Current trends

P J Louw26 September 2014

“Everybody has a plan until they get punched in the face” – Mike Tyson

Significant security breaches by Organised cybercrime since 2008

• 2009: African Bank R74 million• 2009 Department of Justice R16 million• 2010: FNB R27 million • 2011 Land Bank R300m• 2012 Postbank R42 million

This excludes phishing, credit cards, easy payments etc.

POSTBANK CASE 2012• Open bank accounts with false information• Recruit insider in call centre of bank• Stole a terminal cloned it. Create virtual branch• Insider lifted the limits on bank accounts to R500 k

each• Created “virtual” money and transferred it to bank

accounts• Three days withdrew the money from ATM’s R42

million gone. See next two slides

Current International Trends: prepare our prosecutors

“Guilty Verdict in First Ever Cybercrime RICO Trial”

http://www.wired.com/2013/12/rico/?cid=co15532334

Identity thief guilty of federal racketeering charges for facilitating his crimes over a website

The case of David Kernell

Intentionally accessing without authorization the e-mail account of former Alaska governor Sarah Palin

The case of David Bronk.

•Hack into email accounts

•Stole nude pics

•Extortion

ECT ACT

• Recent convictions section 86(1) unauthorised access and interception of data

• S v Smith Lydenburg Regional Court. Senior citizen sentenced to 5 years imprisonment

• See, e.g., Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1124 (W.D. Wash. 2000) (finding that insiders with authorization to use a system can lose that authorization when they act as agents of an outside organization).

• See also International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (holding that an employee's access to data became unauthorized when breach of his duty of loyalty terminated his agency relationship);

• Vi Chip Corp. v. Lee, 438 F.Supp.2d 1087, 1100 (N.D. Cal. 2006) (applying the holding of Citrin to an employee who deleted data after being informed that his employment was to be terminated).

Unauthorized access to, interception of or interference with data (Section 86) (1) Subject to the Interception and Monitoring Prohibition Act, 1992 (Act 127 of 1992), a person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty of an offence. (2) A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective, is guilty of an offence.(3) A person who unlawfully produces, sells, offers to sell, procures for use, designs, adapts for use, distributes or possesses any device, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts with regard to a password, access code or any other similar kind of data with the intent to unlawfully utilize such item to contravene this section, is guilty of an offence.(4) A person who utilises any device or computer program mentioned in subsection (3) in order to unlawfully overcome security measures designed to protect such data or access thereto, is guilty of an offence.(5) A person who commits any act described in this section with the intent to interfere with access to an information system so as to constitute a denial, including a partial denial, of service to legitimate users is guilty of an offence.

a fine or imprisonment for a period not exceeding 12 months.

a fine or imprisonment for a period not exceeding 5 years.

Theft of information?In S v Boesak the Supreme Court of Appeal stated

“Theft, in substance, consists of the unlawful and intentional appropriation of the property of another (S v Visagie 1991 (1) SA 177 (A) at 1811). The intent to steal (animus furandi) is present where a person (1) intentionally effects an appropriation (2) intending to deprive the owner permanently of his property or control over his property, (3) knowing that the property is capable of being stolen, and (4) knowing that he is acting unlawfully in taking it (Milton South African Criminal Law and Procedure vol II 3rd ed at 616).”

Theft of information?It should be pointed out that this definition

(description) – unlike the one advanced by

Snyman and other modern authorities – does not claim that as a general rule only “corporeals”

can be the subject-matter of theft. The above definition also uses the concept “appropriation”

as opposed to the concept “contrectatio”

Theft of information?• There are several High Court decisions where it was held

that theft cannot be committed in respect of “incorporeals”, such as “electricity”, “board and lodging” and “a design or idea”. These decisions, however, have neither been confirmed nor rejected by the Supreme Court of Appeal S v Mintoor 1996 (1) SACR 514 (C).

• R v Renaud 1922 CPD 322. It has been suggested that there can be no theft of a computer software programme by copying it (Skeen (1984) 8 South African Journal of Criminal Law and Criminology 262 at 264).

• R v Cheeseborough 1948 (3) SA 756 (T).

Theft of informationIn S v Graham 1975 (3) SA 569 (A) at 576 Holmes JA

merely observed that “[i]t may well be that, strictly according to Roman-Dutch Law, only corporeal things were capable of being stolen …”

The object must be a corporeal one. In our reported cases little on this issue is to be found, and the Appellate Division has not yet addressed this requirement specifically but has also not rejected it.]

Theft of information?• The Supreme Court of Appeal has, however,

indeed decided that money is “capable of being stolen even where it is not corporeal cash but is represented by a credit in books of account” – per Holmes JA in S v Graham. Supra at 576H. exception – referred to by Snyman as “theft of credit” – was created to meet the valid demands of modern financial transactions, practices and arrangements Op cit 487.

• It seems clear that the distinction between “corporeal” and “incorporeal” is not necessarily decisive in determining whether something is capable of being stolen. Share certificates (as opposed to shares) are corporeal and obviously capable of being stolen. But shares, it was held by Milne J (as he then was) in S v Harper and another, can also be the subject-matter of theft despite their incorporeal nature. The court pointed out that the notion that only corporeal property could be stolen, stemmed from the Roman Law principle that there had to be a contrectatio, that is, some actual physical handling of the property. At 666H Milne J stated that given the fact that the courts had moved away from the requirement of a physical handling, the very ratio for claiming that there can be no theft of an incorporeal object in any circumstances would seem to have collapsed.

New cyber bill exciting new development

strategy: Recusal of prosecutors

Project Glacy