Fraud in Internet Banking: A Malaysian Legal Perspective

Article, January 2007

Source: RePEc

INTERNATIONAL CONFERENCE ON FINANCE & BANKING 2005

TITLE:- FRAUD IN INTERNET BANKING:- A MALAYSIAN LEGAL PERSPECTIVE

AUTHORS:- Gita Radhakrishna and Prof. Leo Desmond Pointon


Multimedia University, (Melaka campus) Jalan Ayer Keroh Lama, 75450 Melaka

Citation: Gita Radhakrishna and Leo Desmond Pointon, Fraud In Internet Banking:- A Malaysian Legal Perspective, Advances in Research in Business & Finance: Banking & Insurance, p 61, Vol. III, 2005

1.1 Introduction

Internet banking made its advent in Malaysia in June 2000 with the Central Bank, Bank

Negara Malaysia's (BNM) Minimum Guidelines on the Provision of Internet Banking

Services by Licensed Banking Institutions (MGIB). BNM defines internet banking as

banking products and services offered by banking institutions on the internet through

access devices, including personal computers and other intelligent devices. This paper

looks at the legal issues specific to internet banking, focussing on the incidence of fraud

and its prosecution. The research objective is to investigate three questions in relation to

Malaysia. Firstly, the incidence of fraud in internet banking, secondly, the adequacy of

the relevant regulations and statutes, and thirdly, the problems in adducing electronic

evidence in the prosecution of such financial crimes in Malaysia.

BNM, as the financial authority in the country, vets every application for a license to

operate a banking business and forwards its recommendations to the Minister of Finance

who then acts upon such advice. Internet banking services in Malaysia are provided by

the traditional bricks and mortar banks which have added this service as an additional

delivery channel to their existing range of services. The purely virtual or internet only

banks have not as yet made their appearance on the Malaysian banking scene. BNM's

regulatory guidelines adhere to the recommendations of the Basel Committee on Banking

Supervision (BCBS) and the Bank for International Settlements (BIS). Currently there are

14 banking institutions providing internet banking services to 2 million subscribers which

is an increase of 15.4% from 2003. This represents a penetration rate of 7.9% to total

population and 57.4% to total internet subscribers,¹ reflecting increasing confidence in

internet banking as a convenient and safe delivery channel to access banking services.

1.2 Risks in Internet Banking

The main concerns in internet banking have been identified as strategic risk, transactional

risk, compliance risk, reputational risk and traditional banking risks. All the major

operational areas in banking represent a good opportunity for fraudsters, which in internet

banking is particularly manifold. Firstly, there is the traditional risk of fraud being

committed by a bank's own employees. Secondly, banks are not able to take sole

responsibility for the provision of their services. They are of necessity dependent on third

party service providers for the provision and maintenance of technical support. This

means an increased risk of intrusion along the various links in the chain. Thirdly,

technology and the borderless nature of the internet have enabled breaking into a bank

through the use of remote computers located anywhere in the world. Fourthly, technology

has again enabled fraudsters to access bank accounts through consumers themselves

through the method of phishing or identity theft which is the offence selected for study

¹ Bank Negara Malaysia Annual Report (2004), p 222.
Available online:- http://www.bnm.gov.my/files/publication/ar/en/2004/cp10.pdf ; Visited on 3.10.2005

herein. The guidelines introduced have been specifically designed to counter these risks.

The repercussions of phishing have transcended the simple theft of credit and debit card

account numbers to facilitate the thief's shopping spree, to drug trafficking, money

laundering and terrorist financing. Phishing is today the primary threat to internet

banking! Transactions are incredibly mobile and afford anonymity, leaving a challenging

transnational audit trail. As such, international co-operation and mandatory reporting of

suspicious transactions have been enforced. In addition, in 2004 an industry-based

Internet Banking Task Force was established by BNM to develop industry-wide best

practices and collaborate with relevant agencies to handle security infringement

incidents.²

1.3 What is the Incidence of Fraud in Internet Banking Transactions in Malaysia?

In order to determine this, data was collected through a series of questionnaires and

personal interviews with personnel from the Corporate Communications Department of

BNM, the Technology Crimes section of the Commercial Crimes Department of The

Royal Malaysian Police (RMP) and the Commercial Crimes Division of the Attorney

General's Chambers (AG). Table 1³ below shows general statistics on the type and

volume of commercial crimes for the period 1997 to 2004, compiled by the Commercial

Crimes Division, RMP. Some of those charged may plead guilty and be sentenced

forthwith, whilst others may be referred to the Attorney General's Office for assessment

² Supra n 1
³ Statistics from Polis Di-Raja Malaysia, Available online:- www.rmp.gov.my/statistics.
Statistics from the Attorney General's Chambers derived from a Questionnaire submitted on 28th
September 2004

of the probative value of the evidence, amendment or withdrawal of charges, plea

bargaining and prosecution. This accounts for the marked variance in the statistics

compiled by the AG's Chambers on the number of cases actually prosecuted. Compilation

of statistics on cyber crimes began in 2000 with the establishment of a technology

division within the Commercial Crimes Department of the Police and the enactment of

certain cyber legislation such as the Digital Signatures Act 1997 (DSA), Computer

Crimes Act 1997 (CCA), Communication and Multimedia Act 1998 (CMA).

Table 1:- Commercial Crimes Statistics 1997 - 2004

OFFENCE 1997 1998 1999 2000 2001 2002 2003* 2004


CRIMINAL BREACH OF TRUST 1876 2517 2192 2000 2017 1877 1109
[28] [25] [46] [34] [41]
CHEATING 3917 4778 4197 4212 3910 3886 2728
[37] [42] [75] [72] [80]
FORGERY 443 541 381 282 218 245 189
COUNTERFEIT MONEY 115 139 152 90 55 62 48
CREDIT CARD 47 104 72 173 224 149 191
CYBER CRIMES 348 1428 1508 337
HACKING 2
COPYRIGHT ACT 227 439 217 93
FILM CENSORSHIP ACT 415 977 1629 1947
OTHER GOVT.AGENCIES 365 435 889 567
MISC.COMM. CRIMES 739 2301 2552 1819 875 395 278
TOTAL:- 7137 10380 9546 9931 10578 10857 7931

KEY :- Figures without brackets indicate statistics from the Polis Di-Raja Malaysia
* indicates statistics from the Polis Di-Raja Malaysia are only up to August 2003
[ ] Figures in brackets indicate prosecutions by the Attorney General's Chambers

The range of crimes covered under the term "cyber crimes"⁴ is rather wide. Cybercrime

is commonly referred to as a criminal activity related to technology and computers

committed on the internet. The offences cover hacking, virus writing, fraudulent

withdrawals of cash using fake Automated Teller Machines (ATM) cards, online credit

card fraud as well as offences such as defamation, false allegations and discrediting

another via the internet, use of counterfeit access devices installed at ATM machines,

credit card point of sale terminals and phishing or identity theft.

Statistical data relating to individual offences are not available. However, offences under

s.4 CCA 1997 and s. 232 and 233 CMA 1998 have been steadily increasing. The incidents

relate basically to illegal withdrawals of cash at ATMs as well as wire tapping into the

distribution points to intercept data being transmitted from credit cards, e.g. from service

providers at telephone terminals or point of sale terminals, by attaching a small device with

the help of an employee who becomes an accomplice.

Table 2 relates to fraudulent fund transfers committed specifically through the medium of

internet banking transactions.⁵ For example, it would be easy for a bank employee or a criminal

who infiltrates the bank's client accounts to program the computer to round off each

customer's account down to the nearest 5 sen and transfer a minimum of 1 sen in each such

calculation to his own account. That in itself would amount to a tidy daily income.
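
The rounding scheme sketched above leaves a recognisable trace in the posting journal: many debits of 1 to 4 sen, each equal to the source account's rounding remainder, converging on one destination. The following Python reconciliation is an added example, not part of the original paper; the account identifiers, the bank-owned rounding account `GL-ROUNDING` and all figures are constructed assumptions.

```python
# Added example (not from the paper): reconcile a posting run against the
# rounding remainders to spot the 5-sen skimming pattern described above.
# Account ids, the sanctioned rounding account and all figures are constructed.
from collections import defaultdict

ROUND_TO_SEN = 5                    # balances are rounded down to the nearest 5 sen
SANCTIONED_DESTS = {"GL-ROUNDING"}  # hypothetical bank-owned rounding account


def remainder_sen(balance_sen: int) -> int:
    """Sen left over when a balance is rounded down to the nearest 5 sen."""
    return balance_sen % ROUND_TO_SEN


def find_skimming(balances_before: dict, journal: list, min_sources: int = 3) -> dict:
    """Map each suspect destination to (distinct source accounts, total sen)."""
    hits = defaultdict(lambda: {"sources": set(), "total": 0})
    for src, dst, amount_sen in journal:
        if dst in SANCTIONED_DESTS or src not in balances_before:
            continue
        # A debit of 1-4 sen that equals exactly the source's rounding remainder.
        expected = remainder_sen(balances_before[src])
        if 0 < amount_sen < ROUND_TO_SEN and amount_sen == expected:
            hits[dst]["sources"].add(src)
            hits[dst]["total"] += amount_sen
    return {
        dst: (len(h["sources"]), h["total"])
        for dst, h in hits.items()
        if len(h["sources"]) >= min_sources
    }


# Constructed sample: balances before the run, in integer sen.
SAMPLE_BALANCES = {"A1": 10003, "A2": 25501, "A3": 7894, "A4": 120000, "A5": 4502}

# Constructed journal entries: (source, destination, amount in sen).
SAMPLE_JOURNAL = [
    ("A1", "X9", 3),           # remainder of A1 diverted
    ("A2", "X9", 1),           # remainder of A2 diverted
    ("A3", "X9", 4),           # remainder of A3 diverted
    ("A5", "GL-ROUNDING", 2),  # remainder posted to the sanctioned account
    ("A4", "B7", 50000),       # ordinary customer transfer
    ("A1", "B7", 2),           # small transfer that is not the remainder
]

if __name__ == "__main__":
    for dst, (sources, total) in find_skimming(SAMPLE_BALANCES, SAMPLE_JOURNAL).items():
        print(f"{dst}: {total} sen collected from {sources} accounts")
```
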

⁴ The Star:- Thursday October 21st 2004 p 2
⁵ Ibid. As the cases are still under investigation the matter is sub judice and therefore material facts are not
available for discussion.

Table 2:- (Polis Di-Raja Malaysia)

CASES ON INTERNET BANKING AS OF JUNE 2004

YEAR   OFFENCE                       No. OF CASES   RESULT OF INVESTIGATION
2003   s.4 CCA unauthorized access   1              Completed tracing suspect
2004   s.4 CCA                       2              Under investigation

As can be seen this medium of white collar crime is still in its infancy and the tracing of

suspects, investigation of crimes and the collection of evidence is a time consuming

process compounded by the lack of manpower. The modus operandi is normally through

spam e-mail. It is the practice of sending unsolicited e-mail, usually of a commercial nature

in large numbers and repeatedly to individuals with whom the vendor has no previous

contact and whose e-mail address may be found in a public place on the internet such as

newspapers, mailing lists, directories and/or web sites.⁶ Table 3 below provides spam

statistics compiled up to August 2005.

Table 3:- SPAM STATISTICS FOR 2005⁷

JAN    FEB    MARCH  APRIL  MAY    JUNE   JULY   AUG
1172   1385   1126   1183   135    82     107    91

National ICT Security and Emergency Response Centre (NISER) reports that the spam

incidents show a 62% decrease in the second quarter mainly attributable to more local

Internet Service Providers (ISP) installing anti-spam filters in their e-mail gateways leading

to a corresponding drop in intrusion incidents. The main objective in spam is phishing. In

⁶ The New Straits Times Monday, 6th September 2004:- Computimes p 6
⁷ National ICT Security and Emergency Response Centre:- Incident Statistics
Available online:- http://www.niser.org.my/statistics.html ; Visited on:- 3.10.2005

this case the fraudster will normally set up a fake or spoof bank website and require the

unsuspecting account holder to fill in his account details and password on the pretext of

updating or reconstructing the website (phishing). Once the necessary particulars are

obtained, a third party, normally a drug addict or a student, is paid a nominal sum to open

an account in a bank and the money from the victim's account is then transferred to the

third party's account and withdrawn.⁸ Although much publicity has been given to the

offence of phishing, statistical records for this particular offence are not available from the

police because banks adhere to a strict statutory code of banking secrecy⁹ so as not to

undermine confidence in the banking sector. However, according to the Malaysian

Computer Emergency Response Team (MyCERT) or NISER, it had in May 2005

received complaints that four local banks had been victims of a major phishing attack.¹⁰ A

total of 92 phishing cases were reported to the NISER in 2004. The modus operandi was

phishing. A bogus e-mail phishing for internet banking usernames and passwords was

circulated. Table 4 reproduces the text of the e-mail:-¹¹

Table 4

⁸ Derived from a personal interview and questionnaire submitted to the Polis Di-Raja Malaysia, Commercial
Crimes Department, Technology Crimes section on 16th August 2004. As the cases are still under
investigation the matter is sub judice and therefore material facts are not available for discussion.
⁹ s.97 - 102 Banking and Financial Institutions Act 1989
¹⁰ Steven Patrick:- MyCERT: Less hacking, more phishing (2nd August 2005) (The Star)
MyCERT is a unit of the National ICT Security and Emergency Response Team (NISER) responsible for
tracking, logging and analyzing security incidents.
Available online:- http://www.niser.org.my/news/2005_08_02_01.html ; Visited on 24.9.2005

¹¹ Phishing e-mail targets local Internet banking users (19th May 2005) (The Star)
Also available from NISER. Available online:- http://www.niser.org.my/news/2005_08_02_01.html

Subject: Hong Leong/Bumiputra Commerce/AmBank Group/Alliance Bank

Dear Hong Leong/Bumiputra Commerce/AmBank Group/Alliance Bank Member,

This email was sent by the Bank server to verify your e-mail address.

You must complete this process by clicking on the link below and entering in the small
window your Hong Leong/Bumiputra Commerce/AmBank Group/Alliance Bank online
access details.

This is done for your protection - because some of our members no longer have access to
their email addresses and we must verify it.

To verify your e-mail address and access your account, click on the link below:

If You Have Hong Leong Bank Account:
http://www.hlb.com.my/Y83fyKAxkpo6h2fc9nij

If You Have Alliance Bank Account:
http://www.alliancebank.com.my/euDs4yqktp3iz7c290ka

If You Have Bumiputra Commerce Bank Account:
http://www.channel-e.com.my/QFW64yGxMF34526zv4

If You Have AmBank Group Account:
http://www.ambg.com.my/qxKM1RujhH7t87j06o0u4

In this case NISER traced the phishing websites to a single machine in Russia, whereupon

their Russian counterparts followed up and shut down the phishing website within 2 days.¹²

Hence the formation of the Internet Banking Task Force by BNM to monitor these

incidents and maintain confidence in the system.

¹² Supra n 10. The Report however does not mention whether fraudsters were caught and/or charged.

Apart from charges being formulated specifically under the new cyber legislation, a lot of

white collar crime, though committed using sophisticated IT technology, continues to be

framed under the Malaysian Penal Code. These are typically crimes of cheating and

criminal breach of trust as shown in Table 5 below.¹³

Table 5:- PROSECUTIONS UNDER THE PENAL CODE FOR THE YEAR 2003

     SECTION                                                          NO. OF CASES
1.   s.408 Criminal breach of trust by clerk or servant.              1
2.   s.409 Criminal breach of trust by public servant, or by
     banker, merchant or agent.                                       4
3.   s.420 Cheating and dishonestly inducing delivery of property.    1

1.4 Are the current statutory provisions and regulations in Malaysia adequate for the prosecution of such financial crimes?

The introduction of cyber laws has aroused much interest and discussion. As can be seen

from the foregoing data, it is the CCA 1997 and the CMA 1998 that are being used

together with the Penal Code itself. It is trite law that the standard of proof required in all

criminal offences is beyond reasonable doubt. To apply any other standard would be a

¹³ Laporan Tahunan Bahagian Pendakwaan 2003 ms 11 (Annual Report 2003:- Prosecution Division of the
Attorney General's Chambers, p 11)

grave misdirection incapable of being cured as affirmed by the Court of Appeal in the case

of Ishak Shaari v PP.¹⁴

1.4.1 The Computer Crimes Act 1997 (CCA 1997)

The CCA 1997, which has been modeled after the United Kingdom's Misuse of

Computer Act 1990 (UKMCA), received the Royal Assent on 18th June 1997 and came

into force on 1st June 2000. It is a short Act divided into 3 parts, with just 12 sections with

cross references to the Penal Code with respect to the terms "fraudulently" and

"dishonestly".

The CCA criminalizes:-

(i) unauthorized access to computer material [section (s) 3(1)]. The penalty is a fine not

exceeding RM 150,000/- and/or imprisonment for a term not exceeding ten years.

This penalty is said to be among the highest in the world for such offences.¹⁵

(ii) unauthorised access with intent to commit or facilitate commission of further

offence [s.4], also referred to as the ulterior motive offence.

(iii) unauthorized modification of the contents of a computer [s.5],

(iv) wrongful communication of the contents of a document enabling access to a

computer [s.6],

¹⁴ [1997] 3 CLJ SUPP 223
¹⁵ Sulaiman Azmil:- Crimes on the Electronic Frontier -- Some Thoughts on the Computer Crimes Act
1997, [1997] 3 MLJ lix

(v) inchoate offences such as abetment and attempt to commit any act that is an

offence under the CCA [s.7(1)]. This carries a penalty of a maximum fine of RM

25,000/- and/or imprisonment of up to 3 years.

Although the foregoing data shows an increase in the number of offences being charged

under the Act, the provisions have not as yet been tested in Court (even without

restricting the focus to only internet banking related cases, which are in their infancy). The

reasons for this range from, inter alia, the newness of the crime, time consuming

investigations, complexity of electronic data, lack of technical expertise and insufficient

manpower. Therefore any views on its efficacy, at this stage, would be premature and

purely speculative. It is nevertheless noted with interest that certain incidents relating

specifically to internet banking have been preferred by the police under s.4 CCA¹⁶ which

is termed as an ulterior intent offence. One wonders at this stage whether the charges will

stand the requirement of unauthorised access as phishing is not technically

unauthorized access but fraudulently inducing one to divulge confidential information.

However, as specific facts are not available (matters being sub judice) it would be

premature to attempt to comment on the same.

Incidentally, though the CCA has been modeled after the UKMCA, in the UK separate

anti-spam and identity theft legislation has been enacted to criminalize the offence of

phishing as the UKMCA was found to be inadequate for the purpose.

1.4.2 Communication and Multimedia Act 1998 (CMA 1998)

¹⁶ Refer Table 2

Although the Act received the Royal Assent on 23rd. September 1998 it only came into

force on 1st April 1999. The Act repeals the Telecommunications Act 1950 and the

Broadcasting Act 1988. Among its stated objectives is to promote a national policy on

communication and multimedia, establish a Malaysian Communication and Multimedia

Commission (MCMC), ensure information security, network reliability and integrity and

commitment to non-censorship of the internet. The jurisdiction of this Act is restricted to

networked services and activities only. The key participants in the industry who are

regulated under the Act include the following:-

(i) network facilities providers,

(ii) network services providers,

(iii) applications service providers,

(iv) content applications service providers who are a special subset of (iii) above.

It is a substantive piece of legislation covering all aspects of the communication and

multimedia industry. For the purposes of this paper s. 232 is of relevance as it covers

cases of wire tapping and network intrusions related to internet banking.

s.232. criminalises fraudulent use, possession or creation of inter alia network facilities

and network services. The penalty on conviction is a fine not exceeding RM 300,000 and/or

imprisonment for a term not exceeding three years.

1.4.3 The Penal Code (Revised 1997)

The Penal Code, the backbone of a legal system's criminal laws, continues to serve the

efforts of prosecutors and law enforcers in this new field as well. As noted earlier the

main provisions relating to most white collar crimes are equally applicable to the new

genre of technology related crimes. The relevant provisions here are sections 405 to 409

on criminal breach of trust and sections 415 to 420 on cheating.

s.405. Criminal breach of trust (also known as criminal breach of trust simpliciter)

His Lordship Chang Min Tat FJ in the case of Tan Sri Tan Hian Tsin v Public

Prosecutor¹⁷ gave a clear explanation of CBT where he said:-

"... he is guilty of the offence (criminal breach of trust) as the person who dips his hands

in the company's till on a Saturday morning for his own use, say for instance, a weekend's

flutter at the races or the casino, even though he has every intention to pay the

money and in fact does so first thing on the following Monday morning."

This section does not require the creation of a trust as under the law of trust. What is

important is the creation of a relationship whereby the legal owner of property makes it

over to another person to be retained by him until a certain contingency arises or to be

disposed of by him on the happening of a certain event. It is not necessary that the

criminal breach of trust must be committed in respect of the complainant's property.

What matters is that there is entrustment of property.¹⁸

Under s. 405, the prosecution must establish that the accused was either:

(1) entrusted with property, or

(2) entrusted with dominion over property.

¹⁷ [1979] 1 MLJ 73
¹⁸ George Mary:- Criminal Breach of Trust Under Malaysian Law : A Review [1990] 1 CLJ i (Part I) and
x (Part II)

In PP v. Yeoh Teck Chye¹⁹ the accused was a bank manager who was alleged to have

approved payment of cheques to a customer in excess of his overdraft. The accused was

held to be in breach of implied contractual terms gleaned from established banking

practice. The penalty under s.406 is imprisonment for a term between one to ten years,

whipping and a fine based on judicial discretion.

s.408. and s.409 deal with criminal breach of trust by clerk or servant and by a

public servant, banker, merchant or agent respectively. The elements to be proved in

sections 407 to 409 are the same as in s. 405. Whilst the penalty under s. 408 is the same

as that under s. 405, the penalty under s. 409 is stiffer, imprisonment for a term between

two years to twenty years, whipping, and a fine based on judicial discretion.

The case of PP v Aman Shah bin Ahmad (Unreported) KL SC (1) Arrest Case No.

62-50-90²⁰ was one of the earliest cases of using a computer to commit criminal breach

of trust. The accused was charged with 7 offences under s.408 for transferring property in

the total amount of RM 4.01 million with which he was entrusted belonging to Hock Hua

Bank to one Bistro Advertising Agency's account at Bank Bumiputra Malaysia Bhd.

belonging to him between January and March 1990 by means of a series of online

transfers.

A more recent case is that of a former general manager with BBMB Securities Sdn Bhd,

Abdul Jalil Yaakob, 48, who was on 18th December 2004 charged under s.409 (known

¹⁹ PP. v. Yeoh Teck Chye [1981] 2 MLJ 176
²⁰ Nazura Abdul Manap and Anita Abdul Rahim:- Pemasalahan Frod/Penipuan Komputer Sejauh Manakah
Penyelesaian nya? (How Remote is the Solution to Computer Fraud / Cheating?) 1 MLJ [2002] lix

as the banker's section) with committing criminal breach of trust involving RM79.9

million of the company's funds.²¹

In Alor Setar Sessions Court Arrest Case PP v Tan Khay Guan (2004) the accused, a

bank manager of the RHB Mergong branch, was charged under s.409 for criminal breach

of trust on November 11, 2004. Tan was charged with siphoning off RM 22.2 million

over a period of five months. He had allegedly used his position to channel the bank's

money into two separate accounts by manipulating the overdraft facilities of two

accomplices whose loan applications had been rejected some years previously and routed

the money by online transfers to a $2/- share company in Hong Kong.²²

It is submitted that these cases of criminal breach of trust²³ have been preferred under the

Penal Code rather than the CCA 1997 because firstly, they satisfy the fiduciary element

of trust and dominion over property as opposed to an unauthorized access by a hacker.

Secondly, in order to reflect the gravity of the crime. The Penal Code imposes mandatory

imprisonment of between 1 to 20 years, whipping and a fine based on judicial discretion.

Under s.4(3) CCA the penalties are discretionary, i.e. a fine not exceeding RM 150,000/-

or imprisonment of up to 10 years and/or both. Thus the penalties under the Penal Code

are harsher and more punitive than the CCA and ought to serve as a stronger deterrent.

However, it is submitted that the statistical history of commercial crimes does not bear

testimony to this intention of the legislature.

³⁸ New Straits Times, Malay Mail December 27, 2004:
Available online:- http://www.lexis.com/research/retrieve/
Law>Criminal Breach of Trust> Banking> All Banking News Articles
²² Supra n 38
²³ Refer to n 38 and 39

s.415. to s. 420 deal with the offence of Cheating.

(b) intentionally induces the person so deceived to do or omit to do anything which he

would not do or omit to do if he were not so deceived is said to "cheat".

The sections do not specifically refer to inducement over the internet, nor to

inducement of a particular person, but are of a general nature. As such they are sufficiently

wide in scope to cover inducements of a general nature without any particular

targeted victims over the internet. The elements required to be established are

fraudulently or dishonestly inducing a person to deliver property or retain property

or intentionally inducing a person so deceived to do or omit to do and which omission

causes or is likely to cause damage or harm to any person in body, mind, reputation,

or property.

By way of submission it is suggested that in the absence of a particular offence for

phishing either in the Penal Code or CCA, this offence could well be prosecuted

under s.415 as it would have intentionally induced a person into doing anything which he

would not do if not so deceived to do and which causes damage to his property, i.e. money

in his bank account in this case and which could possibly lead to the commission of

further offences by the perpetrator.

s.417. provides the penalty for cheating, i.e. imprisonment for a term up to five years, or

7 years under s.419 and/or fine.

1.4.4 Anti Money Laundering Act 2002 (AMLA)

This Act came into force on 15th. January 2002 with further amendments in relation to

anti-terrorism financing which were gazetted on 25th December 2003 though they are not

as yet in force. On April 23rd 2004 Dr. Hamimah Idruss became Malaysia's first

person to be charged under AMLA for money laundering in the sum of US$ 9,763,391.5

(RM 37,062,251.65) with further charges for aiding and abetting under the Penal

Code.²⁴ The facts of the case are not available as the case has yet to be heard. This would

be an interesting case to follow through as it would reveal the possible issues that could

be challenged in this far reaching statutory dragnet.

By s. 3 money laundering has been given the widest possible definition covering anyone

who either engages, directly or indirectly, or acquires, receives, possesses money in a

transaction that involves proceeds of an unlawful activity.

By s.4(i). the penalty upon conviction is a fine not exceeding five million ringgit or to

imprisonment for a term not exceeding five years or both.

1.5 Is Electronic Evidence or Computer Evidence Admissible in Malaysia?

Evidence is anything that demonstrates, clarifies or shows the truth of a fact or point in

question. Electronic evidence is information and data of investigative value that is stored

on or transmitted by an electronic device. Such evidence is acquired when data or

physical items are collected and stored for examination purposes.

²⁴ New Straits Times April 24th 2004

Amendments to the Evidence Act 1950 (EA) in 1993 provided for the admissibility of

computer-generated documents. In Gnanasegaran Pararajasingam v PP²⁵ direction

was sought as to the admissibility and probative value of computer generated documents

from the Court of Appeal. His Lordship Mahadev Shankar JCA clarified that s. 90A was

enacted to bring the "best evidence rule" up to date with the realities of the electronic age.

It is submitted that s.64 Digital Signatures Act (DSA) 1997 and the amendments to s.90

EA read together put paid to any argument as to the admissibility or probative value of

any computer generated evidence.

1.5.1 Problems in the Admissibility of Electronic Evidence or Computer Evidence

Electronic evidence:

Is often latent in the same sense as fingerprints or DNA evidence.

Can transcend borders with ease and speed.

Is fragile and can be easily altered, damaged, or destroyed.

Is sometimes time-sensitive.

The growing use of the internet, electronic banking, online hosts and bulletin board

systems means that evidence needs to be collected from remote computers for use in legal

proceedings. The traditional law of evidence as in the best evidence rule and the rule

against hearsay may have to be rethought and reformulated. Issues such as the probative

value of such evidence need to be addressed even if the strict rules of admissibility are

removed. Thus the background processes involved need to be understood if courts are to

be able to assess evidential quality.

²⁵ [1997] 4 CLJ 6

The majority of computer derived exhibits in internet banking take the form of print outs

of accounts, statements, invoices, reports, memoranda and such like. Electronic data are

frequently transferred or converted from one storage medium or software system to

another. In this process referred to as "data migration", important information, such as

formatting and the structure and content of electronic forms, may be lost, or even the

record itself destroyed unless appropriate steps are taken. Similarly, unless such changes

are thoroughly documented, it can be difficult to demonstrate that the critical information

was not changed in the process. In transition between systems, institutions sometimes

maintain multiple, overlapping systems, particularly in the transition from paper to

electronic based systems. Because information from all systems may be required to be

maintained and may be needed for various purposes, institutions should address retention

issues for all systems, even overlapping ones.

Another form of computer evidence is read-out from single purpose devices such as

alcohol level meters and telephone call loggers.²⁶ A newly emerging form of evidence is

that derived from data media, i.e. files derived from hard discs installed within computers,

removable floppy discs used for temporary storage, tapes and optical discs used for back

up or archives. The problem with data media is that it may only be obtainable with the

consent of the computer owner or under formal discovery/disclosure procedures by which

time it may not contain the precise files required or alternatively under search and seizure

provisions with a warrant. Here again there is danger of the file being altered in the time

taken to obtain such a warrant or order. Investigators and regulators tendering such

²⁶ Sommer Peter:- Downloads, Logs and Captures Evidence from Cyberspace, Journal of Financial Crime
Vol.5 No.2, p 138. Available online:- http://www.bna.com/products/ip/ctlr.htm > Electronic Commerce
Law Report

evidence in court may face the problems of admissibility arising from the following

allegations:-²⁷

(i) Authenticity:- was the file acquired what was on the remote computer? The court has to be satisfied that the file was acquired from its purported source.

(ii) Accuracy:- was the process of acquisition free from error? There should be no room for reasonable doubt about the quality of procedures used to collect, analyse, and produce it in court. It should also be proved that material once acquired was not tampered with. This would require a competent witness to explain the process.

(iii) Completeness:- the evidence should be able to give a complete record of a particular set of circumstances or events, a complete audit trail.

The reasons for such anxiety in tendering computer evidence are that:-

(i) computer data can change moment to moment within a computer and along a transmission line. This can create considerable difficulties over authentication as to content and time of creation.

(ii) computer data can be easily altered without leaving any obvious trace that such alteration has taken place.

27 Ibid.
Further reading:- USA:- National Institute of Justice:- Electronic Crime Scene Investigation: A Guide for First Responders (July 2001) Available online:- http://www.ncjrs.org/txtfiles1/nij/187736.txt
UK:- Association of Chief Police Officers, Good Practice Guide for Computer Based Electronic Evidence. Available online:- http://www.4law.co.il/Lea92.htm
(iii) computer material can also be easily changed in the process of collecting it as evidence; the very act of opening an application or file can create changes through prior programming unknown to the investigator.

(iv) there can be much computer evidence which is not obviously apparent and readable. A computer disk can contain various directories of files, with purportedly accurate representations of the original files, and what is presented in court may be print outs of any number of possible permutations of the purported original. Thus computer derived exhibits require the court to make a chain of inference before reaching a conclusion.

(v) computers create evidence as well as record and produce it. The traditionally maintained books of account were of manually entered records, whether hand written or typed, but in the computerised version only the original entries are manually input; all other records can be assembled by means of software programs. Thus documents can be created in response to online requests as well as conventional print outs or on screen reports.

(vi) another area of computer evidence that is engaging the attention of the legal academia in the USA and the UK is pretrial discovery and disclosure of electronic evidence in both civil and criminal litigation. The problem here is that there are now new types of data to be located, such as in e-mails, metadata, network records, archives and ghost data or deleted files, and the policy considerations such as issues of privacy flowing therefrom.28 In criminal investigations this would depend on the extent of powers of search and seizure accorded in the specific statute.

28 Kenneth J. Withers:- Is Digital Different? Electronic Discovery and Disclosure in Civil Litigation (1999) Available online:- http://www.kenwithers.com/articles/bileta/
Further Reading:- United States Department of Justice, Computer Crime and Intellectual Property Section, Criminal Division, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. Available online:- http://www.cybercrime.gov/s&smanual2002.htm

As such the science of computer forensics has also developed to keep pace with the need to trace data and authenticate evidence in court. The Technology Crime Division of the RMP has established a computer forensics lab to assist in such investigations and provide expert evidence to satisfy the evidentiary rules. In the course of cross examination the following questions could well arise:-

(i) Where did the exhibits originally come from?

(ii) What intermediate stages were required to produce the exhibit as it is shown?

(iii) What computers were involved at each stage? Which was the source computer? The investigator's computer? What computers were used for intermediate storage and processing?

(iv) Who was involved in these intermediate stages and what did they do?

(v) Are there additional items of evidence that provide corroboration?

In order to satisfy the evidentiary requirements related to computer evidence certain key tests have been developed. These are:-29

(i) Remote computer's correct working test. It is necessary to show the court that the computer was in proper working condition at the time. If all that the computer was doing was holding a series of files (equivalent to a filing cabinet) placed by persons, the test may be relatively easy to satisfy. But what about an online order form or banking instruction that is filled in by a customer? Here one has to show a trail of evidence to counter repudiation by the customer and satisfy the court. This is where DSA 1997 provides for certification by a competent authority and personnel. Further, evidence in the form of logging is important as it is possible to play back or review a user's online session, and hence its value in establishing audit trails.

29 Supra n 42

(ii) Provenance of computer source test or Identification:- here one needs to show that data has been obtained from a specific computer and nowhere else. This has to be shown by some element in the procedures by which two computers interact. Where a remote computer is linked to a telephone, the number can be traced and linked to an organization or an individual, e.g. who pays the telephone bills, and/or who occupies the premises. Thus the issue of the authentication of the computer source in this instance is fairly straightforward. However problems can arise when connections are established through the internet. Hackers have been known to attack web sites, acquire passwords and usernames through a process known as packet sniffing30 and introduce alternative pages to an organisation's, e.g. a bank's, official website. Thus the website is faked and appears to be coming from one source when in fact it comes from another (a technique used in phishing).

30 Supra n 42. The weakness arises from the fact that most websites are updated remotely. HTML pages are created on computers other than the one hosting the site (as where a bank outsources its services) and are FTP'd (File Transfer Protocol) over the internet. Packet sniffing enables hackers to identify packets carrying FTP requests destined for the website and which carry sequences associated with log-ons and passwords.
(iii) Content party authentication test. Here evidence from the remote computer has to be linked to the accused and the events that are the subject matter of the legal proceedings, i.e. particular day and time. This will require witness statements, exhibits showing ownership or access to the computer and/or data media, or the possibility of inference from the nature of the contents of the files.

(iv) Acquisition process test. Here a full and credible explanation is required of the process by which the file was acquired from the remote computer to the user's machine, to show that the result is accurate, complete and free from tampering. Significant evidence here is logging. This opens up a user's file and plays back a complete record of all characters received by the terminal. This is especially important in following an accused's audit trail.

(v) Continuity of evidence / chain of custody test. Evidence has to be given as to what was done subsequent to the material being retrieved, e.g. viewed, analysed, copied and rendered tamper proof.

(vi) Quality of forensic presentation test. Evidence has to be given as to what was done by the investigators: was there any subsequent processing such as retrieval from archive formats, examination by means of an application program, whether there was decryption and print-outs.

Thus presenting electronically derived evidence in a form that a court can handle, usually a print-out, means a certain degree of processing will be required. This therefore calls for a high degree of technical knowledge of the nature of electronic evidence by all parties and further calls for a thorough and disciplined approach to evidence gathering and presentation on the part of investigators, auditors, computer managers and lawyers. Following from this, rules therefore have to be formulated as to how, and for what duration, electronic data must be stored, who may have access to it, for what purpose, and the conditions for divulging such information.
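The acquisition process and continuity of evidence tests come down to showing that the exhibit produced in court is the file that was acquired and that every handling step is accounted for. The following is an added illustration, not part of the original paper: a custody log in which each entry records a SHA-256 digest of the exhibit and of the previous entry. The function names, field names and sample log line are assumptions constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(entry: dict) -> str:
    # Hash every field except the stored hash itself, in a fixed key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return digest(json.dumps(body, sort_keys=True).encode())

def record(log: list, when: str, actor: str, action: str, exhibit: bytes) -> None:
    """Append one custody step; it commits to the exhibit and to the prior entry."""
    entry = {"seq": len(log), "when": when, "actor": actor, "action": action,
             "exhibit_sha256": digest(exhibit),
             "prev_hash": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = entry_hash(entry)
    log.append(entry)

def verify(log: list, exhibit_as_produced: bytes) -> list:
    """Return a list of problems; an empty list means log and exhibit agree."""
    problems, prev = [], GENESIS
    for e in log:
        if e["prev_hash"] != prev:
            problems.append(f"entry {e['seq']}: link to previous entry broken")
        if entry_hash(e) != e["entry_hash"]:
            problems.append(f"entry {e['seq']}: altered after it was written")
        if e["exhibit_sha256"] != log[0]["exhibit_sha256"]:
            problems.append(f"entry {e['seq']}: exhibit differs from acquired copy")
        prev = e["entry_hash"]
    if log and digest(exhibit_as_produced) != log[0]["exhibit_sha256"]:
        problems.append("exhibit as produced differs from acquired copy")
    return problems

def demo():
    # Constructed sample: one line of a session log acquired from a remote server.
    exhibit = b"2005-01-10 09:14:03 LOGIN user=sample-user src=192.0.2.10\n"
    log = []
    record(log, "2005-01-10T10:00:00Z", "Investigator A", "acquired from source", exhibit)
    record(log, "2005-01-10T10:20:00Z", "Investigator A", "copied to sealed media", exhibit)
    record(log, "2005-01-12T14:05:00Z", "Analyst B", "examined read-only, printed", exhibit)
    clean = verify(log, exhibit)
    # One character changed in the exhibit after acquisition.
    altered = verify(log, exhibit.replace(b"192.0.2.10", b"192.0.2.11"))
    # Someone edits the custody record itself.
    log[1]["actor"] = "Analyst B"
    edited = verify(log, exhibit)
    return clean, altered, edited

if __name__ == "__main__":
    for result in demo():
        print(result or "consistent")
```

A hash chain only demonstrates internal consistency: the final entry hash has to be lodged with an independent party or digitally signed at the time, otherwise the whole log could be regenerated after the fact.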

Currently neither the CCA 1997 nor the CMA 1998 addresses the issue of minimum storage period; thus data stored in logs could well be deleted within 48 hours, thereby hampering police investigative work.31 Internationally too no laws have yet been formulated in this area. Network service providers and administrators formulate their own policies in respect of record keeping and maintain data only so long as operationally necessary, which would not be more than a few weeks.32 Thus this is an area which requires careful study and the possible reformulating of the law of evidence in respect of the rule against hearsay, record keeping and powers of search and seizure.

31 Information obtained during a personal interview of ASP Mahfuz bin Dato Abdul Majid at 11.00 a.m. on Wed. 16th. August 2004, of the Technology Crimes Division, Commercial Crimes Department, Polis Di Raja Malaysia.
US CODE 18 CHAPTER 119--WIRE AND ELECTRONIC COMMUNICATIONS INTERCEPTION AND INTERCEPTION OF ORAL COMMUNICATIONS Section 1250 (17)
"Electronic storage" means-- any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof.

32 Best Data Practices for Online Service Providers from the Electronic Frontier Foundation. Available online:- http://www.eff.org/osp/20040819_OSPBestPractices.pdf

1.6 CONCLUSION & RECOMMENDATIONS

It is submitted that although cyber crimes, particularly fraud in relation to internet banking, are still in their infancy in Malaysia, they are nevertheless on the rise, as evidenced by the statistics from the RMP. Prosecutions of such crimes are only preferred under the specific cyber laws such as the CCA 1997 and the CMA 1998 in relation to hackers who gain unauthorized access into an institution's systems. The ratio of prosecutions to charges varies greatly owing to a variety of factors, such as a guilty plea, plea bargaining, amendment of charges, lack of evidence, time taken to trace suspects, investigate, collect evidence, prepare for trial and manpower shortage. From the aforementioned data collected it appears that fraudulent internet banking transactions continue to be effectively prosecuted under the Penal Code's provisions for criminal breach of trust and cheating. In this connection the amendments to the EA 1950, together with s.64 DSA 1997, facilitate the admissibility of computer generated records in court proceedings and as such there has to date been no serious challenge to the same. It may nevertheless be worthwhile considering widening the scope of the EA to be more technology neutral and non-computer specific by substituting the words "electronic records" for "computer", in keeping with the spirit of the definition of "document" in the EA and international trends. Article 9 of the United Nations Commission on International Trade Law (UNCITRAL) provides for the admissibility of data messages generated by means of electronic data interchange so as to facilitate e-commerce.33

The subject of adducing electronic (as opposed to just computer specific) evidence is becoming a recognized area of specialized study. The fragility and vulnerability of electronic evidence faces the challenge of conformity with the best evidence rule and the rule against hearsay so as to effectively discharge the burden of proof.

33 UNCITRAL Preamble and Article 9. Available online:- http://www.uncitral.org/en-index.htm
In Rodd v. Raritan Radiologic Associates34 Judge Weinstein observed that "computer technology is like the proverbial genie that has come out of the bottle. Stuffing it back inside is unlikely. It can be an instrument for good or a weapon of prejudice and manipulation. The courts will have to harness this unbound energy and set rules for its appropriate use in the courtroom. And appellate courts will have to accept yet another burden, meaningful policing of the new genie."

34 [2004 N.J. Super. LEXIS 418 [N.J. App. Div. Nov. 24, 2004].] quoted in Hoenig, "Computer-Generated 'Pedagogical' Devices: Admissible or Not?" The New York Law Journal, Nov. 8, 2004, p. 3. Available online:- http://www.lexis.com/research/ >Legal News Publications >Computer Evidence

REFERENCES

1. Attorney General's Chambers, Prosecution Division; Annual Report 2003 p 11

2. Bank Negara Malaysia Annual Report (2004), p 222. Available online:- http://www.bnm.gov.my/files/publication/ar/en/2004/cp10.pdf ; Visited on:- 3.10.2005

3. Best Data Practices for Online Service Providers from the Electronic Frontier Foundation. Available online:- http://www.eff.org/osp/20040819_OSPBestPractices.pdf

4. George Mary:- Criminal Breach of Trust Under Malaysian Law: A Review [1990] 1 CLJ i (Part I) and x (Part II)

5. Hoenig, "Computer-Generated 'Pedagogical' Devices: Admissible or Not?" The New York Law Journal, Nov. 8, 2004, p. 3. Available online:- http://www.lexis.com/research/ >Legal News Publications >Computer Evidence
6. Kenneth J. Withers:- Is Digital Different? Electronic Discovery and Disclosure in Civil Litigation (1999) Available online:- http://www.kenwithers.com/articles/bileta/

7. National ICT Security and Emergency Response Centre:- Incident Statistics. Available online:- http://www.niser.org.my/statistics.html ; Visited on:- 3.10.2005

8. National Institute of Justice:- Electronic Crime Scene Investigation: A Guide for First Responders (July 2001) Available online:- http://www.ncjrs.org/txtfiles1/nij/187736.txt

9. Nazura Abdul Manap and Anita Abdul Rahim:- How Remote is the Solution to Computer Fraud / Cheating? 1 MLJ [2002] lix

10. New Straits Times, Malay Mail December 27, 2004: Available online:- http://www.lexis.com/research/retrieve/

11. New Straits Times April 24th. 2004

12. New Straits Times Monday, 6th September 2004:- Computimes p 6

13. Phishing e-mail targets local Internet banking users (19th May 2005) (The Star). Also available from NISER; Available online:- http://www.niser.org.my/news/2005_08_02_01.html; Visited on 25.5.2005

14. Polis Di-Raja Malaysia, Available online:- www.rmp.gov.my/statistics ; Visited on:- 25.9.2004

15. Steven Patrick:- MyCERT: Less hacking, more phishing (2nd. August 2005) (The Star) Available online:- http://www.niser.org.my/news/2005_08_02_01.html ; Visited on 24.9.2005

16. Sommer Peter:- Downloads, Logs and Captures Evidence from Cyberspace, Journal of Financial Crime Vol. 5 No. 2, p 138. Available online:- http://www.bna.com/products/ip/ctlr.htm > Electronic Commerce Law Report

17. Sulaiman Azmil:- Crimes on the Electronic Frontier -- Some Thoughts on the Computer Crimes Act 1997, [1997] 3 MLJ lix

18. The Star:- Thursday October 21st. 2004 p 2

19. USA:- National Institute of Justice:- Electronic Crime Scene Investigation: A Guide for First Responders (July 2001) Available online:- http://www.ncjrs.org/txtfiles1/nij/187736.txt

20. United States Department of Justice, Computer Crime and Intellectual Property Section, Criminal Division, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. Available online:- http://www.cybercrime.gov/s&smanual2002.htm

21. UK:- Association of Chief Police Officers, Good Practice Guide for Computer Based Electronic Evidence. Available online:- http://www.4law.co.il/Lea92.htm

22. UNCITRAL Preamble and Article 9. Available online:- http://www.uncitral.org/en-index.htm

STATUTES

1. Banking and Financial Institutions Act 1989

2. Broadcasting Act 1988

3. Computer Crimes Act 1997

4. Communication and Multimedia Act 1998

5. Digital Signatures Act (DSA) 1997

6. Evidence Act 1950

7. Misuse of Computer Act 1990

8. Money Laundering Act 2002 (AMLA)

9. Telecommunications Act 1950

10. The Penal Code (Revised 1997)

11. Wire and Electronic Communications Interception and Interception of Oral Communications Section 1250 (17)

CASES

1. Alor Setar Sessions Court Arrest Case PP v Tan Khay Guan (2004)

2. Gnanasegaran Pararajasingam v PP [1997] 4 CLJ 6

3. Ishak Shaari v PP [1997] 3 CLJ SUPP 223

4. PP v. Yeoh Teck Chye

5. PP v Aman Shah bin Ahmad (Unreported) KL SC (1) Arrest Case No. 62-50-90

6. Tan Sri Tan Hian Tsin v Public Prosecutor [1979] 1 MLJ 73

7. Rodd v. Raritan Radiologic Associates 2004 N.J. Super. LEXIS 418 [N.J. App. Div. Nov. 24, 2004].

Forcellina24 Case (2004): Husband, 23, accessed chat rooms, used device to capture screen names of chat room participants; then sent e-mails pretending to be ISP requiring "correct billing information," including current credit-card number. Used credit-card numbers and other personal data to arrange for wire transfers of funds via Western Union, but had others pick up funds from Western Union.

Hill Case (2003)25: He operated AOL and PayPal phishing scheme, used fraudulently obtained credit-card numbers to obtain goods and services costing more than $47,000. Sentenced to 46 months.

24 http://www.abanet.org/adminlaw/annual2004/Phishing/PhishingABAAug2004Rusch.ppt#10
25 http://www.abanet.org/adminlaw/annual2004/Phishing/PhishingABAAug2004Rusch.ppt#10

Illegal Fund Manager jailed over Internet Investment Scam

The Kuala Lumpur Sessions Court has sentenced businessman Phazaluddin bin Abu, 49, to four years in jail after he was convicted of operating an online investment scam without holding a fund manager's licence. He is the first person in the country to be convicted of operating an illegal online investment scam, after the Securities Commission Malaysia's (SC) investigations found that he had raised RM65 million from 52,000 investors in 2007 via a website.

MLA Reference No: MLA-120710-R-04; Source(s): SC website; Date(s) of Publication: 09/07/2010; Original Title(s): Illegal fund manager jailed for 4 years over internet investment scam; Practice Area(s): Cyber Law, Economic Crimes