At the end of this week you will be able to:
Define computer crime
List the forms of computer crime
Apply the Computer Misuse Act, 1990 and the Theft Act, 1968 to cases of computer crime
Describe the profile of a typical computer criminal
Explain the motivations that lie behind computer crimes
Describe why the amount of computer crime is far greater than commentators think
List the emerging threats in computer crime
List the methods for securing electronic commerce
Describe the types of scams on the Internet
According to Jennifer Davies there are three types of behaviour that warrant the term criminal offence:
The other branch of the law is civil law, where an action is brought by one
or more legal persons (the plaintiff) against another (the defendant). More
often than not it is a claim for damages. Jennifer Davies states that the onus
of proof is less in a civil case than in a criminal one.
Computer crime has been defined broadly as a criminal act that has been committed using a computer as the principal tool. Some have also talked in terms of a distinction between computer related fraud and computer assisted fraud. In the former the computer is purely coincidental; in the latter the computer is used to commit the fraud. However, others have argued that a genuine computer fraud is one which would not take place without the use of a computer. If we accept this tight definition, then the real computer fraud needs computer expertise and greater skills to perpetrate than do computer assisted and computer related frauds. But when most people talk about computer crime, they are usually referring to the fact that a computer has been either the object, the subject or the instrument of a crime.
Computer crime can take the form of:
the theft of money, for example, the transfer of payments to the wrong accounts
the theft of information, for example, by tapping into data transmission lines or databases at no cost
the theft of goods by their diversion to the wrong destination
the theft of computer time, for example, use of an employer's computer resources for personal work
Two techniques of computer theft are:
The Salami, which involves spreading the haul over a large number of transactions like slices of salami. For example, a bank clerk might shave a trivial sum off many customer accounts to make up a large sum in his / her own account
The Trojan Horse, which involves the insertion of false information into a program in order to profit from the outcome. For example, a false instruction to make payments to a bogus company
Computer crime can take the form of unauthorised use or access to information systems, or the modification of programs to benefit the fraudster. Techniques include:
Piggybacking, which involves tapping into communication lines and riding into a system behind a legitimate user with a password
Data Diddling, which entails swapping one piece of data for another
Computer crime can also take the form of hacking, sabotage and blackmail. Hacking or computer burgling involves breaking into other people's systems for fun or with the intent to blackmail or commit sabotage. Techniques include:
Scavenging for stray data or garbage for clues that might unlock the secrets of a system
Zapping, which means penetrating a computer by unlocking the master key to its program and then destroying it by activating its own emergency program
Worms or worm programs entail the deletion of portions of a computer's memory, thus creating a hole of missing information
Time bombs or Logic bombs, which involve the insertion of routines that can be triggered later by the computer's clock or a combination of events. When the bomb goes off, the entire system, perhaps worth millions, will crash
Viruses are self-replicating programs which can have a similar effect to Time or Logic bombs
Computer crime that takes the form of unauthorised use or access to information systems or the modification of programs to benefit the fraudster is covered under the (UK) Computer Misuse Act, 1990. The Act introduces three new criminal offences:
Unauthorised access to computer material. Described as simple hacking - that is, using a computer without permission. This now carries a penalty of up to six months in prison or a £2000 fine, and is tried in a Magistrates' Court
Unauthorised access to computer material with the intent to commit or facilitate the commission of further offences. This section of the Act covers actions such as attempting to use the contents of an email message for blackmail. This is viewed as a more serious offence; the penalty is up to five years' imprisonment and an unlimited fine
Unauthorised modification of computer material. This section of the Act covers distributing a computer virus, or malicious deletion of files, as well as direct actions such as altering an account to obtain fraudulent credit
The latter two offences are tried before a jury. The Act also includes the offences of conspiracy to commit and incitement to commit the three main offences. This aspect of the Act makes even discussion of specific actions which are in breach of the main sections questionable practice. It is sufficient to be associated with an offender in planning the action, or to suggest carrying out an action which is illegal under the Act, to be in a position to be charged.
A more comprehensive overview of the Act can be found at
the following website: http://www.ja.net/CERT/JANET-CERT/law/cma.html
Considering Section 1 of the Theft Act, 1968, theft is committed if a person dishonestly appropriates property belonging to another with the intention of permanently depriving the other of it. Jennifer Davies cites the example of using a forged cash card to obtain cash from an ATM, so that the money has been stolen from someone's account. Theft is punishable by up to 10 years in prison.
However, the culprit could be charged under Section 15(1) of the Theft Act, 1968:
A person who by any deception dishonestly obtains property belonging to another, with the intention of permanently depriving the other of it, shall on conviction on indictment be liable to imprisonment.
However, until recently, in law deceit could only be practised against the human mind and not against a machine, and that is still the case in relation to the Theft Act, 1968. The Law Commission has concluded that there is a need to amend the law with regard to fraud.
In addition, hackers could have been charged under Section
13 of the Theft Act, 1968, stealing electricity. However, the charge was
artificial as the quantity of electricity involved was so small and indeed may
not have been measurable.
In a review of the major British studies of computer crime, researchers found that the vast majority (80 percent) of crimes involving computers were carried out by employees rather than outsiders.
Of all computer crimes committed:
25 percent were carried out by managers or supervisors
24 percent by computer staff
31 percent by lowly clerks and cashiers who had little in the way of technical skills
Moreover, nearly all computer criminals were first time offenders who were, according to researchers, motivated by greed, pressing financial worries and other personal problems such as alcohol or drug dependency.
There is a commonly held view that the typical computer criminal is something of a whiz kid, with highly developed computing skills and a compulsive desire to beat the system. But researchers showed that the substance for this image is absent:
Not many crimes demonstrate high technical ingenuity on the part of the perpetrator. Most exhibit an opportunistic exploitation of an inherent weakness in the computer system being used. Most computer criminals tend to be relatively honest and in a position of trust; few would do anything to harm another human, and most do not consider their crime to be truly dishonest.
The theft of computer time, usually in the form of unauthorised use of an employer's computer, is a grey area in which there are no easy answers. Unauthorised use is technically theft of processing and storage power, yet most employers turn a blind eye to employees using the company's computers in moderation for such purposes as preparing individual tax returns or doing the mailing list for the local church (Forestor and Morrison, 1990).
Using company computers for financial gain such as private
consulting work is clearly unethical, unless the employee's employment contract,
for example, with a university, specifically allows it. Sacking for this kind of
computer abuse is not unheard of, although managers usually tread warily for
fear of destroying staff morale. Generally, such behaviour should be dealt with
by internal disciplinary procedures, not the criminal law.
Jay Bloombecker (in Forestor and Morrison, 1990) has described motivations that can lie behind computer crimes. More often than not computer criminals see the computer environment as:
A kind of playpen for their own enjoyment
A land of opportunity where crime is easy
A cookie jar which readily solves pressing financial or personal problems
A soapbox for political expression
A fairyland of unreality
A toolbox for tackling new crimes or modernising traditional crimes
A magic wand that can be made to do anything
A battle zone between management and alienated employees, the crime often taking the form of sabotage
This latter perspective is supported by a US survey which found, for instance, that 63 percent of accountants and 75 percent of computer professionals steal because:
They feel frustrated or dissatisfied about some aspect of their job. This could be an accurate reflection of the lack of autonomy, minimal job variety and poor management communications often endemic to computer work.
Others have surmised that:
The intellectual challenge of fooling a system plays an important role in motivating individuals to commit computer crime
Computer crime involves very little physical risk, as opposed to a bank hold up
Computer crimes can be committed alone, without talkative associates, thus further reducing the risk of detection
As in Bloombecker's notion of fairyland, computer crimes can often appear not to be criminal acts: shuffling numbers around in a remote and abstract way is not quite the same as handling gold bars or huge piles of paper money
There are two main reasons why many experts believe that the amount of computer crime is much greater than we currently estimate:
It is clear that many crimes go completely undetected because so many are discovered by accident and because so many are, by their very nature, simply very hard to detect
Very few computer frauds are made public because companies, especially banks and other financial institutions, are loath to admit that their security systems are fallible. Publicity of this nature is disastrous for public relations and it could lead to the loss of customer confidence, so they prefer to cover matters up
Commentators list some reasons why non-reporting of computer crime is so widespread (Forestor and Morrison, 1990):
There is very little benefit for the victim. The law is unlikely to be able to undo the damage caused and the criminal is unlikely to be convicted. In addition, much staff time is likely to be tied up assembling evidence (if it can be collected at all), and wider knowledge of the crime is likely to harm the future prospects of the victim organisation.
What is therefore clear is that nobody is very sure about
the true extent of computer crime, but most analysts who have researched the
problem believe it is large and growing. Data crime deserves to be as much a
social issue as more traditional areas of law and order such as crimes against
the person, crimes against property and the maintenance of public peace.
Walsh argues that many of these will be aided or carried out by staff:
estimates of the number of computer crimes carried out by insiders range from
60% to 80%.
Thom Mrozek, Public Affairs Officer at the US Department of Justice describes a computer crime case (2002):
A San Dimas man pleaded guilty this afternoon to illegally accessing the computer system of his former employer and reading the e-mail messages of company executives for the purpose of gaining a commercial advantage at his new job at a competitor. Richard Glenn Dopps, 35, pleaded guilty to one felony count of obtaining information from a protected computer. Until February 2001, Dopps was employed by The Bergman Companies (TBC), a contracting firm based in Chino. After leaving TBC to go work for a competitor, Dopps used his Internet connection to gain access to TBC's computer systems on more than 20 occasions. Once Dopps was inside the TBC systems, he read e-mail messages of TBC executives to stay informed of TBC's ongoing business and to obtain a commercial advantage for his new employer. Dopps' unauthorized access into TBC's computer system caused approximately $21,636 in damages and costs to TBC. Dopps is currently on bond pending his sentencing hearing before United States District Judge Margaret M. Morrow on December 2. At sentencing Dopps faces a maximum sentence of five years in prison and a $250,000 fine.
The case was investigated by the Federal Bureau of Investigation.
A list of press releases from recently prosecuted computer
crime cases can be found at the Computer
Crime and Intellectual Property Section of the Criminal Division of the US
Department of Justice: Computer Intrusion Cases website
A costly problem that plagues corporations and on-line vendors arises when culprits steal passwords and use bogus identifiers to make fraudulent purchases. Although most e-commerce sites are secured adequately, there have been numerous security lapses, which have sometimes put sensitive consumer data at risk.
Richard Spinello argues that if vendors are to achieve a basic level of security for commercial Web sites, they must address two problems (Spinello, 2000):
Securing the Web server and the files that it contains
Guaranteeing the integrity of the information that travels between Web server and the end user. This includes user names, passwords, credit card numbers, and so forth
All sensitive information must be protected adequately from the risk of being intercepted by hackers and computer criminals.
Securing the Web server itself can usually be accomplished by using standard computer security techniques, such as authentication mechanisms and intrusion protection devices. Gatekeepers and digital locks can also secure networks on which these servers reside.
The more complicated problem is securing information in transit between the server and the end user. The only sure way to secure this data is through encryption: encoding the transmitted information so that only an authorised recipient, holding the proper key that decodes the information, can read it. Protocols such as the SET (Secure Electronic Transaction) standard are used to encrypt credit card information being transmitted over the Internet. An alternative protocol is Netscape's Secure Sockets Layer (SSL), which automatically encrypts information sent to Web sites and then decrypts it before the recipient reads it.
The best way to verify identity is via the use of digital signatures. This technology also relies on the use of encryption keys to encode and decode a message. In this case, a private key is used to sign one's signature to some message or piece of data and a public key is used to verify a signature after it has been sent. The public key might be published in a directory or otherwise made available to other users. Spinello presents a scenario to best describe the functioning of digital signatures:
Assume that John and Mary are exchanging e-mail, and Mary wants to verify John's identity. Mary can send John a letter with a random number, requesting that he digitally sign that number and send it back. John receives the letter, and digitally signs the random number with his private key. When the letter is sent back to Mary, she verifies that signature with her copy of John's public key. If the signature matches, she knows that she is communicating with John, assuming that John has been careful with his private key.
These digital signatures will undoubtedly play a major role
in preventing impersonation during e-commerce transactions.
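The John and Mary exchange above, written out as an added example (not code from the original notes or from Spinello): Mary issues a fresh random challenge, John signs it with his private key, and Mary checks the signature with her copy of John's public key. The block uses Ed25519 from Go's standard library as an assumed choice of signature scheme; the names John, Mary and "imposter" are the scenario's, and the key pairs are generated on the spot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// NewChallenge is Mary's step: a random number that John must sign. It comes
// from a cryptographic RNG so an earlier reply cannot be replayed against it.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// SignChallenge is John's step: sign the random number with his private key.
func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// VerifyChallenge is Mary's check: the returned signature must verify under
// John's public key over exactly the challenge she sent, nothing else.
func VerifyChallenge(pub ed25519.PublicKey, challenge, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	// Assumed: Mary already holds an authentic copy of johnPub (from a directory).
	johnPub, johnPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, imposterPriv, _ := ed25519.GenerateKey(rand.Reader)

	challenge, _ := NewChallenge()
	fmt.Println("challenge sent by Mary:", hex.EncodeToString(challenge))

	// Genuine John: signature verifies.
	sig := SignChallenge(johnPriv, challenge)
	fmt.Println("John's signature verifies:", VerifyChallenge(johnPub, challenge, sig))

	// Someone without John's private key cannot produce a valid signature.
	badSig := SignChallenge(imposterPriv, challenge)
	fmt.Println("imposter's signature verifies:", VerifyChallenge(johnPub, challenge, badSig))

	// A signature captured from an earlier round fails on a new challenge.
	next, _ := NewChallenge()
	fmt.Println("old signature on new challenge verifies:", VerifyChallenge(johnPub, next, sig))
}
```

The last two checks are why the number must be random and fresh each time: a fixed or predictable challenge would let a captured signature be replayed.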
Access control software closes password loopholes. This software restricts users, individually identified by password and codes, to only those files they are authorised to use. Even then, the software permits the users to perform only authorised functions, such as appending or deleting information, and they can no longer browse through parts of the system which they are not entitled to enter. One obvious and major limitation with access control software, however, is that it does not protect the company against frauds committed by employees while going about their legitimate tasks, and as illustrated above, a high proportion of computer crimes occurs this way.
Many companies have installed dial back or black box systems to protect their assets. When a user dials into a computer, a black box intercepts the call and demands a password. The unit then disconnects the call, looks up the password in the directory and calls the user back at his / her listed telephone number: fraudsters dialing from another telephone number will be screened out. A large mainframe may have hundreds of ports of entry from remote stations and each one has to be protected by these units.
Scrambling devices and encryption software are additional
methods which scramble messages for transmission so that only the legitimate
recipient can decode and understand them. Anyone tapping into, for example, a
bank's communication line or eavesdropping on the electromagnetic waves emitted
from a computer or piece of electronic equipment will pick up only the scrambled
message. Encryption devices in the form of DSPs (Digital Signal Processors) are
being used increasingly to scramble voice and data messages over telephone
networks. Voice encryption is obviously vital in the military and security
A firewall consists of hardware and / or software designed to insulate an organisation's internal network from the Internet. Firewall software gives access only to trusted Internet addresses and scrutinises data for irregularities or signs of danger. Ideally firewalls are configured so that all connections to an internal network go through relatively few well-monitored locations. Firewalls can sometimes be used to protect the Web server, but most companies set up public Web sites outside the firewall to make them more easily accessible to those trying to buy their products.
Forum is a web forum for discussing Firewall and computer security issues
Another weapon in the fight against computer crime is biometrics, or the digitising of biological characteristics. These include:
The veins of the back of the hand
The pattern of blood vessels in the retina
These scanning devices are now being used to control access
to computer rooms, bank vaults and military bases.
Audit control software packages are also available which can monitor transactions or the use of a computer. These enable auditors to trace and identify any operator who gains access to the system and when this occurred, such as after-hours. Audits can also highlight any abnormal number of correction entries, which often indicates the trial-and-error approach of fraudulent activity.
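The two audit checks just described, tracing who gained access and when (such as after-hours) and spotting an abnormal number of correction entries, as an added example in Go; this is not any product's code. The audit-line format, the 08:00 to 18:00 working day, the operator names and the sample records are all constructed for the illustration, and the correction threshold is a tuning value an auditor would set per system.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Entry is one parsed audit record: who did what, and when.
type Entry struct {
	When     time.Time
	Operator string
	Action   string
}

// Findings is what an auditor would want to trace from the log.
type Findings struct {
	AfterHours  []string       // "operator@time" for each after-hours login
	Corrections map[string]int // correction entries per operator
	Suspicious  []string       // operators over the correction threshold
}

// ParseLine reads the constructed format "<RFC3339 time> <operator> <action>".
func ParseLine(line string) (Entry, error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return Entry{}, fmt.Errorf("malformed audit line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Entry{}, err
	}
	return Entry{When: ts, Operator: f[1], Action: f[2]}, nil
}

// afterHours treats weekends and anything outside 08:00-18:00 as after-hours.
func afterHours(t time.Time) bool {
	if wd := t.Weekday(); wd == time.Saturday || wd == time.Sunday {
		return true
	}
	return t.Hour() < 8 || t.Hour() >= 18
}

// Analyse runs both checks over the log; threshold is the number of
// correction entries above which an operator is flagged.
func Analyse(lines []string, threshold int) (Findings, error) {
	out := Findings{Corrections: map[string]int{}}
	for _, l := range lines {
		e, err := ParseLine(l)
		if err != nil {
			return out, err
		}
		if e.Action == "login" && afterHours(e.When) {
			out.AfterHours = append(out.AfterHours, e.Operator+"@"+e.When.Format(time.RFC3339))
		}
		if e.Action == "correction" {
			out.Corrections[e.Operator]++
		}
	}
	for op, n := range out.Corrections {
		if n > threshold {
			out.Suspicious = append(out.Suspicious, op)
		}
	}
	sort.Strings(out.Suspicious) // deterministic order for reporting
	return out, nil
}

// SampleLog is a constructed audit trail, not taken from any real system.
var SampleLog = []string{
	"2002-09-17T09:02:11Z clerk01 login",
	"2002-09-17T09:15:40Z clerk01 correction",
	"2002-09-17T22:41:05Z clerk02 login", // after hours
	"2002-09-17T22:42:10Z clerk02 correction",
	"2002-09-17T22:43:02Z clerk02 correction",
	"2002-09-17T22:44:30Z clerk02 correction",
	"2002-09-17T22:45:55Z clerk02 correction",
	"2002-09-21T10:00:00Z mgr01 login", // Saturday
}

func main() {
	f, err := Analyse(SampleLog, 3)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("after-hours logins:", f.AfterHours)
	fmt.Println("corrections per operator:", f.Corrections)
	fmt.Println("operators over threshold:", f.Suspicious)
}
```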
Computers are also being used increasingly in the fight
against crime, both conventional crime and computer based crime. UK-developed
software enables a computer to browse through vast amounts of financial data
looking for possible connections which might indicate insider trading or foreign
exchange fraud. A similar system is at work at the New York Stock Exchange.
James Mackintosh (1997) details swindles that have appeared on the Internet. Although these are centuries old, they have found a new lease of life on the World Wide Web and are duping a new breed of innocents.
The most common offer is only one step up from a chain letter, suggesting sending £1 to each of the names listed and adding your name to the end of the list. Such inducements often contain accounts of how a fiver was turned into thousands within weeks - but don't believe it.
There are hundreds of variants of the pyramid scheme, but
common to all: the victim gets income mainly by recruiting new members. Such
schemes are doomed to failure when the supply of new members dries up. The US
Federal Trade Commission highlighted the prevalence of these schemes by identifying
more than 500 possible pyramid frauds when surfing the Internet in a 24 hour
This swindle often induces investors by guaranteeing 200-600 percent annual returns - risk free. However, Mackintosh warns
Many of the supposed investments are either grossly overstated or simply do not exist.
Other examples that would-be investors need to be aware of are:
Off-shore investment opportunities claiming to offer access to legal tax evasion, however charging extortionate fees for the service
Prime bank guarantees, although gold mines, eel and shrimp farms are also touted
Mackintosh observes that everyone on the Internet wants to reduce the cost of staying on-line, from page design to service provision, and fraudsters know this. He notes:
Offering apparently cheap services from a well designed site, the crooks demand payment in advance and either disappear immediately or give holding replies before disappearing later.
Mackintosh advises that web users ask for references and make checks before signing up for any service.
Miracle products that claim to give the on-line consumer
free telephone calls, or free satellite decoders are familiar offers that most
on-line users have received at some time. Healthcare products are another
popular offer, many make the unlikely claims of having aphrodisiac powers.
Mackintosh argues that viruses have been common on the Internet for years but highlights a new phenomenon that has emerged, which interacts with Quicken (financial software) and transfers money out of accounts listed on the computer. He concludes that:
With the rise of Internet banking in the UK, this could become a serious problem, so avoid downloading software but, if you must, use a virus checker.
There are several email lists and web sites which offer advice for avoiding on-line fraud. However, a number of fraudulent mailing lists have been created under this guise. Mackintosh advises:
Before sending any money, check with the regulators any advice given on the unknown mailing list. Beware also of giving out personal details.
This week has introduced some of the key issues invoked by Computer Crime. You have seen what Computer Crime is about and why it is important to be aware of it. You have also been given an overview of computer security measures that can help tackle the criminal and fraudulent activities related to computing and e-commerce.
Forestor, T. and Morrison, P. (1990) Computer Ethics: Cautionary Tales and Ethical Dilemmas in Computing. London: MIT Press
Mackintosh, J. (1997) Tricksters Cash In On Electronic Frontier. Financial Times, March 8, 1997
Mrozek, T. (2002) A San Gabriel Valley man pleads guilty to illegally accessing former employer's computers. http://www.cybercrime.gov/doppsPlea.htm <accessed 17th September 2002>
Spinello, R. (2000) Cyber Ethics: Morality and Law in Cyberspace. Jones & Bartlett Publishers
Walsh, A. (2000) Partner In Crime. http://www.bcs.org.uk/publicat/ebull/may2000/article1.htm <accessed 17th September 2002>
1. Visit the Computer Crime and Intellectual Property Section of the Criminal Division of the US Department of Justice: Computer Intrusion Cases website and select a case that pertains to the issue of computer crime. Note the case details, i.e. who are the protagonists in the case and what are their respective actions that have invoked ethical and/or legal issues?
2. For the specific case you have identified above prosecute the main
protagonist by constructing rational arguments based on Ethics, Law and
3. Discuss reasons as to why e-companies should be motivated to implement security techniques. Think of the following obligations (within the context of computer security and personal data):