Internet Crime - The Nigerian Perspective

By
Adetoun Adebiyi, LL.M (LOND)
Director and Head of Academic Division,
Nigerian Law School, Lagos Campus, Lagos, Nigeria.

Introduction:

An increasing number of criminals use mobile phones, computers, the Internet and network servers in the course of committing their crimes.

The purpose of this publication is to explain the myriad cyber threats to which we are vulnerable and, where appropriate, to recommend suitable measures to counter these threats. It will explore the possibility of equating cyber crimes with traditional crimes, perhaps highlight whether these “crimes” are known to our law, and highlight the possible problems that a Nigerian prosecutor will face in proving these virtual crimes and in securing a conviction for crimes that can only be proved almost entirely by reliance on computer and other electronically generated evidence. The major issue that one may need to examine is the liability of the culprit and the additional liability of the network service provider.

Defining Internet Crime

A simple yet sturdy definition of internet crime would be "unlawful acts using the computer as either a tool or a target or both".

A broad yet vague attempt was made in section 3(h) of the Telecommunications and Postal Offences Decree No. 21 1995, Act Cap. T4 L.F.N. 2004, to define an electronic crime:

“any person who inter alia engages in computer fraud or does anything relating to fake payments, whether or not the payment is credited to the account of an operator or the account of a subscriber is guilty of an offence”.

This Law has been repealed by the Nigerian Communications Commission Act No. 19 2003, and the offence in the repealed law is not mentioned in the new Act.

The commission of the offence in question is never in doubt; the problem is the proof of its commission, because most of the steps are electronic in nature. Electronic records such as computer network logs, e-mails, word processing files, and increasingly will invariably provide the prosecution with important (and sometimes essential) evidence in criminal cases, but how does the prosecutor analyse, understand, and present electronic evidence stored in computers to prove beyond a reasonable doubt, to the understanding of the court, that a crime known to Nigerian law has indeed been committed?

   

Categories of Internet related criminal activity

Firstly, a computer can be the target of crime, for example, when someone steals information from, or causes damage to a computer or computer network.

Secondly, a computer can be the tool used to commit an offence. In this category of computer crime, the computer is not essential for the crime to occur, but it is related to the criminal act. This means that the crime could occur without the technology; however, computerization helps the crime to occur faster, permits processing of greater amounts of information, and makes the crime more difficult to identify.

Thirdly, a computer stores evidence, and even though the computer is not directly used for criminal purposes this evidence can be of great value to criminal investigators. Cases involving drug raids, money laundering seizures, and other arrests have produced computers and electronic storage media containing incriminating information. Many times, the criminals encrypt the data or design the files to erase themselves if not properly accessed. In some instances, criminals even destroy the storage media, such as disks, to eliminate evidence of their illegal activities.

Let us examine the acts where the computer is a tool for an unlawful act. This kind of activity usually involves a modification of a conventional crime by using computers. Some examples are:

Financial crimes:

This would include stealing, cheating, credit card fraud, money laundering etc.

A steals B’s credit card details (his identity and potentially his money). A uses his Internet service provider’s (ISP’s) Internet connectivity to buy goods from C with the stolen card details.

Undoubtedly A is the culprit, but what about the additional liability of his ISP?

In Nigeria, the Nigerian Communications Commission Act is careful to make intent the basis of an ISP’s culpability; see section 146:

(1) A licensee shall use his best endeavour to prevent the network facilities that he owns or provides or the network service, applications service or content application service that he provides from being used in, or in relation to, the commission of any offence under any law in operation in Nigeria.

This is interesting because a lot of crimes perpetrated online are not known to Nigerian law, so does this mean the ISPs would almost invariably escape culpability? Subsection (3) goes further to absolve a service provider from criminal prosecution provided he has acted in good faith.

The standard of what is “good faith” is not defined.

 

Other instances are:

False merchant website:

In this situation, the criminal is running a merchant website, usually an adult site, almost invariably hosted by an ISP. The criminal accepts credit cards/ATM cards for access, or even accepts credit cards/ATM cards as proof of age. In all of these cases, the consumer’s actual account is never charged (at least not on this site). Once the identities are gathered, the merchant makes purchases on real merchant sites.

The chain of events here shows 3 offences: personation, stealing and obtaining by false pretence.

In Nigeria, the Economic and Financial Crimes Commission, established under the Economic and Financial Crimes Commission (Establishment) Act, No. 1 2004, is charged with the responsibility for the investigation and prosecution of all economic and financial crimes. Arguably the closest offence is found in section 1(1) of the Advance Fee Fraud and Other Fraud Related Offences Act 2006. Personation is an offence under section 484 of the Criminal Code and section 321 of the Penal Code. See also section 348 of the Shari'ah Penal Code Law of Zamfara State.

 

Identity theft

Closely related to the false merchant website activities just discussed is the theft of someone’s identity.

A cyber criminal can either take over somebody else’s credit card/ATM card account or steal his identity to create a new credit account; these accounts are then used to attack e-businesses.

In essence, the suspect completes an order form using the false information, the web merchant accepts the order, and then ships the goods or services to the suspect. Here also, the chain of events shows 3 offences: personation, stealing and obtaining by false pretence.

One key difference from a traditional in-store fraud is that the criminal can "hit" many different merchants and do a lot of damage very fast in the virtual world of the Internet. The suspect does not have to drive between shops, does not have to risk being identified by a sales clerk, does not have to be videotaped by surveillance cameras and does not have to speak to anyone to commit the crime, so his facial identity is not known. He would probably use a cyber café to commit the crimes. How can he be traced?

Section 382 of the Criminal Code provides that every inanimate thing whatever which is the property of any person, and which is movable, is capable of being stolen….

Many Nigerian tourists abroad are reputed to open credit card accounts online with someone else’s identity; they would run up thousands of dollars of charges within days, using the stolen identity. When they are through, they dispose of the credit card and return to Nigeria with the booty. This perhaps explains why imported goods sometimes cost less in Nigeria than the manufacturer’s price, a trend that is sometimes erroneously attributed to money-laundering fronts.

The instant credit accounts issued on the Internet are completed and set up in a few minutes. Given the speed with which “instant credit” is approved, it is not surprising that fraudsters will continue to prey on the willingness of the bank or merchant to issue an instant account. All too often, these entities understand the potential risk and will quickly write-off losses when faced with a non-paying customer. The information needed to create new accounts can be gathered from a variety of sources including trash bins, legitimate files or even public records.

The closest definition of the offence just described is provided in section 419 of the Criminal Code CAP 77 L.F.N. 1990 but

“Any person who by any false pretence or by means of any other fraud obtains credit for himself or any other person-

in incurring any debt or liability; or by means of an entry in a debtor and creditor account between the person giving and the person receiving credit,

is guilty of a felony…….”

The question posed here is how do you apply the traditional provisions of obtaining property or credit by false pretence to the unauthorised "appropriation" of electronic information? The offence of theft or stealing requires that tangible property be taken away with the intention of permanently depriving the victim of it. Applying traditional criminal concepts to acts involving intangible information can only mean that amendments to our criminal statutes are inevitable.

Occurrences on the Internet where people give false credit card details in order to access a merchant store to perpetrate fraud can give rise to some interpretation difficulties. For a fraud to be deemed to have occurred it is necessary that a 'person' must be deceived. Where the machine was deceived to obtain a service, no 'person' as such was deceived.

Section 382 of the Criminal Code requires that property (being an inanimate thing) which is the property of any person, and which is movable, is the thing capable of being stolen. Where information on a computer is manipulated, this may well be a matter for civil rather than criminal law. The criminal element is perhaps at the stage where the credit card is used to purchase an item online and the item is ultimately delivered to the culprit.

 

Phishing

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. An e-mail could purport to emanate from a bank to lure unsuspecting users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require tremendous skill to detect that the website is fake. Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies. There are poor attempts by Nigerian banks to deal with the growing number of phishing incidents. Sporadically, banks send out mails warning customers to ignore such messages, but most users cannot differentiate between an authentic and a fake communication, and there is no legislation to counter these frightening incidents.

 

The Nigerian 419 Scam

A worldwide scam, which has run since the early 1980s, is the "Advance Fee Fraud", also called "419 Fraud" (Four-One-Nine) after the relevant section of the Criminal Code of Nigeria.

The scam operates as follows: the target receives an unsolicited fax, email, or letter, often concerning Nigeria or another African nation, containing either a money laundering or other illegal proposal, or the target may receive a legal and legitimate business proposal by normal means. Common variations on the scam include "over invoiced" or "double invoiced" oil or other supply and service contracts where the culprits want to get the overage out of Nigeria; crude oil and other commodity deals; a "bequest" left to the target in a will; "money cleaning" where the suspect has a lot of currency that needs to be "chemically cleaned" before it can be used and he needs the cost of the chemicals; "spoof banks" where there is supposedly money in the target's name already on deposit; "paying" for a purchase with a cheque larger than the amount required and asking for change to be advanced; and ordering items and commodities off "trading" sites on the web and then cheating the seller. The variations of Advance Fee Fraud (419) are very creative and virtually endless.

At some point, the victim is asked to pay up front an Advance Fee.

The Advance Fee Fraud and Other Fraud Related Offences Act 2006 was enacted to ease the proof of these crimes. The Economic and Financial Crimes Commission, established under the Economic and Financial Crimes Commission (Establishment) Act, No. 1 2004, is now charged with the responsibility of enforcing the provisions of the 2006 Act.

 

Cyber pornography:

This would include pornographic websites including transmission of images of children; pornographic magazines produced using computers (to publish and print the material) and the Internet (to download and transmit pornographic pictures, photos, writings etc). The dissemination of pornography, via the Internet has raised numerous legal questions. The major issues that need to be examined are in respect of the liability of the author of the material and the additional liability of the network service provider.

In the American case of State of New York v. BuffNet, an Internet service provider (ISP) pleaded guilty to the misdemeanour charge of knowingly providing access to child pornography. A two-year investigation found that the ISP, BuffNet, knowingly hosted a child pornography newsgroup called "Pedo University". The police notified BuffNet that they were hosting illegal content, yet BuffNet failed to remove the newsgroup from its servers. Police then seized the ISP's servers. BuffNet was levied a $5000 fine, and removed the obscene content.

Under our law, an obscene publication imports the sending of a publication (albeit obscene) by post.

The Child’s Right Act 2003 now makes publication of pornographic pictures of children an offence. See also the Trafficking In Persons (Prohibition) Law Enforcement And Administration Act, No. 24 2003.

Child grooming over the Internet

Sexual grooming of children is growing at an alarming rate in the virtual world of the Internet. Some abusers will pose as children online and make arrangements to meet with children in person and ultimately abuse them sexually.

Section 218 of the Criminal Code makes defilement of a girl under the age of thirteen years a felony, and carries imprisonment for life, but corroboration of the child’s testimony is needed for a conviction to stand. In this instance, whatever nefarious activities the paedophile persuades the child to engage in in the virtual world may just escape culpability.

 

Internet husbands

A story was featured in The Observer (UK) on Sunday July 20, 2003.

Anastasia Solovieva, a citizen of the former Soviet Union, signed up with a mail-order bride agency. The agency matched her with a fat, balding man in Seattle (USA) more than twice her age; she left Russia to marry the man in America.

The attractive 18-year-old was determined to make her US marriage work. In early letters home to her parents in Kyrgyzstan, she praised her husband for his intelligence and smart dress sense.

Two years after their wedding, Anastasia was dead, strangled and buried in a junkyard by her husband. Anastasia had no idea that Indle King Jr was a violent thug divorced from a first overseas bride who testified in court how he had beaten her regularly and pounded her head against a wall.

The mail-order bride industry (largely unregulated) is booming and fraught with abuse. Some states in America plan to introduce legislation to offer greater protection for the 4,000 to 6,000 women, mainly from former Soviet bloc countries and the Philippines, who come to the US each year for marriage.

'These internet matchmaking services offer images to men and women that are inflated; they market compliant, docile, controllable women, and in any mismatched relationship there will be expectations that set the couple up for marital problems.' The issue that must be addressed here is to redefine the culpability of these agencies. One wonders why a matchmaker should be made answerable for the offence ultimately committed by the man. They do not know the parties involved; they prey (for a fee) on the vulnerability of these females who are desperate to leave their countries for greener pastures. The only reason why the business is not booming in Nigeria is the inability of the mail-order bride agency to secure visas for the girls here and, of course, the financial constraints. An adventurous American lady did, however, come to Nigeria to visit a labourer that she met in a chat room, and they are planning to marry later on this year. We will wait to see how their story unfolds.

Sale of illegal or stolen articles:

Prohibited or regulated goods reported as being marketed on the Internet include: illegal drugs (e.g. ecstasy), prescription-only medicines (e.g. viagra), quack cures, body parts (e.g. kidneys), skins and by-products of endangered species, armaments, counterfeit products and stolen goods. Other services identified on the Internet have included provision of investment advice, child adoption and, in Japan, a suicide ‘service’ (offering advice on lethal dosages and sale of potassium cyanide capsules - at least one death was attributed to the ‘service’).

One of the most common types of Internet crime is online auction fraud: you are buying something you saw advertised on, say, eBay. The vendor may be describing the products or services in a false or misleading manner, or may take orders and money but fail to deliver the goods. Or the seller may supply counterfeit goods instead of legitimate ones, or even stolen goods. Primarily, receiving stolen property is an offence in Nigeria under section 427 of the Criminal Code. In a case of receiving stolen goods, the essential ingredients of such a charge are (i) the theft of the goods; (ii) that the goods were taken into possession by the prisoner; and (iii) that at the time the goods were taken into his possession the prisoner knew that they were stolen. Territorial culpability is discussed later.

In Nigeria, the Endangered Species (Control of International Trade and Traffic) Act CAP. 108 L.F.N. 1990 controls the sale of animal species threatened with extinction. Narcotic drug trafficking is an offence under the National Drug Law Enforcement Agency Act Cap. 253 L.F.N. 1990, Act Cap. N30 L.F.N. 2004, and the NDLEA is empowered to prosecute such offences. It is also referred to as an economic crime under the Economic and Financial Crimes Commission (Establishment) Act, 2004 that can be prosecuted by the Commission.

Under the Firearms Act Cap. F28 L.F.N. 2004 it is an offence to own or sell a firearm without having the required licence. The problem is how one determines the culpability of a transaction on the Internet involving an unlicenced Nigerian seller and an American buyer (who may be licenced to carry firearms), or vice versa.

Online gambling:

Many websites today offer online gambling. In fact, it is believed that many of these websites are actually fronts for money laundering. Gambling is not an offence under our laws [ii]; however, in order to ascertain when gambling is a front for money laundering, casinos are required to keep records of gamblers who visit them under the Money Laundering (Prohibition) Act No. 7 2003. The question posed here is whether the same responsibility can be imposed on an ISP hosting an online casino originating from Nigeria.

Intellectual Property crimes:

These include software piracy, copyright infringement, trademark violations, theft of computer source code etc. A situation may arise whereby a Nigerian illegally downloads music, software or a book from the Internet. How can the owner seek redress?

At a domestic or national level, law is displayed in:

Statute, e.g. Copyright Act CAP. 68 LFN 1990 or

case law, espoused by judges, e.g. the civil wrong (known as a tort) of passing off another’s goods as your own.

At the international level, law is displayed in:

Treaty/agreement, signed by two States (bilateral treaty) or many States (multilateral treaty)

International law, without more, is not part of the Nigerian legal system. It must be transformed into Nigerian law, usually through statute. Therefore, a person cannot normally invoke an international treaty on copyright to found an action for breach of copyright in a domestic court. The person will normally rely on the Copyright Act, which itself may transform parts of international treaties on copyright. Berne is the oldest international copyright agreement, to which Nigeria is a signatory; however, more attention is given to the protection of local inventors.

In Nigeria, computer programmes are protected by the Copyright Act CAP. 68 LFN 1990. Theft of corporeal information (e.g. books, papers, CD ROMs, floppy disks) is easily covered by traditional penal provisions. There does not appear to be any protection afforded to electronic information other than a “computer programme”.

Informa and Telecoms conducted a survey recently and found out that Nigeria has one of the highest piracy rates in the world, 82 per cent: nine out of 10 products we see around are fake!

However, the problem begins when electronic records are copied quickly, inconspicuously and often via telecommunication facilities. Here the “original” information, so to say, remains in the “possession” of the “owner”.

Email spoofing:

A spoofed email is one that appears to originate from one source but actually has been sent from another source.

Email spoofing can cause monetary damage. In India, a Pune based businessman received an email from the Vice President of the Asia Development Bank (ADB) offering him a lucrative contract in return for a large sum of money. The businessman verified the email address of the Vice President from the web site of the ADB and subsequently transferred the money to the bank account mentioned in the email. It later turned out that the email was a spoofed one and was actually sent by an Indian based in Nigeria. The effect of this crime is clear, but proof is still required; need I say that there is no law closely related to email spoofing under our laws.
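The businessman in the case above checked only the visible sender address, which the sender controls. The following is an added example (not part of the original article) of the header checks an examiner can run on a preserved message; the sample messages, the domain names and the receiving server name `mx.recipient.example` are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages. "mx.recipient.example" stands for the
# recipient's own mail server (an assumed name).
SPOOFED = """\
Return-Path: <bounce@bulk-sender.example.net>
Authentication-Results: mx.recipient.example;
 spf=softfail smtp.mailfrom=bulk-sender.example.net;
 dkim=none; dmarc=fail header.from=bank.example
From: "Vice President" <vp@bank.example>
Reply-To: vp.office@freemail.example
To: businessman@recipient.example
Subject: Contract award

Please transfer the processing fee to the account below.
"""

LEGIT = """\
Return-Path: <vp@bank.example>
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=bank.example;
 dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Vice President" <vp@bank.example>
To: businessman@recipient.example
Subject: Meeting notes

See attached.
"""

# The verdict header here was written by the sender, not by the recipient's
# server, so it proves nothing and must be ignored.
FORGED_RESULTS = """\
Return-Path: <vp@bank.example>
Authentication-Results: mail.bank.example; spf=pass; dkim=pass; dmarc=pass
From: "Vice President" <vp@bank.example>
To: businessman@recipient.example
Subject: Contract award

Please transfer the processing fee.
"""


def _domain(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()


def _aligned(a, b):
    """Simplified alignment: same domain or one is a subdomain of the other.
    (Real DMARC alignment uses the organizational domain.)"""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def _trusted_verdicts(msg, authserv_id):
    """Collect spf/dkim/dmarc results only from headers stamped by our server."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        server, _, results = value.partition(";")
        tokens = server.split()
        if not tokens or tokens[0].lower() != authserv_id:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts


def assess_sender(raw_message, authserv_id):
    """Return a list of reasons to distrust the visible From address."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg["From"])
    findings = []

    reply_domain = _domain(msg["Reply-To"])
    if reply_domain and not _aligned(reply_domain, from_domain):
        findings.append("reply-to-differs")      # replies go somewhere else

    envelope_domain = _domain(msg["Return-Path"])
    if envelope_domain and not _aligned(envelope_domain, from_domain):
        findings.append("envelope-sender-differs")

    verdicts = _trusted_verdicts(msg, authserv_id.lower())
    if not verdicts:
        findings.append("no-trusted-auth-results")
    for method in ("spf", "dkim", "dmarc"):
        if method in verdicts and verdicts[method] != "pass":
            findings.append(f"{method}={verdicts[method]}")
    return findings


if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("legit", LEGIT), ("forged", FORGED_RESULTS)]:
        print(name, assess_sender(raw, "mx.recipient.example"))
```

The checks depend on the full headers being preserved; a forwarded or printed copy of the message loses them.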

Cyber Defamation:

This occurs when defamation takes place with the help of computers and/or the Internet, e.g. someone publishes defamatory matter about someone else on a website or sends e-mails containing defamatory information to all of that person's friends. This offence is traditional in nature. For example, defamation is defined in section 142 of the Shari'ah Penal Code Law of Zamfara State of Nigeria as spoken or reproduced words by mechanical means intending to harm, or knowing or having reason to believe that such imputation will harm, the reputation of a person.

The question posed here is whether the same responsibility can be imposed on an ISP hosting the suspect. To send email, the user usually composes the message on his own computer and then sends it off to the ISP's mail server. At this point, his computer is finished with the job, but the mail server still has to deliver the message. It does this by finding the recipient's mail server, talking to that server and delivering the message. The message then sits on that second mail server until the recipient comes along to read his mail, when he retrieves it onto his own computer, normally deleting it from the mail server in the process. In the American case of Anderson v New York Telephone Co, the plaintiff was a bishop. A person by the name of Jackson broadcast a programme on radio urging the listeners to call up two telephone numbers.

'A person calling these numbers would hear accusations against plaintiff involving him in all sorts of scurrilous activities not the least of which was illegitimately fathering children by women and girls in the church. Jackson's telephones were attached to equipment leased to Jackson by defendant. This equipment contained the recorded messages which would automatically play upon activation of the telephone by a caller.'

The Court held that '… the telephone company's role is merely passive and no different from any company which leases equipment to another for the latter's use … In order to be deemed to have published a libel a defendant must have had a direct hand in disseminating the material whether authored by another, or not … It could not be said, for example, that International Business Machines, Inc., even if it had notice, would be liable were one of its leased typewriters used to publish a libel. Neither would it be said that the Xerox Corporation, even if it had notice, could be held responsible where one of its leased photocopy machines is used to duplicate a libellous publication.'

Pagejacking

Pagejacking is stealing the contents of a Web site by copying some of its pages, putting them on a site that appears to be the legitimate site, and then inviting people to the illegal site by deceptive means - for example, by having the contents indexed by major search engines whose results in turn link users to the illegal site. Users of the search engine sites may then receive results from both the illegitimate as well as the legitimate site and can easily be misled to link to the wrong one. Users linking to the illegitimate site may find themselves redirected to a pornographic or other unwanted site. As an additional annoyance, users subjected to pagejacking may also encounter mousetrapping, in which clicking the Back button with the mouse does not lead out of the illegal site but only to the viewing of additional unwanted pages. To escape, the user may need to close the browser or even restart the operating system. This would be the technological equivalent of a criminal trespass. The only problem here is that the criminal laws deal with persons who physically entered a material space—real world property—without being authorized to do so.

Cyber stalking:

Although no universally accepted definition exists, cyber stalking is generally considered to be the use of the Internet, e-mail or other electronic communications device to stalk or harass a person. No appropriate similar offence can be found in our laws. In a UK case, in March 2001, Donald Ridley pleaded guilty to 25 offences relating to “Internet stalking” and child pornography. He conducted a campaign against a young woman, whom he had met six years previously when she was 17, by setting up a Web site which invited strangers to rape and abuse her. At one point, his victim was receiving around 30 e-mails a day from people who had seen the site, and a number even turned up at her home. Ridley was sentenced to seven and a half years in prison.

Computer as the target:

Let us now examine some of the acts where the computer is the target for an unlawful act. It may be noted that in these activities the computer may also be a tool. This kind of activity usually involves sophisticated crimes usually out of the purview of conventional criminal law. Some examples are:

Unauthorized access to computer systems or networks:

This activity is commonly referred to as hacking.

Hacking refers to all means of securing unauthorised access to a computer or computer network.

Packet sniffing, tempest attacks, password cracking, buffer overflows, email interception and Trojans are common techniques used by hackers for obtaining unauthorised access. The contemporary concept of unauthorized access is sometimes compared to the traditional law of trespass. However, in most countries, this traditional law concept cannot be stretched to protect information stored in computers, particularly against “recreational” hackers who are primarily motivated by a desire to beat the challenge offered by secure code or a wish to show up shortcomings in security without committing any crime or causing any damage. These hackers have been spared because the statutes require an actual physical intrusion into a tangible physical area; they cannot be used to prosecute a hacker who metaphorically “breaks into” a computer system. While the computer system is itself a form of real world property, and while the hacker does in a sense “enter into” that system, the concepts traditionally used to operationalize the trespass crimes simply do not apply to the hacker’s conduct. A hacker who breaks into a system for nefarious purposes, to achieve certain goals such as financial gain, sabotage or revenge, is not so spared, as the resultant offence motivates the justification for convicting him.

Internet time thefts:

This connotes the use by an unauthorized person of the Internet hours paid for by another person.

An example is where Bajuwa asked an ISP official (Bolu) to come and set up his Internet connection. For this purpose, the ISP official needed to know his username and password. After having set up the connection, he went away knowing Bajuwa’s username and password. He then sold this information to another (Wole). One week later Bajuwa found that his Internet hours were almost over.

Under section 390 of the Nigerian Criminal Code, 382. Every inanimate thing whatever which is the property of any person, and which is movable, is capable of being stolen

Perhaps an offence could be proved under section 484 of the Criminal Code. It states:

“Any person (Bolu and probably Wole) who, with intent to defraud (Wole could be exonerated if no intent can be proved) any person, falsely represents himself to be some other person living or dead, is guilty of a felony …” This is clumsy, and our criminal laws must be amended to specifically take care of this crime.

Web jacking:

This occurs when someone forcefully takes control of a website (by cracking the password and later changing it). The actual owner of the website does not have any more control over what appears on that website.

In a recent incident reported in the USA the owner of a hobby website for children received an e-mail informing her that a group of hackers had gained control over her website. They demanded a ransom of 1 million dollars from her. The owner, a schoolteacher, did not take the threat seriously. She felt that it was just a scare tactic and ignored the e-mail.

It was three days later that she came to know, following many telephone calls from all over the country, that the hackers had web jacked her website. Subsequently, they had altered a portion of the website which was entitled 'How to have fun with goldfish'.

In all the places where it had been mentioned, they had replaced the word 'goldfish' with the word 'piranhas'. Piranhas are tiny but extremely dangerous flesh-eating fish. Many children had visited the popular website and had believed what the contents of the website suggested. These unfortunate children followed the instructions, tried to play with piranhas, which they bought from pet shops, and were very seriously injured! I am unable to find a specific law against this act in our laws.

Cybersquatting

This is the act of reserving a domain name on the Internet, especially a name that would be associated with a company's trademark, and then seeking to profit by selling or licensing the name to the company that has an interest in being identified with it. In the real world, if you reserve a name at the Corporate Affairs Commission, and later register that name, nobody else can use it without your consent. The same scenario can be played out in the virtual world. If you own a trademark and find that someone is holding it hostage as a domain name until you pay a large sum for it, you may be the victim of cybersquatting. No offence is committed, but ethical issues can arise.

Email bombing:

A simple way of achieving this would be to subscribe the victim’s email address to a large number of mailing lists. Mailing lists are special interest groups that share and exchange information on a common topic of interest with one another via email. Mailing lists are very popular and can generate a lot of daily email traffic, depending upon the mailing list. Some generate only a few messages per day; others generate hundreds. If a person has been unknowingly subscribed to hundreds of mailing lists, his incoming email traffic will be too large and his service provider will probably delete his account.

There are several hacking tools available to automate the process of email bombing. These tools send multiple emails from many different email servers, which makes it very difficult for the victim to protect himself or for the suspect to be traced.

Salami attacks:

These attacks are used for the commission of financial crimes. The key here is to make the alteration so insignificant that in a single case it would go completely unnoticed. E.g. a bank employee inserts a program, into the bank's server, that deducts a small amount of money (say N1 a month) from the account of every customer. No account holder will probably notice this unauthorized debit, but the bank employee will make a sizable amount of money every month.

To cite an example, an employee of a bank in the USA was dismissed from his job. Disgruntled at having been supposedly mistreated by his employers, the man first introduced a logic bomb into the bank's systems.

Logic bombs are programmes which are activated on the occurrence of a particular predefined event. The logic bomb was programmed to take ten cents from all the accounts in the bank and put them into the account of the person whose name was alphabetically the last in the bank's rosters. Then he went and opened an account in the name of Ziegler. The amount being withdrawn from each of the accounts in the bank was so insignificant that neither any of the account holders nor the bank officials noticed the fault. It was brought to their notice when a person by the name of Ziegler opened his account in that bank. He was surprised to find a sizable amount of money being transferred into his account every Saturday.

This crime is traditionally fraud, forgery or perhaps stealing. The challenge for the prosecutor, though, is proving the identity of the man who introduced the logic bomb in the first place, how he had access to the bank’s system, and so on. If the proceeds can be traced, then the arduous task of proving that money was stolen by the fraudster is made lighter.
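The pattern in the Ziegler account above (many accounts, each debited a tiny identical amount, all feeding one beneficiary) is something an auditor can search a transaction ledger for, and tracing the proceeds this way supports the proof discussed above. The following is an added example, not part of the original article; the ledger layout, account names, dates and thresholds are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal


def build_sample_ledger():
    """Constructed ledger rows: (date, debit_account, credit_account, amount)."""
    ledger = []
    customers = [f"ACC{n:03d}" for n in range(1, 41)]
    # The skim: ten cents from every account to one beneficiary, on Saturdays.
    for day in ["2009-03-07", "2009-03-14", "2009-03-21"]:
        for acc in customers:
            ledger.append((day, acc, "ZIEGLER", Decimal("0.10")))
    # Ordinary traffic: a utility collecting bill payments of varying size.
    for i, acc in enumerate(customers[:30]):
        ledger.append(("2009-03-10", acc, "UTILITY", Decimal("35.00") + i))
    # Ordinary traffic: isolated person-to-person transfers.
    ledger.append(("2009-03-11", "ACC001", "ACC002", Decimal("0.10")))
    ledger.append(("2009-03-12", "ACC003", "ACC004", Decimal("250.00")))
    return ledger


def find_salami_beneficiaries(ledger, max_amount=Decimal("1.00"),
                              min_sources=20,
                              min_uniform_share=Decimal("0.9")):
    """Flag accounts credited by many distinct accounts with tiny,
    near-identical amounts. Thresholds are illustrative assumptions."""
    small = defaultdict(list)  # beneficiary -> [(source, amount)]
    for _date, src, dst, amount in ledger:
        if amount <= max_amount:
            small[dst].append((src, amount))

    findings = []
    for dst, rows in small.items():
        sources = {src for src, _ in rows}
        if len(sources) < min_sources:
            continue  # a few small credits are normal; breadth is the signal
        counts = defaultdict(int)
        for _, amount in rows:
            counts[amount] += 1
        common_amount, hits = max(counts.items(), key=lambda kv: kv[1])
        # Share of small credits that carry the single most common amount.
        if Decimal(hits) / len(rows) >= min_uniform_share:
            findings.append({
                "beneficiary": dst,
                "distinct_sources": len(sources),
                "typical_amount": common_amount,
                "total": sum(a for _, a in rows),
            })
    return sorted(findings, key=lambda f: f["total"], reverse=True)


if __name__ == "__main__":
    for finding in find_salami_beneficiaries(build_sample_ledger()):
        print(finding)
```

The single ten-cent transfer to ACC002 and the utility's larger collections are not flagged: the signal is the combination of small size, uniform amount and a large number of distinct source accounts.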

Denial of Service attack (DoS):

This is the name given to attacks involving hackers preventing the normal flow of Internet traffic to a web site or e-Business. The suspect initiates it by sending excessive demands to the victim's computer(s), exceeding the limit that the victim's servers can support and making the servers crash. These attacks may be launched using one single computer. Another variation on a typical denial of service attack is known as a Distributed Denial of Service attack, where the perpetrators are many and are geographically widespread. It is very difficult to control such attacks. Usually these attacks do not require access to anyone’s system. The attack causes the web server to crash, thereby denying authorized users the service offered by the server. Denial-of-service attacks have had an impressive history having, in the past, brought down websites like Amazon, CNN, Yahoo and eBay!

Virus / worm attacks:

One major concern when you are accessing the Internet to transfer or receive files is infection of your computers by viruses. They can be put into a system by someone intending to cause harm, or they can be innocently transferred by a user who has an infected disk. A virus is simply a program that attaches itself to some other program or data file.

It may be programmed to do great harm to its new computer host or it may be programmed to provide a silly message that pops up on your screen. At the least, it can be irritating; at the worst, it can completely disable your computer.

You catch a virus by loading a program or a data file onto your computer from an external source, usually a CD or floppy disk or from the Internet.

Trojan Horses

Unlike viruses, Trojan horses don't usually replicate themselves; instead they hide their true intent behind something benign.

Trojan horses usually present themselves as a harmless program like a game, joke or screensaver; only once you download and run the program do you activate the Trojan horse. Trojan horses are designed primarily to give hackers remote control of your computer, but they can also do a number of other malicious things.

They may send themselves to everyone in your address book.

They may erase or alter your files.

They may steal your data including credit card details.

They may install a virus or download another Trojan horse program which can steal your passwords.

The Back Orifice Trojan

This program allowed a hacker to control a person's computer and was thought to have infected over 100,000 computers when it was launched in 1998. It arrived disguised as a program attached to an email, but once the program was run it allowed a remote operator on the internet complete control over the computer - anything the user could do at the keyboard, so could the hacker - and its stealth capabilities meant that a user was oblivious to the fact that they had installed Back Orifice on their computer.

In 2000 an updated, more advanced version was relaunched by its creators, called the Cult of the Dead Cow. There are no figures on actual numbers of those infected or the damage it has done, but if a hacker wanted to, they could steal secret documents or destroy data from your computer using the Back Orifice Trojan.

Prevention

As with all viruses and forms of infection like Trojan horses, prevention is the best cure. If you install a firewall, configure it properly and use anti-virus software, you severely limit the risk of infection.

Worms

A worm is closely related to a virus. Worms, unlike viruses, do not need a host to attach themselves to. They merely make functional copies of themselves and do this repeatedly until they eat up all the available space in a computer's memory.

Worms can damage or compromise your network security, though their main aim is to spread as far as possible in the fastest possible time. Many worms arrive disguised as a joke program, a piece of software or an e-mail message.

The love bug worm: The infamous love bug message of 2000 originated from Manila, Philippines and spread in the form of an email from a family member or friend with the message 'I love you' showing up in the subject box. If the recipient opened up the attached love letter, they activated a virus that would then delete their image and music files. The worm also installed a Trojan horse which then stole their passwords. The results were catastrophic, as the worm sent itself to every person in an address book and to any computers attached to the network. It clogged up computer systems across the world.

Prevention: it is advisable to invest in anti-virus software, from a trusted source. Good programs will be constantly updated as new viruses are created on a daily basis so you can scan your machine regularly for new viruses.

Logic bombs

Also referred to as time bombs, logic bombs are code written or inserted into a program and designed to cause some destructive or security-compromising activity whenever specified conditions are met. Logic bombs wait for a pre-designated time or event to occur, such as midnight, to strike, and then wreak havoc on the system, usually destroying data. A simple logic bomb may trigger when a dismissed employee's name is deleted from payroll records.

On one occasion in the United States a former System Administrator was charged after he planted a Logic Bomb in the computer system of the company where he was employed. When the bomb went off, it caused the firm an estimated $10 million in damage.

Time bombs can be harmless in some situations. For example, Butterworth’s books-on-screen software, used to access cases, laws and precedents, is time bomb activated: an annual subscriber receives a replacement CD every month, when the current CD in use expires. The problem with this is that if you are unable to renew after the first year you are left with 12 time-bombed CDs. You could request a CD that is not time bomb dependent. If you originally purchased the package from Butterworth’s in England, they could oblige, but they remind you that the licence does not include handing out CDs without protection.

Prevention

Fortunately most logic bombs can be detected and eliminated before they go off if you regularly scan all your computer files using the latest anti-virus software.

Proof

The main problem that confronts a prosecutor is that the commission of a crime imports something physical, tangible and visible, whereas a computer-related crime not only violates traditional objects in the form of new media but also involves intangible objects, e.g. computer programs. Instead of stretching the wording of already existing penal provisions, many countries have enacted new laws fighting computer-related crime, and some countries have modified their definitions quite considerably (e.g. replacing the word “document” with the words “document or electronic record” etc.).

There is often a lack of parity in understanding the technical details associated with electronic evidence between prosecution and defence. The relative infrequency or non-existence of cases that hinge upon electronic evidence, and the lack of experience in this area on the part of most lawyers, contribute to this lack of parity. We see that lawyers lacking the technical understanding of digital issues are not able to argue the merits of the digital evidence.

In England, one Mr Caffrey was charged to court for unauthorised modification of computer material. It was alleged that on 20 September 2001, he launched an attack on one of the US's biggest ports, bombarding its computer system with thousands of electronic messages. It froze the port's web service, which contained vital data for shipping, mooring companies and support firms responsible for helping ships navigate in and out of the harbour.

Mr Caffrey admitted being a member of a group called Allied Haxor Elite and hacking into computers for friends to test their security. But he insisted he was not responsible for the attack on the port of Houston.

Both the defence and prosecution acknowledged that the attack had come from Mr Caffrey's computer.

The case hinged on whether the jury believed the defendant's argument that his computer had been taken over by a hacker using a Trojan horse program.

A forensic examination of Mr Caffrey's PC had found no trace of a hidden program with the instructions for the attack.

The verdict was that the prosecution case failed to convince the jury that the teenager was responsible for the attack.

"The Caffrey case suggests that even if no evidence of a computer break-in is unearthed on a suspect's PC, they might still be able to successfully claim that they were not responsible for what their computer does, or what is found on its hard drive."

The Trojan defence has been successfully used in the UK courts before.

In July, a man was cleared of possessing child porn when a number of Trojan horses were discovered on his computer.

Experts say the Caffrey case could prompt a review by police of how to present evidence before a jury in computer crime cases.

Just as important is ensuring that judges, barristers, lawyers and prosecutors are knowledgeable enough to handle the electronic evidence that does make it to trials. As it stands now, most of these judicial officers are not as educated as they could be in dealing with such evidence.

Securing Websites

A costly problem that plagues corporations and on-line vendors arises when culprits gain access to their websites to commit one crime or the other. This happens when there is a security lapse.

They must endeavour to secure their Web server and the files that it contains, and also provide some assurance of the integrity of the information that travels between their Web server and the end user.

All sensitive information must be protected adequately from the risk of being intercepted by hackers and computer criminals.

Securing the Web server itself can usually be accomplished by using standard computer security techniques, such as authentication mechanisms and intrusion protection devices. Gatekeepers and digital locks can also secure networks on which these servers reside.

The more complicated problem is securing information in transit between the server and the end user. The only sure way to secure this data is through encryption: encoding the transmitted information so that only an authorised recipient with the proper key can decode and read it, as in SET (Secure Electronic Transactions).

Digital Signatures

The best way to verify identity is via the use of digital signatures. This technology also relies on the use of encryption keys to encode and decode a message. In this case, a private key is used to sign a message or piece of data, and a public key is used to verify the signature after it has been sent. The public key might be published in a directory or otherwise made available to other users.

These digital signatures will undoubtedly play a major role in preventing impersonation during e-commerce transactions.

Access Control Software

Access control software closes password loopholes. This software restricts users, individually identified by password and codes, to only those files they are authorised to use.

Firewalls

A firewall consists of hardware and / or software designed to insulate an organisation's internal network from the Internet. Firewall software gives access only to trusted Internet addresses and scrutinises data for irregularities or signs of danger. Ideally firewalls are configured so that all connections to an internal network go through relatively few well-monitored locations. Firewalls can sometimes be used to protect the Web server, but most companies set up public Web sites outside the firewall to make them more easily accessible to those trying to buy their products.

The international cooperation

The criminal justice systems and international cooperation have not kept pace with technological change. Only a few countries have adequate laws to address the problem, and of these, not one has resolved all of the legal, enforcement and prevention problems.

When the issue is elevated to the international scene, the problems and inadequacies are magnified. Computer crime is a new form of transnational crime and effectively addressing it requires concerted international cooperation. This can only happen, however, if there is a common framework for understanding what the problem is and what solutions there may be.

Some of the problems surrounding international cooperation in the area of computer crime and criminal law can be summarized as follows:

The lack of global consensus on what types of conduct should constitute a computer-related crime;

The lack of global consensus on the legal definition of criminal conduct;

The lack of expertise on the part of police, prosecutors and the courts in this field;

The inadequacy of legal powers for investigation and access to computer systems, including the inapplicability of seizure powers to intangibles such as computerized data;

The lack of harmonization between the different national procedural laws concerning the investigation of computer-related crimes;

The transnational character of many computer crimes;

The lack of extradition and mutual assistance treaties and of synchronized law enforcement mechanisms that would permit international cooperation, or the inability of existing treaties to take into account the dynamics and special requirements of computer-crime investigation.

The need for global action

Much of the international work has so far been centered in western European and OECD countries; the potential extent of computer crime is as broad as the extent of the international telecommunication systems. All regions of the world must become involved in order to prevent this new form of criminality.

Ensuring the integrity of computer systems is a challenge facing both developed and developing countries. It is predicted that within the next decade, it will be necessary for developing nations to experience significant technological growth in order to become economically self-sufficient and more competitive in world markets. As dependence on computer technology grows in all nations, it will be crucial to ensure that the rate of technological dependence does not outstrip the rate at which the corresponding social, legal and political frameworks are developing. It is important to plan for security and crime prevention at the same time that computer technology is being implemented.

Conclusion

Computer information, which is the main object of computer crime, is characterized by an extreme mobility, which exceeds by far the mobility of persons, goods or other services. International computer networks can transfer huge amounts of data around the globe in a matter of seconds, thus enabling the use of a computer based in one country with the results surfacing in another.

[i] PRESENTED AT THE 1ST ANNUAL CONFERENCE ON CYBER SECURITY BY THE ANTI-MONEY LAUNDERING AND CYBER SECURITY COALITION, NATIONAL ASSEMBLY-THEME: COMBATING CYBER CRIMES IN THE 21ST CENTURY: WHAT ARE THE CHALLENGES? 4TH – 5TH MAY, 2009

[ii] POOLS BETTING AND CASINO GAMING (PROHIBITION) ACT REPEAL ORDER S.I. 29 2007
