LECTURE 4
Romney/Steinbart
1 of 175
INTRODUCTION
Information systems are becoming increasingly complex, and society is becoming increasingly dependent on them.
Companies also face a growing risk of these systems being compromised. Recent surveys indicate 67% of companies suffered a security breach in the last year with almost 60% reporting financial losses.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 2 of 175
INTRODUCTION
Companies face four types of threats to information systems. Natural and political disasters include:
Fire or excessive heat
Floods
Earthquakes
High winds
War and terrorist attack
When a natural or political disaster strikes, many companies can be affected at the same time. Example: Bombing of the World Trade Center in NY. The Defense Science Board has predicted that attacks on information systems by foreign countries, espionage agents, and terrorists will soon be widespread.
INTRODUCTION
Software errors and equipment malfunction include:
Hardware or software failures
Software errors or bugs
Operating system crashes
Power outages and fluctuations
Undetected data transmission errors
Estimated annual economic losses due to software bugs = $60 billion. 60% of companies studied had significant software errors in the previous year.
INTRODUCTION
Unintentional acts include accidents caused by:
Human carelessness
Failure to follow established procedures
Poorly trained or supervised personnel
Unintentional acts also include:
Innocent errors or omissions
Lost, destroyed, or misplaced data
Logic errors
Systems that do not meet needs or are incapable of performing intended tasks
The Information Systems Security Assn. estimates 65% of security problems are caused by human error.
INTRODUCTION
The fourth type of threat, intentional acts, includes:
Sabotage
Computer fraud
Misrepresentation, false use, or unauthorized disclosure of data
Misappropriation of assets
Financial statement fraud
Information systems are increasingly vulnerable to these malicious attacks.
INTRODUCTION
In this chapter we'll discuss:
The fraud process
Why fraud occurs
Approaches to computer fraud
Specific techniques used to commit computer fraud
Ways companies can deter and detect computer fraud
Fraud is any and all means a person uses to gain an unfair advantage over another person. The definition is the same whether it is a criminal or civil fraud case. The only difference is the burden of proof required. Criminal case: beyond a reasonable doubt. Civil case: preponderance of evidence OR clear and convincing evidence. In most cases, to be considered fraudulent, an ...
Income tax fraud (the difference between what taxpayers owe and what they pay to the government) is estimated to be over $200 billion per year. Fraud in the healthcare industry is estimated to exceed $100 billion a year.
Organizations must utilize controls to make it difficult for both insiders and outsiders to steal from the company.
A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
Understand fraud
Discuss the risks of material fraudulent misstatements
Obtain information
The audit team must gather evidence about the existence of fraud by:
Looking for fraud risk factors
Testing company records
Asking management, the audit committee, and others if they know of any past or current fraud or of fraud risks the organization faces
Special care needs to be exercised in examining revenue accounts, since they are particularly popular fraud targets.
Use the gathered information to identify, assess, and respond to risks. Auditors can respond by varying the nature, timing, and extent of auditing procedures they perform. They should also carefully evaluate risks related to management override of controls.
They found:
Significant differences between violent and white-collar criminals.
Few differences between white-collar criminals and the general public.
[Figure: diagram with labels Pressures and Rationalization; no other content recovered]
Lapping: Steal a payment from Customer A. Apply Customer B's payment to Customer A's account so Customer A won't get a late notice. Apply Customer C's payment to Customer B's account, so Customer B won't get a late notice, etc.
Other examples: Charge a stolen asset to an expense account or to an account receivable that is about to be written off. Create a ghost employee who receives an extra paycheck.
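Lapping leaves a trail in the cash-receipts postings: the customer named on the remittance is not the account credited, and each misapplied posting covers the account the previous one left short. The following Python example, added here and not from the textbook, links such postings into chains over a constructed set of postings; the field names, customers and amounts are assumptions.

```python
# Constructed cash-receipt postings (hypothetical data, not from the textbook).
# "remitter" is the customer named on the check or remittance advice;
# "credited" is the customer account the cashier actually credited.
POSTINGS = [
    {"date": "2024-03-01", "remitter": "A", "credited": "A", "amount": 500},
    {"date": "2024-03-08", "remitter": "B", "credited": "A", "amount": 500},  # A's cash stolen; B's payment hides it
    {"date": "2024-03-15", "remitter": "C", "credited": "B", "amount": 500},  # C's payment now hides B's shortfall
    {"date": "2024-03-22", "remitter": "D", "credited": "C", "amount": 500},  # and so on
    {"date": "2024-03-29", "remitter": "E", "credited": "E", "amount": 700},
]


def misapplied_postings(postings):
    """Postings where the remitting customer and the credited account differ."""
    return [p for p in postings if p["remitter"] != p["credited"]]


def lapping_chains(postings):
    """Link misapplied postings into lapping chains.

    A posting that credits account X with Y's money leaves Y short; the next
    posting that credits Y with someone else's money continues the same chain.
    Returns a list of chains, each a list of postings in date order.
    """
    short_to_chain = {}   # account currently short -> the chain that left it short
    chains = []
    for p in sorted(misapplied_postings(postings), key=lambda p: p["date"]):
        chain = short_to_chain.pop(p["credited"], None)
        if chain is None:             # no open shortfall on this account: a new chain starts
            chain = []
            chains.append(chain)
        chain.append(p)
        short_to_chain[p["remitter"]] = chain   # the remitter's own account is now short
    return chains


def lapping_report(postings):
    """Summarise each chain: whose receipt was first stolen, whose payments were
    diverted to hide it, who is short right now, and the amount exposed."""
    report = []
    for chain in lapping_chains(postings):
        report.append({
            "first_victim": chain[0]["credited"],
            "diverted_from": [p["remitter"] for p in chain],
            "currently_short": chain[-1]["remitter"],
            "exposure": sum(p["amount"] for p in chain),
        })
    return report


if __name__ == "__main__":
    for item in lapping_report(POSTINGS):
        print(item)
```

The check only works when the remitter field comes from a source the cashier cannot edit, such as the bank lockbox data or remittance advices handled by a different person.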
One control feature that many companies lack is a background check on all potential employees.
Unfortunately, there is usually a mixture of these forces in play, and it can be very difficult to determine the pressures that may apply to an individual and the rationalizations he/she may be able to produce.
They may also leave very little evidence, which can make these crimes more difficult to detect.
There are a growing number of competent computer users, and they are aided by easier access to remote computers through the Internet and other data networks.
[Figure: diagram with labels Input Fraud, Processor Fraud, Output Fraud; no other content recovered]
Also might include developing a software program or module to carry out an unauthorized activity.
In many cases, disgruntled employees have scrambled, altered, or destroyed data files. Theft of data often occurs so that perpetrators can sell the data.
Most identity thefts occur when insiders in financial institutions, credit agencies, etc., steal and sell financial information about individuals from their employer's database.
Changing data before, during, or after it is entered into the system. Can involve adding, deleting, or altering key system data.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Email threats
Email forgery (aka, spoofing)
Hacking
Phreaking
Hijacking
Identity theft
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
Phishing
Social engineering
Software piracy
Spamming
Spyware
Keystroke loggers
Virus
Worms
The low-tech, do-it-yourself attack
Denial of service attacks are carried out as follows: The attacker infects dozens of computers that have broadband Internet access with denial-of-service programs. These infected computers are the zombies. The attacker then activates the denial-of-service programs, and the zombies send pings (emails or requests for data) to the target server. The victim responds to each, not realizing they have fictitious return addresses, and waits for responses that don't come. While the victim waits, system performance degrades until the system freezes up or crashes. The attacker terminates the program after an hour or two to limit the victim's ability to trace the source.
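The tell-tale sign of the attack just described is a growing pile of requests the server has answered but whose senders never complete the exchange. This added Python example, not from the textbook, replays a constructed connection log for the target and reports when the unanswered backlog crosses a threshold; the log format, addresses, timeout and threshold are all assumptions.

```python
# Constructed connection log as the target server might record it
# (hypothetical format and addresses, not from the textbook).
# Fields: seconds since start, peer address, event:
#   "req" = request arrived and the server replied; now waiting on the peer
#   "ack" = the peer completed the exchange (a genuine client)
LOG = """
0 198.51.100.7 req
0 198.51.100.7 ack
1 203.0.113.10 req
1 203.0.113.11 req
1 203.0.113.12 req
2 203.0.113.13 req
2 203.0.113.14 req
2 198.51.100.8 req
3 198.51.100.8 ack
3 203.0.113.15 req
3 203.0.113.16 req
""".strip().splitlines()


def parse(lines):
    """Turn log lines into (second, peer, event) tuples."""
    events = []
    for line in lines:
        t, peer, ev = line.split()
        events.append((int(t), peer, ev))
    return events


def backlog_timeline(events, timeout=60):
    """Unanswered requests outstanding at the end of each second.

    A wait closes when the peer acks or when it has aged past `timeout`
    seconds (the server gives up). A healthy server's backlog hovers near
    zero; a flood from fictitious senders pushes it steadily upward.
    """
    pending = {}      # peer -> second its request arrived
    timeline = {}     # second -> backlog size after that second's events
    for t, peer, ev in sorted(events, key=lambda e: e[0]):   # stable: keeps log order within a second
        for p in [p for p, t0 in pending.items() if t - t0 > timeout]:
            del pending[p]
        if ev == "req":
            pending.setdefault(peer, t)
        elif ev == "ack":
            pending.pop(peer, None)
        timeline[t] = len(pending)
    return timeline


def flood_indicators(events, max_backlog=5):
    """Return (first second the backlog exceeded max_backlog, or None;
    share of requesting peers that never completed the exchange)."""
    timeline = backlog_timeline(events)
    breaches = [t for t, n in sorted(timeline.items()) if n > max_backlog]
    requesters = {p for _, p, ev in events if ev == "req"}
    completers = {p for _, p, ev in events if ev == "ack"}
    silent_share = len(requesters - completers) / len(requesters) if requesters else 0.0
    return (breaches[0] if breaches else None), silent_share


if __name__ == "__main__":
    first_breach, silent = flood_indicators(parse(LOG))
    print(f"backlog threshold first exceeded at second {first_breach}; "
          f"{silent:.0%} of requesters never answered")
```

A short give-up timeout and the silent-peer share together separate a flood from a genuine traffic spike, where most peers do complete the exchange.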
Email threats: A threatening message is sent to a victim to induce the victim to do something that would make it possible to be defrauded. Several banks in the Midwest were contacted by an overseas perpetrator who indicated that:
He had broken into their computer system and obtained personal and banking information about all of the banks' customers.
He would notify the banks' customers of this breach if he was not paid a specified sum of money.
Email forgery (aka, spoofing): Involves sending an email message that appears to have come from someone other than the actual sender. Email spoofers may:
Claim to be system administrators and ask users to change their passwords to specific values.
Pretend to be management and request a copy of some sensitive information.
Identity theft: Assuming someone's identity, typically for economic gain, by illegally obtaining and using confidential information such as the person's social security number, bank account number, or credit card number. Identity thieves benefit financially by:
Taking funds out of the victim's bank account.
Taking out mortgages or other loans under the victim's identity.
Taking out credit cards and running up large balances.
If the thief is careful and ensures that bills and notices are sent to an address he controls, the scheme may be prolonged until such time as the victim attempts to buy a home or car and finds out that his credit is destroyed.
Identity thieves can steal corporate or individual identities by:
Shoulder surfing: Watching people enter telephone calling card numbers or credit card numbers, or listening to communications as they provide this information to sales clerks or others.
Going through communal trash bins and city dumps for documents with confidential company information. They may also look for personal information such as checks, credit card statements, bank statements, tax returns, discarded applications for pre-approved credit cards, or other records that contain social security numbers, names, addresses, phone numbers, and other data that allow them to assume an identity.
Redirecting mail: Intercepting mail and having it delivered to a location where others can access it.
Using Internet, email, and other technology in spoofing, phishing, eavesdropping, impersonating, social engineering, and data leakage schemes.
Internet misinformation: Another common form of Internet misinformation is the spreading of urban legends, often by innocently forwarding emails. Urban legends may often include damaging implications about company products, such as a recent email suggesting that certain lipsticks contain lead or that using plastic cookware in the microwave can cause cancer. Before forwarding any emails with negative information about individuals, companies, or their products, it's a good idea to check the veracity of the information first. Emails with urban legends often attribute their facts to credible sources, such as the federal government, Stanford University researchers, the FBI, etc. There are several Websites that attempt to verify the truth of emails that are circulated. One such Website is www.snopes.com. You can easily locate the email you received on these Websites by searching under a key term in the email, such as lipstick. You are likely to find that most emails you were getting ready to forward are either false or only partially true.
Masquerading or impersonation: The perpetrator gains access to the system by pretending to be an authorized user. The perpetrator must know the legitimate user's ID and password. Once in the system, he enjoys the same privileges as the legitimate user.
Packet sniffers: Programs that capture data from information packets as they travel over the Internet or company networks. Confidential information and access information can be gleaned from the captured data, some of which is later sold.
Password cracking: An intruder penetrates a system's defenses, steals the file of valid passwords, decrypts them, and then uses them to gain access to almost any system resources.
Phishing: One newly graduated college student recently took a job in California and deposited his first paycheck of approximately $5,000 in the bank. That same night, he received an email from the bank, inviting him to click on the link in the email to set up online banking for his new bank account. He followed directions and provided the requested information to set up online banking. Two hours later, he was nervous and called the bank, only to find out that his bank account had been cleaned out and closed.
As a rule of thumb, it is a good idea not to click on any link provided in an email and to go directly to the Website instead.
PayPal, whose email address is commonly spoofed for phishing scams, offers the following advice:
If PayPal ever sends you an email, they will include your first and last name in the salutation of the email.
If you need to enter PayPal's Website, type https: in the URL instead of http: in order to enter on the company's secured server.
If you receive a suspicious email, get out of your browser and go back in before proceeding directly to a company Website.
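The three pieces of advice above (a named salutation, https, and going to the real site rather than the link) can be turned into a mechanical check on an incoming message. The following Python example is added here and is not from the textbook or from PayPal; the sample message, the trusted domain and the salutation patterns are assumptions, and the host names use reserved example/.invalid names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message body modelled on the "set up online banking" lure above.
# Host names use reserved documentation/.invalid names; nothing here is real.
SAMPLE_HTML = """
<p>Dear Customer, please click
<a href="http://example-bank.login-verify.invalid/setup">https://www.example-bank.com/online-banking</a>
to activate online banking for your new account.</p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">our help page</a>.</p>
"""

# Domains the reader actually does business with (assumed for the example).
TRUSTED_DOMAINS = {"example-bank.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in the message."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted_host(host, trusted):
    """Exact match or a subdomain of a trusted domain; 'trusted.com.evil' does not pass."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def link_findings(html, trusted=TRUSTED_DOMAINS):
    """For each link, list the reasons it fails the advice above (empty = none)."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        reasons = []
        target = urlparse(href)
        host = (target.hostname or "").lower()
        if target.scheme != "https":
            reasons.append("link is not https")
        if not is_trusted_host(host, trusted):
            reasons.append(f"link host {host!r} is not one you do business with")
        shown = urlparse(text) if text.lower().startswith(("http://", "https://")) else None
        if shown is not None and shown.hostname and shown.hostname.lower() != host:
            reasons.append("visible URL differs from the real target")
        report.append({"href": href, "text": text, "reasons": reasons})
    return report


def generic_salutation(html):
    """True when the greeting names no person ('Dear Customer', 'Dear User', ...)."""
    text = re.sub(r"<[^>]+>", " ", html)
    return re.search(r"\bDear\s+(Customer|User|Member|Client)\b", text, re.I) is not None


if __name__ == "__main__":
    print("generic salutation:", generic_salutation(SAMPLE_HTML))
    for finding in link_findings(SAMPLE_HTML):
        print(finding["href"], "->", finding["reasons"] or "ok")
```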
Social engineering: Perpetrators trick employees into giving them information they need to get into the system. A perpetrator might call an employee and indicate he is the systems administrator and needs to get the employee's password.
Spamming: Spammers use creative means to find valid email addresses:
Scanning the Internet for addresses posted online.
Hacking into company databases and stealing mailing lists.
Staging dictionary (aka direct harvesting) attacks. These attacks use special software to guess addresses at a particular company and send blank emails. Messages not returned are usually valid. These attacks are very burdensome to corporate email systems.
Companies may use filtering software to detect dictionary attacks, search mail for competitive leaks, and block inappropriate attachments, such as pornography and illegal MP3 files. Filtering is not always viable. The director of internal audit at a major healthcare company changes email addresses frequently because of the volume of spam email in his inbox. When asked why his company did not filter the spam, he replied, "Because we're a healthcare company, we cannot filter out any references to body parts or prescription medications." There is increasing public clamor for laws to clamp down on spamming. In December 2004, a federal judge awarded over $1 billion to a small Midwestern Internet service provider in an action against three spammers.
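A dictionary (direct harvesting) attack is easy to spot in the mail server's own log: one client tries a long run of guessed recipients and is told "no such user" for most of them. The added Python example below, not from the textbook, scores clients over a constructed log excerpt; it assumes the server rejects unknown recipients at RCPT time with a 550 reply (the page's variant relies on messages that are not returned), and the log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed mail-server log excerpt (hypothetical format and addresses, not
# from the textbook). Each line: timestamp, client IP, RCPT command, reply code
# (250 = recipient accepted, 550 = no such user).
MAIL_LOG = """
2024-05-01T10:00:01 203.0.113.5 RCPT TO:<aaron@example.com> 550
2024-05-01T10:00:01 203.0.113.5 RCPT TO:<aaron1@example.com> 550
2024-05-01T10:00:02 203.0.113.5 RCPT TO:<abbey@example.com> 550
2024-05-01T10:00:02 203.0.113.5 RCPT TO:<abel@example.com> 250
2024-05-01T10:00:02 203.0.113.5 RCPT TO:<abigail@example.com> 550
2024-05-01T10:00:03 203.0.113.5 RCPT TO:<adam@example.com> 550
2024-05-01T10:00:09 198.51.100.20 RCPT TO:<abel@example.com> 250
2024-05-01T10:00:12 198.51.100.20 RCPT TO:<sales@example.com> 250
2024-05-01T10:00:15 198.51.100.21 RCPT TO:<sales@example.com> 550
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) RCPT TO:<([^>]+)> (\d{3})$")


def parse_rcpt(lines):
    """Return (timestamp, client_ip, recipient, reply_code) tuples; skip unparseable lines."""
    rows = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return rows


def harvest_suspects(rows, min_attempts=5, min_reject_ratio=0.7):
    """Flag clients that try many recipients and are mostly told 'no such user'.

    A genuine correspondent knows the addresses it writes to, so its reject
    ratio stays low; a harvesting run guesses names and collects the rejects.
    """
    attempts, rejects = defaultdict(int), defaultdict(int)
    for _, ip, _, code in rows:
        attempts[ip] += 1
        if code == 550:
            rejects[ip] += 1
    suspects = {}
    for ip, n in attempts.items():
        ratio = rejects[ip] / n
        if n >= min_attempts and ratio >= min_reject_ratio:
            suspects[ip] = {"attempts": n, "rejects": rejects[ip],
                            "reject_ratio": round(ratio, 2)}
    return suspects


def harvested_addresses(rows, suspect_ips):
    """Addresses a flagged client learned are valid (accepted with 250): the
    list that now needs extra spam scrutiny."""
    return sorted({rcpt for _, ip, rcpt, code in rows
                   if ip in suspect_ips and code == 250})


if __name__ == "__main__":
    rows = parse_rcpt(MAIL_LOG)
    suspects = harvest_suspects(rows)
    print(suspects)
    print("confirmed to the harvester:", harvested_addresses(rows, suspects))
```

Once a client is flagged, the usual response is to throttle or temporarily reject it, which also limits the burden on the mail system that the text mentions.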
Spyware: Usually comes bundled with freeware and shareware downloaded from the Internet. May be disclosed in the licensing agreement, but users are unlikely to read it. Reputable adware companies claim they don't collect sensitive or identifying data. But there is no way for users to control or limit the activity.
It is not illegal, but many find it objectionable.
Software has been developed to detect and eliminate spyware, but it may also impair the downloaded software.
Some is intentionally difficult to uninstall.
Keystroke loggers: A keystroke logger records a user's keystrokes and emails them to or saves them for the party that planted the logger. These are sometimes used by:
Parents to monitor their children's computer usage.
Businesses to monitor employee activity.
Fraudsters to capture passwords, credit card numbers, etc.
A keystroke logger can be a hardware device attached to a computer or can be downloaded on an individual's computer in the same way that any Trojan horse might be downloaded.
Unauthorized use of special system programs to bypass regular system controls and perform illegal acts. The name is derived from an IBM software utility called Superzap that was used to restore crashed systems.
Virus: Damage may take many forms:
Send email with the victim's name as the alleged source.
Destroy or alter data or programs.
Take control of the computer.
Destroy or alter file allocation tables.
Delete or rename files or directories.
Reformat the hard drive.
Change file content.
Prevent users from booting.
Intercept and change transmissions.
Print disruptive images or messages on the screen.
Change screen appearance.
As viruses spread, they take up much space, clog communications, and hinder system performance.
Virus protections include:
Install reliable virus software that scans for, identifies, and destroys viruses.
Keep the antivirus program up to date.
Scan incoming email at the server level, rather than when it hits the desktops.
Certify all software as virus-free before loading it.
Software from unknown sources may be virus bait, especially if it seems too good to be true.
Deal with trusted software retailers.
Use electronic techniques to make tampering evident.
Check new software on an isolated machine.
Have two backups of all files.
Do not put diskettes or CDs in strange machines, or let others put unscanned disks in your machine.
Worms: A virus is a segment of code hidden in a host program or executable file. A worm will replicate itself automatically, while a virus requires a human to do something like open a file. Worms often reproduce by mailing themselves to the recipient's mailing list. They are not confined to PCs and have infected cell phones in Japan. A worm typically has a short but very destructive life. It takes little technical knowledge to create worms or viruses; several Websites provide instructions. Most exploit known software vulnerabilities that can be corrected with a software patch, making it important to install all patches as soon as they are available.
The low-tech, do-it-yourself attack: You receive an email from a friend saying he/she has previously sent you an email that was infected with a virus. The friend's email gives you instructions to look for and remove the offending virus. You delete the file from your hard drive. The only problem is that the file you just deleted was part of your operating system. Your friend was well-intended and has done the same thing to his/her computer. REMEDY: Before even considering following instructions of this sort, check the list of hoaxes that are available on any virus protection Website, such as:
www.norton.com
www.mcafee.com
Implement a program of segregation of duties between systems functions.
Restrict physical and remote access to system resources to authorized personnel.
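Segregation of duties between systems functions is enforceable in two places: a detective review of who currently holds incompatible functions, and a preventive check before a new grant is approved. The following Python example is added here and is not from the textbook; the incompatible pairs, user names and grants are assumptions standing in for an organisation's own policy and access export.

```python
from itertools import combinations

# Pairs of systems functions that one person should not hold together.
# These pairs are assumptions for the example; a real list comes from the
# organisation's own control policy.
INCOMPATIBLE = {
    frozenset({"programming", "computer operations"}),
    frozenset({"programming", "change management"}),
    frozenset({"security management", "systems administration"}),
    frozenset({"data control", "computer operations"}),
}

# Constructed export of who can do what (hypothetical users and grants).
ASSIGNMENTS = {
    "alice": {"programming", "systems analysis"},
    "bob":   {"programming", "computer operations"},
    "carol": {"security management", "systems administration", "programming"},
    "dave":  {"data control"},
}


def sod_violations(assignments, incompatible=INCOMPATIBLE):
    """Detective check: {user: [conflicting pairs]} for every user holding
    two functions that the policy says must be separated."""
    found = {}
    for user, funcs in assignments.items():
        pairs = [tuple(sorted(p)) for p in combinations(sorted(funcs), 2)
                 if frozenset(p) in incompatible]
        if pairs:
            found[user] = sorted(pairs)
    return found


def conflicts_if_granted(user, new_func, assignments, incompatible=INCOMPATIBLE):
    """Preventive check, run before an access request is approved: the
    functions `user` already holds that would conflict with `new_func`.
    An empty result means the grant keeps duties segregated."""
    held = assignments.get(user, set())
    return sorted(f for f in held if frozenset({f, new_func}) in incompatible)


if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS).items():
        print(f"{user}: holds incompatible duties {pairs}")
    print("granting 'computer operations' to alice conflicts with:",
          conflicts_if_granted("alice", "computer operations", ASSIGNMENTS))
```

Where a small team cannot avoid a conflict, the detective output is the list of users whose activity needs a compensating control such as independent review of their changes.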
SUMMARY
In this chapter, you've learned what fraud is, who commits fraud, and how it's perpetrated. You've learned about the many variations of computer fraud, and you've learned about techniques to reduce an organization's vulnerability to these types of fraud.