by Bob Burls @ Naked Security from Sophos on October 31, 2012
Do you know how to report a computer crime? Or even who you would report it to?
Well, there is no one size fits all solution - it depends on the individual circumstances and where you are in the world - but we've drawn up some scenarios that are typical of some of the crimes that any computer user, at home or work, might come across.
In the first of our series of articles on how to report a computer crime, we'll look at unauthorised email access, what offences are committed when a crime like this happens and how you should report it.
Take this scenario:
- Abigail is at work. She logs into her personal webmail account during her lunch-break, which she is allowed to do according to her company's computer policy.
- A friend had advised her to use a complex password for her personal webmail, but she finds it difficult to remember so she has it written down in her diary.
- Abigail logs out of her personal webmail account and leaves the building to make a private phone call, but doesn't take her diary with her.
- Barry sits opposite Abigail; he has a secret crush on her. Barry goes to Abigail's desk, searches her diary, finds the webmail account name and password and logs into her webmail account from his smartphone at the office.
- Barry reads a number of Abigail's previously read personal emails using his mobile, but does not read any unread mail in case Abigail notices someone has accessed her account.
- Abigail later discovers that someone has read her emails after she checks her email account activity and notices the account has been accessed by a mobile web browser. She suspects it was Barry after he made a comment regarding something she had written in a personal email.
What was the offence?
We can break it down like this:
- Barry deliberately gained access to Abigail’s web-based email account
- Barry did not have permission to access the account, nor would he have been given it if Abigail, the genuine account holder, knew what he was doing.
- Although Barry did not delete or deliberately alter any data, he has still committed an offence because the access was not authorised
The legal bit
We've focused on the UK, USA, Canada and Australia, but each country has its own legislation, though the relevant statute often exists to accommodate the same offences in each country.
UK
In the UK, most computer crime falls under offences covered by one of three pieces of law:
- Computer Misuse Act 1990
- Communications Act 2003
- Fraud Act 2006
Other associated crimes could include Conspiracy or Money Laundering offences, but victims of crime are more often than not affected by at least one of the three Acts listed above.
In this case, Barry committed an offence of "Unauthorised Access" in contravention of S1 Computer Misuse Act 1990, committed when the offender causes a computer to perform a function intending to secure access (which Barry did when he gained authentication to Abigail's account).
USA
In the USA, most cybercrime offences are covered by Title 18, United States Code (USC) Section 1030 – Fraud and related activity in connection with computers. This is what Barry contravened when he logged into Abigail's account.
Canada
The Criminal Code of Canada contains sections that specifically cater for cybercrime, including:
- Unauthorised Use of Computer
- Possession of Device to Obtain Computer
- Mischief in Relation to Data
- Identity Theft and Identity Fraud
In this case, Barry contravened Section 342.1 Canadian Criminal Code (CCC) - Unauthorised Use of Computer.
Australia
Both state laws and commonwealth laws exist in Australia. In South Australia, the investigation of cybercrime by police is classified under three tiers and is spread across the organisation depending, mainly, on severity.
The primary legislation for computer offences is the Summary Offences Act, 1953 (SOA) and the Criminal Law Consolidation Act, 1935 (CLCA).
In this case, Barry has contravened Section 44, Summary Offences Act.
Reporting the crime
UK
In the UK, when a crime has taken place it should be reported to the police, so Abigail should go to her local police station to report it.
A crime allegation may be investigated by a police force or may be referred to the Police Central e-Crime Unit (PCeU) which provides the UK's investigative response to the most serious incidents of cybercrime. The PCeU requests that the routine reporting of computer crime offences are not made directly to them.
There is also an alternative reporting body for internet-enabled crime: Action Fraud.
Action Fraud records and passes on crime reports to the National Fraud Intelligence Bureau, who then decides whether the incident requires further investigation, as not all computer crimes are investigated.
USA
The Department of Justice website contains a Computer Crime and Intellectual Property Section with a contact page for reporting incidents to local, state or Federal Law Enforcement Agencies (LEA).
Two Federal LEAs have a remit to investigate some computer crimes:
- The Federal Bureau of Investigation (FBI)
- The United States Secret Service (USSS)
In this case Abigail should report the crime at her FBI Local Office, or US Secret Service or Internet Crime Complaint Centre.
Canada
The Royal Canadian Mounted Police (RCMP) are the main agency with regard to the investigation of federal statutes but also have policing responsibility for a number of the Canadian provinces and all 3 territories, as well as some local police services in towns and cities.
A computer crime victim, like Abigail, should report their incident to their local police service. If appropriate, it will be escalated for the attention of the agency with federal responsibility, the RCMP.
Australia
Abigail should report the crime to the Australian State or Territory Police.
Investigation policy differs from state to state but the Australian Federal Police website offers a guide on whether the crime should be reported to either Australian State or Territory Police.
Preserving the evidence
Abigail may want to consider informing her webmail service provider that she has reported the incident to the authorities.
She should also request that they preserve the web access logs so they can be looked at during the investigations.
Remediation
Abigail should change her webmail password immediately and use a robust password that she can memorise rather than one which she has to write down. She could also consider using password management software (examples include 1Password, LastPass or KeePass) where she only will need to remember one complicated master password.
Conclusion
In general, it's important that all computer crime is reported. Even if no investigation follows, crime report intelligence can be built up and an accurate picture of the levels of computer crime can be produced.
If victims of a particular crime do not come forward to report incidents, then the number stated in crime reporting statistics will be not be a true reflection of the number of crimes taking place.
The scenario above is given as an example to help you in understanding when and what offences have taken place. Please be reminded that no two situations are the same and we have not catered for the “what if” situation.
We have also not included any corporation’s AUP (Acceptable Use Policy) that may be in place and may have been breached.
All of the scenarios are made up and the characters depicted bear no resemblance to any person.
Acknowledgements
Daedalus Teks does not take credit for this article, Daedalus Teks shares articles like these in order to make clients more aware of the I.T. Field. Daedalus Teks gratefully acknowledges the assistance of Naked Security and the following organisations in preparation of this series of articles:
- UK Police Central e-Crime Unit
- Action Fraud
- United States Federal Bureau of Investigation
- United States Secret Service
- Royal Canadian Mounted Police
- South Australia Police