Registered Students login to NYLS Portal for updated Course Information and Reading Assignments.
UNIT 04:
Online Fraud and Identity Theft; Intellectual Property Theft; Virtual Crime
PONDERABLES:
Distinguish fraud from computer fraud.
Explore how existing practices in identity management lead to identity theft and other frauds. Understand the relationship between identity(ies), identification, identification systems, authentication, and security. Examine the "trusted system" paradigm.
Distinguish data loss as cybercrime from data loss on a lost or stolen laptop.
Drawing the line between "sharing" and "piracy" in intellectual property crime. Old paradigm, commercial gain; new paradigm, commercial harm?
When is a "virtual" crime a "real" crime?
REQUIRED READING:
CASEBOOK: David J. Loundy, COMPUTER CRIME, INFORMATION WARFARE, AND ECONOMIC ESPIONAGE, Carolina Academic Press (2003) (ISBN:0890891109):
Chapter 7, Online Fraud, pp. 231-282 (NY v. Lipsitz; PA v. Murgallis; MI v. Jemison; Virgin Atlantic consent order; US v. Mullins; CA v. Gentry; SEC v. Cherif), and
Chapter 9, Identity Theft, pp. 335-344 (KS v. Vargas; WI v. Ramirez).
United States v. LaMacchia, 871 F.Supp. 535 (D. Ma. 1994) (distribution for free of pirated software neither "wire fraud" nor "criminal copyright infringement").
STATUTES:
IDENTITY THEFT AND ASSUMPTION DETERRENCE ACT of 1998
18 U.S.C. § 1028. Fraud and related activity in connection with identification documents, authentication features, and information.
18 U.S.C. § 1343. Fraud by wire, radio, or television.
NO ELECTRONIC THEFT ("NET") ACT
17 U.S.C. § 506. Criminal Offenses.
DIGITAL MILLENIUM COPYRIGHT ACT ("DMCA")
17 U.S.C. § 1201. Circumvention of copyright protection systems.
ADDITIONAL CASES:
Universal City Studios v. Corley, 273 F.3d 429 (2nd. Cir. 2001).
GOVERNMENT RESOURCES:
U.S. Department of State, International Financial Scams – Internet Dating, Inheritance, Work Permits, Overpayment, and Money- Laundering (PDF; 655 KB) ("provides full detailed descriptions of the often sophisticated scams reported to U.S. Embassies and Consulates abroad, and includes samples of email messages and offers that have been sent to potential victims. As illustrated by the brochure, the perpetrators often prey on potential victims’ goodwill by fabricating increasingly complicated but believable scenarios.”)
US DOJ, "Identity Theft and Identity Fraud," US Dept. of Justice:
The Department of Justice prosecutes cases of identity theft and fraud under a variety of federal statutes. In the fall of 1998, for example, Congress passed the Identity Theft and Assumption Deterrence Act . This legislation created a new offense of identity theft, which prohibits knowingly transfer[ring] or us[ing], without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.
18 U.S.C. § 1028(a)(7). This offense, in most circumstances, carries a maximum term of 15 years' imprisonment, a fine, and criminal forfeiture of any personal property used or intended to be used to commit the offense.
Schemes to commit identity theft or fraud may also involve violations of other statutes such as identification fraud (18 U.S.C. § 1028), credit card fraud (18 U.S.C. § 1029), computer fraud (18 U.S.C. § 1030), mail fraud (18 U.S.C. § 1341), wire fraud (18 U.S.C. § 1343), or financial institution fraud (18 U.S.C. § 1344). Each of these federal offenses are felonies that carry substantial penalties in some cases, as high as 30 years' imprisonment, fines, and criminal forfeiture.
ADDITIONAL READING:
Overview Fraud/Theft/Response:
Shane Harris, "The Cybercrime Wave: Grifters, fraudsters, and thieves go virtual," Nat'l J. (Feb. 7, 2009) ("The level of prosecutions ... has not kept up with the scale of growth of [cyber]criminal activity").
Ryan Blitstein, "Part I: How online crooks put us all at risk: INERNET FRAUD EPIDEMIC COSTING BILLIONS OF DOLLARS," Mercury News (Nov. 9, 2007) (" During the past few years, a professional class bent on stealthy online fraud has transformed Internet crime, rendering obsolete the hobbyist hackers who sought fun and fame.").
Ryan Blitstein, "Part II: How well are we protecting ourselves?," Mercury News (Nov. 12, 2007) ("... highlights a crisis within America's elaborate system of sensitive data: Internet users, businesses and guardians of information alike are doing a terrible job of self-protection.")
Ryan Blitstein, "Part III: U.S. targets terrorists as online thieves run amok," Mercury News (Nov. 13, 2007) ("Since the outbreak of a cybercrime epidemic that has cost the American economy billions of dollars, the federal government has failed to respond with enough resources, attention and determination to combat the cyberthreat").
Ryan Blitstein, "Online crooks often escape prosecution: JUSTICE DEPARTMENT DECLINES NEARLY THREE OF FOUR CASES," Mercury News (Nov. 18, 2007) (" Even as online crime has mushroomed in the past few years into a multibillion-dollar problem, federal prosecution of Internet crooks nationwide has not kept pace, a Mercury News analysis shows. In nearly three of four cases, federal prosecutors are choosing not to pursue the computer-fraud allegations that investigators bring them. And whether a case is prosecuted appears to vary widely, depending upon where the crime is committed or who the victims happen to be.")
Fraud and Identity Theft:
"Consumers Lose $8 Billion to Online Fraud," consumeraffairs.com (Aug. 8, 2006)
Byron Acohido and Jon Swartz, Cybercrime flourishes in online hacker forums, USA Today (Oct. 11, 2006).
"Online brokerage account scams worry SEC," CNET News (Reuters) (Oct. 13, 2006).
Floyd Norris, "S.E.C. Says Russian Trader Used Stolen Online Passwords," N.Y. Times (Dec. 20, 2006) ("A Russian trader ... found a simpler way to pump and dump stocks. The ... the trader ... used the Internet to steal passwords of account holders at online brokerage firms. ... [He] would buy, through his own account, shares in a thinly traded company. Immediately after that, he would use the accounts of victims to buy large quantities of the stock, driving up the price. He would then sell his shares into that demand.)
Will Knight, "One in 10 snared by fake 'phishing' messages," New Scientist News Service (Oct. 20, 2006) ("One in 10 internet users may be lured into handing over sensitive personal information such as a credit card number, by fraudulent "phishing" emails, research suggests").
Ellen Nakashima, "Hackers Zero in on Online Stock Accounts," Wash. Post A:01 (Oct. 24, 2006). ("'Although these schemes cleverly combine aspects of securities fraud, identity theft and hacking, what they really boil down to is outright thievery,' said John Reed Stark, chief of the Internet enforcement office at the Securities and Exchange Commission.")
Tom Zeller, Jr., "3 Americans Arrested by F.B.I. in Identity Thefts," N.Y. Times (November 3, 2006) ("The proliferation and sale of stolen consumer data on the international black market, particularly through online forums, has been a nagging problem for law enforcement, given the restrictions in national legal systems.")
Brian Krebs, "FBI Tightens Net Around Identity Theft Operations," Wash. Post (Nov. 3, 2006) ("The FBI is cracking down on an international identity theft operation that involves the trading of social security numbers; the sale of stolen credit card account information ["carding"]; and phishing, the practice of using e-mail to trick consumers into handing over personal information").
Ellen Nakashima, "Hack, Pump, and Dump", Washington Post (Jan. 26, 2007) ("... a wave of techno-criminals who meld computer hacking with identity theft to create nightmares for legitimate investors ... hacked into four online trading accounts of unsuspecting investors, selling off their holdings in higher-valued companies to purchase shares [in penny stocks in which they owned shares, when the stock prices went up they dumped their shares] ... The SEC is not saying how [the] ring obtained the user names and passwords on the investors' accounts. Typically, authorities said, hackers use keystroke monitoring software placed on a public computer, or they purchase personal data, such as stolen Social Security and credit card numbers, from criminal enterprises.")
Dawn Kawamoto, "FBI warns of twist in extortion phishing scam," CNET News (Jan. 12, 2007) ("FBI officials are warning users of a new phishing scam that plays off a recent round of bogus extortion threats.")
Enid Burns, Consumers Open One in Six Phishing Messages, ClickZ Stats (Feb. 5, 2007) ("As many as 59 million phishing e-mail messages are sent each day, and up to 10 million of those may be opened by consumers. A study released by Iconix finds one in four phishing messages are opened. Divided into eight categories, spoofed or phished messages had open rates ranging from 1 in 4 to 1 in 10. Fake social-network-related messages maintained 24.9 percent open rates. Other categories, including as e-cards (17.1 percent); payment (16.2 percent); financial (15.5 percent); auction (14.7 percent); information (12.9 percent); retail (12.1 percent); and dating (9.5 percent), had lower open rates.")
Bob Sullivan, "THE BIGGEST DATA DISASTER EVER," Red Tape Chronicles MSNBC (Nov. 30, 2007) ("It's being called the worst data leak of the information age. Earlier this month, U.K. officials had to admit they'd lost computer disks containing personal information on almost half the country's population, including nearly all families with children. If that's not bad enough, the databases included the worst kind of information to lose -- consumer bank account numbers.")
Grant Gross, "Colombian man pleads guilty to computer fraud," InfoWorld (Jan.10, 2008) ("... man pleaded guilty ... [to] ... identity theft scheme in which he installed keylogging software on hotel business center computers and Internet lounges in order to steal passwords, account data, and other personal information").
Cybercrime or property theft?
Robert McMillan, "Nashville laptop theft may cost $1 million: With Social Security numbers at risk, county officials offer registered voters in Tennessee county a year of free identity theft protection at the cost $10 per account," InfoWorld (Jan. 14, 2008) ("County officials say that thieves broke into Davidson County Election Commission offices on the weekend before Christmas, smashing a window with a rock and then making off with a $3,000 router, a digital camera, and a pair of Dell Latitude laptops containing names and Social Security numbers of all 337,000 registered voters in the county.")
Terrorists funding through internet fraud:
Brian Krebs, "Terrorism's Hook Into Your Inbox: U.K. Case Shows Link Between Online Fraud and Jihadist Networks," Washington Post (Jul. 5, 2007) ("Much has been written about how radical Islamic groups use the Internet to distribute propaganda and recruit members. The British investigation, however, revealed a significant link between Islamic terrorist groups and cyber-crime, and experts say security officials must do more to understand and confront cyber-crime as part of any overall strategy for combating terrorism.")
TJ Maxx (Business Model Case Study):
Jenn Abelson,"TJX breach snares over 200,000 cards in region," Boston Globe (Jan. 25, 2007).
Sharon Gaudin, "T.J. Maxx Security Breach Costs Soar To 10 Times Earlier Estimate," Information Week (Aug. 15, 2007).
Ross Kerber, "Visa clashes with retailers over standards for credit card safety," Boston Globe (Oct. 4, 2007) ("... the National Retail Federation ... yesterday called on credit card [issuers] to change procedures under which [retailers] store some data, which they said creates many of the vulnerabilities").
Mark Jewell, "TJX, Visa reach $40.9M settlement for data breach," USA Today (Nov. 30, 2007).
Press Release, "The TJX Companies, Inc. Reports Third Quarter FY08 Results," TJC Companies, Inc. (Nov. 13, 2007) (See footnote 2 to Consolidated Financial Statements: "Thus for the nine months ended October 27, 2007, net income includes after-tax charges of $130 million ($216 million pre-tax), or $0.28 per share, for costs related to the Computer Intrusion.")
Data Breach Cost:
Hope Yen, "VA agrees to pay $20 million to veterans in 2006 data breach," Associated Press (Jan. 28, 2009) ("The Veterans Affairs Department agreed yesterday to pay $20 million to veterans for exposing them to possible identity theft in 2006 by losing their sensitive personal information.")
Brian Krebs. "Data Breaches Are More Costly Than Ever," Wash. Post (Feb. 4, 2009) ("Organizations that experienced a data breach in 2008 paid an average of $6.6 million last year to rebuild their brand image and retain customers, according to a new study.")
Cf., "Experts question fallout from new Monster hack," AP (Feb. 05, 2009) ("For the second time in less than 18 months, the job-search website Monster.com was breached, along with USAJobs.gov, which Monster's parent company runs for the federal government. And yet Monster might suffer little fallout — because the overall state of computer security is so bad anyway.")
Fraud used to lure victims for physical robbery (is this cybercrime?):
Newsday, "Teens charged in Craigslist robbery ring," L.A. Times (Jan. 11, 2008) ("The gang placed fake ads ... offering cheap Porsches to lure cash-carrying victims ... Investigators ... used information from Craigslist and the digital trail left by [the ringleader] to trace the ad postings ... .)
Advertising on Craigslist for Hitman (Is this cybercrime?):
Aaron C. Davis, "FBI: Woman Sought Hit Man on Craigslist," Washington Post (AP) (Jan. 25, 2008) ("A woman advertised on the popular Internet site Craigslist for an assassin to kill the wife of a man with whom she'd had an affair ... It's not the first alleged crime ever solicited over the popular online bulletin board. There have been instances of ads posted by prostitutes and a Minnesota woman was killed last year after responding to an ad for a baby sitter. However, authorities and company officials say the murder-for-hire scheme appears to be the first of its kind.")
Robots harvest data for fraud:
Ina Fried, "Warning sounded over 'flirting robots'," CNet News (Dec. 7, 2007) ("A program that can mimic online flirtation and then extract personal information from its unsuspecting conversation partners is making the rounds in Russian chat forums ... The ... automated chats is good enough that victims have a tough time distinguishing the "bot" from a real potential suitor, ... "As a tool that can be used by hackers to conduct identity fraud, CyberLover demonstrates an unprecedented level of social engineering," ... Among CyberLover's creepy features is its ability to offer a range of different profiles from "romantic lover" to "sexual predator." It can also lead victims to a "personal" Web site, which could be used to deliver malware").
Money Laundering:
Brian Krebs, "'Money Mules' Help Haul Cyber Criminals' Loot," Washington Post (Jan 25, 2008) ("... the victim of a "money mule" scam, in which criminals make use of [sometimes unsuspecting] third parties ... to launder stolen funds. Mule recruitment is an integral part of many cyber crime operations because money transferred directly from a victim to an account controlled by criminals is easily traced by banks and law enforcement. The mules ... serve as a vital buffer, making it easier for criminals to hide their tracks.")
Facilitators:
Jacqui Cheng, "Judge shuts down online check service and fraud magnet Qchex," ars technica (Feb. 10, 2009) ("Federal Trade Commission accused Qchex of violating federal law because the company implemented no safeguards to prevent fraud in its check creation service. Qchex apparently created and sent checks drawn from any old bank account that users claimed were theirs without verifying that they were the owners of said accounts. Unsurprisingly, this made Qchex a shining beacon for scammers from around the globe who used the service to steal money from people's accounts, using those same checks to pay for various goods and services.")
Intellectual Property Crime:
US DOJ, Computer Crime & Intellectual Property Section, "Prosecuting Intellectual Property Crimes" (Third Edition Sep. 2006).
Wendy Davis, "Proposed Law Stiffens Penalties For Piracy," Online Media Daily (Dec. 10, 2007).
Greg Sandoval, "Jury hands feds first guilty verdict for Web music piracy," CNet News (May 23, 2008) ("For the first time ever, the federal government has successfully won a jury verdict against someone accused of illegally downloading music ... [The] jury ... found [defendant] guilty of conspiracy to commit criminal copyright infringement ... [He] faces up to five years in prison, a fine of $250,000 and must make full restitution ...").
Virtual Crime:
F. Gregory Lastowka and Dan Hunter, Virtual Crimes, 49 N.Y.L. Sch. L. Rev. 293 (2004/2005).
Will Knight, "Computer characters mugged in virtual crime spree," New Scientist (Aug. 18, 2005) ("A man has been arrested in Japan on suspicion of carrying out a virtual mugging spree by using software "bots" to beat up and rob characters in the online computer game Lineage II. The stolen virtual possessions were then exchanged for real cash.").
Regina Lynn, "Virtual Rape Is Traumatic, but Is It a Crime?" Wired (May 4, 2007) ("Last month, two Belgian publications reported that the Brussels police have begun an investigation into a citizen's allegations of rape -- in Second Life.").
Alan Sipress, "Does Virtual Reality Need a Sheriff? Reach of Law Enforcement Is Tested When Online Fantasy Games Turn Sordid," Washington Post (June 2, 2007).
"'Virtual theft' leads to arrest," BBC News (Nov. 14, 2007) ("A Dutch teenager has been arrested for allegedly stealing virtual furniture from "rooms" in Habbo Hotel, a 3D social networking website").
STEPHEN STRAUSS, "Virtual crime and punishment vs. free thought," CBC.ca Analysis and Viewpoint (Dec. 27, 2007).
Anita Ramasastry, "Are Virtual-World Bank Robbery, Pickpocketing, and Runs on Banks Covered by Real-World Laws?," FindLaw.com (Dec. 31, 2007)
David Talbot, "The Fleecing of the Avatars," MIT Tech Review, Jan/Feb 2008. (available in Course Documents) ("Recent fraud allegations are ominous for those who see virtual worlds as future centers of e-commerce").
David Talbot, "Second Life Closes Banks: After months of scandals, virtual banks get an eviction notice," MIT Tech Review (Jan. 10, 2008) ("For months, as banking meltdowns in the virtual world Second Life cost participants steep losses of real money, corporate owner Linden Lab of San Francisco stuck to a laissez-faire line, essentially saying, We just host the software; residents should avoid deals that sound too good to be true. But this week, Linden Lab abruptly banned virtual banks that can't furnish "proof of an applicable government registration statement or financial institution charter." The requirement appears likely to shut down all of Second Life's banks.")
Alana Semuels, "Virtual bank's Second Life scheme raises real concerns," LA Times (Jan. 22, 2008).
See also, VIRTUAL CHILD EXPLOITATION, below.
OPTIONAL READING IDENTITY THEFT:
Lynn M. Lopucki, Did Privacy Cause Identity Theft? 54 Hastings L. J. 1277 (2003).
K. A. Taipale, Presentation: Science and Technology: Identity Theft: Policy Implications at The Heritage Foundation, Washington, DC, Nov. 2, 2005. [presentation slides] (arguing that privacy and existing business models enable identity theft).
K. A. Taipale, Presentation: Technical and Policy Challenges: Implications for Evolving Business Models at the 16th Annual Economic Crimes Institute Conference, Tysons Corner, VA, Oct. 24, 2005. [presentation slides] (suggesting use of identity registrars to mitigate identity theft).
K. A. Taipale, Technology, Security and Privacy: The Fear of Frankenstein, the Mythology of Privacy, and the Lessons of King Ludd, 7 Yale J. L. & Tech. 123, 154-162; 9 Intl. J. Comm. L. & Pol'y 8 (Dec. 2004) (excerpt pp. 154-162):
A. TECHNOLOGIES OF IDENTIFICATION
Identification technologies or systems serve to authenticate data attribution – that is, they provide confidence that a particular piece of data (an attribute) or collection of data (an identity) correlates with a specified entity (an individual or other object).147
Authentication generally serves as the first step in one or both of two kinds of security applications or strategies – authorization and/or accountability.148 Authorization (or permission) is the process of deciding what an identified individual is permitted (or not permitted) to do within a system (including whether they are allowed access in the first place). ... . Accountability, on the other hand, is the process of associating a consequence to the individual for any actions that they may take within the system, for example, by recording identifying information prior to entry into a system, or by monitoring, recording or logging activity within the system, to allow for subsequent tracking or sanction. Both authorization and accountability serve to ensure that rules governing behavior within a system are obeyed.149
***
In any identification system, there are generally three forms of authentication that can occur:
• Entity authentication is the process of establishing confidence that an identifier, for example, a name, number or symbol, refers to a specific entity (an individual, place or thing),151
• Identity authentication is the process of establishing confidence that an identifier refers to an identity (a collection of data related to an entity),152 and
• Attribute authentication is the process of establishing confidence that an attribute (a property associated with an entity, for example, a physical descriptor or a role, etc.) applies to a specific entity.153
***
Identity verification can be achieved through tokens (something you have), passwords (something you know), or a data match (something you are).159 The highest level of confidence combines all three, for example, a token (ID card), requiring a password (PIN), and that contains a data match (for example, a biometric identifier).160
Confidence in identification depends not only on the technologies of identification but on the integrity of the process of enrollment (the issuing and maintaining of tokens, passwords and the data to be matched), as well as the process of verification (confirming or verifying identity).161
***
Authentication (that is, identification) in a security system is only the first step and does not provide security against a particular threat on its own. After identity is authenticated it must be used for some security purpose – either by authorizing the individual to do or not do something,165 or by logging or tracking identifying data in some fashion to provide for later accountability. Thus, any identification system is only as good as the watch list or other criteria against which the authenticated identity is compared for authorization166 or the deterrent effectiveness of the sanction for accountability.167
1. IDENTIFICATION SYSTEMS AND SECURITY
Identification based security is always somewhat vulnerable because of what is known as the trusted systems problem.168 With few exceptions, “secure” systems need to be penetrated – under authorized circumstances by trusted people.169 Unfortunately, there is inherently no way to prove trust, the best that any identification system can do is confirm not-yet-proven-untrustworthy status, i.e. confirm that a particular individual is not on a watch list for example.170
***
Therefore, any system of identification needs to be part of a larger security system that recognizes, and compensates for, this problem. So, for example, a system for screening passengers ... should be combined with random searching of non-flagged passengers to provide layered security.172
Another general problem in security systems is balancing security with usability or functionality.173 Authentication imposes friction or overhead on a system and can interfere with its usefulness [and reduce degrees of freedom].
***
Registered Students login to NYLS Portal for updated Reading Assignments.
Course Outline/Class Units
Registererd NYLS students login to my.nyls.edu for updated outline and assignments.
- Overview, What is Cybercrime?
- Computer Intrusions and Attacks (Unauthorized Access)
- Computer Viruses, Time Bombs, Trojans, Malicious Code (Malware)
- Online Fraud and Identity Theft; Intellectual Property Theft; Virtual Crime
- Online Vice: Gambling; Pornography; Child Exploitation
- International Aspects and Jurisdiction
- Infrastructure and Information Security; Risk Management
- Investigating Cybercrime: Digital Evidence and Computer Forensics
- Interception, Search and Seizure, and Surveillance
- Information Warfare, Cyberterrorism, and Hacktivism
- Terrorism, Radicalization, and The War of Ideas
- Trade Secret Theft and Economic Espionage
- National Security
- Case Study: CALEA, VoIP
Course Information
- PAPER RESEARCH
- USEFUL LINKS FOR DEFINING TECHNICAL TERMS
- COURSE SUBTEXT AND OPTIONAL BACKGROUND MATERIAL
Registered Students login to NYLS Portal for updated Reading Assignments.
All original material on this or any linked page is copyright the Center for Advanced Studies in Science and Technology Policy © 2003-2009. Permission is granted to reproduce this material in whole or in part for non-commercial purposes, provided it is with proper citation and attribution.
|
