see and looks the same from their end but does something entirely different from your end?
    • Audits. Norway already has a department that checks measuring devices such as weights, [gas] pumps etc. Maybe they check cash registers as well. There are classes of devices that have to be certified periodically (a number of years) by law.

      I believe they check the software at the gas pumps, because obviously the numbers have to match with the output they claim was sold and delivered to the customer. I believe it would be a small matter to run checksums on cash register software.

      In fact I believe they might

  • No matter what they do, nothing prevents the clerk from hitting the No Sale button, or simply not hitting any button at all.
    • by PPH (736903)

      The register transaction time stamp synced to the surveillance camera above the cash register makes that a risky move.

  • I think it would be awesome for code to be published which has the functions (that Norway's government hates) commented out, with stern warnings "don't compile with this code removed from comments, or these functions could become present."

If you're not careful, you're going to catch something.

Working...