ATG 383 - Chapter 10 - Fraud
Spring 2002

Many Views of Fraud
• Fraud process
• Kiting and lapping
• Various computer frauds
• Matching controls to frauds

Fraud Process
• Pressure (see Table 10.1)
• Opportunity (see Table 10.2)
• Ability to rationalize

Kiting
Exploiting the check-clearing float: a check drawn on one bank is deposited in another before the first bank learns there are no funds to cover it. (Slide diagram with Bank A, Bank B and Bank C; the diagram itself is not recoverable here.)

Lapping
Concealing the theft of one customer's payment by crediting that customer's account with a later customer's payment, and so on down the line. Daily cash receipts (C.R.) used in the slide's illustration; each row lists the day's individual receipts and their total:

Day    C.R.                                      Total
Mon    300    250    500    700    100    400    2,250
Tue    200    150    500    300    300    900    2,350
Wed    500    350    500    600    200    250    2,400
Thu    200    400    100    700    100    400    1,900
Fri    200    250    500    600    100    150    1,800

Computer Fraud

Summary of Computer Frauds
• Alter input
• False input
• Unauthorized processing
• Modify computer instructions
• Alter, damage, or copy files
• Steal output

Trojan Horse
A destructive program that masquerades as a benign application. It does not replicate itself.
Example: Antigen.exe
• Posed as a virus scanner
• Scanned data files
• Sent private information out as e-mail

Round-down Technique
Truncate interest calculations to whole cents and divert the discarded fractions of a cent to the programmer's account.

Salami Technique
Tiny slices of money stolen over a long period of time.
Example: Hopkins Park, IL
• Personal charges to village-issued credit cards

Trap Door
A way into a system that bypasses the normal access controls.
http://www.bradley.edu/academics/ehs/dean/dean_index.html
http://www.bradley.edu/academics/ehs/dean/

Data Diddling & Leakage
• Data diddling: changing data before, during, or after it has entered the system.
• Data leakage: unauthorized copying of data.

Software Piracy
Copying software without the publisher's permission.
http://www.siia.net/piracy/default.htm
http://www.bsa.org/usa/antipiracy/

Logic / Time Bomb
A program or set of instructions that lies idle until a specified time (time bomb) or condition (logic bomb) triggers it.

Scavenging
Searching corporate records for confidential information.
Example: John Freeman
• Temporary typist working for brokerage firms
• Used inside information for profit
• Full story: www.sec.gov/divisions/enforce/extra/freecomp.htm

Eavesdropping
Listening to private conversations through wiretapping or other means.
Examples
• Intercept e-mail
• Plant a listening device
http://www.greatsouthernsecurity.com/instruc.htm

E-mail Bombs
Overload an ISP's e-mail server with messages. The same idea applied to a web site (flooding it with requests) is a denial-of-service attack.
Examples (the February 2000 denial-of-service attacks)
• Yahoo
• eBay
• Amazon.com

Computer Virus
A computer program that replicates itself and carries out some predetermined mission.
http://www.DataFellows.com/virus-info/v-pics/

Matching Controls to Frauds

Controls related to multiple frauds
• Proper hiring and firing practices.
• Managing disgruntled employees.
• Train employees in security and fraud prevention.
• Develop strong internal controls.
• Segregation of duties.
• Required vacations and job rotation.

Controls related to multiple frauds (continued)
• Monitor hacker information.
• Conduct frequent audits.
• Use a computer security officer.
• Use computer consultants.
• Use forensic accountants.
• Maintain adequate insurance.
• Develop a contingency plan for fraud occurrences.

Alter Input & False Input
• Use fraud detection software.
• Various input controls discussed in Chapter 9.

Unauthorized Processing
• Restrict access to computer equipment and data files.
• Protect the system from viruses.
• Monitor system activities.
• Use software to monitor system activity and recover from fraud.

Modify Computer Instructions
• Restrict access to computer equipment and data files.
• Monitor system activities.
• Store backup copies of program and data files in a secure off-site location.
• Use software to monitor system activity and recover from fraud.
• Protect the system from viruses.

Alter, Damage, or Copy Files
• Manage and track software licenses.
• Require signed confidentiality agreements.
• Restrict access to computer equipment and data files.
• Encrypt data and programs.
• Control sensitive data.
• Control laptop computers.
• Monitor system activities.
• Store backup copies of program and data files in a secure off-site location.
• Use software to monitor system activity and recover from fraud.

Steal Output
• Require signed confidentiality agreements.
• Encrypt data and programs.
• Protect phone lines.
• Control sensitive data.
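Worked example (added here; not from the slides or the textbook): the lapping scheme played out over the daily receipts in the Lapping table above, together with the detail-level check that catches it. The six customer names, the theft of Monday's first receipt and the clerk's posting rule are assumptions made for the example. It shows why the segregation-of-duties and audit controls listed above matter: every dollar the clerk does deposit is also posted somewhere, so daily deposits tie to daily postings and a totals-only reconciliation passes all week; only comparing what each customer paid with what was credited to that customer (customer confirmations or remittance advices handled by someone other than the clerk) exposes the rolling shortfall, which always equals the amount stolen.

```python
"""Lapping: simulation and a detail-level detection check.

Added example; not part of the ATG 383 slides. The daily receipts are the
C.R. figures from the Lapping table; the six customer names, the Monday
theft and the clerk's posting rule are constructed assumptions.
"""
from collections import OrderedDict

CUSTOMERS = ["Adams", "Baker", "Chen", "Diaz", "Evans", "Ford"]   # constructed
DAILY_RECEIPTS = {                                                 # slide's C.R. rows
    "Mon": [300, 250, 500, 700, 100, 400],
    "Tue": [200, 150, 500, 300, 300, 900],
    "Wed": [500, 350, 500, 600, 200, 250],
    "Thu": [200, 400, 100, 700, 100, 400],
    "Fri": [200, 250, 500, 600, 100, 150],
}


def remittances():
    """What customers actually paid, as (day, customer, amount) tuples."""
    return [(day, cust, amt)
            for day, amounts in DAILY_RECEIPTS.items()
            for cust, amt in zip(CUSTOMERS, amounts)]


def honest_postings(rems):
    """Every remittance credited to the customer who sent it."""
    return list(rems)


def lapped_postings(rems, stolen):
    """Simulate a clerk who pockets the remittance identified by
    stolen=(day, customer) and thereafter credits each later payment to the
    oldest account that is still short, so no customer is ever dunned.
    Returns (postings, deposits_by_day, open_shortfalls)."""
    postings, deposits = [], {day: 0 for day in DAILY_RECEIPTS}
    short = OrderedDict()            # customer -> amount their account is still owed
    for day, cust, amt in rems:
        if (day, cust) == stolen:
            short[cust] = amt        # cash pocketed: neither deposited nor posted
            continue
        deposits[day] += amt         # everything else is banked, so deposits tie to postings
        remaining = amt
        while remaining and short:   # cover the oldest hole first
            victim, owed = next(iter(short.items()))
            applied = min(owed, remaining)
            postings.append((day, victim, applied))
            remaining -= applied
            if applied == owed:
                del short[victim]
            else:
                short[victim] = owed - applied
        if remaining:
            postings.append((day, cust, remaining))
        diverted = amt - remaining
        if diverted:                 # the payer now carries the hole
            short[cust] = short.get(cust, 0) + diverted
    return postings, deposits, dict(short)


def totals_by_day(entries):
    """Daily totals, as a book-to-bank reconciliation would compute them."""
    out = {}
    for day, _cust, amt in entries:
        out[day] = out.get(day, 0) + amt
    return out


def detect_lapping(rems, postings):
    """Detail check an auditor runs from customer confirmations or remittance
    advices: for each (day, customer), what was paid vs. what was credited.
    Returns {(day, customer): (paid, credited)} for every mismatch."""
    paid, credited = {}, {}
    for day, cust, amt in rems:
        paid[(day, cust)] = paid.get((day, cust), 0) + amt
    for day, cust, amt in postings:
        credited[(day, cust)] = credited.get((day, cust), 0) + amt
    keys = set(paid) | set(credited)
    return {k: (paid.get(k, 0), credited.get(k, 0))
            for k in sorted(keys) if paid.get(k, 0) != credited.get(k, 0)}


if __name__ == "__main__":
    rems = remittances()
    postings, deposits, short = lapped_postings(rems, ("Mon", "Adams"))
    print("deposits tie to postings every day:", deposits == totals_by_day(postings))
    print("open shortfall:", short, "total", sum(short.values()))
    for (day, cust), (paid, cred) in detect_lapping(rems, postings).items():
        print(f"{day} {cust:6} paid {paid:4} credited {cred:4}")
```

The greedy posting rule keeps the total open shortfall fixed at the stolen amount while moving it from account to account, which is why lapping can run for months under a clerk who both handles the cash and posts the ledger; the detail comparison breaks as soon as someone independent of the clerk can see what customers actually paid.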
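Worked example (added here; not from the slides): the round-down technique described above written as an interest-posting routine beside an honest one, with two of the controls from the lists above applied to its output. The account numbers, balances, the monthly rate and the programmer's account number 9999 are constructed for the example. The point it makes: the truncated fractions add up to exactly what the programmer's account receives, so total interest posted still agrees with total interest computed to the cent and a totals-only reconciliation passes; a detail audit that recomputes each account's interest from the balance file flags both the accounts that are a cent short and the interest credited to an account that has no balance to earn it.

```python
"""Round-down (salami) interest fraud and the control that catches it.

Added example; not part of the ATG 383 slides. Account numbers, balances,
the monthly rate and the programmer's account "9999" are constructed.
"""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")
RATE = Decimal("0.005")                     # constructed monthly rate (0.5 %)
BALANCES = {                                # constructed customer balances
    "1001": Decimal("1234.56"),
    "1002": Decimal("8765.43"),
    "1003": Decimal("100.99"),
    "1004": Decimal("5555.55"),
    "1005": Decimal("99999.99"),
}
PROGRAMMER_ACCT = "9999"                    # constructed: not in the balance file


def post_interest(balances, rate):
    """Honest routine: each account gets its interest rounded to the nearest cent."""
    return {acct: (bal * rate).quantize(CENT, rounding=ROUND_HALF_EVEN)
            for acct, bal in balances.items()}


def post_interest_rounddown(balances, rate, skim_to=PROGRAMMER_ACCT):
    """The fraud: interest is truncated (rounded down) to whole cents and the
    discarded fractions are accumulated and credited to the programmer's
    account. Each customer is short by less than a cent, so nobody complains."""
    posted, skim = {}, Decimal("0")
    for acct, bal in balances.items():
        exact = bal * rate
        truncated = exact.quantize(CENT, rounding=ROUND_DOWN)
        posted[acct] = truncated
        skim += exact - truncated
    posted[skim_to] = skim.quantize(CENT, rounding=ROUND_DOWN)
    return posted


def totals_reconcile(posted, balances, rate):
    """Totals-only control: posted interest agrees (within a cent) with the
    exact interest computed independently from the balance file.
    It passes for the fraud as well, which is why it is not enough."""
    exact_total = sum(bal * rate for bal in balances.values())
    return abs(sum(posted.values()) - exact_total) <= CENT


def audit_interest(balances, rate, posted):
    """Detail control: recompute every account's interest from the balance
    file and flag (a) any credit to an account with no balance basis and
    (b) any posted amount off by a cent or more from the recomputation."""
    expected = post_interest(balances, rate)
    findings = []
    for acct, amount in posted.items():
        if acct not in expected:
            findings.append((acct, "interest credited to account with no balance"))
        elif abs(amount - expected[acct]) >= CENT:
            findings.append((acct, f"posted {amount}, expected {expected[acct]}"))
    return findings


if __name__ == "__main__":
    honest = post_interest(BALANCES, RATE)
    fraud = post_interest_rounddown(BALANCES, RATE)
    print("totals reconcile (honest):", totals_reconcile(honest, BALANCES, RATE))
    print("totals reconcile (fraud): ", totals_reconcile(fraud, BALANCES, RATE))
    print("skimmed to", PROGRAMMER_ACCT, ":", fraud[PROGRAMMER_ACCT])
    for finding in audit_interest(BALANCES, RATE, fraud):
        print("flag", finding)
```

With five accounts the skim is three cents; the technique pays only at scale (hundreds of thousands of accounts, every posting cycle), which is exactly why the page lists restricting access to program files, off-site copies for comparison, and frequent audits as the controls against modified computer instructions rather than relying on customers to notice.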