COMPUTER AND INTERNET FRAUD Flashcards
A general definition of computer fraud is:
Any defalcation or embezzlement accomplished by tampering with computer programs, data files, operations, equipment, or media, and resulting in losses sustained by the organisation whose computer system was manipulated.
Unlike traditional fraud cases, computer fraud can be difficult for the fraud examiner
because they:
• Lack a traditional paper audit trail.
• Require an understanding of the technology used to commit the crime.
• Usually require an understanding of the technology of the victim computer.
• Very often require the use of one or more specialists to assist the fraud examiner, even
when the fraud examiner is computer literate.
In Fighting Computer Crime, Mr. Parker describes how the computer serves as
an object, a subject, a tool, and a symbol.
Computer as an object
Computers and network systems are themselves often objects or targets of crime, subject to physical sabotage, theft, or destruction of information
Computer as a subject
According to Parker, computers are the direct subjects of crime “when they are the environment in which technologists commit crimes.” This category
includes virus attacks.
Computer as a tool
Obviously, computers are used as the means to commit crime, whether embezzlement, theft of proprietary information or hacking
Computer as a symbol
Computers lend fraudsters an air of credibility and are often used to deceive victims into investment and pyramid schemes.
common computer crimes include:
- Data alteration
- Unauthorised access and entry to systems and information
- Reading another’s e-mail without permission
- Data destruction and sabotage
- Internet consumer fraud
- Sale of proprietary data
- Desktop counterfeiting
- Data extortion
- Disclosure of confidential data
- Identity theft
- Electronic letter bombing
- Software piracy
- PBX fraud
- Voice mail fraud
- Cellular telephone fraud
- Stolen long-distance calling cards
Hacking is
basically breaking into computers and telecommunications systems by learning the
vulnerabilities of various hardware and software, and using a computer to systematically “guess” the user’s system identification and password.
Hacker Computer Manipulation Trojan Horse
A Trojan horse is the covert placement of instructions in a program that causes the
computer to perform unauthorised functions but usually still allows the program to perform
its intended purpose. This method is one of the most commonly used techniques in computer-based frauds and sabotage.
Hacker Computer Manipulation Trap Doors
When developing large programs, programmers insert instructions for additional code and
intermediate output capabilities. The design of computer operating systems attempts to
prevent this from happening. Therefore, programmers insert instructions that allow them to
circumvent these controls. Hackers take advantage of these trap doors.
Hacker Computer Manipulation Salami Techniques
Salami techniques involve the execution of unauthorised programs used to steal small
amounts of assets from a large number of sources without noticeably reducing the whole.
For example, in a banking system, the amount of interest to be credited to an account is
typically rounded off. A fraudster might set up the system so that instead of rounding off the
number, that fraction of it is credited to a special account owned by the perpetrator.
Hacker Computer Manipulation Logic Bombs
A logic bomb is a computer program executed at a specific time period or when a specific event occurs. For example, a programmer can write a program to instruct the computer to delete all personnel and payroll files if his name were ever removed from the file.
Hacker Computer Manipulation Data Diddling
Data diddling is the changing of data before or during entry into the computer system.
Examples include forging or counterfeiting documents used for data entry and exchanging
valid disks and tapes with modified replacements.
Hacker Computer Manipulation Scavenging and Dumpster Diving
Scavenging involves obtaining information left around a computer system, in the computer
room trash cans, and so on. Dumpster diving refers to gleaning sensitive information from an organisation’s trash receptacles and dumpsters.
Hacker Computer Manipulation Data Leakage
Data leakage is the removing of information by smuggling it out as part of a printed
document, encoding the information to look like something different, and removing it from
the facility.
Hacker Computer Manipulation Piggybacking/Impersonation
Piggybacking and impersonation are frequently used to gain access to restricted areas.
Examples include following someone in through a door with a badge reader, electronically
using another’s user identification and password to gain computer access, and tapping into
the terminal link of a user to cause the computer to believe that both terminals are the same
person.
Hacker Computer Manipulation Simulation and Modeling
Simulation and modeling is a computer manipulation technique using the computer as a tool or instrument to plan or control a criminal act.
Hacker Computer Manipulation Wire Tapping
Wire tapping into a computer’s communications links is another technique used by hackers.
This method enables perpetrators to read the information being transmitted between
computers, or between computers and terminals
Hacker Computer Manipulation Network Weaving
This technique, more commonly known as looping, involves using numerous networks in an
attempt to avoid detection
Hacker Computer Manipulation Altering the Way a System Generates Passwords
By learning how a certain system’s randomizer works, the hacker can imitate the generation
of valid passwords, or alter how the system operates
Hacker Computer Manipulation Buffer Overflow Exploits
If an attacker sends too much data into one of these buffers, the buffer overflows. The server
then executes the data that “overflowed” as a program. This program may do any number of
things, like sending passwords to Russia, altering system files, or installing backdoors, depending on what data the attacker sent to the buffer.
Hacker Computer Manipulation Privilege Escalation Exploits
Privilege escalation exploits grant administrator or root-level access to users who previously
did not have such access.
Hacker Computer Manipulation Backdoors
Backdoors allow attackers to remotely access a system again in the future
Hacker Computer Manipulation HTTP Exploits
HTTP traffic, used for web browsing, is almost always allowed to pass through firewalls
unhindered. Thus, attackers have a direct line to the web server.
Anti-Hacker Measures Welcome screens
To discourage unauthorised use, such a screen might be replaced with one that informs the
user that he is about to access a proprietary network. Additionally, the screen should warn
that unauthorised access is prohibited and will be prosecuted under the law. The screen
should not identify either the organisation or the network.
Anti-Hacker Measures Security policies
should be established and disseminated throughout the organisation. These policies should include training for all employees, customers (who will appreciate the additional security), and others who have a need to access the network
Anti-Hacker Measures Call-back modems
should be used wherever practical. These modems will answer an incoming call and require the sender to enter a password. Once the caller has identified
himself, the modem will terminate the connection, and dial a previously established phone number. When the prearranged number is called, the sender must again perform the sign-on procedure.
Anti-Hacker Measures Security software packages
should be secured to the highest level possible. Most major software companies today have to release updates and patches to their software every so often. Check your software vendor’s websites on a regular basis for new security patches
or use the new automated patching features that some companies offer.
Anti-Hacker Measures Passwords
should be used in accordance with sound security practices. For example:
− Passwords should be changed periodically (every 90 days is suggested).
− Passwords should be of sufficient length to deter guessing (a minimum of 8 characters is suggested).
− Passwords of transferred or terminated employees should be changed immediately
Anti-Hacker Measures purchased software
All packages should be audited to ensure that these default passwords (which are widely known) have been changed.
Anti-Hacker Measures Encryption
should be considered for sensitive data files, password files, and sensitive computer programs.
Anti-Hacker Measures Communications software
should terminate any connection (whether dial-in or direct connect) after:
− A reasonable number of unsuccessful attempts to enter a valid password (usually no more than three).
− A terminal (direct connect or dial-in) has been connected for a period of time with no activity. This is called “timing-out.”
Anti-Hacker Measures Hacker publications and communications
should be reviewed to learn the current jargon
and hacker “handles,” which are the names that hackers use for their online personas.
Hackers have used the Internet quite efficiently to communicate with each other, while
producing a significant amount of hacking documentation and programs. Almost any
hacker website will contain a large number of text files that explain “how to hack,” or how various systems operate. Many of these files will also explain the standard vulnerabilities of the systems, and the best methods to penetrate their security.
An adequate hacker detection program contains three primary components:
• Almost all communication systems maintain a log file that records all successful and
unsuccessful system access attempts. These also allow for the printing of reports containing sign-on and -off activity. These reports should be printed out regularly and reviewed by the data security officer. Where possible, special reports should be printed
on the number of unsuccessful access attempts. These attempts at logging in to the system should be followed up by data security to determine their cause.
• The data security function should have sufficient resources and staff to administer passwords, maintain the security software, review system activity reports, and follow up on all potential security violations.
• Finally, periodic reviews of telecommunications security should be performed by consultants and/or internal or external auditors, if the latter have the necessary experience and qualifications.
Electronic Mail Consider:
• Company employees now possess the ability to quickly disclose sensitive company
materials to outside parties, increasing the opportunity for corporate espionage.
• Companies that employ a company-wide e-mail system can now be held responsible for
any unethical or illegal activities conducted by employees on the e-mail system.
• Companies must now be concerned with the repercussions of the actions of any
disgruntled or rash employees. The speed with which an e-mail can be “fired off” creates
the opportunity for ill-advised communications.
• Once an e-mail message has left a company’s system, it may travel through any number
of “foreign” e-mail systems before reaching its destination. An e-mail transmission can
quite easily be intercepted or compromised without the use of encryption software.
• Without a security-enhanced e-mail system, the receiver of an e-mail message has little
assurance that the e-mail is authentic. E-mail addresses can be easily “spoofed” or cloned
by a knowledgeable user.
E-mail Ownership
In general, if the employee wrote the message as part of his duties for his employer (i.e., “in the scope of your employment”) the employer owns the copyright. If the e-mail was not part of the employee’s duties (something personal or related to another activity, whether permitted by the employer or not), then the user has copyright, but the employer, as owner of the system on which it
was created or passed through, may have some rights to the copy on the system.
As with any potential liability issue, employers must set guidelines for the proper internal and
external use of e-mail, just as they would for the proper use of the company telephone,
stationery and postage, vehicles, and so on. For instance, the organisation should have a
policy reminding employees in writing that e-mail must not be used to send inappropriate
and unprofessional messages, including:
• Harassing other users of the system
• Consuming unreasonable amounts of available resources
• Intentionally sending other users viruses
• Evading software licensing or copying mechanisms
• Crashing/disrupting system services
• Impersonating another user anywhere on the Internet
• Bypassing system security mechanisms
• Translating encrypted material without authorisation
• Eavesdropping on other e-mail interactions
• Using the system for any personal gain either monetarily or politically unless permitted
by the organisation
When the infected program is run, the virus executes an event which may be:
- Benign, by displaying a message on a certain date;
- Annoying, by slowing performance or altering the screen display; or
- Catastrophic, by erasing or destroying data or files, or crashing systems.
Hoaxes
Most of these fraudulent warnings urge recipients to “forward this to everyone you know.”
Before forwarding a questionable warning, it is wise to consult a few of the authorities who
track viruses.
Macro Virus
Macro viruses are macros that self-replicate. If a user accesses a document containing a viral macro and unwittingly executes this macro virus, it can then copy itself into that application’s startup files.
Boot Sector Viruses
These viruses use system BIOS, replace the
boot sector, and move the boot sector to another location. It then writes a copy of its own
program code that will run every time the system is booted or when programs are being run.
A boot sector cannot infect a computer if it is introduced after the machine is running the
operating system.
Parasitic Viruses
Parasitic viruses attach themselves to programs known as executables. When a user launches
a program that has a parasitic virus, the virus is surreptitiously launched first. To cloak its
presence from the user, the virus then triggers the original program to open. The parasitic virus, because the operating system understands it to be part of the program, is given the same rights as the program to which the virus is attached. These rights allow the virus to replicate, install itself into memory, or release its payload.
TSR Viruses
Terminate and Stay Resident (TSR) viruses usually hide in memory and cause system crashes,
depending on their memory location. The TSR takes control of the operating system by passing its request to DOS each time DOS is executed
Application Software Viruses
These types of viruses copy their virus code to a program file and modify the program so the
virus code gets executed first. The virus does this by writing over the existing code or
attaching itself to the program file. The more sophisticated types replicate themselves with a
.com extension each time the user accesses an executable program file.
Multi-Partite Viruses
Multi-partite viruses share some of the characteristics of boot sector viruses and file viruses, which increases its ability to spread. They can infect .com and .exe files, and the boot sector
of the computer’s hard drive.
On a computer booted up with an infected diskette, a typical multi-partite virus will first reside in memory and then infect the boot sector of the hard drive. From there the virus can infect a PC’s entire environment. This type of virus accounts for a large number of infections.
Polymorphic Viruses
olymorphic viruses create varied (though fully functional) copies of themselves as a way to
avoid detection by antivirus software. Some polymorphic viruses use different encryption
schemes and require different decryption routines. Thus, the same virus may look completely different on different systems or even within different files. Other polymorphic viruses vary instruction sequences and use false commands in the attempt to thwart antivirus software. One of the most advanced polymorphic viruses uses a mutation engine and random number generators to change the virus code and its decryption routine
Stealth Viruses
They constantly change their patterns in an
effort to blend into the system. They attempt to avoid detection by bypassing DOS interrupt
calls when they are installed, and remove their code from the infected files before the file is
accessed by the requesting program.
Mutation Engine Viruses
This modern day virus uses a special language-driven algorithm generator that enables it to
create an infinite variety of original encryption algorithms. It avoids the checksum detection method, like stealth viruses, by not changing the infected file size. Each time they replicate,
they produce a new and different code.
Network Viruses
The boot sector and partition table viruses infect the boot operation of the file server. This
virus does not spread from the workstation to the file server. However, if you are using
NetWare it can cause the software to lose the location of its partition table on the file server
if the file server is booted with an infected disk.
Viruses that infect programs seem to be limited to infecting files on the server. However,
because the files are continuously being accessed by workstations, this type of virus is
difficult to contain.
Worms
A worm is a self-replicating program that resides as a file on a system, executes an autonomous process, and deliberately moves from system to system. It looks for other nodes on the networks, copies itself to them, and causes the self-copy to execute on other nodes. These programs find network utilities showing node names, monitor network traffic, and randomly select network identification codes, as well as other mischief.
Some of the more common virus carriers are:
- Unknown or unchecked application software
- Software or media brought in by employees
- Programs downloaded from modem bulletin boards
- Unsolicited e-mail
- Vendors and suppliers with infected software
- Uncontrolled and shared program applications
- Demonstration software
- Freeware and shareware
The following are some of the indicators that a computer may exhibit suggesting that it
might be infected:
• A sudden and sometimes dramatic decrease of free space on your media.
• The system suddenly, and for no apparent reason, slows down its command-response
time.
• An increase in the size of some files.
• There has been a change in the length of executable files, a change in their content, or a
change in their file date/time stamp.
• An unexpected number of disk accesses, especially to particular file(s).
• The operating system and/or other programs suddenly begin behaving in unpredictable
ways. Sometimes disk files that should be there cannot be accessed or are suddenly
erased with no warning.
• Unusual messages and graphics.
• Unable to boot up the system.
• Unable to access files.
• Unexplained and repeated maintenance repairs.
• System or data files disappear or become fragmented.
• Unexplained changes in memory.
• Unexplained changes in program sizes.
• Resident antiviral software programs display messages that a virus has been encountered.
Note that until the source of the virus has been identified and removed from the system,
antiviral systems might continually inform the operator that a virus is being encountered
and removed.
Virus Protection
• Do not use a disk to boot your system.
• If you must boot your system from a disk, make sure it is properly labelled and continuously protected.
• Don’t install shareware or other untested programs on your system. If you must, don’t
put them in the root directory.
• In a network environment, don’t place untested programs on the server.
• If you are sharing information on disks, ensure they only contain information and no executable files.
• Use current antivirus software to detect potential viruses.
• Back up all programs and files.
• Write virus-free warranties and indemnities into your purchase orders and contracts.
• Always write-protect your systems and program disks.
• Teach computer users about computer viruses so that they can recognise them.
• Always use caution when opening e-mail attachments.
Conventional Disk Scanners
This is the standard virus check program. It is run when the user requests it, and it scans the
contents of the disk, directories, or files that the user wants, for any boot sectors and/or files
that contain viruses that it recognises based on the virus description information in its virus
definition files. Usually run manually by the user either as a preventative maintenance activity
or when a virus is suspected, scanning can also be automated through the use of a program
scheduler.
Heuristic Scanners
These scanners inspect executable files for code using algorithms to identify operations that
would indicate an unknown virus. They might also examine macros to detect virus-like behaviour
Behaviour-Based Detection Scanners
These applications run continuously, looking for behaviour that might indicate virus activity
(for example, instructions to format a hard drive.)
Change Detection Scanners
Change detection scanners generate a database of characteristics for executable files and
check for changes to these files that might signify a virus attack.
Inoculation
This is a totally different approach to virus detection. Instead of looking for the viruses themselves, this technique looks for the changes that the viruses make to files and boot sectors. Starting with a clean system, the software “inoculates” each boot sector and program file by storing a snapshot of information about it based on its content and size.
Then, periodically, it re-examines these files to see if anything has changed. If it has, then the
utility will inform the user; if the user hasn’t made the change, the virus may have.
The main advantage of this type of virus detection is that since it is looking at the effects of the virus, it doesn’t need to know what the virus itself is; this means it will detect even new viruses without requiring updated virus definition files all of the time. The disadvantage, and why it is not used that often, is that it generates a substantial amount of false positives.
Virus infections can be investigated by taking the following action:
• Isolate the system and all media
• Run antivirus software
• Document findings
• Interview the system custodian and all users, and determine:
− Symptoms
− Damage
− Prior clean-up conducted
− Access controls in place and working
− System malfunction
− Personal media used
− Unauthorised media used
− Virus identification
• Follow the audit trail of the infection
• Determine the source of the virus—person, system, or media
• Make users aware of protection policies and procedures
• Ensure countermeasures are in place and working
• Track costs of virus problems
Modem Hijacking
While users are online, their computer modems are secretly disconnected from their ISP and
reconnected to the Internet, only this time through an expensive international line. Victims
have usually downloaded a special “viewer” program from a website offering free computer
images. Once activated, the downloaded material begins the hijacking disconnection and
reconnection process. Long-distance charges continue to mount until victims shut down
their computers, even if their Internet connection had already been terminated.
Pyramid Schemes
The tried-and-true pyramid has found a new high-tech home on the Internet. As in most
pyramid schemes, the initial participants of the scheme are rewarded handsomely, while the
participants who join the scheme later are bilked out of their investment money.
Foreign Trusts
Information on this scheme is easily found on the Internet. The set-up caters to the desire to avoid taxes. For a fee, the company purports to be able to create a foreign trust to which taxpayers can transfer their assets. Since the trust is not within the taxpayer’s country, the logic goes, the assets are not subject to taxation.
The logic is faulty for several reasons. First, if the taxpayer derives use from the funds in the trust, according to law, those funds are considered taxable income. Thus, consumers who fall for this scam subject themselves to prosecution for tax evasion.
That is, of course, only if the trust is set up at all. Some of the operators of this scheme simply take consumers’ money and disappear. And sadly, those are the consumers who get off lightly. Others who have fallen for this pitch find that they have transferred all of their assets to a trust of which they are not the beneficiaries. Their assets then legally belong to another entity and getting them transferred back to their control is virtually impossible.
Chain Letters
The letter sent to unsuspecting targets generally forewarns of the grave
dangers that await the target should he or she not reply to the letter. The letter asks for a
small cash donation in exchange for the target’s piece of mind that no bad tidings will be
spread, providing examples of some of the unfortunates who did not heed the letter. The
money should be sent to a P.O. box, the e-mail often instructs
Investment and Securities Fraud
A fraudulent website will claim to have insider information about the value of a given stock,
suggesting that something unexpected will soon happen to that company. When the unknowing stock investor takes the advice of the supposedly knowledgeable investment advisor, the advisor manipulates the stock price to his advantage.
Spamming
Spamming involves sending e-mail to subscribers whose names appear on electronic versions
of the phone list and posting ads to the plethora of discussion and chat groups using the Internet. These postings are often disguised to look like tips from individual citizens who are supposedly engaged in a lawful enterprise, when in fact they are part of an Internet boiler room.
Counterfeit Cheque Scams
This scam has several variations but usually starts with the victim offering something for sale
on the Internet. Usually it is a big ticket item. Somehow the fraudster has obtained a
legitimate cheque from a person or company, scanned it, and altered it to support the
scheme. The fraudster then contracts with the victim to buy the item but must supply a
down payment first. The cheque is delivered by a highly recognised international carrier such
as FedEx, further adding to the false impression that this is a legitimate deal. The victim
deposits the cheque, but before it clears, the fraudster requests a refund and backs out of the
deal offering to let the victim keep a portion of the funds for his trouble. The victim
forwards part of the money back. Of course the victim later learns that his bank has reversed
the deposit amount because the cheque was no good. The fraudsters usually claim to be in
another country and must therefore use a “middle man” such as a lawyer to facilitate the
transaction on their behalf. This is designed to create a sense of false security for the victim.
Another variation on this scheme involves a seemingly chance meeting in a harmless chat
room. Once the chat relationship develops the fraudster explains that they are in a foreign
country and need some help. It seems that they are unable to cash certain traveller’s cheques
in their country and ask for the victim’s help to cash the cheques for them in the United
States and then send them a money order, less a small token of their appreciation. They
usually invent some unfortunate circumstance or urgency for the request. The first time it
occurs the cheques are good and everything works out. In a second request, they ask for the
victim’s help again, this time it’s a much larger amount and this time the cheques are
counterfeit. The victim unknowingly participates in a forgery by passing the counterfeit
cheques.
The definition of phishing is
to trick people into providing their personal and financial information by pretending to be from a legitimate company, agency, or organisation
SPEAR PHISHING
Spear phishing is a targeted attack generally focused on a corporate entity. The ruse is meant
to fool the corporate employee into believing that the phishing e-mail originated not from a bank or financial institution but from their own IT or HR department. The goal is to obtain the employee’s user name and password to access the corporate network.
VISHING
A vishing scheme is generally transmitted as an incoming recorded telephone message that
uses a spoofed (fraudulent) caller ID matching the identity of a misrepresented organisation.
The message uses an urgent pretext to direct unsuspecting users to another telephone
number. The victim is invited to punch their personal information on their telephone keypad. The criminals capture the key tones and convert them back to numerical format.
SMiShing or Tishing
SMiShing is a hybrid of phishing and short message service, commonly known as text
messaging. It uses much the same approach of phishing but delivers an alarming message via
SMS
ROCK PHISHING
Like most phishers, rock phishers use botnets to send massive amounts of phishing e-mails
to huge volumes of Internet users. The e-mails contain a message from a financial
institution, hopefully enticing users to click on a fraudulent URL. There is some indication
that they cycle through multiple e-mail lists and attempt to reach the Internet users most
likely to use the brands that they are targeting. Unlike most phishers, they don’t compromise
a Web server and install a phishing site. Instead, an elaborate process is implemented
whereby multiple domain names are registered at multiple registrars—often with less known
country-code based top-level domains. Multiple DNS (domain name system) servers are also
set up, which provide names to IP services for the pool of domain names. The IP addresses
used—and there may be upwards of 100 at a time—point to multiple compromised servers that simply forward Web connections to the real phish sites. These proxy servers typically
handle connections for multiple targets at a time.
Pharming is
an attack in which a user is fooled into entering sensitive data (such as a password
or credit card number) into a malicious website that impersonates a legitimate website
Combating Internet Fraud Encryption
Any confidential information or credit card numbers should be encrypted in their entirety. An encryption system is made up of a cryptographic function, which scrambles an electronic transmission, and an inverse decrypt function, which restores the
transmission to its original state. Encryption hardware and software can be used to scramble any communication by utilising a complex mathematical formula. The only way
to unscramble an encrypted message is to provide the unique answer key, thus unlocking
the message. Encryption is the best method to stymie would-be interceptors of company
transactions.
Combating Internet Fraud Customer validation
Because the Internet offers users an additional layer of anonymity,
businesses should install some form of a customer validation safeguard in their Internet
purchasing system. This may include a customer code or password that the customer can
identify himself with before purchasing a product. As well, the business should
distinguish itself to the customer, ensuring that no one else can falsely assume the
company’s identity.
Combating Internet Fraud Internal network security
—Organisations that conduct business on the Web should never, under any circumstances, keep their financial information database on their Web server.
A knowledgeable computer hacker can sometimes penetrate Internet websites, and financial information is the primary target of these hackers, for obvious reasons. Therefore, the database that maintains a company’s financial information should be a completely internal system, untouchable from the Internet. This safeguard will help ensure that the sensitive information is not compromised in any way.
Combating Internet Fraud Firewalls
Firewalls are advanced software programs that effectively “lock up” access to
an Internet site or e-mail transmission. Firewalls are designed to control the interface
between a network and the Internet. This technology surveys incoming and outgoing
transmissions between the network and the Internet, stopping any questionable
transmission attempt to access a sensitive area. While firewalls are not foolproof, they do
provide an additional layer of protection against Internet attacks or breaches of security.
here are a few that are more directly related to networked transactions,
which is exactly what e-commerce consists of:
• Authentication – This requirement addresses the problem of identifying the parties of an
e-commerce transaction to each other. We want to make sure that we can determine
with whom we (or our computers) are communicating.
• Non-repudiation – Non-repudiation can help ensure that no party to an e-commerce
transaction can later deny that the transaction occurred. We need some way to be able to
recognise a “signature” between e-commerce parties just as we rely on written signatures
on paper documents.
Depending on the type of the embedded chip, smart cards can be either memory cards or processor cards.
• Memory cards – Any plastic card is made “smart” by including an IC chip. But the chip
may simply be a memory storage device. Memory cards can hold thousands of times
more memory than a magnetic stripe card. Nevertheless, its functions are limited to basic
applications such as phone cards.
• Processor cards – Smart cards with a full-fledged microprocessor on board can function
as a processor device that offers multiple functions such as encryption, advanced security
mechanisms, local data processing, complex calculation, and other interactive processes.
Most stored-value cards integrated with identification, security, and information
purposes are processor cards. Only processor cards are truly smart enough to offer the
flexibility and multifunctionality desired in e-commerce.
The top three international markets in smart card production are
(1) miniature subscriber identity modules (SIMs) that fit inside mobile phones, (2) banking cards, and (3) identification cards, specifically those used by governments and large corporations.
The most prevalent method of committing computer fraud is probably alteration or falsification of input transactions (and/or documents), including:
- Alteration of input
- Alteration of output
- Data file manipulation
- Communications systems
- Operating systems
- Computer operations
The following are indicators of insider computer fraud:
- Access privileges exist beyond those required to perform assigned job functions.
- Exception reports are not reviewed and resolved.
- Access logs are not reviewed.
- Production programs are run at unusual hours.
- A lack of separation of duties exists in the data centre.
Effective computer security Key elements
are:
- Protecting data and programs from intentional or inadvertent unauthorised alteration or destruction.
- Maintaining the confidentiality, integrity, and availability of data.
- Protecting the data centre from physical threats such as fire, flood, and intentional destruction.
- Having the capability to restore data centre operations in case of complete destruction.
The most important step is to obtain management support for effective security. Without such support, any security plan will falter.
Conducting an Investigation Regarding Computer Crimes
1) Determine if indeed a crime has been committed. This is the critical step in the internal
investigation. The organisation must be careful to differentiate between inadvertent
computer misuse and deliberate criminal intent. The company’s internal auditors, physical and information security specialists, and senior management should be involved
in making this type of decision.
2) Determine the status of the crime. When did the incident begin? Where did the intrusion
come from? Internal or external? Is the incident still occurring? If not still occurring,
when did it stop?
3) Review the organisation security and audit policies and procedures to determine the best
method for continuing the investigation.
4) Determine the need for law enforcement assistance. The organisation will have to decide
if the violation is serious enough to call in the police or other law enforcement entities.
Most computer crimes are not reported to law enforcement due to several factors,
including the organisation’s desire to keep its flaws and weaknesses from being exposed
to its customers and stockholders. This is a difficult decision for the company to make.
However, as we also mentioned earlier, if companies don’t report computer crimes, then
law enforcement will be powerless to help prevent and solve them and computer
criminals will feel they have a free hand to continue their activities.
how does an organisation become aware
that its information resources have been compromised by someone—either inside or outside
of the organisation—with criminal intent? A few possibilities include:
• A strong set of policies and standards to define for employees and management what the
company deems as unacceptable or unauthorised activities.
• Strong physical security to thwart those intent upon the theft of physical assets of the
organisation.
• Central Systems access control and data object protection.
• Strong security for the organisation’s application programs.
• Intrusion detection hardware and software for network and communications resources.
• Auditing of system and violation logs.
Systems Maintenance
All program and system changes should be approved in writing. Programmers should not
have access to the production library, but only to “test” libraries. All programs that are to be
modified should be moved into a test library by someone other than a programmer. All
completed program changes should be tested and the results approved by both data centre
and user personnel before being placed into production. Adequate program documentation
should be approved for all program changes. User personnel should be notified when
modified programs will be placed into production.
Implementation Controls
mplementation controls are those controls over the development or purchase of a new
application. All new system requests should be made in writing. A system development life-
cycle methodology should be used for developing and implementing in-house or purchased
packages. All new systems requests should be approved by the appropriate management
level. Users should be involved in the project from design through final testing. All test
results should be approved by both data centre management and user personnel. There
should be an implementation plan for placing the new system into production.
Computer Operations
Computer operations controls are controls that govern the day-to-day operation of the
computer system. There should be an approved schedule for all production runs. All system
activity should be reviewed by data centre management. Any unusual program executions
should be investigated and resolved. A log of unusual events, such as abends (abnormal
terminations of a program execution) or reruns should be kept by operations staff and also
should be reviewed by data centre management. Access to the computer room should be
restricted to authorised personnel. All third parties, such as technicians, should be
accompanied by a data centre employee. Doors to the data centre should be secured.
System Software
Controls over system software include those that govern the installation of the computer
system, the communications software, and the security software. Data centre management
should approve the system software selection as well as the chosen options and parameters.
System software should be tested before implementation in a production environment.
(Note that this might not be possible for the operating system itself.)
Data Files
Controls over data files ensure that correct files are used for each production job and that
adequate backup files exist. Data file label bypass options should be disabled. A data-file
management system should be used to record and locate all data files. Data file backup
copies should be made and stored in a secure facility. Offsite backup file copies should be
maintained in case of a disaster in the data centre. Utilities that can modify data files should
be removed from the system and used only under management supervision. Live data files
should not be used for testing.
Access and telecommunications controls should achieve the following objectives:
- Provide physical security over equipment, users, and information
- Protect critical data from loss, damage, or unauthorised disclosure
- Ensure network reliability by using appropriate hardware and software
- Prevent unauthorised access and use of the network
- Ensure system availability
- Meet user requirements
Separation of Duties
Separation of duties is a key element in a well-designed internal control system. It is also
fundamental to detecting and preventing fraud. Programmers should not operate the
computer, have unsupervised access to production programs, or have access to production
data sets (data files). Users should not have access to the production program code.
Computer operators should not perform computer programming. Adequate supervision
should be provided by personnel who do not actually perform the work.
Logs and History Files
Computer systems maintain a variety of history files or logs. These logs record activity in the following areas: • Mainframe activity − Programs executed − Data files accessed − Date, time, and duration − User IDs that initiated a particular action − Error messages − Equipment malfunctions • Communications activity − User ID − Terminal identifier − Dial-in port identifier − Date, time, and duration − Error messages − Equipment malfunctions • Security software activity − User ID − Unsuccessful log-in attempts − Modifications to the password files and access capability
Many of the history
files have a limited capacity and can be forced into
wrapping if not printed periodically.
Wrapping forces the software to record at the beginning of the file if the file is full and not
printed out
Control techniques commonly used in computerised systems are listed below.
• One-for-one checking consists of checking each source document against a detailed list
processed by the computer. This technique is normally used for low-volume input
because of the cost and time involved.
• Batch/control totals involve manually grouping transactions at the input stage and manually
establishing a control total over the entire group. The methods used include document
counts, item or line counts, dollar totals, and cash totals.
• In computer sequence checking, the computer verifies the preassigned serial numbers of input
transactions and reports missing or duplicate numbers.
• Computer matching consists of the computer matching the input data to information held
on the master file or suspense files. Unmatched items are reported for investigation.
• Programmed edit checks are computer program procedures that edit data. Examples include:
− Reasonableness
− Dependency
− Existence
− Format
− Mathematical accuracy
− Range
− Digit verification
− Prior data matching
• Prerecorded input is used to reduce errors during data entry.
Input completeness control techniques are
one-for-one checking, batch control totals, computer
sequence check, and computer matching
Input accuracy controls ensure that
data is initially recorded correctly and converted correctly to machine-readable form
Input accuracy control techniques are
one-for-one checking, batch control totals, computer matching, programmed edits, and prerecorded input
Update accuracy ensures that
the correct master file account is updated correctly with the correct transaction.
Update accuracy control techniques are
one-for-one checking, batch control totals, computer matching, and programmed checks
Update control completeness ensures that
all data entered and accepted by the system updates the master file once and only once
Update control completeness techniques
are one-for-one checking, batch control totals, computer sequence checks, and computer matching.
Authorisation controls ensure that
only valid transactions are processed, that all transactions processed are authorised by management, and that transactions represent events that actually occurred.
Authorisation techniques used are
one-for-one checking and programmed checks
Maintenance controls provide that
data is kept up-to-date or identify unusual data requiring further action. They also ensure that data stored on file is not changed except through the
normal processing cycle.
Maintenance control techniques are
used for one-for-one checking, batch control totals, and programmed checks.
Evaluating Application Controls
Evaluating internal controls in an application system requires a thorough understanding of
the system. The first phase, information gathering, consists of collecting information about the industry and the risks associated with that industry; conducting ratio analysis and peer
comparisons to identify aberrations; understanding how management runs the business; and
determining if there are strong budget-to-actual controls in the organisation.
Evaluation is the second phase and consists of the use of questionnaires and/or matrices to
evaluate the internal controls and to identify internal control weaknesses. Analysing the
results is necessary to determine if a weakness exists and/or the extent of any weaknesses. A
results report should be prepared that includes recommendations.
Several new control concerns have been identified as a result of end-user computing.
• Data centre controls over the equipment itself (backups, access controls, local password
administration, etc.) might not be implemented by the end users.
• Locally developed spreadsheet or database applications might not have all the controls
typically found in mainframe systems.
• Access can be compromised by the end users by installing a modem and phone line
connected to a local area network or stand-alone PC and not informing data security
about the arrangement.
