IDENTITY THEFT: THE NEW CRIME
Every human-being is defined by the identity that he possesses. A person’s name, his birthplace, his identification number, his bank account number are all valuable information. Thus when one gets his identity stolen it can lead to all sort of complication. The term identity theft can be defined as the unlawful use of another’s personal identifying information without their knowledge, to fraudulently obtain money, goods, services, or anything of value.[1] It can also be defined as a fraud that is committed or attempted; using a person’s identifying information without authority.[2] In general it can be said that identity theft occurs in furtherance or to facilitate the commission of an illegal and fraudulent activity.
There are numerous types of identity theft but there the primary ones: true name fraud, account takeover and criminal identity theft. True name fraud occurs when the thief uses the victim’s information to open new accounts in the victim’s name. Account takeover occurs when the thief gains access to the victim’s financial account and makes unauthorized changes. Identity theft happens when the thief is arrested by law enforcement and provides the police with the stolen victim’s identity. They would then create a false criminal record for the victim. Identity theft is a serious crime as it can be committed in cyberspace or in the real world and from there, it can transcend into either realm for the commission of a further criminal offence. Once an identity of a victim is taken there are many ways that the thief can exploit the personal information of the victim. The most common form of exploitation would be to open up an account under the victim’s name to commit unlawful transactions and to apply for a new credit card using personal information, make charges and leaving the bill unpaid.
The implication on the victim of an identity theft crime can be very damaging. A victim of identity theft may lose job opportunities, be refused loans for education, housing or cars and even get arrested for crimes they did not commit.[3] There is actually no limit on what the thief can do once the victim’s identity is obtained.
Such is the seriousness of identity theft, that the Federal Bureau of Investigation (FBI) calls identity theft one of the fastest growing crimes in the United States and estimates that 500,000 to 700,000 Americans become identity theft victims each year.[4] Identity theft can also cause emotional distress to the victims. Humiliation, anger and frustration are among the feelings victims experience as they navigate the process of rescuing their identity.[5] Such feelings were expressed by one victim of identity theft[6] who said:
I first was notified that someone had used my social security number for their taxes in February 2004. I also found out that this person opened a checking account, cable and utility accounts, and a cell phone account under my name. I’m still trying to clear up everything and just received my income tax refunds after four months. Trying to work and get this all cleared up is very stressful.
There is a common misconception that identity theft began with the internet.[7] Although the internet has facilitated the crime of identity theft to be more widespread, the origins of the crime actually began in the real world when thieves started going through people’s garbage (dumpster diving) looking for personal information such as bills or any relevant and useful financial documents. Another real world method that is used to steal a person’s identity is by a method known as social engineering. Social engineering is the art of convincing somebody that the thief is a legitimate person who needs the desired information (i.e. by either posing as a landlord, co-worker, telemarketers, prospective employers, government officials or others who may need the victim’s personal information. Such acts were usually done through the telephone (usually referred to as telephone scams)
As technology evolves, so does the manner in which crimes are committed. This statement hold true for the crime of identity theft. Nowadays identity thieves have broadened their scope of activities and the methods they apply with the use of technology. One such way is by the method known as skimming where an electronic device is used to record a card’s magnetic strip once it is swiped.
The information captured can later be copied onto another card and used by the perpetrator. In addition to this the method of social engineering is now longer confined by the use of telephone but has now extended to mediums such as the internet by the use of e-mails, pop-up advertisement (the method is known as pretexting) and also the technique of phishing[8] to lure victims to reveal or verify their personal information.
It should also be noted that besides luring victims to reveal their personal information, the perpetrator can scour the internet for gold rich personal information on individuals and if the perpetrator is highly skilled he can even hack into the computer system of the individual, financial institution or place of employment that he is targeting to retrieve the information he requires. With just a couple of clicks a thief can obtain enough information to establish a bogus full name, date of birth, address and phone numbers.[9] One such way that this can be done was by visiting the former website of www.anybirthday.com that contained the birth dates of more than 135 million people in the United States. They could even obtain the person’s address for a specified fee.
This being said it is interesting to note that 4 out 5 people do not know how an identity thief obtains their personal information and identification.[10] Amongst those who think they know what happened, many believe that identity theft occurred when their purse or wallet was stolen. Although identity thefts do sometimes occur by such means, most of us are not aware that we leave behind too much of our personal and sensitive information on the internet when we visit and create a profile on social sites such as MySpace, Facebook and Friendster. Such information may or may not lead to a person’s identity being stolen for the commission of a crime but it does make the job much easier for anyone intending to do so. In a study conducted by Microsoft, it states that there has been a startling rise in the number of computer viruses designed to steal information such as bank account numbers and credit card data.[11]
The study also states that attacks by malicious programs, which include often invisible threats such as worms and Trojan horses has jumped over 40 per cent in the first half of this year. These viruses are designed to mine personal computers for data ranging from your home address to your online banking password.
Personal data can be worth a small fortune in the underground economy; hackers bought and sold US$276 million (S$422 million) worth of such data from July last year to June.[12] According to Microsoft platform strategy manager Matthew Hardman social networking sites, like Facebook, are among the most commonly targeted because of their huge communities of users and that malicious code may be hidden inside Facebook applications or in links under photographs. In recent years the internet has become an appealing place for criminals to obtain identifying data, such as passwords and banking data.[13] The perpetrators play on gullibility of internet users who may respond to certain unsolicited e-mail that promises the user with benefits but requests certain identifying data.[14] There lure of the promised benefit often time than not is sufficient for the user to part away with his most personal and sensitive information.
Therefore users must be educated on the inherent dangers of responding to unknown e-mail and leaving their personal information on the internet. Such steps such as not disclosing your pin number, not responding to websites requiring verification of personal information and keeping track of your financial statements can help reduce the chances of being a victim of identity theft. It is also helpful that a police report be made as soon as possible and a request to the bank to temporarily freeze any transaction if a person believes that he has become a victim
In general the author believes that the fact identity theft cases are growing in number can be attributed to three reasons. Firstly, the potential reward for committing the crime is high with little personal risk to the offender. Secondly, the internet as a source that offers a gold mine of information on an individual in addition to its anonymity that it provides to its users. And third, due to the carelessness of the internet user who consentingly leave their personal information lying around on the internet without much care.
In general, the crime of identity theft in the 20th century is much related to the concept of the internet as an open source of information highway. Such illegal activities no longer require the perpetrator to be in proximity of the victim, all that is needed nowadays is a computer and an internet access to secure information notwithstanding whether legally or illegally about an intending target. Thus, as such crimes increases in number, there is need to examine whether the current law is adequate or is there a need for us to enact a specific legislation to govern the crime of identity theft in the current context.
In Malaysia there have not yet been any reported cases with regards to the offence of identity theft. However if such cases were to arise in Malaysia, it is important to examine if there is an appropriate law in the Penal Code or a new specific legislation is needed to deal with such matters. Recourse will be made to other jurisdiction and their laws to get a better view on how these countries deal with the crime of identity theft.
In jurisdiction such as the United States and the United Kingdom there are specific statutes to deal with crime of identity theft. In the United States there is the Identity Theft and Assumption Deterrence Act 1998, which makes possession of any means of identification to knowingly transfer, possess or use without lawful authority a federal crime, alongside unlawful possession of identification documents. In the UK however, resort is made to the theft Act which encompasses identity theft in several sections.[15] In addition to the Theft Act, there is a further legislation that deals with identity theft which is the Data Protection Act 1998 that makes it unlawful for a person to obtain personal data of another. This fortifies the significance of the offence of identity theft.[16]
A case in the United Kingdom that highlights the issue of identity theft is the case of R v Seward.[17] In this case the accused had made a phone call to the Barclay Bank where the victim, James Turner had his account. Apart from that, James Turner was also a Premier Card Holder which entitled him to a higher credit limit. The accused had made a phone call pretending to be James Turner and instructed the Bank to send the card to the Branch in Leeds. The card was duly sent.
The accused after showing a false driving license and false signature of James Turner managed to obtain the card and subsequently withdrew money from the bank in different locations. However an alert cashier observed the false document and this led to the arrest of the accused. In convicting the accused for the offence of impersonating with the intention to deceive, the courts held that identity fraud is a particularly pernicious and prevalent form of dishonesty calling for a deterrent sentence.
The Malaysian Penal Code contains provisions on cheating by personation and these provisions, although not cyber specific, may apply to identity theft to a certain extent. One such provision is Section 416 of the Penal Code that deals with cheating by personation. The section states that whoever cheats by personation shall be punished with imprisonment for a term which may extend to seven years, or with fine or with both. The phrase cheating by personation is explained in section 416 of the Penal Code which states a person is said to cheat by personation if he cheats by pretending to be some other person, or by knowingly substituting one person for another, or representing that he or any other person is a person other than he or such other person really is. The definition of cheating is laid down in section 415 and contains two part which reads:
Whoever by deceiving any person, whether or not such deception was the sole or main inducement-
(a) Fraudulently or dishonestly induces the person so deceived to deliver any property to any person, or to consent that any person shall retain any property; or
(b) Intentionally induces the person so deceived to do or omit to do anything which he would not do or omit to do if he were not so deceived and which act or omission causes or is likely to cause damage or harm to any person in mind, reputation or property.
Is said to cheat.
In situation where the perpetrator has stolen and used the identity of a victim to transact in activities such as opening up a new account (i.e. bank account, internet account, etc), making unauthorized changes an account and “pretexting” so as to induce the victim to reveal his personal information, then such acts falls within the definition of cheating under section 415(b) and the perpetrator may be charged for an offence of cheating by personation under section 419 of the Penal Code.
This is because, once the perpetrator uses or assumes the identity of the victim for the acts above, he is impersonating the victim to cause the bank, service provider to open or make changes to an account belonging to the victim, whereas the bank and service provider would not have done such acts had they knew that perpetrator was not the rightful owner to that account. The section would also cover the situation of pre-texting and social engineering when the perpetrator assumes the identity of an employer, representatives from a bank, Internet service provider or even a government official to deceive the victim to reveal his personal record where the victim would not have done had he knew that such representation was not true.
However this being said, if we were to really scrutinize the Penal Code, it does not actually criminalize the act of actually having in possession the personal information of the victim which is used for the purpose of impersonation or any other reason. In addition to this the person who is actually cheated in such cases is not the victim but the bank or service provider. If a perpetrator were to acquire personal and sensitive information about an individual and decides to post it in a bulletin, chat room or blog-site, he would not actually be committing an offence because he has not impersonated or cheated anybody. The danger lies though in the fact that such information could be used by some other individuals or sold off to a third party to commit or facilitate an illegal act.
In conclusion the author believes, it is only a matter of time before such crimes begins to make headways in Malaysia, and the question then, that we have to ask ourselves is whether there are any law provisions in Malaysia criminalizing such offences? Traditional penal laws may apply only to a certain extent and is not intended to be all encompassing, as new crimes may need new age laws to deal with new age offenders.
[1] Knegtzer, M. “Investigating High Tech Crimes.” Pg 61
[2] Federal Trade Commission Identity Theft Survey Report 2004
[3] Fighting Back Against Identity Theft. Accessed on 7 November 2009 at www.ftc.gov/idtheft
[4] Federal Reserve Bank of Boston, “Identity Theft” accessed on 7 November 2009 at http://www.bos.frb.org/consumer/identity/index
[5] ibid
[6] ibid
[7] Bernadette A. Safrath “The history of identity theft” accessed at http://www.ehow.com/about_5100724_history-identity-theft.html on 7 November 2009
[8] When a user is redirected from a legitimate website to a false website created by the perpetrator where information such as passwords and login id can be captured.
[9] Knegtzer, M. “Investigating High Tech Crimes.” Pg 61
[10] Note 3
[11] Rise in Identity Theft Online- 25 November 2008, accessed on 8 November 2009 at http://www.staitstimes.com/breakingnews/Singapore
[12] ibid
[13] Ibid
[14] ibid
[15] Section 15-obtaining property by deception; Section 15A- Obtaining a money transfer by deception; Section 16-obtaining pecuniary advantage by deception; Section 1-Obtaining service by deception; Section 2- Evasion of liability by deception.
[16] Report By Zul Rafique & Partners on the Recommendations of Amendments to the Cyber Law in Malaysia 2009
[17] [2005] ECWA Crim. 194
by:
Nur Azimul Azami
Prosecution Division/Commercial Crimes Unit
No comments:
Post a Comment