Computer Crime Typology

Experts consider that computer crimes today represent a more serious danger for our country than 5 years ago.

According to official statistics of the Economic Crime Unit of the Ministry of Internal Affairs of Ukraine, 7 crimes were detected in 4 months of 2001, 25 in 2002, and 51 in 6 months of 2003. It should be noted that the qualification of detected criminal acts in the sphere of computer and Internet technologies, apart from acts covered by the Articles of Section 26 of the Criminal Code of Ukraine, is based on Articles covering theft, causing of damage, illegal actions with payment orders and other means of access to bank accounts, illegal actions concerning information with restricted access, etc. In the first six months of 2003, 24 criminal cases covering 37 crimes committed with the use of Internet technologies were processed. Several groups of crimes widespread in Ukraine can be defined.

The first group covers offences involving identifiers (logins and passwords, PIN codes), committed both by outsiders and by employees of communication and Internet service companies (“insiders”). The second group covers offences involving restricted-access information, committed using remote access technologies. The third group covers crimes involving computer accounts that are accessed remotely by network technologies, for example illegal use of “client-bank” systems against enterprises (institutions), or for efficient control of electronic money funds of a criminal character.

Official statistics on cybercrime must be treated critically in view of the high latency of this kind of crime. In global practice, unfortunately, only 12% of cybercrimes become known to the public and law enforcement. For example, what bank is interested in a situation where everyone knows that its payment system has been hacked? The very next day all clients will close their accounts at this bank.

Distribution of computer viruses, plastic card fraud, theft of funds from bank accounts, theft of computer information and violations of the operating rules of automated computer systems are not all the kinds of computer crime. That is why the problem of counteraction is emerging both for Ukraine and for many other countries of the world. The main feature of such criminality, as an integral part of criminality in general, is that every year brings new aggravating tendencies and it is acquiring a transnational (borderless) character.

Recently Ukrainian hackers attacked the computer payment system of The Royal Bank of Scotland Group (Great Britain). As a result the payment system (WorldPay) was put out of action. The Royal Bank of Scotland is now taking measures to restore its computer system for retail payments. Through this system the bank served 27,000 clients via WorldPay and accepted payments by Visa, Mastercard, Diners and Eurocard in more than 27 countries all over the world. Maxim Kovalchuk, a 25-year-old resident of Ternopol, Ukraine, who was arrested in Bangkok, was nominated as the October 2003 “Best hacker”. Experts assert that he is one of the most dangerous hackers in the world and that he has caused damage of 100 million USD to leading computer companies of the USA.

Despite the efforts of many countries aimed at fighting cybercrime, the number of such crimes is not decreasing; on the contrary, it is constantly increasing. Ukraine is also involved in this negative process. That is why research into computer crime typology and analysis of modus operandi (the method of committing a crime) for such crimes are topical for crime prevention.

The European Union Convention on Cybercrime defines four types of “pure” computer crimes. These are offences against the confidentiality, integrity and availability of computer data and systems [2]:

  • Illegal access, Article 2 (the access to the whole or any part of a computer system without right);

  • Illegal interception, Article 3 (intentional interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system);

  • Data interference, Article 4 (the damaging, deletion, deterioration, alteration or suppression of computer data without right);

  • System interference, Article 5 (the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data).

The others are computer-related or computer-facilitated crimes:

  • crimes in which the computer is a means (e-thefts, frauds, forgeries, etc.);

  • content-related crimes in which the computer is the intellectual means (i.e. placing of child pornography, information inciting national, racial or religious hostility, etc.) [3].

Modus operandi is a system of actions of the criminal (and/or related persons), united by a single intention and directed at preparing, committing and covering up a crime, determined by objective or subjective factors and connected with the use of corresponding facilities and means [4].

Today there is no clear classification of modus operandi for illegal interference in the functioning of computers, systems and networks [5]. In our opinion they can be divided into 3 main groups:

The first group: ways of direct access.

It covers damaging, deletion, deterioration, alteration, suppression or copying of computer data, and also serious hindering without right of the functioning of a computer, system or network, by inputting the corresponding commands from the computer where the information is stored. Direct access may be made both by persons working with the data (whose work relates to it) and by persons who intentionally penetrate restricted areas or premises where information is processed.

It should be noted that today these methods are the least widespread because information processing has become decentralized. In other words, it is easier to intercept computer information during its transfer via telecommunication channels or computer networks than by directly penetrating the premises.

Sometimes, in order to seize information left behind by a user, the offender searches programmers' workplaces for drafts. For this purpose the criminal may also examine and/or restore erased software.

The second group includes methods of indirect (remote) access to information. Access without right to a particular computer or to information is gained via computer networks from another computer located at some distance. The methods of indirect (remote) access are:

  1. Connecting to the telecommunication cables of an authorized user (e.g. a phone line) and obtaining access to his system.

  2. Penetrating other information systems by automated trial of subscribers' phone numbers with subsequent connection to their computers (numbers are tried until the criminal receives an answer from a modem at the other end of the phone line).

It should be noted that an attempt at unauthorized access can be detected easily. That is why such a hack is carried out from several workplaces: at a specified time several (more than 10) PCs attempt unauthorized access. System security may stop several “attacks”, while the others gain the desired illegal access. One of the computers that gained access blocks the network logging system that records all access attempts. As a result the other computers that gained access may not be detected or located. Some of them start to hack a certain subnetwork, while others carry out fake operations in order to hinder the functioning of the enterprise, institution or authority and cover up the crime [6].

  3. Penetrating a computer network with the help of passwords, pretending to be an authorized user. With this method violators crack a password in order to access another person's computer. There is a range of software specially developed for this purpose, which may be purchased on the “shadow” computer market. Having obtained the right password (finding an 8-digit password takes less than 24 hours), the illegal user gains access to computer information and may use it however he likes: copy, delete, deteriorate, modify or suppress computer data, and perform operations such as wire transfers, forgery of payment orders, etc. as the authorized user.
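The coordinated pattern described above (more than 10 workstations attempting access at a specified time, followed by the logging system being blocked) can be looked for in access logs. The sketch below is an added example, not part of the original article; the event format, host names, window length and silence threshold are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

def build_sample():
    """Constructed events (timestamp, source, outcome); not taken from any real log."""
    t0 = datetime(2003, 6, 1, 2, 0, 0)
    events = [(t0 - timedelta(minutes=m), "ws-admin", "ok") for m in (50, 35, 20, 5)]
    # Twelve hypothetical hosts try to log in within one minute; two get through.
    events += [(t0 + timedelta(seconds=5 * i), f"host-{i:02d}",
                "ok" if i in (3, 9) else "fail") for i in range(12)]
    # The log then goes silent and only resumes three hours later.
    events.append((t0 + timedelta(hours=3), "ws-admin", "ok"))
    return sorted(events)

def coordinated_bursts(events, window, min_sources):
    """Find windows in which more than min_sources distinct sources attempted access."""
    bursts, i = [], 0
    while i < len(events):
        j = i
        while j < len(events) and events[j][0] - events[i][0] <= window:
            j += 1
        chunk = events[i:j]
        sources = {src for _, src, _ in chunk}
        if len(sources) > min_sources:
            bursts.append({"start": chunk[0][0], "end": chunk[-1][0],
                           "sources": sources,
                           "succeeded": sorted({s for _, s, o in chunk if o == "ok"})})
            i = j          # continue after the burst
        else:
            i += 1
    return bursts

def logging_gap_after(events, burst_end, max_silence):
    """Return the silence following a burst if it exceeds max_silence, else None."""
    later = [ts for ts, _, _ in events if ts > burst_end]
    if not later:
        return None        # nothing logged afterwards; handle as a separate alert
    gap = later[0] - burst_end
    return gap if gap > max_silence else None

if __name__ == "__main__":
    log = build_sample()
    for b in coordinated_bursts(log, timedelta(minutes=2), 10):
        gap = logging_gap_after(log, b["end"], timedelta(minutes=30))
        print(b["start"], len(b["sources"]), "sources; succeeded:", b["succeeded"])
        print("log silence after burst:", gap)
```

The sources listed under "succeeded" are the ones to examine first, since the article notes that one of them is what silences the log for the rest.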

Methods of direct and electromagnetic interception are also referred to methods of indirect (remote) access to computer information.

Direct interception is the simplest method of access without right. Interception is made via external communication channels or by direct connection to the cables of peripheral devices. The objects of direct listening are cable and wire systems, land microwave systems, satellite communication systems and also government communication systems.

Electromagnetic interception. Present-day technical devices make it possible to obtain information without connecting directly to the computer system, by intercepting emissions from central processors, displays, communication channels, printers, etc. All this may be done at a considerable distance from the object of interception. E.g. one may “take” information from a computer located in a nearby room or building by using special equipment.

Using “bugs” is one of the most widespread methods of electromagnetic interception. These “bugs” are sensitive microphones designed for listening to the conversations of staff.

The third group is made up of mixed methods, which may be carried out by both direct and indirect (remote) access. They are:

  • secret insertion of commands into programs that make them perform new unplanned functions while the program remains runnable (the program copies files, but simultaneously deletes data on the financial activity of the enterprise);

  • alteration of programs by secretly placing command sets that are triggered under specified conditions after some time. E.g. as soon as the program illegally transfers funds to a so-called false account, it self-destructs and deletes all data on the committed operation;

  • access to the databases and files of an authorized user through weak places in security systems. This creates an opportunity to read and examine information stored in the system, copy it and refer to it when necessary. Thus one may access the database of a competitor company and not only analyze its financial state, but also obtain evident competitive advantages;

  • using bugs and flaws in programs. The program is “broken” and the malefactor inputs a number of commands that make it perform new unplanned functions while the program remains runnable. Thus one may transfer money to false accounts, obtain information on real estate, identities, etc.

Criminals may obtain passwords, keys and identifiers (by getting a list of users with all the required information, by obtaining documents in institutions where document storage is not controlled, or by listening to phone conversations) and penetrate a computer system as authorized users. Systems without reliable authentication (e.g. identification by physiological features: fingerprints, eye retina, voice) are especially vulnerable in this respect.

As already noted, interference without right in the operation of a computer, computer system or network may be connected with violence or threats against a person. Violence or threats may accompany direct, indirect or mixed methods of committing computer crime. Both the authorized user of the computer system and another person related to the computer equipment may be subjected to violence or threats.

Direct access to computer information connected with violence or threats against a person may occur when an authorized user or another person is forced, after violence or under threat of it, to interfere without right in the operation of a computer, computer system or network. The damaging, deletion, deterioration, alteration or suppression of computer data without right is performed on the computer where the information is stored.

Indirect access to computer information connected with violence or threats against a person takes place when direct or electromagnetic interception of information from the computer where it is stored (with further copying, deletion, alteration or suppression of computer data without right) is committed by the person subjected to violence. The action need not be committed in full by that person; it is enough only to obtain passwords, identifiers, access cards, etc.

Mixed methods of interference without right in the operation of computers, computer systems and networks may be committed in the same way, for instance through physical influence on (or threats against) programmers (operators) in order to make them input unplanned commands into a program or alter it, or when violence is used in order to discover flaws in the security system or other mistakes in the program structure for further use without right.

A. Rodionov and A. Kuznetzov suggest the following classification of methods of interference without right in the work of computers, computer systems and networks [7]:

  1. Seizure of computer equipment

  2. Illegal interference in the operation of computers, computer systems and networks:

     • crimes committed with computer information in global computer networks;

     • crimes committed with computer information in beepers, cellular phones, cash registers, etc.

  3. Development or distribution of malicious software (viruses, cracks, etc.)

  4. Interception of information: a) electromagnetic, b) indirect.

  5. Copyright violation (computer pirates)

  6. Mixed (complex) methods

In our opinion the given classification has some shortcomings. First, the basis of the classification is the direct object of the criminal offence, not the method of committing the crime. Second, illegal interference in the work of computers, computer systems and networks is performed in many more ways (in particular, direct methods are not mentioned). Third, methods of information interception are methods of illegal access to information, so it is unfounded to single them out as a separate group.

Let us illustrate the method and mechanism of illegal interference in the operation of computers, computer systems and networks with the following case. At the initial stage bank employees are recruited (by bribery or blackmail). One of them will be the victim, another will be the recipient of the funds, and the third are employees of the banks where the stolen money will be withdrawn from the accounts and cashed. For added assurance, an employee of the telephone office in the place from which the whole illegal operation will be managed is also recruited. An apartment is rented in this town in the name of a straw man, and the necessary equipment is installed there: a computer, communication facilities and uninterruptible power supplies. The main perpetrator will act from this apartment. Besides him, approximately 10-12 computers with operators are involved, since one computer cannot provide efficient operation. Thus the total number of accomplices may reach 30 persons. However, the true goal is known to no more than 5 persons: the main perpetrator and his direct accomplices. Each of the other participants knows only his own specific task.

Penetration of the computer system of a commercial bank is performed by the indirect access methods considered above.

If the operation goes well, the main perpetrator initiates the main payment order and gives it priority for processing and dispatch to the specified addresses. Afterwards he inputs false payment orders in order to cover up the main payment. Right after the main transfer, the false orders disorganize the settlement system and temporarily paralyze it.

In conclusion, we should note that a typology of the ways and methods of committing computer crime will make it possible to develop assessments and criteria more efficiently across a broad range of high-tech and computer crimes, and will also facilitate the development of domestic laws that take international legislation into account.

[1] A. Koryagin, Computer and internet technologies crimes: urgency and problems of fighting with them. - http://www.crime-research.ru/library/Koragin.html

[2] V. Golubev, Investigating Computer crime / Monograph - Zaporozhye: University of Humanities “ZIGMU”, 2002.

[3] T. Tropina, Cyber criminality and terrorism, - http://www.crime-research.ru/library/Tropina.html.

[4] J. Baturin, A. Zhodzinski, Computer crimes and security - Moscow: Jurid. Lit, 1991, p. 18-34.

[5] B. Vehov, Computer crimes: ways of commitment and investigation methods – Moscow: 1996, p. 49-105.

[6] V. Golubev, J. Urchenko, Computer information crimes: ways of commitment and protection – edited O. Snigeryov, V. Martuzaev – Zaporizhzhya: Pavel, 1998, p.45.

[7] V. Sergeev, Computer crimes in banking – Banking, 1997, #2, p.27-28.

[8] A. Rodionov, A. Kuznetzov, High-tech crimes investigating – Bulletin of the Ministry of Internal Affairs of Russian Federation, 1999, #6, p.67.

[9] V. Sergeev, Computer crimes in banking – Banking, 1997, #2, p.27-28.
