
ACCT341, Chapter 11 Computer Crime, Ethics, and Privacy

Jan 15, 2016


Byron

Page 1: ACCT341, Chapter 11 Computer Crime, Ethics, and Privacy

ACCT341, Chapter 11
Computer Crime, Ethics, and Privacy

Introduction
Computer Crime, Abuse, and Fraud
Examples of Computer Crimes
Mitigating Computer Crime and Fraud
Ethical Issues, Privacy, and Identity Theft

Page 2: Computer Crime

involvement of the computer in a criminal act
◦ directly, or indirectly.

definition important
◦ it affects how statistics are accumulated
◦ It said “hit any key to continue, so I did, just with a hammer.”
◦ Is smashing a computer with a sledge hammer considered computer crime?

only a small proportion of computer crime gets detected

Page 3: Computer Crime & Abuse - the Difference

Computer crime involves the manipulation of a computer or computer data
◦ to dishonestly obtain money, acquire property, or get some other advantage of value, or to cause a loss.

Computer abuse is when someone’s computer is used or accessed in a mischievous manner with a motive of revenge or challenge
◦ is punishable in extreme cases
◦ Should Adrian Lamo have been arrested? Case 11.1, p.343

Page 4: Examples of Computer Crimes

A computer dating service was sued because referrals for dates were few and inappropriate. The owner eventually admitted that no computer was used to match dates, even though the use of a computer was advertised.

Case 11.2, p.344: Donald Burleson, a disgruntled programmer, created a logic bomb that erased 168k of data records and held up paychecks for a month. Would have been more serious if not discovered early. [Logic bombs are programs that remain dormant until a circumstance or date triggers the fuse.]

Page 5: Common Types of Computer Crime and Abuse

Page 6: Federal Legislation

The Computer Fraud and Abuse Act (CFAA) of 1986, which was amended in 1994 and 1996

Defines computer fraud as an illegal act for which computer technology is essential for its perpetration, investigation, or prosecution.

Defines 7 fraudulent acts; the first three are described as misappropriation of assets and the last four as “other” crimes

Page 7: CFAA Fraudulent Acts

1. Unauthorized theft, use, access, modification, copying, or destruction of software or data. King Soopers p. 345

2. Theft of money by altering computer records or the theft of computer time. Salami technique, P#14 (salami is made from many small pieces of meat, salt, beef, garlic).

3. Intent to illegally obtain information or tangible property through the use of computers. Send office supplies invoices, Case 11.7, p. 357.

Page 8: CFAA Fraudulent Acts

4. Use or the conspiracy to use computer resources to commit a felony. Sjiem-Fat created bogus cashier checks to buy computer equipment for resale in Caribbean, p. 345-6

5. Theft, vandalism, destruction of computer hardware. Disgruntled taxpayer shoots IRS computers, p. 346

6. Trafficking in passwords or other login information for accessing a computer.

7. Extortion that uses a computer system as a target. Disgruntled employee steals data for ransom, p. 34679

Page 9: Federal Legislation Affecting the Use of Computers

Fair Credit Reporting Act of 1970
Freedom of Information Act of 1970
Federal Privacy Act of 1974
Small Business Computer Security and Education Act of 1984
Computer Fraud and Abuse Act of 1986

Page 10: Federal Legislation Affecting the Use of Computers (cont.)

Computer Fraud and Abuse Act (1996 amendment)
Computer Security Act of 1987
USA Patriot Act of 2001
Cyber Security Enhancement Act of 2002
CAN-SPAM Act of 2003

Page 11: The Lack of Computer-Crime Statistics

Data not available because
(1) private companies handle abuse internally to prevent embarrassment
(2) surveys of computer abuse are often ambiguous
(3) most computer abuse is probably not discovered (FBI estimates only 1% detected)

Page 12: The Growth of Computer Crime

Computer crime is growing because of
◦ Exponential growth in computer resources
◦ Internet gives step-by-step instructions on how to perpetrate computer crime
◦ Continuing lax security (in one test, only 3 out of 2200 websites knew they were being targeted - see Case 11.3, p.347)

Page 13: Importance for Accountants

Computer crime and abuse important to accountants

because AISs
◦ help control an organization’s financial resources
◦ are favored targets of disgruntled employees seeking financial gain or revenge

because they are responsible for designing, implementing, and monitoring the control procedures for AISs.

because firms suffer millions of dollars in computer-related losses
◦ due to viruses, unauthorized access, and denial of service attacks
◦ Avg cost to target co. of computer abuse per incident is $500k

Page 14: Computer Crime Cases

Compromising Valuable Information: The TRW Credit Data Case
◦ Selling credit scores, data diddling

Computer Hacking: Kevin Mitnick and social engineering
◦ Reasons to hack: financial gain, revenge, challenge, curiosity, pranks, industrial espionage
◦ Max. penalty is 5 years prison + $250k fine.

Denial of service: The 2003 Internet Crash
◦ A very speedy computer worm, the Slammer worm (cost > $1b and we don’t know who did it)
◦ Note: unlike a virus, a worm doesn’t destroy data, just reproduces until system is overloaded

Page 15: Robert T. Morris and the Internet Virus

Robert T. Morris
◦ created one of the world’s most famous computer viruses
◦ became first person to be indicted under the Computer Fraud and Abuse Act of 1986

The case illustrated vulnerability of networks to virus infections.

Page 16: Computer Viruses

Computer VIRUS is a program that disrupts normal data processing and that can usually replicate itself onto other files, computer systems or networks.

WORM - In contrast to most viruses, a worm doesn’t destroy data but it replicates itself until the user runs out of memory or disk space.

Page 17: Computer Virus Programs

Trojan Horse programs reside in legitimate computer programs.

Logic Bomb programs remain dormant until the computer system encounters a specific condition.

A virus may be stored in an applet, which is a small program stored on a WWW server.

Page 18: Methods for Thwarting Computer Abuse

1. Enlist top management support
2. Increase employee awareness and education and have a hotline
3. Conduct security inventory
4. Protect passwords
◦ Social engineering, phishing, smishing posing as bona fide when actually fake
◦ Prevented by:
-- Lock-out systems: disconnecting users after a set number of unsuccessful login attempts
-- Dial-back systems: disconnecting all login users, reconnecting legitimate users after checking their passwords

Page 19: Methods for Thwarting Computer Abuse

5. Implement controls
6. Identify computer criminals
◦ Look at technical backgrounds, morals, gender and age
7. Physical security
-- secure location
-- backup
-- proper disposal (>1/3 of used hard drives for sale contained personal info – see Case 11.9)

Occupation of Computer Abusers

Page 20: Methods for Thwarting Computer Abuse

8. Recognize symptoms of employee fraud
◦ Five symptoms of employee fraud (Case 11.10, p. 360)
-- Accounting irregularities such as forged, altered or destroyed input documents
-- Internal control weaknesses
-- Unreasonable anomalies that go unchallenged
-- Lifestyle changes in an employee
-- Behavioral changes in an employee

Page 21: Methods for Thwarting Computer Abuse

9. Employ forensic accountants
◦ Special training (>27k CFEs)
◦ Special sleuthing tools
◦ One of fastest growing professions

Page 22: Methods Used to Obtain Your Personal Data – ID Theft

Shoulder surfing
Dumpster diving for documents & old computer hard drives
Scanning credit card at restaurant
Fake apps for “preapproved” credit cards
Key logging software
Spam and other e-mails
Phishing & smishing

Page 23: Privacy Issues

Have a privacy policy for your website
Have an audit done by professionals who provide a privacy seal
◦ Truste
◦ BBB Online
◦ Webtrust
Dispose of old computers with care
Have laptops password protected
Use encrypted USB drives only