What is Fraud 2.0? Computer fraud is the fraud of the century, and it is increasing exponentially each year. Shawn Tuma provides an in-depth analysis of the federal Computer Fraud and Abuse Act, the primary law available to help businesses and individuals combat the threat of computer fraud and obtain both civil and criminal remedies for those frauds. Tuma explains how the Computer Fraud and Abuse Act works, some of the practical steps that need to be taken in advance to ensure it is available should a computer fraud occur, and gives practical examples of several situations where the Computer Fraud and Abuse Act has been used successfully. He also provides a brief overview of some of the other laws that can be used to combat computer fraud – Fraud 2.0. This presentation was made to the Association of Certified Fraud Examiners (ACFE) – Dallas on November 8, 2012.
FRAUD 2.0
An Overview of the Laws that Help Businesses and Individuals Combat Computer Fraud
Shawn E. Tuma
www.brittontuma.com
Association of Certified Fraud Examiners
November 8, 2012
THINK ABOUT THIS …
Did You Know?
[SEE FOLLOWING VIDEO] https://vimeo.com/2030361
WHAT DOES THAT MEAN TO YOU?
STUXNET?
NON-COMPUTER-RELATED FRAUD?
The Statistics
As of September 2012, cybercrime
• costs $110 billion annually
• 18 adults every second are victims
• 556,000,000 adults every year are victims
• 46% of online adults are victims
• mobile devices are trending
(2012 Norton Cybercrime Report)
Fraud?
What is fraud?
• Fraud is, in its simplest form, deception
• Black’s Law Dictionary: “all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or suppression of the truth”
Fraud?
Traditional vehicles for fraud?
• verbal communication
• written communication
• in person
• through mail
• over wire
What do computers do?
EFFICIENCY!
FRAUD 2.0
Fraud 2.0
Computer Fraud = Fraud 2.0
• Deception, through the use of a computer
• “old crimes committed in new ways … using computers and the Internet to make the task[s] easier”
• computer hacking, data theft, theft of money, breaches of data security, privacy breaches, computer worms, Trojan horses, viruses, malware, denial of service attacks
• mouse and keyboard = modern fraudster tools of choice
Fraud 2.0
Who knows the percentage of businesses that suffered at least one act of computer fraud in the last year?
90% (Ponemon Institute Study)
The Law!
Computer Fraud and Abuse Act
Federal Law – 18 U.S.C. § 1030
BRIEF HISTORY OF THE CFAA
History of CFAA
Why?
Why is the Computer Fraud and Abuse Act important?
Primary Law for Misuse of Computers
Computers …
Why Computers?
“Everything has a computer in it nowadays.”
– Steve Jobs
WHAT IS A COMPUTER?
What is a computer?
The CFAA says: has a processor or stores data
“the term ‘computer’ means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but …”
IMPORTANT! “such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;”
What is a computer?
What about
Anything with a microchip
The Fourth Circuit says
“Just think of the common household items that include microchips and electronic storage devices, and thus will satisfy the statutory definition of ‘computer.’”
“That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, . . . .”
– United States v. Kramer
What is a “protected” computer?
The CFAA applies only to “protected” computers
Protected = connected to the Internet
This may limit the problem of applying it to alarm clocks, toasters, and coffee makers
Any situations where these devices are connected?
Perspective
• TI-99: 3.3 MHz Processor, 16 KB of RAM
• Leap Frog Leapster: 96 MHz Processor, 128 MB of RAM
• iPhone 5: 1.02 GHz Processor, 1 GB of RAM
Perspective
66 MHz = fastest desktop in the 80s
96 MHz = child’s toy today
250 MHz = fastest supercomputer in the 80s
1.02 GHz = telephone today
WHAT DOES THE CFAA PROHIBIT?
Statutory Language
CFAA prohibits the access of a protected computer that is
• Without authorization, or
• Exceeds authorized access
Statutory Language
Where the person accessing
• Obtains information
• Commits a fraud
• Obtains something of value
• Transmits damaging information
• Causes damage
• Traffics in passwords
• Commits extortion
Very Complex Statute
• Overly simplistic list
• Very complex statute
• Superficially it appears deceptively straightforward
• Many pitfalls
“I am the wisest man alive, for I know one thing, and that is that I know nothing.”
– Socrates
Very Complex Statute
Two Most Problematic Issues
“Loss” Requirement
• Confuses lawyers and judges alike
Unauthorized / Exceeding Authorized Access
• Evolving jurisprudence
• Interpreted by many Circuits
• New conflict on April 10, 2012
Civil Remedy
• Limited civil remedy
• Procedurally complex with many cross-references
• “damage” ≠ “damages”
• Must have $5,000 “loss”
• Loss requirement is jurisdictional threshold
Civil Remedy
What is a “loss”?
“any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”
Loss = cost (unless interruption of service)
Civil Remedy
What can qualify as a “loss”?
• Investigation and response costs
  • Forensics analysis and investigation
  • Diagnostic measures
  • Restoration of system
  • Bartered services for investigation / restoration
• Value of employees’ time
• Attorneys’ fees if leading investigation
Civil Remedy
What is not a “loss”?
• Lost revenue (unless interruption of service)
• Value of trade secrets
• Lost profits
• Lost customers
• Lost business opportunities
• Privacy and Personally Identifiable Information
Civil Remedy
Privacy and Personally Identifiable Information
• iTracking
• Hacking / data breach
• Browser cookies
REMEMBER: Loss is only required for civil remedy – not criminal violation
Civil Remedy
What would you advise?
• Wrongful access of your client’s computer
• Considering a CFAA claim
• Your advice would be to ________?
Civil Remedy
Remedies Available
• Economic damages
• Loss damage
• Injunctive relief
Not Available
• Exemplary damages
• Attorneys’ fees
Basic Elements
Elements of broadest CFAA Claim
1. Intentionally access computer;
2. Without authorization or exceeding authorized access;
3. Obtained information from any protected computer; and
4. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.
Basic Elements
Elements of CFAA Fraud Claim
1. Knowingly and with intent to defraud;
2. Accesses a protected computer;
3. Without authorization or exceeding authorized access;
4. By doing so, furthers the intended fraud and obtains anything of value; and
5. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.
WRONGFUL ACCESS
Wrongful Access
General Access Principles
• Access by informational / data use ≠ technician
• Must be knowing or intentional access ≠ accidental access
Wrongful Access
Two Types of Wrongful Access
“without authorization”
• Outsiders
• No rights
• Not defined
• Only requires intent to access, not harm
• Hacker!
“exceeds authorized access”
• Insiders
• Some rights
• CFAA defines: access in a way not entitled
• Necessarily requires limits of authorization
• Employees, web users, etc.
Wrongful Access
When does authorization terminate?
As of April 10, 2012, there are (once again) three general lines of cases: Trilogy of Access Theories
• Agency Theory
• Intended-Use Analysis
• Access Means Access
Wrongful Access
Ways to establish limits for Intended-Use
Contractual
• Policies: computer use, employment & manuals
• Website Terms of Service
Technological
• Login and access restrictions
• System warnings
Training and other evidence of notification
Notices of intent to use CFAA
Wrongful Access
Contractual limits should
• Clearly notify of limits
• Limit authorization to access information
• Limit use of information accessed
• Terminate access rights upon violation
• Indicate intent to enforce by CFAA
Goal: limit or terminate authorization
Wrongful Access Examples
Employment Situations
Most common scenario is employment
• Employee accesses and takes customer account information
• Employee accesses and takes or emails confidential information to competitor
• Employee improperly deletes data and email
• Employee deletes browser history
• Employee accessing their Facebook, Gmail, Chase accounts at work
Wrongful Access Examples
Family Law Situations
Have you ever logged into your significant other’s email or Facebook to see what they’re saying to others?
DON’T ANSWER THAT!
• Estranged spouse in Arkansas did after separation
• NTTA account?
• Bank account?
• Cancelling services via online accounts?
Wrongful Access Examples
Sharing Website Logins
Have you ever borrowed or shared website login credentials and passwords for limited-access sites (i.e., online accounts)?
DON’T ANSWER THAT!
• Recent case held that permitting others to use login credentials for a paid website was a viable CFAA claim
• The key factor here was that the conduct was prohibited by the website’s agreed-to Terms of Service
Wrongful Access Examples
Misuse of Websites
Ever created a fake profile or used a website for something other than its intended purpose?
DON’T ANSWER THAT!
• Myspace Mom case
• Fake login to disrupt legitimate website sales
• Accessing website to gain competitive information when prohibited by TOS
• Creating fake Facebook to research opposing parties
Wrongful Access Examples
Hacking & Private Information
Hacking was original purpose for CFAA
• Hacking and obtaining private information
  • (president’s educational records)
• Tracking individuals through geo-tagging
• Website collection of private information
• All fit within the prohibitions of the CFAA
• Loss is the problem, from a civil standpoint
Wrongful Access Examples
What about …
• Hacking a car?
• Hacking a person?
• What else?
Non-Access Examples
What about …
• Denial of Service Attacks
• Password Trafficking
OTHER LAWS FOR COMBATING FRAUD 2.0
Federal Laws
Federal Laws for Combating Fraud 2.0
• Electronic Communications Privacy Act – 18 U.S.C. § 2510
  • Wiretap Act – intercepted communications
  • Stored Communications Act – communications at rest
• Fraud with Access Devices – 18 U.S.C. § 1029
  • devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive-through swipe cards
• Identity Theft – 18 U.S.C. § 1028
Texas Laws
Texas Laws for Combating Fraud 2.0
• Breach of Computer Security Act (Tx. Penal Code § 33.02)
  • knowingly access a computer without effective consent of owner
• Fraudulent Use or Possession of Identifying Info (TPC § 32.51)
• Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)
• Unlawful Access to Stored Communications (TPC § 16.04)
• Identity Theft Enforcement and Protection Act (BCC § 48.001)
• Consumer Protection Against Computer Spyware Act (BCC § 48.051)
• Anti-Phishing Act (BCC § 48.003)
Conclusion
• Welcome to the world of Fraud 2.0!
• Why? Remember what Jobs said
• CFAA is very broad and covers all kinds of computer fraud (sometimes)
• Courts’ interpretation of the CFAA is changing all the time – you must stay updated!
• Many other Federal and Texas laws also available for combating computer fraud
Do You Want to Know More?
www.brittontuma.com
www.shawnetuma.com
Shawn E. Tuma
d. 469.635.1335
m. 214.726.2808
e. [email protected]
@shawnetuma
Copyright © 2012