Fraud 2.0 - The Laws that Help Businesses Combat Computer Fraud

What is Fraud 2.0? Computer fraud is the fraud of the century and it is increasing exponentially each year. Shawn Tuma provides an in-depth analysis of the federal Computer Fraud and Abuse Act, the primary law that is available to help businesses and individuals combat the threat of computer fraud and obtain both civil and criminal remedies for those frauds. Tuma explains how the Computer Fraud and Abuse Act works, some of the practical steps that need to be taken in advance to ensure it is available should a computer fraud occur, and gives practical examples of several situations where the Computer Fraud and Abuse Act has been used successfully. He also provides a brief overview of some of the other laws that can be used to combat computer fraud – Fraud 2.0.

This presentation was made to Association of Certified Fraud Examiners (ACFE) - Dallas on November 8, 2012.



  1. FRAUD 2.0: An Overview of the Laws that Help Businesses and Individuals Combat Computer Fraud. Association of Certified Fraud Examiners, November 8, 2012
  2. THINK ABOUT THIS …
  3. [SEE FOLLOWING VIDEO] https://vimeo.com/2030361
  4. WHAT DOES THAT MEAN TO YOU?
  5. STUXNET?
  6. NON-COMPUTER RELATED FRAUD?
  7. As of September 2012, cybercrime:
     • costs $110 billion annually
     • 18 adults every second are victims
     • 556,000,000 adults every year are victims
     • 46% of online adults are victims
     • mobile devices are trending
     (Source: 2012 Norton Cybercrime Report)
  8. What is fraud?
     • Fraud is, in its simplest form, deception
     • Black’s Law Dictionary: “all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or suppression of the truth”
  9. Traditional vehicles for fraud?
     • verbal communication
     • written communication
     • in person
     • through mail
     • over wire
  10. What do computers do? EFFICIENCY!
  11. FRAUD 2.0
  12. Computer Fraud = Fraud 2.0
     • Deception, through the use of a computer
     • “old crimes committed in new ways … using computers and the Internet to make the task[s] easier”
     • computer hacking, data theft, theft of money, breaches of data security, privacy breaches, computer worms, Trojan horses, viruses, malware, denial of service attacks
     • mouse and keyboard = modern fraudster tools of choice
  13. Who knows the percentage of businesses that suffered at least one act of computer fraud in the last year? 90% (Ponemon Institute Study)
  14. Computer Fraud and Abuse Act: Federal Law – 18 U.S.C. § 1030
  15. BRIEF HISTORY OF THE CFAA
  16. [no text on slide]
  17. [no text on slide]
  18. Why is the Computer Fraud and Abuse Act important?
     • Primary Law for Misuse of Computers
     • Computers …
  19. “Everything has a computer in it nowadays.” – Steve Jobs
  20. WHAT IS A COMPUTER?
  21. The CFAA says (i.e., has a processor or stores data): “the term ‘computer’ means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but …” IMPORTANT! “such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;”
  22. What about
  23. The Fourth Circuit says: “Just think of the common household items that include microchips and electronic storage devices, and thus will satisfy the statutory definition of ‘computer.’ That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, . . . .” – United States v. Kramer
  24. The CFAA applies only to “protected” computers
     • This may limit the problem of applying it to alarm clocks, toasters, and coffee makers
     • Protected = connected to the Internet
     • Any situations where these devices are connected?
  25. Processor and memory comparison:
     • TI-99: 3.3 MHz processor, 16 KB of RAM
     • Leap Frog Leapster: 96 MHz processor, 128 MB of RAM
     • iPhone 5: 1.02 GHz processor, 1 GB of RAM
  26. 66 MHz = fastest desktop in the 80s; 96 MHz = child’s toy today; 250 MHz = fastest supercomputer in the 80s; 1.02 GHz = telephone today
  27. WHAT DOES THE CFAA PROHIBIT?
  28. CFAA prohibits the access of a protected computer that is
     • Without authorization, or
     • Exceeds authorized access
  29. Where the person accessing
     • Obtains information
     • Commits a fraud
     • Obtains something of value
     • Transmits damaging information
     • Causes damage
     • Traffics in passwords
     • Commits extortion
  30. “I am the wisest man alive, for I know one thing, and that is that I know nothing.” – Socrates
     • Overly simplistic list
     • Very complex statute
     • Superficially it appears deceptively straightforward
     • Many pitfalls
  31. Two Most Problematic Issues
     • “Loss” Requirement
       – Confuses lawyers and judges alike
     • Unauthorized / Exceeding Authorized Access
       – Evolving jurisprudence
       – Interpreted by many Circuits
       – New conflict on April 10, 2012
  32. Limited civil remedy
     • Procedurally complex with many cross-references
     • “damage” ≠ “damages”
     • Must have $5,000 “loss”
     • Loss requirement is jurisdictional threshold
  33. What is a “loss”? “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Loss = cost (unless interruption of service)
  34. What can qualify as a “loss”?
     • Investigation and response costs
       – Forensics analysis and investigation
       – Diagnostic measures
       – Restoration of system
       – Bartered services for investigation / restoration
     • Value of employees’ time
     • Attorneys’ fees if leading investigation
  35. What is not a “loss”?
     • Lost revenue (unless interruption of service)
     • Value of trade secrets
     • Lost profits
     • Lost customers
     • Lost business opportunities
     • Privacy and Personally Identifiable Information
  36. Privacy and Personally Identifiable Information
     • iTracking
     • Hacking / data breach
     • Browser cookies
     REMEMBER: Loss is only required for civil remedy – not criminal violation
  37. What would you advise?
     • Wrongful access of your client’s computer
     • Considering a CFAA claim
     • Your advice would be to ________?
  38. Remedies
     • Available
       – Economic damages
       – Loss damage
       – Injunctive relief
     • Not Available
       – Exemplary damages
       – Attorneys’ fees
  39. Elements of broadest CFAA Claim
     1. Intentionally access computer;
     2. Without authorization or exceeding authorized access;
     3. Obtained information from any protected computer; and
     4. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.
  40. Elements of CFAA Fraud Claim
     1. Knowingly and with intent to defraud;
     2. Accesses a protected computer;
     3. Without authorization or exceeding authorized access;
     4. By doing so, furthers the intended fraud and obtains anything of value; and
     5. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.
  41. WRONGFUL ACCESS
  42. General Access Principles
     • Access by informational / data use ≠ technician
     • Must be knowing or intentional access ≠ accidental access
  43. Two Types of Wrongful Access
     “without authorization”:
       – Outsiders
       – No rights
       – Not defined
       – Only requires intent to access, not harm
       – Hacker!
     “exceeds authorized”:
       – Insiders
       – Some rights
       – CFAA defines: access in a way not entitled
       – Necessarily requires limits of authorization
       – Employees, web users, etc.
  44. When does authorization terminate? As of April 10, 2012, there are (once again) three general lines of cases: Trilogy of Access Theories
     • Agency Theory
     • Intended-Use Analysis
     • Access Means Access
  45. Ways to establish limits for Intended-Use
     • Contractual
       – Policies: computer use, employment & manuals
       – Website Terms of Service
     • Technological
       – Login and access restrictions
       – System warnings
     • Training and other evidence of notification
     • Notices of intent to use CFAA
  46. Contractual limits should
     • Clearly notify of limits
     • Limit authorization to access information
     • Limit use of information accessed
     • Terminate access rights upon violation
     • Indicate intent to enforce by CFAA
     Goal: limit or terminate authorization
  47. Employment Situations: Most common scenario is employment
     • Employee accesses and takes customer account information
     • Employee accesses and takes or emails confidential information to competitor
     • Employee improperly deletes data and email
     • Employee deletes browser history
     • Employee accessing their Facebook, Gmail, Chase accounts at work
  48. Family Law Situations: Have you ever logged into your significant other’s email or Facebook to see what they’re saying to others? DON’T ANSWER THAT!
     • Estranged spouse in Arkansas did after separation
     • NTTA account?
     • Bank account?
     • Cancelling services via online accounts?
  49. Sharing Website Logins: Have you ever borrowed or shared website login credentials and passwords for limited access sites (i.e., online accounts)? DON’T ANSWER THAT!
     • Recent case held that permitting others to use login credentials for paid website was viable CFAA claim
     • The key factor here was the conduct was prohibited by the website’s agreed-to Terms of Service
  50. Misuse of Websites: Ever created a fake profile or used a website for something other than its intended purpose? DON’T ANSWER THAT!
     • Myspace Mom case
     • Fake login to disrupt legitimate website sales
     • Accessing website to gain competitive information when prohibited by TOS
     • Creating fake Facebook to research opposing parties
  51. Hacking & Private Information: Hacking was original purpose for CFAA
     • Hacking and obtaining private information (president’s educational records)
     • Tracking individuals through geo-tagging
     • Website collection of private information
     • All fit within the prohibitions of the CFAA
     • Loss is the problem, from a civil standpoint
  52. What about …
     • Hacking a car?
     • Hacking a person?
     • What else?
  53. What about …
     • Denial of Service Attacks
     • Password Trafficking
  54. OTHER LAWS FOR COMBATING FRAUD 2.0
  55. Federal Laws for Combating Fraud 2.0
     • Electronic Communications Privacy Act – 18 U.S.C. § 2510
       – Wiretap Act ≠ intercept communications
       – Stored Communications Act ≠ comm. at rest
     • Fraud with Access Devices – 18 U.S.C. § 1029
       – devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive through swipe cards
     • Identity Theft – 18 U.S.C. § 1028
  56. Texas Laws for Combating Fraud 2.0
     • Breach of Computer Security Act (Tx. Penal Code § 33.02)
       – knowingly access a computer without effective consent of owner
     • Fraudulent Use or Possession of Identifying Info (TPC § 32.51)
     • Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)
     • Unlawful Access to Stored Communications (TPC § 16.04)
     • Identity Theft Enforcement and Protection Act (BCC § 48.001)
     • Consumer Protection Against Computer Spyware Act (BCC § 48.051)
     • Anti-Phishing Act (BCC § 48.003)
  57. • Welcome to the world of Fraud 2.0!
     • Why? Remember what Jobs said
     • CFAA is very broad and covers all kinds of computer fraud (sometimes)
     • Courts’ interpretation of the CFAA is changing all the time – you must stay updated!
     • Many other Federal and Texas laws also available for combating computer fraud
  58. www.brittontuma.com
