T-CY Guidance Note #4 Identity theft and phishing in relation to fraud



Similar documents
T-CY Guidance Note #5

AGREEMENT BETWEEN THE UNITED STATES OF AMERICA AND THE EUROPEAN POLICE OFFICE

CYBERCRIME AND THE LAW

Cyber Crime and Data Retention

IDENTITY THEFT COMMITTED THROUGH INTERNET

Crimes (Computer Hacking)

OVERVIEW. 1. Cyber Crime Unit organization. 2. Legal framework. 3. Identity theft modus operandi. 4. How to avoid online identity theft

Identity Theft. CHRISTOS TOPAKAS Head of Group IT Security and Control Office

THE CYBERCRIME BILL, 2015

An Bille um Cheartas Coiriúil (Cionta a bhaineann le Córais Faisnéise), 2016 Criminal Justice (Offences Relating to Information Systems) Bill 2016

Parliamentary Information and Research Service. Legislative Summary

CYBERSECURITY BILL, 2011

COMPUTER MISUSE AND CYBERCRIME ACT

Crimes Amendment (Fraud, Identity and Forgery Offences) Act 2009 No 99

An Overview of Cybersecurity and Cybercrime in Taiwan

Legal and Regulatory Framework in Africa for Cyber Security

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS

Pacific Islands Telecommunications Association

Remote Deposit Quick Start Guide

Crimes Amendment (Fraud and Forgery) Bill 2009

1. Any requesting personal information, or asking you to verify an account, is usually a scam... even if it looks authentic.

FAQs Organised Crime and Anti-corruption Legislation Bill

Acceptable Use Policy. This Acceptable Use Policy sets out the prohibited actions by a Registrant or User of every registered.bayern Domain Name.

A Global Treaty on Cybersecurity and Cybercrime

CYBERTERRORISM THE USE OF THE INTERNET FOR TERRORIST PURPOSES

RHODE ISLAND IDENTITY THEFT RANKING BY STATE: Rank 34, 56.0 Complaints Per 100,000 Population, 592 Complaints (2007) Updated January 5, 2009

Acceptable Use Policy

Handbook of Legislative Procedures of Computer and Network Misuse in EU Countries

CHAPTER 124B COMPUTER MISUSE

Learn to protect yourself from Identity Theft. First National Bank can help.

Vijay Pal Dalmia, Advocate Delhi High Court & Supreme Court of India

Criminal Code And Civil Liability Amendment Bill 2007

ITU TOOLKIT FOR CYBERCRIME LEGISLATION

Acceptable Use Policy

109TH CONGRESS 1ST SESSION. discourage spyware, and for other purposes. To amend title 18, United States Code, to AN ACT H. R. 744

THE COMPUTER MISUSE AND CYBERCRIME ACT I assent ARRANGEMENT OF SECTIONS

Cybercrime: risks, penalties and prevention

DISCUSSION OF THE CYBERCRIMES AND CYBERSECURITY BILL

LEGISLATION ON CYBERCRIME IN LITHUANIA: DEVELOPMENT AND LEGAL GAPS IN COMPARISON WITH THE CONVENTION ON CYBERCRIME

WASHINGTON IDENTITY THEFT RANKING BY STATE: Rank 13, 76.4 Complaints Per 100,000 Population, 4942 Complaints (2007) Updated January 11, 2009

How To Help Protect Yourself From Identity Theft

VISA International Security Summit. Dr. Colonel Tran Van Hoa Deputy Director Viet Nam Hightech Crime Police Department

Commonwealth Fraud Control Guidelines Annual Reporting Questionnaire

SECTION 8 GARDA SÍOCHÁNA ACT General Direction No. 2

Migration/ Asylum. Co-operation in the field of drugs

SECTION 59, CRIMINAL JUSTICE (THEFT AND FRAUD OFFENCES) ACT, 2001

Standardisation of definitions of identity crime terms: A step towards consistency Report Series No

FEDERAL IDENTITY THEFT TASK FORCE. On May 10, 2006, the President signed an Executive Order establishing an Identity Theft

Types of Cyber Crimes and Security Threats

GUIDANCE Implementing Section 176 of the Anti-social Behaviour, Crime and Policing Act 2014: Lowvalue

CYBERTERRORISM THE USE OF THE INTERNET FOR TERRORIST PURPOSES

LEGISLATION ON CYBERCRIME IN NIGERIA: IMPERATIVES AND CHALLENGES

Cybercrime : Malaysia. By DSP MahfuzBin Dato Ab. Majid Royal Malaysia Police

MEMORANDUM FOR ASSISTANT REGIONAL COUNSEL (CRIMINAL TAX) SUBJECT: Identity Theft and Assumption Deterrence Act of 1998

LICENSING ACT 2003 GUIDANCE NOTES PERSONAL LICENCE: RELEVANT OFFENCES

Technical Questions on Data Retention

Crime statistics in Lithuania, Latvia, Estonia for the period of. January March 2012* Nr. (6-2) 24S , NA ,3

Law No. 80 for 2002 Promulgating the Anti-Money Laundering Law And its Amendments ١

Explanatory Memorandum

CYBERCRIME LAWS OF THE UNITED STATES Compiled October 2006 by Al Rees, CCIPS

D2.2 Executive summary and brief: Cyber crime inventory and networks in non-ict sectors

The Australian Privacy Foundation

Section Fraud and related activity in connection with identification documents and information

Retail/Consumer Client. Internet Banking Awareness and Education Program

REPUBLIC OF SOUTH AFRICA CYBERCRIMES AND CYBERSECURITY BILL DRAFT FOR PUBLIC COMMENT

STOP Cybercriminals and. security attacks ControlNow TM Whitepaper

The Council of Europe Convention on Cybercrime

WISCONSIN IDENTITY THEFT RANKING BY STATE: Rank 15, Complaints Per 100,000 Population, 9852 Complaints (2007) Updated January 16, 2009

TERMS OF SERVICE TELEPORT REQUEST RECEIVERS

FINAL May Guideline on Security Systems for Safeguarding Customer Information

The Electronic Transactions Law Chapter I Title and Definition

Issue Brief. Arizona State Senate IDENTITY THEFT AND CONSUMER PROTECTION INTRODUCTION IDENTITY THEFT. September 17, 2015.

region16.net Acceptable Use Policy ( AUP )

OCT Training & Technology Solutions Training@qc.cuny.edu (718)

UNDERSTANDING MONEY LAUNDERING

COMPUTER USE IN INSTRUCTION

SAFE ONLINE BANKING. Online Banking, Data Security You. Your Partnership for Safe Online Banking

As of August 1 st, 2014 IMPORTANT LEGALLY BINDING AGREEMENT

DATA PROTECTION LAWS OF THE WORLD. India

Regional Anti-Corruption Action Plan for Armenia, Azerbaijan, Georgia, the Kyrgyz Republic, the Russian Federation, Tajikistan and Ukraine.

Cybersecurity Initiatives

MISSOURI IDENTITY THEFT RANKING BY STATE: Rank 21, 67.4 Complaints Per 100,000 Population, 3962 Complaints (2007) Updated January 11, 2009

Acceptable Use Policy

Terms of Service. As of Julyl 1, 2014 IMPORTANT LEGALLY BINDING AGREEMENT

Identity Theft and Medical Theft. *Christine Stagnetto-Sarmiento, Oglala Lakota College, USA

Kingdom of Cambodia Nation Religion King ****** Cybercrime Law. Draft V.1. Unofficial Translation to English

Fraud Act 2006 CHAPTER 35 CONTENTS

FKCC AUP/LOCAL AUTHORITY

Regulation of Investigatory Powers Act 2000

BE SAFE ONLINE: Lesson Plan

Models for Cyber-legislation in ESCWA member countries

LAWS OF BRUNEI CHAPTER 194 COMPUTER MISUSE ACT

HTC Communications Acceptable Use Policy High Speed Internet Service Page 1 of 5. HTC Communications

CYBER CRIME AWARENESS

The History of Global Harmonization on Cybercrime Legislation - The Road to Geneva

Fraud, Bribery and Money Laundering Offences Definitive Guideline DEFINITIVE GUIDELINE

MASSACHUSETTS IDENTITY THEFT RANKING BY STATE: Rank 23, 66.5 Complaints Per 100,000 Population, 4292 Complaints (2006) Updated January 17, 2009

The Key to Secure Online Financial Transactions

Fraud Detection and Prevention. Timothy P. Minahan Vice President Government Banking TD Bank

White paper. Phishing, Vishing and Smishing: Old Threats Present New Risks

Transcription:

www.coe.int/tcy Strasbourg, 5 June 2013 T-CY (2013)8E Rev Cybercrime Convention Committee (T-CY) T-CY Guidance Note #4 Identity theft and phishing in relation to fraud Adopted by the 9 th Plenary of the T-CY (June 2013)

Contact: Alexander Seger Secretary Cybercrime Convention Committee Head of Data Protection and Cybercrime Division Directorate General of Human Rights and Rule of Law Council of Europe, Strasbourg, France Tel +33-3-9021-4506 Fax +33-3-9021-5650 Email alexander.seger@coe.int 2

1 Introduction The Cybercrime Convention Committee (T-CY) at its 8 th Plenary (December 2012) decided to issue Guidance Notes aimed at facilitating the effective use and implementation of the Budapest Convention on Cybercrime, also in the light of legal, policy and technological developments. 1 Guidance Notes represent the common understanding of the Parties to this treaty regarding the use of the Convention. The present Note addresses the question of identity theft and phishing and similar acts 2 in relation to fraud. The Budapest Convention uses technology-neutral language so that the substantive criminal law offences may be applied to both current and future technologies involved. 3 This is to ensure that new forms of crime would always be covered by the Convention. This Guidance Note shows how different Articles of the Convention apply to identity theft in relation to fraud and involving computer systems. 2 Identity theft and phishing While there is no generally accepted definition nor consistent use of the term, identity theft commonly involves criminal acts of fraudulently (without his or her knowledge or consent) obtaining and using another person s identity information. The term identity fraud is sometimes used as a synonym, although it also encompasses the use of a false, not necessarily real, identity. While personally identifiable information of a real or fictitious person may be misused for a range of illegal acts, the present Guidance Note focuses on identity theft in relation to fraud only. This may entail the misappropriation of the identity (such as the name, date of birth, current address or previous addresses) of another person, without their knowledge or consent. These identity details are then used to obtain goods and services in that person's name. Related acts may include phishing, pharming, spear phishing, spoofing or similar conduct, for example, to obtain password or other access credentials, often through email or fake websites. Identity theft affects governments, businesses and citizens and causes major damage. It undermines confidence and trust in information technologies. In many legal systems there is no specific offence of identity theft. Perpetrators of identity theft are normally charged with more serious offences (e.g. financial fraud). Obtaining a false identity normally implies a crime, such as the forgery of documents or the alteration of computer data. A false identity facilitates many crimes, including illegal immigration, trafficking in human beings, 1 See the mandate of the T-CY (Article 46 Budapest Convention). 2 Similar acts to phishing are known under various names such as spear phishing, SMiShing, pharming and vishing. 3 Paragraph 36 of the Explanatory Report 3

money laundering, drug trafficking, financial fraud against governments and the private sector, but is most generally seen in conjunction with fraud. Conceptually, ID theft can be separated into three distinct phases: Phase 1 The obtaining of identity information, for example, through physical theft, through search engines, insider attacks, attacks from outside (illegal access to computer systems, Trojans, keyloggers, spyware and other malware) or through the use of phishing and or other social engineering techniques. Phase 2 The possession and disposal of identity information, which includes the sale of such information to third parties. Phase 3 The use of the identity information to commit fraud or other crimes, for example by assuming another s identity to exploit bank accounts and credit cards, create new accounts, take out loans and credit, order goods and services or disseminate malware. In conclusion: identity theft (including phishing and similar conduct) is generally used for the preparation of further criminal acts such as computer related fraud. Even if identity theft is not criminalised as a separate act, law enforcement agencies will be able to prosecute the subsequent offences. 3 T-CY interpretation of the criminalisation of identity theft in relation to fraud under the Budapest Convention The Budapest Convention is focusing on criminal conduct and not specifically on techniques or technologies used. It does, therefore, not contain specific provisions on identity theft or phishing. However, full implementation of the Convention s substantive law provisions will allow States to criminalise conduct related to identity theft. The Convention requires countries to criminalise conduct such as the illegal access to a computer system, the illegal interception of data, data interference, system interference, the misuse of devices and computer related fraud: Phase Article of convention Examples Phase 1 Obtaining of identity information Article 2 Illegal access While a criminal is hacking, circumventing password protection, keylogging or exploiting software loopholes, the computer may be illegally accessed in the acts of ID theft/phishing. Illegal access to computer systems is one of the most common offences committed in order to obtain sensitive information such as identity information. Article 3 illegal interception ID theft often entails the use of keyloggers or other types of malware for the illegal interception of nonpublic transmissions of computer data to, from or within a computer system containing sensitive information such as identity information. 4

Article 4 Data interference ID theft/phishing may involve damaging, deleting, deteriorating, altering or suppressing computer data. This is often done during the process of obtaining illegal access by installing a keylogger to obtain sensitive information. Article 5 System interference ID theft/phishing may involve hindering the functioning of a computer system in order to steal or facilitate the theft of identity information. Article 7 Computer related forgery ID theft/phishing may involve the inputting, altering, deleting, or suppressing of computer data with the result that inauthentic data is considered or acted upon as if it were authentic. Phishing is possibly the most common representation of computer related forgery (e.g. a forged web page of a financial institution) and as a consequence the most common illegal activity through which sensitive information is collected, such as identity information. Phase 2 Possession and disposal of identity information Article 6 Misuse of devices Stolen identity information including passwords, access credentials, credit cards and others may be considered devices, including a computer program, designed and adapted for the purpose of committing any of the offences established in accordance with articles 2 through 5 of the Convention, or a computer password, access code, or similar data by which the whole of any part of a computer system is capable of being accessed. Phase 3 Use of the identity information to commit fraud or other crimes Article 8 Computer related fraud The use of a fraudulent identity by inputting, altering, deleting or suppressing computer data, and, or interfering with the function of a computer system will result in the exploitation of bank accounts or credit cards, in taking out loans and credit, or ordering goods and services, and thus causes one person to lose property and causes another person to obtain an economic benefit. All Phases Article 11 Attempt, aiding and abetting The obtaining, possession and disposal of identity information may constitute attempt, aiding and abetting of several crimes specified in the Convention. Article 13 Sanctions Identify theft serves multiple criminal purposes, some of which cause serious damage to individuals and public or private sector institutions. 5

A Party may foresee, however, in its domestic law a sanction that is unsuitably lenient for identity theft, and it may not permit the consideration of aggravated circumstances. This may mean that Parties need to consider amendments to their domestic law. Therefore, Parties should ensure, pursuant to Article 13, that criminal offences related to identity theft are punishable by effective, proportionate and dissuasive sanctions, which include the deprivation of liberty. For legal persons this may include criminal or non-criminal sanctions, including monetary sanction. Parties may also consider aggravating circumstances, for example if identity theft affects a significant number of people or causes serious distress or exposes a person to danger. 4 T-CY Statement The T-CY agrees that the above illustrates the various scope and elements of identity theft and phishing and the criminal provisions that may apply. Therefore, the T-CY agrees that the different aspects of such crimes are covered by the Budapest Convention. 6

5 Appendix: Extracts of the Budapest Convention Article 2 Illegal access the access to the whole or any part of a computer system without right. A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system. Article 3 Illegal interception the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data. A Party may require that the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system. Article 4 Data interference 1 the damaging, deletion, deterioration, alteration or suppression of computer data without right. 2 A Party may reserve the right to require that the conduct described in paragraph 1 result in serious harm. Article 5 System interference the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data. Article 6 Misuse of devices 1 establish as criminal offences under its domestic law, when committed intentionally and without right: a the production, sale, procurement for use, import, distribution or otherwise making available of: i a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with the above Articles 2 through 5; ii a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed, 7

with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and b the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches. 2 This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system. 3 Each Party may reserve the right not to apply paragraph 1 of this article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in paragraph 1 a.ii of this article. Article 7 Computer-related forgery establish as criminal offences under its domestic law, when committed intentionally and without right, the input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible. A Party may require an intent to defraud, or similar dishonest intent, before criminal liability attaches. Article 8 Computer-related fraud establish as criminal offences under its domestic law, when committed intentionally and without right, the causing of a loss of property to another person by: a b any input, alteration, deletion or suppression of computer data; any interference with the functioning of a computer system, with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another person. Article 11 Attempt and aiding or abetting 1 aiding or abetting the commission of any of the offences established in accordance with Articles 2 through 10 of the present Convention with intent that such offence be committed. 2 8

an attempt to commit any of the offences established in accordance with Articles 3 through 5, 7, 8, and 9.1.a and c. of this Convention. 3 Each Party may reserve the right not to apply, in whole or in part, paragraph 2 of this article. Article 13 Sanctions and measures 1 ensure that the criminal offences established in accordance with Articles 2 through 11 are punishable by effective, proportionate and dissuasive sanctions, which include deprivation of liberty. 2 Each Party shall ensure that legal persons held liable in accordance with Article 12 shall be subject to effective, proportionate and dissuasive criminal or non-criminal sanctions or measures, including monetary sanctions. 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information