«Item type text; Dissertation-Reproduction (electronic) Authors DUNN, THURMAN STANLEY. Publisher The University of Arizona. Rights Copyright © is ...»
CASE 5. CONSPIRED BANK EMBEZZLEMENT, NEW JERSEY
The computer systems vice-president, senior computer operator, and three non-employees of a bank were charged with transferring money from infrequently used savings accounts to newly opened accounts. They were detected when conversion to a new computer disrupted their work.
CASE 6. COMPUTER SERVICE THEFT, DETROIT
Two engineers accidentally discovered that a password one digit different than their own happened to belong to the president of the time-sharing firm. The president's password allowed access to privileged customer and accounting data. It allowed the engineers to use unlimited amounts of computer time and obtain customer information and proprietary program listings. Discovery was made by computer operators who noticed the password being used at unusual times. The engineers were fired and no other action was taken.
CASE 7. PROGRAM THEFT, CALIFORNIA
CASE 8. CUSTOMER LIST THEFT, WHITE PLAINS, NEW YORK
An employee tried to sell listings of new customers to an outside buyer. He was caught when a potential buyer reported the offer to the police. The list was estimated to be worth $37,000 in the address list market. The case was dropped for lack of evidence.
CASE 9. INDUSTRIAL ESPIONAGE, WEST GERMANY
A secret agent for East Germany is alleged to have copied confidential financial and production data of 3,000 West German firms onto tape and given the tape to the government of East Germany. The outcome of the case is not known.
CASE 10. SALARY ROUND-DOWN, FRANCE
An employee was authorized to round salaries down to two decimal places, but when he did so he accrued the remainder amounts to his own salary. The total salaries, of course, balanced correctly. The disposition of the case is not known.
CASE 11. OVERSTATED ACCOUNTS PAYABLE
An account clerk at a catering service, in collusion with a grocery store owner, submitted false account numbers and invoices for undelivered food to a computer system. Thefts amounted to $120,000 over eight years. Both conspirators were convicted.
CASE 12. COLLECTION AGENCY REBILLING, TEXAS
A computerized collection agency sent new bills to people who had paid their bills the previous year. They relied for profit on the reluctance of most people to fight computerized systems. Disposition of the case is not known.
CASE 13. PENSION FRAUD, CANADA
An employee in an insurance company changed the account numbers of several deceased insured persons to his own to collect their pensions. He was caught when a staple in a punch card forced manual handling, which revealed several cards with the same number.
CASE 14. PAYROLL FRAUD, WEST GERMANY
An EDP operator pressed the "repeat" button on the printer to print 200 extra copies of his own paycheck. He was caught when he cashed 37 checks all at the same bank.
CASE 15. SALES COMMISSION FRAUD, ENGLAND
A programmer in a mail-order company created a sales commission account in the name of Zwana to be the last in order. He adjusted the commission program to collect commission round-downs in the last account. He was discovered after three years when Marketing happened to choose the first and last accounts for a public relations project.
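Added example, not part of the dissertation: Cases 10 and 15 both divert round-down remainders into one account, which leaves the overall control total in balance, so the sketch below recomputes each payment independently and compares it with what was paid. The account names, amounts and function names are constructed for illustration.

```python
from decimal import Decimal, ROUND_DOWN

CENT = Decimal("0.01")

def round_down(amount):
    """The authorized rule: truncate a computed amount to two decimal places."""
    return amount.quantize(CENT, rounding=ROUND_DOWN)

def audit(computed, paid):
    """Recompute every payment independently and compare it with what was paid.

    Returns (control_gap, findings). control_gap is total computed minus total
    paid; findings lists (account, excess) for each account whose payment
    differs from its own rounded-down amount.
    """
    control_gap = sum(computed.values()) - sum(paid.values())
    findings = []
    for account in sorted(set(computed) | set(paid)):
        expected = round_down(computed.get(account, Decimal("0")))
        excess = paid.get(account, Decimal("0")) - expected
        if excess != 0:
            findings.append((account, excess))
    return control_gap, findings

# Constructed sample data: unrounded amounts produced by the pay calculation.
COMPUTED = {
    "E001": Decimal("2150.4567"),
    "E002": Decimal("1980.1291"),
    "E003": Decimal("2475.9988"),
    "E004": Decimal("1830.3354"),
}

# Honest run: every account receives only its own rounded-down amount.
HONEST = {acct: round_down(amt) for acct, amt in COMPUTED.items()}

# Diverted run: the remainders of all accounts are credited to one account.
DIVERTED = dict(HONEST)
DIVERTED["E004"] += sum(COMPUTED[a] - HONEST[a] for a in COMPUTED)

if __name__ == "__main__":
    for label, run in (("honest", HONEST), ("diverted", DIVERTED)):
        gap, findings = audit(COMPUTED, run)
        print(f"{label}: control gap {gap}, findings {findings}")
```

In the diverted run the control gap is zero while the per-account comparison singles out E004; in the honest run the gap equals the discarded remainders and no account is flagged.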
CASE 16. THEFT OF COMPUTER TIME, LOS ANGELES
The manager of EDP and part of his staff were using the firm's computer to analyze racehorse handicaps, making several thousand dollars each week. Case disposition is not known.
CASE 17. INFORMATION THEFT, CALIFORNIA
A student copied 500 passwords from the system file by using a text editor program to gain access to a presumably protected file. The password file is now kept in scrambled form; sanctions were privately imposed on the student.
CASE 18. THEFT OF PATENTABLE PROCESSES
Two employees scheduled for layoff took program listings describing secret processes to be patented. One employee was fired, the other died of a heart attack.
CASE 19. PHONY WELFARE GRANTS, CALIFORNIA
In Los Angeles County, welfare grants are paid from vouchers based on punch cards. Someone put extra cards in the computer to produce authorized grants. No suspects were identified.
CASE 20. THEFT OF COMPUTER SERVICES, TEXAS
A high school student found a privileged password of the computer service's analyst on a listing in a wastebasket. He also obtained detailed specifications of the system, presumably by merely asking for them. He used large amounts of computer time, played computer games and obtained other customers' data. He was discovered when a computer operator noticed scratch tapes being read before being written. Restitution was made.
CASE 21. THEFT OF COMPUTER SERVICES, CALIFORNIA
High school students were allowed to use free computer terminal services on one project. The computer system employee involved subsequently left. The students continued to use the services, using new passwords they found. They used $3,000 worth of services before being caught. Now a "poaching bit" is set to alert operators to suspected account activity. Sanctions were imposed privately on the students.
CASE 22. BANK EMBEZZLEMENT, NEW YORK
A bank teller manipulated hundreds of accounts through his teller terminal into the computer system. The details of manipulation are omitted. He was caught when a raid on a bookie showed large bets placed by the suspect. He was prosecuted for embezzling $1.5 million by the Manhattan District Attorney's Office.
CASE 23. DIVIDENDS FRAUD
A clerk adjusted a computer program used to prepare dividends, thereby generating dividend checks to former shareholders, but addressed to an accomplice. The program then erased records of the check. The clerk was convicted for embezzling $33,000.
CASE 24. STOLEN PROGRAMS
A programmer in Texas stole $5 million worth of programs he was maintaining and tried to sell them to one of his employer's customers. He served five years in prison on charges of Grand Theft.
CASE 25. EQUITY FUNDING SCANDAL
Phony life insurance policies were created and integrated with records of actual policies, then the mixture was resold to firms who bought the policies with the idea of collecting further premiums.
Equity purportedly created 56,000 insurance policies amounting to some $2 billion out of a total 91,000 policies reportedly worth $6.5 billion. To prevent discovery, computer personnel had to perpetuate the deceit by manipulating records so as to show changes in the phony policies, such as a reasonable number of lapses, cancellations, and deaths. The computer program also had to be designed to conceal the fictitious business from auditors and state insurance examiners.
In further efforts to outwit auditors and examiners, the firm installed electronic surveillance equipment in various rooms so that conversations about verification plans could be overheard.
The conspiracy fell apart in March of 1973, after a former employee of Equity reported details of it to the New York State Insurance Department and to a Wall Street insurance analyst who, in turn, notified some of his commercial clients as well as New York Stock Exchange officials.
Federal indictments were brought against 22 people by a Federal Grand Jury on 105 criminal counts.
Information on computer fraud is difficult to gather because cases are often not classified as such. Further, there is hesitance in organizations, particularly those which thrive on the confidence of customers and stockholders, to disclose their vulnerability to computer fraud (Randall 1978, Wong 1977, p. 60, Parker 1976, Alderman 1977, Allen 1971).
Additional limitations on obtaining computer fraud information result from the lack of federal laws covering this type of crime (Parker 1979, Schultz 1979, Boockholdt and Horvitz 1978). Future legislation, in conjunction with continued probing by researchers, will hopefully improve the availability of information on computer fraud over the next few years.
Wagner (1979), finding that library research did not reveal any "rich" reference resource -- bibliography, reference book, textbook, documentary, or trade or professional publication -- for the citation of computer fraud cases, designed a survey to develop a network of information resources for such material. He thought the following resources would offer the greatest potential for computer fraud cases:
Selected accounting firms
Selected consultants, educators and researchers
Selected boards of public accountancy
State societies of Certified Public Accountants
Selected business and electronic data processing periodicals
Selected information centers and regulatory agencies
Selected business, commercial, industry, professional, and trade organizations/associations
Selected computer vendors
Selected insurance companies
State officials having supervision of insurance activities
Selection of survey recipients was made by Wagner on a judgmental basis since there was no way of determining the appropriate universe from which to draw a sample. Wagner received 132 replies of 371 survey recipients, for a 35 percent rate. Even though response
assigned to help unravel, after the fact, the Equity Funding "fraud maze." Two were consultants who headed up computer software firms. Another was Donn B. Parker of Stanford Research Institute. An EDP security consultant, who had actually been a former fraud perpetrator, indicated he would release such information only for a fee. Also among the firsthand (raw) data held by respondents were two apparently new computer fraud cases.
Several respondents were reluctant to release information which they had available. Only thirteen respondents indicated they would grant free and open access to any computer fraud materials. Although three insurance companies offering surety, fidelity, and professional liability insurance responded, none offered free access to relevant records.
Even more disturbing are the following statistics reprinted from Security World (Becker 1978) in a recent U.S. Department of Justice publication (1980): "--One percent of all computer crimes is detected--approximately 7 percent of the crimes that are detected are reported to the police--of those brought for prosecution, only 1 out of 33 results in a jail sentence--conclusion; 1 out of every 22,000 computer criminals is going to jail."
As a result of the numerous limitations on information available in the area of computer fraud, the extent of this type of crime is not really known. It has been estimated that only 15 percent of known crimes are recorded (Parker 1976). This is deduced by surveys of samples of the general public, counting the number of people who have been victims of crime. These statistics are then compared with police reports of crimes that are compiled by the FBI and published annually as the FBI Uniform Crime Report. Most of the crimes reported in this manner are of the more violent type, such as robberies, auto theft, and rape; far less is known about white-collar crime and even less is known about computer fraud.
H. Jeffrey Bayless, Chief Deputy District Attorney for Denver, estimates that only about 5 percent of computer crimes committed in the U.S. are ever reported because banks, insurance companies and other institutions would rather cover their losses than risk embarrassing publicity.
Although there is no way to accurately estimate the extent of computer fraud, most experts consider it an increasingly serious problem. In one study, Parker (1975) noted that "in 42 computer-related bank frauds and embezzlements in the period 1962 to 1975, the average loss per case is $430,000 (total $18 million, range $200 to $6.8 million)."
Leonard I. Krauss, who is a computer security consultant with Ernst & Ernst, estimates that half a billion dollars a year is stolen because of computer fraud.
Loss will probably exceed a billion dollars in the near future (Randall 1978).
The rapid expansion of minicomputers may give many more people an opportunity to perpetrate frauds. Timothy B. Braithwaite, a systems security manager at the Defense Computer Institute, agreed in his recent statement that "distributed processing, micro and minis, remote terminals and integrated file structures all place new complex security demands on ADP organizations that can barely secure traditional batch operation" (Randall 1978).
A problem which, according to August Bequai (1978), may be far more serious than the monetary losses is an antiquated and overbureaucratized legal apparatus for dealing with computer crime. He sees our very form of government as being at stake if we fail to adapt our legal system to the ever-growing computer technology. Detection is, of course, a necessary part of this adaptation.
Based on the research for this dissertation, it is evident that there is considerable concern regarding computer fraud. Several researchers have attempted to determine the extent of computer fraud and categorize it for analysis (for example: Parker 1975, Parker 1976, Krauss and MacGahan 1979, Allen 1977, Allen 1979, Comptroller General of the United States 1976, and Auerbach 1978/79). The most extensive and most often referenced database on computer fraud is Donn Parker's (Wagner 1979).
Numerous researchers, many utilizing existing raw data, have attempted to provide insight into prevention and detection of computer fraud (Auerbach 1978/79, Lobel 1976, Horne 1974, Wagner 1979, Krauss and MacGahan 1979, Allen 1979, Parker 1979, Hsiao, Kerr and Madnick 1979, Bequai 1978, Leibhotz and Wilson 1974).