Computer Fraud and Security

Merle P. Martin
College of Business
CSU Sacramento

7/11/02

Agenda
• Extent of Fraud
• Process of fraud
• Why fraud occurs
• Approaches and techniques used to commit computer fraud
• How to deter and detect computer fraud

E-Commerce Fraud
• Worldwide E-Commerce Fraud Prevention Network, 2000
• 50% of e-retailers: online fraud a significant problem
• 50% reported online losses of $1000 - $10,000 in 1st quarter
• 19% lost over $100,000

E-Commerce Fraud (cont.)
• Overall fraud rate is 7 cents per $100 in sales
• Rate thought to be 3 to 4 times higher for E-Commerce transactions
• Measures used to prevent fraud:
  – address verification – 70%
  – customer follow-up – 54%
  – after-the-fact fraud handling – 43%

E-Commerce Fraud (cont.)
• Gartner Group survey, 7/00
• On-line retailers suffer 12 times as many incidents of fraud as off-line retailers
• Especially common with product that can be downloaded

Internet Fraud
• Internet Fraud Complaint Center (IFCC) – federal agency
• 2001 Internet Fraud Report:
  – Top 10 complaint categories
  – Dollar loss
  – Perpetrator characteristics

Types of Internet Fraud
• Auction fraud – 42.8%
• Non-delivery – 20.3%
• Credit card fraud – 9.4%
• Business fraud – 1.4%
• Identity theft – 1.3%
• Check fraud – 0.6%

Average Dollars Lost
• Auction fraud – $395
• Non-delivery – $325
• Credit card – $450
• Business fraud – $160
• Identity theft – $3000
• Check fraud – $910

Perpetrators
• 76% individuals, as opposed to businesses
• 81% in 5 states
• Highest per capita states (per 100K):
  – Nevada 11.9
  – California 4th
• 81.3% male

Extent of Fraud
• “Fraud: The Unmanaged Risk”, Ernst & Young, 2000
• 739 responses (companies)
• Key findings
• What is computer fraud?
• What isn’t computer fraud?

Key Findings
• More than two thirds of respondents have suffered from fraud loss during last 12 months
• One in 10 suffered more than 50 frauds
• Worst frauds: only 29% of total value recovered to date

Who Does It?
• 82% by employees
  – one third of these by management
  – half had been in organization more than 5 years
  – one quarter had been in organization more than 10 years

Potential
• 80% concerned significant fraud could occur within organization
• Four out of 10 who were concerned had no explicit policy for fraud reporting

Resulting Actions
• Worst frauds:
  – 38% prosecuted
  – 28% dismissed
  – 2% no action
  – Other 32%?
• Rare headline: “Stockbroker jailed in fraud case.” (Australian Financial Review, 3/4/2000)

Computer Fraud
• Respondents asked to consider nine examples of computer related fraud
• High agreement on only four types:
  – manipulation of data records held on computer to disguise true nature of transaction (97%)

Computer Fraud (cont.)
  – hacking into organization’s computer system to steal or manipulate organizational information (97%)
  – manipulation of computer programs to disguise true nature of transaction (97%)
  – unauthorized transfer of funds electronically (96%)

Not Computer Fraud?
• Use of organizational hardware and software for personal use
  – only 26% considered as computer fraud
  – 86% believed this was happening
  – “organizations turning a blind eye to this use”

Not Computer Fraud? (cont.)
• Only 40% of respondents considered improper access to Internet as a fraud
• But two-thirds of high-tech firms considered it fraud
• No substantial costs to organization

Insider Fraud
• Joint 2002 study by FBI and Computer Security Institute
• Only 38% of respondents detected insider attacks during preceding 12 months
• Down from:
  – 71% in 2000
  – 49% in 2001

Insider Fraud (cont.)
• Reduction in insider threat, or not being caught as often?
• Insider threats have become more cunning and sophisticated
• “I don’t believe that many corporations know that the majority of attacks occur behind the firewall.”
  Mike Hager, VP Network Security, OppenheimerFunds

The Fraud Process
Most frauds involve three steps:
• The theft of something
• The conversion to cash
• The concealment

The Fraud Process (cont.)
• Common way to hide theft:
  – charge stolen item to an expense account
• Payroll example:
  – add a fictitious name to company’s payroll

The Fraud Process (cont.)
• Lapping
  – Perpetrator steals cash received from customer A to pay its accounts receivable
  – Funds received at a later date from customer B are used to pay off customer A’s balance, etc.
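As an added example (not part of the original deck), the following Python check shows how the lapping pattern just described surfaces when cash receipts are matched against the accounts-receivable ledger; the Receipt and Posting records, their field names, the 3-day lag tolerance and the sample entries are all assumptions made for the illustration.

```python
# Added example, not from the original deck: a lapping check over an
# accounts-receivable posting log. Lapping leaves a trail: a customer's balance
# is cleared with money that actually came from a different customer, and the
# true payer's receipt is posted late (if at all). Both patterns are flagged.
from collections import namedtuple
from datetime import date

# What the bank deposit / remittance advice shows for each incoming check.
Receipt = namedtuple("Receipt", "receipt_id received payer amount")
# What the AR subsidiary ledger recorded for that receipt.
Posting = namedtuple("Posting", "receipt_id posted credited_to amount")

def find_lapping_indicators(receipts, postings, max_lag_days=3):
    """Return (receipt_id, reason) pairs that warrant an auditor's follow-up."""
    posted_by_id = {p.receipt_id: p for p in postings}
    findings = []
    for r in receipts:
        p = posted_by_id.get(r.receipt_id)
        if p is None:
            findings.append((r.receipt_id, "cash received but never posted to AR"))
            continue
        if p.credited_to != r.payer:
            findings.append((r.receipt_id,
                             f"paid by {r.payer} but credited to {p.credited_to}"))
        lag = (p.posted - r.received).days
        if lag > max_lag_days:
            findings.append((r.receipt_id, f"posted {lag} days after receipt"))
        if abs(p.amount - r.amount) > 0.005:
            findings.append((r.receipt_id, "posted amount differs from amount received"))
    return findings

# Constructed sample: customer A's check is taken; customer B's later check is
# used to clear A's balance, exactly the sequence the slide describes. C is clean.
SAMPLE_RECEIPTS = [
    Receipt("R1", date(2002, 7, 1), "Customer A", 500.00),
    Receipt("R2", date(2002, 7, 8), "Customer B", 500.00),
    Receipt("R3", date(2002, 7, 9), "Customer C", 120.00),
]
SAMPLE_POSTINGS = [
    Posting("R2", date(2002, 7, 8), "Customer A", 500.00),   # B's money clears A
    Posting("R3", date(2002, 7, 9), "Customer C", 120.00),   # legitimate
]

if __name__ == "__main__":
    for rid, reason in find_lapping_indicators(SAMPLE_RECEIPTS, SAMPLE_POSTINGS):
        print(rid, "-", reason)
```

The same payer-versus-credited comparison is what an auditor performs by hand when tracing deposit-slip detail to the subsidiary ledger; running it over every receipt makes the control routine rather than occasional.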

The Fraud Process (cont.)
• Kiting
  – Perpetrator covers up theft by creating cash through transfer of money between banks
  – Perpetrator deposits check from bank A to bank B and then withdraws money

Kiting (cont.)
• Since insufficient funds in bank A to cover check, perpetrator deposits check from bank C to bank A before check to bank B clears
• Since bank C also has insufficient funds, money deposited to bank C before check to bank A clears
• Scheme continues to keep checks from bouncing

Why Fraud Occurs
• Common characteristics of fraud perpetrators:
  – Most spend their illegal income rather than invest or save it
  – Once they begin the fraud, very hard for them to stop
  – They usually begin to rely on the extra income

Why Fraud Occurs (cont.)
• Perpetrators of computer fraud tend to be younger and possess more computer knowledge, experience, and skills
• Some computer fraud perpetrators are more motivated by curiosity and the challenge of “beating the system”
• Others commit fraud to gain stature among others in the computer community

Why Fraud Occurs (cont.)
• Three conditions necessary for fraud to occur:
  – pressure or motive
  – opportunity
  – rationalization

Pressures
• Some financial pressures:
  – living beyond means
  – high personal debt
  – “inadequate” income
  – poor credit ratings
  – heavy financial losses
  – large gambling debts

Pressures (cont.)
• Some work-related pressures:
  – low salary
  – non-recognition of performance
  – job dissatisfaction
  – fear of losing job
  – overaggressive bonus plans

Pressures (cont.)
• Other pressures:
  – challenge
  – family/peer pressure
  – emotional instability
  – need for power or control
  – excessive pride or ambition

Opportunities
• Opportunity is a condition or situation that allows a person to commit and conceal a dishonest act
• Opportunities often stem from lack of internal controls
• Most prevalent opportunity for fraud results from company’s failure to enforce its system of internal controls

Rationalizations
• Most perpetrators have an excuse (rationalization) allowing them to justify their illegal behavior
• Some rationalizations:
  – just “borrowing” stolen assets
  – not hurting a real person, just a computer system

Fraud Tendencies
[Figure: pyramid of Top-Level Managers (top), Middle-Level Managers, and Operational-Level Managers (base), with a side label “Greatest Frequency of Fraud”]

Definitions
• Data Integrity: “. . . requirement that information and programs are changed only in a specified and authorized manner.”
  Computers at Risk, pg. 54, National Academy Press, 1991

Definitions (cont.)
• System Integrity: “. . . requirement that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.”
  National Computer Security Center, Pub. NCSC-TG-004-88

Definitions (cont.)
• Availability: “. . . requirement intended to assure that systems work promptly and service is not denied to authorized users.”
  Computers at Risk, pg. 54

Computer Fraud
• U.S. Department of Justice defines computer fraud as: “. . . any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution”

Computer Fraud Types
• Unauthorized use, access, modification, copying, and destruction of software or data
• Theft of money by altering computer records or theft of computer time
• Theft or destruction of computer hardware

Computer Fraud Types (cont.)
• Use or conspiracy to use computer resources to commit a felony
• Intent to illegally obtain information or tangible property through use of computers

Rise in Computer Fraud
• Organizations that track computer fraud estimate that 80% of U.S. businesses have been victimized by at least one incident of computer fraud
• However, no one knows for sure exactly how much companies lose to computer fraud
• Why?

Rise in Computer Fraud (cont.)
• Disagreement on what computer fraud is
• Many computer frauds go undetected, or unreported
• Most networks have low level of security
• Many Internet pages tell how to perpetrate computer crimes
• Law enforcement is unable to keep up with fraud

Malicious Code
• Virus: code segment that replicates itself by attaching copies to existing executables
• Trojan Horse: program that performs desired task, but also includes unexpected (undesired) functions
• Worm: self-replicating program that is self-contained – does not require host program
  NIST Special Publication 800-5

Computer Fraud and Abuse Techniques
• Textbook lists 26 abuse techniques
• Four of special interest to accountants

Fraud Techniques
• Round-down:
  – interest calculations to 2 decimal places
  – fractions posted to bogus account
  – books balance

Fraud Techniques (cont.)
• Salami:
  – tiny slices of money stolen over period of time
  – e.g., increase all production costs by fraction of percent
  – post to bogus account
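The following Python reconciliation is an added example (not from the original deck) that covers both the round-down and the salami slides: it recomputes an interest batch exactly and traces where the dropped fractions ended up. The bank’s rounding rule, the account numbers, the approved rounding account and the sample batch are all assumptions made for the illustration.

```python
# Added example, not from the original deck: reconciling an interest batch to
# catch a round-down / salami sweep. The bank's rule (assumed here) is simple
# interest rounded half-up to the cent. The check recomputes every credit with
# exact decimal arithmetic, then asks where the sub-cent fractions went: a
# legitimate run parks them in an approved rounding account, a scheme parks
# them in an account that has no business receiving them.
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

def exact_interest(principal, annual_rate, days):
    return Decimal(principal) * Decimal(annual_rate) * days / 365

def reconcile(batch, other_lines, approved_rounding):
    """batch: (customer, principal, rate, days, credited_cents) per customer.
    other_lines: (account, amount) journal lines of the same run that are not
    customer credits. Returns (under_credited, swept, suspects)."""
    exact_total = Decimal("0")
    credited_total = Decimal("0")
    under_credited = []
    for cust, principal, rate, days, credited in batch:
        exact = exact_interest(principal, rate, days)
        exact_total += exact
        credited_total += credited
        if credited < exact.quantize(CENT, rounding=ROUND_HALF_UP):
            under_credited.append(cust)          # got less than the rule allows
    swept = exact_total - credited_total         # sum of the dropped fractions
    # Any non-customer line carrying (about) the swept amount absorbed it; that
    # is only acceptable in the approved rounding account.
    suspects = [acct for acct, amt in other_lines
                if abs(amt - swept) < CENT and acct not in approved_rounding]
    return under_credited, swept.quantize(CENT), suspects

# Constructed sample: six accounts, 5% for 30 days, every credit truncated
# instead of rounded, and the fractions (just over 5 cents) posted to 9999.
SAMPLE_BATCH = [
    ("C1", "1000", "0.05", 30, Decimal("4.10")),
    ("C2", "2000", "0.05", 30, Decimal("8.21")),
    ("C3", "3000", "0.05", 30, Decimal("12.32")),
    ("C4", "4000", "0.05", 30, Decimal("16.43")),
    ("C5", "5000", "0.05", 30, Decimal("20.54")),
    ("C6", "6000", "0.05", 30, Decimal("24.65")),
]
SAMPLE_OTHER_LINES = [("6100-InterestExpense", Decimal("86.30")),
                      ("9999", Decimal("0.05"))]

if __name__ == "__main__":
    short, swept, suspects = reconcile(SAMPLE_BATCH, SAMPLE_OTHER_LINES, {"2990-Rounding"})
    print(f"{len(short)} under-credited, {swept} swept, suspect accounts: {suspects}")
```

On a real batch the per-line sliver is invisible to any single customer, which is the whole point of the scheme; the aggregate, and the account that received it, is what gives it away.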

Fraud Techniques (cont.)
• Trojan Horse:
  – unauthorized computer instructions in authorized program
  – performs illegal operation at a predetermined time or under a predetermined set of conditions
  – aka “time bomb”

Fraud Techniques (cont.)
• Data diddling: change data before, during, or after entering

Loss / Fraud Conditions
• Threat: potential adverse or unwanted event that can be injurious to AIS
• Exposure: potential maximum $ loss if event occurs
• Risk: likelihood that event will occur
• Expected Loss: Risk * Exposure

Decreasing Fraud
[Figure: stages Potential Fraud (Motivation) → Probable Fraud (Difficulty) → Actual Fraud → Detection (Detected / Undetected) → Prosecution, with the controls Control Culture, Internal Controls, and Internal Audits listed alongside the stages]

Undetected Fraud
[Figure: cost (L to H) plotted against Percent Fraud Detected (0 to 100), marking the point where Internal Control Costs = Expected Fraud Losses]
Similar to Auditor’s “Threshold Value”

Preventing / Deterring Fraud
• Make less likely to occur
• Increase difficulty
• Improve detection
• Reduce losses
• Prosecute / incarcerate perpetrators

Emphasis
• From the Aggie handbook: “An ounce of preventive is worth a pound of detective or corrective”
• “A good, advertised detective control can be a deterrent to crime.”

Deter and Detect
• Make fraud less likely to occur:
  – Proper hiring / firing
  – Manage disgruntled employees
  – Train employees in security and fraud prevention
  – Manage and track software licenses
  – Require signed confidentiality agreements

Deter and Detect (cont.)
• Increase difficulty of committing fraud:
  – Develop strong system of internal controls
  – Segregate duties
  – Require vacations and rotate duties
  – Restrict access to computer equipment and data files
  – Encrypt data and programs

Deter and Detect (cont.)
• Improve detection methods:
  – Protect telephone lines and system from viruses
  – Control sensitive data
  – Control laptop computers
  – Monitor hacker information

Deter and Detect (cont.)
• Reduce fraud losses:
  – Maintain adequate insurance
  – Store backup copies of programs and data files in secure, off-site location
  – Develop contingency plan for fraud occurrences
  – Use software to monitor system activity and recover from fraud

Deter and Detect (cont.)
• Prosecute and incarcerate fraud perpetrators:
  – Most fraud cases go unreported and are not prosecuted
  – Many cases of computer fraud are as yet undetected
  – Companies are reluctant to report computer crimes

Why No Prosecution?
• Law enforcement officials and courts so busy with violent crimes: little time for fraud cases
• Difficult, costly, and time consuming to investigate
• Many law enforcement officials, lawyers, and judges lack computer skills needed to prosecute computer crimes

Fraud Case Study
• Georgia Bureau of Investigation spent 18 months investigating an alleged corporate computer criminal
• Oct 01: charged him with 8 felony counts under Georgia computer crime law
• Each count could carry $50K fine and 15 years in prison

Fraud Case Study (cont.)
• Result?: Jan 02, plea bargain
  – $2100 in fines
  – one year probation
  – 80 hours community service
• Deterrent or incentive?
• Why a plea bargain?

Topics Covered
• Process of fraud
• Why fraud occurs
• Approaches and techniques used to commit computer fraud
• How to deter and detect computer fraud