Course: Z0257 – Accounting Information System And Internal Control (2/2)
Effective Period: September 2015
Computer Fraud
Session 5
Acknowledgement
These slides have been adapted from:
Romney, Marshall B. and Steinbart, Paul J. (2012). Accounting Information Systems. 12th edition. Pearson Education, London. ISBN: 9780273754374.
Chapter 5 and Chapter 6
Learning Objectives
Explain the threats faced by modern information systems.
Define fraud and describe the process one follows to perpetrate a fraud.
Discuss who perpetrates fraud and why it occurs, including the pressures, opportunities, and rationalizations that are present in most frauds.
Define computer fraud and discuss the different computer fraud classifications.
Explain how to prevent and detect computer fraud and abuse.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 5-3
Learning Objectives
Compare and contrast computer attack and abuse tactics.
Explain how social engineering techniques are used to gain physical or logical access to computer resources.
Describe the different types of malware used to harm computers.
Common Threats to AIS
Natural Disasters and Terrorist Threats
Software Errors and/or Equipment Malfunction
Unintentional Acts (Human Error)
Intentional Acts (Computer Crimes)
What Is Fraud?
Fraud is gaining an unfair advantage over another person. Its elements are:
1. A false statement, representation, or disclosure
2. A material fact that induces a person to act
3. An intent to deceive
4. A justifiable reliance on the fraudulent fact, on which a person takes action
5. An injury or loss suffered by the victim
Individuals who commit fraud are referred to as white-collar criminals.
Forms of Fraud
Misappropriation of assets: theft of a company’s assets. The largest factors in theft of assets are:
1. Absence of an internal control system
2. Failure to enforce the internal control system
Fraudulent financial reporting: “…intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements” (The Treadway Commission).
Reasons for Fraudulent Financial Statements
1. Deceive investors or creditors
2. Increase a company’s stock price
3. Meet cash flow needs
4. Hide company losses or other problems
Treadway Commission Actions to Reduce Fraud
1. Establish an environment that supports the integrity of the financial reporting process.
2. Identify the factors that lead to fraud.
3. Assess the risk of fraud within the company.
4. Design and implement internal controls to provide assurance that fraud is being prevented.
SAS #99
The auditor’s responsibility to detect fraud:
Understand fraud
Discuss the risks of material fraudulent statements among members of the audit team
Obtain information
Look for fraud risk factors
Identify, assess, and respond to risk
Evaluate the results of audit tests
Determine the impact of fraud on the financial statements
Document and communicate findings
See Chapter 3
Incorporate a technological focus
The Fraud Triangle
Pressure
Opportunity
Rationalization
Pressure
Motivation or incentive to commit fraud
Types:
1. Employee pressures: financial, emotional, lifestyle
2. Financial reporting pressures: industry conditions, management characteristics
Opportunity
Condition or situation that allows a person or organization to:
1. Commit the fraud
2. Conceal the fraud (for example, lapping or kiting)
3. Convert the theft or misrepresentation to personal gain
Rationalizations
Justification of illegal behavior
1. Justification: “I am not being dishonest.”
2. Attitude: “I don’t need to be honest.”
3. Lack of personal integrity: theft is valued higher than honesty or integrity.
Computer Fraud
Any illegal act in which knowledge of computer technology is necessary for its perpetration, investigation, or prosecution.
Rise of Computer Fraud
1. Definition is not agreed on
2. Many go undetected
3. High percentage is not reported
4. Lack of network security
5. Step-by-step guides are easily available
6. Law enforcement is overburdened
7. Difficulty calculating loss
Computer Fraud Classifications
Input fraud: altering or falsifying input
Processor fraud: unauthorized system use
Computer instructions fraud: modifying software, illegally copying software, using software in an unauthorized manner, or creating software to carry out unauthorized activities
Data fraud: illegally using, copying, browsing, searching, or harming company data
Output fraud: stealing, copying, or misusing computer printouts or displayed information
Computer Attacks and Abuse
Hacking: unauthorized access, modification, or use of a computer system or other electronic device
Social engineering: techniques, usually psychological tricks, to gain access to sensitive data or information; used to gain access to secure systems or locations
Malware: any software that can be used to do harm
Types of Computer Attacks
Botnet (robot network): a network of hijacked computers that carry out processes without their users’ knowledge. Zombie: a hijacked computer
Denial-of-service (DoS) attack: a constant stream of requests made to a Web server (usually via a botnet) that overwhelms and shuts down the service
Spoofing: making an electronic communication look as if it comes from a trusted official source to lure the recipient into providing information
Types of Spoofing
E-mail: the e-mail sender appears as if it comes from a different source
Caller-ID: an incorrect number is displayed
IP address: a forged IP address used to conceal the identity of the sender of data over the Internet or to impersonate another computer system
Address Resolution Protocol (ARP): allows a computer on a LAN to intercept traffic meant for any other computer on the LAN
SMS: an incorrect number or name appears, similar to caller-ID but for text messaging
Web page: phishing (see below)
DNS: intercepting a request for a Web service and sending the request to a false service
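ARP spoofing works because hosts on a LAN accept whatever ARP reply claims an IP address, so a defender can watch for an IP address that suddenly maps to a different hardware address. The script below is an added example written for these notes, not code from the slides or the textbook; the ARP records it processes are constructed (timestamp, IP, MAC) tuples standing in for what a monitoring tool such as arpwatch would capture.

```python
from collections import defaultdict

# Constructed ARP reply records: (seconds, ip_address, mac_address). Example data only.
ARP_REPLIES = [
    (0, "10.0.0.1", "AA:BB:CC:00:00:01"),   # gateway
    (1, "10.0.0.2", "aa:bb:cc:00:00:02"),
    (5, "10.0.0.1", "aa:bb:cc:00:00:01"),   # same gateway MAC, only case differs
    (9, "10.0.0.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by another MAC
    (12, "10.0.0.3", "aa:bb:cc:00:00:03"),
    (15, "10.0.0.1", "aa:bb:cc:00:00:01"),  # original MAC answers again (flip-flop)
]


def detect_arp_changes(replies):
    """Stream through ARP replies and emit an alert each time an IP address is
    claimed by a MAC different from the one last seen for it.
    Returns a list of (seconds, ip, previous_mac, new_mac)."""
    table = {}      # ip -> last MAC seen
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()            # normalise so case differences are not false alarms
        prev = table.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, ip, prev, mac))
        table[ip] = mac
    return alerts


def macs_per_ip(replies):
    """Summary view: which IPs were ever claimed by more than one MAC."""
    seen = defaultdict(set)
    for _, ip, mac in replies:
        seen[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    for alert in detect_arp_changes(ARP_REPLIES):
        print("ALERT t=%ds %s changed %s -> %s" % alert)
    print(macs_per_ip(ARP_REPLIES))
```

A flip-flop between two MACs for the same IP (as at 9 s and 15 s above) is the usual signature of an attacker answering ARP requests in competition with the real host; a single change can also be a legitimate NIC replacement, so the alert is a prompt for investigation rather than proof of an attack.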
Hacking Attacks
Cross-site scripting (XSS): unwanted code is sent via dynamic Web pages disguised as user input.
Buffer overflow: data is sent that exceeds the computer’s capacity, causing program instructions to be lost and replaced with attacker instructions.
SQL injection (insertion): malicious code is inserted in place of a query to a database system.
Man-in-the-middle: the hacker places themselves between client and host.
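The SQL injection entry above is easiest to understand by seeing what “inserted in place of a query” means in code. The following is an added example for these notes (not from the slides or the textbook): a login check written two ways against a constructed in-memory SQLite table. The first builds the query by string concatenation, so user input can change the structure of the query; the second binds the input as parameters, so the database treats it purely as data.

```python
import sqlite3


def build_db():
    """Constructed example table with two users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", 120.0), ("bob", "hunter2", 45.5)],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The SQL text is assembled from user input, so the input becomes part of the query
    # itself rather than a value compared by the query.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    # Placeholders fix the query structure first; the values are bound afterwards and
    # can never alter the WHERE clause.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Constructed input that is not a password: it closes the quoted string and appends
# an always-true condition, which is the textbook illustration of the technique.
INJECTED = "' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, "alice", "s3cret"))       # ['alice']
    print(login_vulnerable(db, "alice", INJECTED))       # ['alice', 'bob']: the query was rewritten
    print(login_parameterized(db, "alice", INJECTED))    # []: the input stayed data
```

Parameterized queries (prepared statements) are the control that removes this class of fraud at the source; input filtering alone is a weaker compensating control because it has to anticipate every way a value could be reinterpreted as SQL.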
Additional Hacking Attacks
Password cracking: penetrating system security to steal passwords
War dialing: a computer automatically dials phone numbers looking for modems.
Phreaking: attacks on phone systems to obtain free phone service.
Data diddling: making changes to data before, during, or after it is entered into a system.
Data leakage: unauthorized copying of company data.
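Data diddling after entry is hard to spot if the only record is the data itself, which is why accounting systems keep a tamper-evident trail. The script below is an added example for these notes (not from the slides or the textbook) of one such control: each journal entry receives an HMAC tag that also covers the previous entry’s tag, so altering, deleting, or inserting an entry breaks every tag from that point on. The key and the journal entries are constructed for the example; in practice the key would be held by a system the data-entry clerks cannot reach.

```python
import hashlib
import hmac
import json

# Constructed key, for the example only; a real key would never sit in source code.
CHAIN_KEY = b"example-only-key"

# Constructed journal entries (example data, not from the slides).
ENTRIES = [
    {"id": 1, "account": "1001", "amount": 250.00, "memo": "customer payment"},
    {"id": 2, "account": "2040", "amount": -75.25, "memo": "vendor invoice"},
    {"id": 3, "account": "1001", "amount": 12.00, "memo": "service fee"},
]

GENESIS = b"\x00" * 32   # tag assumed to precede the first entry


def _tag(prev_tag, entry, key):
    # Canonical JSON so that key order or whitespace cannot change the tag.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + payload, hashlib.sha256).digest()


def chain_entries(entries, key=CHAIN_KEY):
    """Return one hex tag per entry; each tag depends on all earlier entries."""
    prev = GENESIS
    tags = []
    for entry in entries:
        prev = _tag(prev, entry, key)
        tags.append(prev.hex())
    return tags


def verify_chain(entries, tags, key=CHAIN_KEY):
    """Return the index of the first entry whose tag does not match, or None if intact.
    A length mismatch (entry inserted or removed) is reported at the shorter length."""
    if len(entries) != len(tags):
        return min(len(entries), len(tags))
    prev = GENESIS
    for i, (entry, tag_hex) in enumerate(zip(entries, tags)):
        expected = _tag(prev, entry, key)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected          # continue from the recomputed tag, not the stored one
    return None


if __name__ == "__main__":
    tags = chain_entries(ENTRIES)
    print("intact:", verify_chain(ENTRIES, tags))            # None
    altered = [dict(e) for e in ENTRIES]
    altered[1]["amount"] = -750.25                           # after-entry data diddling
    print("first bad entry:", verify_chain(altered, tags))   # 1
```

The chain only proves that the data has not changed since it was tagged; changes made before or during entry (the other two cases on the slide) need input controls and segregation of duties rather than integrity tags.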
Hacking Embezzlement Schemes
Salami technique: taking small amounts from many different accounts.
Economic espionage: theft of information, trade secrets, and intellectual property.
Cyber-bullying: using the Internet, cell phones, or other communication technologies to support deliberate, repeated, and hostile behavior that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person.
Internet terrorism: the act of disrupting electronic commerce and harming computers and communications.
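Because each slice in a salami scheme is too small for any one account holder to notice, detection has to look at where the slices go rather than where they come from. The script below is an added example for these notes (not from the slides or the textbook): it scans a constructed transfer ledger and flags destination accounts that receive sub-threshold amounts from many distinct source accounts. Amounts are kept in integer cents so that totals are exact.

```python
from collections import defaultdict

# Constructed transfer ledger: (source_account, destination_account, amount_cents).
# Example data only; EMP-7730 stands for an internal account collecting rounding slices.
LEDGER = [
    ("CUST-1001", "EMP-7730", 1),
    ("CUST-1002", "EMP-7730", 2),
    ("CUST-1003", "EMP-7730", 1),
    ("CUST-1004", "EMP-7730", 3),
    ("CUST-1005", "EMP-7730", 2),
    ("CUST-1006", "EMP-7730", 1),
    ("CUST-1001", "VENDOR-55", 25000),   # ordinary payment
    ("CUST-1002", "VENDOR-55", 4),       # one small transfer: too few sources to flag
    ("CUST-1007", "CUST-1001", 3),
]


def find_salami_candidates(ledger, max_cents=5, min_sources=5):
    """Flag destination accounts receiving amounts of at most max_cents from at least
    min_sources distinct source accounts.
    Returns {destination: (distinct_sources, total_cents, transfer_count)}."""
    sources = defaultdict(set)
    totals = defaultdict(int)
    counts = defaultdict(int)
    for src, dst, cents in ledger:
        if 0 < cents <= max_cents:
            sources[dst].add(src)
            totals[dst] += cents
            counts[dst] += 1
    return {
        dst: (len(srcs), totals[dst], counts[dst])
        for dst, srcs in sources.items()
        if len(srcs) >= min_sources
    }


if __name__ == "__main__":
    for dst, (n_src, total, n) in find_salami_candidates(LEDGER).items():
        print(f"{dst}: {n} small transfers from {n_src} accounts, total {total / 100:.2f}")
```

The thresholds are the tunable part: too high a maximum amount catches legitimate fees, too low a source count produces noise. Pairing the report with a review of who can create or modify the rounding routine closes the control loop.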
Hacking for Fraud
Internet misinformation: using the Internet to spread false or misleading information
Internet auction fraud: using an Internet auction site to defraud another person
1. Unfairly drive up bidding
2. Seller delivers inferior merchandise or fails to deliver at all
3. Buyer fails to make payment
Internet pump-and-dump: using the Internet to pump up the price of a stock and then selling it
Social Engineering Techniques
Identity theft: assuming someone else’s identity
Pretexting: inventing a scenario that will lull someone into divulging sensitive information
Posing: using a fake business to acquire sensitive information
Phishing: posing as a legitimate company and asking for verification-type information: passwords, accounts, usernames
Pharming: redirecting Web site traffic to a spoofed Web site.
Typosquatting: typographical errors when entering a Web site name cause an invalid site to be accessed
Tabnapping: changing an already open browser tab
Scavenging: looking for sensitive information in items thrown away
Shoulder surfing: snooping over someone’s shoulder for sensitive information
More Social Engineering
Lebanese looping: capturing ATM PINs and card numbers
Skimming: double-swiping a credit card
Chipping: planting a device to read credit card information in a credit card reader
Eavesdropping: listening to private communications
Types of Malware
Spyware: secretly monitors and collects personal information about users and sends it to someone else
Adware: pops up banner ads on a monitor, collects information about the user’s Web-surfing and spending habits, and forwards it to the adware creator
Key logging: records computer activity, such as a user’s keystrokes, e-mails sent and received, Web sites visited, and chat session participation
Trojan horse: malicious computer instructions in an authorized and otherwise properly functioning program
Time bombs/logic bombs: idle until triggered by a specified date or time, by a change in the system, by a message sent to the system, or by an event that does not occur
More Malware
Trap door/back door: a way into a system that bypasses normal authorization and authentication controls
Packet sniffers: capture data from information packets as they travel over networks
Rootkit: used to hide the presence of trap doors, sniffers, and key loggers; conceal software that originates a denial-of-service or an e-mail spam attack; and access user names and log-in information
Superzapping: unauthorized use of special system programs to bypass regular system controls and perform illegal acts, all without leaving an audit trail
Thank You