ACCT341, Chapter 11 Computer Crime, Ethics, and Privacy

Presentation transcript:

ACCT341, Chapter 11: Computer Crime, Ethics, and Privacy
- Introduction
- Computer Crime, Abuse, and Fraud
- Examples of Computer Crimes
- Mitigating Computer Crime and Fraud
- Ethical Issues, Privacy, and Identity Theft

Computer Crime
- Involvement of the computer in a criminal act, directly or indirectly.
- The definition is important: it affects how statistics are accumulated.
- "It said 'hit any key to continue', so I did, just with a hammer." Is smashing a computer with a sledgehammer considered computer crime?
- Only a small proportion of computer crime gets detected.

Computer Crime & Abuse - the Difference
- Computer crime involves the manipulation of a computer or computer data to dishonestly obtain money, acquire property, or get some other advantage of value, or to cause a loss.
- Computer abuse is when someone's computer is used or accessed in a mischievous manner with a motive of revenge or challenge; it is punishable in extreme cases.
- Should Adrian Lamo have been arrested? Case 11.1, p. 343

Examples of Computer Crimes
- A computer dating service was sued because referrals for dates were few and inappropriate. The owner eventually admitted that no computer was used to match dates, even though the use of a computer was advertised.
- Case 11.2, p. 344: Donald Burleson, a disgruntled programmer, created a logic bomb that erased 168k of data records and held up paychecks for a month. It would have been more serious if not discovered early. [Logic bombs are programs that remain dormant until a circumstance or date triggers the fuse.]

Common Types of Computer Crime and Abuse

Federal Legislation
- The Computer Fraud and Abuse Act (CFAA) of 1986, which was amended in 1994 and 1996
- Defines computer fraud as an illegal act for which computer technology is essential for its perpetration, investigation, or prosecution.
- Defines 7 fraudulent acts; the first three are described as misappropriation of assets and the last four as "other" crimes.

CFAA Fraudulent Acts
- Unauthorized theft, use, access, modification, copying, or destruction of software or data.
  - King Soopers, p. 345
- Theft of money by altering computer records or the theft of computer time.
  - Salami technique, P#14 (salami is made from many small pieces of meat, salt, beef, garlic).
- Intent to illegally obtain information or tangible property through the use of computers.
  - Send office supplies invoices, Case 11.7, p. 357.

CFAA Fraudulent Acts (cont.)
- Use or the conspiracy to use computer resources to commit a felony.
  - Sjiem-Fat created bogus cashier checks to buy computer equipment for resale in the Caribbean, p. 345-6
- Theft, vandalism, destruction of computer hardware.
  - Disgruntled taxpayer shoots IRS computers, p. 346
- Trafficking in passwords or other login information for accessing a computer.
- Extortion that uses a computer system as a target.
  - Disgruntled employee steals data for ransom, p. 34679

Federal Legislation Affecting the Use of Computers
- Fair Credit Reporting Act of 1970
- Freedom of Information Act of 1970
- Federal Privacy Act of 1974
- Small Business Computer Security and Education Act of 1984
- Computer Fraud and Abuse Act of 1986

Federal Legislation Affecting the Use of Computers (cont.)
- Computer Fraud and Abuse Act (1996 amendment)
- Computer Security Act of 1987
- USA Patriot Act of 2001
- Cyber Security Enhancement Act of 2002
- CAN-SPAM Act of 2003

The Lack of Computer-Crime Statistics
Data is not available because:
- private companies handle abuse internally to prevent embarrassment
- surveys of computer abuse are often ambiguous
- most computer abuse is probably not discovered (FBI estimates only 1% detected)

The Growth of Computer Crime
Computer crime is growing because of:
- Exponential growth in computer resources
- Internet gives step-by-step instructions on how to perpetrate computer crime
- Continuing lax security (in one test, only 3 out of 2200 websites knew they were being targeted; see Case 11.3, p. 347)

Importance for Accountants
Computer crime and abuse are important to accountants because:
- AISs help control an organization's financial resources
- AISs are favored targets of disgruntled employees seeking financial gain or revenge
- accountants are responsible for designing, implementing, and monitoring the control procedures for AISs
- firms suffer millions of dollars in computer-related losses due to viruses, unauthorized access, and denial of service attacks
- the average cost to the target company of computer abuse per incident is $500k

Computer Crime Cases
- Compromising Valuable Information: The TRW Credit Data Case
  - Selling credit scores, data diddling
- Computer Hacking: Kevin Mitnick and social engineering
  - Reasons to hack: financial gain, revenge, challenge, curiosity, pranks, industrial espionage
  - Max. penalty is 5 years prison + $250k fine.
- Denial of service: The 2003 Internet Crash
  - A very speedy computer worm, the Slammer worm (cost > $1b and we don't know who did it)
  - Note: unlike a virus, a worm doesn't destroy data, just reproduces until the system is overloaded

Robert T. Morris and the Internet Virus
- Created one of the world's most famous computer viruses
- Became the first person to be indicted under the Computer Fraud and Abuse Act of 1986
- The case illustrated the vulnerability of networks to virus infections.

Computer Viruses
- A computer VIRUS is a program that disrupts normal data processing and that can usually replicate itself onto other files, computer systems or networks.
- WORM: in contrast to most viruses, a worm doesn't destroy data, but it replicates itself until the user runs out of memory or disk space.

Computer Virus Programs
- Trojan Horse programs reside in legitimate computer programs.
- Logic Bomb programs remain dormant until the computer system encounters a specific condition.
- A virus may be stored in an applet, which is a small program stored on a WWW server.

Methods for Thwarting Computer Abuse
- Enlist top management support
- Increase employee awareness and education, and have a hotline
- Conduct security inventory
- Protect passwords
  - Social engineering, phishing, smishing: posing as bona fide when actually fake
  - Prevented by:
    - Lock-out systems: disconnecting users after a set number of unsuccessful login attempts
    - Dial-back systems: disconnecting all login users, reconnecting legitimate users after checking their passwords
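
The lock-out control on this slide, sketched as an added example (not part of the original presentation). The threshold, time window, lock duration, class name and sample events are all assumptions chosen for illustration; the slide only says "a set number of unsuccessful login attempts".

```python
from dataclasses import dataclass, field

MAX_FAILURES = 3     # assumed threshold ("a set number" on the slide)
WINDOW_SECS = 300    # assumed: failures older than this are forgotten
LOCKOUT_SECS = 900   # assumed: how long an account stays locked


@dataclass
class LockoutPolicy:
    failures: dict = field(default_factory=dict)      # user -> failure times
    locked_until: dict = field(default_factory=dict)  # user -> unlock time

    def attempt(self, user: str, password_ok: bool, now: int) -> str:
        """Return 'locked', 'denied' or 'granted' for one login attempt."""
        if now < self.locked_until.get(user, 0):
            return "locked"  # refuse even a correct password while locked
        if password_ok:
            self.failures.pop(user, None)  # a success clears the counter
            return "granted"
        # Count only failures that fall inside the sliding window.
        recent = [t for t in self.failures.get(user, [])
                  if now - t < WINDOW_SECS]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECS
            self.failures.pop(user, None)
            return "locked"
        return "denied"


# Constructed sample events: (time in seconds, user, password correct?)
SAMPLE_EVENTS = [
    (0, "alice", False), (10, "alice", False), (20, "alice", True),
    (30, "bob", False), (40, "bob", False), (50, "bob", False),
    (60, "bob", True),      # correct password, but account is locked
    (1000, "bob", True),    # lock has expired
    (2000, "carol", False), (2100, "carol", False), (2400, "carol", False),
]


def replay(events):
    """Feed events through a fresh policy and collect each decision."""
    policy = LockoutPolicy()
    return [policy.attempt(user, ok, t) for t, user, ok in events]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", result)
```

The carol events show why the window matters: three failures spread over more than five minutes never trip the lock, so the window and threshold have to be chosen together.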

Methods for Thwarting Computer Abuse
- Occupation of Computer Abusers
- Implement controls
- Identify computer criminals
  - Look at technical backgrounds, morals, gender and age
- Physical security
  - secure location
  - backup
  - proper disposal (>1/3 of used hard drives for sale contained personal info; see Case 11.9)

Methods for Thwarting Computer Abuse
- Recognize symptoms of employee fraud
- Five symptoms of employee fraud (Case 11.10, p. 360):
  - Accounting irregularities such as forged, altered or destroyed input documents
  - Internal control weaknesses
  - Unreasonable anomalies that go unchallenged
  - Lifestyle changes in an employee
  - Behavioral changes in an employee

Methods for Thwarting Computer Abuse
- Employ forensic accountants
  - Special training (>27k CFEs)
  - Special sleuthing tools
  - One of the fastest growing professions

Methods Used to Obtain Your Personal Data (ID Theft)
- Shoulder surfing
- Dumpster diving for documents & old computer hard drives
- Scanning credit card at restaurant
- Fake apps for "preapproved" credit cards
- Key logging software
- Spam and other e-mails
- Phishing & smishing

Privacy Issues
- Have a privacy policy for your website
- Have an audit done by professionals who provide a privacy seal
  - TRUSTe
  - BBB Online
  - WebTrust
- Dispose of old computers with care
- Have laptops password protected
- Use encrypted USB drives only