
The Dark Ages: “Sorry we do not accept credit or debit card payments here!”
The Interplay between Identity Theft and Card Fraud

IDENTITY THEFT

1. Identity theft is the deliberate and unlawful use of the personal information of another person to commit a criminal offence including theft or fraud. Jamaica’s National Cyber Security Strategy (“the Strategy”) declares that “identity theft is the most profitable form of cybercrime.” 1 This declaration was partly based on the United Nations Office of Drugs and Crime estimate that identity theft generates approximately US$1 billion per year in revenue on a global basis. 2

PERSONAL OR IDENTITY INFORMATION

2. Locally, personal information is described as identity information. Identity information may include, inter alia, names, addresses, email addresses, signatures, electronic signatures, credit card numbers, debit card numbers or any other unique personal identification number (PIN) or password used, alone or together, to identify a person. 3 The person may be dead or alive.

HIGH COMMODITY ITEM

3. Today, businesses routinely harvest and store, electronically, sensitive identity information of their customers. The advantage to businesses is evident: they have large amounts of exploitable identity information readily accessible to them. However, this identity information is also a potential treasure trove for unscrupulous persons. It is, therefore, unsurprising that identity information has become, to borrow the language of the Strategy, a high commodity item to cybercriminals. 4

CARD FRAUD

4. One manifestation of the exploitation of identity information by cybercriminals is credit/debit card fraud. Traditionally, fraudsters mainly perpetrated this crime by skimming the card and cloning it. The process involved the use of a device to read and copy the information contained on the magnetic strip affixed to the back of the card. The skimming device is usually affixed to a Point of Sale Machine, Automated Banking Machine or supplied to the wait staff at a Restaurant or Pump Attendant at the Gas Station. The information is then transferred to another card enabling the fraudster to conduct fraudulent transactions in the name of the actual cardholder.

1 National Cyber Security Strategy, accessed at mstem.gov.jm/sites/default/files/Jamaica%20National%20Cyber%20Security%20Strategy.pdf
2 ibid
3 Section 10 (3) of the Law Reform (Fraudulent Transactions) (Special Provisions) Act, 2013, accessed at moj.gov.jm/sites/default/files/laws/The%20Law%20Reform%20Fraudualent%20Transactions%29%28Special%20Provisions%29%20Act%20%282013%29.pdf
4 National Cyber Crime Strategy, ibid

THE WORLD OF BIG DATA

5. The advent of big data has changed the game. The modern trend is towards the centralization of large amounts of sensitive identity information on various online platforms. The cyber criminal no longer requires the physical card to clone it. He ‘simply’ hacks into these treasure troves of identity information. Two fairly recent data breaches illustrate the value of big data to the cybercriminal.

6. The Equifax data breach exposed the identity information of 143 million American consumers. The cybercriminals accessed consumers’ names, social security numbers, birth dates and addresses stored on the credit agency’s platform. They also accessed the credit card numbers of 209,000 consumers. 5 This breach occurred between May, 2017 and July, 2017.

7. Similarly, in 2013, cyber criminals hacked the Point of Sale system of discount retailer Target. Target initially reported that the cybercriminals stole credit and debit card information of 40 million persons who shopped at Target stores between November 27, 2013 and December 15, 2013. Subsequently, as the investigation progressed, Target advised that the cybercriminals accessed the identity information and card data of another 70 million shoppers over the period. 6

8. In both data breaches the cybercriminals accessed the identity information required to effectively assume the identity of another person. Consequently, the cybercriminal is enabled to execute fraudulent transactions online even where the site requires other personal information (such as the social security number or date of birth) in addition to the credit card information to authenticate the transaction. Unfortunately, cybercriminals are no longer limited to the information contained on the magnetic strip of a card.

THE EXTENT OF CORPORATE RESPONSIBILITY OR LIABILITY FOR DATA BREACHES

9. In 2005 the Fair Trade Commission of the United States began bringing administrative action against companies with allegedly deficient cyber security that failed to protect consumer data. The Commission brought the action under “the unfair or deceptive acts or practices in or affecting commerce” provision of the Fair Trade Commission Act. The Commission’s authority to initiate these actions was challenged by Wyndham Worldwide Corporation (“Wyndham”). 7

5 “Credit Firm Equifax says 143m Americans Social Security Numbers exposed in hack”, The Guardian accessed at https://www.theguardian.com/us-news/2017/sep/07/equifax-credit-breach-hack-social-security
6 “Target Says up to 70 Million More Customers were hit by Dec Data Breach”, The Washington Post accessed at https://washingtonpost.com/business/economy/target-says-more-than-70-million-customers-were-hit-by-dec-databreach-more-than-first-reported/2014

10. The Commission filed a suit against Wyndham after it was hacked three times between 2008 and 2009. The hackers successfully accessed Wyndham’s computer systems obtaining payment card information of 619,000 consumers. This resulted in at least US$10.6 million in fraud loss. Consequently, the Commission alleged that since April 2008, Wyndham engaged in “unfair security practices that when taken together unreasonably and unnecessarily exposed consumer’s personal data to unauthorized access and theft.” 8

11. The Commission based its claim on remediable weaknesses in Wyndham’s cyber security apparatus that were inconsistent with representations contained in its privacy policy. For instance, Wyndham failed to use firewalls at critical network points, it did not use any encryption for certain customer files (allowing payment information to be stored in readable text) nor did it require users to change default passwords (the first port of call for hackers). 9

12. Of course, Wyndham appealed, questioning the Commission’s authority to regulate cyber security under the unfairness prong of the Act. On Monday, August 24, 2015, the United States Court of Appeals for the Third Circuit affirmed the District Court for the District of New Jersey by holding that the Commission had the authority to regulate cyber security as it contended. 10 Wyndham eventually settled the charges with the Commission.

13. The wrath of the Commission is one aspect of liability faced by these companies. They are also faced with class action law suits and the cost of reimbursing fraudulent charges that resulted from the data breaches. The financial cost to these companies is potentially debilitating. However, these financial costs pale in comparison to the long term reputational harm faced by these companies as a result of these cyber attacks.

THE JAMAICAN COUNTER ATTACK

14. The local legislative response to the threat of cybercriminals is contained in the Cybercrimes Act, 2015. For present purposes the focus will be limited to section 8 of the Act. The section provides that a person commits an offence if that person fraudulently, with intent to secure an advantage for himself or another person,
a) causes loss to another by inputting, altering, deleting or suppressing any data or interfering with a computer; or
b) by accessing a computer and intentionally altering, deleting or suppressing any data stored in a computer with the intention that the “altered data” will be treated as the original data. 11

7 Federal Trade Commission v Wyndham Worldwide Corporation et al, accessed at www2.ca3.uscourts.gov/opinarch/143514.pdf
8 ibid
9 ibid
10 ibid

15. There are two courses available to Prosecutors. A prosecution may be pursued under section 8(1) (a) where it may be proved that a person suffered loss of property due to the interference with the function of the computer or any data contained on it. Alternatively, where loss is difficult to establish, section 8 (1) (b) enables the Prosecution to show that the person deliberately altered data intending to mislead. Of course, the use of fraudulently in the section must not be overlooked. It requires the Prosecution to show that the person acted intentionally and deliberately, without mistake. 12

16. The provisions of the Law Reform (Fraudulent Transactions) (Special Provisions) Act may also be deployed in the fight against cybercriminals. The following activities are outlawed by it:
a) stealing, forging or falsifying access devices; 13
b) possessing, using or trafficking an access device, whether genuine or forged, knowing that it was obtained, altered or forged unlawfully (it is immaterial whether the unlawful conduct took place in Jamaica or elsewhere); 14
c) fraudulently possessing, using, trafficking in or permitting another person to use data from an access device that would enable the other person to benefit from the services provided by the issuer of the access device; 15
d) making, repairing, buying, selling, possessing or distributing, without lawful excuse, any device used for copying data from an access device or forging the access device; 16
e) knowingly obtaining and possessing identity information of others in circumstances which give rise to a reasonable inference that it was intended to commit an offence against any law; 17
f) transmitting, distributing, selling or making available the identity information of others in circumstances which give rise to a reasonable inference that it was intended to commit an offence against any law. 18

11 The Cybercrimes Act, 2015 accessed at www.japarliament.gov.jm/atachments/article/341/The%20Cybercrimes%20Act%202015-final%20No.31.pdf
12 R v Williams 1 QB 660
13 section 8(1)(a) and (b)
14 section 8(1)(c)
15 section 8(2)
16 section 9(a) and (b)
17 section 10(1)
18 section 10(2)


17. The Act defines access devices as, inter alia, any card, plate, code, account number, personal identification number and any other means of access that can be used alone or with another device to obtain a benefit or thing of value or that may be used to initiate the transfer of money. 19

CONCLUSION

18. In this era of big data, identity theft offences will remain a feature of this ultra-modern existence. Consequently, it is imperative that business leaders and consumers remain knowledgeable of the risks that exist and how best to combat them. Failing this, many of us could find ourselves without identities.

19 Section 2 of the Law Reform (Fraudulent Transactions) (Special Provisions) Act, 2013

