Smart Banking Guide

September 26, 2008

UK Computer Misuse Act (Electronic Banking)

The Computer Misuse Act was introduced in 1990 to deal with the problem of unauthorized use of computers, which is usually described as ‘hacking’. The Act does not clarify the responsibilities and liabilities between the bank and consumers. Maybe that is the reason why, when we lose money to any kind of electronic “hacking”, it is hard to get it back. Actually, I disagree with “hacking”. From my point of view, when we lose money by using an electronic banking service, the bank should at least first replace the money we lost, and then get to work tracing the money. Most of the time, we hear a different story: “sorry, we are dealing with it”, which is supposed to mean “shut up, we can’t help.”


Let’s take a close look at what the British Computer Misuse Act specifies.

The risk of genuine hacking into electronic banking can never be totally eliminated, but any attempt to do so is likely to be identified at a very early stage in view of the use of the security techniques including authentication, encryption, compression of messages and message sequencing.

The Act introduced three new criminal offences, namely:

The main offence which affects electronic banking or treasury systems is that of unauthorized access with intent to facilitate a further offence, which might be theft or sabotage. To commit an offence, access must be deliberate and unauthorized, and the person involved must know that their access is unauthorized. For these offences to be traced, it is necessary to have a full audit trail which records all access attempts, both successful and unsuccessful. Most electronic banking systems provide this facility, and prevent access after a specified number of unsuccessful attempts. The audit trail should also record what action occurs after a successful access and it is important that the audit trail is always examined to look for unauthorized use of a system.
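The audit-trail review described above, as an added example that is not part of the original post: it walks constructed access records, applies a lockout threshold, and flags the entries a reviewer should examine. The record layout, the event names and the threshold of three are assumptions, since the text only says "a specified number".

```python
from collections import defaultdict

MAX_FAILURES = 3  # assumed lockout threshold

# Constructed audit records: (timestamp, user, event, detail)
SAMPLE_TRAIL = [
    ("2008-09-26T09:00:01", "alice", "LOGIN_OK", ""),
    ("2008-09-26T09:00:40", "alice", "ACTION", "view_balance"),
    ("2008-09-26T09:05:10", "bob", "LOGIN_FAIL", ""),
    ("2008-09-26T09:05:14", "bob", "LOGIN_FAIL", ""),
    ("2008-09-26T09:05:19", "bob", "LOGIN_OK", ""),
    ("2008-09-26T09:05:50", "bob", "ACTION", "add_payee"),
    ("2008-09-26T09:06:02", "bob", "ACTION", "transfer"),
    ("2008-09-26T09:10:00", "carol", "LOGIN_FAIL", ""),
    ("2008-09-26T09:10:03", "carol", "LOGIN_FAIL", ""),
    ("2008-09-26T09:10:07", "carol", "LOGIN_FAIL", ""),
    ("2008-09-26T09:10:30", "carol", "LOGIN_OK", ""),  # accepted despite lockout
]

def review(trail, max_failures=MAX_FAILURES):
    """Return (timestamp, user, finding) tuples in trail order."""
    failures = defaultdict(int)  # consecutive failed attempts per user
    locked = set()               # users who reached the lockout threshold
    watch = set()                # users whose current session began suspiciously
    findings = []
    for ts, user, event, detail in trail:
        if event == "LOGIN_FAIL":
            failures[user] += 1
            if failures[user] >= max_failures and user not in locked:
                locked.add(user)
                findings.append((ts, user, "LOCKED_OUT"))
        elif event == "LOGIN_OK":
            watch.discard(user)  # a new session resets the watch state
            if user in locked:
                watch.add(user)
                findings.append((ts, user, "LOGIN_WHILE_LOCKED"))
            elif failures[user]:
                watch.add(user)
                findings.append((ts, user, f"SUCCESS_AFTER_{failures[user]}_FAILURES"))
            failures[user] = 0
        elif event == "ACTION" and user in watch:
            # Record what happened after a suspect login, as the text requires.
            findings.append((ts, user, f"ACTION_AFTER_SUSPECT_LOGIN:{detail}"))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_TRAIL):
        print(*finding)
```
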

To date, there have not been many prosecutions under the Act. One technical ruling has said that access didn’t necessarily have to be unauthorized to be covered by the Act. This clarified the position where someone who was authorized to access a computer could be prosecuted if he/she used that access to commit an offence.

In another case, a printer who was owed £2,275 by a company installed a pirate program which added a password to deny the company access to its own computer. The action cost the company £36,500 and it subsequently went out of business.

Other prosecutions have concentrated on the offence of unauthorized modification, which is still a matter of debate, but a prosecution involving a major attempted theft has not yet occurred. The Act does not clarify the responsibilities and liabilities between the bank and the corporate customer, which reinforces the reason for the detailed documentation on electronic banking.
