GEN 110-10: Freshman Seminar: Computers and Society

Dr. R. M. Siegfried

Computer Crime

What is Computer Crime?

Generally, it is defined as a crime requiring the help of a computer.

The United States Department of Justice defines computer crime as "any illegal act for which knowledge of computer technology is essential for its penetration, investigation or prosecution." This includes:

Altering of data stored on or destined for a computer data base.
Destruction or manipulation of computer programs.
Illegal copying of computer software.
Theft of computer time for personal use.
Accessing of personal or confidential data for unauthorized purposes.
Theft of money by altering computer records.

The National Institute of Justice's report on "Dedicated Computer Crime Units" defines computer crime, as "any illegal act for which knowledge of computer technology is used to commit the offense."

According to Hugh Cornwall, most computer crime is ordinary crime that at one point involves a computer. Very few require a lot of technical expertise.

Examples of Computer Crime

Frans Noe transferred $8.4 Million and 6.7 Million from Lloyd's Bank in New York to Swiss Bank Corporation in Zurich via Electronic Funds Transfer. He was caught because the $6.7 Million transfer failed and bounced back to his Amsterdam Bank. He was sentenced to 18 months.
SRI International of California documented more than 3000 computer crimes in the past 20 years. Computer security breaches cost United Kingdom companies more than £530 Million per year.
Mafia and South American drug cartels used computers for record-keeping and money laundering respectively.
In 1992, Elaine Borg was charged with defrauding a City of London finance company out of £500,000.
ATM cards increased from 4000 in 1975 to 50,000 in 1985, with a tenfold increase in the value of their transactions. In 1987, the US Secret Service seized 7700 counterfeit ATM cards used to steal between $7,000,000 and $14,000,000.
In the UK, hundreds of customers have sued banks for ATM debits that they did not make. Banks lost £166,000,000 in 1991 from ATM fraud.
Phone card fraud cost between $1-5 billion per year. Access codes stolen and resold have come from the UN, New York City Council, NASA, IBM, and the CIA.
Computer crime also includes credit card fraud, EFT fraud, mobile phone fraud, even hacking into credit card reporting bureaus such as TRW.
Bogus chips have been used to steal cable TV services. Many have been disabled with an "electronic bullet" which disabled the bogus chips (but not the real ones), allowing them to catch the people using them.
Telemarketing scams have gotten either credit card numbers or checking account numbers, allowing the perpetrator to either use the credit card or to print bogus check and clean out the victim's account.
Desktop publishing has led to forgery of ID cards, passports, drivers' licenses, birth certificates, purchase orders, railroad tickets, letters of reference, checks and even currency.
New scams have come up as well: there have been cases of people hacking into American Airlines computer system to create account that can fraudulently accrue frequent flyer miles.
Computer crime should also include circumstances where companies and organization abuse customers and systematically overcharge using them. Continental Can used a program to reduce pension benefits for employees. Litton Industries rigged its computer systems to overcharge the US Government over $25,000,000 on hundreds of defense contracts.
An operations manager at Well Fargo Bank produced bogus deposits. Estimated losses: over $20 million.

J. Thomas McEwen classifies computer crime into five categories:

Internal computer crimes (e.g., viruses, logic bombs, etc.)
Telecommunications crimes (i.e., misuse and theft of telecommunications services)
Computer manipulation crimes (e.g., embezzlement, fraud)
Support of criminal enterprises (e.g., databases for criminal activities, illegal sale of client information)
Hardware/software thefts

Stacey Edgar adds cyberterrorism.

Extent of Computer Crime

It is very difficult to say the extent of computer crime:

ABA survey of 300 US companies showed losses ranging from $2,000,000 to $10,000,000.
Ernst and Whinney (a Cleveland accounting firm) estimated total losses at around $3 to 5 billion per year.
Survey by Hoffer and Straub showed one in 5 organizations suffered a loss due to computer crime.
British surveys shows that at least 2 in 3 computers crimes go undetected.
Other surveys shows that the annual losses in the UK can total £40 million and France $1.1 billion, with 40% due to fraud, hackers or disgruntled employees with the rest due to accidents and human error.
They largely go unreported because there is little benefit to the victim in the reporting. The targets are usually banks and other large financial institutions.
According to Ernst and Young's 1989 Computer Survey, 23% of 285 firms surveyed reported financial losses resulting from malicious acts. Almost 3/4 reported that security risks had increased over the past five years, an increasing of 21% over the previous survey.
The FBI estimates that 2% of all computer is detected, 7% of detected crimes are reported to the police and that 3% result in a jail sentence for the accused.

Crimes Against Computers

Usually involves damage to computer or computer data:

In Olympia, WA, in 1968, shots were fired at an IBM 1401 computer. Similar incidents took place in Johannesburg, South Africa (1972) and Charlotte, NC (1974).
In New York, an Irving Trust Company employee used a sharp instrument to destroyed data tapes containing GE account data. Similar incidents took place at Girl Scout headquarters and at a New York trucking firm, destroying $2 million in billings.
Volkswagen lost $259 million due to foreign exchange contract fraud in 1987, with the perpetrator pocketing the "float" (short-term interest on large amounts of money).
Dalton School (Manhattan) students used their classroom computers to break into a Canadian data communications network in 1980 and destroyed files of two customers.

Terrorist attacks on computer systems have happened, although the usual target is the data, not the machines. These have included:

The Committee for the Liquidation or Deterrence of Computers (CLODO) set computer centers on fire that belong to Philips Data Systems and CII-Honeywell-Bull.
Protestors against the Vietnam War bombed computer centers at the University of Wisconsin, NYU, and Fresno State University.
In 1976, three armed women set a computer on fire in a Rome university computer center.

Software theft and industrial espionage is "big business"; in the early 1980s, the FBI and IBM caught Hitachi in a "sting" " Hitachi was trying to steal designs of IBM's 308X computer.

Computers themselves are frequently stolen:

$70,000 worth of Gulf War computers were on sale in Ventura County, CA.
Notebook computers are a frequent and tempting target.

Crimes Using Computers

The computer is less often the target and more often a tool in committing crime. This can take many forms:

Embezzlement By Computer

Officers of Equity Funding created phony insurance policies. It was discovered in 1973 that over 64,000 of the company's 97,000 policies (allegedly worth $2.1 billion) were fictitious.
Stanley Mark Rifkin posed as a branch manager at a Los Angeles bank and wired $10.2 million to a New York bank and then to a Swiss bank. He eventually was convicted of wire fraud and served 3 years in prison; he was caught only because he had bragged about it.
A chief teller at Union Dime Bank (New York) embezzled $1.5 million by skimming money from new accounts. He was caught because he gambled frequently at an establishment that the police investigated and raised their suspicions.
One man replaced the bank's blank deposit slips with slips with his account number encoded in magnetic ink. The computer read the MICR encoding instead of the handwritten encoding.

Theft of Services

People have stolen telephone calling cards and credit card numbers, tapped into telephone lines, used computers to break into switching systems and PBXs (private branch exchanges). Large companies have lost hundreds of thousands of dollars from these calls.

Theft of Information

Sometimes the lost of information is more devastating than loss of material assets.

A former law enforcement officer used data from 3 different agencies to track down a former girlfriend and kill her.

Computer disks with telemetry data for the America's Cup race were stolen andheld for ransom; they were recovered without payment.

Fifteen auto salesmen in Newark were charged with using 450 fake credit records to steal millions of dollars.

Phony "credit doctors" used credit data taken from the Credit Bureau of Greater Houston to clients use other people's credit histories.

Fraud

Although fraud doesn't require a computer, a computer makes it much easier:

Three men working at a travel agency created fictitious "frequent flyer" accounts and credited them with miles belonging to clients who were not members of the frequent-flyer programs. They sold or gave away the airline tickets obtained from the frequent-flyer miles, defrauding American Airlines of $1.3 million.

Four college students bought $100,000 worth of merchandise using stolen credit card numbers.

A computer program called Credit Master was available online. Credit Master can create potentially valid credit card numbers.

A dairy and produce store removed $17.1 million in sales to avoid paying taxes on them.

Are stores cheating or merely careless when they have an inaccurate price stored in the computer associated with a UPC (Universal Product Code)?

Can elections be won fraudulently? Ask Al Gore! (Gore v. Bush, 2000)

Doctored Documents

Computers have made the doctoring of photographs and moving pictures relatively easy. Have does this affect their use as evidence? How does it our ability to rely on them as proof of what someone says?

Phishing and Identity Theft

Identity theft occurs when someone takes information about you and uses it to pass themselves as you. They can be done by filing false Change of Address Forms or through getting access to copies of your personal data (e.g., your wallet, you bank passbook, etc.). Their goal is to get their hands on available information about you.

Phishing is another methods to acquire information about potential victim. Phishing involves conning a potential; victim to reveal information about themselves under false pretense. This can involve an e-mail designed to make the user believe that it came from a reliable source (e.g., American Express, your local bank, PayPal). Most tell you that you need to confirm basic personal information such as account numbers, passwords, PINs, etc. Once they have this information, they withdraw funds from your account or charge purchases to your account.

Real businesses will never actively ask for this kind of information over the phone or by e-mail.

The Nigerian Bank Scam is a basic variation on phishing. There are many forms of the Nigerian Bank scam (e.g., Mr. John Doe died leaving his widow and children a large fortune that they need to have smuggled out of the country and they want to wire it to you; you are promised a commission for helping in this regard. All they need is your bank information¹.

Cyberstalking

Cyberstalking can be defined as threatening behavior or unwanted advances directed at another using the Internet and other forms of online and computer communications¹.

Cyberstalking is a relatively new phenomenon. With the decreasing expense and thereby increased availability of computers and online services, more individuals are purchasing computers and "logging onto" the Internet, making another form of communication vulnerable to abuse by stalkers.

Cyberstalkers target their victims through chat rooms, message boards, discussion forums, and e-mail. Cyberstalking takes many forms such as: threatening or obscene e-mail; spamming (in which a stalker sends a victim a multitude of junk e-mail); live chat harassment or flaming (online verbal abuse); leaving improper messages on message boards or in guest books; sending electronic viruses; sending unsolicited e-mail; tracing another person's computer and Internet activity, and electronic identity theft.

Similar to stalking off-line, online stalking can be a terrifying experience for victims, placing them at risk of psychological trauma, and possible physical harm. Many cyberstalking situations do evolve into off-line stalking, and a victim may experience abusive and excessive phone calls, vandalism, threatening or obscene mail, trespassing, and physical assault.

With personal information becoming readily available to an increasing number of people through the Internet and other advanced technology, state legislators are addressing the problem of stalkers who harass and threaten their victims over the World Wide Web. Stalking laws and other statutes criminalizing harassment behavior currently in effect in many states may already address this issue by making it a crime to communicate by any means with the intent to harass or alarm the victim.

States have begun to address the use of computer equipment for stalking purposes by including provisions prohibiting such activity in both harassment and anti-stalking legislation.

Organized Computer Crime

Organized computer crime takes several different forms:

Adults use computers to develop online relationships with children for purposes of sexual abuse.
Computers are used in connections with prostitution, pornography, fencing, money laundering, and loansharking.

Counterfeiting

Counterfeiting no longer requires great skill and special equipment; anyone with a scanner, a computer and a laser printer (or a high-quality copier) can do high-quality forgery. This forgery can include:

U. S. (and foreign) currency
Stock certificates
Tickets
Cashier's checks
Money orders, credit-card receipts
Credit cards
University degrees (and transcripts)
ATM cards

Many governmental agencies and privates businesses are taking measures to prevent their documents from being forged:

U. S. currency has the basic design of currency and is doing so again.
The U. S. Postal Services changed the design of their money order to incorporate special fibers that glow in ultraviolet light.
Mastercard and Visa placed holograms on their credit cards.
Newer check designs use complex patterns that are harder to reproduce by xerography.

Profile of a Typical Computer Criminal

The typical computer criminal is a young, talented employee working in a position of trust within the company. Most regard themselves as modern-day "Robin Hoods." The median age is 25. Most work alone unless it become crucial to gain the assistance of another.

Only 3% of computer breaches are by outsiders, according to R. J. Milford Associates. 13% are by dishonest employees, 6% by disgruntled employees and 65% are by mistake.

Types of computer criminal

Hacker - Attempts to trespass for achievement.
Prankster - Attempts to trespass to defy authority.
Amateur - Steal computer time for personal use.
Pro - Makes living from computer crime.
Spy - Commits computer crime to gain an advantage.
Terrorist - Commits computer crime to advocate extreme position.

¹ http://www.ncvc.org/ncvc/main.aspx?dbName=DocumentViewer&DocumentID=32458

[Back to the Notes Index]