
CHAPTER 9

Ch. 9: Computer Fraud and Security

Accounting Information Systems

CHAPTER 9

COMPUTER FRAUD AND SECURITY

I. INTRODUCTION

II. THE FRAUD PROCESS

III. WHY FRAUD OCCURS

Pressures

Opportunities

Rationalizations

IV. COMPUTER FRAUD

The Rise in Computer Fraud

Computer Fraud Classifications

Computer Fraud and Abuse Techniques

Computer Viruses

V. PREVENTING AND DETECTING COMPUTER FRAUD

Make Fraud Less Likely to Occur

Increase the Difficulty of Committing Fraud

Improve Detection Methods

Reduce Fraud Losses

Prosecute and Incarcerate Fraud Perpetrators

LEARNING OBJECTIVES

After studying this chapter you should be able to:

Define fraud and describe the process one follows to perpetrate a fraud.

Discuss why fraud occurs, including the pressures, opportunities, and rationalizations that are present in most frauds.

Compare and contrast the approaches and techniques that are used to commit computer fraud.

Describe how to deter and detect computer fraud.

CHAPTER OUTLINE AND TEACHING NOTES

I. INTRODUCTION

A. Fraud - any means a person uses to gain unfair advantage over another person

1. A violation of trust or confidence relied upon by the other party

2. Economic losses due to fraud in U.S. are estimated to be $500 billion per year

3. Usually involves misrepresentation of facts and reliance upon those facts by the victim

a) Knowledgeable insiders much more likely to commit fraud than nonemployees

b) Fraud perpetrators are referred to as white-collar criminals

c) Misappropriation of assets - also called employee fraud, committed for personal financial gain

d) Fraudulent financial reporting - materially misleading financial statements designed to mislead investors and creditors; perpetrators receive indirect benefits like increased stock values

4. Treadway Commission recommended four actions to reduce fraudulent financial reporting

a) Establish organizational environment that contributes to the integrity of financial reporting process

b) Identify and understand the factors that lead to fraudulent financial reporting

c) Assess the risk of fraudulent financial reporting in the company

d) Design and implement internal controls for prevention

II. THE FRAUD PROCESS

A. Most frauds involve three steps:

1. Theft of something of value, i.e., cash, inventory, supplies

2. Conversion of stolen assets into cash

3. Concealment of the crime to avoid detection - when assets are stolen or inflated, the only way to conceal it is to inflate other assets or decrease liabilities or equity

a) Charge stolen asset to expense accounts

b) Lapping - misapplying cash payments from one customer to another customer's account and stealing part of the cash received

c) Kiting - covering the theft of cash by transferring money between banks

Question 9.2 deals with kiting.
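The lapping scheme in II.A.3.b is easiest to understand through the control that catches it: reconciling the bank deposit detail (which customer actually wrote each check) against the receivable postings (which customer account was credited). The Python below is an added example written for this outline, not material from the textbook or its teaching notes. The customers, check numbers, dates and amounts are constructed to show the classic pattern: the first customer's check is stolen, the second customer's check is credited to the first customer to silence the complaint, the third covers the second, and the gap rolls forward until someone compares payer to credited account.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: remittance detail taken from the bank deposit slips and
# check images, i.e. the independent record of who actually paid, keyed by check number.
REMITTANCES = {
    "CHK-1001": {"payer": "Smith", "amount": 500, "received": date(2024, 1, 3)},
    "CHK-1002": {"payer": "Jones", "amount": 500, "received": date(2024, 1, 10)},
    "CHK-1003": {"payer": "Brown", "amount": 700, "received": date(2024, 1, 17)},
}

# Constructed sample: the credits the accounts-receivable clerk posted, each tagged
# with the check it was supposedly sourced from. Smith's check never appears.
POSTINGS = [
    {"check": "CHK-1002", "credited": "Smith", "amount": 500, "posted": date(2024, 1, 10)},
    {"check": "CHK-1003", "credited": "Jones", "amount": 500, "posted": date(2024, 1, 17)},
]


def lapping_exceptions(remittances, postings):
    """Reconcile cash received against credits posted.

    Returns a tuple (misapplied, unposted, shortfall):
      misapplied - credits whose source check was written by a different customer
                   than the account that received the credit;
      unposted   - per check, the portion of the cash that never reached any account;
      shortfall  - total cash received minus total cash credited.
    """
    misapplied = []
    applied = defaultdict(int)  # amount of each check that reached some customer account
    for p in postings:
        r = remittances[p["check"]]
        applied[p["check"]] += p["amount"]
        if p["credited"] != r["payer"]:
            misapplied.append((p["check"], r["payer"], p["credited"], p["amount"]))

    unposted = {
        chk: r["amount"] - applied[chk]
        for chk, r in remittances.items()
        if r["amount"] - applied[chk] > 0
    }
    shortfall = sum(r["amount"] for r in remittances.values()) - sum(p["amount"] for p in postings)
    return misapplied, unposted, shortfall


if __name__ == "__main__":
    misapplied, unposted, shortfall = lapping_exceptions(REMITTANCES, POSTINGS)
    for chk, payer, credited, amount in misapplied:
        print(f"{chk}: paid by {payer}, credited to {credited} ({amount})")
    print("cash never credited, by check:", unposted)
    print("total shortfall:", shortfall)
```

The check only works if the remittance detail comes from a source the cash handler cannot edit (the bank's deposit record, or a mailroom remittance list prepared before the checks reach the clerk); that independence is the segregation of duties that section V recommends, expressed as data.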

III. WHY FRAUD OCCURS

A. White-collar criminals - differ little from the general public

B. Fraud perpetrators characteristics

1. Spend their illegal proceeds rather than save them

2. Once they begin it is hard to stop

3. Rely on the income and want more as their greed increases

4. May become careless and overconfident as time goes on

5. Perpetrators of computer fraud tend to be younger and have more computer knowledge

a) Motivation may be curiosity or challenge of beating the system

(1) 32% were women (68% men) and 43% were minorities (57% majority)

(2) May be unhappy with employer or disgruntled with job

(3) May appear to be ideal employee, dedicated, hardworking

(4) Often no previous criminal record

C. Three conditions are necessary for fraud to occur:

1. Pressure - a person's motivation to commit fraud (Table 9.1)

a) Financial, work-related, or other such as family/peer pressure, emotional instability, or challenge of beating the system

2. Opportunity is the condition that allows a person to commit and conceal the fraud

a) Lack of internal controls or failure to enforce controls, other factors such as excessive trust in key employees, incompetent supervisory personnel, inattention to details, inadequate staffing, etc.

3. Rationalization - justification of illegal behavior; "I'm just borrowing it," "I intend to pay it back," "I'm not really hurting anyone," "everyone else does it," and "I'm above the rules" are all common rationalizations

Figure 9.1 shows fraud as a result of interaction of three factors: pressures, opportunities, and rationalizations. Tables 9.1 and 9.2 provide a comprehensive listing of pressures and opportunities that lead to fraud.

Problems 9.1, 9.2, 9.4, 9.5, 9.6, and 9.8 deal with the concept of fraud, indicators or red flags of fraud, incidence of fraud, and embezzlement schemes. Case 9.2 provides a profile of a white-collar criminal, the ease with which fraud can be committed, and the laxity of law enforcement; it is very educational.

IV. COMPUTER FRAUD

A. Computer fraud - any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution

1. Unauthorized use, access, modification, copying, or destruction of software

2. Theft of cash or other assets by altering computer records

3. Theft or destruction of computer hardware

4. Use or conspiracy to use a computer to commit a felony

5. Intent to illegally obtain information or property by use of a computer

B. Reasons for rise of computer fraud

1. Not everyone agrees on what constitutes computer fraud

2. Many computer frauds go undetected; estimates are that only 1% to 20% are detected

3. An estimated 80%-90% of the frauds that are uncovered are not reported

C. Computer fraud is large and growing

1. Dollar losses rose fifteenfold from 1997 to 1998; each incident now costs $2.81 million

2. Even Defense Department and Pentagon networks are not completely secure; 70% of friendly hacks are successful

3. Even though there are a growing number of competent computer users, there is a belief that "it just can't happen to us"

4. Most networks have a low level of security

5. Many Internet sites provide guidance on how to commit computer crimes

6. Law enforcement is unable to keep up with the number of computer frauds

7. An especially rapidly growing type of fraud is economic espionage, which is the theft of information and intellectual property

D. Computer fraud classifications

1. Computer fraud can affect input, processor, computer instructions, stored data, and output (Figure 9.1)

a) Input - easy to commit, alteration of inputs to manipulate disbursements, inventory, payroll, or cash receipts

b) Processor - theft of computer time or employee goofing (Internet surfing)

c) Computer instructions - modifying software to carry out an unauthorized activity, making illegal copies

d) Data - alteration or damage to data files or by copying or using without authorization, stealing the data

e) Output - theft or misuse of outputs, even screen output can be read electronically by the use of some inexpensive electronic gear

E. Computer fraud and abuse techniques (Table 9.2)

1. Trojan Horse - unauthorized code hidden in a legitimate program

2. Round-down technique - rounded off amounts from calculations, fraction deposited in perpetrator's account

3. Salami technique - small amounts sliced off and stolen from many projects over a period of time

4. Trap door - bypass of normal system controls

5. Superzapping - use of a special program to bypass regular controls

6. Software piracy - unauthorized copying of software, probably the most committed computer crime, losses between $15 and $18 billion per year

7. Data diddling - changing data in an unauthorized way

8. Data leakage - unauthorized copying of data files

9. Piggybacking - latching onto a legitimate user in data communications

10. Masquerading or Impersonation - the perpetrator gains access to the system by pretending to be an authorized user

11. Social engineering - a perpetrator tricks an employee into giving him the information he needs to get into the system

12. Logic time bomb - idle until some event or time triggers it

13. Hacking - unauthorized access and use of a computer system

14. Scavenging - gaining access to confidential data by searching corporate records in dumpsters or computer storage

15. Eavesdropping - observation of private communications by wiretapping or other surveillance techniques

16. E-mail threats - threatening legal action and asking for money via e-mail

17. E-mail forgery - removing message headers, using such anonymous e-mail for criminal activity

18. Denial of service attack - sending hundreds of e-mail messages from false addresses until the attacked server shuts down

19. Internet terrorism - crackers using the Internet to disrupt electronic commerce and communication lines

20. Internet misinformation - using the Internet to spread false or misleading information

21. War dialing - searching for idle modems by dialing thousands of telephone numbers and intruding into systems through the modems found

22. Spamming - e-mailing the same message to everyone on one or more Usenet groups
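The round-down and salami techniques (items 2 and 3 above) survive because the ledger still balances: every account is a fraction of a cent short, and the perpetrator's account is long by exactly the sum of the fractions, so a control that only compares the total interest posted to the total interest expensed sees at most a cent of rounding noise. The control that does work is to recompute each account independently under the approved rounding rule. The Python below is an added example written for this outline, not textbook material. The accounts, balances, the 3.75% annual rate and the posted figures are constructed; the posted column was produced by a truncating routine that swept the dropped fractions into ACCT-E.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
# Monthly rate of the constructed interest run: 3.75% per year / 12 = 0.003125 exactly.
MONTHLY_RATE = Decimal("0.0375") / 12

# Constructed sample ledger: (account, month-end balance, interest actually posted).
# Policy says round half-up to the cent; the posted figures were truncated instead and
# the shaved fractions accumulated into ACCT-E.
POSTINGS = [
    ("ACCT-A", Decimal("1000.00"), Decimal("3.12")),   # policy: 3.125  -> 3.13
    ("ACCT-B", Decimal("2500.00"), Decimal("7.81")),   # policy: 7.8125 -> 7.81
    ("ACCT-C", Decimal("3333.33"), Decimal("10.41")),  # policy: 10.4167 -> 10.42
    ("ACCT-D", Decimal("777.77"), Decimal("2.43")),    # policy: 2.4305 -> 2.43
    ("ACCT-E", Decimal("100.00"), Decimal("0.32")),    # policy: 0.3125 -> 0.31
]


def expected_interest(balance):
    """Interest the approved policy would post: exact product, then half-up to the cent."""
    return (balance * MONTHLY_RATE).quantize(CENT, rounding=ROUND_HALF_UP)


def audit_interest_run(postings):
    """Recompute every account and return (per-account differences that are non-zero,
    total difference). Difference is posted minus expected, so a positive value means
    the account received more than policy allows."""
    diffs = {}
    total = Decimal("0.00")
    for account, balance, posted in postings:
        diff = posted - expected_interest(balance)
        total += diff
        if diff != 0:
            diffs[account] = diff
    return diffs, total


def beneficiaries(diffs):
    """Accounts that were over-credited: where the shaved fractions ended up."""
    return sorted(acct for acct, d in diffs.items() if d > 0)


if __name__ == "__main__":
    diffs, total = audit_interest_run(POSTINGS)
    print("total difference vs. policy:", total)   # one cent: a totals-only control passes
    print("per-account exceptions:", diffs)
    print("over-credited accounts:", beneficiaries(diffs))
```

Two design points matter in practice: the recomputation must use the documented rounding mode (here `ROUND_HALF_UP`) rather than whatever the production code does, since the production code is the thing under suspicion, and it should run on a sample of accounts every period, because a single cent per account is invisible in any aggregate but a consistent one-sided residue on one account is not.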

F. Computer viruses - a segment of executable code that attaches to software and is intended to replicate and do damage to computer systems and/or data

1. Computers can get infected in four ways:

a) Opening an e-mail attachment which carries the virus

b) Opening a file that contains the virus

c) By booting, or starting, using an infected diskette (boot sector virus)

d) By running a program that has been infected (program file virus)

2. Viruses are contagious and can easily spread from one system to another

a) E-mail containing hidden viruses is the fastest growing way to spread viruses

b) Viruses can replicate themselves faster than they can be destroyed, can have long lives

3. Worm - like a virus, but a whole program rather than a code segment hidden in a host program; it replicates itself and can be quite destructive

Figure 9.1 categorizes computer frauds in the context of the data processing model. Table 9.2 provides a list of computer fraud and abuse techniques; however, this list is sorted alphabetically (the text is not). Focus 9.1 presents the case of a worm that crashed a substantial portion of the Internet. An interesting question is whether such a feat could be accomplished today and, if so, how much it would cost.

Questions 9.3 and 9.9 deal with hacking. Problem 9.3 is a descriptive question on various fraud methods. Problems 9.7 and 9.9 deal with computer viruses. Case 9.1 is a portrait of the infamous hacker Kevin Mitnick.

V. PREVENTING AND DETECTING COMPUTER FRAUD

A. Make fraud less likely to occur

1. Hiring and firing practices - thorough scrutiny, background checks, etc.

2. Managing disgruntled employees

3. Employee training - most important element in any security program

a) Security measures - take seriously

b) Telephone disclosures - dialing the caller back, verifying a person's identity, etc.

c) Fraud awareness - training concerning causes and prevention of fraud

d) Ethical considerations - ethical code or standards, tone set at the top

e) Punishment for unethical behavior - consequences should be spelled out

4. Manage and track software licenses

5. Confidentiality agreements - employees, vendors, and contractors should be made to sign and abide by them

B. Increase the difficulty of committing fraud

1. Develop a strong system of internal controls - this is management's responsibility

2. Segregate duties

3. Require vacations and rotation of duties

4. Restrict access to computer equipment and data

5. Encrypt data and programs

6. Protect telephone lines from hackers who attack through phone systems (phreakers)

a) Attach electronic lock and key to telephones

b) Control dial-up modems

7. Protect the system from viruses - use virus protection, detection, and identification programs

8. Control sensitive data - apply appropriate access restrictions

9. Control laptop computers

10. Monitor hacker/cracker sites about how to break into your systems

C. Improve detection methods

1. Conduct frequent audits and random surveillance

2. Use a computer security officer

3. Set up a fraud hot line

4. Use computer consultants

5. Monitor system activities

6. Use forensic accountants

7. Use fraud detection software for insurance claims etc.

D. Reduce fraud losses

1. Maintain adequate insurance

2. Keep current backup copies of all programs and data files in off-site location

3. Develop a contingency plan for fraud occurrence and other disasters

4. Use special software to monitor system activity

E. Prosecute and incarcerate fraud perpetrators

1. Most cases go undetected

2. Companies are reluctant to report computer fraud because of the embarrassment factor, probably only 10% are reported

3. Courts are very busy with violent crimes

4. Investigation of computer crimes is difficult, costly, and time consuming

a) Computer Fraud and Abuse Act of 1986 deals specifically with computer crimes and might be helpful

5. Many law enforcement officials, lawyers, and judges lack the computer skills to investigate, prosecute, or evaluate computer crimes

6. Convictions often result in only light sentences - often the perpetrators have been model citizens and not had previous criminal records

Focus 9.2 provides practical suggestions on keeping microcomputers free from viruses.

Questions 9.1, 9.4, 9.5, 9.6, 9.7, and 9.8 deal with the effects of hiring practices, diskless PCs, biometric devices, software sabotage, software licensing, and determined defrauders on internal controls. Case 9.3 poses questions on effects of strengths and weaknesses in controls on the management information and embezzlement risk. Case 9.4 presents gray areas in software licensing.
