Tuesday, 2 September 2014

EFCC AND ATTEMPTED HACKING

On the 30th of August, 2014 Sahara Reporters posted a news story on their website; captioned: “EFCC Arrests Three Suspected Fraudsters for Attempted Hacking.” The gist of the story is that some persons conspired to break into or compromise the computer systems/computer networks of a bank using an electronic device, for the purpose of stealing funds. However; their plan failed as an insider reported them to the Economic and Financial Crimes Commission (EFCC) and they were arrested.

The caption of the story got me wondering whether there is a law in Nigeria which directly criminalizes attempted hacking or hacking or breaking into someone’s computer networks or computer systems. To the best of my knowledge there is no such law in Nigeria that directly criminalizes hacking or breaking into or compromising someone’s computer networks or computer systems? Therefore, the caption: “EFCC Arrests Three Suspected Fraudsters for Attempted Hacking.” by Sahara Reporters is inappropriate or misleading.

In the US the Computer Fraud and Abuse Act, has prohibited certain computer crimes. The Act prohibits accessing or attempting to a computer without authorization and subsequently transmitting classified government information, theft of financial information, computer fraud, transmitting code that causes damage to a computer system, trafficking in computer passwords for the purpose of affecting interstate commerce or a government computer, etc. Also in South Africa, under the Electronic Communications and Transactions (ECT) Act 25 of 2002; unauthorised access to, interception of or interference with data on a computer or computer networks is  criminalized.

However, with regard to Nigeria, there is no law like that of the US and South Africa mentioned above. It is therefore, high time that a law regulating computer/internet crime in Nigeria is enacted. The need for a law criminalizing computer crime/cybercrime in Nigeria becomes more urgent considering the drive by the Government (Central Bank of Nigeria) to encourage cashless transactions which compels people to use electronic(computer) means of transactions. Criminals may exploit weaknesses in these electronic means of transactions to defraud customers but a computer crime/cybercrime law would be able to curb such criminal acts by punishing criminals who contravene the law.

In addition to the above, many Nigerians are now taking to online transactions/ecommerce. This can be inferred from the growth and popularity of the two leading online shops in Nigeria: Konga and Jumia. It is has therefore become necessary to pass computer crime/cybercrime laws to protect users of these ecommerce channels/shops. Apart from such computer crime /cybercrime laws there is also need for a data protection law to guard against the misuse/abuse of the personal data which operators of these ecommerce sites gather and hold concerning their customers/users. For instance in China, P.R.C. Criminal Law  stipulates criminal penalties for improper sales, provision and collection of personal data. In the same China, three men were arrested for illegal sales of millions of items of personal information.

Saturday, 12 July 2014

OBSERVATIONS ABOUT THE CASE OF BARRISTER GEOFFREY AMANO vs UNITED BANK FOR AFRICA (UBA) PLC



This article (blog post) is just a part of an insightful, informative and interesting article which will be published in November. As soon as it is published I will put up the link to it on the blog so keep a date with this page.

The case BARRISTER GEOFFREY AMANO vs UNITED BANK FOR AFRICA (UBA) PLC is reported at page 114 of SLP (Section on Legal Practice) Law Journal Vol. 3, 2013 and a pdf version of the report as scanned from the journal can be found here. The SLP Law Journal is a publication of the Section on Legal Practice (SLP), Nigerian Bar Association (NBA).

Brief Facts
Barrister Geoffrey Amano (the claimant) was a customer of UBA PLC (the defendant). The claimant was issued with an ATM card for the operation of his savings account with the defendant. On 11th November 2009, he went to the bank to withdraw money and he discovered that the sum of N149,000.00 had been withdrawn from his account without his authorization between 6th November and 9th November 2009. The defendant however, contended that the withdrawals were made by the claimant through the correct use of his ATM card and PIN, or that he had authorized unknown persons to do so with his ATM correct PIN.

The claimant contended that the bank failed in its duty of care owed to him, which resulted in the loss to him by the unauthorized withdrawal of the sum of N149,000.00 from his account. The particulars of negligence were that the bank failed to make its ATM fraud-proof; that it is only the bank that knew his ATM card number and PIN because it is used on the bank’s machine; that it is the duty of the bank to protect the use of ATM card from being attacked by thieves, which remains its property; that it is the duty of the bank to carry out a thorough investigation to unearth the fraud perpetrated against the customer through the ATM card, and that the bank made it possible for unauthorized persons to break into the customer’s account to steal his money.

On the other hand, the bank contended that it had at all times exercised reasonable measures to ensure best practice, and that no unauthorized persons have access to and or withdraws money from accounts of its customers including The claimant, and that the alleged withdrawals between 6th November and 9th November 2009 were all made by The claimant with his ATM card and PIN and that the PIN was known only to him unless he had disclosed it to any such alleged unknown persons, or had been careless in handling his ATM card and PIN number leading to the alleged transactions. The bank also contended that the ATM card was fraud-proof, with adequate security features to protect its users such as the claimant.

Decision of the court
Although the bank had submitted that the disputed transactions were done using the ATM card and correct PIN of The claimant, it woefully failed to lead credible evidence to show that the said ATM card and PIN were the same ones used for the disputed transactions. The court therefore held that based on the circumstance of the facts and evidence in the case, the withdrawal of the sum of N149, 000.00 from the account of the claimant was unauthorized, and that the bank has the duty of care to ensure that the funds of the customer in its custody are safe, and should only be withdrawn upon due authorization by the customer. The bank had failed in the discharge of its duty of care towards the claimant, and was thus liable in negligence. The court therefore ordered the bank to refund the sum of N149, 000.00 that was withdrawn without the customer’s authorization, and to pay to the claimant the sum of N3, 000,000.00 as general damages for the untold hardship suffered for the unauthorized withdrawal of funds from his account.

The court also ordered that there should be interest on the N149, 000.00 part of the judgement sum at the current interest rate per annum from the 9 November 2009 to the date of the judgement and thereafter, the interest rate of 10 per cent per annum as allowed by the Rivers State High Court Rules 2010 on the entire judgement in the sum of N3, 149,000.00 from the date of the judgement till the entire judgement sum is finally liquidated.

OBSERVATIONS
During the cross examination of the bank’s witness (DW1) he testified that the transactions of 6/11/2009 and 9/11/2009 were done through the use of ATM card and correct PIN of the claimant but failed to lead or give any credible evidence to show that the ATM card and PIN of The claimant was used for the withdrawal. At this juncture it is appropriate to reproduce an excerpt of the DW1’s cross examination below:
Q:    Exhibit A is ATM?
A:     Yes.
Q:    Is the defendant still using this ATM?
A:     No.
Q:    Why did the defendant stop its use?
A:     We migrated to another platform.
Q:    Why?
A:     Because the Exhibit A had no name of the account holder on it.
Q:    So the ATM- Card you use now has more security features?
A:     No, the new ATM has better features.
Q:    The better features are for the security of the customer?
A:     No, it is for fast and better transaction.
Q:    What are the security features of the ATM?
A:     Once a customer inserts his ATM card with a wrong PIN number the ATM machine seizes it.
Q:    How does UBA Plc, determine unauthorised withdrawals over which complaints are made?
A:     Unless the customer compromises his PIN there can be no unauthorized withdrawal by ATM card.
Q:    Look at Exhibit D, the Defendant admitted that fraudster can guess and use PIN illegally?
A:     Yes, but that is - usually through the internet.
 Q:   But the use of the internet is not in Exhibit D?
A:     Yes, it is not there.
Q:    So, since fraudster can get the pin number then unwarranted withdrawal can be made through ATM?
A:     No the customer must have compromised his pin.
Q:    It is common knowledge in banking that a fraudster can hack into the ATM Machines?
A:     I am not aware.
Q:    ATM Machines has the capacity to capture footage of the machine?
A:     Yes.
Q:    Do you have the footage of the withdrawals on 6/11/2009 and 9/11/2009?
A:     No, as the withdrawals were done at other banks which do not have footage but used the journal to know the withdrawals on those dates.
Q:    You did not have the PIN used in those withdrawals?
A:     No, it is known only to the customer.
Q:    You also do have anything to show that it was the same PIN number of the ATM used that date?
A:     No, but it was the same ATM Card that was used.
Q:    Can fraudsters guess and use PIN number of a customer and withdraw money?
A:     No, but a person can guess the pin number of a customer and withdraw money and that is why we usually advice against the use of easy pin numbers such as date of birth.

The defendant in trying to prove that the disputed transactions were done using the claimant’s ATM Card and PIN only tendered Exhibit D1(a comprehensive statement of account of the claimant with the defendant) whose contents were rightly disbelieved or discredited by the court when it stated thus in the judgement:
…for money allegedly withdrawn by the claimant or his authorized person through his ATM Card with correct PIN number on 6/11/2009 and 9/11/2009, in Exhibit D1 not a single fact is stated or shown as to the PIN number used and DW1 did not lead any evidence as to how the court can see and confirm the correct PIN number used as alleged by the defendant.

The ATM card is meant to contain within it what is referred to as an Application Transaction Counter (ATC). The ATC is incremented by one each time a transaction is carried out on the ATM. If the disputed transactions were done using the claimant’s ATM card then the ATC on it would have incremented accordingly.

The ATM card of the customer should therefore have been subjected to a forensic analysis to establish whether the ATC had incremented or increased in accordance with each and every ATM transaction on the customer’s statement of accounts, or whether there are any discrepancies. This piece of evidence coupled with other pieces of evidence such as possible ATM camera footage, transaction and event logs and error reports, ATM receipts (might have confirmed that cash was physically dispensed) and all the Authorization Request Cryptogram (ARCQ) information, would have gone a long way to establish whether the customer’s ATM card and PIN were used by him or by someone else to make the disputed withdrawals. Every time a chip and pin or EMV card is inserted into an ATM, an ARQC is a generated and the Authorization Response Cryptogram is generated by the issuer (bank) in response to the ARQC. This response includes the decision by the bank on the authorization request and is sent back to the card for validation before the transaction is completed. The ARQC would therefore have shown whether the card’s chip had been read by the machine.

It is curious why the bank did not choose to follow the path highlighted above, but rather decided to tender only a printed statement of account which obviously cannot be used to prove that a particular ATM card and PIN was used to make a particular withdrawal. Perhaps if the defendant’s lawyer was tech savvy so as to be aware of all the technical aspects involved in the workings of the ATM card and ATM, he would have probably advised the defendant against the tendering of a mere printed statement of account to show that a particular ATM card and PIN was used for a particular transaction.

Computer Literacy/Technical Training
The case of Barrister Geoffrey Amano therefore demonstrates the need for technical training among lawyers and legal practitioners in Nigeria, especially those involved in litigation. Legal practitioners in Nigeria need to become familiar with or educate themselves about computers and computer-like devices and software so as to be in a better position to handle cases involving or having elements of software. The failure to keep up-to-date with advances in technology and how it affects the law will sooner or later render a lawyer or legal practitioner irrelevant at best, negligent at worst, owing to the ubiquity of electronic communications and documentation; which has in turn elevated electronic evidence to a position of vital importance in modern day litigation.

It is also in this regard that I wish to observe that it is high time that the Council of Legal Education and the National Universities Commission found a way to introduce the teaching of electronic evidence in the universities as a core course, because as a core course any student who fails it would not be able to graduate. This should therefore encourage or compel law students (potential lawyers/legal practitioners) to acquire knowledge of computer usage unlike the present situation where many undergraduate law students are computer illiterates.

The need for lawyers to become proficient in computer usage/ICT or to become familiar with or educate themselves about computers and computer-like devices and software cannot be overemphasized thus in the American case of State v. Crabtree, S.W.3d 2012 WL 3538316, the Kentucky Court of Appeals noted thus:
We note that this case demonstrates a need for technical training among legal professionals. There were several instances during the trial when it appeared that counsel for each party attempted to elicit testimony from the experts but failed because of confusion of technical terms. In this particular case, the evidence of guilt was overwhelming, but we anticipate that this communication gap could be damaging in cases with weaker evidence.

I therefore commend to the Council of Legal Education and the National Universities Commission, the words of Denise H. Wong in her article: “Educatingfor the Future: Teaching Evidence in The Technological Age”:
The advent of the technological age has had significant effect on litigation practice, none more so than in the area of evidence gathering and presentation in court. A significant proportion of evidence that is gathered for both criminal and civil matters is now electronic in nature, and this necessitates a change in the way that lawyers think and advise on evidential issues…rather than simply focusing on principles relating to the admissibility of evidence in court, the traditional course on evidence law should be modified to equip students with an intellectual framework that conceives of electronic evidence in litigation as an entire process. This process begins with the gathering and forensic examination of electronic evidence, and is followed by the admissibility of such evidence in court, ending with the effective presentation of the evidence before a judge or jury…taking such an approach, the law teacher would be playing the role of effective gatekeeper to the legal profession by providing a course that is both intellectually rigorous and adequately prepares would-be litigators for the realities of modern day practice.

Duty to exercise reasonable care and skill
In the case under consideration the bank’s witness was cross-examined thus:
Q:    Do you have the footage of the withdrawals on 6/11/2009 and 9/11/2009?
A:     No, as the withdrawals were done at other banks which do not have footage but used the journal to know the withdrawals on those dates.

Every ATM shall have cameras which shall view and record all persons using the  machines  and  every  activity  at  the  ATM  including  but  not  limited  to:  card insertion,  PIN  entry,  transaction  selection,  cash  withdrawal,  card  taking,  etc. However,  such  cameras  should  not  be  able  to  record  the  key  strokes  of customers using the ATM.

It is the law that banks owe their customers a duty of care to safeguard customers’ funds in their custody and where they breach that duty of care they may become liable in negligence to their customers. In the case of ECOBANK NIGERIA PLC v. ELDER DOMINIC EKPERIKPE (2013) LPELR-20327(CA) it was held that it is the duty of a bank to exercise reasonable care and skill in regard to its customer's affairs. Now, won’t it be negligence on the part of a bank or a breach of the duty to exercise reasonable care and skill considering the level of ATM fraud in Nigeria; to operate ATMs without a camera to capture persons making withdrawals on the ATM or put in another way; where a bank fails to install a camera on any of its ATMs, won’t that be considered negligence on its part in safeguarding its customers’ monies?

Conclusion
All hope is not lost for bank customers whose money in the bank gets missing or stolen through ATM fraud. All they need to do is to write to the bank informing it of the stolen or missing funds and also copy the same letter to the Central Bank of Nigeria (CBN). The CBN circular of February 7, 2011 with reference number BPS/DIR/CIR/GEN/02/003 and titled: Penalty for Non Compliance with CBN Circulars and Guidelines on ATM Operations in Nigeria provides in relevant parts thus:
(a)An ATM without a camera installed will attract a fine of N50,000 and deactivation of the ATM until the camera is installed.
(b)An ATM deployer will be made to refund the full amount involved in any fraud perpetrated on its ATM for failure to provide footages on the disputed transactions when required.
(c)Failure to respond to the customer or to CBN on ATM complaints within 72 hours will attract a fine of N50,000 per day for each complaint after the 72 hours until the response is received.
(d)Failure to resolve any ATM dispute with evidence of resolution within 14 days, the deployer will refund the total amount involved in the fraud.

If the above option fails they should contact a lawyer with the requisite knowledge to seek redress in a court of law. A lawyer with the requisite knowledge in this case, according to Stephen Mason in Electronic Banking: Protecting Your Rights; will be a lawyer who has a fair knowledge of computers and the workings of ATMs and internet banking, a lawyer who is knowledgeable about electronic evidence and electronic signatures, a lawyer who knows the law in relation to electronic evidence and banking disputes.