
Fundamentals of Computer and Internet Fraud

GLOBAL Headquarters • the gregor building 716 West Ave • Austin, TX 78701-2727 • USA

TABLE OF CONTENTS

I. INTRODUCTION
What Is Computer Crime? ...... 2
Computer Fraud Versus Computer Crime ...... 3
Computer Fraud ...... 3
Computer Crime ...... 4
The Extent Question: How Much Computer Fraud Is There? ...... 5
A Few Statistics ...... 6
How Vulnerable Are We? ...... 6
The Internet ...... 7
The Perpetrators of Computer Fraud ...... 8
The Necessary Skills ...... 8
Inside or Outside ...... 8
Securing Information Resources ...... 10
Categories of Computer Fraud ...... 11
Content ...... 11

II. THE USE OF COMPUTERS IN OCCUPATIONAL FRAUD
Asset Misappropriation ...... 13
Cash Schemes ...... 13
Non-Cash Schemes ...... 19
Control Weaknesses ...... 20
Internal Control Weaknesses ...... 21
Control Activities ...... 24
Review Questions ...... 25

III. DATA MANIPULATION AND DESTRUCTION
Data Manipulation ...... 27
Fraud by Input Manipulation ...... 27
Fraud by Program Manipulation ...... 27
Fraud by Output Manipulation ...... 27
Computer Forgery ...... 27
Data Destruction ...... 28
...... 29
Drive-by Downloads ...... 29
Types of Malware ...... 30
Malware Carriers ...... 41
Malware Symptoms ...... 41
Preventing Infection ...... 42
What to Do If Infected ...... 43
Antivirus and Other Security Software ...... 44
Investigating Malware Infections ...... 44
Malware Information Resources ...... 45
Laws Used to Combat the Manipulation and Destruction of Data ...... 45
The Computer Fraud and Abuse Act ...... 45
The Electronic Communications Privacy Act ...... 49
Wire Fraud ...... 50
Review Questions ...... 52

IV. UNAUTHORIZED ACCESS TO COMPUTER SYSTEMS AND SERVICES
Categories of Security Attacks ...... 56
Interception ...... 57
Interruption ...... 57
Modification ...... 57
Fabrication ...... 57
Passive and Active Attacks ...... 57
Passive Attacks ...... 57
Active Attacks ...... 58
Common Methods of Attack ...... 61
Social Engineering ...... 62
Reverse Social Engineering ...... 63
Hacking ...... 63
Anti-Intrusion Legislation ...... 68
Preventing Unauthorized Access ...... 68
Basic Prevention Measures ...... 68
Warning Screens ...... 69
Security Policies ...... 69
Firewalls ...... 69
Security Software ...... 69
...... 69
Protecting Wireless and Remote Access ...... 70
Wi-Fi Security ...... 71
Usernames ...... 72
Passwords ...... 72
Multifactor ...... 72
Hacker Publications and Communications ...... 73
Review Questions ...... 74

V. SOFTWARE PIRACY AND THE THEFT OF TRADE SECRETS
Introduction ...... 77
Software Piracy ...... 77
The Effects of Software Piracy ...... 77
Anti-Piracy Measures ...... 78
Trends in Software Piracy ...... 78
Costs of Software Piracy ...... 78
Types of Software Piracy ...... 79
Copyright Laws ...... 80
Anti-Piracy Resources ...... 82
Theft of Trade Secrets ...... 82
Digital Data ...... 83
Economic Espionage ...... 83
Identifying and Protecting Proprietary Information ...... 84
Sample Designations of Confidentiality ...... 86
Sample Employee Manual Information ...... 88
Legislation Used to Protect Proprietary Information ...... 90
Economic Espionage Act of 1996 (18, U.S.C., §§ 1831–1839) ...... 90
Disclosing Government Trade Secrets (18, U.S.C., § 1905) ...... 94
Interstate Transportation of Stolen Property (18, U.S.C., § 2314) ...... 94
The Wire Fraud Statute (18, U.S.C., § 1343) ...... 94
The Computer Fraud and Abuse Act (18, U.S.C., § 1030) ...... 94
The Uniform Trade Secrets Act ...... 95
Review Questions ...... 97

VI. INTERNET AND E-COMMERCE FRAUD
Introduction ...... 101
Internet Fraud Scams ...... 101
Identity Theft ...... 102
Email Abuse ...... 111
...... 113
Foreign Trust Schemes ...... 116
Investment Schemes ...... 117
Investment Securities ...... 121
Combating Internet Fraud ...... 123
Encryption ...... 123
Customer Validation ...... 123
Internal ...... 123
Firewalls ...... 123
Auditing and Intrusion Detection ...... 124
Electronic Commerce ...... 124
Types of E-Commerce ...... 124
Types of E-Commerce Scams ...... 125
Electronic Commerce and ...... 125
Information Security Goals ...... 126
Consumer Confidence ...... 128
Guidelines for E-Commerce Transactions ...... 129
Smart Cards and E-Commerce ...... 129
Review Questions ...... 132

VII. COMPUTER SECURITY CONSIDERATIONS
Computer Security ...... 137
Computer Security Risk Analysis ...... 137
Computer Security Controls ...... 139
Frameworks and Standards ...... 140
ISO/IEC 27002:2005 ...... 140
COBIT ...... 142
Payment Card Industry’s Data Security Standard ...... 143
Standard of Good Practice ...... 144
Cloud Security Alliance ...... 144
Physical Security and Controls ...... 145
Physical Threats ...... 146
Physical Controls ...... 147
Detective Physical Controls ...... 153
Technical and Administrative Controls ...... 154
Security Policies and Awareness Training ...... 154
Logical Access Controls ...... 155
Network Security ...... 159
Operating System Security ...... 163
Encryption ...... 164
...... 165
Data Classification ...... 168
Review Questions ...... 170

VIII. SECURITY AUDITING AND TESTING
Introduction ...... 173
Log Management and Analysis ...... 173
Recommendations for Log Management ...... 174
Types of Event Logs ...... 175
Event Attributes ...... 177
Dynamic Monitoring ...... 178
Log Analysis and Reporting ...... 178
Incident Response Plan ...... 179
Security Audits ...... 184
Phases of Security Audits ...... 184
Information Examined in Security Audits ...... 185
Event Logs ...... 185
External Security Audits ...... 186
Penetration Testing ...... 187
Review Questions ...... 189

IX. LEGAL ISSUES REGARDING COMPUTER AND INTERNET FRAUD INVESTIGATIONS
Avoiding Liability When Conducting Investigations ...... 191
Defamation ...... 192
Invasion of Privacy ...... 194
Good Faith and Fair Dealing ...... 197
Breach of Contract ...... 198
False Imprisonment ...... 198
Trespass ...... 199
Malicious Prosecution ...... 199
Wrongful Termination ...... 199
Employees’ Duties and Rights ...... 200
Employees’ Duty to Cooperate ...... 200
Employees’ Rights During an Investigation ...... 201
Restrictions on Employee Interviews ...... 208
Monitoring and Surveillance ...... 208
Surreptitious Recording ...... 216
Employee Protection from Polygraph Examinations ...... 217
Discharging an Employee ...... 217
Review Questions ...... 220

X. DIGITAL FORENSICS
Introduction ...... 223
Hiring a Forensic Expert ...... 224
Conducting Investigations Involving Computers ...... 226
Preliminary Investigation ...... 226
Digital Evidence ...... 229
Computer Investigations and Computer Forensics ...... 236
Plan ...... 236
Seize the Data ...... 240
Acquire an Image ...... 244
Process the Data ...... 244
Analyze the Data ...... 246
Report and Testify ...... 246
Mobile Forensic Investigations ...... 246
Plan ...... 248
Seize ...... 248
Extract ...... 250
Analyze ...... 251
Document ...... 251
Report and Testify ...... 252
Review Questions ...... 253

XI. CRIMINAL AND CIVIL ACTIONS
Introduction ...... 257
Criminal Prosecution of Computer Crimes ...... 258
Prosecutorial Discretion ...... 258
Sentencing ...... 260
Criminal Convictions Can Benefit Civil Complaints ...... 263
Civil Litigation ...... 263
Civil Remedies ...... 263
Bringing a Civil Action ...... 266
Enforcing Money Judgments ...... 271
Enforcement and Bankruptcy ...... 273
Recovery Under Insurance Policies ...... 274
Review Questions ...... 277

XII. CONCLUSION ...... 279

XIV. PRACTICAL PROBLEMS ...... 281

XV. SOLUTIONS TO REVIEW QUESTIONS ...... 291


XVI. SOLUTIONS TO PRACTICAL PROBLEMS ...... 345

XVII. APPENDIX ...... 355

XIX. FINAL EXAMINATION ...... E-1

XX. INDEX ...... I-1
