Fraud 2.0 - The Laws that Help Businesses Combat Computer Fraud

What is Fraud 2.0? Computer fraud is the fraud of the century and it is increasing exponentially each year. Shawn Tuma provides an in-depth analysis of the federal Computer Fraud and Abuse Act, the primary law that is available to help businesses and individuals combat the threat of computer fraud and obtain both civil and criminal remedies for those frauds. Tuma explains how the Computer Fraud and Abuse Act works, describes some of the practical steps that need to be taken in advance to ensure it is available should a computer fraud occur, and gives practical examples of several situations where the Computer Fraud and Abuse Act has been used successfully. He also provides a brief overview of some of the other laws that can be used to combat computer fraud – Fraud 2.0.

This presentation was made to the Association of Certified Fraud Examiners (ACFE) - Dallas on November 8, 2012.

  • Who knows what movie this was from? Anyone remember? Early 80s – 1983
  • Movie War Games!
  • Why? Because this is the primary law that is used to pursue those who misuse a computer to commit crimes, defraud, etc. Computers are everywhere and are involved in virtually everything!
  • CFAA’s definition of computer: Remember the “But”!!!
  • Now that we know what it applies to, let’s talk about what the CFAA prohibits.
  • Not too long ago I was talking with someone about a case they had involving criminal indictment for the CFAA. I offered help but was rebuffed – told: “I’ve read the statute, I’ve got it.” Ok – best of luck to you (and your clients!)!
  • What would your advice, as a lawyer, be in this situation?
  • Why? (Remember what Steve Jobs said last December – everything has a computer in it nowadays!) The CFAA is what is most commonly used to deal with misuse of computers.
  • Transcript

    • 1. FRAUD 2.0: An Overview of the Laws that Help Businesses and Individuals Combat Computer Fraud. Association of Certified Fraud Examiners, November 8, 2012
    • 2. THINK ABOUT THIS … www.brittontuma.com 2
    • 3. [SEE FOLLOWING VIDEO] https://vimeo.com/2030361
    • 4. WHAT DOES THAT MEAN TO YOU?
    • 5. STUXNET?
    • 6. NON COMPUTER RELATED FRAUD?
    • 7. As of September 2012, cybercrime • costs $110 billion annually • 18 adults every second are victims • 556,000,000 adults every year are victims • 46% of online adults are victims • mobile devices are trending (2012 Norton Cybercrime Report)
    • 8. What is fraud? • Fraud is, in its simplest form, deception • Black’s Law Dictionary • all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or suppression of the truth
    • 9. Traditional vehicles for fraud? • verbal communication • written communication • in person • through mail • over wire
    • 10. What do computers do? EFFICIENCY!
    • 11. FRAUD 2.0
    • 12. Computer Fraud = Fraud 2.0 • Deception, through the use of a computer • “old crimes committed in new ways … using computers and the Internet to make the task[s] easier” • computer hacking, data theft, theft of money, breaches of data security, privacy breaches, computer worms, Trojan horses, viruses, malware, denial of service attacks • mouse and keyboard = modern fraudster tools of choice
    • 13. Who knows the percentage of businesses that suffered at least one act of computer fraud in last year? 90% (Ponemon Institute Study)
    • 14. Computer Fraud and Abuse Act • Federal Law – 18 U.S.C. § 1030
    • 15. BRIEF HISTORY OF THE CFAA
    • 18. Why is the Computer Fraud and Abuse Act important? ❖ Primary Law for Misuse of Computers ❖ Computers …
    • 19. “Everything has a computer in it nowadays.” -Steve Jobs
    • 20. WHAT IS A COMPUTER?
    • 21. The CFAA says: has a processor or stores data • “the term ‘computer’ means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but …” IMPORTANT! “such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;”
    • 22. What about
    • 23. The Fourth Circuit says “’Just think of the common household items that include microchips and electronic storage devices, and thus will satisfy the statutory definition of “computer.”’ “’That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, . . . .” -United States v. Kramer
    • 24. The CFAA applies only to “protected” computers. This may limit the problem of applying it to alarm clocks, toasters, and coffee makers. Protected = connected to the Internet. Any situations where these devices are connected?
    • 25. • TI-99: 3.3 MHz Processor, 16 KB of RAM • Leap Frog Leapster: 96 MHz Processor, 128 MB of RAM • iPhone 5: 1.02 GHz Processor, 1 GB of RAM
    • 26. 66 MHz = fastest desktop in 80s • 96 MHz = child’s toy today • 250 MHz = fastest super computer in 80s • 1.02 GHz = telephone today
    • 27. WHAT DOES THE CFAA PROHIBIT?
    • 28. CFAA prohibits the access of a protected computer that is ❖ Without authorization, or ❖ Exceeds authorized access
    • 29. Where the person accessing ❖ Obtains information ❖ Commits a fraud ❖ Obtains something of value ❖ Transmits damaging information ❖ Causes damage ❖ Traffics in passwords ❖ Commits extortion
    • 30. “I am the wisest man alive, for I know one thing, and that is that I know nothing.” -Socrates ❖ Overly simplistic list ❖ Very complex statute ❖ Superficially it appears deceptively straightforward ❖ Many pitfalls
    • 31. Two Most Problematic Issues ❖ “Loss” Requirement • Confuses lawyers and judges alike ❖ Unauthorized / Exceeding Authorized Access • Evolving jurisprudence • Interpreted by many Circuits • New conflict on April 10, 2012
    • 32. Limited civil remedy ❖ Procedurally complex with many cross-references ❖ “damage” ≠ “damages” ❖ Must have $5,000 “loss” ❖ Loss requirement is jurisdictional threshold
    • 33. What is a “loss”? “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Loss = cost (unless interruption of service)
    • 34. What can qualify as a “loss”? ❖ Investigation and response costs • Forensics analysis and investigation • Diagnostic measures • Restoration of system • Bartered services for investigation / restoration ❖ Value of employees’ time ❖ Attorneys’ fees if leading investigation
    • 35. What is not a “loss”? ❖ Lost revenue (unless interruption of service) ❖ Value of trade secrets ❖ Lost profits ❖ Lost customers ❖ Lost business opportunities ❖ Privacy and Personally Identifiable Information
    • 36. Privacy and Personally Identifiable Information ❖ iTracking ❖ Hacking / data breach ❖ Browser cookies REMEMBER: Loss is only required for civil remedy – not criminal violation
    • 37. What would you advise? ❖ Wrongful access of your client’s computer ❖ Considering a CFAA claim ❖ Your advice would be to ________?
    • 38. Remedies ❖ Available • Economic damages • Loss damage • Injunctive relief ❖ Not Available • Exemplary damages • Attorneys’ fees
    • 39. Elements of broadest CFAA Claim 1. Intentionally access computer; 2. Without authorization or exceeding authorized access; 3. Obtained information from any protected computer; and 4. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.
    • 40. Elements of CFAA Fraud Claim 1. Knowingly and with intent to defraud; 2. Accesses a protected computer; 3. Without authorization or exceeding authorized access; 4. By doing so, furthers the intended fraud and obtains anything of value; and 5. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.
    • 41. WRONGFUL ACCESS
    • 42. General Access Principles ❖ Access by informational / data use ❖ ≠ technician ❖ Must be knowing or intentional access ❖ ≠ accidental access
    • 43. Two Types of Wrongful Access. “without authorization”: ❖ Outsiders ❖ No rights ❖ Not defined ❖ Only requires intent to access, not harm ❖ Hacker! “exceeds authorized”: ❖ Insiders ❖ Some rights ❖ CFAA defines: access in a way not entitled ❖ Necessarily requires limits of authorization ❖ Employees, web users, etc.
    • 44. When does authorization terminate? As of April 10, 2012, there are (once again) three general lines of cases: Trilogy of Access Theories • Agency Theory • Intended-Use Analysis • Access Means Access
    • 45. Ways to establish limits for Intended-Use ❖ Contractual • Policies: computer use, employment & manuals • Website Terms of Service ❖ Technological • Login and access restrictions • System warnings ❖ Training and other evidence of notification ❖ Notices of intent to use CFAA
    • 46. Contractual limits should ❖ Clearly notify of limits ❖ Limit authorization to access information ❖ Limit use of information accessed ❖ Terminate access rights upon violation ❖ Indicate intent to enforce by CFAA. Goal: limit or terminate authorization
    • 47. Employment Situations: Most common scenario is employment • Employee accesses and takes customer account information • Employee accesses and takes or emails confidential information to competitor • Employee improperly deletes data and email • Employee deletes browser history ☺ • Employee accessing their Facebook, Gmail, Chase accounts at work
    • 48. Family Law Situations: Have you ever logged into your significant other’s email or Facebook to see what they’re saying to others? DON’T ANSWER THAT! • Estranged spouse in Arkansas did after separation • NTTA account? • Bank account? • Cancelling services via online accounts?
    • 49. Sharing Website Logins: Have you ever borrowed or shared website login credentials and passwords for limited access sites (i.e., online accounts)? DON’T ANSWER THAT! • Recent case held that permitting others to use login credentials for paid website was viable CFAA claim • The key factor here was the conduct was prohibited by the website’s agreed to Terms of Service
    • 50. Misuse of Websites: Ever created a fake profile or used a website for something other than its intended purpose? DON’T ANSWER THAT! • Myspace Mom case • Fake login to disrupt legitimate website sales • Accessing website to gain competitive information when prohibited by TOS • Creating fake Facebook to research opposing parties
    • 51. Hacking & Private Information: Hacking was original purpose for CFAA • Hacking and obtaining private information • (president’s educational records) • Tracking individuals through geo-tagging • Website collection of private information • All fit within the prohibitions of the CFAA • Loss is the problem, from a civil standpoint
    • 52. What about … • Hacking a car? • Hacking a person? • What else?
    • 53. What about … • Denial of Service Attacks • Password Trafficking
    • 54. OTHER LAWS FOR COMBATING FRAUD 2.0
    • 55. Federal Laws for Combating Fraud 2.0 • Electronic Communications Privacy Act - 18 U.S.C. § 2510 • Wiretap Act ≠ intercept communications • Stored Communications Act ≠ comm. at rest • Fraud with Access Devices - 18 U.S.C. § 1029 • devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive through swipe cards • Identity Theft – 18 U.S.C. § 1028
    • 56. Texas Laws for Combating Fraud 2.0 • Breach of Computer Security Act (Tx. Penal Code § 33.02) • knowingly access a computer without effective consent of owner • Fraudulent Use or Possession of Identifying Info (TPC § 32.51) • Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02) • Unlawful Access to Stored Communications (TPC § 16.04) • Identity Theft Enforcement and Protection Act (BCC § 48.001) • Consumer Protection Against Computer Spyware Act (BCC § 48.051) • Anti-Phishing Act (BCC § 48.003)
    • 57. • Welcome to the world of Fraud 2.0! • Why? Remember what Jobs said • CFAA is very broad and covers all kinds of computer fraud (sometimes) • Courts’ interpretation of the CFAA is changing all the time – you must stay updated! • Many other Federal and Texas laws also available for combating computer fraud