Security Watch

You Can Take It With You

Computer Fraud and Abuse Act can't be used against employees who access data and take that information to competitors. Plus: Beware of debit-only ATMs.

reports on a Philadelphia Federal District Court ruling that has, for the second time in recent history, refuted the idea that the Computer Fraud and Abuse Act can be used against employees who take files they are authorized to access from their employers prior to leaving their employment. While there still remains a Seventh Circuit Court ruling suggesting the CFAA is relevant, it is looking like this may not hold true in future.

The CFAA is intended to prevent employees from exceeding their authorization, thereby making it illegal if they access files for which they have no permission. However, it has been piled on against individuals in cases where they have taken files they do have access to, and privilege to access, when those files are taken to competitors. The recent court rulings are strongly suggesting this wasn’t what the Act was intended to penalize.

More Skimming Incidents At ATMs
AM/PM customers in northern California were targeted by criminals who installed a skimming device at a gas station there. The device was attached to a debit card reader, and when a customer had problems trying to swipe his card he discovered the device and removed it. This is the second time that an AM/PM has been found with a skimming device.

It is worth noting that the device was installed on a payment system that only accepted debit cards. This would allow the criminals to obtain mag stripes and PINs to access cash via ATM systems, thus avoiding the anti-fraud mechanisms of credit card companies. Such actions suggest that criminals view the anti-fraud measures of ATM systems (or the banks that support them) as less effective than those of the credit card companies.

Be leery of debit-only systems. Typically there are no contractual agreements with your bank to refund fraudulent transactions done via debit systems. Banks have been fairly good at refunding such transactions, but at some point they may decide to stick closer to the agreement you have.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
