Computer Crime 

This lecture was produced several years ago by Kathy Hansen, a CIS instructor here at Shasta College. While most of what she says is still accurate, what's the biggest concern today . . . yes, identity theft.

Ways to keep from being a victim of computer crime include passwords, current anti-virus software, and backups in case a virus has wiped you out or you must format your disk to get rid of a deadly virus.  Additionally if you would like to avoid harassment for casual on-line activities, you can establish a free e-mail account at Yahoo or HotMail under an alias.  This can be a disposable identity.  If someone harasses or stalks you, simply close that account and adopt a new alias.  

There are two types of Computer Crime committed—maliciousness and financial gain.  Computer crimes usually: 

  1. Are clever
  2. Involve large amounts.
    1. $3,200—average bank robbery
    2. $23,500—average bank fraud
    3. Half million to $600,000—average computer crime.
  3. Possess a fascination with “beating the system.”  White-collar crime—no one physically hurt.
  4. Have a connotation of “Robinhood complex”—taking from the rich and giving to the poor. 

 

Computer crimes are aggravated by the rapid growth in numbers of PCs and the increased access through communications.  The very fact that there are so many PCs now, makes item number 4 (Robinhood complex) almost outdated.  We feel computer crime more personally now that we are closely acquainted with our own computers.  Ten to fifteen years ago, it was still (for the majority of people) the “us and them” feeling.  Big corporations with BIG computers—so, “they’re rich, they can afford to lose the bucks.”  But whom did it really hurt in the long run?  Of course, it was you, the consumer.  That large corporation just raised your prices to cover the losses.  But, this Robinhood complex was one of the reasons it was very difficult to prosecute computer criminals.  Now that more individuals have computers, laws are being enacted and enforced to convict the computer criminal.

 

The profile of the computer criminal/crime is typically: 

  1. Young, fascinated with “beating the system.
  2. In a high trust position.
  3. No previous records
  4. Provides a challenge, but may be relatively easy to accomplish.
  5. Risk is fairly low. 

 

In years past, it was very difficult to prosecute for a computer crime.  First of all, a computer crime is very difficult to discover and is usually discovered by accident.  Then, when crimes are discovered, they are often NOT reported due to the black mark on a company name and compromising the company’s credibility.  In the not too distant past, computers were a new technology and computer crime was new to the courts, so there was no precedence set.  Attempts to make new Federal laws against computer criminals more often than not ended up being a law to protect the individual.  A few examples of these were:  Fair Credit Reporting Act of 1970 (protects against incorrect credit data), Freedom of Information Act (allowed individuals to access federal files), Privacy Act of 1974 (limited use of government data).  You can see from these trends that there was more concern over losing privacy due to large data banks than prosecuting the computer criminal.   It was not until the 1986 Computer Fraud and Abuse Act was passed that there was any firm Federal law against computer crime.  With this law it has become a misdemeanor just to access areas without having the authority.  And it is a fraud to access an area and make changes.  The penalty for fraud can be a fine and imprisonment.  There are harsher penalties now for computer crime.  The hackers that broke into the Bell South Laboratories received 21 months in jail as well as a $230,000 fine.  Up until tougher laws were made, hackers considered it great fun to get into a corporation’s computer and change all the passwords.  Great fun for them, but this could bankrupt a business if they were unable to access their own information, or it would at least cost a lot of man-hours to rectify the situation. 

 

I have a great article written by an ex-FBI man who now concentrates on computer crime.  I will just take short quotes from this article. 

 

“Last year, a financial institution here fired 20 employees in the first 10 months of the year for using the company computer system to steal money.  When asked why criminal charges had not been brought against the employees, the company said, we’ve handled it within.” 

  The reasons for not reporting crimes are the one mentioned above about protecting the company’s credibility and also the fact that companies dislike releasing sensitive information to the police.

Such secrecy is one of the reasons why more money does not go into developing computer crime expertise in police departments.  If businesses aren’t reporting the crimes, it is hard to justify spending money on training.  Law enforcement really needs full cooperation from a business reporting a computer crime.  FBI statistics revealed some bad news.  Only 1% of computer crimes are even detected, and of that number only 12% are reported to police departments.  Only 3% of the reported computer crimes end in conviction.  This means there is one chance in 27,000 that a computer criminal will go to jail. 

That last clip in no way means I am suggesting that you commit a computer crime because the risk is so low.  The risk is no longer so low (that article is about 10 years old), punishment is more severe, and successful prosecutions are on the rise.  Besides, no amount of money is worth not being able to get a good night’s sleep, being afraid every time someone knocks that your theft has been discovered, or KNOWING they are coming to get you every time you see that police car coming your way. 

There are several popular methods of computer crime. Data Diddling, Trojan Horse, Salami Method, and Time/Logic bombs.  An example of data diddling would simply be changing a line of data being processed by a computer.  This could mean assigning a large hourly pay increase to your salary data or even adding an extra employee record.  This would be especially unnoticeable in a large corporation with thousands of employees.  The salary program could even electronically deposit the “new person’s” salary to his/her checking account.  

The Trojan Horse method is including some lines of code in someone else’s program.  That’s the reason for it being called a Trojan Horse—the code is hidden in a program that may have thousands of lines of code.  This is also the method used for many viruses.  

The Salami Method is taking a tiny slice from millions of accounts.  For instance, when you receive your bank statement, do you REALLY know the bank has computed your interest correctly to the penny?  How can you, when it is compounded daily and often on a varying balance.  This is where the Salami Method comes in—taking just a small slice off each account every time the interest is compounded.  There was a famous case of this in a Washington Bank.  A young man (bank teller) had opened an account, in which the last name started with two letter Zs.  Then he enclosed some code in the interest program (so yes, this would also be a Trojan Horse) that would take a small slice off every account and place it in the LAST account.  Found by accident, of course, when the bank ran a “Trip to Hawaii” promotion for the account that had the most deposits over a period of time.  

The time bomb or the logic bomb would be code in a program (again, Trojan) that would execute on a specific date or when the data in a field changed (terminated?).  This method is often employed by disgruntled employees to cause destruction after they are gone or have been terminated.  Also used for viruses.  An example is the Michelangelo virus that was set to react on his March birthday. 

I just have to share one more example of computer crime discovered by accident.  A bunch of insurance employees in New Jersey decided they were going to data diddle—enter false claims into the computer as data records.The reason they were discovered was because they did such a good job.  A police officer got suspicious when one of the employees’ cars was impounded for illegal parking, and there were so many un-cashed checks in the back seat.  

Just a couple of more asides that are quite interesting.  A part-time college student used his touch-tone phone and personal computer to fool Pacific Telephone’s computer into ordering phone equipment to be delivered to him.  He started a business, hired several employees, and pilfered about a million dollars’ worth of equipment before he was turned in by a disgruntled employee.  (After serving two months in jail, he became a computer security consultant.) 

This happens quite often—being hired as a consultant after the theft is discovered.  A New York man that had a method of stealing money from ATM accounts was REALLY upset that the banks prosecuted him when he was caught.  He had really only done it so they would hire him to help with their security, since he knew how to breach it. 

Clerks in an upscale department store erased the accounts of major customers by listing those customers as bankrupt (data diddling).  The customers paid the clerks 10 percent of the $33 million they saved by not having to repay their debts.  Since the “bankruptcies” were listed only in the store’s computers, they didn’t hurt customers’ credit ratings.  

It is unbelievable to me that there are enough dishonest people in the world that fraudulent schemes can be set up that involve multiple individuals!  I guess naïve people prefer believing that the majority of the people in the world are honest.  Now didn’t I tell you this TOPIC was sometimes distressing, but fascinating?