> once someone knows the ins and outs of a system, sometimes there are very few barriers internally to check that an order/paperwork is legit.
It sounds to me like they are using security-by-obscurity, as well as easily forgeable proofs such as "signatures" or drivers licenses (they're only as secure as your ability to spot a forgery). Hence why anyone who is knowledgable and determined enough, can easily crack the system.
If you want to prevent such problems, you could either go really old-school. Require the person filing documents to show up in person, and be personally identified and recognized by someone in-house. Or go really new-school and only accept biometrics or digital paperwork that has been filed using a secure account accessible only by that person.
Using an in-between approach, like a signed paperwork that has been given to you by someone you don't recognize, is the worst possible solution.
The usual way to fix these sorts of things is to ensure there are multiple independent barriers to fraud. 2 factor authorization is an example. Double entry bookkeeping is another. Independent audits is another. Separate checks for unusual activity is another.
It sounds to me like they are using security-by-obscurity, as well as easily forgeable proofs such as "signatures" or drivers licenses (they're only as secure as your ability to spot a forgery). Hence why anyone who is knowledgable and determined enough, can easily crack the system.
If you want to prevent such problems, you could either go really old-school. Require the person filing documents to show up in person, and be personally identified and recognized by someone in-house. Or go really new-school and only accept biometrics or digital paperwork that has been filed using a secure account accessible only by that person.
Using an in-between approach, like a signed paperwork that has been given to you by someone you don't recognize, is the worst possible solution.