HACKING & COMPUTER
ICT security gerelateerde Blog
››› Nihil timendum est
| W40 - Week 40 - Weekveertig
THE ROLE OF THE FEDERAL GOVERNMENT 3
Phillips was convicted in a jury trial on one count of computer fraud under the CFAA and one count of possession of an identification document containing stolen Social Security numbers and was sentenced to five years probation, five hundred hours of community service, and a restitution of $170,056. Although major financial services companies, which are heavily regulated and audited by the government, generally provide much better security for their computer systems than less regulated businesses, some smaller players in the financial services industry may have insufficient information security controls. For example, in United States v. Marles, the defendant, a former employee of a credit card company, gained unauthorized access to his personal account using the expertise he gained as an employee and fraudulently increased his credit line to be able to transfer balances from his higher interest rate credit cards. The defendant pleaded guilty to computer fraud and was sentenced under the CFAA. Clearly, the credit card company did not have proper access controls in place to prevent former employees from accessing its computer systems.
In United States v. Willis, the Tenth Circuit upheld a conviction under the CFAA of a debt collecting agency employee who provided criminals with access credentials to a LexisNexis[TM] Web site, which enabled the criminals to commit identity theft and credit card fraud. Apparently, the employee
was the sole person responsible for creating and revoking LexisNexis[TM] access privileges of the debt collecting agency employees, a clear violation of basic information security principles. United States v. Ivanov was a rare case where United States law enforcement successfully apprehended and
prosecuted a foreign hacker in the United States under the CFAA for conspiracy, computer fraud, extortion, and possession of unauthorized access devices.
The hacker broke into a U.S. financial transaction processing company's computer systems and demanded payment for his assistance in making those systems secure. The company's failure to secure its computer systems made the break-in possible.
Despite these successful prosecutions, many cybercrimes go unpunished because of the immense technical complexities in investigating these crimes and finding their perpetrators. Nevertheless, criminal prosecution of online fraud serves as a deterrent contributing to the security of online transactions.
As will be discussed in Part V, crime prosecution together with government regulation and private legal actions constitute an integral element of an effective cybercrime prevention scheme.
B. The Financial Industry as an Example of Government Regulation of Information Security
Extensive government regulation reaches practically all aspects of the financial industry, including information security. Financial institutions are constantly working on improving the security of their online systems in order to ensure compliance with government regulation and make their clients feel safe online. The Federal Financial Institutions Examination Council (FFIEC) prescribes uniform principles, standards, and examination procedures to promote consistency in the supervision of financial institutions by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision. The FFIEC Information Technology Examination Handbook (the Handbook) consists of several booklets that cover various aspects of financial institutions' information technology operations. Written by James M. Sheehan, Special Agent in Charge, Criminal Division, FBI Los Angeles.