Week 9 & 10 - Crime and Security
Crime and Security
Copyright © 2018, 2013, 2008 Pearson Education, Inc. All Rights Reserved
iPhone hack that threatened emergency 911 system lands teen in jail
• Meetkumar Hiteshbhai Desai published Web links that caused iPhones to repeatedly dial 911
• The volume of calls put authorities “in immediate danger of losing service to their switches.” Affected systems in Arizona, California and Texas.
• A proof-of-concept attack devised by researchers in Israel required just 6,000 infected smartphones in a geographical area to tamper with the 911 system for the entire state of North Carolina.
• The researchers estimated that 200,000 infected phones distributed across the US could significantly disrupt 911 services for the entire country.
Google issues warning of critical Windows vulnerability in wild
• Google’s Threat Analysis Group discovered a set of zero-day vulnerabilities in Adobe Flash and the Microsoft Windows kernel that were already being actively used by malware attacks against the Chrome browser.
• Google alerted both Adobe and Microsoft of the discovery on October 21, and Adobe issued a critical fix to patch its vulnerability last Friday. But Microsoft has yet to patch a critical bug in the Windows kernel that allows these attacks to work, which prompted Google to publicly announce the vulnerabilities on October 31.
• “After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” wrote Neel Mehta and Billy Leonard of Google’s Threat Analysis Group. “This vulnerability is particularly serious because we know it is being actively exploited.”
What We Will Cover
• Hacking
• Responsible Disclosure
• Identity Theft and Credit Card Fraud
• Whose Laws Rule the Web
Hacking History
• Intentional, unauthorized access to computer systems
• The term has changed over time
• Phase 1: The joy of programming
  • Early 1960s to 1970s
  • It was a positive term
  • A "hacker" was a creative programmer who wrote elegant or clever code
  • A "hack" was an especially clever piece of code
Hacking History
• Phase 2: 1970s to mid 1990s
  • Hacking took on negative connotations
  • Breaking into computers for which the hacker does not have authorized access
  • Still primarily individuals
  • Includes the spreading of computer worms and viruses and ‘phone phreaking’
  • Companies began using hackers to analyze and improve security
Hacking History
• Phase 3: The growth of the Web and mobile devices
  • Beginning in mid 1990s
  • Growth of the Web changed hacking:
  • Viruses and worms could be spread rapidly
  • Political hacking (hacktivism) surfaced
  • Denial-of-service (DoS) attacks used to shut down Web sites
  • Large scale theft of personal and financial information
Hacking Harmless?
• Is “harmless hacking” harmless?
  • Responding to nonmalicious or prank hacking uses resources.
  • Hackers could accidentally do significant damage.
  • Almost all hacking is a form of trespass.
Hacktivism
• Political hacking
  • Use of hacking to promote a political cause
• Disagreement about whether it is a form of civil disobedience and how (or whether) it should be punished
• Some use the appearance of hacktivism to hide other criminal activities
• How do you determine whether something is hacktivism or simple vandalism?
Security Researchers
• “White hat hackers” use their skills to demonstrate system vulnerabilities and improve security
• What is “responsible disclosure”?
• Ethical dilemmas:
  • Is it ethical to break into a system without permission, even with good intentions?
  • How can people responsibly inform potential victims of security
Hacking as Foreign Policy
• Hacking by governments has increased
• The Pentagon has announced it would consider and treat some cyber attacks as acts of war, and the U.S. might respond with military force.
• How can we make critical systems safer from attacks?
Stuxnet as a Trend
• An extremely sophisticated worm
• Targets a particular type of control system
• Beginning in 2008, damaged equipment in a uranium enrichment plant in Iran
Security
• Hacking is a problem, but so is poor security.
• A variety of factors contribute to security weaknesses:
  • History of the Internet and the Web
  • Inherent complexity of computer systems
  • Speed at which new applications develop
  • Economic and business factors
  • Human nature
Security
• The Internet started with open access as a means of sharing information for research.
• Attitudes about security were slow to catch up with the risks.
• Firewalls are used to monitor and filter out communication from untrusted sites or that fits a profile of suspicious activity.
• Security is often playing catch-up to hackers as new vulnerabilities are discovered and exploited.
Responsibility for Security
• Developers have a responsibility to develop with security as a goal.
• Businesses have a responsibility to use security tools and monitor their systems to prevent attacks from succeeding.
• Home users have a responsibility to ask questions and educate themselves on the tools to maintain security (personal firewalls, anti-virus and anti-spyware).
Hacking
• After WikiLeaks released thousands of confidential U.S. government diplomatic and military documents on the Web, hackers conducted a denial-of-service attack on the WikiLeaks website.
• When major credit card companies stopped processing donations to WikiLeaks, other hackers attacked the credit card companies.
• For each action, give arguments that it was justifiable hacktivism,
  • transparency and accountability, exposing information that the public had a right to know.
Discussion Questions
• Is hacking that does no direct damage a victimless crime?
• Do you think hiring former hackers to enhance security is a good idea or a bad idea? Why?
Hacking
Small Business Insecurity
• Small businesses
  • can’t afford a security staff
  • are gateways to larger systems
  • often go out of business after a breach
60% of small companies that suffer a cyber attack are out of business within six months.
• The U.S. National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses over six months after a cyber attack.
• The average price for small businesses to clean up after their businesses have been hacked stands at $690,000; for middle market companies, it’s over $1 million.
• Small and mid-sized businesses are hit by 62 percent of all cyber-attacks, about 4,000 per day.
Small Business Insecurity
• Have you heard of the small business Fazio Mechanical?
  • Specializes in supermarket refrigeration systems
  • Small business (fewer than 200 employees) in southwest Pennsylvania
• Target security breach (Fall 2013)
  • Data on 40 million credit cards stolen
  • Over 70 million customer records stolen
  • Started with a phishing email sent to Fazio Mechanical
Security
• Security breaches occur because of:
  • Poorly written software
  • Poorly configured networks and applications
Fun With CFAA
The Law: Catching and Punishing
• In 1984 Congress passed the Computer Fraud and Abuse Act (CFAA)
  • Covers government computers, financial and medical systems, and activities that involve computers in more than one state, including computers connected to the Internet
• Under the CFAA, it is illegal to access a computer without authorization
• The USA PATRIOT Act expanded the definition of loss to include the cost of responding to an attack, assessing damage and restoring systems
The Law: Catching and Punishing
• Expansion of the Computer Fraud and Abuse Act
  • The CFAA predates social networks, smartphones, and sophisticated invisible information gathering.
  • Some prosecutors use the CFAA to bring charges against people or businesses that do unauthorized data collection.
  • Is violating terms of agreement a form of hacking?
CFAA: Robert Morris, Jr. (1989)
• The Morris Worm
• Son of the Chief Scientist at NSA’s National Computer Security Center
• Graduate student at Cornell
• 3 years probation, 400 hours community service
CFAA: Lori Drew (2008)
• Opened three false MySpace accounts to cyberbully a teen girl who had fallen out with her daughter.
• The girl committed suicide; the public pressured authorities to charge Drew with a crime.
• There was no law against cyberbullying, so prosecutors charged Drew with unauthorized access to MySpace’s computers because she violated the site’s user agreement.
• Prosecutors argued that by violating this contract, Drew had committed the same crime as any hacker. The jury agreed.
• The judge vacated the conviction.
CFAA: Sergei Aleynikov (2009)
• Programmer for Goldman Sachs who helped develop trading software
• Before leaving his job, he downloaded code he’d written
• Prosecutors charged him with unauthorized access
• “only intended to download open source software files”
• “an employee with authority to access his employer’s computer system does not violate the CFAA by using his access privileges to misappropriate information.”
CFAA: Matthew Keys (2010)
• Had been a web producer for KTXL FOX-40 TV in Sacramento
• In an online Anonymous chatroom, he disclosed the username and password for a server owned by the Tribune Company (parent of KTXL) and encouraged hackers to mess up the web site
• By the government’s own admission, the crime was minor; prosecutors inflated losses to elevate charges from misdemeanors to three felonies
• Convicted on three felony charges and awaiting sentencing
• Possible 25 year sentence
CFAA: Aaron Swartz (2011)
• Downloaded 2.7 million academic papers from MIT
• Papers freely available to anyone on campus through the JSTOR service
• Connected in a “closet” on campus
• Intent to distribute off-campus
• 13 felony counts — one for each date he downloaded documents
• Maximum 50 years and $1 million
CFAA: Andrew Auernheimer (2011)
• (with Daniel Spitler)
• Discovered a hole in AT&T’s website that allowed them to obtain the email addresses of AT&T iPad users.
• Wrote a script that managed to harvest about 120,000 email addresses
• The government insisted that accessing unprotected emails that AT&T didn’t want anyone to access was criminal hacking
• Sentenced to three and a half years
• Sentence overturned because of venue (crime not committed in New Jersey)
CFAA: Fidel Salinas (2012)
• Member of Anonymous
• Charged with 44 felony counts of computer fraud and abuse
  • Filled out a form on a person’s web site with junk and submitted it
  • “Cyber-stalking”
  • Potential 440 years of prison time
• Reduced to slowing down a state government website by repeatedly querying it with vulnerability-scanning software (6 months & $10,600)
CFAA: David Nosal (2013)
• Worked for executive search firm Korn/Ferry International
• Former colleagues gave him access to a company database with trade secrets to help him launch a competing business
• Instead of Korn/Ferry suing him for theft of trade secrets, prosecutors charged him with inducing Korn/Ferry workers into accessing data they were authorized to access but forbidden to divulge under the terms of their work contract
• Judges ruled that:
  • someone didn’t have to actually hack something to be charged as a hacker
  • employees could not be prosecuted under the CFAA for simply violating their employer’s computer use policy
• Sentenced to 1 year and 1 day
Hacking
• Suppose a denial-of-service attack shuts down two dozen major websites, including retailers, stock brokerages, and large corporate entertainment and information sites, for several hours. The attack is traced to one of the following perpetrators.
• Do you think different penalties are appropriate, depending on which it is? Explain why. If you would impose different penalties, how would they differ?
  • A foreign terrorist who launched the attack to cause billions of dollars in damage to the U.S. economy.
  • An organization publicizing its opposition to commercialization of the Web and corporate manipulation of consumers.
  • A teenager using hacking tools he found on a website.
  • A hacker group showing off to another hacker group about how many sites it could shut down in one day.
Hacking
• How is the loss of time and service from a denial-of-service attack different from (or the same as) the time and service lost from a traffic delay caused by a traffic “accident”?
Hacking
• Do we have an ethical responsibility to maintain up-to-date antivirus protection and other security software on our personal computers to prevent our computer from being infected with remotely controlled software that harms others?
• Should a law require that everyone install such software?
Responsible Disclosure
• Whistleblowing — legal definition
  • “The disclosure by a person, usually an employee in a government agency or private enterprise, to the public or to those in authority, of mismanagement, corruption, illegality, or some other wrongdoing.”
• Full Disclosure — legal definition
  • “The need in business transactions to tell the ‘whole truth’ about any matter which the other party should know in deciding to buy or contract.”
• Responsible Disclosure
  • The “security researcher” who found the vulnerability confidentially reports it to the impacted company.
  • The two work in good faith to establish an agreed-upon period of time for the vulnerability to be patched.
  • Once the agreed-upon time period expires and the vulnerability is patched or the patch is available for installation by the users of the software, the security researcher can publicly disclose the vulnerability.
Responsible Disclosure
• A man who copied patient files from a medical center said he did it to publicize the system’s vulnerability, not to use the information.
• He disclosed portions of the files to a journalist after the medical center said that no one had copied patient files.
• Should we view him as a whistleblower or a criminal?
Responsible Disclosure
• Hackers collected the email addresses of more than 100,000 iPad owners from a public AT&T website.
• The site displayed the email address of an iPad owner to anyone who entered the iPad ID number; it did not require a password.
• The hackers notified media organizations about the security flaw and discussed it on a chat channel before AT&T knew about it.
• Did they act responsibly or irresponsibly and criminally?
• One of the hackers was found guilty of identity fraud and accessing a computer without authorization, but an appeals court overturned the conviction.
Responsible Disclosure
• A hacker broke into the website of the children’s toy manufacturer VTech and extracted personal data and photos of millions of adults and kids.
• He did not publish the data or contact VTech, but instead contacted a media outlet, which then ran a story about the existence of the vulnerability and the risk to children.
• VTech responded quickly, fixing the defect within a week. U.K. police arrested the hacker for violating that country’s Computer Misuse Act.
• Did the hacker act responsibly?
• Was the police response reasonable?
The Law: Catching and Punishing
• To reduce scams that steal from people banking online, some people suggest creating a new Internet domain “bank,” available only to chartered banks.
  • Which identity theft and fraud techniques would this new domain help prevent?
  • For which would it be ineffective?
  • Overall, do you think it is a good idea? Why or why not?
The Law: Catching and Punishing
• Catching hackers
  • Law enforcement agents read hacker newsletters and participate in chat rooms undercover
  • They can often track a handle by looking through newsgroup or other archives
  • Security professionals set up ‘honey pots’, Web sites that attract hackers, to record and study them
  • Computer forensics specialists can retrieve evidence from computers, even if the user has deleted files and erased the disks
  • Investigators trace viruses and hacking attacks by using ISP records and router logs
The Law: Catching and Punishing
• Penalties for young hackers
  • Many young hackers have matured and gone on to productive and responsible careers
  • Temptation to over- or under-punish
  • Sentencing depends on intent and damage done
  • Most young hackers receive probation, community service, and/or fines
  • Not until 2000 did a young hacker receive time in juvenile detention
Most common passwords
• List from http://www.passwordrandom.com/most-popular-passwords
# Password MD5
1 password 5f4dcc3b5aa765d61d8327deb882cf99
2 123456 e10adc3949ba59abbe56e057f20f883e
3 12345678 25d55ad283aa400af464c76d713c07ad
4 1234 81dc9bdb52d04dc20036dbd8313ed055
5 qwerty d8578edf8458ce06fbc5bb76a58c5ca4
6 12345 827ccb0eea8a706c4c34a16891f84e7b
7 dragon 8621ffdbc5698829397d97767ac13db3
8 pussy acc6f2779b808637d04c71e3d8360eeb
9 baseball 276f8db0b86edaa7fc805516c852c889
10 football 37b4e2d82900d5e94b8da524fbeb33c0
11 letmein 0d107d09f5bbe40cade3de5c71e9e9b7
12 monkey d0763edaa9d9bd2a9516280e9044d885
13 696969 7d0710824ff191f6a0086a7e3891641e
14 abc123 e99a18c428cb38d5f260853678922e03
15 mustang bee783ee2974595487357e195ef38ca2
16 michael 0acf4539a14b3aa27deeb4cbdf6e989f
17 shadow 3bf1114a986ba87ed28fc1b5884fc2f8
18 master eb0a191797624dd3a48fa681d3061212
19 jennifer 1660fe5c81c4ce64a2611494c439e1ba
20 111111 96e79218965eb72c92a549dd5a330112
21 2000 08f90c1a417155361a5c4b8d297e0d78
22 jordan d16d377af76c99d27093abc22244b342
23 superman 84d961568a65073a3bcf0eb216b2a576
24 harley ef4cdd3117793b9fd593d7488409626d
25 1234567 fcea920f7412b5da7be0cf42b8c93759
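Added example, not part of the slides: the script confirms that the table's hashes are plain unsalted MD5 of the listed passwords, which is exactly why such a published table doubles as an instant lookup against any system that stores passwords that way. It then shows the two defensive uses a practitioner would want: rejecting a common password at signup by hash, and storing passwords with a per-user random salt and a slow derivation (PBKDF2-HMAC-SHA256 from Python's hashlib is my choice here, not something the slides prescribe) so a precomputed table cannot be matched against stored records.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# First five rows copied from the slide's table: unsalted MD5 -> password.
COMMON_PASSWORD_MD5 = {
    "5f4dcc3b5aa765d61d8327deb882cf99": "password",
    "e10adc3949ba59abbe56e057f20f883e": "123456",
    "25d55ad283aa400af464c76d713c07ad": "12345678",
    "81dc9bdb52d04dc20036dbd8313ed055": "1234",
    "d8578edf8458ce06fbc5bb76a58c5ca4": "qwerty",
}

# PBKDF2 work factor; constructed value for the example. Tune so one
# derivation costs on the order of 100 ms on the production server.
ITERATIONS = 100_000


def md5_hex(password: str) -> str:
    """Unsalted MD5, the scheme the slide's table was built with."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def table_matches_plain_md5() -> bool:
    """Every hash in the table is MD5(password) with no salt and no
    iteration, so identical passwords give identical digests everywhere.
    That property is what makes a public table usable as a lookup."""
    return all(md5_hex(pw) == h for h, pw in COMMON_PASSWORD_MD5.items())


def is_common_password(candidate: str) -> bool:
    """Defensive use of the same table: refuse a new password whose MD5
    appears in the common list (checked by hash, so no plaintext list
    has to be shipped with the application)."""
    return md5_hex(candidate) in COMMON_PASSWORD_MD5


def store_password(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Salted, iterated storage. A fresh 16-byte random salt per user means
    two users with the same password get unrelated records, so a table
    like the one above cannot be matched against the stored values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex(), digest.hex()


def verify_password(password: str, salt_hex: str, digest_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_differs_when_salted(password: str) -> bool:
    """Two users choosing the same password: one shared digest under plain
    MD5, two unrelated records once salted, both of which still verify."""
    s1, d1 = store_password(password)
    s2, d2 = store_password(password)
    return s1 != s2 and d1 != d2 and verify_password(password, s1, d1)


if __name__ == "__main__":
    print("table is plain MD5:", table_matches_plain_md5())
    print("'qwerty' rejected at signup:", is_common_password("qwerty"))
    print("salted records differ:", same_password_differs_when_salted("password"))
```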
When Digital Actions Cross Borders
Whose Laws Rule the Web
• Yahoo and French censorship
  • Display and sale of Nazi memorabilia illegal in France and Germany
  • Yahoo was sued in French court because French citizens could view Nazi memorabilia offered on Yahoo’s U.S.-based auction sites
  • Legal issue is whether the French law should apply to Yahoo auction sites on Yahoo’s computers located outside of France.
Whose Laws Rule the Web
• Applying U.S. copyright law to foreign companies
  • A Russian company sold a computer program that circumvents controls embedded in electronic books to prevent copyright infringement.
  • The program was legal in Russia, but illegal in the U.S.
  • The program’s author, Dmitry Sklyarov, was arrested when he arrived in the U.S. to present a talk on the weaknesses in control software used in ebooks.
  • After protests in the U.S. and other countries, he was allowed to return to Russia.
Whose Laws Rule the Web
• Arresting executives of online gambling and payment companies
Libel, Speech and Commercial Law
• Even if something is illegal in both countries, the exact law and associated penalties may vary.
• In cases of libel, the burden of proof differs in different countries.
• Some countries have strict regulations on commercial speech and advertising.
Libel, Speech and Commercial Law
• Libel tourism
  • Traveling to places with strict libel laws in order to sue
  • The SPEECH Act of 2010 makes foreign libel judgments unenforceable in the U.S. if they would violate the First Amendment.
  • Foreign governments can still seize assets
• Where a trial is held is important not just for differences in the law, but also for the costs associated with travel between the countries; cases can take some time to come to trial and may require numerous trips.
• Freedom of speech suffers if businesses follow the laws of the most restrictive countries.
Whose Laws Rule the Web
• What suggestions do you have for resolving the issues created by differences in laws between different countries?
• What would work, and what would not?
Culture, Law, and Ethics
• Respecting cultural differences is not the same as respecting laws
• Where a large majority of people in a country support prohibitions on certain content, is it ethically proper to abandon the basic human rights of free expression and freedom of religion for minorities?
Potential Solutions
• International agreements
  • Countries of the World Trade Organization (WTO) agree not to prevent their citizens from buying certain services from other countries if those services are legal in their own.
  • The WTO agreement does not help when a product, service, or information is legal in one country and not another.
Potential Solutions
• Alternative principles
  • Responsibility-to-prevent-access
    • Publishers must prevent material or services from being accessed in countries where they are illegal.
  • Authority-to-prevent-entry
    • The government of Country A can act within Country A to try to block the entrance of material that is illegal there, but may not apply its laws to the people who create and publish the material, or provide a service, in Country B if it is legal there.
Stealing Identities
• Identity theft – various crimes in which criminals use the identity of an unknowing, innocent person
  • Use credit/debit card numbers, personal information, and social security numbers
• 18-29 year-olds are the most common victims because they use the Web most and are unaware of risks
• E-commerce has made it easier to steal and use card numbers without having the physical card
Stealing Identities
• Techniques used to steal personal and financial information
  • Requests for personal and financial information disguised as legitimate business communication
    • Phishing – e-mail
    • Smishing – text messaging
    • Vishing – voice phishing
  • Pharming – false Web sites that fish for personal and financial information by planting false URLs in Domain Name Servers
  • Online resumes and job hunting sites may reveal SSNs, work history, birth dates and other information that can be used in identity theft
Responses to Identity Theft
• Authentication of email and Web sites
• Use of encryption to securely store data, so it is useless if stolen
• Authenticating customers to prevent use of stolen numbers may trade convenience for security
• In the event information is stolen, a fraud alert can flag your credit report; some businesses will cover the cost of a credit report if your information has been stolen
Responses to Identity Theft
• Authenticating customers and preventing use of stolen numbers
  • Activation for new credit cards
  • Retailers do not print the full card number and expiration date on receipts
  • Software detects unusual spending activities and will prompt retailers to ask for identifying information
  • Services like PayPal act as a third party, allowing a customer to make a purchase without revealing their credit card information to a stranger
Responses to Identity Theft
• Biometrics
  • Biological characteristics unique to an individual
  • No external item (card, keys, etc.) to be stolen
  • Used in areas where security needs to be high, such as identifying airport personnel
  • Biometrics can be fooled, but it is more difficult to do so, especially as more sophisticated systems are developed
• A few months ago, the United States passed the Cybersecurity Information Sharing Act (CISA).
• The law is designed to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats.
• The law allows the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies, specifically when there is an active cyber attack or threat of cyber attack.
• CISA is designed to stem corporate data breaches by allowing companies to share cybersecurity threat data with the Department of Homeland Security, which can then pass it on to other agencies like the FBI and NSA, which would use it to defend the target company and others facing similar attacks.
• Privacy advocates and civil liberties groups see CISA as a free pass that allows companies to monitor users and share their information with the government without a warrant, while offering a backdoor that circumvents any laws that might protect users’ privacy.
• If you are a U.S. citizen, research CISA and write a short essay (roughly 600-800 words) either in support of or against CISA.
• If you are not a U.S. citizen, write a short essay (roughly 600-800 words) answering the questions:
  • Does your home country have a law similar to CISA? What is the public's opinion of that law? Do you support the law?
  • If your country does not have a law similar to CISA, should it? Why or why not?