AIS
Fourteenth Edition
Chapter 5
Computer Fraud
Fraud Triangle
• Pressure, opportunity, and rationalization (each is defined under Key Terms below)

Computer Fraud
• If a computer is used to commit fraud, it is called computer fraud.

Key Terms
• Sabotage - An intentional act where the intent is to destroy a system or some of its components.
• Cookie - A text file created by a website and stored on a visitor's hard drive. Cookies store information about who the user is and what the user has done on the site.
• Fraud - Any and all means a person uses to gain an unfair advantage over another person.
• White-collar criminals - Typically, businesspeople who commit fraud. White-collar criminals usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence.
• Corruption - Dishonest conduct by those in power, which often involves actions that are illegitimate, immoral, or incompatible with ethical standards. Examples include bribery and bid rigging.
• Investment fraud - Misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk. Examples include Ponzi schemes and securities fraud.
• Misappropriation of assets - Theft of company assets by employees.
• Fraudulent financial reporting - Intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.
• Pressure - A person's incentive or motivation for committing fraud.
• Opportunity - The condition or situation that allows a person or organization to commit and conceal a dishonest act and convert it to personal gain.
• Rationalization - The excuse that fraud perpetrators use to justify their illegal behavior.
• Lapping - Concealing the theft of cash by means of a series of delays in posting collections to accounts receivable: a later customer's payment is credited to the account of the customer whose payment was stolen, and so on.
• Check kiting - Creating cash using the lag between the time a check is deposited and the time it clears the bank.
• Computer fraud - Any type of fraud that requires computer technology to perpetrate.
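Lapping leaves a trail that an auditor can test for mechanically, because the cover-up requires crediting one customer's payment to a different customer's account and delaying postings. The following is an added example, not from the textbook: it compares a constructed mailroom remittance log (who paid, when the check arrived) against the A/R postings (which account was credited, when) and flags the three symptoms of lapping, then follows the chain of cover-up postings back from the stolen receipt. The `Receipt` fields, the customer names, and the three-day posting tolerance are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Receipt:
    """One customer payment as recorded in two independent places: the mailroom
    remittance log (received, remitter, amount) and the A/R posting (applied_to,
    posted). Lapping only shows up when these two records are compared, which is
    why the person who opens the mail should not be the person who posts A/R."""
    receipt_id: str
    received: date
    remitter: str
    amount: float
    applied_to: Optional[str]   # A/R account credited; None if never posted
    posted: Optional[date]      # posting date; None if never posted

# Constructed sample. A clerk pockets Acme's payment (R1), covers Acme's balance
# with Baker's payment (R2), covers Baker with Cole's (R3); R4 is a normal
# posting and R5 is legitimate but posted late.
RECEIPTS = [
    Receipt("R1", date(2024, 3, 1), "Acme", 500.0, None, None),
    Receipt("R2", date(2024, 3, 3), "Baker", 500.0, "Acme", date(2024, 3, 4)),
    Receipt("R3", date(2024, 3, 8), "Cole", 500.0, "Baker", date(2024, 3, 9)),
    Receipt("R4", date(2024, 3, 10), "Dunn", 750.0, "Dunn", date(2024, 3, 10)),
    Receipt("R5", date(2024, 3, 2), "Evans", 200.0, "Evans", date(2024, 3, 9)),
]

def lapping_indicators(receipts, max_lag_days=3):
    """Return (receipt_id, reason) pairs for receipts that were never posted,
    were credited to a customer other than the one who paid, or were posted
    more than max_lag_days after the check arrived."""
    findings = []
    for r in receipts:
        if r.applied_to is None:
            findings.append((r.receipt_id, "never posted to A/R"))
            continue
        if r.applied_to != r.remitter:
            findings.append((r.receipt_id,
                             f"paid by {r.remitter} but credited to {r.applied_to}"))
        lag = (r.posted - r.received).days
        if lag > max_lag_days:
            findings.append((r.receipt_id, f"posted {lag} days after receipt"))
    return findings

def lapping_chain(receipts, stolen_id):
    """Starting from a stolen (unposted) receipt, follow the cover-up chain:
    which receipt was diverted to the remitter of the stolen one, which
    receipt was diverted to cover that remitter, and so on."""
    by_id = {r.receipt_id: r for r in receipts}
    chain = [stolen_id]
    uncovered = by_id[stolen_id].remitter
    while True:
        cover = next((r for r in receipts
                      if r.applied_to == uncovered and r.remitter != uncovered
                      and r.receipt_id not in chain), None)
        if cover is None:
            return chain
        chain.append(cover.receipt_id)
        uncovered = cover.remitter

if __name__ == "__main__":
    for rid, why in lapping_indicators(RECEIPTS):
        print(rid, why)
    print("chain:", " -> ".join(lapping_chain(RECEIPTS, "R1")))
```

The cross-application test is the strong one; a posting lag on its own (R5 here) is a control weakness rather than proof of theft, so the two should be reported separately.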
Chapter 6
Computer Fraud and Abuse Techniques
Types of Attacks
• Hacking – Unauthorized access, modification, or use of an electronic device or some element of a computer system
• Social Engineering – Techniques or tricks used on people to gain physical or logical access to confidential information
• Malware – Software used to do harm

Hacking
– Hijacking
  ▪ Gaining control of a computer to carry out illicit activities
– Botnet (robot network)
  ▪ Zombies
  ▪ Bot herders
  ▪ Denial of Service (DoS) attack
  ▪ Spamming
  ▪ Spoofing
    – Makes the communication look as if someone else sent it, so as to gain confidential information.

Forms of Spoofing
• E-mail spoofing
• Caller ID spoofing
• IP address spoofing
• Address Resolution Protocol (ARP) spoofing
• SMS spoofing
• Web-page spoofing (phishing)
• DNS spoofing

Hacking Used for Embezzlement
• Salami technique:
  – Taking small amounts at a time
  ▪ Round-down fraud
• Economic espionage
  – Theft of information, intellectual property, and trade secrets
• Cyber-extortion
  – Threats to a person or business online, through e-mail or text messages, unless money is paid

Hacking Used for Fraud
• Internet misinformation
• E-mail threats
• Internet auction fraud
• Internet pump and dump
• Click fraud
• Web cramming
• Software piracy

Social Engineering Techniques
• Identity theft
  – Assuming someone else's identity
• Pretexting
  – Using an invented scenario to trick victims into divulging information or granting access
• Posing
  – Creating a fake business to get sensitive information
• Phishing
  – Sending an e-mail that asks the victim to follow a link that appears legitimate and then requests sensitive data
• Pharming
  – Redirects traffic intended for a legitimate Web site to a spoofed Web site
• URL hijacking
  – Takes advantage of typographical errors made when entering a Web site address; the user lands on an invalid or wrong Web site
• Scavenging
  – Searching trash for confidential information
• Shoulder surfing
  – Snooping, either from close behind the person or by using technology, to get confidential information
• Skimming
  ▪ Double swiping a credit card
• Eavesdropping

Hacking with Computer Code
• Cross-site scripting (XSS)
  – Uses a vulnerability in a Web application that lets an attacker inject malicious code (usually script) into the Web site. When a user visits the site, the browser runs the injected code as if it came from the site, and the code can collect data from the user.
• Buffer overflow attack
  – More data is sent to a program than its input memory (buffer) can hold. The excess overwrites adjacent memory; the program may crash, or the overflow may be crafted so that the overwritten memory holds the attacker's own program instructions.
• SQL injection (insertion) attack
  – Malicious SQL inserted into user input so that it becomes part of the query the application sends to the database, giving the attacker access to the database information
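The SQL injection point above is easiest to see with the vulnerable query next to its fix. The block below is an added example, not code from the textbook: it builds a throwaway in-memory SQLite user table, shows a login check that pastes user input into the SQL text, runs three classic payloads against it (comment out the password check, make the WHERE clause always true, and append a UNION that dumps the password column), and then shows the same queries written with bound parameters, against which the identical payloads return nothing. The table layout, the user names, and the plaintext password column are assumptions made to keep the example short; a real system stores salted, slow password hashes rather than passwords.

```python
import sqlite3

def build_demo_db():
    """Constructed stand-in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret!", "controller"),
        ("bob", "hunter2", "ap_clerk"),
    ])
    return conn

# --- vulnerable: the input is spliced into the SQL text, so the database
# --- parses whatever the user typed as part of the statement.
def login_vulnerable(conn, username, password):
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()

def find_user_vulnerable(conn, username):
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

# --- hardened: SQL and values travel separately; quotes, comments and
# --- keywords in the input are just characters to compare against.
def login_parameterized(conn, username, password):
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()

def find_user_parameterized(conn, username):
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Three classic payloads. `--` starts an SQL comment, which discards the rest
# of the statement (including the AND password = ... check).
COMMENT_OUT = "alice' --"                                   # log in as alice, no password
ALWAYS_TRUE = "' OR '1'='1"                                 # WHERE clause true for every row
DUMP_TABLE = "x' UNION SELECT username, password FROM users --"  # read another column

if __name__ == "__main__":
    db = build_demo_db()
    print(login_vulnerable(db, COMMENT_OUT, "wrong"))        # ('alice', 'controller')
    print(login_vulnerable(db, "nobody", ALWAYS_TRUE))       # ('alice', 'controller')
    print(find_user_vulnerable(db, DUMP_TABLE))              # includes ('alice', 's3cret!')
    print(login_parameterized(db, COMMENT_OUT, "wrong"))     # None
    print(find_user_parameterized(db, DUMP_TABLE))           # []
```

Note that Python's `sqlite3` refuses to run two statements in one `execute()` call, so a stacked `'; DROP TABLE users --` payload fails here; that is an accident of the driver, not a defense, and the three payloads above work regardless. Bound parameters (or an ORM that uses them) are the fix; input filtering is not.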
Other Types of Hacking
• Man in the middle (MITM)
  – The hacker is placed between a client (user) and a host (server) to read, modify, or steal data.
• Masquerading/impersonation
• Piggybacking
• Password cracking
• War dialing and driving
• Phreaking
• Data diddling
• Data leakage
• Podslurping

Why People Fall Victim
• Compassion
  – Desire to help others
• Greed
  – Want a good deal or something for free
• Sex appeal
  – More cooperative with those that are flirtatious or good looking
• Sloth
  – Lazy habits
• Trust
  – Will cooperate if trust is gained
• Urgency
  – Cooperation occurs when there is a sense of immediate need
• Vanity
  – More cooperation when the approach appeals to vanity

Minimize the Threat of Social Engineering
• Never let people follow you into restricted areas
• Never log in for someone else on a computer
• Never give sensitive information over the phone or through e-mail
• Never share passwords or user IDs
• Be cautious of someone you don't know who is trying to gain access through you

Types of Malware
• Spyware
  – Secretly monitors and collects information
  – Can hijack the browser and search requests
  – Adware, Scareware
• Ransomware
  – Locks you out of all your programs and data using encryption
• Keylogger
  – Software that records user keystrokes
• Trojan Horse
  – Malicious computer instructions in an authorized and properly functioning program
• Trap door
  – Set of instructions that allow the user to bypass normal system controls
• Packet sniffer
  – Captures data as it travels over the Internet
• Virus
  – A section of self-replicating code that attaches to a program or file; it needs a human to do something (open the file, run the program) before it can replicate
• Worm
  – Stand-alone self-replicating program

Cellphone Bluetooth Vulnerabilities
• Bluesnarfing
  – Stealing contact lists, data, and pictures from Bluetooth-compatible smartphones
• Bluebugging
  – Taking control of a phone to make or listen to calls, send or read text messages

Key Terms
• Hacking - Unauthorized access, modification, or use of an electronic device or some element of a computer system.
• Hijacking - Gaining control of someone else's computer to carry out illicit activities, such as sending spam, without the computer user's knowledge.
• Botnet - A network of powerful and dangerous hijacked computers that are used to attack systems or spread malware.
• Zombie - Hijacked computers, typically part of a botnet, that are used to launch a variety of Internet attacks.
• Bot herder - The person who creates a botnet by installing software on PCs that responds to the bot herder's electronic instructions.
• Denial-of-service (DoS) attack - A computer attack in which the attacker sends so many e-mail bombs or web page requests, often from randomly generated false addresses, that the Internet service provider's e-mail server or the web server is overloaded and shuts down.
• Spamming - Simultaneously sending the same unsolicited message to many people, often in an attempt to sell them something.
• Dictionary attack - Software that generates user ID and password guesses using a dictionary of possible user IDs and passwords to reduce the number of guesses required.
• Splog -
• Spoofing - Altering some part of an electronic communication to make it look as if someone else sent the communication, in order to gain the trust of the recipient.
• E-mail spoofing - Making a sender address and other parts of an e-mail header appear as though the e-mail originated from a different source.
• Caller ID spoofing - Displaying an incorrect number on the recipient's caller ID display to hide the caller's identity.
• IP address spoofing - Creating Internet Protocol packets with a forged IP address to hide the sender's identity or to impersonate another computer system.
• MAC address -
• Address Resolution Protocol (ARP) spoofing -
• SMS spoofing - Using short message service (SMS) to change the name or number a text message appears to come from.
• Web-page spoofing - See phishing.
• DNS spoofing -
• Zero-day attack - An attack between the time a new software vulnerability is discovered and "released into the wild" and the time a software developer releases a patch to fix the problem.
• Patch - Code released by software developers that fixes a particular software vulnerability.
• Cross-site scripting (XSS) - A vulnerability in dynamic web pages that allows an attacker to bypass a browser's security mechanisms and instruct the victim's browser to execute code, thinking it came from the desired website.
• Buffer overflow attack - When the amount of data entered into a program is greater than the amount of the input buffer. The input overflow overwrites adjacent memory, including the control data that tells the computer which instruction to run next, causing the system to crash. Hackers exploit this by crafting the input so that the overflow contains code that tells the computer what to do next. This code could open a back door into the system.
• SQL injection (insertion) attack - Inserting a malicious SQL query in input such that it is passed to and executed by an application program. This allows a hacker to convince the application to run SQL code that it was not intended to execute.
• Man-in-the-middle (MITM) attack - A hacker placing himself between a client and a host to intercept communications between them.
• Masquerading/impersonation - Gaining access to a system by pretending to be an authorized user. This requires that the perpetrator know the legitimate user's ID and passwords.
• Piggybacking - (1) Tapping into a communications line and electronically latching onto a legitimate user who unknowingly carries the perpetrator into the system. (2) The clandestine use of a neighbor's Wi-Fi network. (3) An unauthorized person following an authorized person through a secure door, bypassing physical security controls.
• Password cracking - Recovering passwords by trying every possible combination of upper- and lower-case letters, numbers, and special characters, hashing each guess, and comparing it to the stored cryptographic hash of the password (a dictionary attack narrows the guesses to likely passwords).
• War dialing - Programming a computer to dial thousands of phone lines searching for dial-up modem lines. Hackers hack into the PC attached to the modem and access the network to which it is connected.
• War driving - Driving around looking for unprotected home or corporate wireless networks.
• War rocketing -
• Phreaking - Attacking phone systems to obtain free phone line access; to use phone lines to transmit malware; and to access, steal, and destroy data.
• Data diddling -
• Data leakage -
• Podslurping - Using a small device with storage capacity (iPod, flash drive) to download unauthorized data from a computer.
• Salami technique - Stealing tiny slices of money from many different accounts.
• Round-down fraud - Instructing the computer to round down all interest calculations to two decimal places. The fraction of a cent rounded down on each calculation is put into the programmer's account.
• Economic espionage - Theft of information, trade secrets, and intellectual property.
• Cyber-extortion - Threatening a person or business online, through e-mail or text messages, unless money is paid.
• Cyber-bullying - Using computer technology to support deliberate, repeated, and hostile behavior that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person.
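The round-down fraud defined under Key Terms above is small per account but mechanical, which also makes it detectable. The block below is an added example, not from the textbook: it computes one period of interest for a constructed set of accounts twice, once with honest round-to-nearest posting and once with the fraud (truncate every credit to the cent below and sweep the shaved fractions into an account the programmer controls), then applies two audit tests: look for credits to any account that is not a customer account, and examine the sign of the rounding residuals, which honest rounding spreads on both sides of zero and truncation pushes entirely to one side. The account numbering, the 3% rate, the 30-day period, and the "9999-PROGRAMMER" account name are assumptions made for the example.

```python
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_DOWN

CENT = Decimal("0.01")
RATE = Decimal("0.03")             # annual interest rate (assumed)
DAYS = 30                          # days in the posting period (assumed)
SKIM_ACCOUNT = "9999-PROGRAMMER"   # hypothetical account the fraudster controls

def sample_accounts(n=500):
    """Constructed balances chosen so the fractional cents of the interest vary."""
    return {f"ACCT-{i:04d}": Decimal("250") + Decimal(i) * Decimal("17.37")
            for i in range(1, n + 1)}

def exact_interest(balance):
    """Simple interest for the period, kept at full precision."""
    return balance * RATE * Decimal(DAYS) / Decimal(365)

def post_interest_honest(accounts):
    """Round each credit to the nearest cent (half-even) and keep nothing back."""
    return {a: exact_interest(b).quantize(CENT, rounding=ROUND_HALF_EVEN)
            for a, b in accounts.items()}

def post_interest_round_down(accounts):
    """The fraud: truncate every credit to the cent below and accumulate the
    shaved fractions into the programmer's own account."""
    posted, skimmed = {}, Decimal("0")
    for a, b in accounts.items():
        exact = exact_interest(b)
        trunc = exact.quantize(CENT, rounding=ROUND_DOWN)
        posted[a] = trunc
        skimmed += exact - trunc
    posted[SKIM_ACCOUNT] = skimmed.quantize(CENT, rounding=ROUND_DOWN)
    return posted

def unexplained_credits(posted, accounts):
    """Audit test 1: interest credited to anything that is not a customer account."""
    return {a: v for a, v in posted.items() if a not in accounts}

def rounding_residual_check(accounts, posted):
    """Audit test 2: residual = exact - posted for each customer account.
    Honest rounding leaves residuals in [-0.005, 0.005] with a mean near zero and
    roughly as many negative as positive; systematic rounding down leaves no
    negative residuals and a mean near +0.005. Returns (positives, negatives, mean)."""
    res = [exact_interest(b) - posted[a] for a, b in accounts.items()]
    pos = sum(1 for r in res if r > 0)
    neg = sum(1 for r in res if r < 0)
    return pos, neg, sum(res) / len(res)

if __name__ == "__main__":
    accts = sample_accounts()
    fraud = post_interest_round_down(accts)
    print("skimmed this period:", fraud[SKIM_ACCOUNT])
    print("honest residuals (pos, neg, mean):", rounding_residual_check(accts, post_interest_honest(accts)))
    print("fraud residuals  (pos, neg, mean):", rounding_residual_check(accts, fraud))
```

With 500 accounts the skim is about two and a half dollars per period, which is why the fraud depends on volume and on nobody reconciling the total interest expense against the total credited to customers. The residual test is the one that works when the skim account has been given a plausible name.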
• Sexting - Exchanging sexually explicit text messages and revealing pictures with other people, usually by means of a phone.
• Internet terrorism -
• Internet misinformation - Using the Internet to spread false or misleading information.
• E-mail threats - Threats sent to victims by e-mail. The threats usually require some follow-up action, often at great expense to the victim.
• Internet auction fraud - Using an Internet auction site to defraud another person.
• Internet pump-and-dump fraud - Using the Internet to pump up the price of a stock and then sell it.
• Click fraud - Manipulating the number of times an ad is clicked on to inflate advertising bills.
• Web cramming -
• Software piracy - The unauthorized copying or distribution of copyrighted software.
• Social engineering - The techniques or psychological tricks used to get people to comply with the perpetrator's wishes in order to gain physical or logical access to a building, computer, server, or network. It is usually done to get the information needed to obtain confidential data.
• Identity theft - Assuming someone's identity, usually for economic gain, by illegally obtaining confidential information such as a social security number or a bank account or credit card number.
• Pretexting - Using an invented scenario (the pretext) that creates legitimacy in the target's mind in order to increase the likelihood that a victim will divulge information or do something.
• Posing - Creating a seemingly legitimate business, collecting personal information while making a sale, and never delivering the product.
• Phishing - Sending an electronic message pretending to be a legitimate company, usually a financial institution, and requesting information or verification of information, often warning of a consequence if it is not provided. The request is bogus, and the information gathered is used to commit identity theft or to steal funds from the victim's account.
• Vishing - Voice phishing; it is like phishing except that the victim enters confidential data by phone.
• Carding - Activities performed on stolen credit cards, including making a small online purchase to determine whether the card is still valid and buying and selling stolen credit card numbers.
• Pharming - Redirecting website traffic to a spoofed website.
• Evil twin - A wireless network with the same name (Service Set Identifier) as a legitimate wireless access point. Users are connected to the twin because it has a stronger wireless signal or because the twin disrupts or disables the legitimate access point. Users are unaware that they have connected to the evil twin, and the perpetrator monitors the traffic looking for confidential information.
• Typosquatting/URL hijacking - Setting up similarly named websites so that users making typographical errors when entering a website name are sent to an invalid site.
• QR barcode replacements -
• Tabnapping -
• Scavenging/dumpster diving - Searching documents and records to gain access to confidential information. Scavenging methods include searching garbage cans, communal trash bins, and city dumps.
• Shoulder surfing - When perpetrators look over a person's shoulder in a public place to get information such as ATM PIN numbers or user IDs and passwords.
• Lebanese looping - Inserting a sleeve into an ATM that prevents it from ejecting the card. The perpetrator pretends to help the victim, tricking the person into entering the PIN again. Once the victim gives up, the thief removes the card and uses it and the PIN to withdraw cash.
• Skimming - Double-swiping a credit card in a legitimate terminal, or covertly swiping a credit card in a small, hidden, hand-held card reader that records credit card data for later use.
• Chipping - Planting a small chip that records transaction data in a legitimate credit card reader. The chip is later removed or electronically accessed to retrieve the data recorded on it.
• Eavesdropping - Listening to private communications or tapping into data transmissions intended for someone else. One way to intercept signals is by setting up a wiretap.
• Malware - Any software that is used to do harm.
• Spyware - Software that secretly monitors computer usage, collects personal information about users, and sends it to someone else, often without the computer user's permission.
• Adware - Spyware that causes banner ads to pop up on a monitor, collects information about the user's web-surfing and spending habits, and forwards it to the adware creator, often an advertising or media organization. Adware usually comes bundled with freeware and shareware downloaded from the Internet.
• Torpedo software - Software that destroys competing malware. This sometimes results in "malware warfare" between competing malware developers.
• Scareware - Malicious software of no benefit that is sold using scare tactics.
• Ransomware - Software that encrypts programs and data and demands a ransom for the key to decrypt them.
• Keylogger - Software that records computer activity, such as a user's keystrokes, e-mails sent and received, websites visited, and chat session participation.
• Trojan horse - A set of unauthorized computer instructions in an authorized and otherwise properly functioning program.
• Time bomb/logic bomb - A program that lies idle until some specified circumstance or a particular time triggers it. Once triggered, the program sabotages the system by destroying programs or data.
• Trap door/back door - A set of computer instructions that allows a user to bypass the system's normal controls.
• Packet sniffers - Programs that capture data from information packets as they travel over the Internet or company networks. Captured data is sifted to find confidential or proprietary information.
• Steganography program - A program that can merge confidential information with a seemingly harmless file, password-protect the file, and send it anywhere in the world, where the file is unlocked and the confidential information is reassembled. The host file can still be heard or viewed because humans are not sensitive enough to pick up the slight decrease in image or sound quality.
• Rootkit - A means of concealing system components and malware from the operating system and other programs; it can also modify the operating system.
• Superzapping -
• Virus - A segment of executable code that attaches itself to a file, program, or some other executable system component. When the hidden program is triggered, it makes unauthorized alterations to the way a system operates.
• Worm - Similar to a virus, except that it is a program rather than a code segment hidden in a host program. A worm also copies itself automatically and actively transmits itself directly to other systems.
• Bluesnarfing - Stealing (snarfing) contact lists, images, and other data using flaws in Bluetooth applications.
• Bluebugging - Taking control of someone else's phone to make or listen to calls, send or read text messages, connect to the Internet, forward the victim's calls, and call numbers that charge fees.