Natalia Akhtyrskaja , Ph.D.
Fighting crimes committed in the bank computer systems
Information has become one of the main elements of national resources due to a rapid development of information technologies in the latter half of XX century. Today the crisis of a society, change of a social and economic structure, increase in the number of managing subjects and development of business undertakings result in intensifying social and economic tensions as well as crimes committed against particular persons and managing structures.
A modern information revolution resulted from the coincidence of some factors:
- Introduction of information processing electronic means^; rapid development of electronics^;
- Space exploration and development of satellite communication technologies^;
- Development of information network technologies and the Internet.
It allowed accumulating and transferring anywhere huge amounts of information at very high speeds and low costs. For example, transferring 45 gigabits of information per a kilometer of communication line for a second costs 0.01 cent whereas it was $1 fifteen years ago. According to the YNIDO Technological Prevision Summit 2003, every year the world market of information and telecommunication technologies increased by 6-8% over last decade but in China, Vietnam and Poland – by 25-27%. This market is allotted among various regions worldwide in quite an irregular way depending on the general level of their economic development. Thus, the USA accounts for 34% of the world market, Europe – 29%, Japan – 12% and the rest world countries – 25%.
According to the World Bank, many OECD (Organization of economic cooperation and development) countries had an extra cost in knowledge fields increased about by 3% over last 15 years when compared with 2.3% of a general economic growth. The increase in joint extra costs in these fields in Germany is ranged from 51-60%, in Great Britain – 45-51% and Finland – 34-42%.
The process of globalization precipitates these tendencies. Comparative advantages of national economics depend on knowledge and scientific innovations rather than natural resources or cheap labor force. Today the process of storing knowledge favors a social progress and the accumulation of capital. OECD countries’ investments in non-material assets, professional staff training, scientific researches, patenting and licensing, software for computer systems and marketing are equal to funds invested into main reserves and sometimes exceed the latter.
Unfortunately, developed countries and those with a transitive economy (including Ukraine) do not fully take all advantages and potential benefits given by an information society. The process of generating and using knowledge, as well as making investments into science and education to develop and increase a living standard significantly differs in different countries. According to the World Bank, 85% of joint world funds in science are invested by OECD countries, 11% - by India, China, Brazil and new industrial states of East Asia and 4% - by other countries worldwide including Ukraine .
The development of computer technologies makes us approach the time when technical means will contain a considerable part of information resources. Computers that are more effective and widely used in economic, social and management activities resulted in increasing the importance and value of information and informational resources. However, positive phenomena of the general computerization cause many negative ones connected with misusing computer potentialities. Crimes committed by applying electronic computers and information technologies arouse a special concern for Ukraine’s law enforcement bodies.
Computers themselves can be both an object of property crimes (stealing, destroying, damaging) and a tool of committing them i.e. a means of drawing money, concealing taxes, distorting information and so on. Information itself cannot be an object of property crimes because it has no physical features.
According to the analysis of crimes committed against credit and financial institutions, the number of large-scale electronic misappropriations keeps increasing when compared with that of traditional thefts and robberies. Today banking transactions are made to draw and transfer to offshore accounts tens million US dollars within some minutes. In 1991, $2.6 billion were illegally transferred only to Cyprus.
The criminalistical essence of crimes committed in banking computer systems should be understood to fight them in an effective way. For example, in June-July 2000 Mr. K illegally penetrated into the automated system of the “Platinum” Commercial Bank Ltd by using appropriate software and distorted its data. After that, he drew a tidy sum by swindling and breaching trust. The offense can be qualified as an illegal access to computer information. In this case, computer information on banking accounts was modified in an illegal way. Any form of penetration into the automated system by using computer techniques that allow manipulating data can be regarded as an access to computer information. The criminal had no legal right to handle such data. Therefore, it can be concluded that he obtained an illegal access to computer information by neutralizing means of protection (in itself it can be viewed as a corpus delicti).
The criminal’s actions resulted in drawing money from other’s account. It means an illegal gratuitous appropriation of smb else’s property in favor of a guilty or another person that caused some damage to the proprietor. It raises no doubts. However, the problem is how to qualify this misappropriation. The Penal Code runs that the property can be misappropriated through the theft, swindle, appropriation or embezzlement, robbery or that with violence. In this case, it is not a matter of the above offenses.
The secret appropriation of other’s property is a necessary characteristic of the theft. On the one hand, this case features it. However, the theft is not supposed to use the deception as a way of misappropriating other’s property. In this case, a sum was evidently transferred from other’s account through the fraud. Besides, money proper was not stolen as a material object. The modification of electronic notes resulted in changing the right to possess and dispose of the property (money).
These actions might be qualified as a swindle that is the appropriation of other’s property or gain of the right to other’s property through the fraud or breach of trust. However, the peculiarity of the crime consists in that the proprietor transfers money to the criminal in a free-will way. The voluntariness of transferring money can be hardly detected in this case. Therefore, this crime can be hardly qualified as a swindle.
When does the fraud take place? The computer memory contains electronic information on funds. It allows operating with them. As a rule, special software and hardware are used to protect information from an unauthorized access.
The criminal uses fraud only when penetrating into the banking computer system and overcoming its protection. These actions can be regarded as an “illegal penetration into the dwelling, lodgment or other depository”. According to comments, the penetration can be viewed as an intrusion into the depository with the help of devices (in this case by means of the computer) and fraud. The penetration is not a crime end in itself but a way of obtaining an access to values kept. “Other depository” means a “special device or place equipped, fitted or intended for constant or permanent storage of values and their protection from stealing, damaging or destroying”.
The theft can be regarded as a finished crime only when the property is practically removed and the criminal has a real opportunity to dispose of it at his/her own discretion. In this case, the delinquent person has such an opportunity after accomplishing the transaction .
Thus, we have a complex crime characterized with obtaining an unauthorized access to law protected computer information stored in the banking computer system and resulted in modifying it and drawing money from the victim’s account. It shows what damage such crimes can cause and the difficulty of exposing and examining them in court, as well as instituting proceedings against the guilty person.
Criminal proceedings instituted against Gennadie Kuzmichov can be cited as an example of the above situation. In February-July 2000, he opened and used outside Ukraine a dollar account without Ukraine’s National Bank permission, as well as stole a large sum of money by obtaining an illegal access to automated systems.
1. Opening and using a dollar account
On February 10, 2000, G.Kuzmichov, Ukraine’s resident, opened in Russia’s Commercial Bank “Platinum” a special dollar account and deposited $50 without Ukraine’s National Bank permission thereby violated the law “On the system of foreign currency regulation and control in Ukraine” of February 19, 1993. According to it, Ukrainians should obtain individual licenses to deposit money on accounts in foreign banks.
Article 80-1, Ukraine’s Criminal Code, qualifies premeditated actions of G.Kuzmichov, Ukraine’s resident, on opening and using a dollar account outside Ukraine without Ukraine’s National Bank permission.
2. The large misappropriation of CB “Platinum” collective property by using an illegal dollar account, penetrating into automated systems and distributing appropriate detrimental software.
In June-July 2000, G.Kuzmichov deliberately penetrated into the CB “Platinum” automated system by using appropriate detrimental software and distorted its information. After that, he stole a large sum of money by swindling and breaching trust.
On February 10, 2000, G.Kuzmichov obtained an international debit plastic card “BANK PLATINA-VISA ELECTRON” and personal identification number to dispose of funds that he had deposited on the “Platinum” bank special account.
G.Kuzmichov used this plastic card to pay for goods and services in the establishments operating with VISA cards, as well as a PIN-code to know his account condition or draw cash at appropriate money access machines.
The sum written off his special “Platinum” bank card account did not exceed the amount of deposited money. According to the “Platinum” bank tariffs, $1 was written off his card account to obtain an abstract of his account in the cash machine of another bank.
On April 28, 2000, CB “Platinum” employees were charging commissions from their card clients for account balance verification in the other bank cash machines.
A bank employee wrote off by mistake not $1 but $220200 from Kuzmichov’s special card account that in fact represented the date “22.02.00” when he had checked his card account balance.
On May 3, 2000, CB “Platinum” employees replenished Kuzmichov’s card account with $22099 to correct a mistake made in the computer database of their plastic card clients. One dollar was charged as a commission for an abstract of his account taken in the other bank cash machine.
On June 13, 2000, G.Kuzmichov applied again to the “Platinum” Bank for replacing his plastic card because his surname had been changed in the foreign passport. He obtained a new plastic card “BANK PLATINA-VISA ELECTRON” with the previous number of his special card account.
Besides, since 2000 the “Platinum” bank has started rendering its clients an additional service on verifying a card account balance through the Internet.
Having replaced his plastic card, G.Kuzmichov also got an opportunity to check the balance of his card account through the Internet. When verifying the balance of his card account through the Internet, he saw that on April 28, 2000, the bank had wrote off by mistake $220200 from his special card account and on May 3, 2000, it was replenished with $220199.
G.Kusmichov decided to penetrate into the bank automated system through the Internet and introduce changes into the computer database of the “Platinum” bankcard clients by imitating the mistake made on April 28, 2000. After that, he wanted to increase funds on his account by $220200 in an illegal way and receive them in cash machines.
On June 16, 2000, G.Kuzmichov informed the bank by e-mail that he could not check the balance of his card account through the Internet. On the same day, the bank employee verified that information and gave an electronic reply that there were no defects.
Having received an e-letter and scanned its program characteristics in the computer, G.Kuzmichov extracted from it an IP-address of the e-mail server that simultaneously allowed verifying the balance of card accounts through the Internet.
On June 25, 2000, the criminal illegally penetrated into the database computer system containing information on the condition of plastic card accounts by cracking the IP-address of the “Platinum” bank server and decreased the balance of his card account by $220200 by imitating the second bank mistake.
Thus, the modification of information in the Oracle database on the part of G.Kuzmichov resulted in the negative balance of his card account (-$220200).
Meanwhile, the computer database establishing plastic card expense limits contained real information on the condition of the criminal’s card account and allowed using only a sum that did not exceed a deposited one.
Continuing to deceive the Platinum Bank employees, G.Kuzmichov informed the bank operator by phone that his card account showed the negative balance and requested the bank to correct its error.
When verifying obtained information, bank employees found that G.Kuzmichov’s card account actually reflected the negative balance (-$220200). They took it for a failure in the automated system work and replenished his account with $220200. It allowed G.Kuzmichov to dispose of $220200 besides deposited funds and to accomplish his criminal intent to misappropriate a large sum of money.
Thus, on June 26, 2000, the Oracle database computer system automatically obtained data on the condition of bank client accounts adjusted for G.Kusmichov’s one illegally enlarged.
At the same time, the printed abstract of account did not indicate G.Kusmichov’s account increase because official operations are not reflected in account abstracts.
Having created conditions to steal $220200, G.Kuzmichov inquired about the abstract of his card account through the Internet and money access machines to check possibilities of obtaining those funds.
After making sure that his card account had been replenished with a sum of $220200 and he could dispose of it, G.Kuzmichov received and defalcated 143750 UAH (nearly $27122) by using his plastic card and PIN-code.
G.Kuzmichov intended to steal $220200 but he could not accomplish his purpose because his criminal actions were detected and the bank employees blocked his card account.
Article 198-1, Part 2, Ukraine’s Criminal Code, qualifies G.Kuzmichov’s actions on penetrating into the Platinum Bank automated system by using appropriate detrimental software, distorting and destroying information, as well as inflicting a great damage.
Article 86-1, Ukraine’s Criminal Code, qualifies G.Kuzmichov’s premeditated actions on stealing a large collective property of the Platinum Bank of 143750 UHR ($27122) by swindling and breaching trust.
Article 17 Part 2 and Article 86-1 Ukraine’s Criminal Code qualify G.Kuzmichov’s premeditated actions on attempting the large misappropriation of the Platinum Bank collective property of 1053339 UHR ($198743) by swindling and breaching trust.
Thus, G.Kuzmichov committed crimes specified in Articles 80-1, 86-1, 17 (Part 2), 198-1 (Part 2) Ukraine’s Criminal Code .
Some objective and subjective reasons favor the commitment of crimes in the bank computer systems. The knowledge of them allows preventing crimes and decreasing the probability of perpetrating offenses against bank information. The main reasons and conditions that favor the perpetration of such crimes are as follows:
- The lack of appropriate control over an unauthorized access to the bank autonomous computer or that used as a remote working station of the bank computer network to transfer data on primary bookkeeping documents when financing^;
- A careless use of computers on the part of bank employees that allows the criminal to exploit them as a tool of committing crimes^;
- A low level of applied software used in the bank computer systems that has no monitoring protection to check the correspondence and accuracy of input information^;
- The imperfectness of password protection (or insufficient one) from an unauthorized access to information bank recourses that does not identify and authenticate a user^;
- The lack of an official person responsible for the confidentiality of banking information and its security^;
- The lack of a clear categorized system of access to paper and electronic documents of strict financial accounting^;
- The lack of agreements (contracts) with bank employees on keeping commercial and official secrecy.
1. M.Zgurovsky The society of knowledge and information – tendencies, challenges, perspectives. – “Weekly miracle”, 2003. - ¹ 19 (444). – P.17.
2. V.Buyanov, N.Zhogla, O.Zaytsev, G.Kurbatov, A.Petrenko, N.Fedotov Information security in Russia. – Ì., “Examine”, 2003.
3. Criminal case ¹ 70001151. Court of Appeal archives in Dnepropetrovsk (Ukraine)
^macro[showdigestcomments;^uri;Fighting crimes committed in the bank computer systems]