Articles Posted in Cybersecurity

Nowadays, we’re using the web for numerous purposes, including, but not limited to, online banking. So, we should be able to protect our financial information. Hackers have many ways to reach financial information, and without the prerequisite security they will succeed in accessing it. The law outlines the rules for financial institutions, such as data protection, data sharing, data preservation, security breach notification, or insurance requirements. Also, there are different standards when it comes to consumer and business bank accounts. For example, businesses face different prerequisites that must be fulfilled prior to submitting a claim against a financial institution.

How might hackers commit banking fraud?

Looking at how hackers may access your financial information, there are a few tools that need to be highlighted. Among them are Pivoting, Rubber ducks, and Pineapples. While this perhaps sounds odd, the way they can work is terrifying. Pivoting is a process hackers can use to break into a computer system by reaching it through an already-compromised device. For example, a hacker may access a web server by first gaining access to an email server within the same network. The same lateral movement can also occur between smart devices, which highlights a downside of the Internet of Things. Rubber ducks are special USB drives with small processors. They act as a “Trojan Horse” by downloading and re-uploading information quickly and autonomously without causing alerts. Pineapples, in comparison, are more likely to be encountered, but more difficult to avoid. These are devices that “clone” Wi-Fi networks. They function in the same way as the real network, allowing individuals to connect and access the web, but can also be used to access and hack data after someone is connected. Pineapples and Rubber ducks are dangerous because they can download “keyloggers” onto computers, which record and transfer confidential information (e.g., passwords, financial data) to the hacker’s computer.

This one isn’t an April Fools’ prank. On April 1, 2016, the Federal Communications Commission (“FCC”) announced its proposed rulemaking to create regulation that would bind Broadband Internet Access Service (“BIAS”) providers in the interest of enhancing privacy for consumers. This proposal has raised objections from AT&T, Comcast, USTelecom, and the Application Developer’s Alliance, which claim that the ensuing regulations would create a morass of regulation in the privacy sphere. Yet, the FCC’s regulations are meant to prohibit the monetization of the information that these providers obtain through the use of their services. So, what is a BIAS provider and how could these rules possibly protect privacy?

What is a BIAS provider?

BIAS providers provide internet service through wire or radio. The FCC even expands this to any functional equivalents of BIAS providers. Of some note is which entities are not BIAS entities. For example, companies like Facebook, Apple, and to some extent, Google, would not be bound by the terms here and could use the information that is collected through their services. This is because none of them actually provide the internet service that their consumers use. There is some room for Google to be covered, as it provides internet service in some locations through Google Fiber, but the regulations would only restrict the use of information gained through its internet access service, not information gained through the other services it offers to online consumers. Thus, Google’s Fiber service would likely be prohibited from using consumers’ personal information, while Google’s YouTube service would not.

On August 24, 2015, the United States Court of Appeals for the Third Circuit handed down its decision in favor of the Federal Trade Commission (FTC) against Wyndham Worldwide Corporation. This lawsuit was against the defendant and its subsidiaries for their failure to implement proper cybersecurity measures and protect consumers’ personal information against hackers. The FTC alleged that defendants did not use encryption, firewalls, and other commercially reasonable methods for protecting personal information.

What was the basis of the lawsuit?

In general, the FTC has the responsibility to protect consumers against unfair and deceptive business practices. These illegal practices could range from false advertising to antitrust issues. The FTC has started to prosecute companies with inadequate cybersecurity to protect consumer data. Companies that made false statements about their level of security in their terms of service have also had lawsuits filed against them. In this case, between 2008 and 2009, hackers breached Wyndham Worldwide Corporation’s network and computer systems three separate times. One incident occurred in 2008 and two occurred in 2009. The hackers were allegedly able to breach the network due to the use of weak and obvious passwords, the lack of response to the first incident, and inadequate monitoring systems. In one of the instances, it took approximately two months for Wyndham Worldwide Corporation to discover that its systems had been accessed without authorization. The hackers successfully accessed personal information of approximately 619,000 consumers and caused $10.6 million in fraudulent charges. Therefore, on June 26, 2012, the FTC brought the lawsuit against defendants. Their motion to dismiss was denied by the district court, and their appeal was heard on two issues in order to determine whether there was a valid claim: (1) whether the FTC had authority to regulate cybersecurity under 15 U.S.C. § 45; and (2) if so, whether defendants received fair notice that their cybersecurity practices were inadequate under the guidelines.

This year saw the data breaches of Sony Pictures, Ashley Madison, and Experian Credit Bureau. The increasing commonality of data breaches has prompted the federal and state legislatures to review their data breach notification laws.

What is a data breach?

A data breach occurs when an unauthorized user (i.e., a hacker) accesses sensitive personally identifiable information. The hacker then copies the confidential information and uses it as he or she sees fit. Oftentimes, the personally identifiable information is used to commit identity theft and fraud. This information can include names, telephone numbers, email addresses, credit card numbers, or social security numbers. The targets of these breaches can be businesses, financial institutions, and health care institutions.

The Internet of Things (“IoT”) is the network of electronic devices that communicate with each other via the Internet without human intervention. It has raised security concerns, since vast numbers of unsecured electronic devices are being used to send and receive information. Furthermore, data breaches that lead to the loss of privacy have become more common as the Internet is used to connect electronic devices via private and public networks.

What is the proper security level for electronic devices?

Electronic devices that connect to each other over the Internet were created to transfer information, but were not originally designed with proper security features. What is the proper security level when electronic devices are interconnected? In order to avoid unauthorized access, security precautions should be implemented within the electronic devices and computer networks. For example, firewalls, encryption, intrusion detection systems, and multi-factor authentication should be implemented as preventive and reactive measures. The electronic devices—which are accessed via the Internet—should be segmented into their own network with network access restrictions. Also, consumers should change the default passwords on smart devices and use strong passwords.

The Internet of Things (a/k/a “IoT”) functions through smart devices that communicate with each other and collect data without human interaction. These devices include smart cars, smart homes, smart hospitals, smart highways, or smart factories. However, the lack of security protecting information is creating privacy concerns as data is collected by companies and shared with third parties (e.g., marketing firms, governmental agencies). Also, a smart device can be accessed without authorization (i.e., hacked) by third parties and its information can be used for various illegal purposes.

What is the Internet of Things and what private information does it hold?

According to the Organization for Economic Cooperation and Development (“OECD”), one of the Fair Information Practice Principles is the collection limitation of personal data. Stated otherwise, data should be collected with the owner’s consent, through fair and lawful means, and collection should be limited. The OECD has issued guidelines that are considered minimum standards for the protection of privacy and individual liberties. From a practical standpoint, these principles (and the relevant guidelines) should be uniformly enforced in the United States and other countries.

According to its website, the Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. LifeLock has used the massive security breaches of companies like Anthem and Target to increase its membership. On July 21, 2015, the Federal Trade Commission (FTC) claimed that LifeLock—an identity theft protection company—had violated a 2010 Settlement it had made with the agency and thirty-five state attorneys general. This assertion was made due to LifeLock’s alleged misrepresentation of its security capabilities and its failure to take steps to protect consumers’ information.

What is the Federal Trade Commission’s responsibility?

The FTC was created to prevent anti-competitive business practices and protect consumers against deceptive or unfair business dealings. The Federal Trade Commission Act (which incorporates the U.S. Safe Web Act amendments of 2006) sets the parameters for how the agency can prosecute companies which it believes are misleading consumers through false or deceptive advertising. In fact, sections 45 and 52 of the statute indicate that, when a company commits an unfair act or deceptive practice, “and if it shall appear to the Commission that a proceeding … would be to the interest of the public, it shall issue and serve … a complaint stating its charges …” In addition, section 52 addresses the illegality of false advertisements, which would be likely to induce consumers to purchase a product. Although LifeLock was not advertising a product, it was falsely advertising services, so consumers were induced to buy memberships. Therefore, the FTC is utilizing its ability to prosecute companies for violating the law.

Cloud computing is a service that is offered by service providers and allows for large amounts of information to be stored in virtual servers. These organizations are referred to as Cloud Computing Service Providers (collectively “CCSPs”) and operate within the “cloud.” They are able to operate on a global scale, which makes their activities subject to international laws and places their users at the risk of loss of privacy.

What steps have been taken to protect user data?

In general, users of cloud computing relinquish their data, which may include confidential information, in order to store large amounts of information. Thus, CCSPs must be careful to protect privacy according to industry standards. The failure to establish proper safeguards may result in legal action by private individuals or governmental agencies (e.g., the Federal Trade Commission). Moreover, due to the security risk that users face by storing their data, governments have taken active roles in protecting against information loss. For example, the European Commission has instituted a Data Protection Directive. The purpose of this directive is to give citizens control over their personal data and to simplify the regulatory environment for business.

LastPass is a password management service that allows users to centralize all of their collective passwords under one master password. On June 15, 2015, LastPass announced that it was hacked and user data was compromised in the process.

What was stolen from the LastPass database?

LastPass officials released a statement following the attack stating that the hackers did not steal master passwords, but instead gained access to authentication hashes and/or checksums. These are used to verify that the master password is correct when a user tries to access an account. The attack also compromised cryptographic salts, password reminders, and user email addresses. Officials are confident that LastPass encryption measures protect most users and their master passwords. However, it is also possible that fairly weak master passwords, or ones short in length, remain exposed to offline guessing from the stolen hashes and salts.

In general, computer crime is a term that covers a variety of crimes involving internet or computer use that may be prosecuted under state or federal laws. Because of the rise in computer crimes, California state laws include provisions that prohibit these violations. In addition, other states have passed computer crime statutes in order to address this problem.

What is a computer crime?

An individual who accesses a computer, computer system or computer network and alters, destroys, or disrupts any of its parts is considered a perpetrator of computer crime. The charge is selected based upon the intent behind the unlawful access. Hacking is breaking into a computer, computer system, or computer network with the purpose of modifying the existing settings under malicious intentions. Unlawful or unauthorized access means trespassing on, storing, retrieving, changing, or intercepting computer resources without consent. Viruses, or other contaminants, include computer code that modifies, damages, or destroys electronic information without the owner’s permission. This often disrupts the operations of a computer, computer system, or network. As such, Congress enacted the Computer Fraud and Abuse Act in order to regulate computer fraud and to expand laws against it. This federal statute provides that “whoever knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period” shall be punished accordingly.