Written by Richard Wee and Low May Ping
Introduction
In this era, we depend heavily on the Internet and on many online applications. The daily activities of a typical Internet user include checking emails, handling banking transactions and finances, reading the news, surfing websites and corresponding on multiple social media accounts. Each of these simple daily habits can make you a potential target for an identity thief. This article sets out the steps that may be taken against identity theft and the Malaysian laws that may apply to it.
What is Identity Theft?
Identity theft occurs when cybercriminals trick Internet users into handing over their credentials and personal information. Such information and credentials can then be misused for many malicious activities, especially for monetary gain. In 2018, RAM Credit Information Sdn Bhd reported that, due to rapid digitalisation, one in 10 Malaysians had fallen victim to identity theft. As such, the public is exposed to greater credit risk.
There are several types of identity theft.
Financial identity theft
This is the most common type of identity theft. Cybercriminals may use a person’s stolen personal information to apply for loans or new credit card accounts in the victim’s name and then not pay the bills. They can also use stolen credit or debit card details to make online purchases or unauthorised money transfers from the victim’s bank account.
Synthetic identity theft
This is a rather new type of identity theft, in which cybercriminals combine multiple victims’ information to create an entirely new “synthetic” identity. It affects every victim whose information was used to build that identity. For example, A’s name, B’s address and C’s phone number may be combined into one fake identity that is then used for fraudulent activities.
Medical identity theft
This often happens when a cybercriminal obtains medical care while posing as the victim, so that the victim’s details are used to avoid paying the medical bills. This not only leaves the victim with large medical bills, but also damages the victim’s credibility.
In a more serious scenario, the victim’s medical records may become mixed with the cybercriminal’s. The resulting inaccurate medical history can lead to misdiagnosis or to treatment that is harmful or even fatal.
Criminal identity theft
This is the most severe type of identity theft. For example, a stolen identity may be used to facilitate crimes such as terrorism and illegal immigration. If a person who is arrested gives false identification posing as the victim, the criminal convictions appear on the victim’s record even though the victim is unaware of the charges. This ruins the victim’s reputation and future job prospects, and may even lead to the immigration department prohibiting the victim from leaving the country.
The above list is sourced from this link:-
How is Identity Theft done online?
There are various techniques for carrying out identity theft.
Phishing
This involves masquerading behind a realistic appearance. For example, an email may be sent out to trick the recipient into thinking it comes from a legitimate entity such as a bank. Fooled by the realistic appearance, the recipient may then be directed to a website where they are required to “verify” their account information. Such sensitive data (e.g. account number, password) is transmitted straight to the cybercriminals.
In September 2019, the Employees Provident Fund (EPF) warned the public of a phishing scam being shared across social media. A fake website had been set up to phish for members’ personal data by asking people to respond to a survey to check their entitlement to a RM 10,000 incentive.
Pharming
This involves hijacking the Domain Name System (DNS) records of a legitimate entity and redirecting Internet users’ web requests to a fake website. The cybercriminals make the fake website look exactly like the genuine one, so Internet users key in their personal information without hesitation.
Spyware
This happens when an Internet user unknowingly downloads spyware. It is hard to notice because it is usually bundled with an email attachment or with free applications/software such as wallpapers and image/video editing tools. Personal data is then collected and delivered to cybercriminals, who use it to steal the person’s identity.
Oversharing of personal information online
Users may not realise that seemingly harmless personal information, such as their full names, family members, schools attended or birth dates, gives cybercriminals an opportunity to commit identity theft. Indeed, everyone should be aware that once data is put online, it is impossible to remove it fully.
The above list is sourced from this link:-
https://www.cybersecurity.my/data/content_files/11/763.pdf
Although identity theft is against the law, prevention is always better than cure. There are some self-help practices that lower your risk of online identity theft.
How to keep yourself safe from Online Identity Theft?
- Never simply give out your personal information, unless you know who you are dealing with online.
- Ensure that your devices are equipped with adequate anti-malware and antivirus protection.
- Set strong PINs/passwords that are not related to any personal information such as your name, family members, address, telephone numbers, IC number, birthdays, etc.
- Monitor and review your bank and credit card statements carefully.
- Obtain your credit report periodically and review it to ensure that it does not contain accounts that you have not opened, or any other issues such as litigation proceedings.
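As an added example (not part of the original article), the following check enforces the password advice above: it rejects a candidate PIN/password that embeds the user’s own name, family members, address, phone number, IC number or birthday in any of the forms people commonly type them. The profile values are constructed for illustration and do not describe a real person.

```python
import re
from datetime import date

MIN_TOKEN = 4  # fragments shorter than this would reject almost everything

# Undo common letter/digit substitutions so that "4hm4d" still matches "ahmad".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def _word_tokens(text: str) -> set[str]:
    """Split a name or address into lowercase words of useful length."""
    return {w for w in re.split(r"[^a-z0-9]+", text.lower()) if len(w) >= MIN_TOKEN}


def _date_tokens(d: date) -> set[str]:
    """Ways a birthday is typed into a password: 150390, 15031990, 1990, 15mar ..."""
    return {
        d.strftime("%d%m%y"), d.strftime("%d%m%Y"), d.strftime("%Y%m%d"),
        d.strftime("%m%d%y"), d.strftime("%y%m%d"), d.strftime("%Y"),
        d.strftime("%d%m"), d.strftime("%d%b").lower(), d.strftime("%b%d").lower(),
    }


def _digit_tokens(value: str) -> set[str]:
    """Digit runs of an IC or phone number, plus the leading/trailing chunks people reuse."""
    digits = re.sub(r"\D", "", value)
    if len(digits) < MIN_TOKEN:
        return set()
    tokens = {digits}
    for n in (4, 6, 8):
        if len(digits) > n:
            tokens.add(digits[:n])   # e.g. the YYMMDD prefix of a MyKad number
            tokens.add(digits[-n:])  # e.g. the last four digits of a phone number
    return tokens


def personal_tokens(profile: dict) -> set[str]:
    """Build every fragment of the profile that must not appear in a password."""
    tokens: set[str] = set()
    for name in profile.get("names", []):
        tokens |= _word_tokens(name)
    tokens |= _word_tokens(profile.get("address", ""))
    for number in [profile.get("ic", "")] + profile.get("phones", []):
        tokens |= _digit_tokens(number)
    if profile.get("birthday"):
        tokens |= _date_tokens(profile["birthday"])
    return tokens


def password_leaks_personal_info(password: str, profile: dict) -> list[str]:
    """Return the personal fragments found in the password (empty list means it passes).

    Matching is case-insensitive and is repeated on a de-leeted copy of the
    password, so both "Ahmad1990" and "Ahm4d1990" are caught.
    """
    candidates = {password.lower(), password.lower().translate(LEET)}
    return [t for t in sorted(personal_tokens(profile)) if any(t in c for c in candidates)]


# Constructed sample profile (hypothetical person, MyKad-style IC format YYMMDD-PB-####).
SAMPLE_PROFILE = {
    "names": ["Ahmad Faizal", "Siti Faizal"],  # own name and a family member
    "address": "12 Jalan Ampang",
    "phones": ["012-3456789"],
    "ic": "900315-14-5678",
    "birthday": date(1990, 3, 15),
}

if __name__ == "__main__":
    for pw in ("Ahm4d1990!", "Siti@Jalan15", "correct-horse-5678", "Tr0ub4dor&3"):
        print(pw, "->", password_leaks_personal_info(pw, SAMPLE_PROFILE) or "OK")
```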
What should you do if you are a victim of Identity Theft?
- Change your password, PIN and security questions immediately for all your accounts.
- Ensure that no unknown phone numbers, emails or addresses have been added to your accounts. Keep a close eye out for any unexpected activity or transaction.
- Report the incident:
  - Victims should make a report to their banks and also to the Cyber999 help centre, which handles computer security incidents and is operated by the Malaysia Computer Emergency Response Team (“MyCERT”).
  - MyCERT, which was formed under CyberSecurity Malaysia, provides assistance to users affected by identity theft. It collaborates with law enforcement agencies and regulators such as the Royal Malaysian Police, the Securities Commission and the Central Bank of Malaysia, alongside Internet Service Providers and several computer security response teams around the world.
  - Alternatively, victims can report phishing emails or websites to the Malaysian Communications and Multimedia Commission (MCMC) through [email protected] or [email protected].
What are the laws that may be relevant to Identity Theft?
Malaysian cyber laws contain no specific provision on computer-related or online identity theft. However, it has been suggested that reference may be made to the Penal Code, and that Section 416 of the Penal Code may apply to identity theft. Section 416 makes it an offence to “cheat by personation”, that is, to cheat by pretending to be some other person, by knowingly substituting one person for another, or by representing that he or any other person is a person other than he or such person really is.
The offence is committed as long as there is personation, be it a real or imaginary person. Furthermore, Section 419 of the Penal Code provides that the offence of cheating by personation is punishable with imprisonment for a term which may extend to seven years and/or a fine.
Nevertheless, the Penal Code alone is insufficient to deal with cyber offences such as identity theft. When the Penal Code was enacted, it was not meant to address cybercrime; it came into force in the pre-information technology age. This may leave a gap in the law and inadequate protection in cyberspace.
Under the Computer Crimes Act 1997, Section 3 and Section 4, which govern unauthorised access to computer material and unauthorised access with intent to commit or facilitate the commission of a further offence respectively, may be relevant to identity theft. A hypothetical scenario is a cybercriminal who steals a victim’s identity using spyware with the intent of achieving monetary gain.
Section 3: Unauthorized access to computer material
(1) A person shall be guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorized; and
(c) he knows at the time when he causes the computer to perform the function that is the case.
(2) The intent a person has to have to commit an offence under this section need not be directed at—
(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.
(3) A person guilty of an offence under this section shall on conviction be liable to a fine not exceeding fifty thousand ringgit or to imprisonment for a term not exceeding five years or to both.
Section 4: Unauthorized access with intent to commit or facilitate commission of further offence
(1) A person shall be guilty of an offence under this section if he commits an offence referred to in section 3 with intent—
(a) to commit an offence involving fraud or dishonesty or which causes injury as defined in the Penal Code [Act 574]; or
(b) to facilitate the commission of such an offence whether by himself or by any other person.
(2) For the purposes of this section, it is immaterial whether the offence to which this section applies is to be committed at the same time when the unauthorized access is secured or on any future occasion.
(3) A person guilty of an offence under this section shall on conviction be liable to a fine not exceeding one hundred and fifty thousand ringgit or to imprisonment for a term not exceeding ten years or to both.
Under the Communications and Multimedia Act 1998, Section 232 and Section 236, which govern fraudulent use of network facilities, network services, etc. and fraud and related activity in connection with access devices, etc. respectively, may also be relevant to identity theft. “Access devices” broadly refers to any card, plate, code, account number, electronic serial number, mobile identification number or personal identification number. These Sections may be relevant because, more often than not, cybercriminals do not merely steal a person’s information but go on to use it to commit fraud such as unauthorised bank transactions.
Even if cybercriminals do not commit fraud with the stolen identity, they may still fall within Section 233, which governs improper use of network facilities or network services. In addition, Section 234, which prohibits the interception and disclosure of communications, may apply; an example is identity theft carried out via spyware.
Separately, Section 240 governs the offence of distributing or advertising any communications equipment or device for the interception of communication. A hypothetical scenario in which a cybercriminal may be charged under this Section is sending a victim, by email, a device or program whose design renders it primarily useful for the surreptitious interception of the victim’s communications. Such interception may capture the credentials the victim enters into social media accounts or online financial services.
Section 232: Fraudulent use of network facilities, network services, etc.
(1) A person who—
(a) dishonestly transmits or allows to be transmitted any communication or obtains a service provided by a licensed network facilities provider, network service provider, applications service provider or content applications service provider; or
(b) dishonestly receives a content applications service from a place within Malaysia not intended for general reception,
with intent to avoid payment of any rate or fee applicable to the provision of that facility or service commits an offence.
(2) A person who possesses, obtains or creates a system designed to fraudulently use or obtain any network facilities, network service, applications service or content applications service commits an offence.
(3) A person who commits an offence under subsection (1) or (2) shall, on conviction, be liable to a fine not exceeding three hundred thousand ringgit or to imprisonment for a term not exceeding three years or to both.
Section 233: Improper use of network facilities or network service, etc.
(1) A person who—
(a) by means of any network facilities or network service or applications service knowingly—
(i) makes, creates or solicits; and
(ii) initiates the transmission of,
any comment, request, suggestion or other communication which is obscene, indecent, false, menacing or offensive in character with intent to annoy, abuse, threaten or harass another person; or
(b) initiates a communication using any applications service, whether continuously, repeatedly or otherwise, during which communication may or may not ensue, with or without disclosing his identity and with intent to annoy, abuse, threaten or harass any person at any number or electronic address,
commits an offence.
(2) A person who knowingly—
(a) by means of a network service or applications service provides any obscene communication for commercial purposes to any person; or
(b) permits a network service or applications service under the person’s control to be used for an activity described in paragraph (a),
commits an offence.
(3) A person who commits an offence under this section shall, on conviction, be liable to a fine not exceeding fifty thousand ringgit or to imprisonment for a term not exceeding one year or to both and shall also be liable to a further fine of one thousand ringgit for every day during which the offence is continued after conviction.
Section 234: Interception and disclosure of communications prohibited
(1) A person who, without lawful authority under this Act or any other written law—
(a) intercepts, attempts to intercept, or procures any other person to intercept or attempt to intercept, any communications;
(b) discloses, or attempts to disclose, to any other person the contents of any communications, knowing or having reason to believe that the information was obtained through the interception of any communications in contravention of this section; or
(c) uses, or attempts to use, the contents of any communications, knowing or having reason to believe that the information was obtained through the interception of any communications in contravention of this section,
commits an offence.
(2) A person authorized under this Act who intentionally discloses, or attempts to disclose, to any other person the contents of any communications, intercepted by means authorized by this Act—
(a) knowing or having reason to believe that the information was obtained through the interception of such communications in connection with a criminal investigation;
(b) having obtained or received the information in connection with a criminal investigation; or
(c) to improperly obstruct, impede, or interfere with a duly authorized criminal investigation,
commits an offence.
(3) A person who commits an offence under subsection (1) or (2) shall, on conviction, be liable to a fine not exceeding fifty thousand ringgit or to imprisonment for a term not exceeding one year or to both.
(4) It shall be lawful under this Chapter for an officer, employee or agent of any network facilities provider, network service provider, applications service provider or content applications service provider whose facilities or services are used in communications, to intercept, disclose, or use those communications in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his facilities or services or to the protection of the rights or property of the provider of the facilities or services, but the provider shall not utilize the facilities or services for observing or random monitoring unless it is for mechanical or service quality control checks.
Section 236: Fraud and related activity in connection with access devices, etc.
(1) A person who knowingly or with intention to defraud—
(a) produces, assembles, uses, imports, sells, supplies or lets for hire any counterfeit access devices;
(b) possesses any counterfeit access device or unauthorized access device;
(c) produces, assembles, uses, imports, sells, supplies or lets for hire, or has control or custody of, or possesses any device-making equipment; or
(d) produces, assembles, uses, imports, sells, supplies or lets for hire, or has control or custody of, or possesses—
(i) any equipment, device or apparatus that has been modified or altered to obtain unauthorized use of any network service, applications service or content applications service; or
(ii) hardware or software used for altering or modifying any equipment, device or apparatus to obtain unauthorized access to any network service, applications services or content applications service,
commits an offence.
(2) A person who without the authorization of the issuer of an access device, solicits a person for the purpose of—
(a) offering an access device; or
(b) selling information regarding, or an application to obtain, an access device,
commits an offence.
(3) A person who commits an offence under subsection (1) or (2) shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding five years or to both.
(4) For the purposes of this section—
“counterfeit access device” means any access device that is counterfeit, fictitious, altered, or forged, or an identifiable component of an access device or a counterfeit access device;
“device-making equipment” means any equipment, mechanism, or impression designed or primarily used for making an access device or a counterfeit access device;
“unauthorized access device” means any access device that is lost, stolen, expired, revoked, cancelled or obtained with intent to defraud.
Section 240: Offence for distributing or advertising any communications equipment or device for interception of communication
A person who intentionally—
(a) sends through the mail, or sends or carries in national or international commerce, any electronic, mechanical, or other equipment or device, knowing or having reason to believe that the design of the equipment or device renders it primarily useful for the purpose of the surreptitious interception of any communication; or
(b) places in any newspaper, magazine, handbill, or other publication any advertisement of—
(i) any electronic, mechanical, or other equipment or device, knowing or having reason to believe that the design of the equipment or device renders it primarily useful for the purpose of the surreptitious interception of any communication; or
(ii) any other electronic, mechanical, or other equipment or device, where the advertisement promotes the use of the equipment or device for the purpose of the surreptitious interception of any communication,
knowing or having reason to believe that the advertisement will be sent through the mail or transported in national or international commerce, commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.
Last but not least, the Personal Data Protection Act 2010 should also be considered. Pursuant to Section 9 of the Act, organisations that process users’ personal data shall ensure the security of that data. They must also comply at all times with the minimum security requirements laid down by the Personal Data Protection Standards 2015. A person who contravenes the principles may, upon conviction, be liable to a fine not exceeding RM300,000 or to imprisonment for a term not exceeding 2 years or to both.
Section 9: Security Principle
(1) A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction by having regard—
(a) to the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction;
(b) to the place or location where the personal data is stored;
(c) to any security measures incorporated into any equipment in which the personal data is stored;
(d) to the measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and
(e) to the measures taken for ensuring the secure transfer of the personal data.
(2) Where processing of personal data is carried out by a data processor on behalf of the data user, the data user shall, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, ensure that the data processor—
(a) provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and
(b) takes reasonable steps to ensure compliance with those measures.
Conclusion
In a nutshell, everyone who goes online is a potential target for cybercriminals and attackers using the tactics described above. Because identity theft can significantly affect a victim’s credit status, financial position and integrity, and in some cases leave them with a criminal record, each of us should stay vigilant and avoid falling into the traps set by cybercriminals.
Published on 3 September 2020
Photo by Markus Spiske on Unsplash