Virus attacks pose an imminent danger to on-line financial services. They can cause downtime in on-line operations, loss of customers' data and, more importantly, loss of the providers' goodwill and business. They may also generate legal liability for financial services providers, stock brokers and financial institutions alike. Malicious viruses such as Kournikova, Melissa and I Love You are real threats to on-line trading businesses. Such viruses can tie up computer networks and crash e-mail servers, causing business downtime and hence huge losses. On-line merchants are potentially liable for losses suffered by consumers or business visitors to their web sites. That is why, in recent years, security and legal liability have become major areas of concern to system administrators and business managers. Cyberinsurance can also serve as a way to mitigate the risk among on-line merchants. However, cyberinsurance is far from being a mature product in the cyberspace world. Marsh Inc., a leading cyberinsurer for e-business insurance, has given a rather comprehensive list of the risks of e-business. Damage, theft and loss of service remain the leading items of concern for e-business participants.
A few years ago, young people in Hong Kong began to be attracted by online games. Many games are fighting or war programs offering virtual weapons which can be purchased by players. The weapons have a monetary value. The higher the level a player attains in the game with a virtual weapon, the more that weapon is worth.
Beginning in 2003, there has been an increasing number of complaints regarding virtual weapons being stolen from online game players' accounts. According to police reports, some complaints refer to online gaming accounts being misused, thus accumulating large sums on the victims' monthly bills. From the police's enquiries, there are several ways in which the culprits could have stolen the virtual weapons or misused the accounts. These methods may in fact be criminal in nature and the culprits may therefore be subject to criminal prosecution:-
Sometime in 2004, the Hong Kong Police managed to get hold of a Nigerian who had succeeded in cheating a lawyer employed at a leading Hong Kong law firm. The scam is widely known as the “Nigerian Scam”. The police commented that it was hardly believable that someone could have been cheated in that way.
The power of the Internet has made it all too easy for these scams to flourish. The perpetrators can send thousands of emails without cost and then wait for someone to respond. Sometimes, you may even receive the same messages at the different email accounts you use.
Those looking for big business or easy big money (often falsely claimed to be millions of US dollars) are often tempted by these scams. The scam messages make it sound as though you can get big money easily. If you are tempted to take part, you will inevitably lose money.
These scams often reach your business email box unsolicited and pretend to be highly confidential and private. They are typically known as the “Nigerian Scam” or “Lotto Scams”. The tactics are the same although the “stories” may be different.
The “Westpac Bank Scam” is extremely dangerous because it extracts your e-banking details by posing as the valid Westpac Internet Banking site. Recently, perpetrators have begun the same scam with the St George Bank. In Hong Kong, quite a number of fake bank sites were discovered by the Hong Kong Monetary Authority. All pretended to be sites of banks licensed to practise in Hong Kong.
The Lotto Scam
The Lotto Scam sends you an email announcing that you are the lucky winner of a lottery prize, which could exceed 1 million US dollars, even though you have never participated. The senders claim to be lawful lottery companies; these claims, and the emails themselves, are false.
The following are instances of emails pretending to come from lottery companies:
If you respond, an application form will be sent to you to fill in. The blanks will seek information about your bank account or ask you to pay a sizable sum of money to cover security, insurance, or administration costs. Once they have obtained your information and your money, you will no longer hear from them.
This is a Court of Appeal judgment.
On 16 February 2001, the Applicant pleaded guilty in the District Court to:-
On 19 February 2001, Deputy Judge Ma sentenced the Applicant to concurrent terms of twelve months for each offence of criminal intimidation (charges 5 and 6) and four months on each of the criminal damage charges (charges 1 to 4, 8, 10, 12 and 14).
The Applicant sought leave to appeal against sentence on two grounds, complaining that the sentence was manifestly excessive on the two counts of criminal intimidation.
The Applicant's criminal acts involved two victims, both female (X and Y). They were undergraduates at the Hong Kong University where they shared the same dormitory. Each of them had an e-mail account with the university computer system.
The offences were committed between September 1998 and May 1999. On a number of occasions between those dates, the Applicant hacked into X and Y's e-mail accounts at the University. In X's case, some of the data stored in her computer was transferred to the Applicant's computer, including a photograph of herself. In Y's case, the Applicant was able to interfere with the operation of her computer's mouse. In both their cases, data was altered by the Applicant's infiltration of their computers. Their e-mail accounts were overloaded to the point that they became inoperative as a direct result of the number of e-mails the Applicant had sent to them. These e-mails included highly obscene articles and pictures and other sexually explicit material.
Amongst the e-mails sent by the Applicant to X and Y was a message which read:
"Don't you believe that I will go to your hall to rape you."
X and Y were very frightened by this.
The offences contrary to sections 60(1) and 24 of the Ordinance with which the Applicant was charged carry maximum sentences of ten years and five years' imprisonment respectively although, in the circumstances of this case, it was the two offences in the latter category, i.e. the intimidation offences, which were by far the more serious.
The judge, in passing sentence, equated the offences committed by the Applicant with offences brought under section 161 of the Crimes Ordinance. It goes without saying that none of the offences in this case was brought under that section of the Ordinance which provides for a maximum sentence of five years' imprisonment for accessing a computer with criminal or dishonest intent. It is in this context that, in his first ground of appeal, Mr Philip Wong, on behalf of the Applicant, contended that the judge erred in principle in drawing support from HKSAR v Tam Hei-lun  3 HKC 745, for his view that the offences committed by the Applicant should be dealt with by imprisonment unless there were most unusual circumstances making a custodial sentence inappropriate. Tam Hei-lun was concerned with offences brought under section 161 of the Ordinance. This error, he submitted, was compounded by a failure to consider a basic principle of sentencing that a defendant who has pleaded guilty should only be sentenced on the plea he has entered and on the basis which the prosecution has accepted (See: R v Booker  4 Cr. App R (S) 53.)
The acts of criminal intimidation, by accessing X and Y's computers, were a serious invasion of their privacy and the consequences of such acts were likely to be not only extremely upsetting but also very alarming to both of them. We find ourselves in full agreement with the sentencing judge's sentiments that a deterrent sentence for this kind of conduct was called for.
The lower sentences for the criminal damage charges, although there is no appeal in relation to them, were a reflection by the judge of the short-term nature of the damage done to the computers. The gravamen of the offences lay in the criminal intimidation charges.
The application was dismissed.
Coram: Hon Stuart-Moore VP and Stock JA
Date of Hearing: 20 June 2001
Date of Judgment: 20 June 2001
This is a Court of Appeal decision.
The prosecution arose out of an earlier conspiracy in which customs officers had arranged for illegal immigrants to enter Hong Kong from China for transit abroad. These two applicants were charged with other offences related to that original conspiracy.
On 11 November 1994 after trial Judge Eccleton in the District Court convicted the 1st applicant (Hung) of one offence of obtaining access to a computer with a view to dishonest gain contrary to s. 161 of the Crimes Ordinance, Cap. 200.
The trial judge convicted Hung on his interpretation of s.161 of the Crimes Ordinance in the following terms:
"However Section 161 of the Crimes Ordinance specifically extends the meaning of "gain" beyond that of monetary terms.
When sensitive or classified information is given to an unauthorised person whether money changes hands or not and regardless of the use to which that person intends to put such information there has been a dishonest gain in that the otherwise unobtainable information or knowledge has been gained by that unauthorised person."
Hung appealed to the Court of Appeal.
Facts of Hung's Case
The facts of Hung's offence were that on 14 May 1993 he obtained access to the Immigration Dept computer containing the Travel Record and Immigration Control Enforcement system to discover whether certain people were on the watch list.
The indictment alleged that he obtained access to the computer with a view to dishonest gain for himself and/or another. The prosecution case was that Hung obtained access at the request of Lee Kang Sun, a senior customs officer who was the main participant in the original conspiracy, and that the access was with the view to dishonest gain because Hung performed the service in the expectation that he would be paid for it.
The relevant part of s.161 of the Crimes Ordinance, Cap. 200 provides:
"(1) Any person who obtains access to a computer -
(c) with a view to dishonest gain for himself or another;
.... commits an offence and is liable to conviction upon indictment to imprisonment for 5 years.
(2) For the purposes of subsection (1) "gain" and "loss" are to be construed as extending not only to gain or loss in money or other property, but as extending to any such gain or loss whether temporary or permanent, and -
(a) "gain" includes a gain by keeping what one has, as well as a gain by getting what one has not; and
(b) "loss" includes a loss by not getting what one might get, as well as a loss by parting with what one has".
Held by the Court of Appeal, Mortimer JA (giving the judgment of the Court):
The act is complete once access is obtained. It is then for the prosecution to prove that the person had the requisite intent - in this case a view to dishonest gain for himself or another. Once the judge had decided that the applicant obtained the access to the computer in this case as an act of friendship, that he was unaware of the underlying illegal purpose, and that he was not expecting any monetary payment or other reward, evidence relevant to proof that any gain was dishonest called for very careful consideration.
Assuming that obtaining information may be sufficient gain within the meaning of the section the judge decided that as the access to the computer was unauthorised, it was therefore dishonest - without further examination of his other findings apparently inconsistent with dishonesty. This finding we cannot accept. Looking at the judge's reasons in the round, it was not open to him to find that the access to the computer was shown by the prosecution to be with a view to dishonest gain.
The Court of Appeal allowed the appeal and quashed the conviction.
Coram: Litton, V.-P., Mortimer and Ching, JJ.A.
Date of Judgment: 4 August 1995; 8 September 1995
A virus is a computer program: the result of someone developing a mischievous program that is self-replicating. A computer program is digitized information that is easily transmissible on the Internet. A virus can therefore likewise be transmitted on the Internet easily, unbounded by territory. Because it is self-replicating, computers can be infected on a large scale and in a very short period of time.
Hong Kong does not have specific legislation on hacking. People sending viruses can be subject to the criminal charge of criminal damage. The offence reads as follows:-
Destroying or damaging property
A person who without lawful excuse destroys or damages any property belonging to another intending to destroy or damage any such property or being reckless as to whether any such property would be destroyed or damaged shall be guilty of an offence.
(2) A person who without lawful excuse destroys or damages any property, whether belonging to himself or another:
(a) intending to destroy or damage any property or being reckless as to whether any property would be destroyed or damaged; and
(b) intending by the destruction or damage to endanger the life of another or being reckless as to whether the life of another would be thereby endangered,
shall be guilty of an offence.
Threats to destroy or damage property
A person who without lawful excuse makes to another a threat, intending that that other would fear it would be carried out:
(a) to destroy or damage any property belonging to that other or a third person; or
(b) to destroy or damage his own property in a way which he knows is likely to endanger the life of that other or a third person,
shall be guilty of an offence.
Before its amendment, 'property' did not include a computer program and 'damage' could only be done to physical objects. Section 59 of the Crimes Ordinance now covers these situations:
(a) to cause a computer to function other than as it has been established to function by or on behalf of its owner, notwithstanding that the misuse may not impair the operation of the computer or a program held in the computer or the reliability of data held in the computer;
(b) to alter or erase any program or data held in a computer or in a computer storage medium;
(c) to add any program or data to the contents of a computer or of a computer storage medium,
and any act which contributes towards causing the misuse of a kind referred to in paragraph (a), (b) or (c) shall be regarded as causing it.
The HKSAR Government's website at http://www.itsd.gov.hk was hacked twice, on 10 and 11 June 2000. The hacker successfully posted the insulting short messages “Own3d by the crows” and “hacked by o analista” on the web page on 10 June, and “Hacked by The Crows –Owned by id3nt FXXK Government!! Hacking for Justice” was shown on the page on 11 June. As a result, the website was forced to suspend service. Fortunately, the hacked website was a standalone website, and the incident did not affect the websites of other government departments.
This was the first reported incident in which an HKSAR Government website was successfully hacked. If the hacker could be arrested, he could be prosecuted for criminal damage (misuse of computer). However, the culprit was not traceable and the incident did not result in any arrest or prosecution.
Scammers forged a bank's identity and sent emails on a massive scale (i.e. spamming). This is called 'branded fake'. Quite often, the e-mail addresses were randomly generated and then by chance ‘hit’ the bank's customers. UK customers of MBNA had that experience in February 2004, which was widely reported in the news.
The fake emails came with a variety of subject lines such as "MBNA's OfficiaI Notice," "Attention all MBNA users" and "0fficial Notice for all users of MBNA." The message falsely claimed that the “bank” was putting in a new security system to "help you avoid frequently fraud transactions and to keep your investments in safety".
Customers logging in to the fake page have their personal bank information or identity stolen and relayed directly to the crooks, who adopted spamming as a cheating tool.
Very often, the link in the email leads the customer to a site bearing a ‘look and feel’ (colour, layout and even fonts) highly similar to the true site; in any event, the site will have a professional look so as not to arouse the customer's suspicion.
To avoid such kind of fraud, customers are advised to note the following:
1. Ensure that the emails truly come from the bank.
2. Don’t click on any links provided in the emails without thinking.
3. Before deciding to take any action, including clicking on the link, visit the true site first.
4. If you have doubts or are not sure, telephone the bank's customer hotline and enquire. Make sure that the telephone number is that of the true bank.
5. If you have accidentally clicked on the link, compare the domain name of the site with that of the true site.
6. Report to the bank if you suspect there is a fraud or attempted fraud or you have been cheated.
7. Informing the bank IMMEDIATELY on being cheated is VERY IMPORTANT. This will enable the bank to take immediate steps to stop the crook from dealing with your bank account.
In the past few years, many banks in the UK and US as well as in Hong Kong have been hit by phishing scams. In Hong Kong, fraudsters were found attempting to cheat banks’ customers by releasing fake web sites using domain names highly similar to those of the true banks. A few examples of the banks targeted are HSBC, DBS and Bank of East Asia.
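As an added example (not part of the original page), the following sketch automates advice item 5, comparing a link's domain name with the true site's, and flags the "highly similar" domain names described above. The domain `examplebank.example`, the function names and the similarity rules (digit-for-letter folding as seen in the "0fficial" subject line, and one-character edits) are assumptions chosen for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed placeholder domain, not a real bank's. A real deployment would
# list the domains the bank itself publishes.
TRUSTED_DOMAINS = {"examplebank.example"}

# Digits commonly substituted for letters (the "0fficial" style of spelling).
_DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(label: str) -> str:
    """Fold a name so that common lookalike spellings collide."""
    return label.lower().translate(_DIGIT_SWAPS).replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def host_of(url: str) -> Optional[str]:
    """Return the hostname a browser would contact, or None if unparseable."""
    if "//" not in url:
        url = "//" + url  # bare "host/path" as it may appear in an email body
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a link as 'trusted', 'lookalike', 'unknown' or 'unparseable'."""
    host = host_of(url)
    if host is None:
        return "unparseable"

    # Exact match, or a true subdomain of a trusted domain.
    for dom in trusted:
        if host == dom or host.endswith("." + dom):
            return "trusted"

    # Not trusted: does any label imitate a trusted brand name?
    # Assumption: the brand is the first label of the trusted domain.
    for dom in trusted:
        brand = skeleton(dom.split(".")[0])
        for label in host.split("."):
            folded = skeleton(label)
            # One-edit matching is noisy for very short brands; tune per brand.
            if brand in folded or edit_distance(brand, folded) <= 1:
                return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links.
    for link in ("https://www.examplebank.example/login",
                 "http://examp1ebank.example/login",
                 "http://examplebank-secure.test/",
                 "examplebonk.example/verify",
                 "https://weather.test/"):
        print(f"{classify_link(link):11s} {link}")
```

A "lookalike" result is a reason to stop and use the bank's published address or hotline, as items 3 and 4 advise; an "unknown" result only means the name does not resemble a listed bank.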
In December 2003, NatWest of UK temporarily suspended its internet banking facility after some of its customers were sent fraudulent e-mails asking them to divulge their account details.
In October 2003, Nationwide and NatWest in UK were targeted by a similar hoax as was the Halifax, while in September fraudsters tried to trick customers of Lloyds TSB and Barclays.
On 7 December 2001 in the UK, a five-strong Net fraud gang was sentenced to a total of just under eight and a half years for conspiring to defraud online banks.
The four men and one woman made bogus multiple credit card applications with Egg, Cahoot, Smile, Marbles, MBNA, and SonyCard.
The gang, hailing from Buckinghamshire and Northamptonshire, were arrested by officers from the National Crime Squad in August 2000 after a six-month operation.
This is a Court of Final Appeal decision.
The appellant was charged with obtaining access to a computer, namely, the Inland Revenue Department's (IRD) computer system, with a view to dishonest gain for himself or another, contrary to s.161(1)(c) of the Crimes Ordinance, Cap 200. He was acquitted after trial before a magistrate, Ms J M Livesey. Section 161(1)(c) of the Crimes Ordinance with which the appellant was charged provides:
"(1) Any person who obtains access to a computer -
(c) with a view to dishonest gain for himself or another;
whether on the same occasion as he obtains such access or on any future occasion, commits an offence ..."
Upon an application by the prosecution pursuant to s.105 of the Magistrates Ordinance, Cap 227, the magistrate stated a case for the opinion of a judge of the Court of First Instance. Beeson J, having heard submissions from the parties, ordered the case to be remitted to the magistrate with a direction that she convict the appellant and pass sentence accordingly.
As directed by the judge, the magistrate subsequently convicted the appellant and fined him $1,000. The appellant appeals to this Court on the ground of substantial and grave injustice.
The facts are not in dispute. Since the end of 1996, the appellant has been employed as an Assistant Assessor of the IRD. As required for the discharge of his duties, he made an Affirmation of Secrecy under s.4(2) of the Inland Revenue Ordinance, Cap 112, stating, among other things, that he would at all times preserve and aid in preserving secrecy with respect to all matters that may come to his knowledge in the performance of his duties under that Ordinance.
For the purpose of gaining access to the IRD's computer system, the appellant was assigned a user identity and a password which he used in the performance of his duties. All staff of the IRD, including the appellant, received regular reminders of the importance of observing the official secrecy provisions.
On 11 July 2000, using his user identity and password, the appellant gained access to the IRD computer system and obtained the identity card number and address of the complainant who was one of his colleagues and whose record as a taxpayer was kept in that system. He had no business in handling the complainant's tax matters and he obtained such information without the authority of the IRD or the complainant's consent.
The appellant then made use of such information in applying for membership of the World Wide Fund for Nature Hong Kong on behalf of the complainant. In the application form, he also included his own name and credit card number to enable payment of the entrance fee and he signed to authorize payment through his credit card. The complainant had not requested the appellant to make the application on her behalf.
It is accepted that there was an unauthorised access by the appellant to IRD's computer system. It is further accepted (although the appellant argued to the contrary in the courts below) that he had obtained a gain within the meaning of s.161(2) from the system by extracting the relevant information relating to the complainant. The remaining issue is whether there was dishonesty on the part of the appellant. It is common ground that this issue is to be determined by the application of the Ghosh test to the facts.
Evidence of Dishonesty: Any ordinary reasonable person would be aware that members of the public, particularly taxpayers, expect that their personal information kept by the IRD is protected and not released without their permission. Any public officer would be aware of the need and importance of maintaining such confidentiality. It was precisely for this purpose that the appellant was provided with a user identity and password for gaining access to the computer and was required to and did make an Affirmation of Secrecy under s.4(2) of the Inland Revenue Ordinance. IRD staff including the appellant were reminded of the importance of this obligation by the IRD's regular circulars. The appellant must have known that his access to the computer was unauthorized and that the IRD would not have given approval. He must be aware that this would be a breach of the trust which the IRD had placed in him as an employee and which the public had placed in him as a public officer. He must be aware that this would seriously affect the integrity of the IRD computer system and was an abuse of his position.
On the other hand, it is not disputed that the appellant did not intend to obtain and had not obtained any personal financial gain. On the contrary, he paid the entrance fee to join the WWF and he did what he did for purely personal or benevolent reasons. What is more significant is that in the application form for membership, he had put down his own name and credit card number. It is thus clear that he never intended to conceal his own identity or involvement in it. He did not try to cover his tracks. Indeed it might well be that he wanted the complainant (and possibly other people as well) to know that it was he who had done it. This is a conduct which could reasonably be regarded as inconsistent with dishonesty.
In the present case, it cannot, in my view, be said that the only reasonable conclusion which could have been open to a tribunal of fact was that the appellant was dishonest. It cannot be said that the magistrate's verdict is perverse.
There has been a departure from the accepted norm: the judge was not entitled to intervene. The Court therefore allowed the appeal and set aside the conviction and sentence.
Court: Chief Justice Li, Mr Justice Bokhary PJ, Mr Justice Chan PJ, Mr Justice Ribeiro PJ and Mr Justice Litton NPJ
Date of Hearing: 27 October 2003
Date of Judgment: 6 November 2003
This is an appeal (against conviction and sentence) from the Magistrate's Court heard by the Chief Judge of the High Court, Hon. Patrick Chan.
The appellant was convicted after trial of obtaining access to a computer with a view to dishonest gain for himself, contrary to section 161(1)(c) of the Crimes Ordinance, Cap.200. He was sentenced to 6 months imprisonment. He now appeals against both conviction and sentence.
In April 1998, the appellant was employed as a technical assistant by Dr Ooi who was a radiologist of the University of Hong Kong attached to the Radiology Department of the Queen Mary Hospital. The appellant's duties included making literature searches, arranging appointments for patients, liaising with other research assistants in the Hospital, and generally helping Dr Ooi in her research.
The Hospital's computer system had a Radiology Information System ("RIS") which contained some patients' medical records. In her research, Dr Ooi had access to the RIS. To prevent unauthorised access to these medical records, there was a security system in the computer. Access could only be gained to the RIS by the use of a password. Such password would be changed every now and then. Since the appellant was helping Dr Ooi, he too was given the password. But this was given only for the purpose of and to facilitate the discharge of his duties.
At 8:30 am on 2 April 1998, the Secretary for Justice was admitted to the Queen Mary Hospital for urgent treatment. Dr Chu who attended to her decided that computerised X-ray tomographic scanning ("CT scan") was required for diagnosis. The Secretary for Justice was then sent to the Radiology Department at about noon for scanning. A report was then prepared by the Consultant Radiologist. Some time in the morning, during a conversation, Dr Ooi disclosed to the appellant that it was a very famous lady who required the CT scan. The appellant guessed that it might be the Secretary for Justice. Dr Ooi then indicated that this was confidential.
Between 3:30 pm and 6:00 pm, Dr Chu operated on the Secretary for Justice. The report of the CT scan had been input into the RIS.
At about the same time in the afternoon, the appellant made use of the password given to him by Dr Ooi and entered the RIS. He printed out a copy of the CT scan report. He took it home and showed it to his wife. After that, he threw it away.
On that day, the Government issued a Note to Editors of the local news media stating that the Secretary for Justice was admitted to hospital "for observation due to enterogastric disorder". This was reported on television in that evening and in the Ming Pao and Apple Daily newspapers on the following morning, 3 April.
Some time on 3 April, the appellant again entered the RIS using the password and printed out another copy of the CT scan report. He took the copy to see two of his friends, a Mr Cheung and a Mr Ho who were research assistants in another department and showed it to them. In the afternoon, the appellant faxed the copy report to the Ming Pao and Apple Daily. On the following day, the Ming Pao and the Apple Daily published a story about it with a copy of the CT scan report.
Investigations started in the Hospital concerning this leak in the days that followed. The appellant was arrested on 9 April after it was traced to Dr Ooi's password. Under caution, the appellant admitted in two video-recorded interviews that he had accessed the RIS on 2 and 3 April and obtained copies of the CT scan report and that he had anonymously faxed a copy to two newspapers on 3 April. He also said that the reason for his doing so was because he thought the public had the right to know the truth. During the interviews, he further said that he "began to regret because (he) felt that (he) shouldn't do what (he) had done" and that he hoped the Secretary for Justice would forgive his foolish behaviour.
The offence with which the appellant was charged and of which he was convicted is s.161(1)(c) of the Crimes Ordinance.
The gravamen of the offence with which the appellant was charged was his obtaining access to the Hospital's computer with a specific view in mind. The actus reus of the offence was the access to the Hospital's RIS and this admittedly took place on 3 April while he was in the Hospital. The prosecution did not rely on his making a printout from the computer or his transmission of a copy by fax to the newspapers. These of course came after his access to the computer and at a later stage. The printout and the fax were only evidence which might cast light on his state of mind at the time of his access to the computer. There was evidence (and this came on his own admission) that at the time of his access into the computer on 3 April, he had decided to print out a copy and to leak it to the press. That was the purpose of his access on the second occasion. He had in fact committed the actus reus of the offence by obtaining access to the computer on the previous day. But it could be argued that on that previous occasion, he was doing it out of curiosity and without a view to dishonest gain to himself.
The situation on 3 April is quite different. On this later occasion, he gained access to the computer for a specific purpose: to obtain information in the form of a printout of the CT scan report for the purpose of sending it to the newspapers. The question is whether that was with a view to dishonest gain. If it is, then it falls within s.161(1)(c). The fact that he did it because he thought "the public have the right to know the truth" or he wanted to reveal the Government's "lies" is merely his motive. For the purpose of a s.161 offence, there is not, or should not be, any difference between gaining access without authority and gaining access in excess of authority. The section makes no distinction between the two.
The Court was satisfied that any ordinary and reasonable person would have considered such conduct as not only discreditable, dishonourable or inappropriate, but also dishonest and reprehensible. It is not only conduct which people would dislike or detest but conduct which they would regard as wrong and totally unacceptable.
In the circumstances of the case, it is not difficult to draw the inference, which is the only reasonable inference, that the appellant knew and must have realised that it was dishonest conduct to have access into the computer, print out a copy and leak it to the press.
For these reasons, I take the view that the learned magistrate had come to the right conclusion. There was access into the computer by the appellant. He did it in excess of his authority. At the time he did so, he intended to obtain the confidential information in the computer for the purpose of and with a view to printing out a copy and leaking it to the press. That is a gain within the definition in section 161. It was dishonest conduct and he knew it was dishonest. There is no merit in the appeal against conviction and it must be dismissed.
Sentence: Community Service Order substituted for 6 months' imprisonment
The appeal against sentence was allowed. The Court set aside the sentence of 6 months imprisonment and ordered that the appellant should serve 100 hours of community service within the next 12 months in accordance with the directions of the probation officer.
Coram: Hon Chan, CJHC in Court
Date of Hearing: 8 January 1999
Date of Judgment: 15 January 1999