Computer Fraud: Analyzing Perpetrators and Methods
By Harold E. Davis and Robert L. Braun

Robust economic growth carries with it the potential for corruption. Evidence that this potential has become reality for many businesses can be found in a 2003 survey by the Computer Security Institute, which showed that 56% of businesses reported some form of unauthorized use of their computer system. The same technology that is driving greater productivity is also facilitating large-scale fraud. The increasing number of technologically skilled individuals accessing a company’s computer system increases the system’s vulnerability to attack from within and without.
General federal laws have been used to prosecute many computer-related crimes; however, these laws are difficult to apply to some computer-related offenses. The most notable antifraud law specifically addressing computer crime is the Computer Fraud and Abuse Act (CFAA). The original focus of the CFAA, enacted in 1984, was to provide a legal recourse against hackers who accessed government and financial-industry electronic data without authorization. Subsequent amendments up to and including the 1996 amendment have, however, broadened the CFAA’s scope to include computers “used in interstate or foreign commerce or communication.” Penalties provided in the CFAA include fines and imprisonment up to a maximum of 20 years.
Analyzing cases tried under the federal laws presents an opportunity to learn about the perpetrators of computer fraud and their methods of operation. Press releases regarding completed and ongoing cases of computer fraud can be found at the Department of Justice website (www.cybercrime.gov/cccases.html). A total of 50 cases between 1999 and 2002 were analyzed.
Perpetrators. Exhibit 1 presents information regarding the perpetrators involved in the cases. The perpetrators are subdivided into two main types: unauthorized users and authorized users. Authorized users are those who, at the time of the fraud, had been granted authorization to use the system for some legitimate purpose. Unauthorized users are those who had not received such authorization or had had such authorization revoked but were still able to gain access.
As Exhibit 1 shows, unauthorized users represented the largest group. Approximately two-thirds were hackers who preyed on weaknesses in security to gain unauthorized access and commit fraud. The “former employees” category refers to cases where the actual crime took place after the employee was released from the company. Often, being laid off or terminated from a company serves as the motivation for computer crime. In general, former employees perpetrated their fraudulent acts by entering the computer system with authentication information (e.g., username and password) that they had used as an employee, that was given to them by a current employee, or that was used by a current employee and also known to the perpetrator without the current employee’s knowledge. A “logic bomb” is another tool used by employees who realize that they are about to be fired. Destructive computer code is inserted in the employer’s software and lies dormant until some event occurs or a period of time passes. Once activated, the malicious code may delete software or data.
Authorized users made up more than one-quarter of all fraud perpetrators. Employees formed the major portion of this group. In these cases, employees either exceeded or abused their authorized level of system access and committed some form of fraud. Half of these employee-related cases involved the copying of sensitive internal information about a customer or client (e.g., credit card or other financial information).
Fraud classification. The article “Computer Fraud—What Can Be Done About It?” (The CPA Journal, May 1995) presented a taxonomy that identified the following five types of computer fraud:
Based on the taxonomy presented above, all of the cases were analyzed to see which type or types of computer fraud were perpetrated, and which areas of the computer system may be more at risk for fraudulent activity. Exhibit 2 shows the cases organized by fraud category.
Data fraud was the most common type of fraud, and copying or modification of data was the most common subcomponent of this category. Within this subcomponent, credit card numbers, other financial information, and system access information were the most common types of data that were copied. The second most common type of fraud was software fraud; the installation or modification of software was the most prevalent subcomponent. It should be noted that this subcomponent requires a relatively high level of technical expertise. As a result, the perpetrators in this group were those with technical expertise (e.g., hackers and systems administrators), hackers being the most prevalent. Some of the effects of the unauthorized modification or installation of software included the copying of usernames and passwords, the deletion of data or software, the storage and use of files by hackers, and the activation of a virus that caused a system to become inoperative for several days.
The remaining types of computer fraud were theft of computer time, input fraud, and output fraud. Theft of computer time involved denial-of-service attacks and the unauthorized use of processor resources in order to run hacker programs. Input fraud activities included creating false documents and using keylogging software to record the input keyed into a system. Output fraud was the least common type of fraud found in the cases reviewed. Sending unauthorized e-mails with intentionally false information was the method most used in the prosecuted output cases.
Other results. Exhibit 3 presents other information related to the cases. First, the average age of a perpetrator was 29, and the average time between the initial perpetration of the fraud and the time the perpetrator was charged with a crime was 14 months. Second, the vast majority of the cases involved a guilty plea (81%) rather than a guilty verdict as the result of a trial. This may reflect the increased efforts and expertise of the FBI and the Computer Crime and Intellectual Property Section of the Department of Justice in combating these activities. Third, the average prison time was 23 months. Additionally, some of the punishment given at sentencing included a 36-month supervised release following the prison sentence or, to a lesser extent, some type of home confinement that lasted between three and 24 months. Only a few cases involved a probationary period in lieu of prison time. The range of fines associated with sentencing was wide, from $4,000 to $7.9 million. The average fine imposed was $401,000; the median fine was $46,000. Many sentences also included a restriction on computer use, effectively increasing the financial penalty by restricting employment alternatives.
Recent Changes in Federal Legislation
The USA Patriot Act in 2001 amended the CFAA to provide a broader scope for prosecutors in the process of fraud litigation. While this amendment became law in October 2001, the effects of the amendment in actual court cases will take time to become evident.
Changes attributable to the act include the following:
Most potential solutions start with improving the control environment. The control environment is the tone of the organization; it influences the attitude of its people toward controls and risk. The control environment affects computer security in a myriad of ways. For example, proper assignment of authority and responsibility can reduce the opportunity and ability to rationalize fraud. Corporate attitude toward personnel management issues can have a direct effect on the control activities over hiring and firing of employees—activities closely associated with computer system vulnerability. Perhaps the most important control environment factor is the attitude toward integrity and ethics throughout the organization. An organization that communicates and supports its commitment to integrity will create an environment hostile to fraud.
Another way organizations can create an environment hostile to computer fraud is to prosecute fraud perpetrators. Prosecution, however, may not be the first choice for many businesses. Common reasons why organizations do not take legal action include a fear of bad publicity, high legal costs, and the desire for a timelier resolution than can be provided through the courts. Even so, businesses must weigh the costs and benefits of prosecution, specifically, the deterrent effect of prosecuting perpetrators and the impact on the control environment.
Unauthorized users. Under the umbrella of the control environment, more-specific control procedures can and should be put in place to combat the particular types of fraud identified above. For threats arising from unauthorized users, quality access controls over software and hardware are paramount. A key consideration in developing such controls is to grant access to system resources only to those who need it to fulfill their job responsibilities. Another key is to prohibit access by unauthorized individuals through effective authentication policies, firewalls, and antivirus software. Additionally, general awareness of system vulnerability and reporting of concerns should be the responsibility of all employees. One or more specific employees, however, should have the responsibility to continuously monitor security flaws in software or hardware and take appropriate action.
Controls over hiring and firing practices can also help prevent unauthorized access by former employees. Improvements in hiring practices can be a cost-effective means of preventing losses attributable to former employees and reducing the need for involuntary termination. While background checks are valuable for all new hires, they are crucial for employees with access to sensitive information and information technology resources. Furthermore, as employees are promoted to new levels of responsibility, additional background checks should be considered. In the event that termination is necessary, companies should immediately delete all the access information of the affected employee, consider requiring that coworkers of the terminated employee change access information, and make efforts to inform all current employees of the termination. Additionally, companies should consider evaluating, prior to their departure, the activities of employees whose positions require technical computer expertise and a high level of system access (e.g., systems administrators, software developers). In a few of the analyzed cases, these types of employees inserted code into or modified the system so that files would be deleted after their departure. Companies or government agencies that hire consultants should ensure that the consulting firm has similar controls over hiring and firing their employees with system access privileges. The consultant’s control procedures should include the immediate deletion of access information to the client’s system and the notification to the client and other employees that the person is no longer associated with the firm.
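The termination controls above (delete the departing employee’s access immediately, have coworkers who shared a credential change it, notify remaining staff, and review a privileged employee’s recent changes before they leave) can be written down as a checklist that runs against the account directory. The following is an example added here, not code from the article or from any product; the account directory, the credential-holder map, the change log and the 30-day review window are constructed assumptions.

```python
"""Offboarding checklist modelled on the article's termination controls.

Added example (not from the original article). All users, credentials and
change-log entries below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Account:
    user: str
    role: str
    enabled: bool = True


# Constructed directory of current accounts.
DIRECTORY = {
    "dana": Account("dana", "sysadmin"),
    "eve": Account("eve", "developer"),
    "frank": Account("frank", "accountant"),
}

# Constructed map of which employees know each credential. A credential known
# by more than one person (here a shared backup password) must be changed by
# the remaining holders when any one of them leaves.
CREDENTIAL_HOLDERS = {
    "cred-dana": {"dana"},
    "cred-eve": {"eve"},
    "cred-shared-backup": {"dana", "eve"},
}

# Constructed change log: (date, user, action, target).
CHANGE_LOG = [
    (date(2004, 2, 1), "dana", "modify", "/etc/hosts"),
    (date(2004, 3, 1), "dana", "modify", "/opt/app/bin/cleanup.sh"),
    (date(2004, 3, 9), "dana", "create", "/etc/cron.d/nightly-purge"),
    (date(2004, 3, 10), "eve", "modify", "/srv/www/index.html"),
]

# Roles whose recent changes get a pre-departure review (assumption).
PRIVILEGED_ROLES = {"sysadmin", "developer"}


def offboard(user, today, directory, holders, change_log, review_days=30):
    """Apply the termination controls for `user` and return a report of
    what was disabled, which credentials must be rotated and by whom,
    which recent changes need review, and who should be notified."""
    if user not in directory:
        raise KeyError(f"unknown user {user!r}")
    acct = directory[user]

    # 1. Immediately disable the departing employee's own access.
    acct.enabled = False

    # 2. Credentials the departing employee also knew must be changed by the
    #    coworkers who still use them.
    rotate = {}
    for cred, knowers in holders.items():
        if user in knowers and len(knowers) > 1:
            rotate[cred] = sorted(knowers - {user})

    # 3. For privileged staff, list recent changes so that anything scheduled
    #    to fire after departure (e.g. a new cron job) can be inspected.
    review = []
    if acct.role in PRIVILEGED_ROLES:
        cutoff = today - timedelta(days=review_days)
        review = sorted(
            (d.isoformat(), action, target)
            for d, who, action, target in change_log
            if who == user and d >= cutoff
        )

    # 4. Everyone still enabled is informed of the departure.
    notify = sorted(u for u, a in directory.items() if a.enabled)

    return {"disabled": user, "rotate": rotate, "review": review, "notify": notify}


if __name__ == "__main__":
    report = offboard("dana", date(2004, 3, 12), DIRECTORY, CREDENTIAL_HOLDERS, CHANGE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The review list is deliberately limited to a recent window so that the reviewer looks at the changes a departing administrator made while aware of the coming termination, rather than at their whole history.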
Authorized users. Better control over authorized access can be achieved through enhanced system access monitoring. Most software packages allow monitoring of access to sensitive files. Such monitoring can track when a file was accessed, who accessed it, and what type of activity was performed. Abnormal access patterns may be indicative of fraudulent behavior (e.g., an employee on vacation who accesses a file). Additionally, this information could be a valuable source of evidence if fraud occurred and the company decides to prosecute the perpetrator.
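The access-monitoring idea above (who touched which sensitive file, when, and whether that pattern is abnormal) combined with the need-to-know principle from the “Unauthorized users” discussion can be checked mechanically against a file-access log. The example below is added here and is not code from the article or from any monitoring product; the log line format, the sample log, the entitlement table, the leave calendar, the disabled-account list and the business-hours window are all constructed assumptions. Each finding keeps the raw log line so that it can serve as evidence later.

```python
"""Audit a file-access log for abnormal access patterns.

Added example (not from the original article). The log format and all
sample data are constructed.
"""
import re
from datetime import date, datetime

# Assumed log format: "YYYY-MM-DD HH:MM:SS user=<name> file=<path> action=<verb>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"file=(?P<file>\S+) action=(?P<action>\S+)$"
)

# Constructed sample log.
SAMPLE_LOG = """\
2004-03-15 09:12:44 user=frank file=/finance/cardholders.csv action=read
2004-03-15 13:40:02 user=eve file=/src/app/main.c action=write
2004-03-16 02:14:07 user=frank file=/finance/cardholders.csv action=copy
2004-03-17 10:05:19 user=eve file=/finance/cardholders.csv action=read
2004-03-18 11:30:00 user=dana file=/etc/passwd action=read
2004-03-18 11:31:00 user=gina file=/hr/salaries.xls action=read
"""

# Need-to-know entitlements: the directory trees each user's job requires.
ENTITLEMENTS = {
    "frank": ("/finance/",),
    "eve": ("/src/",),
    "gina": ("/hr/",),
}
# Approved leave (inclusive dates): frank is on vacation 14-20 March.
LEAVE = {"frank": (date(2004, 3, 14), date(2004, 3, 20))}
# Accounts belonging to terminated employees; any use is a finding.
DISABLED = {"dana"}
# Hours in which routine access is expected (07:00-19:59).
BUSINESS_HOURS = range(7, 20)


def parse_line(line):
    """Return a dict for a well-formed line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def audit(log_text, entitlements=ENTITLEMENTS, leave=LEAVE, disabled=DISABLED):
    """Return one finding per suspicious log line. Each finding lists every
    rule the line tripped and carries the raw line as evidence."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            # A line the monitor cannot read is itself worth a look.
            findings.append({"line": lineno, "user": None, "file": None,
                             "reasons": ["unparseable"], "evidence": line})
            continue
        user, path, ts = rec["user"], rec["file"], rec["ts"]
        reasons = []
        if user in disabled:
            reasons.append("disabled-account")
        if not any(path.startswith(p) for p in entitlements.get(user, ())):
            reasons.append("outside-entitlement")
        if user in leave:
            start, end = leave[user]
            if start <= ts.date() <= end:
                reasons.append("on-leave")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if reasons:
            findings.append({"line": lineno, "user": user, "file": path,
                             "reasons": reasons, "evidence": line})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f['line']}: {', '.join(f['reasons'])} :: {f['evidence']}")
```

The rules are intentionally simple and independent: a single line may trip several of them (the night-time copy by an employee on vacation trips two), and the combination is usually a stronger signal than any one rule alone.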
Harold E. Davis, DBA, CPA, is an assistant professor and Robert L. Braun, PhD, CIA, is an associate professor of accounting, both at Southeastern Louisiana University.