THE NATURE OF COMPUTER FRAUD (STUDY OBJECTIVE 7)

In addition to the frauds described in previous sections, organizations must also attempt to prevent or detect fraudulent activities involving the computer. Again, there are so many different kinds of computer fraud that it is not feasible to describe all the possibilities in this chapter. In some cases, the computer is used as a tool to more quickly and efficiently conduct a fraud that could be conducted without a computer. For example, an individual could perpetrate industrial espionage, the theft of proprietary company information, by digging through the trash of the intended target company. However, it would probably be more efficient for a hacker to gain access to the information through the target company's computer system. In other cases, the fraud conducted is unique to computers. For example, a computer is required to accomplish software piracy, the unlawful copying of software programs.

Another characteristic of computer fraud is that it can be conducted by employees within the organization or unauthorized users outside the organization. We categorize these two sources of computer fraud into internal computer fraud and external computer fraud.

INTERNAL SOURCES OF COMPUTER FRAUD

When an employee of an organization attempts to conduct fraud through the misuse of a computer-based system, it is called internal computer fraud. Internal computer fraud concerns each of the following activities:

  1. Input manipulation
  2. Program manipulation
  3. Output manipulation

Input manipulation usually involves altering data that is input into the computer. For example, altering payroll time cards to be entered into a computerized payroll system is a type of input manipulation. Other examples of input manipulation would be creating false or fictitious data inputs, entering data without source documents, or altering payee addresses of vendors or employees.

Program manipulation occurs when a program is altered in some fashion to commit a fraud. Examples of program manipulation include the salami technique, Trojan horse programs, and trap door alterations.

A fraudster uses the salami technique to alter a program to slice a small amount from several accounts and then credit those small amounts to the perpetrator's benefit. For example, a program that calculates interest earned can be altered to round down to the lower ten-cent amount; that small excess of interest earned can be deposited to the perpetrator's account. Although it would take many transactions of this type to be of much benefit, the nature of interest calculation is such that it occurs frequently on many accounts; therefore, the amount of the fraud benefit could build quickly.
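The interest-rounding variant described above, and the reconciliation control that catches it, as an added example that is not part of the original text. It assumes a hypothetical 0.5 percent interest rate, five constructed account balances, and a hypothetical account A-9999 that the altered program credits with the shaved remainders; the detective control independently recomputes each account's interest and flags both the per-account shortfalls and the credit to an account with no interest-bearing balance.

```python
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

# Constructed sample: (account_id, balance). Hypothetical rate of 0.5% per posting period.
ACCOUNTS = [
    ("A-1001", Decimal("1234.56")),
    ("A-1002", Decimal("987.01")),
    ("A-1003", Decimal("15000.00")),
    ("A-1004", Decimal("42.39")),
    ("A-1005", Decimal("7777.77")),
]
RATE = Decimal("0.005")
PERP_ACCOUNT = "A-9999"  # hypothetical account the altered program credits


def interest_correct(balance):
    """Authorized calculation: interest rounded to the nearest cent."""
    return (balance * RATE).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def interest_salami(balance):
    """Altered calculation from the text: round DOWN to the lower ten-cent amount."""
    return (balance * RATE).quantize(Decimal("0.1"), rounding=ROUND_DOWN)


def post_interest(calc):
    """Run one interest posting with the given calculation.

    Returns {account: amount credited}. Whatever the calculation shaves off
    relative to the correct amount is credited to PERP_ACCOUNT, which is how
    the salami slices end up in one place.
    """
    postings = {}
    shaved = Decimal("0")
    for acct, bal in ACCOUNTS:
        paid = calc(bal)
        postings[acct] = paid
        shaved += interest_correct(bal) - paid
    if shaved:
        postings[PERP_ACCOUNT] = shaved
    return postings


def reconcile(postings):
    """Detective control: recompute interest independently of the production
    program, compare per account, and flag any credit to an account that has
    no interest-bearing balance. Returns a list of (account, reason, amount)."""
    expected = {acct: interest_correct(bal) for acct, bal in ACCOUNTS}
    exceptions = []
    for acct, amt in postings.items():
        if acct not in expected:
            exceptions.append((acct, "credit to account with no interest-bearing balance", amt))
        elif amt != expected[acct]:
            exceptions.append((acct, "posted amount differs from recomputed amount", amt - expected[acct]))
    return exceptions


if __name__ == "__main__":
    print("clean run exceptions:", reconcile(post_interest(interest_correct)))
    for exc in reconcile(post_interest(interest_salami)):
        print("salami run exception:", exc)
```

On this sample a single posting run moves only 21 cents, which is the point of the technique: no individual account holder notices a few cents, so the control has to be a recomputation that compares totals and account-level amounts rather than a review of customer complaints.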

A Trojan horse program is a small, unauthorized program hidden within a larger, legitimate program and used to manipulate the computer system to conduct a fraud. For example, the rogue program might cause a certain customer's account to be written off each time a batch of sales or customer payments is processed.

A trap door alteration is a valid programming tool that is misused to commit fraud. As programmers write software applications, they may allow for unusual or unique ways to enter the program to test small portions, or modules, of the system. These entranceways can be thought of as hidden entrances, or trap doors. Before the program is placed into regular service, the trap doors should be removed, but a programmer may leave a trap door in place in order to misuse it to commit fraud.

Computer systems generate many different kinds of output, including checks and reports. If a person alters the system's checks or reports to commit fraud, this is known as output manipulation. This kind of fraud is often successful simply because humans tend to trust the output of a computer and do not question its validity or accuracy as much as they might if the output were manually produced.

EXTERNAL SOURCES OF COMPUTER FRAUD

In most cases, external computer frauds are conducted by someone outside the company who has gained unauthorized access to the computer. These fraudsters are commonly known as hackers. However, it is possible that someone within the organization—essentially, anyone who can gain access to an organization's computer system—could attempt these frauds. Two common types of external computer fraud are hacking and spoofing.

Hacking

Hacking is the term commonly used for computer network break-ins. Hacking may be undertaken for various reasons, including industrial espionage, credit card theft from online databases, destruction or alteration of data, or merely thrill-seeking. Regardless of the purpose of the break-in, tremendous damage can be done to a company in terms of immediate financial loss or loss of customer confidence.

THE REAL WORLD

A computer hacking incident occurred at Data Processors International, a firm that processes credit card transactions for retailers, when a hacker broke into the computer system and gained access to approximately 8 million credit card numbers belonging to consumers.

A hacker usually gains access to a network through the various network connections that most businesses and organizations now have. Most companies are connected to networks for many reasons, such as to conduct Internet commerce, to connect various geographic locations of the same company, to allow telecommuting for employees who work at home, and to connect to the computer systems of vendors or customers. The existence of any of these types of network connections opens an opportunity for hackers to violate that connection. This is the paradox faced in today's computer world. To operate efficiently, organizations need to connect to networks, but such connections increase security risks exponentially.

DoS Attacks

A particular kind of hacking that has increased dramatically in recent years is denial of service (DoS) attacks. A denial of service attack is intended to overwhelm an intended target computer system with so much bogus network traffic that the system is unable to respond to valid network traffic. A hacker takes advantage of the automated, repetitive nature of computers to accomplish a DoS attack by taking control of one or more computers on a network and using those computers to continually send bogus network traffic to a target computer. If the hacker can take over several computers and force each of them to send bogus traffic to one targeted computer system, the targeted system becomes overwhelmed. Attacks such as these that use several computers to attack one computer are called distributed denial of service attacks, or DDoS attacks.
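The difference between a single-source DoS attack and a distributed one, as seen from the target's own access logs, as an added example that is not part of the original text. The log lines are constructed, the thresholds (50 requests per source and 100 requests in total per 10-second window) are assumed, and the point it shows is that a per-source rate limit alone misses the DDoS case, where each attacking computer sends only a little traffic and only the aggregate count reveals the attack.

```python
from collections import Counter, defaultdict

WINDOW = 10            # seconds per analysis bucket
PER_SOURCE_LIMIT = 50  # assumed: requests per source per bucket that look abusive
TOTAL_LIMIT = 100      # assumed: requests per bucket across all sources the server can serve


def build_sample():
    """Constructed access records in the form '<epoch_seconds> <source_ip> <method> <path>'."""
    lines = []
    # 80 s of ordinary traffic: five clients, one request per second each
    for t in range(80):
        for i in range(1, 6):
            lines.append(f"{t} 203.0.113.{i} GET /index.html")
    # t=30..39: one computer floods the server at 20 requests/s (single-source DoS)
    for t in range(30, 40):
        lines.extend(f"{t} 198.51.100.9 GET /login" for _ in range(20))
    # t=60..69: forty computers each send one request every 2 s (DDoS);
    # no single source looks busy, but together they exceed the server's capacity
    for t in range(60, 70):
        for n in range(1, 41):
            if (t + n) % 2 == 0:
                lines.append(f"{t} 192.0.2.{n} GET /")
    return lines


def analyze(lines, window=WINDOW, per_source_limit=PER_SOURCE_LIMIT, total_limit=TOTAL_LIMIT):
    """Bucket requests into fixed windows and classify each window.

    Returns {bucket_index: {"start", "total", "sources", "flagged_sources", "kind"}}.
    """
    per_bucket = defaultdict(Counter)
    for line in lines:
        ts, src, _method, _path = line.split(maxsplit=3)
        per_bucket[int(ts) // window][src] += 1

    report = {}
    for bucket, counts in sorted(per_bucket.items()):
        total = sum(counts.values())
        flagged = sorted(s for s, c in counts.items() if c > per_source_limit)
        if flagged:
            kind = "single-source DoS"
        elif total > total_limit:
            kind = "distributed DoS (DDoS)"   # volume is abnormal although no one source is
        else:
            kind = "normal"
        report[bucket] = {
            "start": bucket * window,
            "total": total,
            "sources": len(counts),
            "flagged_sources": flagged,
            "kind": kind,
        }
    return report


if __name__ == "__main__":
    for bucket, row in analyze(build_sample()).items():
        if row["kind"] != "normal":
            print(f"t={row['start']:>3}s total={row['total']} sources={row['sources']} "
                  f"flagged={row['flagged_sources']} -> {row['kind']}")
```

Real monitoring would also look at the kind of traffic (connection attempts that never complete, identical requests, malformed packets) rather than counts alone, but the two-level check here, per source and in aggregate, is the minimum needed to tell the two forms of the attack apart.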

THE REAL WORLD

In February of 2000, several high-profile companies were the targets of DoS attacks. Companies including Yahoo, Inc., Turner Broadcasting System, Inc., eBay, Inc., and Amazon.com experienced DoS attacks that shut down their websites for hours as they worked to wipe out the harmful effects on their computer servers and network.

Such attacks continue today. In June 2011, the daily Internet publication American Thinker reported that a DoS attack took down its website for three hours.

Spoofing

Spoofing occurs when a person, through a computer system, pretends to be someone else. There are two kinds of spoofing that are currently prevalent: Internet spoofing and e-mail spoofing. Internet spoofing is the most dangerous to the accounting and control systems, because a spoofer fools a computer into thinking that the network traffic arriving is from a trusted source. Within the Internet, each computer server is identified by a unique Internet protocol (IP) address. Any network traffic between computers is broken into small “packets” of data. Each packet includes the IP addresses of both the sender and receiver of the packet. In spoofing, the originating IP address is intentionally changed to make it appear that the packet is coming from a different IP address. Many computer systems include a security system that accepts packets only from known and trusted sources—essentially, an address book of trusted IP addresses. A spoofer circumvents that system by pretending that the packet originates from a trusted source. These packets can contain malicious data such as viruses, or programs that capture passwords and log-in names.
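Why the "address book of trusted IP addresses" on its own is not enough, and the plausibility check that closes the gap, as an added example that is not part of the original text. The trusted addresses, internal address ranges and packet records are all constructed. The added rule is the standard ingress/egress filtering idea: a packet that arrives on the external interface cannot legitimately carry an internal source address, and a packet arriving on the internal interface cannot legitimately carry an outside source address, whatever the address book says.

```python
import ipaddress

# Constructed "address book" of trusted outside sources (e.g. a partner's servers)
TRUSTED = {ipaddress.ip_address("203.0.113.10"), ipaddress.ip_address("198.51.100.7")}
# Constructed internal address ranges
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed packet records: (interface the packet arrived on, source IP, destination IP)
PACKETS = [
    ("internal", "10.1.2.3", "10.0.0.5"),        # ordinary internal traffic
    ("external", "203.0.113.10", "10.0.0.5"),    # genuinely from the trusted partner
    ("external", "10.1.2.3", "10.0.0.5"),        # claims an internal source but arrived from outside
    ("external", "192.0.2.44", "10.0.0.5"),      # untrusted outside source
    ("internal", "203.0.113.10", "10.0.0.5"),    # claims the partner's address but arrived from inside
]


def is_internal(src):
    return any(src in net for net in INTERNAL_NETS)


def address_book_only(src):
    """The control described in the text: accept if the source address is known and trusted."""
    src = ipaddress.ip_address(src)
    return "accept" if src in TRUSTED or is_internal(src) else "drop"


def filter_packet(iface, src, dst):
    """Address-book check plus a source-address plausibility check per interface.

    Returns (decision, reason).
    """
    src = ipaddress.ip_address(src)
    internal = is_internal(src)
    if not (src in TRUSTED or internal):
        return ("drop", "source not in trusted address book")
    # The address field is chosen by the sender, so check it against something
    # the sender does not control: which interface the packet physically arrived on.
    if iface == "external" and internal:
        return ("drop", "internal source address arriving on external interface (spoofed)")
    if iface == "internal" and not internal:
        return ("drop", "outside source address arriving on internal interface (spoofed)")
    return ("accept", "source trusted and consistent with arrival interface")


if __name__ == "__main__":
    for iface, src, dst in PACKETS:
        print(f"{iface:<8} {src:<14} book={address_book_only(src):<6} "
              f"filter={filter_packet(iface, src, dst)}")
```

The third and fifth packets pass the address book alone and are rejected only by the interface check; that is the control a spoofer is counting on being absent. The check does not authenticate the sender, it only rejects impossible combinations, so trust that matters for accounting data should rest on authenticated sessions rather than on source addresses.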

While e-mail spoofing is not typically as problematic as Internet spoofing is to the direct financial interests of most business organizations, it is nevertheless a source of irritation and inconvenience at the workplace. E-mail spoofing might flood employees' e-mail boxes with junk mail but usually does not result in defrauding their company. E-mail spoofing is usually used in an attempt to scam consumers. For example, a bank customer might get an e-mail that looks as if it comes from the customer service department, asking recipients to provide confidential information such as their log-in and password. With these fake e-mails, the sender is hoping that unsuspecting customers will reply and divulge the confidential information that will allow the spoofer to commit fraud. This type of fraud must be controlled by the consumer and police authorities; internal control systems within a company can do little or nothing to prevent e-mail spoofing.
