Dávid Tóth[1]: How the Cyberspace Changes Terrorism* (JURA, 2022/3, pp. 97-106)

I. Introduction

New manifestations of terrorism pose a major challenge to states, which must tackle them with appropriate security policy tools. On the one hand, the present study aims to provide an overview of the concept, purpose, and characteristics of cyberterrorism. On the other hand, I analyze how cyberspace and social media change terrorism, with special attention to identity theft. This form of crime is often a tool for preparing serious terrorist attacks and a means of financing terrorist activities.

The study is divided into the following parts. In the first part, I deal with the conceptual basics regarding terrorism and cyberspace. In the following parts, I examine a special form of crime called identity theft, which can be committed by terrorists online to further their goals. The concluding chapter reviews possible tools to combat cyberterrorism and identity theft.

II. The phenomenon of cyber-terrorism

1. Definition of cyberterrorism

Cyber-terrorism is one of the greatest security policy challenges of postmodern societies. The development of information technology in recent decades has created new opportunities for terrorist organizations, which are also used to commit and prepare for terrorist acts.[1]

Terrorists can target the operation of critical infrastructures in cyberspace (such as power grids, water supply systems, and financial systems[2]) to cause economic and social disruption. They can also launch actions against hospitals and military facilities. In addition, they engage in ideological and psychological warfare to increase fear in society and their membership.[3]

To date, there is no uniformly accepted definition of cyberterrorism. There are many definitions in the literature. In the United States, Barry Collin, a California security expert, introduced the concept of cyberterrorism in the 1980s. According to Collin, in the case of cyberterrorism, terrorists exploit the convergence of the physical and virtual worlds, which is the engine of cyberterrorism.[4]

Mark M. Pollit, a senior agent at the Federal Bureau of Investigation (FBI), defined this new phenomenon as: "Cyber-terrorism is a pre-planned, politically motivated attack on information, computer systems, programs, and data that non-combinatorial targets by secret agents."[5]

One of the most cited definitions comes from Dorothy E. Denning. According to her, cyber terrorism is nothing more than the convergence of terrorism and cyberspace. It usually involves illegal attacks and threats against computer networks and the information stored on them. They aim to intimidate governments and the population and to force political and social change. In Denning's view, for an act of terrorism to qualify as cyberterrorism, an attack must manifest itself in violence against a person or property that is capable of inciting fear. Violence is at the heart of her concept, but terrorists do not just use cyberspace to commit terrorist acts.[6] Terrorists' use of the Internet, however, is not limited to violence. The use of information technology for terrorist purposes can be divided into two main groups:

- The "soft" use of information technology refers to the case when terrorist organizations use the internet for propaganda and recruitment purposes.[7]

- The "hard" use of information technology: when cyber warfare equipment is used. Examples of such cyberwarfare devices include:

• hacking into computer networks,

• restricting the operation of information infrastructures,

• load attack,

• sending worms and viruses,

• phishing,

• hacking electronic bank accounts, etc.[8]

According to a relatively new and more complex approach in the literature, cyberterrorism has the following characteristics:

- It is the application, preparation, or threat of an act aimed at changing the social order.

- Cyberterrorists' ultimate goal is to realize their political, religious, racial and ideological vision by attacking the integrity of information systems and networks and by misusing information technology.

- It can include

• violence against persons,

• causing serious property damage,

• a threat to the health and safety of society.[9]

2. Similarities and differences between cybercrime and cyberterrorism

There are many links between digitalization and criminality in general.[10] Criminals also commit several crimes in an organized form in cyberspace, but their main motive is financial gain. In the case of credit card fraud committed by a cybercriminal, the main purpose of the perpetrator is to obtain money from the victim's bank account. Of course, this does not mean that cybercrime cannot have other motives. So-called hackers (who are not always criminals) break into information technology systems to gain attention and the recognition of their fellow hackers.[11] The main motivation of Kevin Mitnick, one of the most famous hackers in history, was not financial but to use social engineering (a form of psychological manipulation).[12]

The types of cyber-attacks used by cyber-criminals and terrorists (e.g., hacking, otherwise known as illegal intrusion) are not fundamentally different, but how an attack is carried out differs in many cases. Cybercriminals usually attack more targets, and their action takes as little time as possible to reduce the risk of detection. The goal of cybercriminals is to stay hidden. For example, they want to steal money from a bank account unnoticed, so that they can repeatedly take smaller amounts over the long term. Another example is when criminals commit cyber espionage but avoid causing any kind of direct damage, so that they can stay hidden and continue to steal valuable data unnoticed. Cyber-terrorists are less inclined to remain hidden. Terrorists are looking for easier points of attack where they can do the most damage to the community or the state in a short amount of time. For them, financial gain is at most a mere means of perpetrating their acts of violence or paralyzing critical infrastructures. One of the main differences between cybercrime and cyber-terrorism lies in the purpose of the attack. Cybercriminals commit their actions primarily to gain profit, while cyber-terrorists may have several motives (political, ideological motives) and in many cases, the acquisition of property is only a secondary or tertiary goal.[13]

3. The benefits of operating in cyberspace

Communication anonymity and encryption methods provide a form of security for terrorists in cyberspace. Many tools and techniques are used to ensure anonymity. Zoltán Nagy highlights steganography and passive e-mailing. Using the former, hidden messages can be displayed on web pages; in the latter case, a common e-mail account is opened in which the messages are not sent but only saved as drafts.[14]

Cyberspace is also important for future terrorists. Potential terrorist fighters can easily find information on the Internet needed to commit terrorist acts (e.g., execution techniques, bomb-making instructions, etc.).[15] The Internet provides access to videos and messages that spread extreme religious ideologies and provide a psychological breeding ground for future terrorists.[16]

Summarizing the benefits of working in cyberspace:

- Easy access: the Internet can be used to launch cyber-attacks against targets remotely, even from the other end of the world.

- More effective recruitment: more people can be reached through websites than before the age of the internet.

- Greater effectiveness of propaganda activities: in the context of the former.

- Fast exchange of information between members.

- Communication anonymity.

4. Cases

Several authors raise the question of whether cyberterrorism exists or is just a well-sounding term.[17] According to Jones, cyberterrorism does not pose a great danger yet. He gives the power supply as an example. He says there have been, and will continue to be, power outages worldwide, and they are not causing panic in society. While acknowledging that we are increasingly dependent on a wide range of technologies, he sees that most people are not yet dependent on them to the extent that this would cause social disruption. He thinks it could be a bigger problem in more developed countries, but in a country like Afghanistan, for example, where dependence on technology is extremely low, it won't cause a huge issue for the state and the lives of the people.[18]

On the other hand, the existence of cyber-terrorism is proven by legal cases. One of the first such documented cases was a cyberattack by guerrilla fighters of the Tamil Tigers in Sri Lanka. The terrorist organization flooded embassies in Sri Lanka around the world with emails (sending an average of 800 emails a day) with the message, "We are the Tigers of the Black Internet, and we will disrupt your communications systems."

In 2009, a cyber-attack was carried out through an Israeli embassy against the country's internet structure in the Gaza Strip in response to stories. The attack affected more than five million computers. The terrorist organizations Hezbollah and Hamas were believed to have been behind the actions.16 An example of so-called soft cyber-terrorism is the terrorist attack in Paris in 2015, where the encrypted mobile application Telegram was used for communication.[19]

In one of the first cyber-terrorism cases in the United States, Ardit Ferizi was also convicted. The legal case was preceded by the fact that Junaid Hussain, a British citizen, founded a hacker group called "TeaMp0isoN." In 2012, Hussain was jailed for obtaining personal information from former British Prime Minister Tony Blair through illegal intrusion. After his release, Jihadists taught online how to steal money from bank accounts and finance terrorist acts. He joined the Islamic State in 2014 and began working in its hacker department in March 2015. He focused primarily on making money. Hussain committed Internet financial crimes against the Islamic State and financed the terrorist organization with cryptocurrency mining. On March 20, 2015, the "Hacker Department of the Islamic State" published the names, photos, and addresses of about a hundred U.S. soldiers, as well as threatening e-mails. One of the people who shared the data was Hussain. He used the name of a man beheaded by the Islamic State as a pseudonym. On August 11, 2015, Hussain posted a death list of 1,251 U.S. government officials on a community portal, Twitter, and claimed to have obtained it by hacking U.S. security servers. This is an example of how terrorists can use social media to create threats in society.

According to Ardit Ferizi's LinkedIn profile, he was one of the FBI's hackers. Facebook groups sold many fake user accounts (e.g., PayPal, eBay, and Facebook accounts) for bitcoin units and real money. For example, he asked for $5 in exchange for 2,430 Facebook accounts. According to a Kosovo article, he was a person linked to ISIS. The FBI cracked his Twitter account with a search warrant, and the investigation revealed that he had communicated with ISIS members about stolen credit cards.

Ardit Ferizi was eventually captured and brought to justice in the United States. He pleaded guilty to illegal computer hacking in support of terrorism and obtaining information and was sentenced to 20 years in prison.[20] In exchange for the defendant's confession, the authorities dropped the charge of a classified case of identity theft.[21]

III. The concept of identity theft

There is no uniformly accepted definition of identity theft in the literature. Several names are used in foreign literature for the same phenomenon. On the one hand, it is commonly referred to as identity theft (Identitätsdiebstahl), which is more prevalent in the United States[22] and Germany;[23] on the other hand, in the United Kingdom, this form of crime is referred to as identity fraud,[24] as it is not defined by law with specific statutory provisions but is treated as fraud under the Fraud Act 2006.[25]

According to Charles M. Kahn and William Roberds, the use of others' personal information for fraudulent purposes constitutes identity theft.[26] Katie A. Farina's definition emphasizes fraud: "The use of an individual's personal information for fraudulent purposes."[27]

Canadian authors Lawson and Lawford put it similarly. Identity theft, in their view, is the illegal collection and fraudulent use of another person's personal information. The primary purpose of the perpetrators is to make a profit. There are several ways to obtain personal information, such as:

- stealing wallets, laptops, credit cards, and hard drives (Winchesters); hacking into computer storage media via the Internet; or

- fraudulently disguising themselves as internet service providers for market research.[28]

According to Biegelman, who wrote a handbook on the subject, identity theft is nothing more than stealing people's reputations for financial gain.[29]

According to the authors of a German book on identity theft, the essence of identity theft is the unlawful acquisition of identity. According to their definition, the acquisition of personal data (e.g., the bank card number) qualifies as identity theft only if the data set (the name and expiration date alongside the bank card number) is suitable for identifying the person.[30] A distinction must be made between identity theft and identity fraud (Identitätsmissbrauch), which means the fraudulent use of personal data.[31]

Similar to the foreign literature, several technical terms have appeared in Hungary as well. In a joint study by Dániel Eszteri and Zsolt István Máté, the term identity theft is used in connection with offences committed in software called "Second Life", which simulates virtual reality.[32] Hámori also uses this term, and his definition focuses on the unlawful acquisition of personal data: "the unlawful theft of a person's data (name, year of birth, address, credit card ID, social security number and other personal data) so that they are used for financial gain in various transactions, from car rentals to bank loans."[33]

In contrast to the above, Zsolt Haig uses the terminology of personality theft. Referring to Schwartau's book[34], he classifies personality theft in the category of information warfare, including personal information warfare. If the crime is committed, the victim may suffer material damage and damage to their human dignity.[35] Kinga Sorbán uses the term identity theft.[36] According to her, this form of crime has two phases. In the first phase, the offender steals the victim's personal information (e.g., Social Security Number). The second phase is about the misuse of data. She points out that the Hungarian Penal Code does not contain any special statutory provisions and, in her opinion, this is not necessary, because the related conduct can be subsumed under existing statutory offences (e.g., misuse of personal data).[37] In my view, a special statutory provision would be necessary in the future, as this type of crime is growing worldwide on the internet and in social media, and it would make it easier for legal practice to recognize and assess these types of conduct.[38]

IV. The relationship between identity theft and terrorism

The relationship between identity theft and terrorism is exemplified by several notorious legal cases. Of the 19 perpetrators of the terrorist attacks of 11 September 2001, two can be singled out: Abdul Aziz Alomari and Ahmed Saleh Alghamdi. The former was involved in the hijacking of American Airlines Flight 11, which collided with the north tower of the World Trade Center. The latter carried out the hijacking of United Airlines Flight 175, which eventually crashed into the south tower of the World Trade Center. Both terrorists also engaged in identity theft. In the month before the terrorist attack, Alomari and Alghamdi approached the secretary of a Virginia lawyer to fill out an affidavit and proof of residence for them. The lawyer's secretary did this for a fee. The documents testified that Alomari and Alghamdi were residents of the state of Virginia. In reality, they lived in a motel in Maryland. Another seven perpetrators obtained identity documents from the Department of Motor Vehicles (DMV) in Virginia even though none of them lived in the state. At that time the regulations were relatively loose, and the perpetrators exploited this: all it took was a notarized document to prove their residence there. This regulation benefited not only terrorists but also other offenders. Despite preliminary warnings from FBI investigators, the state maintained this simple identification system.

The cases also exemplify that identity theft provides terrorists with a source of revenue on the one hand and facilitates the commission of terrorist acts on the other. One of the first tasks of individual terrorists is to enter the destination country, for which fake passports are often used. They can then mingle in society with fake, stolen identity documents. Thus, in the first phase, the terrorists carry out so-called synthetic identity theft. There is also a danger that existing persons will be quasi-cloned with stolen personal data and that the perpetrators will thus try to mingle in society. Once a false identity is created, they try to obtain financial benefit with it. One of the most common techniques is to commit credit card fraud by obtaining other people's credit card information. There are several techniques for financial identity theft. To lay the groundwork for the terrorist attack on September 11, the so-called skimming technique was used. Skimming is commonly referred to in Hungarian as data collection, data recording and data theft. Youseff Hmimssa was an experienced counterfeiter who delivered fake visas and other identity documents to a Detroit terrorist agent before the U.S. terrorist attack. He testified that he had hired a Moroccan taxi driver, who was also working as a waiter, to steal customers' credit and debit card numbers. Hmimssa's accomplice read the victims' card data using a small device similar to a pager (a so-called skimmer device). The accomplice obtained the encrypted data on the magnetic stripe of the bank cards with a single swipe. He handed over the obtained data to Hmimssa, who uploaded it to a laptop. As a result of their joint activity, they obtained about 250 credit card numbers and caused nearly a hundred thousand dollars in damage to customers. According to a study by Halas, several terrorist agents have been apprehended by authorities in the United States in recent years through identity theft crimes.[39]

One of the typical forms of identity theft is the production and use of fake passports. Recently, terrorists have taken advantage of the influx of many refugees into Europe as a result of the crisis in the Middle East. One of the perpetrators of the November 2015 terrorist attack, Ahmad al-Mohammad of Syria, who arrived in Greece with the flood of refugees, also allegedly entered the European Union with a fake or stolen passport. In the Middle East, there is a high demand for counterfeit or forged Syrian passports on the black market. Ahmad al-Mohammad was the terrorist who blew himself up next to the Stade de France.[40] The use of false identification documents is not just a tool for the average offender. In many cases, personal information is purchased by terrorists on the Dark Web and also on social media sites.

V. Summary and suggestions

According to Ian Heller, a global tradable credit system could be set up to regulate the handling of personal data by commercial companies, which would help in the fight against terrorism and identity theft. There should be a regulatory agency in this system that identifies and sets a threshold for acceptable errors in consumer personal data. The system would work similarly to the penalty points associated with a driver's license: if a driver collects a lot of points, his driver's license will be withdrawn. According to Heller, organizations that misuse the collection of personal information or fail to take precautionary measures to prevent it from falling into the hands of criminals could be prosecuted. According to Heller, the Federal Trade Commission (FTC) could play a controlling role in the United States for this purpose. This organization examines the personal data management of private data processing companies, banks, credit institutions and telephone service providers.[41]

The most effective way to combat identity theft is through technical means. The development of technical tools can also help prevent identity theft in the future. The institution of double authentication is already used in financial transactions, where it is not enough to log in to the bank account with a code known to the customer, but an SMS code received by telephone is also required. In addition to the aforementioned solution, in recent years more and more smartphones have built-in fingerprint readers (physical or under the screen) that could also be used to authenticate identities when citizens perform acts with different legal effects.[42] Other biometric identification methods may be used, such as retinal scans.

On the other hand, it is worth mentioning the opponents of the above methods of identification, who claim that their personal, private rights are being violated and that the establishment of such a database could also be abused.[43] The fight against terrorism, on the other hand, may justify the wider use of such biometric identification methods. There is a greater interest in society to prevent terrorist acts from happening, and if we deprive terrorists of the means of identity theft, their chances of perpetrating them will be greatly reduced.[44]

Cyber-terrorism is a complex problem that requires complex solutions; this short study highlights only one important prevention tool: up-to-date software protection for computers (firewalls, antivirus programs, access control lists, and identity theft and user authentication systems). In addition to technical protection, however, in many cases, human failures result in the success of cyberattacks. Many cyber-attacks do not even require software tools in such cases. Therefore, infrastructure systems must also be prepared for the problems arising from human negligence and develop an internal regulatory system to prevent them.[45]

NOTES

* Prepared with the professional support of the ÚNKP-21-4-II-PTE-962 New National Excellence Program of the Ministry for Innovation and Technology, financed from the National Research, Development and Innovation Fund.

[1] Kasznár Attila: The challenges of the cyber-terrorism. Hadmérnök 2018/2. p. 410.

[2] Józan, Flóra - Kőhalmi, László: Lawyers and Money laundering. Journal of Eastern-European Criminal Law 2016/2. pp. 131-134.

[3] Jian Hua - Yan Chen - Xin Luo: Are we ready for Cyber Terrorist Attack? - Examining the Role of the Individual Resilience. Information Management 2018/7. p. 928.

[4] Collin Barry C.: The Future of cyberterrorism: Where the physical worlds converge. Crime and Justice International 1997/2. pp. 14-18.

[5] Pollit, Mark. M.: Cyberterrorism-fact or fancy? Computer Fraud & Security 1998/2. p. 9.

[6] Denning, Dorothy E.: Activism, hacktivism, and cyberterrorism: the internet as a tool for influencing foreign policy. The future of terror, crime and militancy. 2001. p. 281.

[7] Vacca, John R. (Eds): Online Terrorist Propaganda, Recruitment, and Radicalization. CRC Press, Boca Raton - London - New York. 2021.

[8] Haig Zsolt - Kovács, László: New way of terrorism: Internet- and cyber-terrorism. Academic and Applied Research In Military Science. 2007/4. p. 659.

[9] Luiijf, Eric: Definitions of cyber terrorism. Babak Akhgar - Andrew Staniforth - Francesca Bosco (Eds.): Cyber Crime and Cyber Terrorism Investigator's Handbook. Syngress, Amsterdam. 2014. pp. 1117.

[10] Gáti Balázs: Possible links between digitalization, cybercrime, and the COVID-19 pandemic. Büntetőjogi Szemle 2021. különszám pp. 23-33.

[11] Lachlan MacKinnon - Liz Bacon - Diane Gan -Georgios Loukas - David Chadwick - Dimitrios Frangiskatos: Cyber Security Countermeasures to Combat Cyber Terrorism. Strategic intelligence management. Butterworth-Heinemann, 2013. pp. 234-257.

[12] See further: Mitnick, Kevin D. -L. Simon William - Wozniak, Steve: The Art of Deception? Controlling the Human element of Security. Wiley Publishing, Indianapolis. 2002.

[13] MacKinnon et. al: Op. cit. p. 236.

[14] Nagy Zoltán: Kiberbűncselekmények, kiberháború, kiberterrorizmus - avagy ébresztő Magyarország! Magyar Jog 2016/1. p. 23.

[15] Serbakov Márton Tibor: A terroristák internethasználata. Büntetőjogi Szemle 2018/2. p. 87.

[16] Kőhalmi László: Gondolatok a vallási indíttatású terrorizmus ürügyén. Belügyi Szemle. 2015. 7/8. pp. 52-71.

[17] Pollit, Mark. M.: Cyberterrorism-fact or fancy? Computer Fraud & Security 1998/2. pp. 8-10.

Jones, Andrew: Cyber Terrorism: Fact or fiction? Computer Fraud & Security 2005/6. pp. 4-7.

[18] Cohen, Daniel: Chapter 13 - Cyber terrorism: Case studies. Babak Akhgar - Andrew Staniforth -Francesca Bosco (Eds): Cyber Crime and Cyber Terrorism Investigator's Handbook. Syngress, Amsterdam. 2014. pp. 165-174.

[19] Nance, Malcolm - Sampson, Chris: Hacking Isis. How to destroy the cyber jihad. Skyhorse Publishing, New York. (Kindle e-book) 2017. p. 48.

[20] https://www.justice.gov/opa/file/896326/download (2021. 11. 10.)

[21] Ibidem.

[22] Biegelman, Martin T.: Identity theft Handbook: detection, prevention and security. John Wiley and Sons, Inc, Hoboken, New Jersey. 2009. p. 2.

[23] Borges, G. - Schwenk J. - Stuckenberg C. -Wegener, C.: Identitätsdiebstahl und identitätsmissbrauch im Internet. Rechtliche und technische Aspekte. Springer, Heidelberg - Dordrecht - London - New York. 2011. p. 9.

[24] https://www.actionfraud.police.uk/a-z-of-fraud/identity-fraud-and-identity-theft (2022. 06. 10.)

[25] Alisdair A. Gillespie: Cybercrime. Key Issues and Debates. Routledge, New York. 2016. p. 145.

[26] Kahn, Charles M. - Roberds, William: Credit and identity theft. In: Journal of Monetary Economics 55. 2008. p. 251.

[27] Farina, Katie A: Cyber Crime: Identity Theft. International Encyclopedia of the Social & Behavioral Sciences. 2015. p. 633.

[28] See further: Lawson Philippa - Lawford, John: Identity theft: the need for better consumer protection. Public Interest Advocacy Centre. 2003. pp. 3-19.

[29] Biegelman, Op. Cit. p. 2.

[30] Borges et al. Op. Cit. p.11.

[31] Busch, Christoph: Biometrie und Identitätsdiebstahl. In: Datenschutz und Datensicherheit -DuD. 2009/5. p. 317.

[32] See further: Eszteri Dániel - Máté István Zsolt: Identitáslopás a virtuális világban. Belügyi Szemle 2017/3. pp. 79-107.

[33] Hámori Balázs: Bizalom, jóhírnév és identitás az elektronikus piacokon. Közgazdasági Szemle 2004/9. pp. 832-848.

[34] Schwartau, Winn: Information warfare. Kindle e-book edition. Interpact Press Inc, New York. 2010. Location 163.

[35] Haig Zsolt: Az információs hadviselés kialakulása, katonai értelmezése. Hadtudomány, a Magyar Hadtudományi Társaság Folyóirata. 2011/1-2. p. 14.

[36] Sorbán Kinga: Az informatikai bűncselekmények elleni fellépés nemzetközi dimenziói. Themis: 2015/1. pp. 343-375.

[37] Sorbán: Op. Cit. pp. 369-370.

[38] Tóth Dávid: Identity crimes on the darknet and the social media. Büntetőjogi Szemle 2021. különszám. pp. 85-89.

[39] Maras Marie-Helen: A terrorizmus elmélete és gyakorlata. Antall József Tudásközpont Kiadó. Budapest. 2016. pp. 177-178.

[40] Willox, Norman A. Jr. - Regan, Thomas M.: Identity fraud: providing solution. Journal of Economic Crime Management 2002/1. pp. 1-15.

[41] Heller, Ian: How the internet has expanded the threat of financial identity theft, and what congress can do to fix the problem. Kansas Journal of Law Public Policy 17. 2007/1. pp. 84.-108.

[42] Kraut Andrea - Kőhalmi László - Tóth Dávid: Digital Dangers of Smartphones. Journal of Eastern-European Criminal Law 2021/1. pp. 37-41.

[43] Kőhalmi, László: Terrorism and Human Rights. Journal of Eastern-European Criminal Law 2016/1. pp. 159-163.

[44] Ibidem.

[45] MacKinnon et. al. Op. Cit. pp. 234-257.

Footnotes:

[1] The Author is senior lecturer, University of Pécs, Faculty of Law, Criminology and Penal Execution Law Department.
