references needed and each question need 100 words
Case Study 2 – Due 10/06 Scenario 1 Shadowcrew At 9:00 p.m., Andrew Mantovani, cofounder of the group Shadowcrew, received a knock at his door while chatting on his computer. For Mantovani and 27 others, that knock marked the end of Shadowcrew, which provided online marketplaces and discussion forums for identity thieves. Shadowcrew members used the organization’s website to traffic in stolen Social Security numbers, names, e-mail addresses, counterfeit driver’s licenses, birth certificates, and foreign and domestic passports. It also shared best practices for carrying out fraudulent activity. By the time it was shut down, Shadowcrew had trafficked in at least 1.7 million credit cards and was responsible for more than $4.3 million in fraud losses. Considered the online equivalent of the Russian Mafia, Shadowcrew operated as a highly sophisticated and hierarchical organization. All users operated under aliases, never revealing their true names or other personal information. Operations and communications were conducted using proxy servers that hid the location and identity of the users. Shadowcrew users were divided into five different roles: administrators, moderators, reviewers, vendors, and members. Administrators Shadowcrew administrators were the heads of the organization. Moderators A dozen moderators, chosen from the general membership based on proven skill in fraudulent activity, controlled the flow of information. Reviewers Reviewers tested the quality of illicit goods (credit cards, passports, etc.) trafficked on the Shadowcrew site. For example, reviewers would run a test called a “dump check” on credit card numbers by hacking into a retailer’s cash register system. The fraudster accessed the system through back doors used by technical support personnel to remotely perform maintenance or repairs. The reviewer would then enter a trivial charge of $1 or $2 to see whether the charge was approved. Reviewers would then write up and post detailed descriptions of the credit cards or other merchandise tested. Vendors Vendors managed the sale of stolen data. Prices were posted and products were sold using an auction forum much like eBay. Payments were processed via Western Union money transfers or an electronic currency and were made using a fraud victim’s stolen data. Members Thousands of people used the Shadowcrew website to gather and share information on committing identity fraud. Shadowcrew practiced open registration, but more sensitive discussion areas were password protected, and members needed another trusted member to vouch for them in order to join the forum. Members could be promoted up the organization by providing quality products or by sharing new or unique tips or techniques for committing fraud. Shadowcrew punished acts of disloyalty. For instance, one disloyal group member had his actual name, address, and phone number posted on the website for all to see. Shadowcrew’s demise began when MasterCard informed the United States government that a hundred websites promoted and supported identity fraud. The United States Secret Service covertly infiltrated Shadowcrew. Acting as trusted members, agents set up a Virtual Private Network (VPN) over which Shadowcrew leaders could conduct illicit business. The VPN allowed the Secret Service to track the organization’s doings and discover the real identities and locations of Shadowcrew users. It was vital that all arrests occur simultaneously, because any one of the targets could instantly warn the others via Shadowcrew’s discussion forum. With the help of the Justice Department, Homeland Security, the Royal Canadian Mounted Police, Europol, and local police departments, authorities simultaneously knocked on the suspects’ doors at precisely 9:00 p.m. The operation led to 28 arrests, 21 in the United States. Rather than immediately deactivating the website, investigators replaced the home page with the following warning: “Activities by Shadowcrew members are being investigated by the United States Secret Service.” Under a picture of hands clutching bars of a jail cell, agents listed the criminal charges that Shadowcrew members faced and called on visitors to turn themselves in: “Contact your local United States Secret Service field office before we contact you!” (Source: J. McCormick and D. Gage, Baseline Security, March 7, 2005.) (Explain your answers in detail. Your answer to each question should be at least 100 words.) 1. How did Shadowcrew members conceal their identities? How can average citizens protect their identities while interacting online? 2. How has the Internet made detecting and identifying identity fraudsters difficult? 3. What are some of the most common electronic means of stealing personal information? 4. What is the most common way that fraudsters use personal data? 5. What measures can consumers take to protect against the online brokering of their personal data? 6. What are the most effective means of detecting identity theft? 7. What pieces of personal information are most valuable to identity fraudsters? Scenario 2 The Greater Providence Deposit & Trust Embezzlement Nino Moscardi, president of Greater Providence Deposit & Trust (GPD&T), received an anonymous note in his mail stating that a bank employee was making bogus loans. Moscardi asked the bank’s internal auditors to investigate the transactions detailed in the note. The investigation led to James Guisti, manager of a North Providence branch office and a trusted 14-year employee who had once worked as one of the bank’s internal auditors. Guisti was charged with embezzling $1.83 million from the bank using 67 phony loans taken out over a three-year period. Court documents revealed that the bogus loans were 90-day notes requiring no collateral and ranging in amount from $10,000 to $63,500. Guisti originated the loans; when each one matured, he would take out a new loan, or rewrite the old one, to pay the principal and interest due. Some loans had been rewritten five or six times. The 67 loans were taken out by Guisti in five names, including his wife’s maiden name, his father’s name, and the names of two friends. These people denied receiving stolen funds or knowing anything about the embezzlement. The fifth name was James Vanesse, who police said did not exist. The Social Security number on Vanesse’s loan application was issued to a female, and the phone number belonged to a North Providence auto dealer. Lucy Fraioli, a customer service representative who cosigned the checks, said Guisti was her supervisor and she thought nothing was wrong with the checks, though she did not know any of the people. Marcia Perfetto, head teller, told police she cashed checks for Guisti made out to four of the five persons. Asked whether she gave the money to Guisti when he gave her checks to cash, she answered, “Not all of the time,” though she could not recall ever having given the money directly to any of the four, whom she did not know. Guisti was authorized to make consumer loans up to a certain dollar limit without loan committee approvals, which is a standard industry practice. Guisti’s original lending limit was $10,000, the amount of his first fraudulent loan. The dollar limit was later increased to $15,000 and then increased again to $25,000. Some of the loans, including the one for $63,500, far exceeded his lending limit. In addition, all loan applications should have been accompanied by the applicant’s credit history report, purchased from an independent credit rating firm. The loan taken out in the fictitious name would not have had a credit report and should have been flagged by a loan review clerk at the bank’s headquarters. News reports raised questions about why the fraud was not detected earlier. State regulators and the bank’s internal auditors failed to detect the fraud. Several reasons were given for the failure to find the fraud earlier. First, in checking for bad loans, bank auditors do not examine all loans and generally focus on loans much larger than the ones in question. Second, Greater Providence had recently dropped its computer services arrangement with a local bank in favor of an out-of-state bank. This changeover may have reduced the effectiveness of the bank’s control procedures. Third, the bank’s loan review clerks were rotated frequently, making follow-up on questionable loans more difficult. Guisti was a frequent gambler and used the embezzled money to pay gambling debts. The bank’s losses totaled $624,000, which was less than the $1.83 million in bogus loans, because Guisti used a portion of the borrowed money to repay loans as they came due. The bank’s bonding company covered the loss. The bank experienced other adverse publicity prior to the fraud’s discovery. First, the bank was fined $50,000 after pleading guilty to failure to report cash transactions exceeding $10,000, which is a felony. Second, bank owners took the bank private after a lengthy public battle with the State Attorney General, who alleged that the bank inflated its assets and overestimated its capital surplus to make its balance sheet look stronger. The bank denied this charge. Source: John Kostrezewa, “Charge: Embezzlement,” Providence Journal-Bulletin (July 31, 1988): F-1. (Explain your answers in detail. Your answer to each question should be at least 100 words.) 1. How did Guisti commit the fraud, conceal it, and convert the fraudulent actions to personal gain? 2. Good internal controls require that the custody, recording, and authorization functions be separated. Explain which of those functions Guisti had and how the failure to segregate them facilitated the fraud. 3. Identify the preventive, detective, and corrective controls at GPD&T, and discuss whether they were effective. 4. Explain the pressures, opportunities, and rationalizations that were present in the Guisti fraud. 5. Discuss how Greater Providence Deposit & Trust might improve its control procedures over the disbursement of loan funds to minimize the risk of this type of fraud. In what way does this case indicate a lack of proper segregation of duties? 6. Discuss how Greater Providence might improve its loan review procedures at bank headquarters to minimize its fraud risk. Was it a good idea to rotate the assignments of loan review clerks? Why, or why not? 7. Discuss whether Greater Providence’s auditors should have been able to detect this fraud. 8. Are there any indications that the internal environment at Greater Providence may have been deficient? If so, how could it have contributed to this embezzlement? Page 1 of 4 ACCT 4020 Case Study Guidelines 1. Your full name and case study number should appear on the first page (refer to case study exemplar posted on eCourseware). 2. Your typed answer sheet do not need to include the scenarios. 3. Number your answers correctly so your instructor can refer to them. 4. Type your answers single-spaced, with margins of standard width (usually 1 inch on the sides and bottom and 1 1/2 inch on the top). Use Times New Roman font size 12. 5. You must acknowledge the sources of all your information and any ideas or interpretations you have taken from