Thursday 15 December 2011

Computer Crime

Learning Outcomes

At the end of this week you will be able to:
Define computer crime
List the forms of computer crime
Apply the Data Protection Acts 1984 and 1998, the Computer Misuse Act 1990 and the Theft Act 1968 to cases of computer crime
Describe the profile of a typical computer criminal
Explain the motivations that lie behind computer crimes
Describe why the amount of computer crime is far greater than commentators think
List the emerging threats in computer crime
List the methods for securing electronic commerce
Describe the types of scams on the Internet

Introduction

According to Jennifer Davies there are three conditions that a form of behaviour must meet before it warrants being made a criminal offence:

1. The behaviour is so serious that it goes beyond what can be dealt with by compensation, and regulating it is in the public interest, i.e. it is a crime against society.

2. The behaviour is of a kind where any sanction less than a criminal one would be ineffective, impracticable or insufficient. The use of criminal sanctions helps to maintain public respect for the law.

3. It must be practicable to enforce the offence.

The other branch of the law is civil law, where an action is brought by one or more legal persons (the plaintiff) against another (the defendant). More often than not it is a claim for damages. Jennifer Davies notes that the standard of proof is lower in a civil case (the balance of probabilities) than in a criminal one (beyond reasonable doubt).

A Definition of Computer Crime

Computer crime, or cyber crime, refers to any crime that involves a computer and a network. The computer may have been used in the commission of the crime, or it may be the target; crimes facilitated by computer networks, and cyber terrorism in general, fall under the same heading. Computer crime has been defined broadly as a criminal act committed using a computer as the principal tool. Some have also drawn a distinction between computer related fraud and computer assisted fraud: in the former the computer is purely coincidental, in the latter it is used to commit the fraud. Others have argued that a genuine computer fraud is one which would not take place without the use of a computer. If we accept this tight definition, then real computer fraud needs computer expertise and greater skill to perpetrate than computer assisted and computer related frauds do. But when most people talk about computer crime, they are usually referring to the fact that a computer has been the object, subject or instrument of a crime.

Forms of Computer Crime

Computer crime can take the form of:
the theft of money, for example, the transfer of payments to the wrong accounts
the theft of information, for example, by tapping into data transmission lines or databases at no cost
the theft of goods by their diversion to the wrong destination
the theft of computer time, for example, use of an employer's computer resources for personal work

Two techniques of computer theft are:

1. The Salami, which involves spreading the haul over a large number of transactions, like slices of salami. For example, a bank clerk might shave a trivial sum off many customer accounts to make up a large sum in his or her own account

2. The Trojan Horse, which involves the insertion of false instructions into a program in order to profit from the outcome. For example, a false instruction to make payments to a bogus company

Computer crime can take the form of unauthorised use or access to information systems, or the modification of programs to benefit the fraudster. Techniques include:
Piggybacking, which involves tapping into communication lines and riding into a system behind a legitimate user who has already supplied a password
Data Diddling, which entails swapping one piece of data for another

Computer crime can also take the form of hacking, sabotage and blackmail. Hacking or computer burgling involves breaking into other people's systems for fun or with the intent to blackmail or commit sabotage. Techniques include:
Scavenging for stray data or garbage for clues that might unlock the secrets of a system
Zapping, which means penetrating a computer by unlocking the master key to its program and then destroying it by activating its own emergency program
Worms, in the early usage followed here, delete portions of a computer's memory, creating a hole of missing information; in current usage a worm is a self-replicating program that spreads across a network without needing a host program
Time bombs or Logic bombs, which involve the insertion of routines that can be triggered later by the computer's clock or by a combination of events. When the bomb goes off, the entire system, perhaps worth millions, may crash
Viruses are self-replicating programs which can have a similar effect to Time or Logic bombs

1. A Computer Crime Case
A San Gabriel Valley man pleads guilty to illegally accessing his former employer's computers.

Thom Mrozek, Public Affairs Officer at the BD Department of Justice, describes the case (2011).

Case reference: Bergman Companies (BD) v M Glenni Ahmed

Facts and judgment:

A San Dimas man pleaded guilty this afternoon to illegally accessing the computer system of his former employer and reading the e-mail messages of company executives for the purpose of gaining a commercial advantage at his new job with a competitor. Richard Glenni Ahmed, 35, pleaded guilty to one felony count of obtaining information from a protected computer. Until February 2010, Ahmed was employed by The Bergman Companies (Tobacco Business Company, TBC), a contracting firm based in Chino. After leaving TBC to go to work for a competitor, Ahmed used his Internet connection to gain access to TBC's computer systems on more than 20 occasions. Once inside, he read the e-mail messages of TBC's executives to stay informed of TBC's ongoing business and to obtain a commercial advantage for his new employer. Ahmed's unauthorised access to TBC's computer system caused approximately 21,636tk in damages and costs to TBC. Ahmed is currently on bond pending his sentencing hearing before Assistant Judge M. Moniruzzaman on December 2. At sentencing Ahmed faces a maximum of five years in prison and a 250,000tk fine.

2. Legal Remedies
2.1 The Data Protection Act, 1998
· The Act sets out rules for collecting, storing and processing personal data.
· Personal data relates to living, identifiable individuals.
· The Act first became law in 1984 and was replaced by the Data Protection Act 1998.
· It describes:
· The rules that data controllers (people who store and process personal data) must follow.
· The rights of data subjects (the individuals that the data is about).
· The exemptions that exist to the Act.

2.2The Computer Misuse Act, 1990

Computer crime that takes the form of unauthorised use of or access to information systems, or the modification of programs to benefit the fraudster, is covered by the (UK) Computer Misuse Act 1990. The Act introduced three new criminal offences:

1. Unauthorised access to computer material. Described as simple hacking, that is, using a computer without permission. This carried a penalty of up to six months in prison or a £2,000 fine, and was tried in a Magistrates' Court

2. Unauthorised access to computer material with intent to commit or facilitate the commission of further offences. This section of the Act covers actions such as attempting to use the contents of an e-mail message for blackmail. This is viewed as a more serious offence; the penalty is up to five years' imprisonment and an unlimited fine

3. Unauthorised modification of computer material. This section of the Act covers distributing a computer virus or the malicious deletion of files, as well as direct actions such as altering an account to obtain fraudulent credit

The latter two offences are tried before a jury. The Act also covers conspiracy to commit and incitement to commit the three main offences. This aspect of the Act makes even discussion of specific actions which would breach the main sections questionable practice: it is sufficient to be associated with an offender in planning the action, or to suggest carrying out an action which is illegal under the Act, to be in a position to be charged.

The penalties above are those of the 1990 Act as originally passed. The Police and Justice Act 2006 raised the section 1 maximum to two years on indictment, recast section 3 as unauthorised acts with intent to impair the operation of a computer (up to ten years), and added a section 3A offence of making, supplying or obtaining articles for use in computer misuse.

2.3 The Theft Act, 1968

In addition, hackers could in the past be charged under Section 13 of the Theft Act 1968, abstracting electricity. However, the charge was artificial, as the quantity of electricity involved was so small that it may not have been measurable. Computer fraud involves the manipulation of a computer in order dishonestly to obtain money, property or some other advantage, or to cause a loss. The main offences covering computer fraud were theft, obtaining property by deception, false accounting and conspiracy to defraud.

Under Section 1 of the Theft Act 1968, theft is committed if a person dishonestly appropriates property belonging to another with the intention of permanently depriving the other of it. Jennifer Davies cites the example of using a forged cash card to obtain cash from an ATM, so that money has been stolen from someone's account. Theft was punishable by up to 10 years in prison (reduced to seven years by the Criminal Justice Act 1991).

Alternatively, the culprit could be charged under Section 15(1) of the Theft Act 1968:

A person who by any deception dishonestly obtains property belonging to another, with the intention of permanently depriving the other of it, shall on conviction on indictment be liable to imprisonment.

However, in law deceit could only be practised on a human mind and not on a machine, and that remained the position under the Theft Act 1968; it is why the Law Commission concluded that the law of fraud needed amending. The Fraud Act 2006 has since repealed Section 15 and replaced the deception offences with a general offence of fraud, whose "fraud by false representation" limb expressly covers representations submitted to a system or device rather than to a person.

3. Computer Crime
3.1 Who are Computer Criminals?

In a review of the major British studies of computer crime, researchers found that the vast majority (80 percent) of crimes involving computers were carried out by employees rather than outsiders.

Of all computer crimes committed:
25 percent were carried out by managers or supervisors
24 percent by computer staff
31 percent by clerks and cashiers who had little in the way of technical skills

Moreover, nearly all computer criminals were first time offenders who were, according to researchers, motivated by greed, pressing financial worries and other personal problems such as alcohol or drug dependency.

Nowadays juveniles and students are involved in computer offences in many ways, often without realising that what they are doing is a crime.

There is a commonly held view that the typical computer criminal is something of a whiz kid, with highly developed computing skills and a compulsive desire to beat the system. The researchers showed that there is little substance to this image.

3.2 Motivations That Can Lie Behind Computer Crimes

Jay Bloombecker (in Forester and Morrison, 1990) has described the motivations that can lie behind computer crimes. More often than not computer criminals see the computer environment as:

1. A kind of playpen for their own enjoyment

2. A land of opportunity where crime is easy

3. A cookie jar which readily solves pressing financial or personal problems

4. A soapbox for political expression

5. A fairyland of unreality

6. A toolbox for tackling new crimes or modernising traditional crimes

7. A magic wand that can be made to do anything

8. A battle zone between management and alienated employees, the crime often taking the form of sabotage

This latter perspective is supported by a US survey which found that 63 percent of accountants and 75 percent of computer professionals who steal do so because they feel frustrated or dissatisfied about some aspect of their job. This may accurately reflect the lack of autonomy, minimal job variety and poor management communication often endemic to computer work.

Others have surmised that:
The intellectual challenge of fooling a system plays an important role in motivating individuals to commit computer crime
Computer crime involves very little physical risk, as opposed to a bank hold up
That computer crimes can be committed alone, without talkative associates, thus further reducing the risk of detection
As in Bloombecker's notion of fairyland, computer crimes can often appear not to be a criminal act, shuffling numbers around in a remote and abstract way is not quite the same as handling gold bars or huge piles of paper money

3.3 The Amount of Computer Crime is far Greater Than We Think

There are two main reasons why many experts believe that the amount of computer crime is much greater than we currently estimate:

1. It is clear that many crimes go completely undetected because so many are discovered by accident and because so many are, by their very nature, simply very hard to detect

2. Very few computer frauds are made public because companies, especially banks and other financial institutions, are loath to admit that their security systems are fallible. Publicity of this nature is disastrous for public relations and it could lead to the loss of customer confidence, so they prefer to cover matters up

Commentators list some reasons why non-reporting of computer crime is so widespread (Forester and Morrison, 1990):

There is very little benefit for the victim. The law is unlikely to be able to undo the damage caused and the criminal is unlikely to be convicted. In addition, much staff time is likely to be tied up assembling evidence (if it can be collected at all), and wider knowledge of the crime is likely to harm the future prospects of the victim organisation.

What is therefore clear is that nobody is very sure about the true extent of computer crime, but most analysts who have researched the problem believe it is large and growing. Data crime deserves to be as much a social issue as more traditional areas of law and order such as crimes against the person, crimes against property and the maintenance of public peace.

3.4 Emerging Threats

Anna Walsh, editorial assistant on The Computer Bulletin, lists the following emerging threats in computer crime (2000):

· Increased information warfare to undermine the economy: for example the manipulation of share prices, sabotage, false news on the Internet

· Increased use of industrial espionage to maintain competitive edge

· Cyber-attacks on companies by anarchist groups

· Cyber-laundering: Internet trading and auctioning of stolen goods

· Recruitment of hackers by organised crime groups

· Buying, selling and acquiring data and industrial intelligence

· Advanced fee and investment frauds

· Credit card fraud: this has increased 40% with the use of the Internet

· Pyramid frauds

· Blackmail via the Internet

· Drug distribution

· Cyber-stalking

· Spoof Web sites

Walsh argues that many of these will be aided or carried out by staff: estimates of the number of computer crimes carried out by insiders range from 60% to 80%.

4. Computer Security
4.1 Securing Electronic Commerce

A costly problem that plagues corporations and on-line vendors arises when culprits steal passwords and use bogus identifiers to make fraudulent purchases. Although most e-commerce sites are secured adequately, there have been numerous security lapses, which have sometimes put sensitive consumer data at risk.

Richard Spinello argues that if vendors are to achieve a basic level of security for commercial Web sites, they must address two problems (Spinello, 2000):

1. Securing the Web server and the files that it contains

2. Guaranteeing the integrity of the information that travels between Web server and the end user. This includes user names, passwords, credit card numbers, and so forth

All sensitive information must be protected adequately from the risk of being intercepted by hackers and computer criminals.

Securing the Web server itself can usually be accomplished by using standard computer security techniques, such as authentication mechanisms and intrusion protection devices. Gatekeepers and digital locks can also secure networks on which these servers reside.

The more complicated problem is securing information in transit between the server and the end user. The only sure way to secure this data is encryption: encoding the transmitted information so that only an authorised recipient, holding the proper key, can decode it. The SET (Secure Electronic Transaction) standard was designed to encrypt credit card information transmitted over the Internet, though it was never widely adopted. The alternative, and the one that prevailed, is Secure Sockets Layer (SSL), originally from Netscape, which encrypts information sent to Web sites and decrypts it before the recipient reads it; SSL has since been superseded by its successor, TLS (Transport Layer Security). Encryption in transit protects only against interception: it does nothing for a compromised server or client, and a browser that fails to check the server's certificate can be talked to by an impostor just as easily as by the real site.

Digital Signatures

The best way to verify identity is via the use of digital signatures. This technology also relies on the use of encryption keys to encode and decode a message. In this case, a private key is used to sign one's signature to some message or piece of data and a public key is used to verify a signature after it has been sent. The public key might be published in a directory or otherwise made available to other users. Spinello presents a scenario to best describe the functioning of digital signatures:

Assume that John and Mary are exchanging e-mail, and Mary wants to verify John's identity. Mary can send John a letter with a random number, requesting that he digitally sign that number and send it back. John receives the letter, and digitally signs the random number with his private key. When the letter is sent back to Mary, she verifies that signature with her copy of John's public key. If the signature matches, she knows that she is communicating with John, assuming that John has been careful with his private key.

These digital signatures will undoubtedly play a major role in preventing impersonation during e-commerce transactions.
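The John and Mary exchange above, written out as an added Go example (not code from Spinello or from the page). It uses Ed25519 from the Go standard library; the domain tag, the 32-byte challenge size and the function names are assumptions of the example. It also runs the two checks that the scenario's closing caveat invites: an impostor signing with his own key is rejected, and John's old signature does not satisfy Mary's next challenge, so Mary must draw a fresh random number every time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// domainTag is prefixed to every challenge before signing so that a signature John
// produces here cannot be reused as his signature over some other message that
// happens to contain the same bytes. The label is an assumption of this example.
const domainTag = "mary-identity-challenge-v1:"

// NewChallenge is Mary's first step: a fresh 32-byte random number for every attempt.
// Reusing one would let an eavesdropper replay John's earlier signature.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// SignChallenge is John's step: sign the tagged challenge with his private key.
func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, append([]byte(domainTag), challenge...))
}

// VerifyChallenge is Mary's check against her copy of John's public key. A signature
// from any other key, or over any other challenge, fails here.
func VerifyChallenge(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, append([]byte(domainTag), challenge...), sig)
}

// Outcome records what Mary concluded from one genuine run and two attacks on it.
type Outcome struct {
	JohnAccepted     bool // genuine John, fresh challenge
	ImpostorRejected bool // someone else's key, same challenge
	ReplayRejected   bool // John's captured signature against Mary's next challenge
}

// RunExchange plays both sides in-process; in practice the private key never leaves
// John, which is exactly the "careful with his private key" assumption in the text.
func RunExchange() (Outcome, error) {
	var o Outcome
	johnPub, johnPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	challenge, err := NewChallenge()
	if err != nil {
		return o, err
	}
	sig := SignChallenge(johnPriv, challenge)
	o.JohnAccepted = VerifyChallenge(johnPub, challenge, sig)
	o.ImpostorRejected = !VerifyChallenge(johnPub, challenge, SignChallenge(impostorPriv, challenge))
	next, err := NewChallenge()
	if err != nil {
		return o, err
	}
	o.ReplayRejected = !VerifyChallenge(johnPub, next, sig)
	return o, nil
}

func main() {
	o, err := RunExchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o) // {JohnAccepted:true ImpostorRejected:true ReplayRejected:true}
}
```

The part the prose leaves implicit is how Mary obtained a trustworthy copy of John's public key in the first place; the directory Spinello mentions is only as good as its own integrity, which is the problem certificates and certificate authorities exist to solve.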
Access Control Software

Access control software closes password loopholes. This software restricts users, individually identified by password and codes, to only those files they are authorised to use. Even then, the software permits users to perform only authorised functions, such as appending or deleting information, and they can no longer browse through parts of the system which they are not entitled to enter. One obvious and major limitation of access control software, however, is that it does not protect the company against frauds committed by employees while going about their legitimate tasks, and as illustrated above, a high proportion of computer crimes occur this way.
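Access control of the kind just described, as an added Go example that is not from the page or from any product it mentions: a deny-by-default permission table keyed by operator and file, with the permitted functions (read, append, delete) as separate bits, and a listing function that reveals only the files the operator holds a grant on. The operator IDs, file names and grants are constructed for the example. Note what it cannot do, exactly as the text says: the cashier who is allowed to append to the ledger can still post a fraudulent entry.

```go
package main

import (
	"fmt"
	"sort"
)

// Permission is a bit set of the functions an operator may perform on a file.
type Permission uint8

const (
	Read Permission = 1 << iota
	Append
	Delete
)

// ACL maps operator ID -> file -> permitted functions. Anything absent is denied:
// there is no default-allow path, which is what stops a user browsing into parts
// of the system they are not entitled to enter. (Constructed for this example.)
type ACL map[string]map[string]Permission

// Grant records that operator may perform perm on file, merging with earlier grants.
func (a ACL) Grant(operator, file string, perm Permission) {
	if a[operator] == nil {
		a[operator] = map[string]Permission{}
	}
	a[operator][file] |= perm
}

// Allowed answers "may operator perform perm on file?". Every bit in perm must be
// granted; an unknown operator or file reads as zero and is therefore denied.
func (a ACL) Allowed(operator, file string, perm Permission) bool {
	return a[operator][file]&perm == perm
}

// Visible returns, sorted, only the files the operator holds some grant on: a
// directory listing built this way never reveals names the operator cannot open.
func (a ACL) Visible(operator string) []string {
	var files []string
	for f, p := range a[operator] {
		if p != 0 {
			files = append(files, f)
		}
	}
	sort.Strings(files)
	return files
}

// DemoACL builds the constructed example: a cashier who may read and append to the
// day's ledger but not delete from it, and a supervisor with wider rights.
func DemoACL() ACL {
	acl := ACL{}
	acl.Grant("cashier01", "/ledger/2011-12-15", Read|Append)
	acl.Grant("supervisor02", "/ledger/2011-12-15", Read|Append|Delete)
	acl.Grant("supervisor02", "/payroll/december", Read)
	return acl
}

func main() {
	acl := DemoACL()
	fmt.Println(acl.Allowed("cashier01", "/ledger/2011-12-15", Append)) // true
	fmt.Println(acl.Allowed("cashier01", "/ledger/2011-12-15", Delete)) // false
	fmt.Println(acl.Allowed("cashier01", "/payroll/december", Read))    // false: no grant at all
	fmt.Println(acl.Visible("cashier01"))                               // [/ledger/2011-12-15]
}
```

The design choice worth copying is that Allowed checks all requested bits at once, so a caller asking for Read|Delete is refused unless both were granted; checking them one at a time would let a composite operation slip through on a partial grant.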

Many companies have installed dial back or black box systems to protect their assets. When a user dials into a computer, a black box intercepts the call and demands a password. The unit then disconnects the call, looks up the password in its directory and calls the user back at his or her listed telephone number, so fraudsters dialling from another telephone number are screened out. A large mainframe may have hundreds of ports of entry from remote stations and each one has to be protected by these units. Dial back screens out only callers at the wrong number: a fraudster who arranges for the legitimate number to be call-forwarded to his own line still receives the call back.

Scrambling devices and encryption software are additional methods which scramble messages for transmission so that only the legitimate recipient can decode and understand them. Anyone tapping into, for example, a bank's communication line or eavesdropping on the electromagnetic waves emitted from a computer or piece of electronic equipment will pick up only the scrambled message. Encryption devices in the form of DSPs (Digital Signal Processors) are being used increasingly to scramble voice and data messages over telephone networks. Voice encryption is obviously vital in the military and security agencies.
Firewalls

A firewall consists of hardware and/or software designed to insulate an organisation's internal network from the Internet. Firewall software gives access only to trusted Internet addresses and scrutinises data for irregularities or signs of danger. Ideally firewalls are configured so that all connections to an internal network go through relatively few well-monitored locations. Firewalls can be used to protect the Web server, but most companies place public Web sites outside the internal network, in a separately firewalled segment (a DMZ), so that customers can reach them without the site becoming a path into the internal network.

Biometrics

Another weapon in the fight against computer crime is biometrics, or the digitising of biological characteristics. These include:
Fingerprints
Voice recognition
The veins of the back of the hand
The pattern of blood vessels in the retina

These scanning devices are now being used to control access to computer rooms, bank vaults and military bases.
Audit Control Software Packages

Audit control software packages are also available which can monitor transactions or the use of a computer. These enable auditors to trace and identify any operator who gains access to the system and when this occurred, such as after-hours. Audits can also highlight any abnormal number of correction entries, which often indicates the trial-and-error approach of fraudulent activity.
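The two detections this paragraph describes, and the salami technique from the Forms of Computer Crime section, run over a small constructed audit log, as an added Go example that is not code from the page or from any audit package. The log format (timestamp, operator, posting kind, source, destination, amount in pence), the operator IDs, the account numbers and the thresholds are all assumptions of the example. The point it shows that the prose does not: a salami is invisible slice by slice, and only appears when you group by the account that receives the slices.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Entry is one row of a constructed audit log (format assumed for this example):
// RFC 3339 timestamp, operator, kind (transfer|correction), source, destination, pence.
type Entry struct {
	At                       time.Time
	Operator, Kind, From, To string
	Pence                    int64
}

// Constructed log: c07 shaves 2-4p off four accounts into ACC-9001; c12 posts at 02:00.
const sampleLog = `2011-12-14T10:05:00Z,c03,transfer,ACC-1001,ACC-2001,12500
2011-12-14T10:06:10Z,c07,transfer,ACC-1002,ACC-9001,3
2011-12-14T10:06:12Z,c07,transfer,ACC-1003,ACC-9001,2
2011-12-14T10:06:14Z,c07,transfer,ACC-1004,ACC-9001,4
2011-12-14T10:06:16Z,c07,transfer,ACC-1005,ACC-9001,3
2011-12-14T11:30:00Z,c03,transfer,ACC-1007,ACC-2002,4000
2011-12-15T02:10:00Z,c12,transfer,ACC-1008,ACC-3001,9000
2011-12-15T02:11:00Z,c12,correction,ACC-1008,ACC-3001,9000
2011-12-15T02:12:00Z,c12,correction,ACC-1008,ACC-3001,9000`

// ParseLog rejects malformed rows rather than guessing; an unparseable log is itself a finding.
func ParseLog(raw string) ([]Entry, error) {
	var out []Entry
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(line, ",")
		if len(f) != 6 {
			return nil, fmt.Errorf("line %d: expected 6 fields, got %d", n+1, len(f))
		}
		at, errT := time.Parse(time.RFC3339, f[0])
		pence, errP := strconv.ParseInt(f[5], 10, 64)
		if errT != nil || errP != nil || pence < 0 {
			return nil, fmt.Errorf("line %d: bad timestamp or amount", n+1)
		}
		out = append(out, Entry{at, f[1], f[2], f[3], f[4], pence})
	}
	return out, nil
}

// SalamiSuspects flags destinations that collect transfers of at most maxSlice pence from
// at least minSources distinct accounts: each slice is trivial, the destination is not.
func SalamiSuspects(es []Entry, maxSlice int64, minSources int) map[string]bool {
	sources := map[string]map[string]bool{}
	for _, e := range es {
		if e.Kind == "transfer" && e.Pence <= maxSlice {
			if sources[e.To] == nil {
				sources[e.To] = map[string]bool{}
			}
			sources[e.To][e.From] = true
		}
	}
	flagged := map[string]bool{}
	for to, srcs := range sources {
		if len(srcs) >= minSources {
			flagged[to] = true
		}
	}
	return flagged
}

// OperatorFindings flags operators who post outside [startHour, endHour) UTC or whose
// corrections exceed maxRatio of their postings, the trial-and-error signature above.
func OperatorFindings(es []Entry, startHour, endHour int, maxRatio float64) map[string][]string {
	total, corr := map[string]int{}, map[string]int{}
	findings, afterHours := map[string][]string{}, map[string]bool{}
	for _, e := range es {
		total[e.Operator]++
		if e.Kind == "correction" {
			corr[e.Operator]++
		}
		if h := e.At.UTC().Hour(); (h < startHour || h >= endHour) && !afterHours[e.Operator] {
			afterHours[e.Operator] = true
			findings[e.Operator] = append(findings[e.Operator], "after-hours posting")
		}
	}
	for op, n := range total {
		if float64(corr[op])/float64(n) > maxRatio {
			findings[op] = append(findings[op], "high correction ratio")
		}
	}
	return findings
}

func main() {
	es, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("salami destinations:", SalamiSuspects(es, 10, 4))       // map[ACC-9001:true]
	fmt.Println("operator findings:", OperatorFindings(es, 8, 18, 0.5)) // map[c12:[after-hours posting high correction ratio]]
}
```

Thresholds such as 10 pence and four sources are tuning knobs, not facts about fraud: set them from the institution's own transaction statistics, and remember that an insider who knows the thresholds will slice just below them, which is why the audit trail itself must be something the operators cannot edit.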

Computers are also being used increasingly in the fight against crime, both conventional crime and computer based crime. UK-developed software enables a computer to browse through vast amounts of financial data looking for possible connections which might indicate insider trading or foreign exchange fraud. A similar system is at work at the New York Stock Exchange.

5. Scams on the Internet

James Mackintosh (1997) details swindles that have appeared on the Internet. Although these are centuries old they have found a new lease of life on the worldwide web and are duping a new breed of innocents.
Pyramid schemes

These schemes are often found advertised on the Internet's discussion groups offering the chance to make vast amounts of money very quickly. Mackintosh states

The most common offer is only one step up from a chain letter, suggesting sending £1 to each of the names listed and adding your name to the end of the list. Such inducements often contain accounts of how a fiver was turned into thousands within weeks - but don't believe it.

There are hundreds of variants of the pyramid scheme, but common to all: the victim gets income mainly by recruiting new members. Such schemes are doomed to failure when the supply of new members dries up. The US Federal Trade Commission highlighted the prevalence of these schemes by identifying more than 500 possible pyramid frauds when surfing the Internet in a 24 hour period.

The risk free investment

This swindle often induces investors by guaranteeing 200-600 percent annual returns - risk free. However, Mackintosh warns

Many of the supposed investments are either grossly overstated or simply do not exist.

Other examples that would-be investors need to be aware of are:
Off-shore investment opportunities claiming to offer legal tax evasion, while charging extortionate fees for the service
Prime bank guarantees, although gold mines, eel and shrimp farms are also touted

Internet Services

Mackintosh observes that everyone on the Internet wants to reduce the cost of staying on-line, from page design to service provision, and fraudsters know this. He notes:

Offering apparently cheap services from a well designed site, the crooks demand payment in advance and either disappear immediately or give holding replies before disappearing later. Mackintosh advises web users to ask for references and make checks before signing up for any service.
Miracle products

Miracle products that claim to give the on-line consumer free telephone calls or free satellite decoders are familiar offers that most on-line users have received at some time. Healthcare products are another popular offer, many making unlikely claims of aphrodisiac powers.
Viruses

Mackintosh argues that viruses have been common on the Internet for years but highlights a new phenomenon: a program that interacts with Quicken (financial software) and transfers money out of the accounts listed on the computer. He concludes that:

With the rise of Internet banking in the UK, this could become a serious problem, so avoid downloading software but, if you must, use a virus checker.
The anti-fraud fraud

There are several e-mail lists and web sites which offer advice on avoiding on-line fraud. However, a number of fraudulent mailing lists have been created under this guise. Mackintosh advises:

Before sending any money, check with the regulators any advice given on the unknown mailing list. Beware also of giving out personal details.

Summary

This week has introduced some of the key issues invoked by Computer Crime. You have seen what Computer Crime is about and why it is important to be aware of it. You have also been given an overview of computer security measures that can help tackle the criminal and fraudulent activities related to computing and e-commerce.

Conclusion

The fundamental issue in most computer crime is the criminals' lack of respect for the property or privacy of other people. I hope that society will recognise the seriousness of computer crime and demand more severe punishment for such criminals. Everyone should be conscious of taking steps to prevent this crime by providing security, whether physical or by password and so on, in their services.
