
UNIT 4 - Computer Crime

TABLE OF CONTENTS

CONTENT
1. COMPUTER CRIME: A DEFINITION
2. COMPUTER CRIME: A NOTORIOUS CASE
3. FORMS OF COMPUTER CRIME
   3.1 COMPUTER THEFT
   3.2 UNAUTHORISED USE / ACCESS / MODIFICATION
   3.3 THE COMPUTER MISUSE ACT, 1990
4. THE AMOUNT OF COMPUTER CRIME IS FAR GREATER THAN WE THINK
5. WHO ARE COMPUTER CRIMINALS?
   5.1 MOTIVATIONS THAT CAN LIE BEHIND COMPUTER CRIMES
6. COMPUTER SECURITY
   6.1 SECURING ELECTRONIC COMMERCE
   6.2 DIGITAL SIGNATURES
   6.3 PASSWORDS
   6.4 ACCESS CONTROL SOFTWARE
   6.5 FIREWALLS
   6.6 BIOMETRICS
   6.7 AUDIT CONTROL SOFTWARE PACKAGES
7. SUMMARY

BIS2061 1 Unit 4
Content

1. Computer Crime: A Definition


Computer crime has been defined broadly as a criminal act that has been committed
using a computer as the principal tool. Some have also drawn a distinction between
computer-related fraud and computer-assisted fraud. In the former the computer is
purely coincidental. In the latter the computer is used to commit the fraud.
However, others have argued that a genuine computer fraud is one which would not
take place without the use of a computer. If we accept this tight definition, then
the real computer fraud needs computer expertise and greater skills to perpetrate
than do computer-assisted and computer-related frauds. But when most people talk
about computer crime, they are usually referring to the fact that a computer has
been the object, subject or instrument of a crime.

2. Computer Crime: A Notorious Case


‘On Christmas Eve, 1987, a 26 year old clerk at Lloyds Bank in Amsterdam, Frans
Noe, ordered that sums of $8.4m and $6.7m be transferred via the SWIFT
international funds transfer system from the Lloyds branch in New York to an account
he had opened with the Swiss Bank Corporation in Zurich. The young Dutchman then
flew to Switzerland to collect the money. But owing to an unforeseen computer
malfunction, the transfer of the $6.7m failed to go through. Returning after Christmas,
fellow employees saw the failed transaction on their screens and reported it. Noe was
subsequently arrested and returned to Amsterdam, where he then threatened to leak
the news of his security breach to the press unless the bank dropped all charges
against him. In May 1988 the 'flying' Dutchman was jailed for 18 months for breaking
into a computer system and his two accomplices got 12 months each.’
(Forester and Morrison, 1990)

3. Forms of Computer Crime


3.1 Computer Theft

Computer crime can take the form of:

§ the theft of money, for example, the transfer of payments to the wrong accounts
§ the theft of information, for example, by tapping into data transmission lines or
databases at no cost
§ the theft of goods by their diversion to the wrong destination
§ the theft of computer time, for example, use of an employer's computer resources
for personal work

Two techniques of computer theft are:

1. The Salami, which involves spreading the haul over a large number of transactions
like slices of salami. For example, a bank clerk might shave a trivial sum off many
customer accounts to make up a large sum in his / her account
2. The Trojan Horse, which involves the insertion of false information into a
program in order to profit from the outcome. For example, a false instruction to
make payments to a bogus company

3.2 Unauthorised Use / Access / Modification

Computer crime can take the form of unauthorised use or access to information
systems, or the modification of programs to benefit the fraudster. Techniques include:

§ Piggybacking, which involves tapping into communication lines and riding into a
system behind a legitimate user with a password
§ Data Diddling, which entails swapping one piece of data for another

Computer crime can also take the form of hacking, sabotage and blackmail. Hacking
or computer burgling involves breaking into other people's systems for fun or with the
intent to blackmail or commit sabotage. Techniques include:

§ Scavenging for stray data or garbage for clues that might unlock the secrets of a
system
§ Zapping, which means penetrating a computer by unlocking the master key to its
program and then destroying it by activating its own emergency program
§ Worms or worm programs entail the deletion of portions of a computer's memory,
thus creating a hole of missing information
§ Time bombs or Logic bombs, which involve the insertion of routines that can be
triggered later by the computer's clock or a combination of events. When the
bomb goes off, the entire system, perhaps worth millions, will crash
§ Viruses are self-replicating programs which can have a similar effect to Time or
Logic bombs

3.3 The Computer Misuse Act, 1990

Computer crime that takes the form of unauthorised use or access to information
systems or the modification of programs to benefit the fraudster is covered under the
(UK) Computer Misuse Act, 1990. The Act introduces three new criminal offences:

§ Unauthorised access to computer material. Described as simple hacking - that is,
using a computer without permission. This now carries a penalty of up to six
months in prison or a £2000 fine, and is tried in a Magistrate's Court
§ Unauthorised access to computer material with the intent to commit or facilitate
the commission of further offences. This section of the Act covers actions such as
attempting to use the contents of an email message for blackmail. This is viewed
as a more serious offence; the penalty is up to five years' imprisonment and an
unlimited fine
§ Unauthorised modification of computer material. This section of the Act covers
distributing a computer virus, or malicious deletion of files, as well as direct
actions such as altering an account to obtain fraudulent credit

The latter two offences are tried before a jury. The Act also includes the offence of
conspiracy to commit and incitement to commit the three main offences. This aspect
of the Act makes even discussion of specific actions which are in breach of the main
sections questionable practice. It is sufficient to be associated with an offender in
planning the action, or to suggest carrying out an action which is illegal under the Act,
to be in a position to be charged.

Now do Review Question 1

4. The Amount of Computer Crime is far Greater Than We Think

There are two main reasons why many experts believe that the amount of computer
crime is much greater than we currently estimate:
§ It is clear that many crimes go completely undetected because so many are
discovered by accident and because so many are, by their very nature, simply very
hard to detect
§ Very few computer frauds are made public because companies, especially banks
and other financial institutions, are loath to admit that their security systems are
fallible. Publicity of this nature is disastrous for public relations and it could lead
to the loss of customer confidence, so they prefer to cover matters up

Commentators list some reasons why non-reporting of computer crime is so
widespread:
‘There is very little benefit for the victim. The law is unlikely to be able to undo the
damage caused and the criminal is unlikely to be convicted. In addition, much staff
time is likely to be tied up assembling evidence (if it can be collected at all), and
wider knowledge of the crime is likely to harm the future prospects of the victim
organisation.’ (Forester and Morrison, 1990)

What is therefore clear is that nobody is very sure about the true extent of computer
crime, but most analysts who have researched the problem believe it is large and
growing. Data crime deserves to be as much a social issue as more traditional areas of
law and order such as crimes against the person, crimes against property and the
maintenance of public peace.

5. Who are Computer Criminals?


In a review of the major British studies of computer crime, researchers found that the
vast majority (80 percent) of crimes involving computers were carried out by
employees rather than outsiders.
Of all computer crimes committed:

§ 25 percent were carried out by managers or supervisors
§ 24 percent by computer staff
§ 31 percent were committed by lowly clerks and cashiers who had little in the
way of technical skills

Moreover, nearly all computer criminals were first time offenders who were,
according to researchers, motivated by greed, pressing financial worries and other
personal problems such as alcohol or drug dependency.

There is a commonly held view that the typical computer criminal is something of a
whiz kid, with highly developed computing skills and a compulsive desire to beat the
system. But researchers showed that the substance for this image is absent:
‘Not many crimes demonstrate high technical ingenuity on the part of the perpetrator.
Most exhibit an opportunistic exploitation of an inherent weakness in the computer
system being used. Most computer criminals tend to be relatively honest and in a
position of trust; few would do anything to harm another human, and most do not
consider their crime to be truly dishonest.’

The theft of computer time, usually in the form of unauthorised use of an employer's
computer, is a grey area in which there are no easy answers. Unauthorised use is
technically theft of processing and storage power, yet most employers turn a blind eye
to employees using the company's computers in moderation for such purposes
‘As preparing individual tax returns or doing the mailing list for the local church.’
(Forester and Morrison, 1990)

Using company computers for financial gain such as private consulting work is
clearly unethical, unless the employee's employment contract, for example, with a
university, specifically allows it. Sacking for this kind of computer abuse is not
unheard of, although managers usually tread warily for fear of destroying staff
morale.

5.1 Motivations That Can Lie Behind Computer Crimes

Jay Bloombecker (in Forester and Morrison, 1990) has listed eight motivations that
can lie behind computer crimes. More often than not computer criminals see the
computer environment as:

§ A kind of playpen for their own enjoyment
§ A land of opportunity where crime is easy
§ A cookie jar which readily solves pressing financial or personal problems
§ A soapbox for political expression
§ A fairyland of unreality
§ A toolbox for tackling new crimes or modernising traditional crimes
§ A magic wand that can be made to do anything
§ A battle zone between management and alienated employees, the crime often
taking the form of sabotage

This latter perspective is supported by a US survey which found, for instance, that 63
percent of accountants and 75 percent of computer professionals steal because:
‘They feel frustrated or dissatisfied about some aspect of their job. This could be an
accurate reflection on the lack of autonomy, minimal job variety and poor
management communications often endemic of computer work.’

Others have surmised that:

§ The intellectual challenge of fooling a system plays an important role in
motivating individuals to commit computer crime
§ Computer crime involves very little physical risk, as opposed to a bank hold-up
§ Computer crimes can be committed alone, without talkative associates, thus
further reducing the risk of detection
§ As in Bloombecker's notion of fairyland, computer crimes can often appear not to
be criminal acts: shuffling numbers around in a remote and abstract way is not
quite the same as handling gold bars or huge piles of paper money

Now do Review Question 2

6. Computer Security

6.1 Securing Electronic Commerce

A costly problem that plagues corporations and on-line vendors arises when culprits
steal passwords and use phoney identifiers to make fraudulent purchases. Although
most e-commerce sites are secured adequately, there have been numerous security
lapses, which have sometimes put sensitive consumer data at risk.

Spinello (2000) argues that if vendors are to achieve a basic level of security for
commercial Web sites, they must address two problems:

§ Securing the Web server and the files that it contains
§ Guaranteeing the integrity of the information that travels between Web server and
the end user. This includes user names, passwords, credit card numbers, and so
forth

All sensitive information must be protected adequately from the risk of being
intercepted by hackers and computer criminals.

Securing the Web server itself can usually be accomplished by using standard
computer security techniques, such as authentication mechanisms and intrusion
protection devices. Gatekeepers and digital locks can also secure networks on which
these servers reside.

The more complicated problem is securing information in transit between the server
and the end user. The only sure way to secure this data is through encryption:
encoding the transmitted information so that only an authorised recipient can read it
with a proper key that decodes the information. Protocols such as the SET (Secure
Electronic Transaction) standard are used to encrypt credit card information being
transmitted over the Internet. An alternative protocol is Netscape's Secure Sockets
Layer (SSL), which automatically encrypts information sent to Web sites and then
decrypts it before the recipient reads it.

6.2 Digital Signatures

The best way to verify identity is via the use of digital signatures. This technology
also relies on the use of encryption keys to encode and decode a message. In this case,
a private key is used to sign one's signature to some message or piece of data and a
public key is used to verify a signature after it has been sent. The public key might be
published in a directory or otherwise made available to other users. Spinello presents
a scenario to best describe the functioning of digital signatures:

Assume that John and Mary are exchanging e-mail, and Mary wants to verify John's
identity. Mary can send John a letter with a random number, requesting that he
digitally sign that number and send it back. John receives the letter, and digitally
signs the random number with his private key. When the letter is sent back to Mary,
she verifies that signature with her copy of John's public key. If the signature matches,
she knows that she is communicating with John, assuming that John has been
careful with his private key.

These digital signatures will undoubtedly play a major role in preventing
impersonation during e-commerce transactions.
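
The John and Mary exchange above, as an added example in Go that is not part of the original unit. It assumes Ed25519 as the signature scheme (the unit names none) and uses hypothetical function and type names; tracking each random number as single-use goes slightly beyond the scenario, to show why the number must be fresh.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrUnknownChallenge = errors.New("challenge was never issued or is already used")
var ErrBadSignature = errors.New("signature does not verify under the stored public key")

// NewKeyPair is John's one-time step (Ed25519 is this example's assumption).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Verifier is Mary's side: John's public key plus her unanswered challenges.
type Verifier struct {
	pub     ed25519.PublicKey
	pending map[string]bool
}

func NewVerifier(pub ed25519.PublicKey) *Verifier {
	return &Verifier{pub: pub, pending: map[string]bool{}}
}

// Issue produces the random number Mary sends to John.
func (v *Verifier) Issue() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // without randomness there is no safe fallback
	}
	v.pending[string(c)] = true
	return c
}

// Sign is John's side: sign the received number with his private key.
func Sign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Check consumes the challenge, so a captured response cannot be replayed.
func (v *Verifier) Check(challenge, sig []byte) error {
	if !v.pending[string(challenge)] {
		return ErrUnknownChallenge
	}
	delete(v.pending, string(challenge))
	if !ed25519.Verify(v.pub, challenge, sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	mary := NewVerifier(pub)
	c := mary.Issue()
	sig := Sign(priv, c)
	fmt.Println("first response:", mary.Check(c, sig))
	fmt.Println("replayed response:", mary.Check(c, sig))
}
```

A response signed with any other private key, or an old signature presented against a new number, fails with ErrBadSignature.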

6.3 Passwords

Computer security can be greatly improved by the adoption of relatively simple,
common sense measures. Passwords allowing access to systems, for instance, can be
made less obvious and memorable by avoiding such passwords as partner's names.
Passwords should be issued only to the absolute minimum of people requiring access.
A survey by a British insurance broker found that words chosen for passwords were
mostly useless and very easy for colleagues to guess. Top of the list in the UK was
Fred followed by God, Pass and Genius, while many chose the names of their
spouses or family pets. In the US apparently the favourite password is Love, closely
followed by Sex.

6.4 Access Control Software

Access control software closes password loopholes. This software restricts users,
individually identified by password and codes, to only those files they are authorised
to use. Even then, the software permits the users to perform only authorised functions,
such as appending or deleting information, and they can no longer browse through
parts of the system which they are not entitled to enter. One obvious and major
limitation with access control software, however, is that it does not protect the
company against frauds committed by employees while going about their legitimate
tasks, and as illustrated above, a high proportion of computer crimes occurs this way.

Many companies have installed dial back or black box systems to protect their assets.
When a user dials into a computer, a black box intercepts the call and demands a
password. The unit then disconnects the call, looks up the password in the directory
and calls the user back at his / her listed telephone number: fraudsters dialling from
another telephone number will be screened out. A large mainframe may have
hundreds of ports of entry from remote stations and each one has to be protected by
these units.

Scrambling devices and encryption software are additional methods which scramble
messages for transmission so that only the legitimate recipient can decode and
understand them. Anyone tapping into, for example, a bank's communication line or
eavesdropping on the electromagnetic waves emitted from a computer or piece of
electronic equipment will pick up only the scrambled message. Encryption devices in
the form of DSPs (Digital Signal Processors) are being used increasingly to scramble
voice and data messages over telephone networks. Voice encryption is obviously vital
in the military and security agencies.

6.5 Firewalls

A firewall consists of hardware and / or software designed to insulate an organisation's
internal network from the Internet. Firewall software gives access only to trusted
Internet addresses and scrutinises data for irregularities or signs of danger. Ideally
firewalls are configured so that all connections to an internal network go through
relatively few well-monitored locations. Firewalls can sometimes be used to protect
the Web server, but most companies set up public Web sites outside the firewall to
make them more easily accessible to those trying to buy their products.

6.6 Biometrics

Another weapon in the fight against computer crime is biometrics, or the digitising of
biological characteristics. These include:

§ Fingerprints
§ Voice recognition
§ The veins of the back of the hand
§ The pattern of blood vessels in the retina

These scanning devices are now being used to control access to computer rooms, bank
vaults and military bases.

6.7 Audit Control Software Packages

Audit control software packages are also available which can monitor transactions or
the use of a computer. These enable auditors to trace and identify any operator who
gains access to the system and when this occurred, such as after-hours. Audits can
also highlight any abnormal number of 'correction entries', which often indicates the
trial-and-error approach of fraudulent activity.
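
The two checks this section describes, after-hours access and an abnormal number of correction entries, applied to a small audit trail; this is an added example in Go, not software from the unit. The log layout, the 08:00 to 18:00 UTC business hours and the threshold of three corrections are assumptions, and the sample lines are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed audit trail; the "timestamp operator action" layout is an
// assumption made for this example, not a format from the unit.
const sampleLog = `2024-03-04T09:12:00Z clerk17 LOGIN
2024-03-04T10:02:31Z clerk04 LOGIN
2024-03-04T10:05:00Z clerk04 CORRECTION
2024-03-04T10:06:12Z clerk04 CORRECTION
2024-03-04T10:07:45Z clerk04 CORRECTION
2024-03-04T10:09:03Z clerk04 CORRECTION
2024-03-04T14:20:00Z clerk17 CORRECTION
2024-03-04T22:41:07Z clerk09 LOGIN
2024-03-04T22:43:00Z clerk09 POST
corrupted line without fields`

// Analyze returns, per operator, the reasons an auditor should look at them:
// activity outside [openHour, closeHour) UTC, or more than maxCorrections
// correction entries. It also counts unparseable lines so gaps stay visible.
func Analyze(log string, openHour, closeHour, maxCorrections int) (map[string][]string, int) {
	afterHours := map[string]int{}
	corrections := map[string]int{}
	skipped := 0
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			skipped++
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			skipped++
			continue
		}
		if h := ts.UTC().Hour(); h < openHour || h >= closeHour {
			afterHours[f[1]]++
		}
		if f[2] == "CORRECTION" {
			corrections[f[1]]++
		}
	}
	findings := map[string][]string{}
	for op, n := range afterHours {
		findings[op] = append(findings[op], fmt.Sprintf("%d after-hours events", n))
	}
	for op, n := range corrections {
		if n > maxCorrections {
			findings[op] = append(findings[op], fmt.Sprintf("%d correction entries", n))
		}
	}
	return findings, skipped
}

func main() {
	findings, skipped := Analyze(sampleLog, 8, 18, 3)
	fmt.Println(findings, "skipped lines:", skipped)
}
```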

Computers are also being used increasingly in the fight against crime, both
conventional crime and computer based crime. UK-developed software enables a
computer to browse through vast amounts of financial data looking for possible
connections which might indicate insider trading or foreign exchange fraud. A similar
system is at work at the New York Stock Exchange.

Activity 1 – Why e-companies should be motivated to implement security
techniques

Now do Review Question 3

7. Summary

This unit has introduced some of the key issues raised by computer crime. You
have seen what computer crime is about and why it is important to be aware of it.
You have also been given an overview of computer security measures that can help
tackle the criminal and fraudulent activities related to computing and e-commerce.
