Computer Fraud and Security Merle P. Martin College of Business CSU Sacramento 7/11/02.

Dec 16, 2015

Transcript
Page 1: Computer Fraud and Security

Computer Fraud and Security
Merle P. Martin
College of Business
CSU Sacramento
7/11/02

Page 2: Agenda

• Extent of fraud
• Process of fraud
• Why fraud occurs
• Approaches and techniques used to commit computer fraud
• How to deter and detect computer fraud

Page 3: E-Commerce Fraud

• Worldwide E-Commerce Fraud Prevention Network, 2000
• 50% of e-retailers: online fraud a significant problem
• 50% reported online losses of $1000 - $10,000 in the 1st quarter
• 19% lost over $100,000

Page 4: E-Commerce Fraud

• Overall fraud rate is 7 cents per $100 in sales
• Rate thought to be 3 to 4 times higher for E-Commerce transactions
• Measures used to prevent fraud:
  – address verification – 70%
  – customer follow-up – 54%
  – after-the-fact fraud handling – 43%

Page 5: E-Commerce Fraud

• Gartner Group survey, 7/00
• On-line retailers suffer 12 times as many incidents of fraud as off-line retailers
• Especially common with product that can be downloaded

Page 6: Internet Fraud

• Internet Fraud Complaint Center (IFCC) – federal agency
• 2001 Internet Fraud Report
  – Top 10 complaint categories
  – Dollar loss
  – Perpetrator characteristics

Page 7: Types of Internet Fraud

• Auction fraud – 42.8%
• Non-delivery – 20.3%
• Credit card fraud – 9.4%
• Business fraud – 1.4%
• Identity theft – 1.3%
• Check fraud – 0.6%

Page 8: Average Dollars Lost

• Auction fraud – $395
• Non-delivery – $325
• Credit card – $450
• Business fraud – $160
• Identity theft – $3000
• Check fraud – $910

Page 9: Perpetrators

• 76% individuals, as opposed to businesses
• 81% in 5 states
• Highest per capita states (per 100K):
  – Nevada 11.9
  – California 4th
• 81.3% male

Page 10: Extent of Fraud

• “Fraud: The Unmanaged Risk”, Ernst & Young, 2000
• 739 responses (companies)
• Key findings
• What is computer fraud?
• What isn’t computer fraud?

Page 11: Key Findings

• More than two thirds of respondents have suffered from fraud loss during the last 12 months
• One in 10 suffered more than 50 frauds
• Worst frauds: only 29% of total value recovered to date

Page 12: Who Does It?

• 82% by employees
  – one third of these by management
  – half had been in the organization more than 5 years
  – one quarter had been in the organization more than 10 years

Page 13: Potential

• 80% concerned significant fraud could occur within the organization
• Four out of 10 who were concerned had no explicit policy for fraud reporting

Page 14: Resulting Actions

• Worst frauds:
  – 38% prosecuted
  – 28% dismissed
  – 2% no action
  – Other 32%?
• Rare headline: “Stockbroker jailed in fraud case.” (Australian Financial Review, 3/4/2000)

Page 15: Computer Fraud

• Respondents asked to consider nine examples of computer related fraud
• High agreement on only four types:
  – manipulation of data records held on computer to disguise true nature of transaction (97%)

Page 16: Computer Fraud

  – hacking into organization’s computer system to steal or manipulate organizational information (97%)
  – manipulation of computer programs to disguise true nature of transaction (97%)
  – unauthorized transfer of funds electronically (96%)

Page 17: Not Computer Fraud?

• Use of organizational hardware and software for personal use
  – only 26% considered this computer fraud
  – 86% believed this was happening
  – “organizations turning a blind eye to this use”

Page 18: Not Computer Fraud?

• Only 40% of respondents considered improper access to the Internet as a fraud
• But two-thirds of high-tech firms considered it fraud
• No substantial costs to the organization

Page 19: Insider Fraud

• Joint 2002 study by FBI and Computer Security Institute
• Only 38% of respondents detected insider attacks during the preceding 12 months
• Down from:
  – 71% in 2000
  – 49% in 2001

Page 20: Insider Fraud

• Reduction in insider threat, or not being caught as often?
• Insider threats have become more cunning and sophisticated
• “I don’t believe that many corporations know that the majority of attacks occur behind the firewall.” Mike Hager, VP Network Security, OppenheimerFunds

Page 21: Agenda

• Extent of fraud
• Process of fraud
• Why fraud occurs
• Approaches and techniques used to commit computer fraud
• How to deter and detect computer fraud

Page 22: The Fraud Process

• Most frauds involve three steps:
  – The theft of something
  – The conversion to cash
  – The concealment

Page 23: The Fraud Process

• Common way to hide theft:
  – charge stolen item to an expense account
• Payroll example:
  – add a fictitious name to the company’s payroll

Page 24: The Fraud Process

• Lapping
  – Perpetrator steals cash received from customer A to pay its accounts receivable
  – Funds received at a later date from customer B are used to pay off customer A’s balance, etc.

Page 25: The Fraud Process

• Kiting
  – Perpetrator covers up theft by creating cash through transfer of money between banks
  – Perpetrator deposits a check from bank A to bank B and then withdraws money

Page 26: Kiting (cont.)

• Since there are insufficient funds in bank A to cover the check, perpetrator deposits a check from bank C to bank A before the check to bank B clears
• Since bank C also has insufficient funds, money is deposited to bank C before the check to bank A clears
• Scheme continues to keep checks from bouncing

Page 27: Agenda

• Extent of fraud
• Process of fraud
• Why fraud occurs
• Approaches and techniques used to commit computer fraud
• How to deter and detect computer fraud

Page 28: Why Fraud Occurs

• Common characteristics of fraud perpetrators:
  – Most spend their illegal income rather than invest or save it
  – Once they begin the fraud, very hard for them to stop
  – They usually begin to rely on the extra income

Page 29: Why Fraud Occurs

• Perpetrators of computer fraud tend to be younger and possess more computer knowledge, experience, and skills
• Some computer fraud perpetrators are more motivated by curiosity and the challenge of “beating the system”
• Others commit fraud to gain stature among others in the computer community

Page 30: Why Fraud Occurs

• Three conditions necessary for fraud to occur:
  – pressure or motive
  – opportunity
  – rationalization

Page 31: Pressures

• Some financial pressures:
  – living beyond means
  – high personal debt
  – “inadequate” income
  – poor credit ratings
  – heavy financial losses
  – large gambling debts

Page 32: Pressures

• Some work-related pressures:
  – low salary
  – non-recognition of performance
  – job dissatisfaction
  – fear of losing job
  – overaggressive bonus plans

Page 33: Pressures

• Other pressures:
  – challenge
  – family/peer pressure
  – emotional instability
  – need for power or control
  – excessive pride or ambition

Page 34: Opportunities

• Opportunity is a condition or situation that allows a person to commit and conceal a dishonest act
• Opportunities often stem from lack of internal controls
• Most prevalent opportunity for fraud results from the company’s failure to enforce its system of internal controls

Page 35: Rationalizations

• Most perpetrators have an excuse (rationalization) allowing them to justify their illegal behavior
• Some rationalizations:
  – just “borrowing” stolen assets
  – not hurting a real person, just a computer system

Page 36: Fraud Tendencies

[Diagram: management pyramid with three levels, Top-Level Managers, Middle-Level Managers and Operational-Level Managers. Labels: “Increasing ability to override control mechanisms”, “Strongest Control Mechanisms”, “Greatest Frequency of Fraud”.]

Page 37: Agenda

• Extent of fraud
• Process of fraud
• Why fraud occurs
• Approaches and techniques used to commit computer fraud
• How to deter and detect computer fraud

Page 38: Definitions

• Data Integrity: “. . requirement that information and programs are changed only in a specified and authorized manner.”
  – Computers at Risk, pg. 54, National Academy Press, 1991

Page 39: Definitions

• System Integrity: “. . requirement that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.”
  – National Computer Security Center, Pub. NCSC-TG-004-88

Page 40: Definitions

• Availability: “. . requirement intended to assure that systems work promptly and service is not denied to authorized users.”
  – Computers at Risk, pg. 54

Page 41: Computer Fraud

• U.S. Department of Justice defines computer fraud as: “. . . any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution”

Page 42: Computer Fraud Types

• Unauthorized use, access, modification, copying, and destruction of software or data
• Theft of money by altering computer records or theft of computer time
• Theft or destruction of computer hardware

Page 43: Computer Fraud Types

• Use or conspiracy to use computer resources to commit a felony
• Intent to illegally obtain information or tangible property through use of computers

Page 44: Rise in Computer Fraud

• Organizations that track computer fraud estimate that 80% of U.S. businesses have been victimized by at least one incident of computer fraud
• However, no one knows for sure exactly how much companies lose to computer fraud
• Why?

Page 45: Rise in Computer Fraud

• Disagreement on what computer fraud is
• Many computer frauds go undetected, or unreported
• Most networks have a low level of security
• Many Internet pages tell how to perpetrate computer crimes
• Law enforcement is unable to keep up with fraud

Page 46: Malicious Code

• Virus: code segment that replicates itself by attaching copies to existing executables
• Trojan Horse: program that performs a desired task, but also includes unexpected (undesired) functions
• Worm: self-replicating program that is self-contained – does not require a host program
• NIST Special Publication 800-5

Page 47: Computer Fraud and Abuse Techniques

• Textbook lists 26 abuse techniques
• Four of special interest to accountants

Page 48: Fraud Techniques

• Round-down:
  – interest calculations to 2 decimal places
  – fractions posted to bogus account
  – books balance

Page 49: Fraud Techniques

• Salami:
  – tiny slices of money stolen over a period of time
  – e.g., increase all production costs by a fraction of a percent
  – post to bogus account
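The round-down and salami slides both note that the books balance, so a batch-total check does not catch the scheme. The audit routine below is an added example (not from the slides) that recomputes every account's interest independently and checks for postings to accounts missing from the master file; account ids, balances, the rate and the posting batch are constructed sample data.

```python
"""Auditor-side reconciliation of an interest-posting batch (added example, not
from the slides). It recomputes each customer's interest independently of the
posting program, so the round-down / salami pattern shows up even though the
batch total still agrees with the control total. All ids and amounts are
constructed sample data."""
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed master file (account -> balance) and a monthly interest rate.
ACCOUNTS = {
    "A-1001": Decimal("1234.56"),
    "A-1002": Decimal("3141.59"),
    "A-1003": Decimal("2500.00"),
    "A-1004": Decimal("987.65"),
}
MONTHLY_RATE = Decimal("0.004")

# Constructed posting batch as the interest program wrote it. Two accounts were
# truncated instead of rounded and the shaved cents went to A-9999, which has no
# master-file record. The batch still sums to the control total ("books balance").
POSTINGS = [
    ("A-1001", Decimal("4.93")),   # 1234.56 * 0.004 = 4.93824, correctly rounded 4.94
    ("A-1002", Decimal("12.56")),  # 3141.59 * 0.004 = 12.56636, correctly rounded 12.57
    ("A-1003", Decimal("10.00")),
    ("A-1004", Decimal("3.95")),
    ("A-9999", Decimal("0.02")),   # not in ACCOUNTS
]


def expected_interest(balance: Decimal, rate: Decimal) -> Decimal:
    """Interest the customer is owed, rounded half-up to whole cents."""
    return (balance * rate).quantize(CENT, rounding=ROUND_HALF_UP)


def control_total(accounts: dict, rate: Decimal) -> Decimal:
    """Batch control total: unrounded interest summed, then rounded once. This is
    what a batch-total check compares against, and it is exactly the figure a
    round-down scheme is designed to leave intact."""
    raw = sum((balance * rate for balance in accounts.values()), Decimal("0"))
    return raw.quantize(CENT, rounding=ROUND_HALF_UP)


def audit_interest_batch(accounts: dict, postings: list, rate: Decimal) -> dict:
    """Return the batch-total check, per-account discrepancies (posted minus
    expected) and postings to accounts absent from the master file."""
    posted = {}
    for acct, amount in postings:
        posted[acct] = posted.get(acct, Decimal("0")) + amount

    discrepancies = {}
    for acct, balance in accounts.items():
        diff = posted.get(acct, Decimal("0")) - expected_interest(balance, rate)
        if diff != 0:
            discrepancies[acct] = diff

    # Shaved fractions have to be parked somewhere: an account that receives a
    # posting but has no master-file balance is the classic sign.
    orphan_postings = {a: amt for a, amt in posted.items() if a not in accounts}

    batch_total = sum(posted.values(), Decimal("0"))
    return {
        "batch_total": batch_total,
        "books_balance": batch_total == control_total(accounts, rate),
        "discrepancies": discrepancies,
        "orphan_postings": orphan_postings,
    }


if __name__ == "__main__":
    result = audit_interest_batch(ACCOUNTS, POSTINGS, MONTHLY_RATE)
    print("books balance:", result["books_balance"])              # True: the total hides it
    print("per-account discrepancies:", result["discrepancies"])  # A-1001 and A-1002 short by 0.01
    print("postings to unknown accounts:", result["orphan_postings"])
```

The same per-account recomputation applies to the salami variant on the next slide: compare each cost line against its independently derived value rather than trusting totals.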

Page 50: Fraud Techniques

• Trojan Horse:
  – unauthorized computer instructions in an authorized program
  – performs illegal operation at a predetermined time or predetermined set of conditions
  – aka “time bomb”

Page 51: Fraud Techniques

• Data diddling: change data before, during, or after entering
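Data diddling after entry is the case the Data Integrity definition (page 38) is meant to rule out: changes only in a specified and authorized manner. The log below is an added example (not from the slides) of making that requirement checkable with an HMAC chain; the key, the entries and the tampering scenarios are constructed.

```python
"""HMAC-chained transaction log (added example, not from the slides). It makes
the Data Integrity requirement checkable: any record changed after entry, or an
entry removed from the middle of the log, fails verification. The key and the
entries are constructed."""
import hashlib
import hmac
import json

# Constructed sealing key. It is held by someone independent of data-entry
# staff, so an altered record cannot simply be re-sealed.
SEAL_KEY = b"example-only-ledger-seal-key"
GENESIS_TAG = b"\x00" * 32


def canonical(record: dict) -> bytes:
    """Stable serialization so identical records always produce identical tags."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, prev_tag: bytes, record: dict) -> bytes:
    """tag = HMAC-SHA256(key, previous tag || record): ties each entry to its predecessor."""
    return hmac.new(key, prev_tag + canonical(record), hashlib.sha256).digest()


def seal_ledger(key: bytes, records: list) -> list:
    """Seal entries in order; returns [(record, tag), ...]."""
    sealed, prev = [], GENESIS_TAG
    for rec in records:
        tag = seal(key, prev, rec)
        sealed.append((dict(rec), tag))
        prev = tag
    return sealed


def find_tampered(key: bytes, sealed: list) -> list:
    """Indexes of entries whose tag does not match their content and predecessor.

    An edited record fails its own check; deleting or inserting an entry breaks
    the link of the entry that follows it. Removal of the *last* entry is not
    visible here, so keep the most recent tag in a separate control record."""
    bad, prev = [], GENESIS_TAG
    for i, (rec, tag) in enumerate(sealed):
        if not hmac.compare_digest(seal(key, prev, rec), tag):
            bad.append(i)
        prev = tag  # the stored tag, so one edit is pinpointed rather than smeared forward
    return bad


# Constructed sample entries.
ENTRIES = [
    {"id": 1, "type": "cash_receipt", "customer": "A", "amount": "500.00"},
    {"id": 2, "type": "cash_receipt", "customer": "B", "amount": "750.00"},
    {"id": 3, "type": "expense", "account": "supplies", "amount": "120.00"},
]


def demo() -> tuple:
    """Seal the entries, then alter one after entry and, separately, drop one."""
    ledger = seal_ledger(SEAL_KEY, ENTRIES)
    clean = find_tampered(SEAL_KEY, ledger)

    edited = [(dict(r), t) for r, t in ledger]
    edited[1][0]["amount"] = "75.00"          # amount changed after entry
    diddled = find_tampered(SEAL_KEY, edited)

    shortened = [(dict(r), t) for r, t in ledger]
    del shortened[1]                          # middle entry removed outright
    removed = find_tampered(SEAL_KEY, shortened)
    return clean, diddled, removed


if __name__ == "__main__":
    print(demo())  # ([], [1], [1])
```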

Page 52: Agenda

• Extent of fraud
• Process of fraud
• Why fraud occurs
• Approaches and techniques used to commit computer fraud
• How to deter and detect computer fraud

Page 53: Loss / Fraud Conditions

• Threat: potential adverse or unwanted event that can be injurious to AIS
• Exposure: potential maximum $ loss if event occurs
• Risk: likelihood that event will occur
• Expected Loss: Risk * Exposure

Page 54: Decreasing Fraud

[Diagram. Stages: Potential Fraud, Probable Fraud, Actual Fraud, Detected, Undetected, Prosecution. Factors between stages: Motivation, Difficulty, Detection. Controls: Control Culture, Internal Controls, Internal Audits.]

Page 55: Undetected Fraud

[Chart: x-axis Percent Fraud Detected, 0 to 100; y-axis Internal Control Costs, L to H. Marked point: Internal Control Costs = Expected Fraud Losses.]

• Similar to Auditor’s “Threshold Value”
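Carrying the Loss / Fraud Conditions formula (page 53) through to the threshold point on the chart above, as an added example that is not from the slides: expected loss per threat, ranking, and the detection level at which internal control cost reaches expected fraud losses. The threat register, its risk and exposure figures, and the control-cost curve are constructed assumptions.

```python
"""Expected loss and the control-cost threshold (added example, not from the
slides). It carries Expected Loss = Risk * Exposure through a small threat
register and then finds the detection level at which internal control cost
reaches expected fraud losses, the point marked on the Undetected Fraud chart.
The threats, their figures and the control-cost curve are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    risk: float       # likelihood the event occurs in the period (0..1)
    exposure: float   # potential maximum $ loss if it does

    def expected_loss(self) -> float:
        return self.risk * self.exposure


# Constructed threat register for an accounting information system.
THREATS = [
    Threat("lapping of customer receipts", 0.10, 150_000),
    Threat("round-down skim on interest postings", 0.05, 40_000),
    Threat("fictitious employee on payroll", 0.20, 60_000),
]


def total_expected_loss(threats: list) -> float:
    return sum(t.expected_loss() for t in threats)


def rank_by_expected_loss(threats: list) -> list:
    """Highest expected loss first: where control spending goes first."""
    return sorted(threats, key=lambda t: t.expected_loss(), reverse=True)


def control_cost(percent_detected: int) -> float:
    """Assumed cost of the internal controls needed to detect this share of
    fraud. Rises steeply toward 100%, the shape sketched on the chart (constructed)."""
    return 4.0 * percent_detected ** 2


def undetected_loss(threats: list, percent_detected: int) -> float:
    """Expected fraud loss that still gets through at this detection level."""
    return total_expected_loss(threats) * (1 - percent_detected / 100)


def threshold_detection_level(threats: list) -> int:
    """Smallest detection percentage at which control cost reaches expected
    fraud losses: the chart's 'Internal Control Costs = Expected Fraud Losses'
    point, analogous to an auditor's threshold value."""
    for p in range(0, 101):
        if control_cost(p) >= undetected_loss(threats, p):
            return p
    return 100


if __name__ == "__main__":
    for t in rank_by_expected_loss(THREATS):
        print(f"{t.name:40s} expected loss ${t.expected_loss():,.0f}")
    print("total expected loss:", total_expected_loss(THREATS))                # 29000.0
    print("threshold detection level:", threshold_detection_level(THREATS), "%")  # 57
```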

Page 56: Preventing / Deterring Fraud

• Make less likely to occur
• Increase difficulty
• Improve detection
• Reduce losses
• Prosecute / incarcerate perpetrators

Page 57: Emphasis

• From the Aggie handbook: “An ounce of preventive is worth a pound of detective or corrective”
• “A good, advertised detective control can be a deterrent to crime.”

Page 58: Deter and Detect

• Make fraud less likely to occur:
  – Proper hiring / firing
  – Manage disgruntled employees
  – Train employees in security and fraud prevention
  – Manage and track software licenses
  – Require signed confidentiality agreements

Page 59: Deter and Detect

• Increase difficulty of committing fraud:
  – Develop strong system of internal controls
  – Segregate duties
  – Require vacations and rotate duties
  – Restrict access to computer equipment and data files
  – Encrypt data and programs
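Two of the controls listed above, segregation of duties and an independent internal control, applied to the payroll case from page 23 (adding a fictitious name to the payroll). This is an added example, not from the slides: a check that the clerk who entered a payroll record did not also approve it, and a reconciliation of the payroll master against an HR roster maintained outside payroll. Names, ids, bank details and the approval log are constructed.

```python
"""Two Deter and Detect controls applied to the payroll example on the Fraud
Process slide, adding a fictitious name to the payroll (added example, not from
the slides): a segregation-of-duties check that the clerk who entered a payroll
record did not also approve it, and a reconciliation of the payroll master
against an independently maintained HR roster. All names, ids, bank details and
approvals are constructed."""

# Constructed HR roster, maintained by HR rather than by payroll staff.
HR_ROSTER = {"E100": "Ana Ruiz", "E101": "Ben Cole", "E102": "Cy Dane"}

# Constructed payroll master: who entered each record and where pay is sent.
PAYROLL = [
    {"emp_id": "E100", "name": "Ana Ruiz", "bank": "111-222", "entered_by": "clerk1"},
    {"emp_id": "E101", "name": "Ben Cole", "bank": "333-444", "entered_by": "clerk1"},
    {"emp_id": "E102", "name": "Cy Dane", "bank": "555-666", "entered_by": "clerk2"},
    # No HR record, paid into the same account as E101, entered by clerk1.
    {"emp_id": "E999", "name": "Dan Field", "bank": "333-444", "entered_by": "clerk1"},
]

# Constructed approval log: (emp_id, approver).
APPROVALS = [("E100", "supervisor"), ("E101", "supervisor"),
             ("E102", "supervisor"), ("E999", "clerk1")]


def approval_violations(payroll: list, approvals: list) -> list:
    """Segregation of duties: ids whose record was approved by the same person
    who entered it, or that were never approved at all."""
    approver_of = dict(approvals)
    return [r["emp_id"] for r in payroll
            if approver_of.get(r["emp_id"]) in (None, r["entered_by"])]


def reconcile_payroll(payroll: list, hr_roster: dict) -> dict:
    """Compare the payroll master with the HR roster and look for bank accounts
    shared between employees, the two usual signs of a ghost employee."""
    not_in_hr = [r["emp_id"] for r in payroll if r["emp_id"] not in hr_roster]
    name_mismatch = [r["emp_id"] for r in payroll
                     if r["emp_id"] in hr_roster and hr_roster[r["emp_id"]] != r["name"]]
    by_bank = {}
    for r in payroll:
        by_bank.setdefault(r["bank"], []).append(r["emp_id"])
    shared_bank = {b: ids for b, ids in by_bank.items() if len(ids) > 1}
    return {"not_in_hr": not_in_hr, "name_mismatch": name_mismatch,
            "shared_bank": shared_bank}


if __name__ == "__main__":
    print("approval violations:", approval_violations(PAYROLL, APPROVALS))  # ['E999']
    print(reconcile_payroll(PAYROLL, HR_ROSTER))
```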

Page 60: Deter and Detect

• Improve detection methods:
  – Protect telephone lines and system from viruses
  – Control sensitive data
  – Control laptop computers
  – Monitor hacker information

Page 61: Deter and Detect

• Reduce fraud losses:
  – Maintain adequate insurance
  – Store backup copies of programs and data files in a secure, off-site location
  – Develop contingency plan for fraud occurrences
  – Use software to monitor system activity and recover from fraud

Page 62: Deter and Detect

• Prosecute and incarcerate fraud perpetrators:
  – Most fraud cases go unreported and are not prosecuted
  – Many cases of computer fraud are as yet undetected
  – Companies are reluctant to report computer crimes

Page 63: Why No Prosecution?

• Law enforcement officials and courts so busy with violent crimes: little time for fraud cases
• Difficult, costly, and time consuming to investigate
• Many law enforcement officials, lawyers, judges lack computer skills needed to prosecute computer crimes

Page 64: Fraud Case Study

• Georgia Bureau of Investigation spent 18 months investigating an alleged corporate computer criminal
• Oct 01: charged him with 8 felony counts under Georgia computer crime law
• Each count could carry a $50K fine and 15 years in prison

Page 65: Fraud Case Study

• Result?: Jan 02, plea bargain
  – $2100 in fines
  – one year probation
  – 80 hours community service
• Deterrent or incentive?
• Why a plea bargain?

Page 66: Topics Covered

• Process of fraud
• Why fraud occurs
• Approaches and techniques used to commit computer fraud
• How to deter and detect computer fraud