American Greed – Phuong Truong

The “American Greed” episode on Phuong Truong was interesting.  He convinced casino dealers to do a “false shuffle”, pretending to shuffle.  He tracked the cards as they were dealt, remembered them, and used that information to profit after the false shuffle.  It was a pretty sophisticated scam involving a lot of people.

The trick that Truong used would not work anymore.  Casinos are much better at tracking cheaters.

The casino employees are not well paid.  This helped Truong entice them into stealing.

It is possible to rob a casino, if you bribe casino employees to behave dishonestly.

There is another way to steal, even more lucrative.  What prevents criminals from pretending to be financial software engineers, so they can steal?  Based on my experience, the answer is “almost nothing”.

At my last financial software engineer job, I suspected that a group of people were sabotaging their software, so they could steal and launder money.  They were as big as Truong’s organization, maybe even larger.  I suspected at least 6 people.

If you’re an honest software engineer, you get paid $X/hour.  If you’re a dishonest software engineer working at a big bank, your salary is $X/hour plus whatever you can steal.

Here is one example.  I was asked to troubleshoot suspicious mark-to-market data.  Table A had the summary information, which was viewed by users.  Table B had more detailed information, which was not normally viewed by users.

I was trying to reconcile the results in Table A and Table B.  I could not.  I concluded that someone had tampered with the data.  (By this time, I’d already seen a bunch of other suspicious things.)

In retrospect, it’s obvious what happened.  The people forging the data edited Table A but not Table B.  Paradoxically, I helped them improve their theft game, by pointing out a mistake they made.  Normally, nobody looks at Table B, so they didn’t bother forging the data in that table.

I told X, who wasn’t in on the scam, “This data looks suspicious.  It looks like someone tampered with the data.  You should file a Suspicious Activity Report (SAR).”

I never heard anything else about it.  At this point, I was already suspicious.  I followed up a few weeks later with X.  I asked “What happened about that suspicious data?”

He replied “I asked Y to look into it.  Y said that he explained the result to FSK, and everything is all right.”

Y never discussed the suspicious data with me.  He knew that he couldn’t fool me, so he didn’t try.

Instead, Y lied.  He told X that he looked into the suspicious data and explained to me it was OK.  If I didn’t know to confirm with X, I never would have known that Y lied.  I suspected that Y was one of the ringleaders, for the “sabotage my employers’ data” conspiracy.

This is a common psychopath social manipulation trick.  Y told X one thing, and FSK another.  If a criminal tells two different people two different things, he’ll usually get away with it.  The criminal only gets caught if the two victims compare notes, which they normally won’t do because they trust the criminal.  I’d been subjected to that scam too many times before, and I knew to doublecheck.

This is another rule of thumb.  If someone lies about something small like that, you know they’re dishonest and covering up something.

Y had suspicious phone calls with the production programmers/DBAs.  He had hushed whispered phone calls in a language other than English, at least once per day.  He was coordinating with the production programmers, making sure the data was forged properly so nobody would ever notice.

There were a ton of defects in their software.  They may have been put their intentionally, so they could steal.  Most of the other employees were either people who were in on the scam, or people who were too dumb to notice.

When you buy and sell stock, it’s just a number in a database.  If the sysadmin tampers with the database, nobody will ever know.  If the numbers don’t add up, the error is just rolled over to the next day.  It can continue indefinitely.

Once a few dishonest software engineers infiltrate a financial institution, it’s all over.  Whenever there is a job opening, they will recommend their co-conspirators for jobs, and help them get hired.  They also will force out the competent people.  The criminals need a lot of stupid people working there, so someone can be scapegoated whenever there’s a problem.

Conspiring with casino employees and working in a huge team, Phuong Truong robbed the casinos.  Similarly, I suspect that criminals are pretending to be software engineers, while robbing banks.  I gave one example here, but there were a ton of suspicious things.  My ex-employer’s software had a ton of exploitable defects.

2 Responses to American Greed – Phuong Truong

  1. I guess its a good thing that most engineers are good people in my experience. Since their job is grounded in reality. However a small conspiracy can cause large damage.

    • In the financial area, the parasitic/psychopathic personality type is more dominant. Even if you’re evil, you still can have some programming ability, such as Mark Zuckerberg.

      Superficially, you might think that financial software is awesome. Overall, it’s very lousy. I’ve been working on some key financial software infrastructure, and was disappointed with the lousy quality.

      At my last financial job, there were lots of exploitable bugs in their software. Was it lousy software? Was it defective on purpose? I suspected several people were in on the scam. They had all sorts of excuses for why those bugs were acceptable.

      The majority of people are good. The 1% really evil people can do a lot of damage, in the right situation. In the right environment, 10-20 criminals working together can steal a lot of money, both in casinos and with intentionally-defective financial software.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>