Security Watch

You Can Take It With You

Computer Fraud and Abuse Act can't be used against employees who access data and take that information to competitors. Plus: Beware of debit-only ATMs.

• By Russ Cooper
• 09/19/2007

The CFAA is intended to prevent employees from exceeding their authorization, thereby making it illegal if they access files for which they have no permission. However, it has been piled on against individuals in cases where they have taken files they do have access to, and privilege to access, when those files are taken to competitors. The recent court rulings are strongly suggesting this wasn’t what the Act was intended to penalize.

More Skimming Incidents At ATMs
AM/PM customers in northern California were targeted by criminals who installed a skimming device at a gas station there (read about it here and here). The device was attached to a debit card reader, and when a customer had problems trying to swipe his card he discovered the device and removed it. This is the second time that an AM/PM has been found with a skimming device.

It is worth noting that the device was installed on a payment system that only accepted debit cards. This would allow the criminals to obtain mag stripes and pins to access case via ATM systems, thus avoiding the anti-fraud mechanisms of credit card companies. Such actions suggests that criminals view the anti-fraud measures of ATM systems (or the banks that support them) as less effective than those of the credit card companies.

Be leery of debit-only systems. Typically there are no contractual agreements with your bank to refund fraudulent transactions done via debit systems. Banks have been fairly good at refunding such transactions, but at some point they may decide to stick closer to the agreement you have.