Employee computer crime on the rise. (industry insider) David L. Ahl.
Employee Computer Crime on the Rise
Most computer crimes are not committed by hackers but by trusted employees--programmers, managers, clerks, and consultants--who turn against their employers, using company computers for extortion, theft, and sabotage. Consider these recent cases.
Allen Green, a clerk at Girard Bank in Philadelphia, was to scan computer printouts for signs of suspicious automatic teller machine transactions. His department also received automatic teller machine cards that the Post Office couldn't deliver. According to police, Green made a fake deposit in the account of a man whose card was returned. He then raised the withdrawal limit, made an actual withdrawal of $4500, and later returned the withdrawal limit to its usual $200 ceiling. He repeated these maneuvers 13-times before an audit program-- in a sense a backup to his own job-- finally nabbed him.
In Washington, Stanley Slyngstad was a programmer who developed software through which the state authorized payments to injured loggers. Mr. Slyngstad lost an arm in a childhood accident and, according to his supervisor, was all the more trusted because of his own handicap. However, he used his program to authorize $17,000 of payments to himself and two friends, and then erased all record of the fraud. The daughter of one of his friends tipped police to the scheme, and Slyngstad was arrested.
Sabotage by disgruntled employees is becoming increasingly popular. For example, Dennis Williams and Michael Lampert, unhappy with the management at Collins Foods, are accused by police of placing "logic bombs' in the company's two computers. They were set to activate in the future and destroy the operating systems. The company was tipped off by a worker who overheard Williams discussing the scheme. Fortunately, both bombs were deactivated before causing any damage.
Last February an employee of Micro Porcelain Dental Laboratories tampered with the company computer so it couldn't be started without his help. But that would cost the company $573 in vacation pay he claimed he was owed. Police filmed the transaction and, with that as evidence, arrested the employee.
Most computer crimes are not reported because companies feel that customers may interpret such events as managerial shortcomings. Chance, informers, and errors on the part of the culprit, not security controls, are the clues that reveal most crimes. Experts say that for security systems to be effective, there should be two overlapping systems (as there were at the Girard Bank) and no single employee should have the details of both systems.
The omnibus federal 1984 crime bill took some tentative first steps toward combatting computer crime. However, it defined only a few limited categories of computer crime mainly related to breaking into files containing classified data or credit records of individuals.
On the other hand, some of the newly passed state laws go much further. South Dakota, for example, added a provision in 1984 that punishes the use or disclosure of passwords, as well as unauthorized access. Kentucky makes it a felony to fraudulently access a system to obtain money, or alter, damage, or attempt to alter information. Hawaii defines any unauthorized computer use as afelony, whereas Idaho distinguishes between altering information (a felony) and access only (a misdemeanor).
In all, 36 states have enacted laws on computer crime, but the 14 states without such laws include two of the three largest. The states without computer crime laws are Alabama, Arkansas, Indiana, Kansas, Maine, Mississippi, Nebraska, New Hampshire, New Jersey, New York, Oregon, Texas, Vermont, and West Virginia.
A complete list of the statutes is available in Compilation of State and Federal Privacy Laws 1984-85 for $22 from Privacy Journal, P.O. Box 15300, Washington, DC20003.