BIS2061 1 Unit 4
Content
§ the theft of money, for example, the transfer of payments to the wrong accounts
§ the theft of information, for example, by tapping into data transmission lines or
databases at no cost
§ the theft of goods by their diversion to the wrong destination
§ the theft of computer time, for example, use of an employer's computer resources
for personal work
1. The Salami, which involves spreading the haul over a large number of transactions
like slices of salami. For example, a bank clerk might shave a trivial sum off many
customer accounts to make up a large sum in his / her account
2. The Trojan Horse, which involves the insertion of false information into a
program in order to profit from the outcome. For example, a false instruction to
make payments to a bogus company
Computer crime can take the form of unauthorised use or access to information
systems, or the modification of programs to benefit the fraudster. Techniques include:
§ Piggybacking, which involves tapping into communication lines and riding into a
system behind a legitimate user with a password
§ Data Diddling, which entails swapping one piece of data for another
Computer crime can also take the form of hacking, sabotage and blackmail. Hacking
or computer burgling involves breaking into other people's systems for fun or with the
intent to blackmail or commit sabotage. Techniques include:
§ Scavenging for stray data or garbage for clues that might unlock the secrets of a
system
§ Zapping, which means penetrating a computer by unlocking the master key to its
program and then destroying it by activating its own emergency program
§ Worms or worm programs entail the deletion of portions of a computer's memory,
thus creating a hole of missing information
§ Time bombs or Logic bombs, which involve the insertion of routines that can be
triggered later by the computer's clock or a combination of events. When the
bomb goes off, the entire system, perhaps worth millions, will crash
§ Viruses are self-replicating programs which can have a similar effect to Time or
Logic bombs
Computer crime that takes the form of unauthorised use or access to information
systems or the modification of programs to benefit the fraudster is covered under the
(UK) Computer Misuse Act, 1990. The Act introduces three new criminal offences:
The latter two offences are tried before a jury. The Act also includes the offence of
conspiracy to commit and incitement to commit the three main offences. This aspect
of the Act makes even discussion of specific actions, which are in breach of the main
sections, questionable practice. It is sufficient to be associated with an offender in
planning the action, or to suggest carrying out an action which is illegal under the Act,
to be in a position to be charged.
Commentators list some reasons why non-reporting of computer crime is so
widespread:
‘There is very little benefit for the victim. The law is unlikely to be able to undo the
damage caused and the criminal is unlikely to be convicted. In addition, much staff
time is likely to be tied up assembling evidence (if it can be collected at all), and
wider knowledge of the crime is likely to harm the future prospects of the victim
organisation.’ (Forester and Morrison, 1990)
What is therefore clear is that nobody is very sure about the true extent of computer
crime, but most analysts who have researched the problem believe it is large and
growing. Data crime deserves to be as much a social issue as more traditional areas of
law and order such as crimes against the person, crimes against property and the
maintenance of public peace.
Moreover, nearly all computer criminals were first time offenders who were,
according to researchers, motivated by greed, pressing financial worries and other
personal problems such as alcohol or drug dependency.
There is a commonly held view that the typical computer criminal is something of a
whiz kid, with highly developed computing skills and a compulsive desire to beat the
system. But researchers showed that the substance for this image is absent:
‘Not many crimes demonstrate high technical ingenuity on the part of the perpetrator.
Most exhibit an opportunistic exploitation of an inherent weakness in the computer
system being used. Most computer criminals tend to be relatively honest and in a
position of trust; few would do anything to harm another human, and most do not
consider their crime to be truly dishonest.’
The theft of computer time, usually in the form of unauthorised use of an employer's
computer, is a grey area in which there are no easy answers. Unauthorised use is
technically theft of processing and storage power, yet most employers turn a blind eye
to employees using the company's computers in moderation for such purposes
‘as preparing individual tax returns or doing the mailing list for the local church.’
(Forester and Morrison, 1990)
Using company computers for financial gain such as private consulting work is
clearly unethical, unless the employee's employment contract, for example, with a
university, specifically allows it. Sacking for this kind of computer abuse is not
unheard of, although managers usually tread warily for fear of destroying staff
morale.
Jay Bloombecker (in Forester and Morrison, 1990) has listed eight motivations that
can lie behind computer crimes. More often than not computer criminals see the
computer environment as:
This latter perspective is supported by a US survey which found, for instance, that 63
percent of accountants and 75 percent of computer professionals steal because:
‘They feel frustrated or dissatisfied about some aspect of their job. This could be an
accurate reflection on the lack of autonomy, minimal job variety and poor
management communications often endemic of computer work.’
§ The intellectual challenge of fooling a system plays an important role in
motivating individuals to commit computer crime
§ Computer crime involves very little physical risk, as opposed to a bank hold up
§ Computer crimes can be committed alone, without talkative associates, thus
further reducing the risk of detection
§ As in Bloombecker's notion of fairyland, computer crimes can often appear not to
be a criminal act: shuffling numbers around in a remote and abstract way is not
quite the same as handling gold bars or huge piles of paper money
6. Computer Security
A costly problem that plagues corporations and on-line vendors arises when culprits
steal passwords and use phoney identifiers to make fraudulent purchases. Although
most e-commerce sites are secured adequately, there have been numerous security
lapses, which have sometimes put sensitive consumer data at risk.
Spinello (2000) argues that if vendors are to achieve a basic level of security for
commercial Web sites, they must address two problems:
All sensitive information must be protected adequately from the risk of being
intercepted by hackers and computer criminals.
Securing the Web server itself can usually be accomplished by using standard
computer security techniques, such as authentication mechanisms and intrusion
protection devices. Gatekeepers and digital locks can also secure networks on which
these servers reside.
The more complicated problem is securing information in transit between the server
and the end user. The only sure way to secure this data is through encryption,
encoding the transmitted information so that only an authorised recipient can read it
with a proper key that decodes the information. Protocols such as the SET (Secure
Electronic Transactions) standard are used to encrypt credit card information being
transmitted over the Internet. An alternative protocol is Netscape's Secure Sockets
Layer (SSL), which automatically encrypts information sent to Web sites and then
decrypts it before the recipient reads it.
6.2 Digital Signatures
The best way to verify identity is via the use of digital signatures. This technology
also relies on the use of encryption keys to encode and decode a message. In this case,
a private key is used to sign one's signature to some message or piece of data and a
public key is used to verify a signature after it has been sent. The public key might be
published in a directory or otherwise made available to other users. Spinello presents
a scenario to best describe the functioning of digital signatures:
Assume that John and Mary are exchanging e-mail, and Mary wants to verify John's
identity. Mary can send John a letter with a random number, requesting that he
digitally sign that number and send it back. John receives the letter, and digitally
signs the random number with his private key. When the letter is sent back to Mary,
she verifies that signature with her copy of John's public key. If the signature matches,
she knows that she is communicating with John, assuming that John has been
careful with his private key.
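The John and Mary exchange above, written out as an added example (not from the unit or from Spinello). It assumes Ed25519 as the signature scheme; the function names and the `sigContext` prefix are illustrative. It also shows the two cases the scenario depends on: a response signed with another key, and an old response replayed against a new random number.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// sigContext (assumed) keeps a signed challenge from passing as any other signed message.
const sigContext = "identity-check-v1:"

// NewKeyPair is John's setup: he publishes pub and keeps priv secret.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// NewChallenge is Mary's random number: unpredictable and used only once.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Respond is John's step: sign the challenge with his private key.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, append([]byte(sigContext), challenge...))
}

// Verify is Mary's step: check the response with her copy of John's public key.
func Verify(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, append([]byte(sigContext), challenge...), sig)
}

func main() {
	johnPub, johnPriv := NewKeyPair()
	_, otherPriv := NewKeyPair()
	c1, c2 := NewChallenge(), NewChallenge()
	sig := Respond(johnPriv, c1)
	fmt.Println("John, fresh challenge:", Verify(johnPub, c1, sig))
	fmt.Println("signed with another key:", Verify(johnPub, c1, Respond(otherPriv, c1)))
	fmt.Println("old response replayed:", Verify(johnPub, c2, sig))
}
```

The check proves only that the responder holds John's private key, which is why the scenario adds the condition that John has been careful with it.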
6.3 Passwords
Access control software closes password loopholes. This software restricts users,
individually identified by password and codes, to only those files they are authorised
to use. Even then, the software permits the users to perform only authorised functions,
such as appending or deleting information, and they can no longer browse through
parts of the system which they are not entitled to enter. One obvious and major
limitation with access control software, however, is that it does not protect the
company against frauds committed by employees while going about their legitimate
tasks, and as illustrated above, a high proportion of computer crimes occurs this way.
Many companies have installed dial back or black box systems to protect their assets.
When a user dials into a computer, a black box intercepts the call and demands a
password. The unit then disconnects the call, looks up the password in the directory
and calls the user back at his / her listed telephone number: fraudsters dialling from
another telephone number will be screened out. A large mainframe may have
hundreds of ports of entry from remote stations and each one has to be protected by
these units.
Scrambling devices and encryption software are additional methods which scramble
messages for transmission so that only the legitimate recipient can decode and
understand them. Anyone tapping into, for example, a bank's communication line or
eavesdropping on the electromagnetic waves emitted from a computer or piece of
electronic equipment will pick up only the scrambled message. Encryption devices in
the form of DSPs (Digital Signal Processors) are being used increasingly to scramble
voice and data messages over telephone networks. Voice encryption is obviously vital
in the military and security agencies.
6.5 Firewalls
6.6 Biometrics
Another weapon in the fight against computer crime is biometrics, or the digitising of
biological characteristics. These include:
§ Fingerprints
§ Voice recognition
§ The veins of the back of the hand
§ The pattern of blood vessels in the retina
These scanning devices are now being used to control access to computer rooms, bank
vaults and military bases.
Audit control software packages are also available which can monitor transactions or
the use of a computer. These enable auditors to trace and identify any operator who
gains access to the system and when this occurred, such as after-hours. Audits can
also highlight any abnormal number of 'correction entries', which often indicates the
trial-and-error approach of fraudulent activity.
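A sketch of the two audit checks just described, after-hours access and an abnormal number of correction entries, as an added example that is not taken from any audit package. The log format, the operator names, the working hours and the correction limit are all assumptions, and the log lines are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample audit trail: timestamp, operator, entry type.
const sampleLog = `2024-03-04T09:40:00Z alice CORRECTION
2024-03-04T10:06:00Z bob CORRECTION
2024-03-04T10:07:00Z bob CORRECTION
2024-03-04T10:09:00Z bob CORRECTION
2024-03-04T10:12:00Z bob CORRECTION
2024-03-04T23:50:00Z carol POST`

// Assumed policy: hours 08:00-18:00, at most 3 corrections per operator per day.
const openHour, closeHour, maxCorrections = 8, 18, 3

// Review returns operators seen after hours and operators over the daily correction limit.
func Review(log string) (afterHours, manyCorrections map[string]bool) {
	afterHours, manyCorrections = map[string]bool{}, map[string]bool{}
	perDay := map[string]int{} // corrections per operator and date
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue // malformed entry; a real tool would report it
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		if h := ts.Hour(); h < openHour || h >= closeHour {
			afterHours[f[1]] = true
		}
		if f[2] == "CORRECTION" {
			key := f[1] + "|" + ts.Format("2006-01-02")
			if perDay[key]++; perDay[key] > maxCorrections {
				manyCorrections[f[1]] = true
			}
		}
	}
	return afterHours, manyCorrections
}

func main() {
	late, fixes := Review(sampleLog)
	fmt.Println("after-hours access:", late, "| abnormal corrections:", fixes)
}
```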
Computers are also being used increasingly in the fight against crime, both
conventional crime and computer based crime. UK-developed software enables a
computer to browse through vast amounts of financial data looking for possible
connections which might indicate insider trading or foreign exchange fraud. A similar
system is at work at the New York Stock Exchange.
Activity 1 – Why e-companies should be motivated to implement security techniques
7. Summary
This unit has introduced some of the key issues invoked by Computer Crime. You
have seen what Computer Crime is about and why it is important to be aware of it.
You have also been given an overview of computer security measures that can help
tackle the criminal and fraudulent activities related to computing and e-commerce.