978-0134474021 Chapter 6 Solutions Manual

subject Authors Marshall B. Romney, Paul J. Steinbart

CHAPTER 6
COMPUTER FRAUD AND ABUSE TECHNIQUES
SUGGESTED ANSWERS TO DISCUSSION QUESTIONS
6.1 When U.S. Leasing (USL) computers began acting sluggishly, computer operators
were relieved when a software troubleshooter from IBM called. When he offered to
correct the problem they were having, he was given a log-on ID and password. The
next morning, the computers were worse. A call to IBM confirmed USL’s suspicion:
Someone had impersonated an IBM repairman to gain unauthorized access to the
system and destroy the database. USL was also concerned that the intruder had
devised a program that would let him get back into the system even after all the
passwords were changed.
What techniques might the impostor have employed to breach USL’s internal
security?
The perpetrator may have been an external hacker or he may have been an employee with
knowledge of the system.
It seems likely that the perpetrator was responsible for the sluggishness, as he called soon
after it started. To cause the sluggishness, the perpetrator may have:
To break into the system, the perpetrator may have:
Used pretexting, which is creating and using an invented scenario (the pretext) to
Used masquerading or impersonation, which is pretending to be an authorized user to
©2018 Pearson Education, Inc.
Ch. 6: Computer Fraud and Abuse Techniques
What could USL do to avoid these types of incidents in the future?
Determine how the perpetrator caused the sluggishness and implement the controls
needed to prevent it from happening again.
Other control considerations that could reduce the incidence of unauthorized access
include:
6.2 What motives do people have for hacking? Why has hacking become so popular in
recent years? Do you regard it as a crime? Explain your position.
Hacking is the unauthorized access, modification, or use of an electronic device or some
element of a computer system. Hacking represents illegal trespassing and is punishable as a
federal crime under the 1986 Computer Fraud and Abuse Act.
Some hackers are motivated by the challenge of breaking and entering a system and many
Accounting Information Systems
6.3 The UCLA computer lab was filled to capacity when the system slowed and crashed,
disrupting the lives of students who could no longer log into the system or access data
to prepare for finals. IT initially suspected a cable break or an operating system
failure, but diagnostics revealed nothing. After several frustrating hours, a staff
member ran a virus detection program and uncovered a virus on the lab’s main
server. The virus was eventually traced to the computers of unsuspecting UCLA
students. Later that evening, the system was brought back online after infected files
were replaced with backup copies.
What conditions made the UCLA system a potential breeding ground for the virus?
Many computers, providing numerous potential hosts.
What symptoms indicated that a virus was present?
Destroyed or altered data and programs.
The inability to boot the system or to access data on a hard drive.
SUGGESTED ANSWERS TO THE PROBLEMS
6.1 A few years ago, news began circulating about a computer virus named Michelangelo
that was set to “ignite” on March 6, the birthday of the famous Italian artist. The
virus attached itself to the computer’s operating system boot sector. On the magical
date, the virus would release itself, destroying all of the computer’s data. When March
6 arrived, the virus did minimal damage. Preventive techniques limited the damage to
isolated personal and business computers. Though the excitement surrounding the
virus was largely illusory, Michelangelo helped the computer-using public realize its
systems’ vulnerability to outside attack.
a. What is a computer virus? Cite at least three reasons why no system is
completely safe from a computer virus.
A computer virus is a segment of executable code that attaches itself to an application
program or some other executable component. When the hidden program is triggered,
it makes unauthorized alterations in the way a system operates.
There are a number of reasons why no one is completely safe from a virus:
Viruses are contagious and are easily spread from one system to another. A virus
Viruses can spread very quickly. In a network environment, a virus can spread to
Many viruses lie dormant for extended periods without doing any specific damage
Many computer viruses have long lives because they can create copies of
b. Why do viruses represent a serious threat to information systems? What damage
can a virus do to a computer system?
Viruses are a significant threat to information systems because they make
c. How does a virus resemble a Trojan horse?
A virus is like a Trojan horse in that it can lie dormant for extended periods,
undetected until triggered by an event or condition.
d. What steps can be taken to prevent the spread of a computer virus?
Focus 6-1 lists the following steps individuals can take to keep their computers virus
free:
Install reputable and reliable antivirus software that scans for, identifies, and
destroys viruses. Only use one antivirus program, as multiple programs conflict
with each other.
Do not fall for ads touting free anti-virus software, as much of it is fake and
Do not fall for pop-up notices that warn of horrible threats and offer a free scan of
Make sure that the latest versions of the antivirus programs are used. National
Scan all incoming e-mail for viruses at the server level as well as when it hits
users’ desktops.
Do not download anything from an email that uses noticeably bad English, such
All software should be certified as virus-free before loading it into the system. Be
6.2 The controller of a small business received the following e-mail with an
authentic-looking e-mail address and logo:
From: Big Bank [antifraud@bigbank.com]
To: Justin Lewis, Controller, Small Business USA
Subject: Official Notice for all users of Big Bank!
Due to the increased incidence of fraud and identity theft, we are asking all bank
customers to verify their account information on the following Web page:
www.antifraudbigbank.com
Please confirm your account information as soon as possible. Failure to confirm
your account information will require us to suspend your account until confirmation
is made.
A week later, the following e-mail was delivered to the controller:
From: Big Bank [antifraud@bigbank.com]
To: Justin Lewis, Controller, Small Business USA
Subject: Official Notice for all users of Big Bank!
Dear Client of Big Bank,
Technical services at Big Bank is currently updating our software. Therefore, we
kindly ask that you access the website shown below to confirm your data. Otherwise,
your access to the system may be blocked.
web.da-us.bigbank.com/signin/scripts/login2/user_setup.jsp
We are grateful for your cooperation.
a. What should Justin do about these e-mails?
This is an attempt to acquire confidential information so that it can be used for illicit
purposes such as identity theft. Since the email looks authentic and appears
authoritative, unsuspecting and naïve employees are likely to follow the email's
instructions.
Justin should:
Notify all employees and management that the email is fraudulent and that no
b. What should Big Bank do about these e-mails?
Immediately alert all customers about the email and ask them to forward any
Establish a quick and convenient method that encourages customers and
The warnings received by customers and employees should be investigated and
Notify and cooperate with law enforcement agencies so the perpetrator can be
Notify the ISP from which the email originated, demanding that the perpetrator’s
c. Identify the computer fraud and abuse technique illustrated.
This computer fraud and abuse technique is called phishing. Its purpose is to get the
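An added example (not from the textbook or its solutions manual): a Python check that a mail gateway or analyst could run over the links in e-mails like the two in problem 6.2. It assumes bigbank.com is the bank's real domain, as the From line displays; the href values in the sample are constructed, since the page shows only the visible link text.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: link text is from the e-mails above; the hrefs are invented.
SAMPLE = (
    '<a href="http://www.antifraudbigbank.com/">www.antifraudbigbank.com</a>'
    '<a href="http://login.example.net/user_setup.jsp">'
    'web.da-us.bigbank.com/signin/scripts/login2/user_setup.jsp</a>'
)

def host_of(url):
    """Hostname of a URL; bare 'www.site.com/path' text is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def under_domain(host, domain):
    # The leading dot matters: 'antifraudbigbank.com' ends with 'bigbank.com'
    # as a string but is a different registered domain.
    return host == domain or host.endswith("." + domain)

def classify_host(host, trusted_domain):
    if under_domain(host, trusted_domain):
        return "same-domain"
    brand = trusted_domain.split(".")[0]  # 'bigbank'
    return "lookalike" if brand in host else "unrelated"

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html_body, trusted_domain):
    parser = LinkCollector()
    parser.feed(html_body)
    kind = lambda h: classify_host(h, trusted_domain)
    return [{"shown": kind(host_of(t)), "actual": kind(host_of(h)),
             "mismatch": host_of(t) != host_of(h)} for h, t in parser.links]
```

The first link is flagged as a lookalike domain on its face; the second passes a check of the visible text alone and is caught only because the displayed host and the link's actual destination differ.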
6.3 A purchasing department received the following e-mail.
Dear Accounts Payable Clerk,
You can purchase everything you need online—including peace of mind—when you
shop using Random Account Numbers (RAN). RAN is a free service for Big Credit Card
customers that substitutes a random credit card number in place of your normal credit
card number when you make online purchases and payments. This random number
provides you with additional security. Before every online purchase, simply get a new
number from RAN to use at each new vendor. Sign up for an account at
www.bigcreditcard.com. Also, take advantage of the following features:
Automatic Form automatically completes a vendor’s order form with the RAN, its
expiration date, and your shipping and billing addresses.
Set the spending limit and expiration date for each new RAN.
Use RAN once or use it for recurring payments for up to one year.
Explain which computer fraud and abuse techniques could be prevented using a
random account number that links to your corporate credit card.
Banks actually offer a service like this. For example, Citi Bank offers a program called
Virtual Account Numbers.
Using RAN can help prevent identity fraud. Since the card is only linked to the actual
customer at the bank, the identity of the customer is shielded from anyone who steals the card
Also, RAN can frustrate those who capture card numbers through packet sniffing, spyware,
and eavesdropping. These techniques may capture the card number, but once the thieves
have it, their ability to exploit the card for monetary gain is severely restricted.
PERHAPS MORE IMPORTANT: even though banks offer these types of services, this
6.4 Match the internet related computer fraud and abuse technique in the left column
with the scenario in the right column. Terms may be used once, more than once, or
not at all.
2. Botnet o. A network of hijacked computers.
4. Click fraud u. Inflating advertising revenue by clicking online ads numerous times.
6. E-mail threats c. Sending an e-mail instructing the recipient to do something or they
will suffer adverse consequences.
17. Typosquatting f. Creating Web sites with names similar to real Web sites so users
making errors while entering a Web site name are sent to a hacker’s site.
6.5 Match the data communications-related computer fraud and abuse technique in the
left column with the scenario in the right column. Terms may be used once, more
than once, or not at all.
1. Bluebugging i. Making phone calls and sending text messages using another user’s
2. Bluesnarfing k. Capturing data from devices that use Bluetooth technology.
10. War driving c. Searching for unprotected wireless networks in a vehicle.
6.6 Match the data related computer fraud and abuse technique in the left column with
the scenario in the right column. Terms may be used once, more than once, or not at
all.
1. Chipping e. Inserting a chip that captures financial data in a legitimate credit card
reader.
7. Scavenging b. Searching through garbage for confidential data.
