Chapter 11 Computer Crime, Fraud, Ethics and Privacy

Submitted by:
Group 4 Queennie CATALUA Mhelizza CORPUS Lhezel CUADRA Mary Joy DE LEON Erika DE TORRES John Ray DEL MUNDO Harold DELA FUENTE Erly Mae DESCALZO Angelo DULDULAO Lady ESPIRITU Jerome ESPINA

Case 1. Ashley Company (Diskless PC System and Security Threats) To address the need for tighter data controls and lower support costs, the Ashley Company has adopted a new dislikes Pc system. It is little more than a mutilated personal computer described as a gutless wonder. The basic concept behind thediskless PC is simple: LAN server-based file system of highpowered diskless workstation is spread throughout a company and connected with a central repository or mainframe. The network improves control by limiting user access to a company data previously stored on a desktop hard disks. Since, the user can destroy or delete only the information currently on the screen, an organizations financial data are protected from user-instigated catastrophes. The diskless, computer also saves money in user support costs by distributing application and upgrades automatically, and by offering online help. 1. What threats in the information processing and storage system do diskless PCs minimize? Diskless PCs minimize the threat of a virus entering the system from a floppy disk, the theft of company data or software by copying it on a floppy disk, the installation and use of unauthorized software, data being downloaded from the system, changed, and never re-entered into the centralized system because it is stored on the user's hard disk. Thus two versions of the data now exist and all other users who access the data from the main system use a different version than the one stored on the hard disk. 2. Do the security advantage of the new system outweigh potential limitations? Discuss. These security advantages have to be weighed against the risks of storing all information in one location (If the mainframe or the network goes down, no one can use their computers since there is no data to work with), and the lack of flexibility that arises from the inability to use the microcomputer to enter data, store it locally, and process it. (In essence, it takes away some of the advantages of end-user computing.) There is no way to know whether the security advantages outweigh the disadvantages, inasmuch as it will depend on the company and the specific circumstances.

Case 2. Mark Goodwin Resort (Valuable-Information Computer Offense) The Mark Goodwin Resort is an elegant summer resort located in a remote mountain setting. Guests visiting the resort can fish, hike, go horseback riding, swim in one of three hotel pools, or simply sit in one of the many lounge chairs located around the property and enjoy the spectacular scenery. There are also three dinning rooms, card rooms, nightly movies, and live weekend entertainment. The resort uses a computerized system to make room reservations and bill customers. Following standard policy for the industry, the resort also offers authorized travel agents a 10 percent commission on room bookings. Each week, the resort prints an exception report of bookings made by unrecognized travel agents. However, the managers usually pay the commission anyway, partly because they dont want to anger the travel agencies and partly because the computer file that maintains the list of authorized agents is not kept up to date. Although management has not discovered it, several employees now exploit these fact to their own advantage. As often as possible, they call the resort from outside phones, pose as travel agents, book rooms for friends and relatives, and collect the commissions. The incentive is obvious: room costing as little as $100 per day result in payments of $10 per day to the travel agencies that book them. The scam has been going on for years, and several guests now book their rooms exclusively through these employees, findings these people particularly courteous and helpful.

1. Would you say this a computer crime? Why or why not? Computer crime involves the manipulation of a computer or computer data, by whatever method, to dishonestly obtain money, property, or some other advantage of value, or cause a loss. Several employees now exploit these facts to their own advantage. As often as possible, they call the resort from outside phones, pose as travel agents, book rooms for friends and relatives, and collect the commissions. The employees gain an illegal financial advantage and causes measurable loss to the company. 2. What controls would you recommend that would enable the resorts managers to thwart such offenses? To prevent the crime, the computer security should begin with the top management and security policies. This would help to employee (a) compliance with security procedures (b) sensitivity to potential problems (c) awareness of why computer abuse is important. First, for compliance with security procedures, the manager should justify the correctness and accuracy of their exception report to detect exceptions to the bookings made by unrecognized travel agents. Also, they must update the computer file that maintains the list of authorized agents. Sensitivity to potential problems and awareness why computer abuse is important can be resolve through employee education. Informing employees of the significance of computer crime and abuse, the amount it costs, and the work disruption it creates help employees understand why computer offenses are a serious matter. Also, the management should allow employees to report any suspicious activity anonymously to the management. This would help to detect fraud and embezzlement. 3. How does the matter of accountability (tracing transactions to specific agencies) affect the problem? Accountability is one of the major factors that that cause the problem, by allowing exception to the rule (e.g paying commissions to the unrecognized agents) making the check and balance of the company become weak. Case 3. The Department of Taxation (Data Confidentiality) The Department of Taxation of one state is developing a new computer system for processing state income tax returns of individuals and corporations. The new system features direct data input and inquiry capabilities. Identification of taxpayers is provided by using the Social Security numbers of individuals and federal identification numbers for corporations. The new system should be fully implemented in time for the next tax season. The new system will serve three primary purposes: Data will be input into the system directly from tax returns through CRT terminals located at the central headquarters of the Department of Taxation. The returns will be processed using the main computer facilities at central headquarters. The processing includes (1) verifying mathematical accuracy; (2) auditing the reasonableness of deductions, tax due, and so forth, through the use of edit routines; these routine also include a comparison of the current years data with prior years data; (3) identifying returns that should be considered for audit by revenue agents of the department; and (4) issuing refund checks to taxpayers. Inquiry service will be provided to taxpayers on request through the assistance of Tax Department personnel at five regional offices. A total of 50 CRT terminals will be placed at the regional offices.

A taxpayer will be able to determine the status of his or her return or to get information from the last three years returns by calling or visiting one of the department s regional offices. The stat commi ssioner of taxation is concerned about data security during input and processing over and above protection against natural hazards such as fires or floods. This includes protection against the loss or damage or data during data. In addition, the tax commissioner and the state attorney general have discussed the general problem of data confidentiality that may arise from the nature and operation of the new system. Both individuals want to have all potential problems identified before the system is fully developed and implemented so that the proper controls can be incorporated into the new system. 1. Describe the potential confidentiality problems that could arise in each of the following three areas of processing and recommend the corrective action(s) to solve the problems: (a) data input, (b) processing returns, (c) data inquiry. a. Confidentiality problems which could arise in the processing of input data, and recommended corrective actions, are as follows:

Problem Unauthorized user of terminal.

Controls Limit physical access to terminal room used for data input and/or require data input personnel to wear color-coded badges for identification. Use different passwords for each operator and change them frequently. Prohibit program modification from input or inquiry terminals. Secure the documentation that indicates how to perform operations other than input of tax returns. User and terminal passwords that limit access to only that part of the system needed for input of current tax data. Secure the documentation that indicates how to perform operations other than input of tax returns.

On-line modification of program by operator to bypass controls.

Use of equipment for unauthorized processing or searching through files.

b. Confidentiality problems which could arise in the processing of returns, and recommended corrective actions, are as follows:

Problem Operator intervention to input data or to gain output from files.

Controls Limit operator access to only that part of the documentation needed for equipment operation. Prohibit operators from writing programs and designing the system. Daily review of console log messages and/or run times. Institute programming controls such that there is a definite sequence to creating or maintaining programs. This sequence should contain reviews at general levels and complete trial runs.

There might be attempts to screen individual returns on the basis of surname, sex, race, etc., rather than tax liability.

c.

Confidentiality problems which could arise in the inquiry of data, and recommended corrective actions, are as follows:

Problem Unauthorized user with a valid taxpayer ID using the system. Taxpayer or regional state employee use of equipment for unauthorized processing or searching through files.

Controls Use a sign-in/sign-out register for persons using the system. Require users to show some form of identification. Use a programmed sequence of questions which only valid users are likely to be able to answer. Prohibit phone responses. User and terminal passwords to limit terminals to output of tax information. Secure the documentation that indicates how to perform other than taxpayer inquiries. Have the terminals lock out for repeated errors or attempts to break security. Have a code system that logs each entry and data inquiry by user. Daily activity reporting to supervisors and/or auditors showing terminal numbers, user numbers, type of processing, name of files accessed, and unacceptable requests.

2. The State Tax Commission wants to incorporate controls to provide data security against the loss, damage, or improper input or use of data during data input and processing. Identify the potential problem (outside of natural hazards such as fire or floods) for which the Department of Taxation should develop controls, and recommend possible control procedures for each problem identified.

Potential problems and possible controls to provide data security against loss, damage, and improper input or use of data are as follows:

Problem Loss of tax return data before any file updates.

Controls Keep copies of tax returns in a safe location and (temporarily) organized in a fashion for reprocessing if necessary. Maintain a transaction log on magnetic tape for possible recall. Verify data entry or enter twice by different operators. Prohibit data entry through inquiry terminals. Process routine items at specified times thus preventing unauthorized runs of vital information. Computer prompting of terminal operators for appropriate input. Balancing of computer processing at each stage back to input and run control totals. Prohibit programming from input or inquiry terminals; log all such attempts on console log for immediate supervisory action. Periodic checks of all packages so that any illegal modifications can be detected.

Improper input or use of data during processing.

Incomplete processing of tax returns. Fraudulent program modifications entered from input or inquiry terminals.