Chapter 3 Cybercrime, Fraud, and Ethics
Computer Worms
Replicate themselves like a virus and can consume internal memory, disk space, and Internet bandwidth. The Internet facilitates the spread of viruses and worms from one system to another.
Data Diddling
Changing data before, during, or after it is entered into a computer system. The change can delete, alter, or add important system data, especially data stored in corporate databases, which 1. is often proprietary 2. may give a firm a competitive advantage 3. is sometimes an organization's most valuable asset
Fraudulent Financial Reporting
(Cooking the books.) Occurs when corporate officials, such as senior executives, intentionally falsify accounting records to mislead analysts, creditors, or investors. The annual financial statements then do not fairly represent the true financial condition of the firm.
TRW Case 2 Issues
1. Accuracy of the inputs used to update a specific AIS, and the importance of control procedures that safeguard the accuracy and completeness of information. 2. Protection of the users of credit information, and protection of the individuals whose credit information is gathered by a private company.
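Batch control totals are the classic input control behind the "accuracy and completeness" point above and the data-diddling entry before it. The following is an added example, not code from the original notes; it uses a constructed payroll batch and assumes three standard totals (record count, financial total, and a hash total over the employee number). It also shows the caveat that totals alone miss a compensating change, which only a line-by-line comparison catches.

```python
"""Batch control totals as a guard against data diddling.

Added example (not from the original study notes). The payroll data is
constructed, and the three totals (record count, financial total, hash
total over a meaningless field) are the standard AIS input controls.
The totals are computed from the source documents, then recomputed from
what actually landed in the system; any mismatch is an exception.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PayrollLine:
    employee_no: int
    hours: float
    rate: float

    @property
    def gross_pay(self) -> float:
        return round(self.hours * self.rate, 2)


def control_totals(batch):
    """Return (record count, financial total, hash total) for a batch."""
    count = len(batch)
    financial = round(sum(line.gross_pay for line in batch), 2)
    hash_total = sum(line.employee_no for line in batch)  # meaningless sum
    return count, financial, hash_total


def check_batch(source, entered):
    """Compare totals from source documents against the entered data.

    Returns a list of discrepancies (empty when the batch reconciles);
    this is what a data-entry control report would print.
    """
    src = control_totals(source)
    ent = control_totals(entered)
    labels = ("record count", "financial total", "hash total")
    return [f"{label}: source={s} entered={e}"
            for label, s, e in zip(labels, src, ent) if s != e]


def line_exceptions(source, entered):
    """Detail-level check: match records by employee number and report any
    line whose gross pay differs, plus missing or extra employees."""
    src = {line.employee_no: line for line in source}
    ent = {line.employee_no: line for line in entered}
    problems = []
    for emp in sorted(src.keys() | ent.keys()):
        if emp not in ent:
            problems.append(f"employee {emp}: missing from entered batch")
        elif emp not in src:
            problems.append(f"employee {emp}: not on source documents")
        elif src[emp].gross_pay != ent[emp].gross_pay:
            problems.append(f"employee {emp}: gross pay source="
                            f"{src[emp].gross_pay} entered={ent[emp].gross_pay}")
    return problems


# Constructed source documents for one payroll batch (hypothetical data).
SOURCE_BATCH = [
    PayrollLine(1001, 40.0, 25.00),
    PayrollLine(1002, 38.5, 31.00),
    PayrollLine(1003, 40.0, 20.00),
]

# Same batch as entered, but the clerk inflated employee 1002's hours and
# dropped a record. All three totals expose this.
DIDDLED_BATCH = [
    PayrollLine(1001, 40.0, 25.00),
    PayrollLine(1002, 48.5, 31.00),
]

# A compensating change: pay moved from 1001 to 1003 so the financial
# total, count and hash total all still agree. Batch totals miss this;
# the line-level comparison does not.
SHIFTED_BATCH = [
    PayrollLine(1001, 30.0, 25.00),
    PayrollLine(1002, 38.5, 31.00),
    PayrollLine(1003, 40.0, 26.25),
]

if __name__ == "__main__":
    for problem in check_batch(SOURCE_BATCH, DIDDLED_BATCH):
        print("BATCH EXCEPTION:", problem)
    for problem in line_exceptions(SOURCE_BATCH, SHIFTED_BATCH):
        print("LINE EXCEPTION:", problem)
```

Batch totals are cheap and catch dropped or altered records; the compensating-change case is why audit programs also reconcile at the transaction level.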
Growth of Cybercrime
1. Exponential growth in the use of computer resources (computer networks, the Internet, smart devices, and cloud systems); the more people know about how to use these resources, the better positioned they are to compromise them. 2. Continuing lax security (many computer users are unaware of computer security) 3. Websites give instructions on how to perpetrate cybercrimes.
Virus
Code that attaches itself to other innocent files or programs and replicates itself. When activated, the code destroys computer files, disrupts operating system activities, damages software, or initiates denial-of-service attacks. Viruses often reside on secondary storage media, where they hide until they find an opportunity to execute.
Failure to Implement Controls
1. Managers who have not suffered a cybercrime believe they have nothing to fear 2. Charities and not-for-profit organizations often believe that their mission somehow insulates them from crime 3. Businesses do not have a specific computer security officer to articulate concerns or argue for specific control procedures 4. Businesses do not feel that security measures are cost-effective until they incur a problem!
Prevention of Hackers' Password Tactics
Employees should: 1. be trained not to "loan" their passwords to others or tape them to their monitors 2. understand that most businesses will not ask for their passwords "for security purposes" 3. use strong passwords 4. have password-checking software installed on file servers that tests passwords against specific requirements 5. be required to change their passwords periodically
Microcomputer Users Antivirus Control Procedures
1. buying software from reputable sources 2. avoiding illegal software copying 3. not downloading suspicious files from the Internet 4. deleting email messages from unknown sources before opening them 5. maintaining complete backups in case you must rebuild your system from scratch.
Prevention of Computer Viruses
1. firewalls, which limit external access to company computers 2. antivirus software 3. antivirus control procedures
Hackers tactics to steal passwords
1. posing as a legitimate user and "borrowing" them from unsuspecting employees 2. creating phishing websites that ask users to input their passwords "for security purposes" 3. using simulation programs that try all the words in a standard dictionary as potential passwords
Nontechnical Backgrounds
A company's own employees, not external hackers, perpetrate a significant amount of cybercrime and abuse. Almost as many computer offenses are perpetrated by clerical personnel, data-entry clerks, and similar individuals with limited technical skills as by technically skilled staff. It is easier and safer to alter data before it enters a computer than midway through automated processing steps. Input data can often be changed anonymously, whereas most computerized data cannot.
KPMG
A global network of professional firms providing audit, tax, and advisory services; conducts surveys on fraud and business integrity. Participants are business professionals who work for one of the top 2,000 companies listed by Dun & Bradstreet.
Java applet
A small program stored in a web page file and designed to be run by web browser software. Friendly applets animate web pages, allow users to play games, or perform processing tasks. Unfriendly applets contain viruses that can infect computers and cause damage.
Internal Control Weakness
All employees should be required to take vacations. Reports should be required. Lists of approved external parties/vendors should be maintained.
Intrusion Testing/Penetration Testing/Red Teaming
Also referred to as ethical hacking.
Computer Fraud and Abuse Act of 1986 (CFAA)
Amended in 1994 and 1996. Defines cybercrime as any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution. Being evaluated for revision; its effectiveness is debated because much of its language was developed before the Internet boom and the creation of modern communication devices. Many consider it outdated and argue that it classifies non-criminal activities as serious crimes.
Cookie (Privacy)
Commercial websites deposit these on your computer: a small text file that stores information about your browsing habits and interests, as well as other information that you may supply by logging onto the site.
Identity Theft
An act in which someone wrongfully obtains and uses another person's data for fraud or deception. The personal data may be one or a combination of the following: Social Security number, bank account number, debit card number, credit card number, birth date, or mailing address. In 1998 Congress passed legislation making identity theft a federal crime.
Association of Certified Fraud Examiners (ACFE)
An international professional organization committed to detecting, deterring, and preventing fraud and white-collar crime; conducts a biennial (every two years) survey and publishes the results in its Report to the Nation on Occupational Fraud and Abuse. Participants are its members, who each provide detailed information on one occupational fraud case he or she personally investigated within the last two years.
Cybercrime
Any criminal activity that involves computers or networks; also known as e-crime or computer crime. 1. Direct attacks on computers or networks (viruses or denial-of-service attacks) 2. Use of computers or networks to commit a crime (stealing identities, harassing an individual, or committing fraud)
Denial of Service (DoS)
Attacks can take multiple forms and often involve malware.
Company Policies with Respect to Privacy
Company policies with respect to privacy should be developed and distributed due to the widespread use of computers in business and the use of portable devices. The Fair Employment Practices Guidelines suggest policies cover: 1. Who owns the computer and the data stored on it 2. How the computer may be used (primarily for business purposes) 3. What uses are unauthorized or prohibited. Employers should specifically identify the types of acceptable and unacceptable uses, with examples.
Antivirus Software
Computer programs that scan inputs for malware and virus-like code, identify active malware already resident in computer systems, clean infected systems, or perform some combination of these activities. They provide less than complete protection because individuals continuously write new, more powerful malware that evades current detection schemes.
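The "less than complete protection" caveat above is easiest to see in code. What follows is an added example, not part of the original notes: a minimal signature scanner with two detection types (a whole-file hash and a short byte pattern), run against a constructed, harmless byte string that stands in for a known sample, a variant of it, and a rewritten variant. The sample, family name and patterns are all made up for the demonstration.

```python
"""Signature-based scanning, and why it gives less than complete protection.

Added example, not from the original notes. The "malware" is a constructed,
harmless byte string; the hash signature is derived from it at run time,
not taken from any real sample.
"""
import hashlib

# Constructed stand-in for a known malicious file (hypothetical).
KNOWN_SAMPLE = b"MZ\x90\x00" + b"EVIL-DROPPER-v1:" + b"\x00" * 16

# Signature database: exact hashes of known files plus byte patterns
# shared by a family of variants.
KNOWN_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
BYTE_SIGNATURES = {"dropper-family": b"EVIL-DROPPER-"}


def scan(data: bytes):
    """Return the list of detections for one input (empty list = clean)."""
    hits = []
    if hashlib.sha256(data).hexdigest() in KNOWN_HASHES:
        hits.append("exact hash match")
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            hits.append(f"pattern match: {name}")
    return hits


# A new build of the same family: the hash no longer matches, but the
# shared byte pattern still does.
VARIANT_V2 = KNOWN_SAMPLE.replace(b"v1", b"v2")

# The author also rewrote the marker string: neither signature fires,
# which is exactly the gap the notes describe.
REWRITTEN = KNOWN_SAMPLE.replace(b"EVIL-DROPPER-", b"EV1L-DR0PPER-")

# An unrelated, benign input.
CLEAN = b"MZ\x90\x00hello world"

if __name__ == "__main__":
    for label, blob in [("known", KNOWN_SAMPLE), ("variant", VARIANT_V2),
                        ("rewritten", REWRITTEN), ("clean", CLEAN)]:
        print(f"{label:10s} -> {scan(blob) or 'no detection'}")
```

Real products add heuristics and behaviour monitoring on top of signatures for precisely the rewritten-variant case; signatures alone only ever catch what has already been seen.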
Computer Security Institute (CSI)
Conducts an annual survey to help determine the scope of cybercrime in the United States. Respondents are computer security practitioners in US corporations, government agencies, financial institutions, medical institutions, and universities.
Fair Credit Reporting Act
Passed by Congress in 1970. Requires that an individual be told why he or she is denied credit. The consumer also has the right to contest the information maintained by the credit-rating company.
Value Cards (Privacy)
Consumers freely give their name, address, phone number, and similar information to receive cards from grocery stores, shoe stores, sporting goods stores, and other retail establishments in order to receive discounts, points redeemable for goods or services, or advance notice of upcoming sales before the general public.
Organizational Control Procedures against Viruses
Educate users about viruses and encourage them to follow virus prevention and detection techniques. 1. adopting policies that discourage externally acquired computer programs 2. requiring strong passwords that limit unauthorized access to computing resources 3. using antivirus filters on networks
Behavioral Changes
Employees who experience guilt or remorse related to their crimes, or who fear discovery, often express these feelings through unusual behavior.
Lifestyle Changes
Employees who miraculously solve pressing financial problems or suddenly begin living extravagant lifestyles are sometimes broadcasting fraud.
Ethical Issues, Privacy, and Identity Theft
Ethics is a set of moral principles or values. Ethical behavior involves making choices and judgments that are morally acceptable and acting accordingly. The underlying ethical principle is that each individual in the organization has responsibility for the welfare of others within the organization as well as for the organization itself. Managers should make decisions that are fair to employees as well as beneficial to the organization.
State Legislation
Every state has at least one computer crime law. Most laws have provisions that: 1. define computer terms (these vary from state to state) 2. define some acts as misdemeanors (minor crimes) 3. declare other acts as felonies (major crimes). The laws require willful intent, which must be established for a successful prosecution; "maliciously," "intentionally," or "recklessly" often appear in the wording of computer-crime laws.
Internet Crime Complaint Center (IC3)
Established by the FBI in partnership with the National White Collar Crime Center to give cybercrime victims a point of contact for reporting computer crime and abuse (international money laundering, online extortion, intellectual property theft, identity theft, online scams, and computer intrusions). Formerly the Internet Fraud Complaint Center (IFCC).
Super User or Network Manager
Hackers elevate their system status to these security levels to gain access to password files, system control data, and other high-security info.
Forensic Accountants
Have passed the two-day Certified Fraud Examiner (CFE) examination administered by the ACFE. They have the technical and legal experience required to research a given concern, follow leads, establish audit trails of questionable transactions, document their findings, organize evidence for external review and law enforcement bodies, and (if necessary) testify in court. Most use specialized software tools to help them perform tasks, such as ACL (Audit Command Language) for auditing tasks, and EnCase for file copying, custody documentation, and other forensic activities.
Boot-sector virus
Hides in the boot sector of a disk, where the operating system accesses it every time it accesses the disk itself.
Cybercrime Statistics
Only a limited amount of data is available describing how much is lost each year as a result of cybercrime. 1. A large portion takes place in private companies, where it is handled internally; no laws require private organizations to report all computer offenses 2. Most computer offenses are not discovered. The FBI estimates only 1% is detected; other estimates are 5-20%. Criminals are often caught as a result of luck, chance, or accident.
User Education
Making potential hackers aware of the ethics of computer usage and the inconvenience, lost time, and costs incurred by victim organizations
Increase Employee Awareness and Education
Many computer abusers are employees of the same companies at which the crimes take place. Informing employees of the significance of crime and abuse, what it costs, and the disruptions it creates can help employees understand why computer offenses are a serious matter. 1. Informal discussions, periodic departmental memos, and formal guidelines are among the most popular educational tools for informing employees about crime and abuse 2. Requiring new hires to sign security statements affirming that they have received, read, and understood policy statements 3. Providing channels that employees can use to report suspicious activity
Malware
Many types of malicious or damaging software (viruses, worms, and Trojan horses)
Privacy Policy
Most commercial websites have one. A comprehensive list of the information covered by the policy, such as the information the customer gives them, the cookies they use, email communications, and information received about the customer from other sources.
Noncriminal Backgrounds
Most of the convicted computer criminals had no prior criminal backgrounds. Most criminals view themselves as relatively honest, long-term borrowers rather than thieves, and have exercised great care to avoid harming individuals when they committed their computer offenses.
Ethical Hackers
Network and computer experts who purposely attack a secured system to help its owners find any vulnerabilities that could be exploited by a malicious hacker. Use same methods as malicious hackers but report findings to management. Certified Ethical Hacker certification available.
Accounting System Crimes
Often involve the falsification of data or unauthorized access to data and files.
Email threats
One of the most vulnerable areas for many firms and universities. Viruses can hide in emails that appear to come from friends or colleagues. Antispam software in addition to antivirus software may help.
Implement Controls
Org. should install control procedures to deter cybercrime, managers should enforce them, and both internal and external auditors should test them. Employee awareness of computer controls and the certainty of prosecution may also act as deterrents to cybercrime.
Assess Security Policies and Protect Passwords
Org. should regularly survey their computer security measures and assess potential areas of vulnerability. Org. should evaluate employee practices and educate users to protect their own computers.
Strong Passwords
Passwords that are difficult to guess: long nonsense words, or words with embedded capitals or random numbers.
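The dictionary-attack tactic listed under "Hackers' tactics to steal passwords", the password-checking software recommended under "Prevention of Hackers' Password Tactics", and the strong-password definition above fit together in one worked example. This is an added example, not code from the original notes: the policy (minimum 12 characters, an uppercase letter, a digit, not a dictionary word even with digits appended) and the six-word dictionary are assumptions for illustration, and SHA-256 is used only to mimic how a stolen password file looks to the attacker; a production system should use a slow, salted password hash such as bcrypt, scrypt or Argon2 (also an assumption, not from the notes).

```python
"""Password-checking software and the dictionary attack it defends against.

Added example, not part of the original notes. The policy rules, the word
list and the hash choice (plain SHA-256, chosen only to keep the attack
visible) are assumptions for illustration.
"""
import hashlib
import itertools
import re

# Constructed stand-in for "all the words in a standard dictionary".
DICTIONARY = ["password", "welcome", "summer", "letmein", "dragon", "monkey"]
MIN_LENGTH = 12  # assumed policy value


def policy_violations(password: str):
    """Return the rules a candidate password fails (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    # Strip trailing digits so "Summer2024" is still caught as dictionary-based.
    stem = re.sub(r"[0-9]+$", "", password).lower()
    if stem in DICTIONARY:
        problems.append("dictionary word (with digits appended)")
    return problems


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, standing in for a weak stored password hash."""
    return hashlib.sha256(text.encode()).hexdigest()


def candidate_passwords():
    """Yield guesses the way a simple cracking program does: every dictionary
    word in three capitalisations, each with a short number or a year appended."""
    for word in DICTIONARY:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for n in itertools.chain(range(100), range(1990, 2030)):
                yield f"{base}{n}"


def dictionary_attack(target_hash: str):
    """Return the recovered password, or None if no guess matched."""
    for guess in candidate_passwords():
        if sha256_hex(guess) == target_hash:
            return guess
    return None


if __name__ == "__main__":
    weak, strong = "Summer2024", "kettle-Orbit-42-marmalade"
    print(weak, "->", policy_violations(weak))
    print(strong, "->", policy_violations(strong))
    print("attack on weak:", dictionary_attack(sha256_hex(weak)))
    print("attack on strong:", dictionary_attack(sha256_hex(strong)))
```

The point the two functions make together: a password that the checker would have rejected falls to a few thousand guesses, while one that satisfies the policy is not in the attacker's candidate space at all. The checker belongs on the server at password-change time, which is the "password-checking software in file servers" the notes call for.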
Maintain Physical Security
Physical safeguards can be even more important than logical ones in deterring computer crime and abuse: "a good hammer beats a strong password every time." A common security problem is theft, especially of laptop computers and other electronic devices. Physical security includes protecting servers and workstations, enforcing "clean-desk policies" for employees, and protecting employee laptops and other portable devices against theft (monitoring cameras, motion detectors, and insurance are important measures). 1. Implement backup procedures 2. Develop and test a disaster recovery plan that enables a business to replace its critical computer systems in a timely fashion 3. Be careful about how outdated electronic devices and computers are disposed of: hard drives store sensitive data, and even after reformatting the drive the data may still be retrieved. A better approach is to use specialized file-deletion software that overwrites the data, or to physically destroy the disks.
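Point 3 above (a reformatted drive still holds its data) is demonstrated below with a toy block device. This is an added example, not code from the original notes: the "disk" is a bytearray with a one-block allocation table at the front, which is a deliberate simplification of a real file system, and the secret record is constructed. A quick format clears only the table, so a raw byte search (what a forensic carving tool does) still finds the data; an overwrite pass, which is what secure-deletion software does, destroys it.

```python
"""Why reformatting a drive does not remove its data.

Added example, not from the original notes. ToyDisk is a simplified model:
block 0 holds a one-byte-per-block allocation table, the remaining blocks
hold file data. Real file systems are more complex, but the principle
(format touches metadata, not data) is the same.
"""
import os

BLOCK_SIZE = 64
BLOCK_COUNT = 16
TABLE_BLOCKS = 1  # block 0 is the allocation table


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * BLOCK_COUNT)

    def write_file(self, data: bytes):
        """Store data in the first free blocks and mark them allocated.
        Returns the list of block numbers used."""
        free = [b for b in range(TABLE_BLOCKS, BLOCK_COUNT) if self.raw[b] == 0]
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if needed > len(free):
            raise OSError("disk full")
        used = free[:needed]
        for i, b in enumerate(used):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.raw[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
            self.raw[b] = 1
        return used

    def quick_format(self):
        """What a reformat does: zero the allocation table, touch no data."""
        for b in range(BLOCK_COUNT):
            self.raw[b] = 0

    def secure_wipe(self, passes: int = 3):
        """What secure-deletion software does: overwrite every byte of the
        device with random data several times, then with zeros."""
        for _ in range(passes):
            self.raw[:] = os.urandom(len(self.raw))
        self.raw[:] = bytes(len(self.raw))

    def allocated_blocks(self):
        """What the operating system sees: only blocks marked in the table."""
        return [b for b in range(TABLE_BLOCKS, BLOCK_COUNT) if self.raw[b] == 1]

    def carve(self, needle: bytes) -> bool:
        """What a forensic tool does: ignore the table, search every byte."""
        return needle in self.raw


# Constructed sensitive record (hypothetical data).
SECRET = b"SSN 123-45-6789 salary 98000"


def demonstrate():
    """Run the scenario and return (found after format, found after wipe)."""
    disk = ToyDisk()
    disk.write_file(SECRET)
    disk.quick_format()
    assert disk.allocated_blocks() == []        # the OS reports an empty disk
    after_format = disk.carve(SECRET)           # ...but the bytes are still there
    disk.secure_wipe()
    after_wipe = disk.carve(SECRET)
    return after_format, after_wipe


if __name__ == "__main__":
    fmt, wipe = demonstrate()
    print("recoverable after quick format:", fmt)
    print("recoverable after overwrite:   ", wipe)
```

On real hardware, wear levelling on SSDs can leave copies in blocks the operating system cannot address, which is why the notes' other recommendation, physical destruction, remains the safe default for drives that held sensitive data.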
Ethic Committees
Professional accounting associations at both the national and state level have established committees to assist practitioners in the self-regulation process. They provide members with continuing education courses, advice on ethical issues, investigations of possible ethics violations, and instructional booklets covering a variety of ethics case studies.
Encryption
Protects transmitted data that might be intercepted en route, and also stored data, which is rendered useless to a hacker even if they manage to gain access to files that are protected by other means.
Computer frauds
Refers specifically to the use of computers or networks to commit a fraudulent act: 1. the use of a computer to create an intentional, dishonest misrepresentation of fact 2. the intentional attempt to cause another person or business to do, or refrain from doing, something that causes loss.
Trojan Horse Programs
Reside in the disk space occupied by legitimate copies of computer programs (ex. spreadsheet programs)
Enlist Top-Management Support
Security safeguards are only effective if top management takes cybercrime seriously and chooses to financially support and enforce control procedures that stop, or at least minimize, cybercrime. A common complaint of security staff is that they must be able to justify their funding requests for investments in appropriate levels of security for the firm.
Logic Bomb
Similar to Trojan horse programs, except that they remain dormant until the computer system encounters a specific condition, such as a particular day of the year or a particular Social Security number in a file.
Smishing
Similar to phishing, but uses text messages (SMS) or cell phones instead of email.
Computer Abuse
Someone who does not have permission uses or accesses someone else's computer, or causes damage without intent to harm. Conducting unethical activities that do not violate criminal law or involve fraud. Motives may be revenge or challenge, and the acts do not inevitably violate criminal laws.
Accounting Related Fraud
Statement on Auditing Standards No. 99 identifies two types: 1. fraudulent financial reporting 2. misappropriation of assets
Misappropriation of assets
Stealing assets from a company; usually committed by employees within an organization or through collusion of employees and outside conspirators. The ACFE calls this occupational fraud and has developed a fraud tree to describe ways of misappropriating assets. Skimming, larceny, payroll tampering, and check tampering are examples.
Dumpster Diving
Stealing personal information from garbage cans. Other ways to steal identities are taking delivered or outgoing mail from house mail boxes, or making telephone solicitations that ask for personal info.
Integrated Computer-Assisted Surveillance System (ICASS)
A system programmed to automatically search for anomalies and to print exception conditions on control reports. Computerized monitoring systems are often superior to manual surveillance methods because they are automatic and can screen 100% of transactions and processes instead of merely a sample of the target population.
Codes of Ethics
The Institute of Management Accountants (IMA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), and the Information Systems Audit and Control Association (ISACA) have had codes of ethics or codes of professional conduct in force for a number of years. These codes are self-imposed and self-enforced rules of conduct that aid professionals in selecting among alternatives that are not clear-cut. The rules pertain to independence, technical competence, and proper practices during audits and consulting engagements involving information systems.
Query and Spreadsheet Skills (Data-Driven Techniques)
The ability to develop queries or spreadsheet manipulations to look for red flags is a valuable fraud detection tool.
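The ICASS entry above (screen 100% of transactions, print exception conditions) and this one (queries that look for red flags), together with the approved-vendor list under "Internal Control Weakness", describe one routine. The following is an added example, not code from the original notes: the payment file and the approved-vendor list are constructed, the four red-flag rules (vendor not on the approved list, duplicate invoice number for a vendor, amount just under an approval threshold, posting outside business hours) are common audit tests chosen for illustration, and the 5,000 approval limit and 8-to-18 business hours are assumed policy values.

```python
"""Automated surveillance over a payment file: every transaction is
screened and each red flag becomes a line on the control report.

Added example, not from the original notes. Transactions, vendor list,
rules and thresholds are all constructed for illustration.
"""
from collections import Counter
from datetime import datetime

APPROVED_VENDORS = {"V100", "V101", "V102"}
APPROVAL_LIMIT = 5000.00   # assumed: payments at or above this need a second signature
JUST_UNDER = 0.97          # flag amounts within 3% below the limit
BUSINESS_HOURS = range(8, 18)

# Constructed payment file: (txn id, vendor, invoice no, amount, posted by, posted at)
PAYMENTS = [
    ("T1", "V100", "INV-551", 1200.00, "acct01", "2024-03-04 10:15"),
    ("T2", "V101", "INV-7800", 4900.00, "acct02", "2024-03-04 11:40"),
    ("T3", "V101", "INV-7800", 4900.00, "acct02", "2024-03-05 09:05"),
    ("T4", "V999", "INV-12", 3300.00, "acct02", "2024-03-05 23:47"),
    ("T5", "V102", "INV-31", 250.00, "acct01", "2024-03-06 14:20"),
]


def exception_report(payments):
    """Return a list of (txn id, reason) tuples. Unlike a sampled manual
    review, every record is examined against every rule."""
    exceptions = []
    # Count (vendor, invoice) pairs once up front so duplicates are cheap to spot.
    invoice_count = Counter((p[1], p[2]) for p in payments)
    for txn, vendor, invoice, amount, user, posted in payments:
        when = datetime.strptime(posted, "%Y-%m-%d %H:%M")
        if vendor not in APPROVED_VENDORS:
            exceptions.append((txn, f"vendor {vendor} not on approved list"))
        if invoice_count[(vendor, invoice)] > 1:
            exceptions.append((txn, f"duplicate invoice {invoice} for {vendor}"))
        if APPROVAL_LIMIT * JUST_UNDER <= amount < APPROVAL_LIMIT:
            exceptions.append((txn, f"amount {amount:.2f} just under approval limit"))
        if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
            exceptions.append((txn, f"posted outside business hours ({posted})"))
    return exceptions


def flagged_users(payments):
    """Summary view for the report: how many exceptions each user generated."""
    by_txn = {p[0]: p[4] for p in payments}
    return Counter(by_txn[txn] for txn, _ in exception_report(payments))


if __name__ == "__main__":
    print("CONTROL REPORT - EXCEPTION CONDITIONS")
    for txn, reason in exception_report(PAYMENTS):
        print(f"  {txn}: {reason}")
    print("exceptions by user:", dict(flagged_users(PAYMENTS)))
```

The same rules are a few lines of SQL or a handful of spreadsheet formulas; the value is in running them over the whole population on a schedule rather than over a sample when someone happens to look.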
Education
The average computer criminal often does not fit the profile of uniformly bright, motivated, talented, and college-educated individuals. Highly educated fraudsters do steal more when they do commit cybercrimes.
Anomalies
The presence of anomalies that somehow go unchallenged is an important clue that can reveal computer fraud (a common-sense factor).
Accounting Irregularities
To embezzle funds successfully, employees commonly alter, forge, or destroy input documents, or perform suspicious accounting adjustments.
Data & Text Mining
Tools that allow meaningful patterns to be detected in massive data sets. "Big Data" refers to the fact that many organizations now capture nearly endless quantities of data, to the point that companies are losing the ability to interpret the data they have collected. Examples: 1. Software that analyzes corporate emails to identify language patterns indicative of employee intent to commit fraud 2. Identification of anomalies in accounting data, such as salespeople whose history of phone GPS locations does not match the information on their travel reimbursement forms
Trojan Horses/Logic Bombs vs Viruses
Trojan horses and logic bombs are termed "programs" rather than "viruses" because they sometimes contain code to defraud users, whereas viruses are more likely to destroy or disrupt computer resources.
Phishing scams
Use emails or websites that claim to be legitimate but ask you to provide or update personal information such as an account number, credit card number, or password.
Social Engineering
Used to gain access to passwords. Examples: posing as a bona fide employee and convincing network administrators to give out passwords over the phone; or posing as a new, helpless employee who appears desperate and "borrows" a password from a fellow worker to deal with a fictitious "emergency." The practice of giving passwords to unknown employees should never be allowed.
Meeting Ethical Challenges
Ways that organizations can encourage ethical behavior: 1. Inform employees that ethics are important 2. Formally expose employees to relevant cases that teach them how to act responsibly in specific situations 3. Teach by example, that is, by managers acting responsibly 4. Use job promotions and other benefits to reward employees who act responsibly
Hacking
A widespread problem because many computer applications now involve cloud, local, and wide area networks, where computer files become accessible to unauthorized users. With the widespread use of cloud-based and Internet-based services, users can log onto a vast array of systems from remote sites.
Denial-of-service attacks
A single virus or worm program enlists the aid of innocent "zombie" computers, which then send email messages to, or request services from, the target system. The barrage of incoming mail or service requests overwhelms the target system, typically forcing its owners to take it offline.