it law ass..final

8/7/2019 IT LAW ASS..final

1/22

CREDIT CARD FRAUD IN THE UK 2010

1

1. INTRODUCTIONInformation technology has done a lot to improve and make our life better, but at the same time

it has brought tears and pains to illiterate and less fortunate people. In terms of technology for

instance; internet, internet has created a lot of millionaires and billionaires within the past years

and more to come, but at the same time it has brought a lot of people tears and discomfort.

Discomfort in such a way that the people loss their property to cybercriminals.

As more aspects of our life move to digital networks, crime comes with them. Our lives

increasingly depend on the Internet and digital networks, but these create new vulnerabilities and

new ways for criminals to exploit the digital environment. Not only can many existing crimes be

replicated in online environments, but novel crimes that exploit specific features of digital

networks have emerged as well. With new crimes come new forms of policing and new forms of

surveillance, and with these come new dangers for civil liberties. These issues are the subject of

the present book. The shift to digital environments alters our understanding of crime in five

different ways. First, it alters the scene or location where crimes occur. Second, it facilitates the

commission of new types of crimes. Third, it produces significant changes in law enforcement

methods, for example, a shift to prevention and to new forms of cooperation between public and

private actors. Fourth, it gives law enforcement new tools of digital surveillance and new

methods of sorting data and managing online risks. Fifth, it presents new challenges to the

existing legal process and spurs the development of new forms of proof and procedure. We have

arranged the essays in this book to correspond to these five key phenomena: the new scenes of

crime, the new forms of crime, the new methods of law enforcement, the new tools of digital

surveillance and crime prevention, and the new procedures that courts and legislatures will have

to adopt to deal with threats to Internet security.

Criminology has been rather slow to recognize the importance of cyberspace in changing the

nature and scope of offending and victimization, and a comprehensive introductory textbook on

cybercrime and its social implications is long overdue. One of the many strengths of cyber law is

that it avoids 'tetchy' jargon and unites criminological and sociological perspectives in

discussions of cybercrime, cyber-deviance and cyber-freedoms.


2/22


2

Cybercrime and Society provides a clear, systematic, critical introduction to current debates

about cybercrime. It locates the phenomenon in the wider contexts of social, political, cultural

and economic change. It is the first book to draw upon perspectives spanning criminology,

sociology, law, politics and cultural studies to examine the whole range of cybercrime issues,including:

1.1 TYPES OF CYBERCRIMES

y computer hackingy cyber-terrorismy media 'piracy'y financial fraud and identity thefty online stalkingy hate speechy pornographyy surveillance


3/22


3

2. OBJECTIVEThe main aim and object of this well researched project is to evaluate the misuse of technology

to be prcised information technology for mischievous purposes. So this project is supposed to

achieve a well stated set of laws, crime and its punishment based on international or national law.

Not forgetting the fact that law changes with time or for a course, which is known as

amendment, sometimes the punishment is reduce or increased, sometime added to it. So in this

case one of the objectives of this research is to gather all the information needed to explain why

the law was amended.

Most importantly, the explanation of how the cyber criminology is organized and the processes

involved in it. Processes like digitization, anonymity, decentralization and interdependence.

The first is digitization which is a common standard for data transmission that enable

manipulation and modification. The second is anonymity, the ability to act and spy on others

without disclosing ones identity. The third is interconnectivity, the fact that everyone on the

network is connected to everyone else. The fourth is decentralization, the lack of centralized

control over digital networks. The fifth is interdependence, the shared vulnerabilities that

inevitably exist between and among all the people who use digital networks. Digitization,

anonymity, interconnectivity, decentralization, and interdependence structure the online world as

we currently know it. Hence they structure the opportunities for crime and the ways that people

commit crimes and breach network security. However, the task of cybercrime policy is not

simply to create new laws banning new practices. It also requires us to redesign digital

architectures to reduce the risk of criminal conduct and security breaches in the first place; this

requires policy makers and technologists to decide how we should shape the digital networked

environment.


4/22


4

3. CYBER CRIMES IN UNITED KINGDOMWe picked UK for this research because UK was recorded to have the highest number of credit

card fraud and the number of credit card users is higher in UK. Below is the graph representing

the usage of credit card and the fraud associated with it based on the internet usage.

People that never use the internet can be the victims of credit fraud too, so basically sometimes it

is not only those that surf that get hooked, even a harmless tender of information via telephone

can put you at risk. Technically the credit card agency can be hacked and in this case whether

you are an internet user or not or you have never used your card online it is still going to affect

you.


5/22


5

The figure above shows the increment in credit card fraud and the comparison of credit card

fraud with other cybercrimes, as you can see the pick at which credit card fraud grow is far more

elastic than the other cyber crimes.

3.1 REASONS BEHIND CREDIT CARD FRAUD.

Poverty: Living in unfortunate conditions/broke. Many people tends illegally develop ways ofmaking their ends meet, and one of the ways, happened to be credit card fraud. So we can saypoverty can be a motivation for somebody to indulge in cyber crime.

Desperation: They are in need of money, perhaps to pay off debt or in a quest to get rich.Desperate people can go to any length to get whatever. So in this case, many people involve incredit card fraud to get rich and live the life of a king. Desperation can be a motive for couragebut when it is done illegally, then that becomes a crime and when it is done online its cybercrime.

Just for fun (Justification):For absolutely no particular reason, so they do it because they knowthey can. People under this category, do cyber crime to prove a point or display of skills.

Evil: Some people are just born with the spirit of destruction and infliction of pains to other andthis is also known as evil. So evil is one of the things that create indulgence in the participationof cyber crime.


6/22


6

Revenge: Because it was done to them, so they want pay back and will do it to others.

3.2 CREDIT CARD FRAUD:

The term credit card fraud is generally referred to the theft and fraud committed using a credit

card or any similar payment contrivance as a fraudulent source of funds in a transaction.

It maybe for the purpose of obtaining goods without paying, or to obtain illegal funds from an

account

Credit card fraud involves;

y Stolen cardsy Compromised accountsy Card not Presenty Identity theft

- Application fraud

- Account takeover

y Skimmingy Cardingy BIN attacky Fraudulent charge-back schemes

They are a lot of things that leads to credit card fraud and in this particular section we are going

to be explaining them in a short but explanatory way.

3.2.1 Identity TheftIdentity crime is a generic term for identity theft, creating a false identity orcommitting identity fraud.

Criminals commit identity theft by stealing your personal information and then

pretending to be you. This is often done by taking documents from your rubbish or by

making contact with you and pretending to be from a legitimate organization.


7/22


7

The difficulty has always been that the money is stolen from the credit card company and

not the consumer. Only if the credit card company fails to respect the chargeback can the

consumer take any action, and in that case, the action is against the credit card company

and not the person who perpetrated the fraud.

Once a criminal has the information he needs he could for example:

apply for a credit card in your name; open a bank or building society account in your name; apply for other financial services in your name; run up debts (e.g. use your credit/debit card details to make purchase) or

obtain a loan in your name; apply for any benefits in your name (e.g. housing benefit, new tax credits,

income support, job seekers allowance, child benefit);

apply for a driving license in your name; register a vehicle in your name; apply for a passport in your name; or Apply for a mobile phone contract in your name.

3.3 Identity fraud

3.3.1 Application fraud

Application fraud happens when a criminal uses stolen or fake documents

to open an account in someone else's name. Criminals may try to steal

documents such as utility bills and bank statements to build up useful

personal information. Or they may create counterfeit documents

3.3.2 Account takeover

Account takeover happens when a criminal tries to take over another

person's account, first by gathering information about the intended victim,

then contacting their card issuer masquerading as the genuine cardholder,

and asking for mail to be redirected to a new address. The criminal then

reports the card lost and asks for a replacement to be sent. Some

merchants added a new practice to protect their consumers and their own


8/22


8

reputation, where they ask the buyer to send a photocopy of the physical

card and statement to ensure the legitimate usage of a card.

In the UK, credit cards are regulated by the Consumer Credit Act

1974 (amended 2006

3.4 Skimming

Skimming is the theft of credit card information used in an otherwise legitimate

transaction. It is typically an "inside job" by a dishonest employee of a legitimate

merchant. The thief can procure a victims credit card number using basic methods

such as photocopying receipts or more advanced methods such as using a smallelectronic device (skimmer) to swipe and store hundreds of victims credit card

numbers. Common scenarios for skimming are restaurants or bars where the skimmer

has possession of the victim's credit card out of their immediate view. The thief may

also use a small keypad to unobtrusively transcribe the 3 or 4 digit Card Security

Code which is not present on the magnetic strip. Instances of skimming have been

reported where the perpetrator has put a device over the card slot of an ATM

(automated teller machine), which reads the magnetic strip as the user unknowingly

passes their card through it. These devices are often used in conjunction with a

pinhole camera to read the user's PIN at the same time. This method is being used

very frequently in Europe

3.5 How Skimming Work?

Skimming works on the principle that anyone inserting a credit or debit card into

an ATM (Automatic Teller Machine) can have their details scanned from the

magnetic strip on the rear of the card in question.

Built into this false front panel is a magnetic card reader - known as a skimmer -as well as a small webcam or digital camera which is used to take the still imageor moving video of the card owner as they enter in their PIN (PersonalIdentification Number).

It may sound like the stuff of television or movie fiction but it does happen andover the last five years the instances of skimming in the United Kingdom haveincreased quite dramatically.


9/22


9

Skimming device.

3.6 Carding

Carding is a term used for a process to verify the validity of stolen card data. The thief

presents the card information on a website that has real-time transaction processing. If the

card is processed successfully, the thief knows that the card is still good. The specific

item purchased is immaterial, and the thief does not need to purchase an actual product; a

Web site subscription or charitable donation would be sufficient. The purchase is usually

for a small monetary amount, both to avoid using the card's credit limit, and also to avoidattracting the card issuer's attention. A website known to be susceptible to carding is

known as a card able website.

In the past, carders used computer programs called "generators" to produce a sequence of

credit card numbers, and then test them to see which valid accounts were. Another

variation would be to take false card numbers to a location that does not immediately


10/22


10

process card numbers, such as a trade show or special event. However, this process is no

longer viable due to widespread requirement by Internet credit card processing systems

for additional data such as the billing address, the 3 to 4 digit Card Security Code and/or

the card's expiration date, as well as the more prevalent use of wireless card scanners that

can process transactions right away Nowadays, carding is more typically used to verify

credit card data obtained directly from the victims by skimming or phishing.

A set of credit card details that has been verified in this way is known in fraud circles as

a phish. A carder will typically sell data files of the phish to other individuals who will

carry out the actual fraud. Market price for a phish ranges from US$1.00 to US$50.00

depending on the type of card, freshness of the data and credit status of the victim.

3.7 BIN attack

Credit cards are produced in BIN ranges. Where an issuer does not use random

generation of the card number, it is possible for an attacker to obtain one good card

number and generate valid card numbers by changing the last four numbers using a

generator. The expiry date of these cards would most likely be the same as the good card

3.8 Fraudulent Charge-Back schemes

There is a class of email spam (usually sent to commercial / corporate email addresses)

where the spammer makes an offer to purchase goods (usually not specifically identified)

from a vendor. In the email, the spammer makes it clear that they intend to pay for the

goods using a credit card. The spammer provides the shipping address for the goods, and

requests a product and price-list from the vendor in the initial email. It has been

speculated that this is some form of charge-back scheme, whereby the spammer is using a

valid credit card but intends to request a charge-back to reverse the charge while at the

same time retaining the goods that were shipped to them.


11/22


11

4. CASES OF CREDIT CARD FRAUD IN UK4.1UK Defendants Await Sentencing in Carding Scheme

Two U.K. men have pleaded guilty to charges related to an extensive payment card fraud

ring called DarkMarket busted by authorities in October 2008 as reported by Jeremy Kirk

of IDG News Service. Two U.K. men have pleaded guilty to charges related to the

infamous DarkMarket payment-card fraud ring busted by authorities in October 2008,

according to British police.

Renukanth Subramaniam, 33, and John Michael Francis McHugh, 66, both pleaded guilty

to conspiracy to defraud in Blackfriars Crown Court inL

ondon on Thursday.

DarkMarket was a highly organized, password-protected online forum where criminals

worldwide could buy and sell credit card numbers, a practice known as "carding." Since

its shutdown, more than 60 people have been arrested by law enforcement agencies in the

U.K., U.S., Germany, Turkey and other countries.

Subramanian was an "itinerant loner" who was allegedly observed selling lists of credit

cards near the Java Bean Internet Caf #233; in Wembley where he frequently accessed

the DarkMarket site, according to the Serious Organized Crime Agency (SOCA).

He used a memory stick to carry data around and seemed to think using Internet cafes

would help shield his activities, SOCA said.

Subramanian had no fixed address and frequently stayed with friends but had mortgaged

three houses, SOCA said. In the past, Subramanian had worked for Pizza Hut and a

dispatch company.

McHugh was arrested in December 2008 after investigators found he was allegedly

running a counterfeit credit card factory, SOCA said. McHugh, a retiree who lived inDoncaster, England, allegedly had details for more than 2,000 credit cards in his home

along with a "suite of images and logos" needed to produce fake cards.


12/22


12

1. Case: No love LostA case posted by John

Leyden from Enterprise Security states of a Nottinghamshire man

who attacked the website of London dating agency loveandfriends.com has avoided

imprisonment.

Matthew Byrne, 38, from Kirkby-in-Ashfield, Nottinghamshire, was given a suspended

sentence of eight months imprisonment, suspended for two years, at a sentencing hearing

at London's Southwark Crown Court on Tuesday. He was also sentenced to two years

supervision order after pleading guilty to computer hacking offences (unauthorized

modification of a computer contrary to section three of the Computer Misuse Act 1990)

at an earlier hearing in September.

Byrne was charged in May following a year-long investigation by officers at the

Computer Crime Unit at Scotland Yard over an August 2004 attack on love and

friends.com. He used brute force methods to find easily guessable passwords in order to

gain illicit access to four profiles on loveandfriends' database.

These profiles were subsequently defaced. Byrne then made demands for payment in

exchange for holding off on threats to delete the firm's database. Andy MacCabe,

managing director of love and friends, said at the time that the attacker only had member

level access to four profiles with weak passwords. The hacker did not at any time gainaccess to the loveandfriends financial database or web servers despite threats to the

contrary


13/22


13

5. LAWS AND REGULATIONS IN UK

5.1 COMPUTER MISUSE ACT

The Computer Misuse Act was introduced in 1990 to secure computer Material against

unauthorized access or modification. Three categories of criminal offences were established tocover the following conduct.

1. Unauthorized access to computer material (basic hacking) including the illicitcopying of software held in any computer. Penalty: Up to six months imprisonment orup to a 5,000 fine.

2. Unauthorized access with intent to commit or facilitate commission of furtheroffences, which covers more serious cases of hacking. Penalty: Up to five years ofimprisonment and an unlimited fine.

3. Unauthorized modification of computer material, which includes:

I. Intentional and unauthorized destruction of software or data;II. The circulation of infected materials on-line.

III. An unauthorized addition of a password to a data file.Penalty: Up to five years of imprisonment and an unlimited fine.

You must not:


14/22


14

Display any information which enables others to gain unauthorized access to computermaterial (this includes instructions for gaining such access, computer codes or otherdevices which facilitate hacking)

Display any information that may lead to any unauthorized modification of computermaterials (such modifications would include activities such as the circulation ofinfected software or the unauthorized addition of a password)

Display any material, which may incite or encourage others to carry out unauthorizedaccess to or modification of computer materials.

Credit and debit card fraud

The two pieces of legislation relevant to credit and debit card fraud are:

1. The Consumer Protection (Distance Selling) Regulations 2000(Statutory Instrument 2000 No.2334)

2. Financial Service (Distance Marketing) Regulations 2004(Statutory Instrument 2004 No.2095).

The former legislation states:

Payment by card

(2) Subject to paragraph (4), the consumer shall be entitled to be reaccredited, or

to have all sums returned by the card issuer, in the event of fraudulent use of his

payment card in connection with a contract to which this regulation applies by

another person not acting, or to be treated as acting, as the consumer's agent.

(3) Where paragraphs (1) and (2) apply, in any proceedings if the consumer

alleges that any use made of the payment card was not authorized by him it is for

the card issuer to prove that the use was so authorized.

(6) For the purposes of this regulation -


15/22


15

"card issuer" means the owner of the card; and

"payment card" includes credit cards, charge cards, debit cards and store cards.

Computer misuse Act

This part of the law targets DoS (Denial of Service) attackers with punishments up to 10

years in prison. The law clarifies Britain's Computer Misuse Act, because the old

legislation did not address DoS attacks specifically.

The original act only mentioned penalties for modifying content on a computer without

authorization. Because of the ambiguity in the old law, teenager David Lennon was

cleared of all charges after being accused of sending his former boss 5 million emails.

A DoS attack means flooding a server with huge quantities of data (such as emails or

server requests) until the server collapses. A DDoS attack (Distributed Denial of Service)

is a more advanced DoS attack, where more than one computer is used to send the data or

requests to the server. Both DoS and DDos attacks are prosecuted under the same laws.

According to the new 2006 Act, impairing the operation of any computer, preventing

access to any program or data in a computer, and restricting the operation of any program

on a computer, are all crimes and are punishable with a maximum of 10 years in prison.

Also, causing someone else to do any or all of these crimes can get you into prison for 2

years.


16/22


16

5.2 The British Police and Justice (2006) billChanges being introduced to the Computer Misuse Act (1990) under Part 5

(Miscellaneous) which could have serious implications for those on the murkier side of

computing. The Computer Misuse Act obviously needed updating, as most of the

threats in existence today were not possible 16 years ago.

An interesting insertion is section 3A Making, supplying or obtaining articles for use

in offence under section 1 or 3.

(1) A person is guilty of an offence if he makes, adapts, supplies or offers to

supply any article

(a) knowing that it is designed or adapted for use in the course of or in

connection with an offence under section 1 or 3; or

(b) Intending it to be used to commit, or to assist in the commission of,

an offence under section 1 or 3.

(2) A person is guilty of an offence if he obtains any article with a view to its

being supplied for use to commit, or to assist in the commission of, an offence

under section 1 or 3.

(3) In this section article includes any program or data held in electronic

form.

Maximum sentencing for unauthorized access to computer material has been raised to 2

years. The really interesting modifications come under section 3 Unauthorized acts with

intent to impair operation of computer,


17/22


17

5.3 Information Technology Act-2000:Computer source document tampering: The person who changes the source code on

the website or any computer program will get a punishment up to 3 years of

imprisonment or fine.

Computer hacking: The individual who hacks the computer or computer devices will

get an imprisonment up to 3 years or a fine.


18/22


18

6. CONCLUSION

Cyber crime affects more than the financial integrity of a business. There are many very real and

damaging consequences associated with Internet crime. Understanding the effects of cyber crime

is an important first step in comprehending the necessity of security measures on

a computer network. One of the main effects of cyber crime on a company is the loss of revenue.

Another is time wasted when IT personnel must devote great portions of their day handling such

incidences. Rather than working on productive measures for an organization, many IT staff

members spend a large percentage of their time handling security breaches and other problems

associated with cyber crime.

Although credit card fraud is on the rise, and credit card fraud on the internet is rising even more

dramatically, many savvy internet shoppers know that the reality is that its actually much safer

to enter your number on a secure online order form that it is to give your credit card to a waiter at

a restaurant. After all, whats to stop the waiter later from writing down your credit card number

and placing orders in the phone with it later?

Therefore, precautions need to be taken when giving out any confidential information, including

your credit card number, to avoid or reduce risks of being caught up in a credit card fraud

scheme. For instance:

never provide your credit card information on a website that is not a secure site never leave your credit cards or receipts lying around, never respond to emails that request you provide your credit card info via email keep an eye on your credit card EVERY time you use it and make sure you get it back as

quickly as possible

never give your credit card when you receive a phone call keep a list in a secure place with all of your account numbers and expiration dates Never sign a blank credit card receipt. Carefully draw a line through blank portions of the

receipt where additional charges could be fraudulently added.

If you move, notify your credit card issuers in advance of your change of address.


19/22


19

Techniques used in online card-not-present fraud are becoming more and more sophisticated.

Traditional fraud screening tools can only determine if a credit card is legitimate or if the user

entered account information matches those on record. Today, fraudsters can obtain personal

credit card information, pose as the legitimate card holder, and bypass standard fraud checks. Formore fraud protection, there are websites, such as maxmind.com, that examine online

transactions from various angles. Their tools are not geared to towards verifying the authenticity

of the credit card details used for the purchase, but rather identifying traits and patterns that are

associated with fraudulent orders.

If you are still uncertain on the security of your credit card, mechanisms such as; intelligent fraud

detection computer systemswhich are used by banks and building societies, and can track

customer accounts for unusual spending patterns that may occur due to fraudulent activity on

lost, stolen or compromised cards. The banking industry continues to increase the effectiveness

and sophistication of customer-profiling neural network systems that identify unusual spending

patterns or high-risk transactions. If irregular spending is detected your bank or building society

will contact you to check if the transactions are genuine and, if not, an immediate block can be

put on your card. These systems are not only used for transactions taking place in the UK but

internationally as well.

For those living in the UK, there is the UKs fraud prevention service (CIFAS), which provides a

range of services to enable its member organizations to exchange information and help identify

and prevent fraud, including that relating to plastic cards. CIFAS main emphasis is on identity,

application and first-party fraud. Following specification by the Home Office under the Serious

Crime Act 2007, public sector organizations are able to join CIFAS and share information

reciprocally to prevent fraud.

All in all, credit card fraud is preventable. It may be challenging with technology forever

changing and getting enhanced; but with proper safety measures and laws to punish the wrong

doers whether it may be in the U.K, the U.S or anywhere else in the world, society will be able to

look forward to reduced risks of fraud.


20/22


20

7. REFERENCES

y Cybercrime legislationRetrieved September 30, 2010 from;http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/documents/countryprof

iles/567-LEG-country%20profile-Philippines_5feb2008_En.pdf

y The top countries for cybercrimeRetrieved September 30, 2010 from;

http://www.msnbc.msn.com/id/19789995/

y Cybercrime AnalysisRetrieved October 5, 2010 from:

http://www.eurasiareview.com/201007104761/cybercrime-in-nigeria-analysis.html

y Computer cybercrime surveyRetrieved October 2, 2010 from:

http://www.digitalriver.com/v2.0img/operations/naievigi/site/media/pdf/FBIccs2005.pdf

y Credit card fraudRetrieved October 5, 2010 from:

http://en.wikipedia.org/wiki/Credit_card_fraud

y 21 tips to protect yourself from being a victim of credit card fraudRetrieved October 5, 2010 from:

http://www.scambusters.org/CreditCardFraud.html

y Reduce credit card with minFraudRetrieved October 5, 2010 from:

http://www.maxmind.com/app/ccv_overview


21/22


21

y Steps to prevent credit card fraudRetrieved October 5, 2010 from:

http://sbinfocanada.about.com/od/insurancelegalissues/a/creditcardfraud.htm

y UK Credit cards.comRetrieved October 5, 2010 from:

http://uk.creditcards.com/credit-card-news/credit-card-customers-protection-goldtrail-

1360.php

y Virgin Money changes credit card order of paymentsRetrieved October 5, 2010 from:

http://uk.creditcards.com/credit-card-news/virgin-money-credit-card-payment-order-

1360.php

y Plastic card fraudRetrieved October 5, 2010 from:

http://uk.creditcards.com/credit-card-news/credit-card-fraud-rises-britain-1360.php

y A guide to the Credit Card of 2009Retrieved October 5, 2010 from:

http://www.creditcards.com/credit-card-news/credit-card-law-interactive-1282.php

y Retrial for teenage cyber vandalRetrieved October 5, 2010 from:

http://www.securelist.com/en/weblog?weblogid=186528531

y Cybercrime and the law: a review of UK computer crime legislationRetrieved October 6, 2010 from:

http://www.securelist.com/en/analysis/204792064/Cybercrime_and_the_law_a_review_o

f_UK_computer_crime_legislation


22/22


22

y Retrieved October 6, 2010 from:http://www.securelist.com/en/weblog?weblogid=173378433

y Retrieved October 7, 2010 from:http://www.cifas.org.uk/

it law ass..final

Documents