FRAUD 2.0: An Overview of the Laws that Help Businesses and Individuals Combat Computer Fraud
Shawn E. Tuma, www.brittontuma.com
Association of Certified Fraud Examiners, November 8, 2012

What is Fraud 2.0? Computer fraud is the fraud of the century, and it is increasing exponentially each year. Shawn Tuma provides an in-depth analysis of the federal Computer Fraud and Abuse Act, the primary law available to help businesses and individuals combat the threat of computer fraud and obtain both civil and criminal remedies for those frauds. Tuma explains how the Computer Fraud and Abuse Act works, some of the practical steps that need to be taken in advance to ensure it is available should a computer fraud occur, and gives practical examples of several situations where the Computer Fraud and Abuse Act has been used successfully. He also provides a brief overview of some of the other laws that can be used to combat computer fraud – Fraud 2.0. This presentation was made to the Association of Certified Fraud Examiners (ACFE) - Dallas on November 8, 2012.


Page 1: Fraud 2.0 - The Laws that Help Businesses Combat Computer Fraud

FRAUD 2.0
An Overview of the Laws that Help Businesses and Individuals Combat Computer Fraud

Shawn E. Tuma
www.brittontuma.com

Association of Certified Fraud Examiners

November 8, 2012

Page 2

THINK ABOUT THIS …

Page 3

Did You Know?

[SEE FOLLOWING VIDEO] https://vimeo.com/2030361

Page 4

WHAT DOES THAT MEAN TO YOU?

Page 5

STUXNET?

Page 6

NON-COMPUTER-RELATED FRAUD?

Page 7

The Statistics

As of September 2012, cybercrime

• costs $110 billion annually

• 18 adults every second are victims

• 556,000,000 adults every year are victims

• 46% of online adults are victims

• mobile devices are trending

Source: 2012 Norton Cybercrime Report

Page 8

Fraud?

What is fraud?

• Fraud is, in its simplest form, deception

• Black’s Law Dictionary: “all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or suppression of the truth”

Page 9

Fraud?

Traditional vehicles for fraud?

• verbal communication

• written communication

• in person

• through mail

• over wire

Page 10

What do computers do?

EFFICIENCY!

Page 11

FRAUD 2.0

Page 12

Fraud 2.0

Computer Fraud = Fraud 2.0

• Deception, through the use of a computer

• “old crimes committed in new ways … using computers and the Internet to make the task[s] easier”

• computer hacking, data theft, theft of money, breaches of data security, privacy breaches, computer worms, Trojan horses, viruses, malware, denial of service attacks

• mouse and keyboard = modern fraudster tools of choice

Page 13

Fraud 2.0

Who knows the percentage of businesses that suffered at least one act of computer fraud in the last year?

90% (Ponemon Institute Study)

Page 14

The Law!

Computer Fraud and Abuse Act

Federal Law – 18 U.S.C. § 1030

Page 15

BRIEF HISTORY OF THE CFAA

Page 16

History of CFAA

Page 17

History of CFAA

Page 18

Why is the Computer Fraud and Abuse Act important?

Why?

• Primary Law for Misuse of Computers

• Computers …

Page 19

Why Computers?

“Everything has a computer in it nowadays.”

- Steve Jobs

Page 20

WHAT IS A COMPUTER?

Page 21

What is a computer?

The CFAA says

“the term ‘computer’ means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but …”

In short: has a processor or stores data

IMPORTANT! “such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;”

Page 22

What is a computer?

What about …

Page 23

Anything with a microchip

The Fourth Circuit says

“Just think of the common household items that include microchips and electronic storage devices, and thus will satisfy the statutory definition of ‘computer.’”

“That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, . . . .”

- United States v. Kramer

Page 24

What is a “protected” computer?

• The CFAA applies only to “protected” computers

• Protected = connected to the Internet

• This may limit the problem of applying it to alarm clocks, toasters, and coffee makers

• Any situations where these devices are connected?

Page 25

Perspective

• TI-99
  • 3.3 MHz Processor
  • 16 KB of RAM

• Leap Frog Leapster
  • 96 MHz Processor
  • 128 MB of RAM

• iPhone 5
  • 1.02 GHz Processor
  • 1 GB of RAM

Page 26

Perspective

• 66 MHz = fastest desktop in the 80s

• 96 MHz = child’s toy today

• 250 MHz = fastest supercomputer in the 80s

• 1.02 GHz = telephone today

Page 27

WHAT DOES THE CFAA PROHIBIT?

Page 28

Statutory Language

CFAA prohibits the access of a protected computer that is

• Without authorization, or

• Exceeds authorized access

Page 29

Statutory Language

Where the person accessing

• Obtains information

• Commits a fraud

• Obtains something of value

• Transmits damaging information

• Causes damage

• Traffics in passwords

• Commits extortion

Page 30

Very Complex Statute

• Overly simplistic list

• Very complex statute

• Superficially it appears deceptively straightforward

• Many pitfalls

“I am the wisest man alive, for I know one thing, and that is that I know nothing.”

- Socrates

Page 31

Very Complex Statute

Two Most Problematic Issues

“Loss” Requirement

• Confuses lawyers and judges alike

Unauthorized / Exceeding Authorized Access

• Evolving jurisprudence

• Interpreted by many Circuits

• New conflict on April 10, 2012

Page 32

Civil Remedy

• Limited civil remedy

• Procedurally complex with many cross-references

• “damage” ≠ “damages”

• Must have $5,000 “loss”

• Loss requirement is jurisdictional threshold

Page 33

Civil Remedy

What is a “loss”?

“any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

Loss = cost (unless interruption of service)

Page 34

Civil Remedy

What can qualify as a “loss”?

• Investigation and response costs
  • Forensics analysis and investigation
  • Diagnostic measures
  • Restoration of system
  • Bartered services for investigation / restoration

• Value of employees’ time

• Attorneys’ fees if leading investigation

Page 35

Civil Remedy

What is not a “loss”?

• Lost revenue (unless interruption of service)

• Value of trade secrets

• Lost profits

• Lost customers

• Lost business opportunities

• Privacy and Personally Identifiable Information

Page 36

Civil Remedy

Privacy and Personally Identifiable Information

• iTracking

• Hacking / data breach

• Browser cookies

REMEMBER: Loss is only required for civil remedy – not criminal violation

Page 37

Civil Remedy

What would you advise?

• Wrongful access of your client’s computer

• Considering a CFAA claim

• Your advice would be to ________?

Page 38

Civil Remedy

Remedies Available

• Economic damages

• Loss damage

• Injunctive relief

Not Available

• Exemplary damages

• Attorneys’ fees

Page 39

Basic Elements

Elements of broadest CFAA Claim

1. Intentionally access computer;

2. Without authorization or exceeding authorized access;

3. Obtained information from any protected computer; and

4. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.

Page 40

Basic Elements

Elements of CFAA Fraud Claim

1. Knowingly and with intent to defraud;

2. Accesses a protected computer;

3. Without authorization or exceeding authorized access;

4. By doing so, furthers the intended fraud and obtains anything of value; and

5. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.

Page 41

WRONGFUL ACCESS

Page 42

Wrongful Access

General Access Principles

• Access by informational / data use ≠ technician

• Must be knowing or intentional access ≠ accidental access

Page 43

Wrongful Access

Two Types of Wrongful Access

“without authorization”

• Outsiders

• No rights

• Not defined

• Only requires intent to access, not harm

• Hacker!

“exceeds authorized access”

• Insiders

• Some rights

• CFAA defines: access in a way not entitled

• Necessarily requires limits of authorization

• Employees, web users, etc.

Page 44

Wrongful Access

When does authorization terminate?

As of April 10, 2012, there are (once again) three general lines of cases: Trilogy of Access Theories

• Agency Theory

• Intended-Use Analysis

• Access Means Access

Page 45

Wrongful Access

Ways to establish limits for Intended-Use

Contractual

• Policies: computer use, employment & manuals

• Website Terms of Service

Technological

• Login and access restrictions

• System warnings

Training and other evidence of notification

Notices of intent to use CFAA

Page 46

Wrongful Access

Contractual limits should

• Clearly notify of limits

• Limit authorization to access information

• Limit use of information accessed

• Terminate access rights upon violation

• Indicate intent to enforce by CFAA

Goal: limit or terminate authorization

Page 47

Wrongful Access Examples

Employment Situations

Most common scenario is employment

• Employee accesses and takes customer account information

• Employee accesses and takes or emails confidential information to competitor

• Employee improperly deletes data and email

• Employee deletes browser history

• Employee accessing their Facebook, Gmail, Chase accounts at work

Page 48

Wrongful Access Examples

Family Law Situations

Have you ever logged into your significant other’s email or Facebook to see what they’re saying to others?

DON’T ANSWER THAT!

• Estranged spouse in Arkansas did after separation

• NTTA account?

• Bank account?

• Cancelling services via online accounts?

Page 49

Wrongful Access Examples

Sharing Website Logins

Have you ever borrowed or shared website login credentials and passwords for limited access sites (i.e., online accounts)?

DON’T ANSWER THAT!

• Recent case held that permitting others to use login credentials for a paid website was a viable CFAA claim

• The key factor here was that the conduct was prohibited by the website’s agreed-to Terms of Service

Page 50

Wrongful Access Examples

Misuse of Websites

Ever created a fake profile or used a website for something other than its intended purpose?

DON’T ANSWER THAT!

• Myspace Mom case

• Fake login to disrupt legitimate website sales

• Accessing website to gain competitive information when prohibited by TOS

• Creating a fake Facebook profile to research opposing parties

Page 51

Wrongful Access Examples

Hacking & Private Information

Hacking was original purpose for CFAA

• Hacking and obtaining private information (president’s educational records)

• Tracking individuals through geo-tagging

• Website collection of private information

• All fit within the prohibitions of the CFAA

• Loss is the problem, from a civil standpoint

Page 52

Wrongful Access Examples

What about …

• Hacking a car?

• Hacking a person?

• What else?

Page 53

Non-Access Examples

What about …

• Denial of Service Attacks

• Password Trafficking

Page 54

OTHER LAWS FOR COMBATING FRAUD 2.0

Page 55

Federal Laws

Federal Laws for Combating Fraud 2.0

• Electronic Communications Privacy Act - 18 U.S.C. § 2510
  • Wiretap Act: intercepted communications
  • Stored Communications Act: communications at rest

• Fraud with Access Devices - 18 U.S.C. § 1029
  • devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive-through swipe cards

• Identity Theft – 18 U.S.C. § 1028

Page 56

Texas Laws

Texas Laws for Combating Fraud 2.0

• Breach of Computer Security Act (Tx. Penal Code § 33.02)
  • knowingly access a computer without effective consent of owner

• Fraudulent Use or Possession of Identifying Info (TPC § 32.51)

• Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)

• Unlawful Access to Stored Communications (TPC § 16.04)

• Identity Theft Enforcement and Protection Act (BCC § 48.001)

• Consumer Protection Against Computer Spyware Act (BCC § 48.051)

• Anti-Phishing Act (BCC § 48.003)

Page 57

Conclusion

• Welcome to the world of Fraud 2.0!

• Why? Remember what Jobs said

• CFAA is very broad and covers all kinds of computer fraud (sometimes)

• Courts’ interpretation of the CFAA is changing all the time – you must stay updated!

• Many other Federal and Texas laws also available for combating computer fraud

Page 58

Do You Want to Know More?

www.brittontuma.com

www.shawnetuma.com

Shawn E. Tuma
d. 469.635.1335
m. 214.726.2808
e. [email protected]
@shawnetuma

Copyright © 2012