Sunday, 3 April 2011

Cyber Security Malaysia

I came across an interesting agency in Malaysia that deals with CyberCrime issues: Cyber Security Malaysia. Please refer to Cyber Security Malaysia.

Below are some of the functions of Cyber Security Malaysia:
- to provide advice for Internet users on how to cope with cyber threats and deal with safety issues.
- to provide specialised services to support the growth of digital forensics, security management and best practices, and cyber security products evaluation based on international standards.
- to provide third-party validation of the quality and reliability of security products, which is important as it will ensure that Malaysian products get accepted globally.
- to provide education, training and creating awareness in the area of cyber security.
- to increase the number of cyber security professionals.
- to develop educational content on cyber security that can be used by Internet users of all ages, for example students, office workers and home users.
- to run a help centre, the Cyber 999 service.

In this case, Cyber Security Malaysia will help us with CyberCrime issues, and we can contact them for help. However, I think Cyber Security should be more active, for example by advertising to promote themselves and to let people know of their existence and their purpose, because I had to browse the Internet to get to know about Cyber Security.

At this stage, I think that giving awareness to cyber users regarding cyber crime and the laws that apply to cyber crime is not enough. Even a guide to cyber security is not sufficient; cyber users need to learn and follow correct and good ethics. Ethics in cyberspace is also very important and has to be emphasized to cyber users.

Cyber users must realise that certain acts they do in cyberspace might harm or cause losses to someone else, and some of the acts might have a big negative impact on other people. Stealing is a crime, and stealing people's identity is also a crime.

Identity Theft Reference

After searching the Internet, I find that the article below is quite complete and informative about identity theft and ways to prevent the risk of identity theft. Unfortunately, the information is focused on the US, not Malaysia.

Sample of Identity Theft File

However, some tips can be useful for our reference, while some tips are only applicable in the US, for example placing a fraud alert on a credit report; I don't think we have credit reports in Malaysia. We can only inform the bank that issued us the credit card in case we suspect fraud has happened.

Most Malaysians don't realize much or pay attention to identity theft in cybercrime, even when someone finds that his identity has been stolen to commit fraud. He also doesn't know what really happened, so it is better to let people know what is happening and know the ways to prevent it. Prevention is better than letting cybercrime happen with nobody able to help.

Saturday, 2 April 2011

Better Laws Needed

Better Laws Needed

The above article expresses and raises the concern that better laws and ways of strengthening laws are needed to deal with identity theft and cybercrime, and it identifies some of the common techniques used in identity theft in Malaysia.

According to intellectual property lawyer Deepak Pillai, Malaysia's legal position does not address online identity theft directly.

So the Data Protection Bill, since 1999, is badly needed to strengthen the existing laws, namely the Computer Crimes Act 1997 and the Penal Code, in curbing identity theft activities in Malaysia.

Besides, another positive move in curbing the problem would be to get the Anti-Spam Act passed.

The Anti-Spam Act would regulate interstate commerce by imposing limitations and penalties on the transmission of unsolicited e-mails via the internet.

As for credit card fraud, it is advisable that the authorities spend their time and money to pin down the culprits.

Finally, online users must be aware of identity theft such as phishing, and that information can be retrieved from online social networks like Facebook.

In conclusion, good and relevant cyber laws are needed, authorities have to enforce the cyberlaws effectively and bring down anyone who is involved in identity theft or cybercrime, and lastly online users must be aware of their data privacy and protection and try not to expose their personal data to risk.

Besides this, I think good and relevant cyber laws alone are not enough, because cybercrime can be committed in different ways and more and more types of cybercrime appear from time to time. The cyberlaws have to be amended from time to time to cope with new cybercrime. In other words, the cyberlaws must be updated, sufficient, accurate, and on time to cope with the cybercrime that happens. If not, cyber users will take advantage of the cyber world to commit crime.

Data protection violated

The Lin Mun Poo and Gooi Kok Seng cases of identity theft of credit card numbers can be related to the Data Protection Act 2010.

** The Data Protection Act aims to regulate the collection, possession, processing and use of personal data so as to safeguard the privacy of an individual in relation to that data.

Both cases raise awareness and concern about whether privacy and data are protected.

The consumers who were the victims in both cases were exposed to the risk of misuse of their credit card number information for fraud.

Under the Data Protection Principles:
- Principle 1 (Personal Data shall be collected Fairly and Lawfully) and Principle 2 (Purposes of Collection of Personal Data) were violated: the data was collected neither lawfully nor fairly, and was neither necessary nor relevant, but for the purpose of credit card number fraud.

- Principle 4 was also violated because the data, after being collected, was sold to crime syndicates for counterfeit credit card usage.

Malaysian credit card scam at US

Another interesting case of a Malaysian hacking in a US card scam is the Gooi Kok Seng case.

Gooi Kok Seng, age 44, arrested Jan 2010, is charged with the following:
- illegal possession of a data access device,
- illegal dealing in a data access device
- hacking into a computer
- conspiracy
- computer intrusion
- fraud
- identity theft

Below is a brief introduction to the Gooi Kok Seng case:
- Gooi was a prominent member of a credit card fraud gang which had been operating in the US for the past three years.
- The group is suspected to have stolen credit card information from victims patronising restaurants and major department stores in the US.
- They then sold the data to organised crime syndicates in Asia who produced counterfeit credit cards.
- US Secret Service uncovered what was believed to be the largest hacking and identity theft case ever in the country involving 11 individuals.
- The 11 were charged in Boston and San Diego with three identified as US citizens, three from Ukraine, two from China, one each from Estonia, Belarus and Malaysia.
- The three-year probe uncovered the theft and sale of more than 40 million credit and debit card numbers from nine major US retailers.

Let's assume and analyse the case as if the defendant were arrested and found hacking in Malaysia. In my opinion:

- The defendant will be charged under the Computer Crimes Act 1997, that is, misuse of computers to commit fraud and identity theft

- Under section 3(1), the defendant is found guilty of unauthorized access because of his intention to cause a computer to secure access to data in the financial, national security and military sectors, like banks and military transport systems; the access is unauthorized; and lastly he had the knowledge to access the network
- if guilty, he will be fined a maximum of RM50000.00 or sentenced to 5 years imprisonment or both

- Under section 4(1), the defendant is found guilty of unauthorized access with intent to commit fraud by earning money through finding and exploiting network vulnerabilities or trading and selling the information contained, for example selling credit and debit card account numbers
- if guilty, he will be fined a maximum of RM150000.00 or sentenced to 10 years imprisonment or both

- Under section 5(1), the defendant is found guilty of unauthorized modification of the contents of any computer. In this case the defendant had taken victims' credit card information for counterfeit credit cards through modification of a database
- if guilty, he will be fined a maximum of RM100000.00 or sentenced to 7 years imprisonment or both

- Under section 7(1), the defendant's gang is found guilty of aiding and abetting the defendant to commit the s3, s4 and s5 crimes
- if guilty, the punishment will be the same as the principal offender's but cannot be more

For more details of the Gooi Kok Seng case, please refer below
Sample of Gooi Kok Seng Case

*Note: the above text is my comments

Friday, 1 April 2011

Malaysian Cyber Law Case Detention Letter

I found out that for the Lin Mun Poo case, there is a detention letter that requests a permanent order of detention of the defendant.

I found it quite interesting, as the letter clearly states the facts about why a permanent order of detention is requested for the defendant and clearly states the reasons.

Lin Mun Poo is charged with the following:
- Access device fraud and aggravated identity theft (Counts One and Two)
- Computer hacking (unauthorized computer access and transmission of malicious code involving a computer network of the Federal Reserve Bank, targeting the national security, military and financial sectors of the US) (Counts Three and Four)

Under the US Bail Reform Act, there are two elements to prove to maintain permanent detention:

1. Nature and Circumstances of Crimes Charged and the Evidence of the Defendant's Guilt
- During the defendant's arrest, his encrypted laptop was seized with a massive quantity of stolen financial account and personal identifying information, including 400,000 credit card, debit card and bank account numbers, in violation of 18 U.S.C. §§ 1029 and 1028A (Counts One and Two)
- In his post-arrest statement, the defendant admitted compromising a computer network of the Federal Reserve Bank by exploiting a vulnerability of the secure system around June 2010, resulting in thousands of dollars in damage and affecting ten or more FRB computers, forming Counts Three and Four
- The laptop contains evidence of significant hacking activity, for example data illegally possessed from the FedComp computer network, illegal hacking into the FedComp system, and unauthorized access to data of the Firemen's Association of the State of New York Federal Credit Union and the Mercer County New Jersey Teachers' Federal Credit Union
- He admitted compromising the computer networks of several major international banks and companies and admitted earning money by finding and exploiting network vulnerabilities or trading and selling the information contained
- In August 2010, the defendant hacked into the secure computer system of a major Department of Defense contractor which provides systems management of military transport and other highly sensitive military operations
- In conclusion, the evidence showed that the defendant hacked into US financial and national security sectors

2. History and Characteristics of the Defendant and Risk of Flight
- The defendant appears to have come to the US for the sole purpose of engaging in criminal activity: within hours of arrival on October 21, 2010, US Secret Service agents observed the defendant selling stolen credit card numbers for $1000 at a diner in Brooklyn and arrested him
- The defendant, if released, will obtain a new identity and obtain finances through unauthorized access to facilitate his flight back to Malaysia or other countries
- Under United States Sentencing Guideline § 2B1.1, which assigns a minimum loss amount of $500 per unauthorized access device (resulting in a total loss amount of at least $20 million), the estimated Guidelines range for Count One alone is 78 or 97 months
- He is charged with aggravated identity theft in violation of 18 U.S.C. § 1028A, which carries a mandatory consecutive sentence of 2 years

In Conclusion
- For these reasons, the government requested that the Court maintain the permanent order of detention issued on October 22, 2010 against the defendant

Sample of Lin Mun Poo Detention Letter

*Note: the above text is my comments

Malaysian hacking and identity theft

After searching the Internet, I found an interesting cyberlaw case that can be used for analysis purposes. It concerns an identity theft and hacking case that happened in the US, and the defendant is a Malaysian.

Below is a brief introduction to the case:

Lin Mun Poo, age 32, was arrested on Oct 21 2010 in the US for selling $1000 worth of stolen credit card numbers at a Brooklyn diner
- After he was arrested and his laptop inspected, U.S. Secret Service investigators found more than 400,000 stolen credit and debit card account numbers allegedly obtained by hacking into various computer systems of other financial institutions

- defendant was charged for hacking, fraud and identity theft

- defendant was found hacking into companies' networks and selling the sensitive information he uncovered

- for example: hacked into the FedComp system and accessed data belonging to many victims, including the Firemen's Association of the State of New York Federal Credit Union and the Mercer County New Jersey Teachers' Federal Credit Union.

- defendant admitted to compromising the computer networks of several major international banks and companies, and admitted earning money by finding and exploiting network vulnerabilities or trading and selling the information

- defendant also hacked into a major Department of Defense contractor, which provided systems management for military transport and other highly sensitive military operations

I noticed that one of the charges that is similar to the Computer Crimes Act in Malaysia for unauthorized access is below:
- Under United States Sentencing Guideline § 2B1.1, which assigns a minimum loss amount of $500 per unauthorized access device (resulting in a total loss amount of at least $20 million), the estimated Guidelines range for Count One alone is 78 or 97 months

Let's assume and analyse the case as if the defendant were arrested and found hacking in Malaysia. In my opinion:
- The defendant will be charged under the Computer Crimes Act 1997, that is, misuse of computers to commit fraud and identity theft

- Under section 3(1), the defendant is found guilty of unauthorized access because of his intention to cause a computer to secure access to data in the financial, national security and military sectors, like banks and military transport systems; the access is unauthorized; and lastly he had the knowledge to access the network
- if guilty, he will be fined a maximum of RM50000.00 or sentenced to 5 years imprisonment or both

- Under section 4(1), the defendant is found guilty of unauthorized access with intent to commit fraud/dishonesty by earning money through finding and exploiting network vulnerabilities or trading and selling the information contained, for example selling credit and debit card account numbers
- if guilty, he will be fined a maximum of RM150000.00 or sentenced to 10 years imprisonment or both

- Under section 5(1), the defendant is found guilty of unauthorized modification of the contents of any computer. In this case the defendant had admitted earning money by finding and exploiting network vulnerabilities or trading and selling the information through modification of a database
- if guilty, he will be fined a maximum of RM100000.00 or sentenced to 7 years imprisonment or both

Please refer to the links below for more details about Lin Mun Poo
Sample of Lin Mun Poo Case

*Note: the above text is my comments

Saturday, 26 March 2011

Technique used in Identity Theft

I found the video link below quite interesting; it describes how identity theft is done through phishing.

Sample of Phishing Technique

**Phishing can be defined as the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular web sites

It is also considered serious: the Malaysian Communications and Multimedia Commission (MCMC) receives 40-50 emails of phishing attempts on local banks in Malaysia every day. Maybank and CIMB have become targets for phishing identity theft.

Phishing emails usually target banks, for example Maybank and CIMB bank, where a phishing email is sent to the user asking for activation of a bank account. The user clicks through to the web page, keys in their username and password, and clicks submit. The user's information is then sent to the syndicate, which uses it for criminal purposes without the knowledge of the user or the bank. The user notices only after the fraud has happened, and in the end has to pay for the fraud that is charged under the user's name.

In the cyber world, identity theft is hard to detect and the fraud method can change from time to time. To stop this from happening to bank users, Maybank has to inform its customers about the identity theft that has happened and has to remind bank customers not to trust any emails that claim to be from Maybank. Maybank will not send email to its customers. These emails should be treated as spam.

In my opinion, identity theft is unavoidable for a bank. But if it always happens to the same bank, the bank's customers will lose their trust in the bank, and this will slowly affect the bank's reputation and image.
For more information about phishing in Malaysia, please visit the URL below
Phishing Emails

Identity Theft Awareness and Prevention

In my opinion, usually in Malaysia, we are not much aware of the impacts of identity theft. We become aware only if the cyber crime really happens among our friends or relatives. So it is important to be aware of and prevent identity theft before identity theft really happens to us.

After browsing this website, Watch Out Identity Theft, I got to know more about identity theft and some basic tips to prevent identity theft from happening.

Identity theft in Malaysia is indeed serious: every day the Malaysian Communications and Multimedia Commission (MCMC) receives 30-40 complaints about ID theft over the Internet. This means every day someone becomes a victim of identity theft.

Because identity theft is hard to trace, it is wise that we are aware of identity theft and know some techniques to prevent it.

I totally agree with what the above article suggests. It is a good reference because we seldom think that identity theft can become a serious cyber crime, and we do not know ways to avoid it when it happens.

1. try not to disclose any of your personal information in the cyber world; if necessary, don't disclose your full name
2. if possible, limit yourself from using online transactions where you can buy the items in store
3. remove your computer cache frequently, especially after finishing online transactions
4. contact the mail master if you suspect someone is using your identity
5. inform the bank if you suspect someone is using your account to do transactions
6. never respond to or open mails from an unknown source; the mail may contain a virus, spam or software to capture your identity

If you suspect you have become a victim of identity theft, you must inform:
1. the police.
2. CyberSecurity Malaysia via the Malaysian Computer Emergency Response Team (MyCERT) (Tel: 03-8992-6969, Fax: 03-8945-3442, e-mail: cyber999@cybersecurity.org.my or mycert@mycert.org.my, SMS: 019-281-3801 (24 hours), Mobile phone: 019-266-5850 (24 hours)).
3. the social networking website which you signed up for; notify them and ask them to take down any parties involved.
4. If someone is using your identification card number to create credit or new accounts, contact the National Registration Department.
5. Inform your bank and close financial accounts that may have been compromised.

Monday, 21 March 2011

Impact of Identity Theft

One common type of cyber crime is identity theft. It can be found easily in the newspaper.

**Identity theft is defined as a crime in which a criminal obtains other people's personal information, for example ID and name, to obtain credit, merchandise, and services using the victim's name. In this case, victims have to pay the price for something that was not done by them, while the criminal is safe from the crime they have done.

Usually the impact of the crime is bad. Victims of the crime will be declared bankrupt if they don't settle the bank loan or the money they owe. For an example of identity theft, please refer to the link below, where a woman was declared bankrupt because of identity theft and has to pay a bank loan for a car she didn't buy.

Sample of Identity Theft Case

This sample case raises the questions: is it safe to disclose our personal information in the cyber world, why is the criminal undetected and why does the victim have to pay for a fraud not done by them, is there any cyber law that can protect us from identity theft, and is our CyberLaw sufficient against identity theft?

Saturday, 19 March 2011

National Information Technology Council Malaysia

Through browsing Google, I got to know of the National Information Technology Council Malaysia. It is a very useful Malaysian organization for ICT which gives details about CyberLaws, the .my domain registry, National ICT Policies and other National ICT matters.

Below is a brief introduction to NITC. Please refer to NITC for more details.

**The National Information Technology Council of Malaysia (NITC MALAYSIA) is the country’s premier organization that strategically manages ICT in the interest of the nation. The Council functions as the primary advisor and consultant to the Government on matters pertaining to ICT in Malaysia’s national development.

Types of CyberCrime

CyberCrime has many types, and the crime is increasing every day, causing harm to victims. Any crime that involves using a computer or network is a CyberCrime.

Types of CyberCrime
1. Hacking - means illegal access into a computer system without the permission of the computer owner/user

2. Denial of Service Attack - means flooding the bandwidth of the victim's network or filling his e-mail box with spam mail, stopping the services he is entitled to access

3. Virus Dissemination - means malicious software that attaches itself to other software and does harm

4. Software Piracy - means illegal copying of genuine programs

5. Credit Card Fraud - means your credit card identity has been stolen for misuse, for example identity theft

6. Net Extortion - means copying a company's private and confidential data

7. Phishing - means a technique for pulling out the private and confidential information of a company like a bank

8. Spoofing - means a computer that pretends to have the identity of another computer

9. Cyber Defamation - means posting insulting matters on a website

10. Threatening - means sending threatening emails

11. Salami Attack - means making a program that can deduct small amounts of money from other people's bank accounts to his own bank account without being noticed

There will be a lot more new cybercrime from time to time.

What is CyberLaw ?

Because of the existence of CyberCrime in the cyber world, governments have to come up with rules and laws to enforce against CyberCrime. So it is called CyberLaw.

**CyberLaw can be defined as a term that summarizes the legal issues related to use of communicative, transactional, and distributive aspects of networked information devices and technologies.

In Malaysia, there are a few CyberLaws. For more details about the cyberlaws, please refer to this web site, NITC CyberLaw. Listed below are the CyberLaws of Malaysia.
1. Digital Signature Act 1997 (Purpose: provides licensing and regulation of Certification Authorities (CA))
2. Computer Crimes Act 1997 (Purpose: prohibits users from entering computers and computer systems without authorization, prohibits users from damaging or altering data/information in computers or computer systems by planting viruses or other means, prohibits users from giving passwords to people who are not authorized to receive them)
3. Telemedicine Act 1997 (Purpose: provides that a registered doctor may practise "telemedicine" but other healthcare providers like a medical assistant, nurse or midwife must first obtain a license to do so)
4. The Copyright Amendment Act 1997 (Purpose: amends the Copyright Act 1987 to extend copyright law to the new and converged multimedia environment)
5. The Communications and Multimedia Act 1998 (Purpose: provides for a restructuring of the converged ICT industry)
6. The Electronic Government Activities Act 2007 (Purpose: to facilitate the electronic delivery of government services to the public)
7. Personal Data Protection Bill 2009 (Purpose: to protect the privacy of the individual and ensure that people who collect data on individuals use that data only for the purpose specified during collection)

New CyberLaws will be added from time to time to suit the CyberCrime

What is CyberCrime?

Usually in our normal lives and activities, from childhood onward, we get to know from our parents, teachers, friends and colleagues that certain acts are wrong and will be punished by the law if we do them. For example: if we go to a shop and take an item from the shop without paying for it, then it is a crime. If caught, we will be sentenced to jail or fined.

**Crime can be defined as an act or evil act that breaks rules and laws governed by the legal systems of governments.

However, in the cyber world, most of us aren't aware of what cybercrime is, whether there are any laws for cybercrime, and what the impact is on victims of cybercrime. For example: if I use my neighbor's name and ID to do transactions online and my neighbor ends up having to pay for my transactions, then it is a type of cybercrime that is called identity theft. Before studying the Cyberlaw class, I was also not aware of cybercrime, cyberlaw and the impacts of cybercrime on victims.

**CyberCrime can be defined as a criminal act that is performed using computers or the Internet as a medium.

Friday, 18 March 2011

Please Share Comments

To anyone who visits this blog, please give any comments, feedback or ideas regarding Cybercrime, Cyberlaw, and Identity Theft. Thank you.

Welcome to My Cyberlaw Identity Theft Blog

Hi, Everyone.
First of all, I would like to welcome and thank you for coming to my blog, which will discuss any issues and topics related to Cybercrime and Cyberlaw, especially Identity Theft in Malaysia and around the world.
This is my first time creating a blog. I hope that this blog will be interesting and provide meaningful comments.