2013.05.16 cfaa powerpoint for ima.v1

  1. FRAUD 2.0: Helping Businesses Prepare for Computer Fraud and Data Breaches
     The Association of Accountants and Financial Professionals in Business, May 16, 2013
  2. #fraud20 www.brittontuma.com
  3. Have you ever heard of …
  4. Aaron Swartz?
  5. Sandra Teague?
  6. Bradley Manning?
  7. Hacking?
  8. Data Breach?
  9. Identity Theft?
  10. Stuxnet?
  11. Active Defense?
  12. NON COMPUTER-RELATED FRAUD?
  13. As of September 2012, cybercrime
      • costs $110 billion annually
      • 18 adults every second are victims
      • 556,000,000 adults every year are victims
      • 46% of online adults are victims
      • mobile devices are trending
      (2012 Norton Cybercrime Report)
  14. What is fraud?
      • Fraud is, in its simplest form, deception
      • Black’s Law Dictionary: “all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or suppression of the truth”
  15. Traditional vehicles for fraud?
      • verbal communication
      • written communication
      • in person
      • through mail
      • via wire
  16. What do computers do? EFFICIENCY!
  17. FRAUD 2.0
  18. Computer Fraud = Fraud 2.0
      • Deception, through the use of a computer
      • “old crimes committed in new ways … using computers and the Internet to make the task[s] easier”
      • computer hacking, data theft, theft of money, breaches of data security, corporate espionage, privacy breaches, computer worms, Trojan horses, viruses, malware, denial of service attacks
      • mouse and keyboard = modern fraudster tools of choice
  19. Who knows the percentage of businesses that suffered at least one act of computer fraud in the last year? 90% (Ponemon Institute Study)
  20. BRIEF HISTORY OF THE COMPUTER FRAUD AND ABUSE ACT (CFAA)
  21. Computer Fraud and Abuse Act: Federal Law – 18 U.S.C. § 1030
  22. (no text on slide)
  23. (no text on slide)
  24. Why is the Computer Fraud and Abuse Act important?
      • Primary Law for Misuse of Computers
      • Computers …
  25. “Everything has a computer in it nowadays.” – Steve Jobs
  26. WHAT IS A COMPUTER?
  27. The CFAA says: “the term ‘computer’ means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but …”
      (in short: has a processor or stores data)
      IMPORTANT! “such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;”
  28. What about . . .
  29. The Fourth Circuit says: “That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, . . . .” – United States v. Kramer
  30. The CFAA applies only to “protected” computers. Protected = connected to the Internet.
      This may limit the problem of applying it to alarm clocks, toasters, and coffee makers – for now?
      Any situations where these devices are connected?
  31. seriously . . .
  32. • TI-99: 3.3 MHz processor, 16 KB of RAM
      • Leap Frog Leapster: 96 MHz processor, 128 MB of RAM
      • iPhone 5: 1.02 GHz processor, 1 GB of RAM
  33. 66 MHz = fastest desktop in 80s
      96 MHz = child’s toy today
      250 MHz = fastest supercomputer in 80s
      1.02 GHz = telephone today
  34. WHAT DOES THE CFAA PROHIBIT?
  35. CFAA prohibits the access of a protected computer that is
      • Without authorization, or
      • Exceeds authorized access
  36. Where the person accessing
      • Obtains information
      • Commits a fraud
      • Obtains something of value
      • Transmits damaging information
      • Causes damage
      • Traffics in passwords
      • Commits extortion
  37. • Overly simplistic list
      • Very complex statute
      • Appears deceptively straightforward
      • Many pitfalls
      “I am the wisest man alive, for I know one thing, and that is that I know nothing.” – Socrates
  38. Two Most Problematic Issues
      • “Loss” Requirement
        • Confuses lawyers and judges alike
      • Unauthorized / Exceeding Authorized Access
        • Evolving jurisprudence
        • Interpreted by many Circuits
        • New conflict on April 10, 2012
  39. • Limited civil remedy
      • Procedurally complex with many cross-references
      • “damage” ≠ “damages”
      • Must have $5,000 “loss” (i.e., cost)
      • Loss requirement is jurisdictional threshold
  40. What is a “loss”? “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”
      Loss = cost (unless interruption of service)
  41. Remedies
      Available:
      • Economic damages
      • Loss damage
      • Injunctive relief
      Not Available:
      • Exemplary damages
      • Attorneys’ fees
  42. Elements of broadest CFAA Claim
      1. Intentionally access computer;
      2. Without authorization or exceeding authorized access;
      3. Obtained information from any protected computer; and
      4. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.
  43. Elements of CFAA Fraud Claim
      1. Knowingly and with intent to defraud;
      2. Accesses a protected computer;
      3. Without authorization or exceeding authorized access;
      4. By doing so, furthers the intended fraud and obtains anything of value; and
      5. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.
  44. WRONGFUL ACCESS
  45. General Access Principles
      • Access by informational / data use ≠ technician
      • Must be knowing or intentional access ≠ accidental access
  46. Two Types of Wrongful Access
      “without authorization”
      • Outsiders
      • No rights
      • Not defined
      • Only requires intent to access, not harm
      • Hacker!
      “exceeds authorized”
      • Insiders
      • Some rights
      • CFAA defines: access in a way not entitled
      • Necessarily requires limits of authorization
      • Employees, web users, etc.
  47. When does authorization terminate? Trilogy of Access Theories
      • Agency Theory
      • Intended-Use Theory
      • Strict Access Theory
  48. Ways to establish limits for Intended-Use
      • Contractual
        • Policies: computer use, employment & manuals
        • Website Terms of Service
      • Technological
        • Login and access restrictions
        • System warnings
      • Training and other evidence of notification
      • Notices of intent to use CFAA
  49. Employment Situations: Most common scenario is employment
      • Employee accesses and takes customer account information
      • Employee accesses and takes or emails confidential information to competitor
      • Employee improperly deletes data and email
      • Employee deletes browser history
      • Employee accessing their Facebook, Gmail, Chase accounts at work
  50. Family Law Situations: Have you ever logged into your significant other’s email or Facebook to see what they’re saying to others? DON’T ANSWER THAT!
      • Estranged spouse in Arkansas did after separation
      • NTTA account?
      • Bank account?
      • Cancelling services via online accounts?
  51. Sharing Website Logins: Have you ever borrowed or shared website login credentials and passwords for limited access sites (i.e., online accounts)? DON’T ANSWER THAT!
      • Recent case held that permitting others to use login credentials for paid website was viable CFAA claim
      • The key factor here was the conduct was prohibited by the website’s agreed-to Terms of Service
  52. Misuse of Websites: Ever created a fake profile or used a website for something other than its intended purpose? DON’T ANSWER THAT!
      • Myspace Mom case – United States v. Drew
      • Fake login to disrupt legitimate website sales
      • Accessing website to gain competitive information when prohibited by TOS
      • Creating fake Facebook to research opposing parties
  53. Have you ever heard of?
      • Aaron Swartz – information liberator!
      • Sandra Teague – Obama’s academic records
      • Bradley Manning – released classified info
      • Stuxnet – variations for corporate espionage
      • Active Defense – fun stuff – call me!
  54. DATA BREACH: WHAT DO YOU DO?
  55. Data Breach
      • product of computer fraud
      • on the rise
      • major risk to virtually all businesses
      • PII, PHI, financial data, cardholder data
      • disruption and data loss
      • claims from data subjects
      • fines and penalties from govts, agencies, indust. groups
      • impossible to prevent
      • plan ahead to reduce harm
  56. 4 Phases of Data Breach
      • Preparation
      • Prevention
      • Understanding Laws, Rules & Regulations
      • Responding
  57. Preparation
      • Breach Response Plan
        • Goal: Execute!
        • Who, What, When, How
      • Attorney – privilege
      • Adopted Notification Form
      • Educate Team
      • IT Security Audit / Penetration Testing
      • Compliance Audit
        • HIPAA, ERISA, OSHA, PCI, FINRA
      • Cyber Insurance
  58. Prevention
      • Software and Systems Updates
      • Remediate Vulnerabilities
      • Encrypt, Encrypt, Encrypt
      • Data Surveillance & IT Alerts
      • Cyber Counter-Intelligence / Counter-Espionage
      • IT Alerts
  59. Understanding Laws, Rules & Regulations
      • No Federal Breach Notification Law (yet)
      • 46 states have laws (not Alabama, Kentucky, New Mexico, South Dakota)
      • Massachusetts is an oddball
      • 45 days (FL, OH, VT, WI); otherwise expeditious, without unreasonable delay
      • Consumers + State Attorney General
      • Agencies (FTC, HHS, OCR, DOL, SEC)
      • Industries (FINRA, PCI)
      • International
  60. Responding to a Breach – Just Execute the Plan!
      • Contact Attorney
      • Assemble Response Team
      • Contact Forensics
      • Contact Vendor for Notification
      • Investigate Breach
      • Remediate Responsible Vulnerabilities
      • Reporting & Notification
        • Law Enforcement First
        • AGs, Admin. Agencies, Industries, Cred. Rpt, Consumers
  61. OTHER LAWS FOR COMBATING FRAUD 2.0
  62. Federal Laws for Combating Fraud 2.0
      • Electronic Communications Privacy Act – 18 U.S.C. § 2510
        • Wiretap Act: intercepted communications
        • Stored Communications Act: communications at rest
      • Fraud with Access Devices – 18 U.S.C. § 1029
        • devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive-through swipe cards
      • Identity Theft – 18 U.S.C. § 1028
  63. Texas Laws for Combating Fraud 2.0
      • Breach of Computer Security Act (Tx. Penal Code § 33.02)
        • knowingly access a computer without effective consent of owner
      • Fraudulent Use or Possession of Identifying Info (TPC § 32.51)
      • Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)
      • Unlawful Access to Stored Communications (TPC § 16.04)
      • Identity Theft Enforcement and Protection Act (BCC § 48.001)
      • Consumer Protection Against Computer Spyware Act (BCC § 48.051)
      • Anti-Phishing Act (BCC § 48.003)
  64. • Welcome to the world of Fraud 2.0!
      • Why? Remember what Jobs said
      • CFAA is very broad and covers all kinds of computer fraud (sometimes) – evolving!
      • Data Breaches – be prepared – it will happen!
      • Many other Federal and Texas laws also available for combating computer fraud
      • Cyber Insurance
  65. www.brittontuma.com