CHAPTER 5
Romney/Steinbart
1 of 175
INTRODUCTION
Questions to be addressed in this chapter:
What is fraud, and how are frauds perpetrated?
Who perpetrates fraud and why?
What is computer fraud, and what forms does it take?
What approaches and techniques are used to commit computer fraud?
Information systems are becoming increasingly complex, and society is becoming increasingly dependent on these systems.
Companies also face a growing risk of these systems being compromised.
Recent surveys indicate 67% of companies suffered a security breach in the last year, with almost 60% reporting financial losses.
2008 Prentice Hall Business Publishing
Companies face four types of threats to their information systems.

Natural and political disasters include:
Fire or excessive heat
Floods
Earthquakes
High winds
War and terrorist attack
When a natural or political disaster strikes, many companies can be affected at the same time.
Example: Bombing of the World Trade Center in NY.
The Defense Science Board has predicted that attacks on information systems by foreign countries, espionage agents, and terrorists will soon be widespread.
Software errors and equipment malfunction include:
Hardware or software failures
Software errors or bugs
Operating system crashes
Power outages and fluctuations
Undetected data transmission errors
Estimated annual economic losses due to software bugs = $60 billion.
60% of companies studied had significant software errors in the previous year.
Unintentional acts include:
Accidents caused by:
Human carelessness
Failure to follow established procedures
Poorly trained or supervised personnel
Innocent errors or omissions
Lost, destroyed, or misplaced data
Logic errors
Systems that do not meet needs or are incapable of performing intended tasks
Information Systems Security Assn. estimates 65% of security problems are caused by human error.
Accounting Information Systems, 11/e
Intentional acts (computer crime) include:
Sabotage
Computer fraud
Misrepresentation, false use, or unauthorized disclosure of data
Misappropriation of assets
Financial statement fraud
Information systems are increasingly vulnerable to these malicious attacks.
INTRODUCTION
In this chapter we'll discuss:
The fraud process
Why fraud occurs
Approaches to computer fraud
Specific techniques used to commit computer fraud
Ways companies can deter and detect computer fraud
THE FRAUD PROCESS
A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:

Understand fraud
Discuss the risks of material fraudulent misstatements
Obtain information
The audit team must gather evidence about the existence of fraud by:
Looking for fraud risk factors
Testing company records
Asking management, the audit committee, and others if they know of any past or current fraud or of fraud risks the organization faces.
Special care needs to be exercised in examining revenue accounts, since they are particularly popular fraud targets.
Identify, assess, and respond to risks
Evaluate the results of their audit tests
When the audit is complete, they must evaluate whether any identified misstatements indicate the presence of fraud. If so, they should determine the impact on the financial statements and the audit.
Communicate findings
Auditors communicate their fraud findings to management, the audit committee, and others.
Document their audit work
Auditors must document their compliance with SAS-99 requirements.
Incorporate a technology focus
SAS-99 recognizes the impact that technology has on fraud risks and notes opportunities that auditors have to use technology-oriented tools and techniques to design fraud auditing procedures.
WHY FRAUD OCCURS
They found:
Significant differences between violent and white-collar criminals.
Few differences between white-collar criminals and the general public.
Education
Age
Religion
Marriage
Length of employment
Psychological makeup
Curiosity
A quest for knowledge
The desire to learn how things work
The challenge of beating the system
Spammers
Organized crime
Other hackers
The intelligence community
[Figure: fraud triangle; labels recovered from the slides: Pressures, Rationalization]
Authorization procedures
Clear lines of authority
Adequate supervision
Adequate documents and records
A system to safeguard assets
Independent checks on performance
Separation of duties
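The controls listed above (separation of duties, authorization procedures, independent checks on performance) are the kind of thing SAS-99's "technology focus" invites auditors to test mechanically against company records. The block below is an added example, not from the Romney/Steinbart slides: it runs a separation-of-duties and approval-limit check over a payment log. The role table, the approval limit, the user names and every record in the log are constructed for illustration.

```python
"""
Added example (not from the Romney/Steinbart slides): an automated independent
check over a payment log that tests two of the controls listed above,
separation of duties and authorization procedures. Role table, approval limit
and every record in the log are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal

# Constructed role table: which duties each user may perform.
ROLES = {
    "alice": {"ap_clerk"},                 # enters vendor invoices
    "bob": {"ap_manager"},                 # approves payments
    "carol": {"ap_clerk", "ap_manager"},   # holds two duties that should be separated
    "dave": {"treasury"},                  # releases payments
}

# Duty pairs that one person should never hold together.
CONFLICTING_PAIRS = [("ap_clerk", "ap_manager"), ("ap_manager", "treasury")]

# Constructed authorization procedure: above this amount, two distinct approvers are required.
APPROVAL_LIMIT = Decimal("10000.00")

@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor: str
    amount: Decimal
    entered_by: str
    approved_by: tuple
    released_by: str

# Constructed payment log (not real data).
SAMPLE_LOG = [
    Payment("P-1001", "ACME Supply", Decimal("4200.00"), "alice", ("bob",), "dave"),
    Payment("P-1002", "ACME Supply", Decimal("15000.00"), "alice", ("bob",), "dave"),
    Payment("P-1003", "Nimbus LLC", Decimal("8900.00"), "carol", ("carol",), "dave"),
    Payment("P-1004", "Nimbus LLC", Decimal("25000.00"), "alice", ("bob", "carol"), "bob"),
    Payment("P-1005", "Zeta Ltd", Decimal("300.00"), "alice", ("bob",), "dave"),
]

def conflicting_role_holders(roles: dict) -> set:
    """Static separation-of-duties check on the role table itself."""
    return {user for user, held in roles.items()
            if any(a in held and b in held for a, b in CONFLICTING_PAIRS)}

def check_payment(p: Payment) -> list:
    """Return the control violations for one payment; an empty list means it passed."""
    findings = []
    # Separation of duties on the transaction: enter, approve and release must be different people.
    actors = [p.entered_by, *p.approved_by, p.released_by]
    if len(set(actors)) < len(actors):
        findings.append("same user performed more than one duty")
    # Clear lines of authority: only users holding the approver role may approve.
    for approver in p.approved_by:
        if "ap_manager" not in ROLES.get(approver, set()):
            findings.append(f"approver {approver} lacks ap_manager role")
    # Authorization procedure: large payments need two distinct approvers.
    if p.amount > APPROVAL_LIMIT and len(set(p.approved_by)) < 2:
        findings.append("amount over limit with fewer than two approvers")
    return findings

def audit_log(log) -> dict:
    """Map payment_id -> findings for every payment that fails at least one check."""
    return {p.payment_id: f for p in log if (f := check_payment(p))}

if __name__ == "__main__":
    print("users holding conflicting roles:", sorted(conflicting_role_holders(ROLES)))
    for pid, issues in audit_log(SAMPLE_LOG).items():
        print(pid, "->", "; ".join(issues))
```

The static check on the role table catches the conflict before any transaction exists (carol can both enter and approve); the per-payment check catches the same person acting twice on one payment and a large payment that slipped through with a single approver. Both are independent checks on performance in the sense of the list above: they are run by someone other than the people who processed the payments.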
APPROACHES TO COMPUTER FRAUD
Input
Processor
Computer instructions
Stored data
Output
[Figure: computer fraud classified by the data-processing model: Input fraud, Processor fraud, Computer instructions fraud, Output fraud]
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping: Perpetrators surreptitiously observe private communications or transmission of data. Equipment to commit these electronic wiretaps is readily available at electronics stores.
Email threats
Email forgery (aka, spoofing)
Hacking
Phreaking: Hacking that attacks phone systems and uses phone lines to transmit viruses and to access, steal, and destroy data. Phreakers also steal telephone services and may break into voice mail systems. Some hackers gain access to systems through dial-up modem lines.
Hijacking: Involves gaining control of someone else's computer to carry out illicit activities without the user's knowledge. The illicit activity is often the perpetration of spam emails.
Identity theft: Victims can usually clear their credit, but the effort requires a significant amount of time and expense.
Identity theft was made a federal offense in 1998, but it is a growing crime industry.
One U.S. postal inspector, whose job duties involved investigation of identity thefts, was himself a victim. The thief ran up $80,000 in debt under the postal inspector's identity before the inspector discovered the problem.
Identity theft (continued):
Scavenging or dumpster diving: Searching corporate or personal records by rifling garbage cans, communal trash bins, and city dumps for documents with confidential company information. Thieves may also look for personal information such as checks, credit card statements, bank statements, tax returns, discarded applications for pre-approved credit cards, or other records that contain social security numbers, names, addresses, phone numbers, and other data that allow them to assume an identity.
Redirecting mail: Intercepting mail and having it delivered to a location where others can access it.
Using the Internet, email, and other technology in spoofing, phishing, eavesdropping, impersonating, social engineering, and data leakage schemes.
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
Phishing
Piggybacking: Tapping into a telecommunications line and latching onto a legitimate user before that user logs into a system. The legitimate user unknowingly carries the perpetrator into the system.
Round-down technique: Made famous in the movie Office Space. The programmer instructs the computer to round interest calculations down to two decimal places and deposits the remaining fraction into the account of a programmer or an accomplice.
Salami technique: Involves the theft of tiny slices of money over a period of time. The round-down is just a special form of a salami technique.
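The round-down scheme described above, modelled in Python as an added example (not code from the slides). It posts interest honestly and then the way the fraudulent programmer does, and finishes with the independent check that exposes the scheme. The balances, the interest rate and the account numbers are constructed; exact decimal arithmetic is used throughout because the fraud lives in sub-cent fractions that binary floats would blur.

```python
"""
Added example (not from the Romney/Steinbart slides): the round-down salami
scheme next to a reconciliation check that detects it. Balances, rate and
account numbers are constructed for illustration.
"""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")
RATE = Decimal("0.0375")        # constructed annual interest rate
ACCOMPLICE = "ACCT-9999"        # constructed account the programmer controls

# Constructed customer balances, chosen so each exact interest amount has a sub-cent fraction.
BALANCES = {
    "ACCT-0001": Decimal("1234.24"),
    "ACCT-0002": Decimal("4002.88"),
    "ACCT-0003": Decimal("50000.96"),
    "ACCT-0004": Decimal("319.36"),
    "ACCT-0005": Decimal("24888.32"),
    "ACCT-0006": Decimal("777.92"),
}

def monthly_interest_exact(balance: Decimal) -> Decimal:
    """Unrounded monthly interest for one balance."""
    return balance * RATE / 12

def honest_posting(balances: dict) -> dict:
    """Round each customer's interest to the nearest cent (banker's rounding)."""
    return {acct: monthly_interest_exact(bal).quantize(CENT, rounding=ROUND_HALF_EVEN)
            for acct, bal in balances.items()}

def salami_posting(balances: dict) -> dict:
    """The fraud: round every customer DOWN and credit the leftover fractions to ACCOMPLICE."""
    posted, skimmed = {}, Decimal("0")
    for acct, bal in balances.items():
        exact = monthly_interest_exact(bal)
        down = exact.quantize(CENT, rounding=ROUND_DOWN)
        posted[acct] = down
        skimmed += exact - down            # the slice nobody notices
    posted[ACCOMPLICE] = skimmed.quantize(CENT, rounding=ROUND_DOWN)
    return posted

def detect_round_down(balances: dict, posted: dict) -> dict:
    """
    Independent check run over the posted interest:
    - honest rounding leaves residuals (exact - posted) of both signs; a round-down
      scheme leaves only non-negative residuals;
    - no account without a balance should receive interest;
    - the posted total is compared with an independent recomputation.
    """
    residuals = {acct: monthly_interest_exact(bal) - posted[acct] for acct, bal in balances.items()}
    nonzero = [r for r in residuals.values() if r != 0]
    return {
        "all_rounded_down": bool(nonzero) and all(r > 0 for r in nonzero),
        "accounts_without_balance": sorted(a for a in posted if a not in balances),
        "posted_minus_expected": sum(posted.values()) - sum(honest_posting(balances).values()),
    }

if __name__ == "__main__":
    for label, run in (("honest", honest_posting(BALANCES)), ("salami", salami_posting(BALANCES))):
        print(label, "total posted:", sum(run.values()), detect_round_down(BALANCES, run))
```

Note what the totals show: the fraudulent run posts only one cent less than the honest one, so a reconciliation of the interest-expense total alone would pass. The scheme is visible only per account, in the sign of the rounding residuals, and in the credit to an account that holds no balance.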
Social engineering
Software piracy
Spamming
Spyware: ... as Web-surfing habits, and sends the data it gathers to someone else, typically without the user's permission.
One type, called adware (for advertising-supported software), does two things:
Causes banner ads to pop up on your monitor as you surf the net.
Collects information about your Web-surfing and spending habits and forwards it to a company gathering the data, often an advertising or large media organization.
Adware usually comes bundled with freeware and shareware downloaded from the Internet.
It may be disclosed in the licensing agreement, but users are unlikely to read it.
Reputable adware companies claim they don't collect sensitive or identifying data, but there is no way for users to control or limit the activity.
It is not illegal, but many find it objectionable.
Keystroke loggers
Superzapping
Trap doors: Also called back doors. Programmers create trap doors to modify programs. The trap door is a way into the system that bypasses normal controls. The trap door should be removed before the program is implemented. If it is not, the programmer or others may later gain unauthorized access to the system.
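What a trap door looks like in code, beside the version a pre-implementation review should insist on, as an added example that is not from the slides. The block also carries a small review aid that flags the usual shape of a hard-coded override, since the text's advice ("should be removed before the program is implemented") presumes someone can find it. The user store, salt, password and override string are constructed.

```python
"""
Added example (not from the Romney/Steinbart slides): a trap door in a login
routine, the hardened routine without it, and a review aid that looks for the
shape such a trap door usually takes. User store, salt, password and the
override string are all constructed for illustration.
"""
import ast
import hashlib
import hmac
import inspect
import textwrap

ITERATIONS = 100_000
# Constructed, fixed salt so the example is deterministic; real code draws os.urandom(16) per user.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store: username -> (salt, password hash).
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}

def login_with_trapdoor(username: str, password: str) -> bool:
    """Vulnerable: a maintenance shortcut left in place lets anyone into any account."""
    if password == "letmein-maint":          # the trap door
        return True
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _hash(password, salt))

def login_hardened(username: str, password: str) -> bool:
    """Hardened: the stored credential is the only path to True."""
    rec = USERS.get(username)
    if rec is None:
        _hash(password, _SALT)               # same cost for unknown users, so timing does not leak usernames
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _hash(password, salt))

def scan_for_trapdoor(func) -> list:
    """
    Review aid: parse the function's source and report any ==/!= comparison
    between a parameter named 'password' and a string literal or an
    ALL_CAPS module constant. Returns [(line_in_function, source_text), ...].
    Heuristic only: an obfuscated or encoded override will not match.
    """
    src = textwrap.dedent(inspect.getsource(func))
    hits = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Compare):
            continue
        if not any(isinstance(op, (ast.Eq, ast.NotEq)) for op in node.ops):
            continue
        operands = [node.left, *node.comparators]
        names = {o.id for o in operands if isinstance(o, ast.Name)}
        literal = any(isinstance(o, ast.Constant) and isinstance(o.value, str) for o in operands)
        const_name = any(n.isupper() for n in names)
        if "password" in names and (literal or const_name):
            hits.append((node.lineno, ast.get_source_segment(src, node)))
    return hits

if __name__ == "__main__":
    print("trap door accepts override:", login_with_trapdoor("mallory", "letmein-maint"))
    print("hardened rejects override:", login_hardened("mallory", "letmein-maint"))
    for lineno, text in scan_for_trapdoor(login_with_trapdoor):
        print(f"review: hard-coded password comparison at function line {lineno}: {text}")
```

The scan is deliberately narrow: it finds the plain pattern a developer leaves behind in a hurry, not a deliberately hidden one, and it is a supplement to code review, not a replacement for removing debug paths before release.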
Trojan horse
War dialing: Hackers search for an idle modem by programming their computers to dial thousands of phone lines. Hackers enter through the idle modem and gain access to the connected network.
War driving: Driving around in cars looking for unprotected home or corporate wireless networks. If the hackers mark the sidewalk of the susceptible wireless network, the practice is referred to as warchalking.
Virus: Damage may take many forms:
Send email with the victim's name as the alleged source.
Destroy or alter data or programs.
Take control of the computer.
Destroy or alter file allocation tables.
Delete or rename files or directories.
Reformat the hard drive.
Change file content.
Prevent users from booting.
Intercept and change transmissions.
Print disruptive images or messages on the screen.
Change screen appearance.
As viruses spread, they take up much space, clog communications, and hinder system performance.
Virus: ... segment of code hidden in a host program or executable file.
Worms: A worm will replicate itself automatically, while a virus requires a human to do something like open a file.
Worms often reproduce by mailing themselves to the recipient's mailing list.
They are not confined to PCs and have infected cell phones in Japan.
A worm typically has a short but very destructive life.
It takes little technical knowledge to create worms or viruses; several Websites provide instructions.
Most exploit known software vulnerabilities that can be corrected with a software patch, making it important to install all patches as soon as they are available.
The low-tech, do-it-yourself attack: ... he/she has previously sent you an email that was infected with a virus. The friend's email gives you instructions to look for and remove the offending virus.
You delete the file from your hard drive. The only problem is that the file you just deleted was part of your operating system.
Your friend was well-intended and has done the same thing to his/her computer.
REMEDY: Before even considering following instructions of this sort, check the list of hoaxes that are available on any virus protection Website, such as:
www.norton.com
www.mcafee.com
SUMMARY
In this chapter, you've learned what fraud is, who commits fraud, and how it's perpetrated.
You've learned about the many variations of computer fraud, and you've learned about techniques to reduce an organization's vulnerability to these types of fraud.