isaca m 19 cook - Law Seminars International

Evolving Threats: Fighting
Online Fraudulent Activity
LSI Conference, S.F.
William J. Cook
Bill Cook
Evolving Online Threats
» Partner, Wildman Harrold,
Chicago
» Retail response to CPP and
PCI failure claims
» Intellectual Property, Internet
and Web law (Business
Continuity and Security)
» 90 trials
» Expert presentations on
Internet liability before U.S.
House Judiciary Comm., GAO,
FCC
WILDMAN HARROLD | ATTORNEYS AND COUNSELORS
» Chicago IMNA Board
Member, Immediate Past
President
» Former Head of US DOJ
Computer Crime Task Force;
Counter-Espionage
Coordinator and CounterTerrorist Coordinator; DOJ
FEMA Coordinator
(Chicago)
» NRC Committee on Critical
Infrastructure Protection and
the Law
September 26, 2006
2
Spam
» 9 of 10 Internet emails are spam
» 6 of the 9 carry a payload
» Virus
» Bots
» Denial of service attacks
» VOIP attacks
» Virginia AG v. California
Webpage
BIA Security Crisis
» May 17, 2005: court continued the security
requirements and applied them to wireless
» Cobell v. Norton, Fed. 12/05/01
Other Vendor Issues
NY AG v. ACLU
» Secret contributor list
» Webpage representations
» The vendor did it
FTC v. Yesmail Inc. d/b/a Once Corporation
Software ate my homework
» Yesmail sent unsolicited commercial e-mail after consumers
asked it to stop
» FTC fine $50,717
» Yesmail sent e-mail on behalf of its clients more than 10
business days after recipients had asked it to stop.
» Yesmail offers e-mail marketing services, including sending
commercial e-mail and processing unsubscribe requests from
recipients.
» Yesmail said its spam filtering software filtered out certain
unsubscribe requests from recipients, which resulted in Yesmail
failing to honor unsubscribe requests by sending thousands of
commercial e-mail messages to recipients more than 10 business
days after their requests.
» http://www.ftc.gov/opa/2006/11/yesmail.htm
Spoofing
» The unauthorized use of a third-party domain name
as the sender's name in an e-mail message. Most
often used by spammers, spoofing the name of a
popular retailer or organization entices the recipient
to read the full message
» Handled as ID theft
» No federal prosecutions
FTP Site Compromise
» Client’s President accessed competitor’s FTP site and
obtained customer lists, vendor price lists, source code
» Criminal and civil actions filed against Client at the same
time as FBI search of corporate offices
» Issues regarding security, expectation of privacy
Spyware
» Software that covertly gathers user information through the user's Internet
connection without his or her knowledge, usually for advertising purposes.
» Typically bundled as a hidden component of freeware or shareware
programs that can be downloaded from the Internet
» Spyware monitors user activity on the Internet and transmits that
information in the background to someone else.
» Spyware can also gather information about e-mail addresses and even
passwords and credit card numbers.
» Spyware steals from the user by using the computer's memory resources
and also by eating bandwidth
» Because spyware exists as an independent executable program, it has the
ability to monitor keystrokes, scan files on the hard drive, snoop other
applications, such as chat programs or word processors, install other
spyware programs, read cookies, and change the default home page on the
Web browser, consistently relaying this information back to the spyware
author, who will either use it for advertising/marketing purposes or sell the
information to another party.
» Violation of ECPA? Computer Fraud & Abuse Act?
Michigan Becomes First State to Allow Employer
Liability for Workplace Identity Theft
» June 2005: announced that Michigan will allow
employee lawsuits against employers
» Michigan Ct. of Appeals allows employee
victim to recover $275,000
Ramifications of Stolen Computers
» Company outsourced healthcare information to vendors
» Client’s employee database of health information, personal
credit cards and other personal information missing
» Business Associate rule
» Vendor suffers intrusion and laptops stolen
» Internal investigation
» HIPAA exposure identified
» Potential employee legal action(s) identified
» Vendor forced to meet ISO 17799 and corporate standards
» Prepared and oversaw E&Y ISO 17799 security audit
and evaluated compensating controls
» Negotiated vendor contract changes and remediation
» Rewrote security provisions for vendor contracts
Defecting CEO
» CEO and 5 key employees left ecommerce client with
trade secret information to start up competing company
» Forced forensic analysis of departed hard drives to locate
stolen information
» Evaluated Economic Espionage Act referral/not applicable
» Opponents clearly understood liability and embarrassment
if they did not cooperate
» Used threat of litigation to achieve client’s business
strategy without actually having to go to court
» Negotiated return of all data and essentially shut down
potential competitor
I.D. Theft: Russian Carding
» Some estimates: 20% of credit card transactions are
fraudulent
» Since Feb. 2005, sensitive personal records
exposed in security breaches: 93,771,829
» Russian carding contributes $1 Billion annually to
Russian economy
» Russian carders sponsor events at the Kremlin
» Underground pages bragging about:
» Infiltrating bank processors
» Attacks on specific financial targets
» Breaching 3DES
» Posting databases
CPP (CPC) Designation
» Case against merchant begins with designation
as a common point of purchase (CPP) or a
common point of compromise (CPC)
» CPP is determined by reverse analysis of credit
card or debit card activity
» Credit card association or agent makes contact
» Date of alleged fraud may be remote
» Forensic Audit triggered
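The "reverse analysis" behind a CPP designation, as an added illustration that is not part of the presentation: starting from the cards later reported as fraudulent, look back at where each was used before its fraud report, find the merchant shared by the most of those cards, and correct for how common that merchant is among cards that stayed clean (otherwise a large chain every cardholder visits would always win). The transactions, card ids and merchant names below are constructed for the example; the smoothing and ranking rules are the author's choices, not a card-association procedure.

```python
"""Common-point-of-purchase (CPP) analysis over constructed card transactions.

Each record is (card_id, merchant, transaction_date). FRAUD_REPORTS maps a
card id to the date fraud was reported on it; any other card counts as clean.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample data (invented for this example, not from the slides).
TRANSACTIONS: List[Tuple[str, str, date]] = [
    ("C1", "MegaMart", date(2006, 3, 1)),
    ("C1", "CornerCafe", date(2006, 3, 4)),
    ("C1", "MegaMart", date(2006, 3, 20)),
    ("C2", "CornerCafe", date(2006, 3, 5)),
    ("C2", "GasStop", date(2006, 3, 7)),
    ("C3", "CornerCafe", date(2006, 3, 6)),
    ("C3", "MegaMart", date(2006, 3, 9)),
    ("C4", "CornerCafe", date(2006, 3, 28)),  # after C4's fraud report: ignored
    ("C4", "MegaMart", date(2006, 3, 2)),
    ("C5", "MegaMart", date(2006, 3, 3)),     # clean card
    ("C6", "GasStop", date(2006, 3, 4)),      # clean card
    ("C7", "MegaMart", date(2006, 3, 8)),     # clean card
]
FRAUD_REPORTS: Dict[str, date] = {
    "C1": date(2006, 3, 25), "C2": date(2006, 3, 26),
    "C3": date(2006, 3, 27), "C4": date(2006, 3, 20),
}


class Candidate(NamedTuple):
    merchant: str
    fraud_cards: int       # distinct fraud-reported cards used here before their report
    coverage: float        # fraud_cards / total fraud-reported cards
    baseline_share: float  # smoothed share of clean cards also used here
    lift: float            # coverage / baseline_share


def _merchants_per_card(transactions, fraud_reports):
    """Map card -> set of merchants; for fraud cards, only use up to the report date counts."""
    seen = defaultdict(set)
    for card, merchant, when in transactions:
        cutoff = fraud_reports.get(card)
        if cutoff is not None and when > cutoff:
            continue  # a purchase after the report cannot explain the compromise
        seen[card].add(merchant)
    return seen


def common_point_of_purchase(transactions, fraud_reports, min_coverage=0.5) -> List[Candidate]:
    """Rank merchants by the fraction of fraud cards that share them, then by lift over clean cards."""
    seen = _merchants_per_card(transactions, fraud_reports)
    n_fraud = len(fraud_reports)
    clean_cards = [c for c in seen if c not in fraud_reports]
    if n_fraud == 0:
        return []
    fraud_hits, clean_hits = defaultdict(int), defaultdict(int)
    for card, merchants in seen.items():
        bucket = fraud_hits if card in fraud_reports else clean_hits
        for m in merchants:
            bucket[m] += 1
    out = []
    for m, n in fraud_hits.items():
        coverage = n / n_fraud
        # Laplace smoothing so a merchant no clean card visited does not divide by zero.
        baseline = (clean_hits[m] + 1) / (len(clean_cards) + 2)
        if coverage >= min_coverage:
            out.append(Candidate(m, n, coverage, baseline, coverage / baseline))
    out.sort(key=lambda c: (c.coverage, c.lift), reverse=True)
    return out


def exposure_window(transactions, fraud_reports, merchant) -> Optional[Tuple[date, date]]:
    """Earliest and latest pre-report use of the merchant by fraud cards: the span a forensic audit should cover."""
    dates = [when for card, m, when in transactions
             if m == merchant and card in fraud_reports and when <= fraud_reports[card]]
    return (min(dates), max(dates)) if dates else None


if __name__ == "__main__":
    for cand in common_point_of_purchase(TRANSACTIONS, FRAUD_REPORTS):
        print(cand)
    print("audit window:", exposure_window(TRANSACTIONS, FRAUD_REPORTS, "CornerCafe"))
```

In the sample, CornerCafe and MegaMart are each seen on three of the four fraud cards, but MegaMart is also where most clean cards shop, so its lift is barely above 1 while CornerCafe's is not; the exposure window then bounds the dates the forensic audit needs to examine, which matters because, as the slide notes, the alleged fraud may be remote from the compromise.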
Moving Parts
» Visa, MC, AmEx, Discover
» Issuing banks
» Acquiring banks
» Merchants that accept fraudulent credit cards,
increasingly located in Europe
» POS software vendors
» Insurance companies and brokers
» Public relations
» Stockholder issues
» Board of Director issues
» Consumer disclosure issues and Secret Service nondisclosure request
» Disclosure / cooperation with federal agencies
Downstream Liability Issues
» Standard of care before intrusion
» How much due diligence can be proven
» Corporate policies
» Public relations
» SEC and Stockholder issues
» Board of Director issues
Questions?
William J. Cook, Esq.
Wildman Harrold Allen & Dixon LLP
225 West Wacker Drive
Chicago, IL 60606-1229
312.201.2000 (General Number)
312.201.2555 (Fax)
cook@wildmanharrold.com