Computer Fraud and Security
Merle P. Martin, College of Business, CSU Sacramento, 7/11/02


Agenda
- Extent of fraud
- Process of fraud
- Why fraud occurs
- Approaches and techniques used to commit computer fraud
- How to deter and detect computer fraud

E-Commerce Fraud
- Worldwide E-Commerce Fraud Prevention Network, 2000
- 50% of e-retailers: online fraud a significant problem
- 50% reported online losses of $ $10,000 in 1st quarter
- 19% lost over $100,000

E-Commerce Fraud
- Overall fraud rate is 7 cents per $100 in sales
- Rate thought to be 3 to 4 times higher for e-commerce transactions
- Measures used to prevent fraud:
  - address verification: 70%
  - customer follow-up: 54%
  - after-the-fact fraud handling: 43%

E-Commerce Fraud
- Gartner Group survey, 7/00
- Online retailers suffer 12 times as many incidents of fraud as offline retailers
- Especially common with products that can be downloaded

Internet Fraud
- Internet Fraud Complaint Center (IFCC), a federal agency
- 2001 Internet Fraud Report:
  - top 10 complaint categories
  - dollar loss
  - perpetrator characteristics

Types of Internet Fraud
- Auction fraud: 42.8%
- Non-delivery: 20.3%
- Credit card fraud: 9.4%
- Business fraud: 1.4%
- Identity theft: 1.3%
- Check fraud: 0.6%

Average Dollars Lost
- Auction fraud: $395
- Non-delivery: $325
- Credit card: $450
- Business fraud: $160
- Identity theft: $3000
- Check fraud: $910

Perpetrators
- 76% individuals, as opposed to businesses
- 81% in 5 states
- Highest per capita (per 100K population): Nevada 11.9; California 4th
- 81.3% male

Extent of Fraud
- "Fraud: The Unmanaged Risk", Ernst & Young, 2000
- 739 responses (companies)
- Key findings
- What is computer fraud?
- What isn't computer fraud?

Key Findings
- More than two thirds of respondents have suffered fraud loss during the last 12 months
- One in 10 suffered more than 50 frauds
- Worst frauds: only 29% of total value recovered to date

Who Does It?
- 82% by employees
  - one third of these by management
  - half had been in the organization more than 5 years
  - one quarter had been in the organization more than 10 years

Potential
- 80% concerned that significant fraud could occur within the organization
- Four out of 10 who were concerned had no explicit policy for fraud reporting

Resulting Actions
- Worst frauds:
  - 38% prosecuted
  - 28% dismissed
  - 2% no action
  - Other 32%?
- Rare headline: "Stockbroker jailed in fraud case." (Australian Financial Review, 3/4/2000)

Computer Fraud
- Respondents asked to consider nine examples of computer-related fraud
- High agreement on only four types:
  - manipulation of data records held on computer to disguise the true nature of a transaction (97%)

Computer Fraud (cont.)
  - hacking into the organization's computer system to steal or manipulate organizational information (97%)
  - manipulation of computer programs to disguise the true nature of a transaction (97%)
  - unauthorized electronic transfer of funds (96%)

Not Computer Fraud?
- Use of organizational hardware and software for personal use:
  - only 26% considered it computer fraud
  - 86% believed this was happening
  - "organizations turning a blind eye to this use"

Not Computer Fraud?
- Only 40% of respondents considered improper access to the Internet a fraud
- But two-thirds of high-tech firms considered it fraud
- No substantial costs to the organization

Insider Fraud
- Joint 2002 study by FBI and Computer Security Institute
- Only 38% of respondents detected insider attacks during the preceding 12 months
- Down from:
  - 71% in 2000
  - 49% in 2001

Insider Fraud
- Reduction in insider threat, or not being caught as often?
- Insider threats have become more cunning and sophisticated
- "I don't believe that many corporations know that the majority of attacks occur behind the firewall." Mike Hager, VP Network Security, OppenheimerFunds

Agenda
- Extent of fraud
- Process of fraud
- Why fraud occurs
- Approaches and techniques used to commit computer fraud
- How to deter and detect computer fraud

The Fraud Process
- Most frauds involve three steps:
  - the theft of something
  - the conversion to cash
  - the concealment

The Fraud Process
- Common way to hide a theft: charge the stolen item to an expense account
- Payroll example: add a fictitious name to the company's payroll

The Fraud Process
- Lapping:
  - perpetrator steals cash received from customer A to pay its accounts receivable
  - funds received at a later date from customer B are used to pay off customer A's balance, etc.
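
The control that exposes lapping is an independent comparison of what actually arrived (bank deposit detail or remittance advices) against what the receivables clerk posted. The following is an added example, not part of the lecture: the `Remittance`/`Posting` records, the `find_lapping_indicators` function and the customer data are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Remittance:
    """What the bank deposit detail / remittance advice says arrived."""
    receipt_id: str
    payer: str
    amount: float


@dataclass(frozen=True)
class Posting:
    """What the receivables clerk credited in the AR ledger."""
    receipt_id: str
    customer_credited: str
    amount: float


def find_lapping_indicators(remittances: List[Remittance],
                            postings: List[Posting]) -> List[Tuple[str, str]]:
    """Compare independent deposit detail against AR postings.

    Returns (receipt_id, reason) for every receipt that does not reconcile.
    The comparison must be performed by someone other than the person who
    posts cash receipts; otherwise the same hands that lap can align the lists.
    """
    posted = {p.receipt_id: p for p in postings}
    findings: List[Tuple[str, str]] = []
    for r in remittances:
        p = posted.get(r.receipt_id)
        if p is None:
            findings.append((r.receipt_id, "cash received but never posted to AR"))
        elif p.customer_credited != r.payer:
            # the lapping signature: one customer's cash applied to another's balance
            findings.append((r.receipt_id,
                             f"paid by {r.payer} but credited to {p.customer_credited}"))
        elif abs(p.amount - r.amount) > 0.005:
            findings.append((r.receipt_id,
                             f"posted {p.amount:.2f} but received {r.amount:.2f}"))
    remitted = {r.receipt_id for r in remittances}
    for p in postings:
        if p.receipt_id not in remitted:
            findings.append((p.receipt_id, "AR credit with no matching deposit"))
    return findings


# Constructed sample. Customer A's 500.00 was taken before deposit, so it never
# appears in the bank detail; the clerk then applies B's cash to A's balance and
# C's cash to B's balance to keep the aging current. D's receipt is legitimate.
SAMPLE_REMITTANCES = [
    Remittance("R2", "B", 500.00),
    Remittance("R3", "C", 500.00),
    Remittance("R4", "D", 120.00),
]
SAMPLE_POSTINGS = [
    Posting("R2", "A", 500.00),
    Posting("R3", "B", 500.00),
    Posting("R4", "D", 120.00),
]

if __name__ == "__main__":
    for receipt_id, reason in find_lapping_indicators(SAMPLE_REMITTANCES, SAMPLE_POSTINGS):
        print(receipt_id, reason)
```

Run against the sample, the check flags R2 and R3 (payer and credited customer differ) and passes R4. The segregation of duties noted in the docstring is what makes the check meaningful; the later "Deter and Detect" slides list it among the controls that increase the difficulty of committing fraud.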

The Fraud Process
- Kiting:
  - perpetrator covers up a theft by creating cash through transfers of money between banks
  - perpetrator deposits a check from bank A to bank B and then withdraws the money

Kiting (cont.)
- Since there are insufficient funds in bank A to cover the check, the perpetrator deposits a check from bank C to bank A before the check to bank B clears
- Since bank C also has insufficient funds, money is deposited to bank C before the check to bank A clears
- The scheme continues in order to keep checks from bouncing

Agenda
- Extent of fraud
- Process of fraud
- Why fraud occurs
- Approaches and techniques used to commit computer fraud
- How to deter and detect computer fraud

Why Fraud Occurs
- Common characteristics of fraud perpetrators:
  - most spend their illegal income rather than invest or save it
  - once they begin the fraud, it is very hard for them to stop
  - they usually begin to rely on the extra income

Why Fraud Occurs
- Perpetrators of computer fraud tend to be younger and possess more computer knowledge, experience, and skills
- Some computer fraud perpetrators are more motivated by curiosity and the challenge of "beating the system"
- Others commit fraud to gain stature among others in the computer community

Why Fraud Occurs
- Three conditions necessary for fraud to occur:
  - pressure or motive
  - opportunity
  - rationalization

Pressures
- Some financial pressures:
  - living beyond means
  - high personal debt
  - "inadequate" income
  - poor credit ratings
  - heavy financial losses
  - large gambling debts

Pressures
- Some work-related pressures:
  - low salary
  - non-recognition of performance
  - job dissatisfaction
  - fear of losing job
  - overaggressive bonus plans

Pressures
- Other pressures:
  - challenge
  - family/peer pressure
  - emotional instability
  - need for power or control
  - excessive pride or ambition

Opportunities
- Opportunity is a condition or situation that allows a person to commit and conceal a dishonest act
- Opportunities often stem from a lack of internal controls
- The most prevalent opportunity for fraud results from a company's failure to enforce its system of internal controls

Rationalizations
- Most perpetrators have an excuse (rationalization) allowing them to justify their illegal behavior
- Some rationalizations:
  - just "borrowing" stolen assets
  - not hurting a real person, just a computer system

Fraud Tendencies (diagram)
Levels: Top-Level Managers; Middle-Level Managers; Operational Level
Annotations: Increasing ability to override control mechanisms; Strongest control mechanisms; Greatest frequency of fraud

Agenda
- Extent of fraud
- Process of fraud
- Why fraud occurs
- Approaches and techniques used to commit computer fraud
- How to deter and detect computer fraud

Definitions
- Data Integrity: "... requirement that information and programs are changed only in a specified and authorized manner." (Computers at Risk, pg. 54, National Academy Press, 1991)

Definitions
- System Integrity: "... requirement that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system." (National Computer Security Center, Pub. NCSC-TG)

Definitions
- Availability: "... requirement intended to assure that systems work promptly and service is not denied to authorized users." (Computers at Risk, pg. 54)

Computer Fraud
- U.S. Department of Justice defines computer fraud as: "... any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution"

Computer Fraud Types
- Unauthorized use, access, modification, copying, and destruction of software or data
- Theft of money by altering computer records, or theft of computer time
- Theft or destruction of computer hardware

Computer Fraud Types (cont.)
- Use or conspiracy to use computer resources to commit a felony
- Intent to illegally obtain information or tangible property through the use of computers

Rise in Computer Fraud
- Organizations that track computer fraud estimate that 80% of U.S. businesses have been victimized by at least one incident of computer fraud
- However, no one knows for sure exactly how much companies lose to computer fraud
- Why?

Rise in Computer Fraud
- Disagreement on what computer fraud is
- Many computer frauds go undetected or unreported
- Most networks have a low level of security
- Many Internet pages tell how to perpetrate computer crimes
- Law enforcement is unable to keep up with fraud

Malicious Code
- Virus: code segment that replicates itself by attaching copies to existing executables
- Trojan Horse: program that performs a desired task, but also includes unexpected (undesired) functions
- Worm: self-replicating program that is self-contained; does not require a host program
(NIST Special Publication 800-5)

Computer Fraud and Abuse Techniques
- Textbook lists 26 abuse techniques
- Four are of special interest to accountants

Fraud Techniques
- Round-down:
  - interest calculations to 2 decimal places
  - fractions posted to a bogus account
  - books balance

Fraud Techniques
- Salami:
  - tiny slices of money stolen over a period of time
  - e.g., increase all production costs by a fraction of a percent
  - post to a bogus account
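
Both the round-down and the salami technique rely on the books still balancing, so a total-only check never fires. What does catch them is an independent recomputation of the batch under the documented rounding policy, plus a check that every credit lands on an account entitled to receive it. The following is an added example, not from the lecture or its textbook; the account numbers, the rate, the `SUSP-9` suspense account and the function names are constructed for the demo, and the `simulated_round_down_run` helper only exists to produce the tampered batch the reconciliation is tested against.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP
from typing import Dict, List, Tuple

CENT = Decimal("0.01")


def honest_interest_run(balances: Dict[str, Decimal], rate: Decimal) -> List[Tuple[str, Decimal]]:
    """Documented posting policy: each account gets its interest rounded half-up to the cent."""
    return [(acct, (bal * rate).quantize(CENT, rounding=ROUND_HALF_UP))
            for acct, bal in balances.items()]


def simulated_round_down_run(balances: Dict[str, Decimal], rate: Decimal,
                             bogus_account: str) -> List[Tuple[str, Decimal]]:
    """Constructed for the demo only: the slide's round-down scheme, in which each
    account is truncated to the cent and the shaved fractions go to one account."""
    postings, shaved = [], Decimal("0")
    for acct, bal in balances.items():
        exact = bal * rate
        floored = exact.quantize(CENT, rounding=ROUND_DOWN)
        postings.append((acct, floored))
        shaved += exact - floored
    postings.append((bogus_account, shaved.quantize(CENT, rounding=ROUND_DOWN)))
    return postings


def reconcile_interest_run(balances: Dict[str, Decimal], rate: Decimal,
                           postings: List[Tuple[str, Decimal]]) -> List[str]:
    """Independent recomputation of the run. Returns findings; empty means it reconciles."""
    findings: List[str] = []
    credited = defaultdict(Decimal)
    for acct, amount in postings:
        credited[acct] += amount
    # 1. interest may only be credited to interest-bearing customer accounts
    for acct, total in credited.items():
        if acct not in balances:
            findings.append(f"interest credited to non-customer account {acct}: {total}")
    # 2. every customer's credit must equal the recomputed, policy-rounded amount;
    #    Decimal (not float) so the recomputation itself introduces no rounding noise
    expected = {acct: (bal * rate).quantize(CENT, rounding=ROUND_HALF_UP)
                for acct, bal in balances.items()}
    short = {acct: expected[acct] - credited[acct]
             for acct in balances if credited[acct] != expected[acct]}
    if short:
        findings.append(f"{len(short)} account(s) differ from recomputed interest; "
                        f"net shortfall {sum(short.values())}")
    return findings


# Constructed sample balances and a monthly rate of 1.25%.
SAMPLE_BALANCES = {
    "C1001": Decimal("1234.56"),   # exact interest 15.432000 -> 15.43 either way
    "C1002": Decimal("873.21"),    # exact 10.915125 -> 10.92 half-up, 10.91 truncated
    "C1003": Decimal("15000.00"),  # exact 187.5 -> 187.50 either way
    "C1004": Decimal("42.17"),     # exact 0.527125 -> 0.53 half-up, 0.52 truncated
}
SAMPLE_RATE = Decimal("0.0125")

if __name__ == "__main__":
    print("honest run:", reconcile_interest_run(SAMPLE_BALANCES, SAMPLE_RATE,
                                               honest_interest_run(SAMPLE_BALANCES, SAMPLE_RATE)))
    tampered = simulated_round_down_run(SAMPLE_BALANCES, SAMPLE_RATE, "SUSP-9")
    for finding in reconcile_interest_run(SAMPLE_BALANCES, SAMPLE_RATE, tampered):
        print("tampered run:", finding)
```

The honest batch reconciles with no findings; the truncated batch produces two: a credit to `SUSP-9`, which holds no balance and should never receive interest, and two customers credited a cent below the recomputed amount. The same two checks (recompute independently, verify the target of every posting) apply to the salami variant on this slide, since a fractional mark-up on every production cost also has to be parked somewhere.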

Fraud Techniques
- Trojan Horse:
  - unauthorized computer instructions in an authorized program
  - performs an illegal operation at:
    - a predetermined time
    - a predetermined set of conditions
  - aka "time bomb"

Fraud Techniques
- Data diddling: changing data before, during, or after entering it
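
The Data Integrity definition earlier in the deck (information changed "only in a specified and authorized manner") is exactly what data diddling after entry violates, and an integrity check on the stored records is what makes such a change visible. The following is an added example, not from the lecture: a transaction journal where each entry carries an HMAC over its own fields and the previous entry's tag, so that an edit, deletion or reordering made outside the authorized `append_entry` path fails verification at that entry. `DEMO_KEY`, the function names and the sample postings are constructed; in production the key would be held in an HSM or secrets manager and never in the application that writes entries.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed demo key. In a real deployment this lives outside the posting application.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _tag(key: bytes, prev_tag: str, record: Dict) -> str:
    """HMAC-SHA256 over the previous tag and a canonical encoding of this record."""
    # sort_keys + fixed separators: the same record always produces the same bytes,
    # so field order cannot be used to produce a second, equivalent encoding
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"|" + canonical, hashlib.sha256).hexdigest()


def append_entry(journal: List[Dict], record: Dict, key: bytes = DEMO_KEY) -> Dict:
    """The authorized path: the only way entries are supposed to be written."""
    prev = journal[-1]["tag"] if journal else "GENESIS"
    entry = {"seq": len(journal), "record": dict(record), "tag": _tag(key, prev, record)}
    journal.append(entry)
    return entry


def verify_journal(journal: List[Dict], key: bytes = DEMO_KEY) -> Optional[int]:
    """Return None if the journal is intact, else the seq of the first entry that fails."""
    prev = "GENESIS"
    for expected_seq, entry in enumerate(journal):
        if entry["seq"] != expected_seq:          # deletion or reordering
            return expected_seq
        if not hmac.compare_digest(entry["tag"], _tag(key, prev, entry["record"])):
            return expected_seq                   # field changed after entry
        prev = entry["tag"]
    return None


def build_sample_journal() -> List[Dict]:
    """Constructed sample postings written through the authorized path."""
    journal: List[Dict] = []
    append_entry(journal, {"acct": "C1001", "type": "invoice", "amount": "250.00"})
    append_entry(journal, {"acct": "C1001", "type": "payment", "amount": "250.00"})
    append_entry(journal, {"acct": "C1002", "type": "invoice", "amount": "80.00"})
    return journal


if __name__ == "__main__":
    journal = build_sample_journal()
    print("intact journal, first bad seq:", verify_journal(journal))
    journal[1]["record"]["amount"] = "25.00"      # after-entry data diddling
    print("edited journal, first bad seq:", verify_journal(journal))
```

An authorized correction is made by appending a reversing entry, never by editing the original, so an intact chain plus a complete entry history is what "changed only in a specified and authorized manner" looks like in storage. The check detects alteration after the fact; changes made before or during entry (the other two cases on the slide) need input validation and segregation of duties at the point of entry, which this journal does not address.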

Agenda
- Extent of fraud
- Process of fraud
- Why fraud occurs
- Approaches and techniques used to commit computer fraud
- How to deter and detect computer fraud

Loss / Fraud Conditions
- Threat: potential adverse or unwanted event that can be injurious to the AIS
- Exposure: potential maximum $ loss if the event occurs
- Risk: likelihood that the event will occur
- Expected Loss: Risk * Exposure

Decreasing Fraud (diagram)
Stages: Potential Fraud; Probable Fraud; Actual Fraud; Detected / Undetected; Prosecution
Factors between stages: Motivation; Difficulty; Detection
Controls: Control Culture; Internal Controls; Internal Audits

Undetected Fraud (graph)
Axes: Percent Fraud Detected (L to H) vs. Internal Control Costs (L to H)
- Internal Control Costs = Expected Fraud Losses
- Similar to auditor's "threshold value"
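
The Expected Loss = Risk * Exposure arithmetic from the "Loss / Fraud Conditions" slide, together with the threshold on this one (spend on internal control up to the point where its cost equals the expected fraud loss it removes), is easiest to see with numbers. The following is an added example, not from the lecture; the three threats, their exposures, probabilities and the control cost are constructed illustrations, and `Threat`, `expected_loss`, `rank_threats` and `control_worth_buying` are names chosen for this demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    exposure: float   # potential maximum $ loss if the event occurs
    risk: float       # likelihood the event occurs in the period, 0..1


def expected_loss(threat: Threat) -> float:
    """Expected Loss = Risk * Exposure, as defined on the slide."""
    return threat.risk * threat.exposure


def total_expected_loss(threats: List[Threat]) -> float:
    return sum(expected_loss(t) for t in threats)


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Largest expected loss first: the order in which control spending should be considered."""
    return sorted(threats, key=expected_loss, reverse=True)


def control_worth_buying(threats: List[Threat], control_cost: float,
                         residual_risk: Dict[str, float]) -> Tuple[float, bool]:
    """Apply the slide's threshold: a control is worth buying while its cost is at or
    below the expected loss it removes. residual_risk maps a threat name to the
    likelihood that remains once the control is in place; unlisted threats are unchanged.
    Returns (net benefit, worth_buying)."""
    before = total_expected_loss(threats)
    after = sum(residual_risk.get(t.name, t.risk) * t.exposure for t in threats)
    reduction = before - after
    return reduction - control_cost, reduction >= control_cost


# Constructed figures for three of the fraud types discussed in the deck.
SAMPLE_THREATS = [
    Threat("payroll ghost employee", exposure=120_000, risk=0.05),
    Threat("unauthorized electronic funds transfer", exposure=2_000_000, risk=0.002),
    Threat("personal use of company hardware/software", exposure=5_000, risk=0.9),
]

# Constructed control: payroll segregation of duties plus dual authorization of transfers,
# costing 7,000 per year and cutting the first two risks to 1% and 0.05% respectively.
SAMPLE_CONTROL_COST = 7_000
SAMPLE_RESIDUAL_RISK = {
    "payroll ghost employee": 0.01,
    "unauthorized electronic funds transfer": 0.0005,
}

if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{t.name:45s} expected loss {expected_loss(t):>10,.2f}")
    net, ok = control_worth_buying(SAMPLE_THREATS, SAMPLE_CONTROL_COST, SAMPLE_RESIDUAL_RISK)
    print(f"control net benefit {net:,.2f}; worth buying: {ok}")
```

Ranking by expected loss rather than by exposure is the point of the first slide: the high-probability, low-exposure misuse of company equipment (4,500) outranks the catastrophic but unlikely funds transfer (4,000). The control in the sample removes 7,800 of expected loss for a 7,000 cost, so it clears the threshold; raise its cost above 7,800 and the same function says to stop spending, which is the downward-sloping trade-off the graph on this slide draws.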

Preventing / Deterring Fraud
- Make less likely to occur
- Increase difficulty
- Improve detection
- Reduce losses
- Prosecute / incarcerate perpetrators

Emphasis
- From the Aggie handbook:
  - "An ounce of preventive is worth a pound of detective or corrective"
  - "A good, advertised detective control can be a deterrent to crime."

Deter and Detect  Make fraud less likely to occur: Proper hiring / firing Proper hiring / firing Manage disgruntled employees Manage disgruntled employees Train employees in security and fraud prevention Train employees in security and fraud prevention Manage and track software licenses Manage and track software licenses Require signed confidentiality agreements Require signed confidentiality agreements

Deter and Detect  Increase difficulty of committing fraud: u Develop strong system of internal controls u Segregate duties u Require vacations and rotate duties u Restrict access to computer equipment and data files u Encrypt data and programs

Deter and Detect  Improve detection methods Protect telephone lines and system from viruses Protect telephone lines and system from viruses Control sensitive data Control sensitive data Control laptop computers Control laptop computers Monitor hacker information Monitor hacker information

Deter and Detect  Reduce fraud losses: u Maintain adequate insurance u Store backup copies of programs and data files in secure, off-site location u Develop contingency plan for fraud occurrences u Use software to monitor system activity and recover from fraud

Deter and Detect  Prosecute and incarcerate fraud perpetrators: t Most fraud cases go unreported and are not prosecuted u Many cases of computer fraud are as yet undetected u Companies are reluctant to report computer crimes

Why No Prosecution?
- Law enforcement officials and courts are so busy with violent crimes that there is little time for fraud cases
- Difficult, costly, and time-consuming to investigate
- Many law enforcement officials, lawyers, and judges lack the computer skills needed to prosecute computer crimes

Fraud Case Study
- Georgia Bureau of Investigation spent 18 months investigating an alleged corporate computer criminal
- Oct 01: charged him with 8 felony counts under Georgia computer crime law
- Each count could carry a $50K fine and 15 years in prison

Fraud Case Study
- Result? Jan 02, plea bargain:
  - $2100 in fines
  - one year probation
  - 80 hours community service
- Deterrent or incentive?
- Why a plea bargain?

Topics Covered
- Process of fraud
- Why fraud occurs
- Approaches and techniques used to commit computer fraud
- How to deter and detect computer fraud