2013.05.16 cfaa powerpoint for ima.v1
Transcript

  • 1. FRAUD 2.0 – Helping Businesses Prepare for Computer Fraud and Data Breaches. The Association of Accountants and Financial Professionals in Business, May 16, 2013
  • 2. #fraud20 www.brittontuma.com
  • 3. Have you ever heard of …
  • 4. Aaron Swartz?
  • 5. Sandra Teague?
  • 6. Bradley Manning?
  • 7. Hacking?
  • 8. Data Breach?
  • 9. Identity Theft?
  • 10. Stuxnet?
  • 11. Active Defense?
  • 12. NON-COMPUTER-RELATED FRAUD?
  • 13. As of September 2012, cybercrime
      • costs $110 billion annually
      • 18 adults every second are victims
      • 556,000,000 adults every year are victims
      • 46% of online adults are victims
      • mobile devices are trending
      (2012 Norton Cybercrime Report)
  • 14. What is fraud?
      • Fraud is, in its simplest form, deception
      • Black’s Law Dictionary: all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or suppression of the truth
  • 15. Traditional vehicles for fraud?
      • verbal communication
      • written communication
      • in person
      • through mail
      • via wire
  • 16. What do computers do? EFFICIENCY!
  • 17. FRAUD 2.0
  • 18. Computer Fraud = Fraud 2.0
      • Deception, through the use of a computer
      • “old crimes committed in new ways … using computers and the Internet to make the task[s] easier”
      • computer hacking, data theft, theft of money, breaches of data security, corporate espionage, privacy breaches, computer worms, Trojan horses, viruses, malware, denial of service attacks
      • mouse and keyboard = modern fraudster tools of choice
  • 19. Who knows the percentage of businesses that suffered at least one act of computer fraud in the last year? 90% (Ponemon Institute Study)
  • 20. BRIEF HISTORY OF THE COMPUTER FRAUD AND ABUSE ACT (CFAA)
  • 21. Computer Fraud and Abuse Act – Federal Law – 18 U.S.C. § 1030
  • 22. [image slide, no transcript text]
  • 23. [image slide, no transcript text]
  • 24. Why is the Computer Fraud and Abuse Act important?
      • Primary Law for Misuse of Computers
      • Computers …
  • 25. “Everything has a computer in it nowadays.” – Steve Jobs
  • 26. WHAT IS A COMPUTER?
  • 27. The CFAA says: has a processor or stores data
      “the term ‘computer’ means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but …”
      IMPORTANT! “such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;”
  • 28. What about . . .
  • 29. The Fourth Circuit says: “That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, . . . .” – United States v. Kramer
  • 30. The CFAA applies only to “protected” computers
      • Protected = connected to the Internet
      • This may limit the problem of applying it to alarm clocks, toasters, and coffee makers – for now?
      • Any situations where these devices are connected?
  • 31. seriously . . .
  • 32. • TI-99: 3.3 MHz Processor, 16 KB of RAM
      • Leap Frog Leapster: 96 MHz Processor, 128 MB of RAM
      • iPhone 5: 1.02 GHz Processor, 1 GB of RAM
  • 33. • 66 MHz = fastest desktop in the 80s
      • 96 MHz = child’s toy today
      • 250 MHz = fastest supercomputer in the 80s
      • 1.02 GHz = telephone today
  • 34. WHAT DOES THE CFAA PROHIBIT?
  • 35. CFAA prohibits the access of a protected computer that is
      • Without authorization, or
      • Exceeds authorized access
  • 36. Where the person accessing
      • Obtains information
      • Commits a fraud
      • Obtains something of value
      • Transmits damaging information
      • Causes damage
      • Traffics in passwords
      • Commits extortion
  • 37. • Overly simplistic list
      • Very complex statute
      • Appears deceptively straightforward
      • Many pitfalls
      “I am the wisest man alive, for I know one thing, and that is that I know nothing.” – Socrates
  • 38. Two Most Problematic Issues
      • “Loss” Requirement
          • Confuses lawyers and judges alike
      • Unauthorized / Exceeding Authorized Access
          • Evolving jurisprudence
          • Interpreted by many Circuits
          • New conflict on April 10, 2012
  • 39. Limited civil remedy
      • Procedurally complex with many cross-references
      • “damage” ≠ “damages”
      • Must have $5,000 “loss” (i.e., cost)
      • Loss requirement is a jurisdictional threshold
  • 40. What is a “loss”? “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”
      Loss = cost (unless interruption of service)
  • 41. Remedies
      • Available: Economic damages; Loss damage; Injunctive relief
      • Not Available: Exemplary damages; Attorneys’ fees
  • 42. Elements of broadest CFAA Claim
      1. Intentionally access computer;
      2. Without authorization or exceeding authorized access;
      3. Obtained information from any protected computer; and
      4. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.
  • 43. Elements of CFAA Fraud Claim
      1. Knowingly and with intent to defraud;
      2. Accesses a protected computer;
      3. Without authorization or exceeding authorized access;
      4. By doing so, furthers the intended fraud and obtains anything of value; and
      5. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.
  • 44. WRONGFUL ACCESS
  • 45. General Access Principles
      • Access by informational / data use ≠ technician
      • Must be knowing or intentional access ≠ accidental access
  • 46. Two Types of Wrongful Access
      • “without authorization”
          • Outsiders
          • No rights
          • Not defined
          • Only requires intent to access, not harm
          • Hacker!
      • “exceeds authorized”
          • Insiders
          • Some rights
          • CFAA defines: access in a way not entitled
          • Necessarily requires limits of authorization
          • Employees, web users, etc.
  • 47. When does authorization terminate? Trilogy of Access Theories
      • Agency Theory
      • Intended-Use Theory
      • Strict Access Theory
  • 48. Ways to establish limits for Intended-Use
      • Contractual
          • Policies: computer use, employment & manuals
          • Website Terms of Service
      • Technological
          • Login and access restrictions
          • System warnings
      • Training and other evidence of notification
      • Notices of intent to use CFAA
  • 49. Employment Situations – Most common scenario is employment
      • Employee accesses and takes customer account information
      • Employee accesses and takes or emails confidential information to competitor
      • Employee improperly deletes data and email
      • Employee deletes browser history
      • Employee accessing their Facebook, Gmail, Chase accounts at work
  • 50. Family Law Situations – Have you ever logged into your significant other’s email or Facebook to see what they’re saying to others? DON’T ANSWER THAT!
      • Estranged spouse in Arkansas did after separation
      • NTTA account?
      • Bank account?
      • Cancelling services via online accounts?
  • 51. Sharing Website Logins – Have you ever borrowed or shared website login credentials and passwords for limited access sites (i.e., online accounts)? DON’T ANSWER THAT!
      • Recent case held that permitting others to use login credentials for a paid website was a viable CFAA claim
      • The key factor here was that the conduct was prohibited by the website’s agreed-to Terms of Service
  • 52. Misuse of Websites – Ever created a fake profile or used a website for something other than its intended purpose? DON’T ANSWER THAT!
      • Myspace Mom case – United States v. Drew
      • Fake login to disrupt legitimate website sales
      • Accessing website to gain competitive information when prohibited by TOS
      • Creating fake Facebook to research opposing parties
  • 53. Have you ever heard of?
      • Aaron Swartz – information liberator!
      • Sandra Teague – Obama’s academic records
      • Bradley Manning – released classified info
      • Stuxnet – variations for corporate espionage
      • Active Defense – fun stuff – call me!
  • 54. DATA BREACH – WHAT DO YOU DO?
  • 55. Data Breach
      • product of computer fraud
      • on the rise
      • major risk to virtually all businesses
      • PII, PHI, financial data, cardholder data
      • disruption and data loss
      • claims from data subjects
      • fines and penalties from govts, agencies, indust. groups
      • impossible to prevent
      • plan ahead to reduce harm
  • 56. 4 Phases of Data Breach
      • Preparation
      • Prevention
      • Understanding Laws, Rules & Regulations
      • Responding
  • 57. Preparation
      • Breach Response Plan
          • Goal: Execute!
          • Who, What, When, How
          • Attorney – privilege
          • Adopted Notification Form
          • Educate Team
      • IT Security Audit / Penetration Testing
      • Compliance Audit
          • HIPAA, ERISA, OSHA, PCI, FINRA
      • Cyber Insurance
  • 58. Prevention
      • Software and Systems Updates
      • Remediate Vulnerabilities
      • Encrypt, Encrypt, Encrypt
      • Data Surveillance & IT Alerts
      • Cyber Counterintelligence / Counterespionage
      • IT Alerts
  • 59. Understanding Laws, Rules & Regulations
      • No Federal Breach Notification Law (yet)
      • 46 States Have Laws (not Alabama, Kentucky, New Mexico, South Dakota)
      • Massachusetts is an oddball
      • 45 days (FL, OH, VT, WI); otherwise expeditious without unreasonable delay
      • Consumers + State Attorney General
      • Agencies (FTC, HHS, OCR, DOL, SEC)
      • Industries (FINRA, PCI)
      • International
  • 60. Responding to a Breach – Just Execute the Plan!
      • Contact Attorney
      • Assemble Response Team
      • Contact Forensics
      • Contact Vendor for Notification
      • Investigate Breach
      • Remediate Responsible Vulnerabilities
      • Reporting & Notification
          • Law Enforcement First
          • AGs, Admin. Agencies, Industries, Cred. Rpt, Consumers
  • 61. OTHER LAWS FOR COMBATING FRAUD 2.0
  • 62. Federal Laws for Combating Fraud 2.0
      • Electronic Communications Privacy Act – 18 U.S.C. § 2510
          • Wiretap Act – intercept communications
          • Stored Communications Act – comm. at rest
      • Fraud with Access Devices – 18 U.S.C. § 1029
          • devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive-through swipe cards
      • Identity Theft – 18 U.S.C. § 1028
  • 63. Texas Laws for Combating Fraud 2.0
      • Breach of Computer Security Act (Tx. Penal Code § 33.02)
          • knowingly access a computer without effective consent of owner
      • Fraudulent Use or Possession of Identifying Info (TPC § 32.51)
      • Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)
      • Unlawful Access to Stored Communications (TPC § 16.04)
      • Identity Theft Enforcement and Protection Act (BCC § 48.001)
      • Consumer Protection Against Computer Spyware Act (BCC § 48.051)
      • Anti-Phishing Act (BCC § 48.003)
  • 64. • Welcome to the world of Fraud 2.0!
      • Why? Remember what Jobs said
      • CFAA is very broad and covers all kinds of computer fraud (sometimes) – evolving!
      • Data Breaches – be prepared – it will happen!
      • Many other Federal and Texas laws also available for combating computer fraud
      • Cyber Insurance
  • 65. www.brittontuma.com