Last Updated Jan.7/99
Computer crimes can be classified into four broad categories: sabotage, theft of services, property crimes, and financial crimes. This section examines each of these categories and gives examples drawn from actual crimes.
SABOTAGE: Sabotage of computers results in destruction or damage of computer hardware. This type of computer crime often resembles traditional sabotage because the computer itself is not used to carry out the destruction. Sabotage may require some sophistication if computer-assisted security systems must be thwarted or if the system is manipulated to do harm to itself.
Computers are targets of sabotage and vandalism especially during times of political activism. Dissident political groups during the 1960s, for instance, conducted assaults on computer installations, often causing extensive damage. Other forms of physical violence have included flooding the computer room, shooting a computer with a revolver, and waving an electromagnet through the data storage area.
Obviously, these acts of violence do not require any special expertise on the part of the criminal. Sabotage may, however, be conducted by dissatisfied former employees who put to use some of their knowledge of company operations to gain access to and destroy hardware and software.
Another form of sabotage that has been used on microcomputers is a troublesome program that not only disrupts computer service, but also can destroy the contents of a hard-disk or a floppy disk. Such a program is a virus, so called because it can infect computer systems by replicating itself and attaching itself to other programs. Viruses can infect other systems from floppy disks or through networks. Once a virus is in a system and has replicated itself a predetermined number of times, it may attempt to erase or change the data on the hard disk or diskette. This can be extremely damaging to the unsuspecting user. Although viruses are very difficult to guard against, there are programs that can detect and counteract them. Floppy disks can be protected by engaging the write protect feature found on either type of disk.
One of the most publicized acts of computer sabotage occurred on November 2, 1988, when a virus traveled through Internet, an unclassified network used by government, business, and university researchers to exchange data and findings. Within hours, this particular virus (actually a self-contained program called a worm) had infected approximately 6,000 military, corporate, and university computers. In January of 1990, Robert Tappan Morris, Jr., a Cornell University graduate student, was convicted of unleashing the worm.
THEFT OF SERVICES: Computer services may be abused in a variety of ways. Some examples of theft of computer services have involved politicians using a city's computer to conduct campaign mailings and employees conducting unauthorized freelance services on a company computer after working hours.
Time-sharing systems have been exposed to abuse due to inadequate or nonexistent security precautions. It is much easier to gain unauthorized access to a time-sharing system than to a closed system. Though most systems require the user to have a password to gain access, a system is only as good as the common sense and caution of its users. A time-sharing system that does not require regular changing of access codes is inviting the theft of valuable computer time. The amazing lack of care exercised by supposedly sophisticated users made national headlines when a group of high school computer buffs in Milwaukee were discovered accessing numerous information systems, including banks, hospitals, and the defense research center in Los Alamos, New Mexico. The students reportedly gained access by using each system's password. Some of the passwords had not been changed for years, while others were obtained from public sources.
Wiretapping is another technique used to gain unauthorized access to a time-sharing system. By tapping into a legitimate user's line, one can have free access to the system whenever the line is not being used by the authorized party.
One of the prime examples of computer services theft took place at the University of Alberta. In 1976, a student at the university began an independent study under the supervision of a professor. The purpose of the study was to investigate the security of the university's computer system, a time-sharing system with more than 5,000 users, some as far away as England. After discovering several gaps in the system's security, the student was able to develop a program that reduced the possibility of unauthorized use and tampering. The student brought this program to the attention of the computer center, which took no action on the student's recommendations. It was assumed that planned changes in the system would remove security shortcomings. However, the changes were not implemented for another nine months. During that period, the program, which was capable of displaying passwords, was leaked to several students on campus. "Code Green," as the program was nicknamed, was eventually run several thousand times.
The university attempted to crack down on the unauthorized users and revoked several students' access privileges. Two of the students involved could get the computer to display the complete listing of all user passwords, including those at the highest privilege levels. In essence, this gave them unlimited access to the computer's files and programs. These students retaliated against the university administration by occasionally rendering the system inoperable or periodically inserting an obscenity into the payroll file. With an unlimited supply of IDs, they were able to escape detection, compiling a library of the computer's programs and monitoring the implementation of the new security system. The desperate university computer personnel focused exclusively on this situation, keeping a detailed log of all terminal dialogues. This effort led them to a terminal in the geology department one evening, and the students were apprehended.
THEFT OF PROPERTY: The most obvious computer crime that comes to mind concerning crimes of property is the theft of computer equipment itself. Thefts have become more common with the increasing miniaturization of computer components and the advent of home computers. These crimes are easily absorbed into traditional concepts of crime and present no unique legal problems. More intriguing is the issue of what actually constitutes property in the context of computer crimes. Different courts have come to very different conclusions on this issue.
Computer crimes of property theft frequently involve merchandise from a company whose orders are processed by computers. These crimes are usually committed by internal personnel who have a thorough knowledge of the operation. By record manipulation, dummy accounts can be created, directing a product order to be shipped to an accomplice outside the organization. Similarly, one can cause checks to be paid out for receipt of nonexistent merchandise.
Theft of property need not be limited to actual merchandise but may also extend to software. People with access to a system's program library can easily obtain copies for personal use or, more frequently, for resale to a competitor. Technical security measures in a computer installation are of little use when dishonest personnel take advantage of their positions of responsibility.
This kind of theft is by no means limited to those within the company structure, however. A computer service having specialized programs but poor security may open itself up to unauthorized access by a competitor. All that is necessary is that the outsider gain access to proper codes. This is accomplished in a number of ways, including clandestine observation of a legitimate user logging on from a remote terminal or use of a remote minicomputer to test for possible access codes.
FINANCIAL CRIMES: Although not the most common type, financial computer crimes are perhaps the most serious in terms of monetary loss. With the projected increasing dependence on electronic fund transfers, implications for the future are serious.
A common method of committing this kind of crime involves checks. Mass-produced, negotiable instruments can be manipulated in a number of ways. An employee familiar with a firm's operations can direct the computer to make out multiple checks to the same person. Checks can also be rerouted to a false address. These crimes do not seem so incredible when one realizes the scope of unintentional mistakes that have been made with computerized checks. For example, the Social Security Administration once accidentally sent out 100,000 checks to the wrong addresses while the system's files were being consolidated.
Another form of a financial computer crime is known as the "round-off fraud." In this crime, the thief, perhaps a bank employee, collects the fractions of cents in customers' accounts that are created when the applicable interest rates are applied. These fractions are then stored in an account created by the thief. The theory is that fractions of cents collected from thousands of accounts on a regular basis will yield a substantial amount of money.
Still another crime involves juggling confidential information, both personal and corporate, within a computer. Once appropriate access is gained to records, the ability to alter them can be highly marketable. One group operating in California engaged in the business of creating favorable credit histories to clients seeking loans.
These cases exemplify the types of electronic crime being committed: manipulating input to the computer; changing computer programs; and stealing data, computer time, and computer programs. The possibilities for computer crime seem endless. It has been suggested that computers are used extensively by organized crime and that a computer-aided murder may already have taken place.
The unique threat of computer crime is that criminals often use computers to conceal not only their own identities but also the existence of the crimes. Law officers worry because solving computer crimes seems to depend on luck. Many such crimes are never discovered because company executives do not know enough about computers to detect them. Others go unreported to avoid scaring customers and stockholders. Many reported crimes do not result in convictions and jail terms because the complexities of data processing mystify most police officials, prosecutors, judges, and jurors. For a summary of the types of computer crimes, see the table below.
Last Updated Jan.7/99