COMMENT ON THE VARIOUS CRIMES ASSOCIATED WITH I.T. HAS THE WHOLESALE ADOPTION OF I.T. IN THE WORKPLACE CREATED NEW
OPPORTUNITIES FOR CRIMINALS.
This
essay will discuss firstly, the crimes associated with IT, then how the
workplace has evolved as an area
whereby crime can pay huge rewards.
Whilst most crime is committed for monetary gain, sometimes personal
fame (or infamy) is the end result. Revenge can also create financial havoc
within a company as Martin (1995) shows: -
“A Company programmer might put onto the system a program
which periodically checks to see if his name is present on the electronic
payroll. If his name is not
present then the program would destroy
critical company data. That way, if the
employee were dismissed, the companies computer system would be destroyed in
revenge for the dismissal”
The
introduction of viruses onto the Internet, again in the mistaken belief that it
demonstrates the programmers skills can also cause untold havoc to office
systems. Because there is no monetary gain it is not seen by the
Judiciary as a loss (felonious act).
‘Worms’ and ‘Trojan Horses’ etc are other forms of interference with
normality, and can crash many company systems.
These ‘Whiz Kids’ are not, however
seen as criminals by the general public. We and the general media find
computer crime ‘sexy’ and even
romantic. (Its us against them etc.).
Forester (1994) says “That we tend to see these computer criminals as
‘usually bright, eager, highly motivated, courageous, adventuresome, and
intelligent (just the people computer
firms like to hire)”. Other authors such as Large (1994) look at it,
differently and say “That these crimes are mostly opportunistic exploitation of
an inherent weakness in the system being used at the time, and if they did not
exist, then most computer crimes would be more difficult” Rowe (1985) says that
70% of computer crime is not reported. Other authors such as Forester (1994)
and Martin (1995) do not agree and say that nowadays computer crime is always
reported and prosecutions sought for the offence.
If we ask why commuter crime has
grown, we must look at how electronic cash flows are possible without the use
of paper signatures of approval, as was the case before. Banks and financial institutions
electronically transfer promissory notes worth billions almost daily, but such
is the security that it is doubtful if this process could be hijacked in its
entirety. Rather than attempt to steal
the whole cake, which would bring the entire world knocking at their door,
nearly all computer criminals look at ways of stealing without attention from
others. The old concept of ‘skimming’ a
little of the cream off the milk each day is often the method used by computer
criminals these days.
One of the best-documented methods
of theft, is the ‘Salami’ technique.
Employers, to reduce computer time in calculating salaries round down
the halfpenny, or even all-odd pence.
An astute finance employee can create a program that can search out
these odd pence, collect them together and transfer them to a secret account.
Such tiny amounts (slices) are really never missed or bothered about. Usually
it is only the employee’s ostentatious life-style that betrays him to his
employers. Another common theft is to
quietly remove goods from a company’s central database, and then sell for
personal gain. Collinbridge (1988) says that “Because most items (i.e. stock
etc.) are stored in a general database, often of huge dimension, no-one really takes responsibility, or
even knows what should be there.”
Collinbridge points to the maintenance
manager employed at Crewe by British Rail who was able to remove entire, fully
working locomotives and rolling stock off the database and sell them to private
railway holdings. Nobody missed them,
as would have happened in the old days when managers came up in the ranks, knew
their loco stock, and would have driven most of the locomotives in their
region, (he was given away by a jealous ‘friend’).
Nick Leeson (Futures Trader, Barings Bank.) was able to hide
huge losses of many millions of pounds in his ‘Futures Trading’ operation in
Singapore using secret ‘dead’ accounts in his computer system for a
considerable time. Whilst the fault was
his in losing the money, the bank did not trust their own computers and
transferred more and more money to him.
There are simply thousands of stories of computer fraud involving
varying amounts from a few thousand to many millions. Forester (1990) however
says “Most averages are quite low”. He lists some of the gains made by
different groups of employees. Managers
average £35,000p.a. whilst clerks/cashiers average only £7,000p.a. Another interesting fact is that both groups
stole over many years making their monthly thefts very small, Managers = £1800 per
month over 19 years, and others = £600 per month over 11 years). Figures from
1985 Audit Commission Survey. Forester
goes on to note “That these people are considered, as staff of long duration
and therefore would be considered to be the most trustworthy employees of that
company”.
Following
computer fraud/crime by managers is that of computer staff. It is surprising that they come second at
all when you consider their privileged access to the innermost sections of
vital code. Even if they cannot get
into a program to alter it for direct gain, they are often aware of ‘trapdoors’
left in functioning software allegedly to allow development staff to access
crashed software inside servers.
Herbert Stoll (1990) in his biographical book ‘Cuckoo’s Egg’ describes
how he found that foreign hackers where using the natural ‘trapdoors’ in
Berkeley Universities Unix system in order to obtain ‘Privilege Users Status’
to connect out to military facilities.
Is this a criminal offence in the sense of monetary gain, (apart from
free telephone access) or just hacker/foreign agent penetration, (which is a
normal daily event)? However leaving aside the dramatic, many programmers do
leave trapdoors in their software and if others find these then computer fraud
is made that much easier.
The use of
electronic trading in shares and options allows astute ‘traders’ to commit
share-purchase fraud, by purchasing an odd number of shares on behalf of a
customer, bleed off the ‘odd’ share of a financial transaction to another share
folio. The use of ‘Sticky-Software’
automatically collects these ‘trades’ together, moves them into another folio,
which is traded immediately, cashed and the cash deposited into a numbered
account abroad. The whole event taking
only a microsecond from beginning to end. From this it is possible to realise,
that electronic fraud can be beneficial in the skilled hands. As the route is
not only long but also deliberately tortuous, detection is almost impossible at
least in the short term. This is a modern derivative of the ‘Salami’ fraud
technique. Whilst these stories often
make headlines, many computer literate workers in even small workplaces, can
find ways to steal small but regular sums of money.
One of these smaller methods is called
‘Over-spillage’ (which can occur with self contained computerised tills,
usually found in smaller petrol stations).
At the end of each days trading the staff start to sell masses of goods
off the shelves within the petrol station to such an extent that the top loaded
ram storage starts dropping its sales through the bottom. This ‘spillage’
continues, thus clearing out the till of any records of the day’s
transactions. The staff then re-enter
all the legitimate trades less say a £100, which is divided amongst them daily.
Large (1994) gives this as an example of small but persistent fraud. The above demonstrates that most computer
frauds are again perpetrated in a small way over a long period of time, to
lessen detection. Therefore computer
fraud is not a once only occurrence, but a carefully planned long term
deliberate computer fraud against an employer for monetary gain.
Whilst these
headline grabbing frauds make good news fodder, It is probable that minor crime
is still the biggest problem to the office.
How many of us are not guilty of borrowing a friend’s password, dialling
into his/her local branch office PBX, out through their server onto a leased
line to a central hub and then out onto the ‘World Wide Web’. We do this in order to pay only local phone
rates. The use of ‘Call-back’ systems has largely removed this, plus the
availability of free ISP’s such as ‘Freeserve,
X-Stream, and many others these days has removed the incentive. Small time phone theft is however still an
issue using these methods for long distance calls, (not 0800 numbers, because
trawler software can now highlight these numbers and alert management). Even accredited university students use
their computer rooms for all sorts of nefarious reasons unrelated to their
studies. Small time theft such as this
has become accepted by many of us as ‘perks of the job’ and in some cases
almost a ‘God given right’ (like photocopying knitting patterns and recipes
etc.).
The reasons why
we steal from our employers have given employment to many company specialists.
The excuses given by people caught using computers for fraud are various.
Forester (1990) has collected the following: -
1)
They feel they can get away with it and not be caught.
2)
They think stealing a little from a big company won’t hurt it.
3)
They feel ‘beating the company’ is a challenge, and not a matter of financial
gain.
4)
They feel frustrated or dissatisfied about some aspect of their job.
5)
They feel dissatisfied with their personal life and somehow blame the company
for it.
6)
Most employees are caught by accident rather than good audit trails. Therefore,
fear of being caught is not a deterrent to theft”
With the entire
‘downsizing’ and overwork of the remaining workforce, the frustration and
therefore company revenge syndrome must remain a general problem for the
foreseeable future. Many IT managers are flooding their company staff with
cheap computers, and ‘buggy’ software packages in order to reduce computer
overheads. Up and coming younger, and
much more computer literate staff are now entering the work place. These people are not phased by modern
technology and often spend any spare time exploiting any weaknesses in their
systems. The fact that many ‘package’
computers come with a floppy drive, is simply begging some computer literate to
load ‘trawler-software’ to seek out
hidden passwords to allow them access to higher platforms of authority. Access
to restricted ‘lease-lines’ allows them to probably access remote servers. From here the temptation to ‘crash’ systems
or make some financial gain becomes almost irresistible.
We all steal
paperclips and rubber bands from the workplace. Computer generated theft is really only a few steps above this in
skill. But we, who steal the paperclips, are no less thieves in our own way.
(We probably have smaller minds). To
many of us, the misuse of computers in the office is only a ‘big-boys’ version
of fiddling the ‘stamp-mailing’ book or using the office franking machines for
our own mail. A good IT manager however
can reduce the incidence of general small-time crime in his office with the
regular use of ‘audit trail’ software, and ‘keystroke recorders’ on sensitive
machines. The use of dumb terminals rather than fully functional computers will
reduce direct machine access through fitted disk drives. Forester (1990) says “That
IT managers should use the expertise of others, such as company auditors, to
assess the probable weaknesses in their financial systems. This would enable
‘audit trails’ to be installed”. Password protection from ring-in sites should
be changed to ‘ring-back’ systems even though this does raise internal
costs. The use of silly passwords (such
as ‘hotlips’, ‘stud’, or ‘sexy______’) by the younger staff should be
discouraged as it is so easy to use sequential or algorithmically generated
youth slang words to bypass such systems.
The use of centralised offices separated only by waist-level screens
quickly allows password leakage. However, whatever protection is set up, there
will always be someone who will try to beat the system, and one can be sure
that in some office somewhere, someone is doing it at this moment in time. There is a lot to be said of using paper
ledgers, although this would be seen as ‘Luddite’.
To conclude,
one must be aware that workplace theft went on before computers. With computers, the job is made much
quicker, easier to cover up and probably a lot more financially rewarding. Some younger office workers might add that
to be caught committing a computer fraud within your office raises you in the
esteem of your peer group, and gives you ’street-cred’. Will office crime ever stop? I doubt it, because of the very nature of
man to make a quick buck for himself/herself and to get one up on the system.
REFERENCES.
Collinbridge,D.(1980) Social Control of Technology. (Open Univ.
Milton Keynes.)
Large,P. (1984) Micro Revolution Re-visited. (Frances Pinter
Press, New Jersey.)
Martin, W. (1995) The Global Information Society. (Aslib-Gower
Press, Aldershot,)
McKenzie,D.(1985) Social Shaping of Technology. (Open Univ.
Milton Keynes.)
Rowe,C. (1992) People and Chips. (Blackwell Pubs. London.)
Wrench, W. (1996) Disconnecetd (Rutgers Univ. Press, New Jersey.)
Forester,T. (1989)
The Information Technology Revolution,(Blackwell,London)
Forester,T. (1990)
Computers in the Human Context. (Blackwell, London)
BIBLIOGRAPHY.
Boyle,C . People,
Science, and Technology. (Wheatsheaf Books, New Jersey. 1984)
Collinbridge,D. Social Control of Technology. (Open Univ.
Milton Keynes.1980)
Forester,T. The Information Technology Revolution,(Blackwell,London.
1989)
Forester,T. Computers in the Human Context.
(Blackwell, London. 1990)
Hoppen,T. Generations. (Clarendon Press, Oxford. 1998)
Kiesler,S. Culture of the
Internet. (Eribaum Assoc. New Jersey 1996)
Large,P. Micro Revolution Re-visited. (Frances Pinter
Press, New Jersey. 1984)
Martin,W. The Global Information Society. (Aslib-Gower
Press, Aldershot, 1995)
McKenzie,D. Social Shaping of Technology. (Open Univ.
Milton Keynes. 1985)
Mowshowitz,A Conquest of Will. (Addison-Wesley Press.
London. 1976)
Reader,A. Information Technology & Society. (Sage
Publishing. London 1995)
Rowe,C. People and Chips.
(Blackwell Pubs. London 1992)
Stole,H. Cuckoo’s Egg.
(Pan Books, London. 1990)
Wrench, W. Disconnecetd (Rutgers Univ. Press, New Jersey. 1996)
Wurman,R Information Anxiety. (Pan Books, London.
1991)