Over the past three decades, our world has changed beyond all recognition. From large mysterious machines in the bowels of governments and corporations, computers have become an everyday part of all our lives. But a new world of possibilities has opened up for criminals and Macau police are launching a comprehensive response.
It’s an over-used formulation but nevertheless true, we live in an age where almost everything is just the click of a button away. The impossible has become possible, national boundaries have melted away and we can all do everything much, much quicker.

But there is a downside to the technological revolution – cybercrime.

Computer systems offer new and highly sophisticated opportunities for law breaking, and they also create the potential to commit traditional crime in non-traditional ways.

No boundaries

Computer crime knows no boundaries and it is always innovating, making it hard for authorities to keep up. As Chan Kin Hong – head of the Economics Crimes Division of the Judiciary Police of Macau – points out, what happens in real life, happens in the virtual world with the advantage that cyber criminals can act incognito.

It may not be new, but the wide ranging discussion around the subject of cybercrime rages on.

There is a lack of global consensus on what types of conduct constitute a computer-related crime, on the legal definition of criminal conduct and of expertise on the part of police, prosecutors and the courts in this field, sometimes adding to the inadequacy of legal powers for investigation of and access to computer systems.

Action vital

Whatever the problems, the issue has to be tackled, as was recognised by the 11th United Nations Congress on Crime Prevention and Criminal Justice.

It said: “The last few decades have seen significant changes. The development from industrial to post-industrial society, the increasing value of information in economics, culture and politics, and the growing importance of computer technology have led to legal challenges and new legal responses to information law.”

Chan says Macau took a huge step forward in the fight against Information Technology (IT) crimes last year when it enacted new laws.

Since June 2009, the IT-related crimes section of the Judiciary Police, which performs under the Economics Crimes Division, started to look into cybercrimes within the framework of this new law.

Chan tells Macau Business that six people have been formally accused following the investigation of five cases.

For the moment, the situation is not so serious in Macau says Chan: “When we compare our crime rate in the computer field with neighboring cities, we can see there are no serious cases,” he says.

Prevention and cure

However, prevention is better than cure says Chan, adding that it is better to have a legal framework to fight computer crimes that could rise suddenly.

Historically, economic value has been placed on visible and tangible assets. With the increasing appreciation that intangible data can possess economic value, it has become an economic asset that can be the target of criminals.

Internationally, criminals often target banks, financial institutions and even smaller business that have adopted online banking.

This is not the case in Macau says Chan, who says there is no information on companies or banks that suffered losses due to computer crimes. Fraud and defamation are the most common crimes related to computers here, said the head of the Economics Crimes Division.

Local companies who deal with financial transactions are aware of the existing threats related to computer crimes, says Chan, adding that they have imposed self-protection systems.

Moving forward

If computer crime is not so serious in Macau, is there really a need to strengthen the department?

Chan says yes. Apart from more staff, there is a need to restructure work methods and priorities. Besides computer forensics, the 5th section of the Judiciary Police is also charged with preventing and investigating crimes involving counterfeiting, and the use of bogus documents and credit cards, among others.

That is why they submitted a proposal to the government asking to restructure IT from a section to a division, which would focus specifically on computer crimes – online and hardware.

“Computer forensics is very time consuming work, it requires lots of hours spent analysing data,” says the head of the Department of IT and Telecommunications Coordination of the Judiciary Police, Tou Chi Meng.

“The goal now is to increase from 20 to almost 30 officers and focus solely on fighting IT crime,” he adds.

Since 2003, when the IT section was formed, the police have upped training and sent officers overseas to liaise and learn new skills from other jurisdictions. The United States Federal Bureau of Investigation has even been hosted here in Macau to discuss computer crime.

Future recruitment will look for people with IT related backgrounds or computer related degrees.

Cooperation pays off

Authorities are also paying special attention to illegal gambling, a crime that goes way beyond Macau’s geographical boundaries. Operation SOGA – short for Soccer Gambling – was a good example of international cooperation.

In 2008, the international police organisation Interpol coordinated an operation targeting illegal soccer gambling across Asia resulting in more than 1,300 arrests and the seizure of over US$16 million.

In a two-month operation, law enforcement agencies across China (including Hong Kong and Macau), Indonesia, Malaysia, Singapore, Thailand and Vietnam identified and raided 1,088 illegal gambling dens, many of which were controlled by organised crime gangs.

Chan Kin Hong said local authorities are dedicated to combating this crime: “We have always cooperated with other jurisdictions and international enforcement agencies to fight computer crimes that represent a threat to Macau.”

Global threat

Even if the mainland, along with US, is considered one of the major countries with malicious computer activity, there are no special precautions.

“IT crime is a transnational offence way beyond geographical boundaries. It’s actually a global issue that has to be tackled everywhere. There is no special fear just because we are so close to mainland China, because attacks can come from the other side of the world,” says the chief of the Economics Crime Division.

All threats have to be dealt with in the same way: analysing the current trends of IT crime; identifying the kind of crimes that are being perpetrated; and stepping up measures to fight them are the normal steps taken by the Judiciary Police.

That is why local authorities are constantly working with Interpol through a direct communication channel and have established a mechanism with Hong Kong and the mainland.

“We are now able to maintain a direct dialog with all parts and to cooperate to prevent and combat computer crimes,” says Chan.

A question of evidence

Greater powers to investigate cybercrime have raised fears over human rights, but according to Macau police last year’s new laws are no reasons for panic.

Legal expert Nuno Lima Bastos says laws on computer crime need to distinguish between the accidental misuse of a computer system, negligent misuse and intended, unauthorised access to or misuse of a computer system.

But above all, there should be clear restrictions to how the authorities can act during investigations.

Bastos recalls an incident involving the Olympic Torch in 2008, when a man was arrested after posting a plan on a CTM forum describing how someone could steal the torch.

At that time, there was no legal framework against computer crimes and worries emerged about the way the police handled the case, mainly because of the search procedures.

Unethical or illegal?

It took a little more than a year after the incident for the law to be enacted.

“It shows that there was a major concern after that episode and left us wondering if the enactment of the law was really to fight computer crime or simply to better control the flow of information,” Bastos tells Macau Business.

“A distinction must be made between what is unethical and what is illegal. The legal response to the problem must be proportional to the activity that is alleged,” he adds.

However, such fears have no basis, according to the head of the Economics Crimes Division of the Judiciary Police.

“The enactment of the law had nothing to do with the Olympic Torch incident. What happened in that case was only a rumour and the authorities acted according the existing laws,” says Chan Kin Hong.

He adds that the episode was not even considered a cybercrime.

Chan says: “The law was enacted because there was a loophole in our judicial system. The law tried to focus on what was not covered, like information technology crimes or attacks perpetrated on the internet.”

Race against time

But concerns persist on provisions in the law that suggest special powers be given to the police to seize computer data evidence without the permission of the courts – something that caught the attention of lawmakers when the bill was discussed.

But there’s no reason to panic says Chan: “Not just in IT crimes, but also in any other investigation, we will ensure that personal privacy is well protected. We will only work within the framework of the law and we won´t allow any personal information to leak out to the public,” he says.

This type of “emergency situation” is also included in the Penal Procedure Code, which states that a judge has to validate a search within 72 hours.

“The same provision was applied in the law against computer crimes, especially considering that computer data can be instantly changed or erased with minimal chance of detection,” says the chief of the Economics Crime Division. “The Judiciary Police will not overuse this mechanism,” he insists.

Even if the authorities act without the approval of a judge, they will only obtain the physical evidence but won´t examine it immediately.

“First, we’ll get the authorisation from the judge, then we’ll move forward in examining the material we have,” Chan adds.

Control under a commission

But Bastos worries that the police can obtain evidence or search through material just to get information, without going forward with the criminal process.

“That way, they wouldn’t need to go to a judge to get the search validated,” he says.

Despite agreeing that Macau needs the law, the legal expert says there is no data to back up this provision: “I don’t see that we have such a serious threat in Macau that something like this is needed. The authorities should be well prepared to distinguish what is a computer crime,” says Bastos.

On the other hand, to control how the police use the “urgent provision”, “a commission should be set – by legislators, scholars and judges, to regularly ask for reports from criminal authorities and also from service providers to confront all the information”.

“This would be a huge step in guaranteeing the protection of the basic rights of each citizen,” adds Bastos.

Scams Inc

Online racketeers are constantly changing and updating their skills. A few recent cases paint

an ominous picture

Latvian tax hacking

An unknown group of hackers said they had illegally downloaded millions of Latvian tax documents to show that Riga’s attempts to fight the economic crisis were not working. An alleged hacker using the alias “Neo” reported that over a period of three months, his group used a security loophole to download over 7.5 million documents from the State Revenue Service’s website. The massive data theft has embarrassed politicians and officials whose income and wealth – often many times the national average – has been exposed to the public at a time when Latvia is undergoing painful budget cutbacks to rebound from a severe recession.

Rogue carbon trading

Earlier this year, an organised group of hackers got access to online accounts where companies maintain their carbon credits, according to Der Spiegel. The German newspaper said the hackers launched a phishing attack against employees of companies in Europe, New Zealand and Japan, which appeared to come from the German Emissions Trading Authority. Using the workers´ credentials, the hackers were able to hi-jack the credentials to access the companies´ Trading Authority accounts and transfer their carbon credits to two other accounts controlled by them. According to the BBC, it’s estimated the hackers stole 250,000 carbon credit permits from six companies worth more than US$4 million.

Taking it – from ATMs

According to a federal grand jury indictment in 2008, two hackers, using bank accounts and PINs stolen over the internet, managed to steal millions of dollars from Citibank. The pair is alleged to be part of a worldwide scam that has made 9,000 fraudulent ATM withdrawals, according to court documents. ATM cards encoded with Citibank customer account information were used to withdraw the money.

Google under attack

Global media reports say computer codes used in the recent attacks on the networks of Google and dozens of other major US companies were developed by a group of Chinese hackers. Some say they were security professionals, consultants and temporary contractors, while others believe it appears to have been deployed by amateurs. Nonetheless, the computer attack made Google leave the mainland and created a firestorm between Washington and Beijing. Chinese authorities have denied any involvement and dismissed the reports that linked the attack to two local schools. Google and Beijing are still trying
to reach a final solution about the company’s future in the mainland.

Large wire fraud

In 1994, Vladimir Levin accessed the accounts of several large corporate customers of Citibank via their dial-up wire transfer service and transferred funds to accounts set up by accomplices in different countries. Three of his accomplices were arrested and the interrogation directed investigators to Levin, a 23-year-old computer programmer in St. Petersburg. However, at the time, there were no extradition treaties between the US and Russia covering these crimes, but in March 1995 Levin was apprehended in London making an interconnecting flight from Moscow. Levin was delivered into US custody in September 1997, and in a plea agreement he admitted to one count of conspiracy to defraud and to stealing US$3.7 million.

Baidu offline

China’s leading search engine has revealed a shocking lack of security nous as its chosen domain name registrar was responsible for a prolonged outage last January. Baidu, which commands 70 percent of the Chinese search market, was offline for at least four hours. During the incident, its baidu.com home page instead showed the messaged “This site has been hacked by the Iranian Cyber Army”. China’s Baidu says in legal papers that an obvious scammer was able to con Register.com support staff into handing over the keys to its kingdom, resulting in millions of dollars in lost revenue.

Classification and solutions

The Council of Europe’s Cybercrime Treaty identifies offences ranging from criminal activity against data, to content and copyright infringement. However the United Nations Manual on the Prevention and Control of Computer Related Crime gives a broader definition which includes fraud, computer sabotage, forgery, drug trafficking, unauthorised access, dealing in child pornography and even cyberstalking

Common crimes

Password phishing and sniffers

Offenders often dupe new and unsophisticated Internet users into revealing their passwords by pretending to be law enforcement officials or agents of the service-provider. Password sniffers use software to identify a user’s password, which can then be used to hide their true identities and commit other crimes – ranging from unauthorised use of computer systems to economic crimes, vandalism or terrorist offences.

Spoofing

Spoofers use various techniques to disguise a computer to electronically “look” like another, so that access may be gained to a normally restricted system, and crimes committed.

Fraud

Fraudulent offers have already been made to consumers in the region of electronic commerce, such as trading stocks and bonds or buying and selling computer equipment. You have to remember there is no such thing as “free money”. If anyone offers you free money, you should automatically consider them a scammer. Also, do not become a “money mule”. Cybercriminals hire legitimate bank account owners that are normally unaware that they are “mulling” stolen money, but think that they are being paid for “working from home” and other moneymaking schemes. The stolen money is transferred to his/her bank account. Later on, after deduction of his or her commission, it is again transferred to a bank account provided by the offenders.

Gambling

Online gambling has increased as commerce provides ways of establishing credit and transferring funds on the Internet. Problems have arisen in countries where gambling is a crime, or where domestic authorities require licenses. Also, fairness to players cannot be guaranteed, given the technical and jurisdictional hassles of monitoring games.

Sabotaging systems

Attacks such as “mail bombings” can send repeated messages to an e-mail address or website, denying legitimate users access to it. The mail influx can potentially overwhelm the receiver’s personal account and shut down entire systems. Although a disastrously disruptive practice, it is not necessarily illegal.

Sabotaging and vandalizing data

Intruders can access websites or databases and erase or change data, damaging the data itself and causing further harm if incorrect data is later used for other purposes.

Child porn

The global spread of child pornography on the Internet is huge. Exacerbating the problem are new technologies, such as cryptography, which can be used to conceal pornography and other “offensive” material being transmitted or stored.

Money laundering

Electronic commerce is expected to provide a new avenue for the electronic transfer of goods or money used to launder the proceeds of crime, especially if transactions can be concealed.

Industrial espionage

Hackers can carry out sophisticated espionage for corporations or on their own, copying trade secrets ranging from technical or product information to marketing strategies.

How do they do it?

In the cyberworld there are numerous methods available to commit identity theft and other crimes. Trojan Horses and spyware are two of the most popular methods used.

A Trojan Horse program presents itself as a useful computer program, while it actually causes havoc and damage to your computer. Unlike viruses and worms, Trojan Horses cannot spread by themselves. They are often delivered to a victim through an email message where they masquerade as an image or joke, or by a malicious website, which installs the Trojan Horse on a computer.

Spyware is a general term used for programs that covertly monitor your activity on your computer, gathering personal information, such as usernames, passwords, account numbers, files, and even driver’s license or social security numbers. Spyware is similar to a Trojan Horse in that users unknowingly install the product when they install something else.

How to protect yourself?

The more difficult you make a cybercriminal’s job, the more likely they are to leave you alone and move on to an easier target. Here are some tips:

Keep your computer current with the latest patches and updates.

Make sure your computer is configured securely.

Choose strong passwords and keep them safe.

Protect your computer with security software.

Protect your personal information.

Don’t share information with people that you don’t know personally.

Be aware that online offers that look too good to be true usually are.

Review bank and credit card statements regularly.

What to do if you become a victim

There are a series of steps you can take to respond to and recover from cybercrime.

Crimeware

Disconnect immediately. Unplug the network cable, phone, cable line from your machine or disconnect your network connection. This can prevent data from being leaked back to the attacker.

Scan your computer with an up-to-date antivirus program – a program with antivirus and antispyware capabilities would be more suitable.

Back up your critical information. Sensitive data may be leaked by crimeware and it may also be inadvertently destroyed or lost during the clean-up effort.

Consider going back to ground zero by re-installing the operating system of your computer or using back-up software.

Online Fraud

Close affected accounts immediately. In the best-case scenario, you will be able to shut down or change any credit card, bank or other online service accounts before the thief can leverage them.

File a police report. Ideally this would be done in the area where the crime took place. While this may or may not provide the police enough information to bring the criminal to justice, you can use a copy of the police report or the report number as evidence with your creditors in case they ask
for proof.

Contact government agencies if any of your identification data has been stolen (ID, driver’s license, etc).

Watch your credit card reports closely.

Look for signs of identity theft. It’s natural to have your guard up after
having your identity stolen. During this time, be on
the look out for odd things in the mail, including
credit cards you did not request and bills that you normally receive which have gone missing.

Challenge time

Cybercrime expert Marco Gercke says Macau’s law is one of the best, in a world that faces many outstanding challenges.

By their very nature, online offenders are always looking for new ways to commit crimes, but the degree of innovation is limited says Marco Gercke, director of the Cybercrime Research Institute in Germany.

“A significant number of methods used by offenders have been known for decades. In the last few decades various counter methods and investigation techniques have been developed on an international level,” Gercke tells Macau Business Tools and training

Gercke says lawmakers need to make sure that law enforcement agencies have the right investigative tools and can provide the right training for law enforcement agencies.

Even though Macau only enacted the law to fight computer crime last year, it did so in compatibility with international standards.

“The Macau law is not only compatible to those standards but also reflects trends in the region. Drafting such legislation in general takes longer than drafting legislation with a focus on national demands only,” says the Council of Europe expert.  .

Macau seems to be ready to cooperate with other jurisdictions says Gercke, who was involved as an advisor in the development process of law.

“From what I have seen, both regional approaches as well as national approaches within the region were carefully taken into consideration. Macau in this context is very well prepared for international cooperation,” he adds.

Soaring challenges

Even though offenders have their limitations, the challenges are many, varied and global.

“They range from the emerging use of encryption technology, that makes the collection of digital evidence more difficult, to the threat of powerful attacks carried out by botnets,” says Gercke, who is also a visiting lecturer for International Criminal Law at the University of Macau.

There is also a need to raise public awareness of cybercrime. “Neither law enforcement nor citizens and companies are fully aware of the threat of cybercrime. The problem with regard to law enforcement is the fact that too many crimes are not reported and therefore do not appear in the crime statics.

“With regard to citizens and companies, the main problem is that the awareness raising approaches have not turned out too effective so far,” says Gercke.

Social networking sites, for example, have seen tremendous growth, raising concerns.

“Information made available by users in social networks can be collected and used by offenders preparing identity-related crimes,” adds the expert.

In the fight against Cybercrime, the private sector plays an important role. “While it is neither necessary nor desirable that the private sector is actively taking over the work of law enforcement, a close cooperation of law enforcement and the private sector is important,” says Gercke.

Good example

Despite only a few cases which have surfaced in Macau, legal responses should not be quantitative, says Gercke.

“It is desirable that any country in the world is able to effective investigate cybercrime cases – even if only a few cases are discovered.

“The legislation enacted by Macau is one of the best in the world and has already caught the attention not only of Portuguese speaking countries. It is widely seen as a very balanced approach.”

Human rights

More technical power for authorities doesn’t necessary mean that human rights will suffer, he believes.

“The importance of protecting human rights and especially the privacy of internet users does not only need to be taken into consideration when technical power is created, but also with regard to the extent of criminalisation and the implementation of procedural instruments,”
he says.