
Fundamentals of Computer and Internet Fraud

WORLD HEADQUARTERS • THE GREGOR BUILDING • 716 WEST AVE • AUSTIN, TX 78701-2727 • USA

TABLE OF CONTENTS

I. INTRODUCTION
    What Is Computer Crime? ...... 3
    Computer Fraud Versus Computer Crime ...... 3
    Computer Fraud ...... 4
    Computer Crime ...... 5
    The Extent Question: How Much Computer Fraud Is There? ...... 6
    A Few Statistics ...... 6
    How Vulnerable Are We? ...... 7
    The Internet ...... 8
    The Perpetrators of Computer Fraud ...... 9
    The Necessary Skills ...... 9
    Inside or Outside ...... 9
    Securing Information Resources ...... 11
    Categories of Computer Fraud ...... 12

II. THE USE OF COMPUTERS IN OCCUPATIONAL FRAUD
    Asset Misappropriation ...... 14
    Cash Schemes ...... 14
    Non-Cash Schemes ...... 19
    Control Weaknesses ...... 20
    Internal Control Weaknesses ...... 21
    Control Activities ...... 24
    Review Questions ...... 25

III. DATA MANIPULATION AND DESTRUCTION
    Data Manipulation ...... 27
    Fraud by Input Manipulation ...... 27
    Fraud by Program Manipulation ...... 27
    Fraud by Output Manipulation ...... 27
    Computer Forgery ...... 27
    Data Destruction ...... 28
    ...... 29
    Drive-by Downloads ...... 30
    Types of Malware ...... 31
    Malware Carriers ...... 42
    Malware Symptoms ...... 42
    Preventing Infection ...... 43
    What to Do If Infected ...... 44
    Antivirus and Other Security Software ...... 45
    Investigating Malware Infections ...... 45
    Malware Information Resources ...... 45
    Laws Used to Combat the Manipulation and Destruction of Data ...... 46
    The Computer Fraud and Abuse Act ...... 46
    The Electronic Communications Privacy Act ...... 49
    Wire Fraud ...... 51
    Review Questions ...... 52

IV. UNAUTHORIZED ACCESS TO COMPUTER SYSTEMS AND SERVICES
    Categories of Security Attacks ...... 56
    Passive and Active Attacks ...... 57
    Common Methods of Attack ...... 61
    Anti-Intrusion Legislation ...... 68
    Preventing Unauthorized Access ...... 68
    Hacker Publications and Communications ...... 73
    Review Questions ...... 74

V. SOFTWARE PIRACY AND THE THEFT OF TRADE SECRETS
    Introduction ...... 76
    Software Piracy ...... 76
    The Effects of Software Piracy ...... 76
    Anti-Piracy Measures ...... 77
    Trends in Software Piracy ...... 77
    Costs of Software Piracy ...... 77
    Types of Software Piracy ...... 78
    Copyright Laws ...... 80
    Anti-Piracy Resources ...... 81
    Theft of Trade Secrets ...... 81
    Digital Data ...... 82
    Economic Espionage ...... 83
    Identifying and Protecting Proprietary Information ...... 84
    Sample Designations of Confidentiality ...... 86
    Sample Employee Manual Information ...... 88
    Legislation Used to Protect Proprietary Information ...... 89
    Economic Espionage Act of 1996 (18 U.S.C. §§ 1831–1839) ...... 90
    Disclosing Government Trade Secrets (18 U.S.C. § 1905) ...... 93
    Interstate Transportation of Stolen Property (18 U.S.C. § 2314) ...... 93
    The Wire Fraud Statute (18 U.S.C. § 1343) ...... 93
    The Computer Fraud and Abuse Act (18 U.S.C. § 1030) ...... 93
    The Uniform Trade Secrets Act ...... 94
    Review Questions ...... 96

VI. INTERNET AND E-COMMERCE FRAUD
    Introduction ...... 98
    Internet Fraud Scams ...... 98
    Identity Theft ...... 99
    E-mail Abuse ...... 109
    ...... 111
    Foreign Trust Schemes ...... 114
    Investment Schemes ...... 114
    Investment Securities ...... 119
    Combating Internet Fraud ...... 120
    ...... 120
    Customer Validation ...... 121
    Internal ...... 121
    Firewalls ...... 121
    Auditing and Intrusion Detection ...... 121
    Electronic Commerce ...... 122
    Types of E-Commerce ...... 122
    Mobile Commerce ...... 123
    Types of E-Commerce Scams ...... 123
    Electronic Commerce and ...... 123
    Information Security Goals ...... 123
    Consumer Confidence ...... 126
    Guidelines for E-Commerce Transactions ...... 126
    Smart Cards and E-Commerce ...... 127
    Review Questions ...... 130

VII. CONSIDERATIONS
    Computer Security ...... 133
    Risk Analysis ...... 133
    Computer Security Controls ...... 135
    Frameworks and Standards ...... 136
    ISO/IEC 27002:2005 ...... 136
    COBIT ...... 138
    Payment Card Industry’s Data Security Standard ...... 139
    Physical Security and Controls ...... 140
    Physical Threats ...... 140
    Physical Controls ...... 142
    Detective Physical Controls ...... 147
    Technical and Administrative Controls ...... 148
    Security Policies and Awareness Training ...... 149
    Logical Access Controls ...... 150
    Network Security ...... 153
    Operating System Security ...... 157
    Encryption ...... 159
    ...... 159
    Data Classification ...... 162
    Review Questions ...... 164

VIII. SECURITY AUDITING AND TESTING
    Introduction ...... 167
    Log Management and Analysis ...... 167
    Journal Contents ...... 168
    Event Logs ...... 168
    Dynamic Monitoring ...... 171
    Log Analysis and Reporting ...... 171
    Incident Response Plan ...... 172
    Security Auditing ...... 178
    Event Logs ...... 178
    Security Audits and Reporting ...... 179
    External Security Audits ...... 179
    Penetration Testing ...... 180
    Review Questions ...... 182

IX. LEGAL ISSUES REGARDING COMPUTER AND INTERNET FRAUD INVESTIGATIONS
    Avoiding Liability when Conducting Investigations ...... 184
    Defamation ...... 184
    Invasion of Privacy ...... 186
    False Imprisonment ...... 188
    Malicious Prosecution ...... 189
    Wrongful Termination ...... 189
    Employees’ Duties and Rights ...... 189
    Employees’ Duty to Cooperate ...... 190
    Employees’ Rights During an Investigation ...... 191
    Restrictions on Employee Interviews ...... 198
    Monitoring and Surveillance ...... 198
    Surreptitious Recording ...... 204
    Employee Protection from Polygraph Examinations ...... 205
    Discharging an Employee ...... 206
    Review Questions ...... 209

X. DIGITAL FORENSICS
    Introduction ...... 212
    Hiring a Forensic Expert ...... 213
    Conducting Investigations Involving Computers ...... 215
    Preliminary Investigation ...... 215
    Digital Evidence ...... 218
    Computer Investigations and Computer Forensics ...... 224
    Preparation ...... 224
    Five Phases ...... 227
    Review Questions ...... 235

XI. CRIMINAL AND CIVIL ACTIONS
    Introduction ...... 238
    Criminal Prosecution of Computer Crimes ...... 239
    Prosecutorial Discretion ...... 239
    Sentencing ...... 240
    Fines, Restitution, and Probation ...... 240
    Criminal Convictions Can Benefit Civil Complaints ...... 242
    Civil Litigation ...... 242
    Civil Remedies ...... 242
    Bringing a Civil Action ...... 244
    Will a Judgment Be Collectible? ...... 245
    Assuring Recovery of Property or Damages ...... 245
    Enforcement of Money Judgments ...... 247
    Filing for Bankruptcy ...... 248
    Review Questions ...... 249

XII. CONCLUSION ...... 251

XIV. PRACTICAL PROBLEMS ...... 252

XV. SOLUTIONS TO REVIEW QUESTIONS ...... 262

XVI. SOLUTIONS TO PRACTICAL PROBLEMS ...... 312

PRACTICAL PROBLEM EPILOGUE ...... 321

APPENDIX ...... 322

FINAL EXAMINATION ...... E-1
