Ioana Vasiu
Babeş-Bolyai University
fraud, and this is only natural when we consider the number of different kinds of conduct to which this word is applied [46].

The term "fraud" is defined in [17:124] as

An act using deceit such as intentional distortion of the truth or misrepresentation or concealment of a material fact to gain an unfair advantage over another in order to secure something of value or deprive another of a right. Fraud is grounds for setting aside a transaction at the option of the party prejudiced by it or for recovery of damages.

[8] argues that someone commits fraud if the following four elements are proved beyond a reasonable doubt:

- Actus reus: The perpetrator communicates false statements to the victim;
- Mens rea: The perpetrator communicates what she knows are false statements with the purpose of defrauding the victim;
- Attendant circumstances: The perpetrator's statements are false; and
- Harm: The victim is defrauded out of property or something of value.

Fraud is always intentional, intentional by appearance, or intentional by inference from the act. Intent should not be confused with motive, which is what prompts a person to act. Intent refers only to the state of mind with which the act is done. However, there is no scientific measurement or yardstick for gauging a person's intent. An inference has to be drawn from all available evidence as to what was in the defendant's mind at the material time (Justice Ackner in [19]).

The element of the intent to defraud connotes the intention to produce a consequence that is in some sense detrimental to a lawful right, interest, opportunity, or advantage of the person to be defrauded, and is an intention distinct from and additional to the intention to use the forbidden means (King CJ in [50]). If there is no evidence that the victim has been defrauded (i.e. deprived of something of value), then we cannot talk of computer fraud.

4.2. What is not computer fraud?

Computer fraud is sometimes confused with other computer offenses:

- Intentionally accessing a computer without authorization or exceeding authorized access, and thereby obtaining protected information—One such case is U.S. v. Czubinski (106 F.3d 1069 (1st Cir. 1997)): the court found that Czubinski had not obtained valuable information in furtherance of a fraudulent scheme;
- Causing damage to a protected computer—One such case is U.S. v. Brown [48]: the defendant knowingly caused the transmission of a program, information, code or command, and as a result of such conduct, intentionally caused damage, without authorization, to a protected computer; or
- Trafficking passwords—One such case is U.S. v. Patterson [48]: the defendant was charged with trafficking in passwords and similar information that would have permitted others to gain unauthorized access to an organization's computer network, when he posted and maintained at a Yahoo hacker group posting board the username and password combinations of certain legitimate users together with instructions on how to hack into the network of the organization using those passwords.

While these offenses can be perpetrated in connection with computer fraud, they should be regarded as distinct. In the next section, we explain what computer fraud is.

4.2. What is computer fraud?

For the purpose of this paper, we chose the U.S. Computer Fraud and Abuse Act criminalization of computer fraud (18 U.S.C. § 1030 (a)(4)) as the guiding definition:

Knowingly and with intent to defraud, accesses a protected computer without, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.

According to this definition, the legal elements of computer fraud consist of:

- Knowingly and with intent to defraud;
- Accessing a protected computer without authorization, or exceeding authorization;
- Thereby furthering a fraud and obtaining anything of value (other than minimal computer time).

Regarding the first element, the phrase means that the offender is conscious of the natural consequences of his action (i.e. that someone will be defrauded), and intends that [14]. The second and third elements should be discussed together, as they show that more than mere unauthorized access is required to qualify the offense as computer fraud—the 'thing obtained' is not merely the unauthorized use. Some additional end, to which the unauthorized access is a means, is required [14]. Merely
5.2. Methodology

Table 1. Taxonomy of computer fraud – perpetration platform

- WOA
  - Masquerade
    - Impersonation
      - Password attacks: Guess, Crack, Harvest
      - Password trafficking
      - Spoofing attacks
  - Software: Vulnerability exploitation
  - Personnel
  - Communications
  - Physical
- Exceeding authorization

5.4. Perpetration method

The perpetration methods are generally described as Input, Program, and Output [47]. The greatest concern is presented by the frauds that involve manipulation of data records or computer programs to disguise the true nature of transactions, cracking into an organization's computer system to manipulate business information, and unauthorized electronic transfers of funds [5].

Input fraud ("data diddling" or "number fudging") represents the major avenue through which computer frauds take place [47]. In these frauds, the offender dishonestly enters improper data or data improperly, or suppresses, appends, or otherwise changes stored data. It is the most common computer crime [47], and can be committed by anyone having access to normal data/processing functions at the input stage.

A contractor working for a Commonwealth agency was convicted of defrauding the Commonwealth of $1.4 million. The contractor, while performing his regular duties, was able to access and alter system data to change the status of rebate claims from 'paid' to 'unpaid' on the system, and transfer bogus rebate payments into his own account. The contractor was then able to delete the record of the illegal transaction and return the 'paid' status and dates to their original state [6].

Program fraud involves either the creation of a program with a view to defraud, or the alteration or amendment of a program to such ends. It is difficult to discover and is often not recognized [47]. It requires computer-specific knowledge and access to computer databases and/or software. One of the most notorious species of program fraud is the so-called salami fraud.

In an effort to cover up trading losses, the defendant engaged in a series of fictitious currency trades that were entered into the books and records of Allfirst Bank. The defendant's manipulation of the Bank's computerized system for tracking trading activities allowed him to earn performance bonuses of over $650,000 in addition to his salary when, in reality, his trades resulted in millions of dollars in losses [49].

Output fraud is concerned with dishonestly suppressing or amending data being output. It is often linked with input fraud (e.g. suppressing or changing balance reports to hide misappropriated funds). The goal of this type of scheme is to conceal bogus inputs or to prevent or postpone detection of such input fraud. Because computer output is normally accepted as being accurate and genuine, its authenticity is taken for granted.

For devising our taxonomy with respect to perpetration method, we adopt a different approach, and merge the Input and Output categories into a new one—Data, while maintaining the Program category. This approach allows us to best observe the mutual exclusiveness property. We subdivide the Data category into Insert, Improper obtaining or use (e.g. read, copy, print, or disseminate—this must be done in close connection with the intent to further a fraud—see the case below), Integrity attacks, and Availability attacks. The Insert class is further subdivided into Improper data and Data improperly. As the integrity and availability attacks are generally known, we did not consider it necessary to subdivide them.

In U.S. v. Turner, the defendants, while employed by Chase Financial Corporation, knowingly and with intent to further a scheme to defraud, accessed one or more Chase Manhattan Bank and Chase Financial Corporation computer systems without authorization or in excess of their authorized access on said computer systems, thereby obtaining credit card account numbers and other information, which they were not authorized to access in connection with their duties at Chase Financial. That information was distributed and transmitted to one or more individuals who, in turn, used that information to fraudulently obtain goods and services [49].

Moving to the Program category, we subdivided it into Run, Integrity attacks, and Availability attacks. We further subdivided Run into Without authorization, In excess of authorization, Improper parameters (we include here changing the system date), and Transit attacks [44] (arguably, these types of attacks can also be placed in the Data category). This classification overcomes the inclusion dilemma when the fraud consists, for example, of a combination of input and program attacks—such cases should be included in the Run/Improper parameters category. Table 2 presents our taxonomy of computer fraud with respect to perpetration method.
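The rebate-claims case quoted in this section (status flipped, bogus payment, record deleted, status restored) combines the Input fraud and Output concealment patterns the section describes. The following Python sketch is an added example, not the paper's own material, showing two defender-side controls that expose that sequence: an append-only, hash-chained audit log whose payment links are also recorded by the disbursing system, and a reconciliation of that log against the operator-editable tables. The ledger class, claim ids, amounts and account names are all constructed for the illustration.

```python
import hashlib
import json
GENESIS = "0" * 64

def link_hash(prev_link, event):
    # Each audit entry is hashed together with the previous entry's hash.
    payload = json.dumps(event, sort_keys=True).encode()
    return hashlib.sha256(prev_link.encode() + payload).hexdigest()

class ClaimsLedger:
    # Operator-editable status and payments tables plus an append-only audit log (constructed).
    def __init__(self):
        self.status, self.payments, self.audit = {}, [], []
    def _log(self, event):
        prev = self.audit[-1][0] if self.audit else GENESIS
        self.audit.append((link_hash(prev, event), event))
        return self.audit[-1][0]
    def set_status(self, claim, status):
        self.status[claim] = status
        self._log({"op": "status", "claim": claim, "status": status})
    def pay(self, claim, amount, account):
        # The returned link is also recorded by the disbursing (bank) system.
        self.payments.append((claim, amount, account))
        return self._log({"op": "pay", "claim": claim, "amount": amount, "account": account})

def verify_chain(audit, anchored_links):
    # Every link must recompute and every externally anchored link must still be present.
    prev = GENESIS
    for link, event in audit:
        if link_hash(prev, event) != link:
            return False
        prev = link
    return set(anchored_links) <= {link for link, _ in audit}

def reconcile(ledger):
    # Logged payments missing from the table, or one claim paid to several accounts.
    logged = [e for _, e in ledger.audit if e["op"] == "pay"]
    anomalies = ["payment rows missing from payments table"] if len(logged) != len(ledger.payments) else []
    accounts = {}
    for e in logged:
        accounts.setdefault(e["claim"], set()).add(e["account"])
    return anomalies + [f"claim {c} paid to {len(a)} accounts" for c, a in accounts.items() if len(a) > 1]

def simulate_rebate_fraud():
    # Constructed scenario modelled on the rebate-claims case (all values invented).
    ledger, bank_anchors = ClaimsLedger(), []
    bank_anchors.append(ledger.pay("R-1", 1200.0, "claimant-acct"))
    ledger.set_status("R-1", "paid")
    ledger.set_status("R-1", "unpaid")                              # insider flips status,
    bank_anchors.append(ledger.pay("R-1", 1200.0, "insider-acct"))  # pays himself,
    del ledger.payments[-1]                                         # deletes the payment row,
    ledger.set_status("R-1", "paid")                                # and restores the status.
    anomalies = reconcile(ledger)
    del ledger.audit[-3:]                # then tries to truncate the audit log as well
    return anomalies, verify_chain(ledger.audit, bank_anchors)
```

Without the externally anchored links, the truncated chain would still verify, since a hash chain only protects entries that have a successor; anchoring every disbursement outside the ledger is what makes the deletion visible.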
Table 2. Taxonomy of computer fraud - perpetration method

- Data
  - Insert
    - Improper data
    - Data improperly
  - Improper obtaining or use
  - Integrity attacks
  - Availability attacks
- Program
  - Run
    - Without authorization
    - In excess of authorization
    - Improper parameters
    - Transit attacks
      - Interruption attacks
      - Interception attacks
      - Modification
      - Fabrication
  - Integrity attacks
  - Availability attacks

6. Conclusions and future research

When opportunities abound, and there is a potential supply of motivated offenders who perceive the chances of detection and prosecution as being very low [16], the risk of computer fraud must be considered very high. The very stealth of computer fraud often avoids attention. However, as the consequences of high-grade attacks, such as financial fraud or theft of proprietary information, can be very high [12, 13] and far-reaching, they must not be overlooked in security planning [37]. As [1] remarks, no industry is left untouched by this fast-growing phenomenon. The technical aspects of electronic systems are designed to be fraud-proof; however, human nature is such that fraud is likely to be a perennial problem [27]. Further, as [1] argues, there is no such thing as small frauds—only large ones given insufficient time to grow (that is, detected).

Although the computer fraud risk cannot be eliminated, proactive steps can reduce it considerably. The risk of loss is higher with strategies of detection because the crime is ongoing or has just occurred, hence the ability to stop or recover the loss is limited. Therefore, proactive measures should prevail, be appropriate to the level of risk, and be reassessed regularly [6].

The contribution of this paper, written from a prevention perspective, is twofold. First, it clearly explained what computer fraud is and is not. Second, it proposed a taxonomy of computer fraud with respect to perpetration platform, and to perpetration method.

The taxonomy presented in this paper, devised from a prevention perspective, can be used in several ways. First, the taxonomy can be used as an awareness and education tool. Second, it can assist those charged with combating computer fraud to design and implement policies that address the risk. Third, the taxonomy can be used in connection with an encoding scheme to encode the incidents. Fourth, our taxonomy can be used to design reporting forms and accompanying databases. Last, the taxonomy can provoke future research.

This research can be continued in the following directions:

- A taxonomy with respect to types of computer frauds and consequences for organizations;
- The use of malware in perpetrating computer fraud; and
- Information security strategies for the prevention of computer fraud.

7. References

[1] Albrecht, W. S., Howe, K. R. and Romney, M. B. (1984) Deterring Fraud: The Internal Auditor's Perspective, The Institute of Internal Auditors Research Foundation, Altamonte Springs, Florida.
[2] Álvarez, G. and Petrović, S. (2003) 'A new taxonomy of Web attacks suitable for efficient encoding', Computers & Security, Vol. 22, No. 5, pp. 435-449.
[3] Anderson, J. P. (1980) Computer Security Threat Monitoring and Surveillance, Technical Report Contract 79F296400, April 1980.
[4] AusCERT (2003) Australian Computer Crime & Security Survey, Last accessed: 18 May, 2003, URL: http://www.auscert.org.au/render.html?it=2001&cid=1920.
[5] AusCERT (2002) Australian Computer Crime and Security Survey, Last accessed: 12 June, 2002, URL: http://www.auscert.org/Information/Auscert_info/new.html.
[6] Australian National Audit Office (2000) Australian Taxation Office Internal Fraud Control Arrangements, Report No. 16.
[7] Bologna, J. and Shaw, P. (1996) Corporate Crime Investigation, Butterworth-Heinemann.
[8] Brenner, S. W. (2001) 'Is There Such a Thing as "Virtual Crime"?', 4 Cal. Crim. Law Rev. 1.
[9] Cohen, F. (2002) 'Computer Fraud Scenarios: Robbing the Rich to Feed the Poor', Computer Fraud & Security, Vol. 2002, Iss. 1, December, pp. 5-6.
[10] Collier, P. A., Dixon, R. and Marston, C. L. (1990) The Prevention and Detection of Computer Fraud, The Chartered Institute of Management Accountants.
[11] Council of Europe (2001) Final Draft Convention on Cyber-crime, Last accessed: 1 August, 2002, URL: http://conventions.coe.int/Treaty/EN/projets/FinalCybercrime.htm.
[12] Dhillon, G. and Moores, S. (2001) 'Computer crimes: theorizing about the enemy within', Computers & Security, Vol. 20, No. 8, pp. 715-723.
[13] Dhillon, G. (1999) 'Managing and controlling computer misuse', Information Management & Computer Security, 7/4, pp. 171-175.
[14] Doyle, C. (2002) Computer Fraud and Abuse Laws: An Overview of Federal Criminal Laws, Novinka, New York.
[15] Ellingson, J. F. (1998) 'Devising an Information Based Strategy for Fighting Fraud', Journal of Internet Security, Vol. 1, No. 1, September.
[16] Etter, B. (2001) 'The forensic challenges of e-crime', 7th Indo-Pacific Congress on Legal Medicine and Forensic Sciences, Melbourne, Australia.
[17] Gilbert (1997) Law Dictionary, Harcourt Brace Legal and Professional Publications.
[18] Gillies, P. (1993) Criminal Law, Law Book Co., North Ryde, N.S.W., Australia.
[19] Goldstein, J., Dershowitz, A. M. and Swartz, R. D. (1974) Criminal Law: Theory and Process, The Free Press, New York.
[20] Graycar, A. and Smith, R. (2002) Identifying and Responding to Corporate Fraud in the 21st Century, speech to the Australian Institute of Management (20 March 2002).
[21] Greenspan, A. (2002) Monetary Policy Report to the Congress, July 16, 2002.
[22] Howard, J. D. and Longstaff, T. A. (1998) A Common Language for Computer Security Incidents, Sandia Report SAND98-8667.
[23] Howard, J. D. (1997) An Analysis of Security Incidents on the Internet, Ph.D. dissertation, Carnegie Mellon University, Pittsburgh, Pennsylvania.
[24] Jayaram, N. D. and Morse, P. L. R. (1997) 'Network Security - A Taxonomic View', European Conference on Security and Detection, School of Computer Science, University of Westminster, UK, 28-30 April 1997.
[25] Knight, E. (2000) Computer Vulnerabilities, www.securityparadigm.com, March 2000.
[26] Krauss, L. I. and MacGahan, A. (1979) Computer Fraud and Countermeasures, Prentice-Hall, New Jersey.
[27] Kreltszheim, D. (1999) 'Identifying the proceeds of electronic money fraud', Information Management & Computer Security, 7/5, pp. 223-231.
[28] Krsul, I. V. (1998) Software Vulnerability Analysis, Ph.D. dissertation, Purdue University, May 1998.
[29] Landwehr, C. E., Bull, A. R., McDermott, J. P. and Choi, W. S. (1994) 'A Taxonomy of Computer Program Security Flaws, with Examples', ACM Computing Surveys, 26, 3 (Sept.).
[30] Landwehr, C. E. (1981) 'Formal models for computer security', Computing Surveys, Vol. 13, No. 3, September.
[31] Lanham, D., Weinberg, M., Brown, K. E. and Ryan, G. W. (1987) Criminal Fraud, The Law Book Company Limited, Sydney.
[32] Lindqvist, U. and Jonsson, E. (1997) 'How to Systematically Classify Computer Security Intrusions', Proceedings of the 1997 IEEE Symposium on Security & Privacy, Oakland, California, USA, May 4-7, IEEE Computer Society Press, pp. 154-163.
[33] Lough, L. D. (2001) A Taxonomy of Computer Attacks with Applications to Wireless Networks, Ph.D. dissertation, Faculty of the Virginia Polytechnic Institute and State University, Blacksburg, Virginia.
[34] McPhee, W. S. (1974) 'Operating System Integrity in OS/VS2', IBM Systems Journal, 13(3), pp. 230-252.
[35] Neumann, P. G. (1995) Computer-Related Risks, ACM Press.
[36] Neumann, P. G. and Parker, D. B. (1989) 'A Summary of Computer Misuse Techniques', 12th National Computer Security Conference, pp. 396-407.
[37] Panko, R. R. (2002) Corporate Computer and Network Security, Prentice Hall.
[38] Parker, D. B. (1998) Fighting Computer Crime: A New Framework for Protecting Information, John Wiley and Sons, New York.
[39] Perry, T. S. and Wallich, P. (1984) 'Can Computer Crime Be Stopped?', IEEE Spectrum, 21(5), pp. 34-45, May 1984.
[40] Podgor, E. S. (1999) 'Criminal Fraud', American University Law Review, Vol. 48, No. 4.
[41] Schultz, E. E. (2002) 'A framework for understanding and predicting insider attacks', Computers & Security, Vol. 21, No. 6, pp. 526-531.
[42] Shover, N. and Wright, J. P. (2001) Crimes of Privilege: Readings in White-Collar Crime, Oxford University Press.
[43] Smedinghoff, T. J. (1996) Online Law: The SPA's Legal Guide to Doing Business on the Internet, Addison-Wesley Developers Press.
[44] Stallings, W. (1995) Network and Internetwork Security: Principles and Practice, Prentice Hall, Englewood Cliffs, NJ.
[45] Stevenson, G. (2000) 'Computer Fraud: Detection and Prevention', Computer Fraud & Security, Vol. 2000, No. 11, pp. 13-15.
[46] Stephen, J. F. (1883) A History of the Criminal Law of England, Vols. I-III, Macmillan and Co. (reprinted by William S. Hein & Co., Inc., Buffalo, New York).
[47] United Nations (1994) 'Manual on the prevention and control of computer-related crimes', International Review of Criminal Policy, Nos. 43 and 44.
[48] U.S. Department of Justice (2003) Computer Intrusion Cases, Last accessed: 21 May, 2003, URL: http://www.usdoj.gov/criminal/cybercrime/cccases.html.
[49] U.S. Department of Justice (2002) Last accessed: 21 May, 2003, URL: http://www.usdoj.gov/usao/md/press_releases/press02/john_m_rusnak_pleads_guilty.htm.
[50] Waller, L. and Williams, C. R. (2001) Criminal Law: Text and Cases, 9th Ed., Butterworths.