2013.05.16 cfaa powerpoint for ima.v1

  • 1. FRAUD 2.0: Helping Businesses Prepare for Computer Fraud and Data Breaches. The Association of Accountants and Financial Professionals in Business, May 16, 2013
  • 3. Have you ever heard of … #fraud20
  • 4. Aaron Swartz?
  • 5. Sandra Teague?
  • 6. Bradley Manning?
  • 7. Hacking?
  • 8. Data Breach?
  • 9. Identity Theft?
  • 10. Stuxnet?
  • 11. Active Defense?
  • 13. As of September 2012, cybercrime
    • costs $110 billion annually
    • 18 adults every second are victims
    • 556,000,000 adults every year are victims
    • 46% of online adults are victims
    • mobile devices are trending
    (2012 Norton Cybercrime)
  • 14. What is fraud?
    • Fraud is, in its simplest form, deception
    • Black’s Law Dictionary: all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or suppression of the
  • 15. Traditional vehicles for fraud?
    • verbal communication
    • written communication
    • in person
    • through mail
    • via
  • 16. What do computers do? EFFICIENCY!
  • 17. FRAUD
  • 18. Computer Fraud = Fraud 2.0
    • Deception, through the use of a computer
    • “old crimes committed in new ways … using computers and the Internet to make the task[s] easier”
    • computer hacking, data theft, theft of money, breaches of data security, corporate espionage, privacy breaches, computer worms, Trojan horses, viruses, malware, denial of service attacks
    • mouse and keyboard = modern fraudster tools of
  • 19. Who knows the percentage of businesses that suffered at least one act of computer fraud in the last year? 90% (Ponemon Institute Study)
  • 21. Computer Fraud and Abuse Act: Federal Law – 18 U.S.C §
  • 24. Why is the Computer Fraud and Abuse Act important?
    • Primary Law for Misuse of Computers
    • Computers …
  • 25. “Everything has a computer in it nowadays.” – Steve Jobs
  • 26. WHAT IS A COMPUTER?
  • 27. The CFAA says: has a processor or stores data (www.brittontuma.com)
    • “the term ‘computer’ means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but …”
    • IMPORTANT! “such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;”
  • 28. What about . . .
  • 29. The Fourth Circuit says: “That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, . . . .” – United States v. Kramer
  • 30. The CFAA applies only to “protected” computers
    • Protected = connected to the Internet
    • This may limit the problem of applying it to alarm clocks, toasters, and coffee makers – for now?
    • Any situations where these devices are connected?
  • 31. seriously . . .
  • 32.
    • TI-99: 3.3 MHz Processor, 16 KB of RAM
    • Leap Frog Leapster: 96 MHz Processor, 128 MB of RAM
    • iPhone 5: 1.02 GHz Processor, 1 GB of RAM
  • 33. 66 MHz = fastest desktop in 80s; 96 MHz = child’s toy today; 250 MHz = fastest supercomputer in 80s; 1.02 GHz = telephone today
  • 35. CFAA prohibits the access of a protected computer that is
    • Without authorization, or
    • Exceeds authorized
  • 36. Where the person accessing
    • Obtains information
    • Commits a fraud
    • Obtains something of value
    • Transmits damaging information
    • Causes damage
    • Traffics in passwords
    • Commits
  • 37.
    • Overly simplistic list
    • Very complex statute
    • Appears deceptively straightforward
    • Many
    “I am the wisest man alive, for I know one thing, and that is that I know nothing.” – Socrates
  • 38. Two Most Problematic Issues
    • “Loss” Requirement
      • Confuses lawyers and judges alike
    • Unauthorized / Exceeding Authorized Access
      • Evolving jurisprudence
      • Interpreted by many Circuits
      • New conflict on April 10,
  • 39. Limited civil remedy
    • Procedurally complex with many cross-references
    • “damage” ≠ “damages”
    • Must have $5,000 “loss” (i.e., cost)
    • Loss requirement is jurisdictional
  • 40. What is a “loss”? “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Loss = cost (unless interruption of service)
  • 41. Remedies
    • Available: Economic damages; Loss damage; Injunctive relief
    • Not Available: Exemplary damages; Attorneys’
  • 42. Elements of broadest CFAA Claim
    1. Intentionally access computer;
    2. Without authorization or exceeding authorized access;
    3. Obtained information from any protected computer; and
    4. Victim incurred a loss to one or more persons during any 1-year period of at least $5,
  • 43. Elements of CFAA Fraud Claim
    1. Knowingly and with intent to defraud;
    2. Accesses a protected computer;
    3. Without authorization or exceeding authorized access;
    4. By doing so, furthers the intended fraud and obtains anything of value; and
    5. Victim incurred a loss to one or more persons during any 1-year period of at least $5,
  • 44. WRONGFUL ACCESS
  • 45. General Access Principles
    • Access by informational / data use ≠ technician
    • Must be knowing or intentional access ≠ accidental
  • 46. Two Types of Wrongful Access
    • “without authorization”: Outsiders; No rights; Not defined; Only requires intent to access, not harm; Hacker!
    • “exceeds authorized”: Insiders; Some rights; CFAA defines: access in a way not entitled; Necessarily requires limits of authorization; Employees, web users, etc.
  • 47. When does authorization terminate? Trilogy of Access Theories
    • Agency Theory
    • Intended-Use Theory
    • Strict
  • 48. Ways to establish limits for Intended-Use
    • Contractual
      • Policies: computer use, employment & manuals
      • Website Terms of Service
    • Technological
      • Login and access restrictions
      • System warnings
    • Training and other evidence of notification
    • Notices of intent to use
  • 49. Employment Situations: most common scenario is employment
    • Employee accesses and takes customer account information
    • Employee accesses and takes or emails confidential information to competitor
    • Employee improperly deletes data and email
    • Employee deletes browser history
    • Employee accessing their Facebook, Gmail, Chase accounts at work
  • 50. Family Law Situations: Have you ever logged into your significant other’s email or Facebook to see what they’re saying to others? DON’T ANSWER THAT!
    • Estranged spouse in Arkansas did after separation
    • NTTA account?
    • Bank account?
    • Cancelling services via online accounts?
  • 51. Sharing Website Logins: Have you ever borrowed or shared website login credentials and passwords for limited access sites (i.e., online accounts)? DON’T ANSWER THAT!
    • Recent case held that permitting others to use login credentials for paid website was viable CFAA claim
    • The key factor here was the conduct was prohibited by the website’s agreed to Terms of
  • 52. Misuse of Websites: Ever created a fake profile or used a website for something other than its intended purpose? DON’T ANSWER THAT!
    • Myspace Mom case – United States v. Drew
    • Fake login to disrupt legitimate website sales
    • Accessing website to gain competitive information when prohibited by TOS
    • Creating fake Facebook to research opposing
  • 53. Have you ever heard of?
    • Aaron Swartz – information liberator!
    • Sandra Teague – Obama’s academic records
    • Bradley Manning – released classified info
    • Stuxnet – variations for corporate espionage
    • Active Defense – fun stuff – call me!
  • 54. DATA BREACH: WHAT DO YOU DO?
  • 55. Data Breach
    • product of computer fraud
    • on the rise
    • major risk to virtually all businesses
    • PII, PHI, financial data, cardholder data
    • disruption and data loss
    • claims from data subjects
    • fines and penalties from govts, agencies, indust. groups
    • impossible to prevent
    • plan ahead to reduce
  • 56. 4 Phases of Data Breach
    • Preparation
    • Prevention
    • Understanding Laws, Rules & Regulations
  • 57. Preparation
    • Breach Response Plan
    • Goal → Execute!
    • Who, What, When, How
    • Attorney – privilege
    • Adopted Notification Form
    • Educate Team
    • IT Security Audit / Penetration Testing
    • Compliance Audit
    • HIPAA, ERISA, OSHA, PCI, FINRA
    • Cyber
  • 58. Prevention
    • Software and Systems Updates
    • Remediate Vulnerabilities
    • Encrypt, Encrypt, Encrypt
    • Data Surveillance & IT Alerts
    • Cyber Counter-Intelligence / Counter-Espionage
  • 59. Understanding Laws, Rules & Regulations
    • No Federal Breach Notification Law (yet)
    • 46 States Have Laws
    • ≠ Alabama, Kentucky, New Mexico, South Dakota
    • Massachusetts is an oddball
    • 45 days (FL, OH, VT, WI); otherwise expeditious without unreasonable delay
    • Consumers + State Attorney General
    • Agencies (FTC, HHS, OCR, DOL, SEC)
    • Industries (FINRA, PCI)
  • 60. Responding to a Breach – Just Execute the Plan!
    • Contact Attorney
    • Assemble Response Team
    • Contact Forensics
    • Contact Vendor for Notification
    • Investigate Breach
    • Remediate Responsible Vulnerabilities
    • Reporting & Notification
    • Law Enforcement First
    • AGs, Admin. Agencies, Industries, Cred. Rpt,
  • 62. Federal Laws for Combating Fraud 2.0
    • Electronic Communications Privacy Act – 18 U.S.C. § 2510
      • Wiretap Act ≠ intercept communications
      • Stored Communications Act ≠ comm. at rest
    • Fraud with Access Devices – 18 U.S.C. § 1029
      • devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive through swipe cards
    • Identity Theft – 18 U.S.C. §
  • 63. Texas Laws for Combating Fraud 2.0
    • Breach of Computer Security Act (Tx. Penal Code § 33.02): knowingly access a computer without effective consent of owner
    • Fraudulent Use or Possession of Identifying Info (TPC § 32.51)
    • Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)
    • Unlawful Access to Stored Communications (TPC § 16.04)
    • Identity Theft Enforcement and Protection Act (BCC § 48.001)
    • Consumer Protection Against Computer Spyware Act (BCC § 48.051)
    • Anti-Phishing Act (BCC § 48.003)
  • 64.
    • Welcome to the world of Fraud 2.0!
    • Why? Remember what Jobs said
    • CFAA is very broad and covers all kinds of computer fraud (sometimes) – evolving!
    • Data Breaches – be prepared – it will happen!
    • Many other Federal and Texas laws also available for combating computer fraud
    • Cyber