Big Phish, Little Phish

Today's Japan Times reports that Japanese police arrested eight people yesterday for alleged involvement in a "phishing" ring that obtained personal information from Internet users through a bogus Yahoo! Japan auction site. The Tokyo-based ring allegedly obtained personal data for about 1,000 people since last year and used some of those data to defraud about 700 people out of approximately 100 million yen (more than $890,000). From September 2005 to April 2006, the ring allegedly spammed users of Yahoo! Japan with email that purported to show their auction records. Clicking on the link in the spam took users to a bogus Yahoo! auction site at which many evidently disclosed their IDs and passwords. The members of the ring allegedly then used some of these identifying data to access the real Yahoo! Japan site and conduct bogus auctions, in which bidders who thought they were successful wired payments to the ring's bank accounts.
Interestingly, police reportedly disclosed more details than usual in Internet crime cases about how they tracked down the ring members. According to the article, police said that investigators analyzed Internet access records "and videos from security monitors at financial institutions where the wired money was withdrawn."
The same article also reported that the Tokyo Metropolitan Police Department had turned over to prosecutors the case of a 14-year-old boy who allegedly ran a separate phishing scheme. The scheme reportedly involved obtaining names and email addresses of dozens of people who thought they were registering for an online gaming site. The boy, who allegedly admitted to the scheme, said that he used these data to access a real online gaming site to play online games and send threatening emails to some of his victims. Police also said that they do not plan to arrest the boy "because he lives with his parents and there is little risk that he will flee or destroy evidence."

Beyond Panchira

The Mainichi Daily News recently reported on a loathsome trend in Japan that makes "upskirting" ("panchira" in Japanese) look tame. In the underground DVD market in Japan, the new attraction is footage - distributed via the Net and DVDs - that shows men running up to unsuspecting women, pulling up their dresses, and pulling down their underwear. One writer told the Daily News reporter, "They're all underground movies, so the faces and other parts you see are all real. And it's the horrified reaction of these women that's apparently the biggest turn-on for the perverts who are into this kind of thing. They're really popular." The writer also estimated that with five DVDs of this type on the market, each containing about 30 filmings, at least 150 woman have been subjected to these assaults. Some filmmakers are reportedly expanding into footage that shows women wearing tube tops having their tops ripped off.

In the United States, there is supposedly active debate in some quarters on whether upskirting should receive First Amendment protection, at least in some situations when the upskirting is shot in a public place. [See Wikipedia.] This new wave of behavior in Japan isn't even close to upskirting -- it's sexual assault, plain and simple, and should be treated as such. It's also, like upskirting, a paramount example of the need for laws that vindicate, as Justice Brandeis elegantly put it more than a century ago, "the right to be let alone." If upskirting can be made a misdemeanor, as the State of Maryland just did, this new practice, if it's not already covered by current sexual-assault statutes, should be made a felony before it catches on anywhere else in the world.

BB = Barely Bothersome or Big Bucks?

Yesterday's Japan Times reported that on Friday, May 19, the Osaka District Court ordered BB Technology Corp., a Yahoo! BB ISP, to pay 6,000 yen (about $53.75 at today's exchange rate) in compensation to each of five former or current BB subscribers for the theft of their personal data from BB Technology's server. [http://search.japantimes.co.jp/cgi-bin/nn20060520b1.html] On two occasions between June 2003 and January 2004, former employees of a company that was doing business with BB Technology reportedly stole personal information, including names, addresses, and telephone numbers, of about 11 million Yahoo! BB subscribers.

According to the article, the presiding judge said "the company failed to protect its customers' data from illegal access through such measures as regularly changing passwords." While the damages award is de minimis in this case, lawyers in Japan and elsewhere will likely pay close attention to the precedent it sets for future civil actions involving data breaches.

Fondly METI

Today's Japan Times reports that the Japanese Ministry of Economy, Trade, and Industry (METI) is planning to issue safety guidelines for future robots that will provide services in industry sectors such as nursing, security, and cleaning. [http://search.japantimes.co.jp/cgi-bin/nn20060521a7.html] METI officials reportedly indicated that "the guidelines will require manufacturers to install ample sensors to minimize the risk of the robots running into people and use soft lightweight materials so they do not cause harm if they do so," and to install emergency shut-off buttons.

The article's explanation for the demand for these new robots is "the looming labor shortage stemming from Japan's sharp population decline." It also says that METI plans to complete the guidelines by the end of this year, "after consulting with users at hospitals, event sites and other areas." It's too much to hope that the writers of the METI guidelines will find a way to squeeze in a citation to Asimov or Bester. Reet!

Click Once for Mail Fraud, Twice for Wire Fraud

One Internet-related criminal prosecution that has gotten surprisingly little public attention so far involves the hot topic of “click fraud.” On March 28, a federal grand jury in the Northern District of California indicted a man on charges of conspiracy, mail fraud, and wire fraud for allegedly running a “click fraud” scheme against the online business FreeRide from 2000 to 2002. [See http://www.usdoj.gov/usao/can/press/html/2006_03_29_tam.indictment.press.htm]

The press release by the U.S. Attorney’s Office alleges that the defendant obtained computer source code from his employer, K.C. Multimedia, and used that source code to develop a “robot” program for use on FreeRide’s website. [For the current FreeRide.com site, see http://www.freeride.com/signUp.out.php.] At the time, FreeRide offered a “rewards” program to Internet users, based on various online activities in which registered users engaged on the FreeRide site. These activities reportedly included viewing banner ads, completing consumer surveys, and purchasing products online. The indictment alleges that the defendant used the “robot” program he developed to fraudulently generate and accumulate FreeRide points by emulating activities on the FreeRide site, then redeemed those points for products that other Internet retailers, including Amazon, offered for sale.

Even though this may be the first federal prosecution for “click fraud” in the country, it’s interesting to note that so far the indictment got only passing attention from UPI [http://www.physorg.com/news62920503.html], the San Jose Mercury News [http://www.mercurynews.com/mld/mercurynews/news/columnists/14360231.htm], and a law firm [http://www.theregister.co.uk/2006/04/03/click_fraud_perpetrator_charged/].

Skimming the Surface of Japanese ATM Fraud

In the May 3 issue of the Daily Yomiuri Online, there’s an article about ATM fraud in Tokyo that, if the details are true, provides a fascinating glimpse into possible ties between traditional Japanese organized crime and Chinese identity-theft operations. [http://www.yomiuri.co.jp/dy/national/20060503TDY02001.htm] According to the article, an alleged gangster with ties to the Yamaguchi-gumi crime syndicate, Koji Shishido, was arrested by Tokyo Metropolitan Police on charges relating to an ATM fraud case.

Shishido reportedly told the Tokyo police on April 13 that in August 2005, he was sitting in a coffee house in Ueno, Tokyo, when a late-middle-aged Chinese man who spoke Japanese approached him. The man supposedly told Shishido that “he was counterfeiting ATM cards using [miniature] cameras [mounted near ATMs], and that he had a plan to use the cards to take money out of people's accounts." When the police asked why someone would approach him in that manner, Shishido reportedly replied – tongue presumably planted firmly in cheek – that "I guess he thought I looked and dressed like a gangster."

The deal that they struck gave Shishido a 20 percent commission on funds that were withdrawn using counterfeit ATM cards that the Chinese group helped to make. Shishido reportedly proceeded to recruit people from cellphone Internet message boards to participate in the ATM fraud scheme. At least 20 recruits “were put up in hotels in August in Asakusa, Tokyo, and near JR Sugamo Station, where they were based during their two months of repeated identity theft.” Also, cameras were mounted near ATMs of what was then UFJ Bank to record data on the bank's customers. To date, the Daily Yomiuri reports that 17 Japanese men and women, including Shishido, have been arrested in connection with the case.

One critical detail, however, is missing from the article. While the cameras could certainly record PINs that customers typed on the keypads, how did the counterfeit-card ring get the bank account numbers associated with the real customers’ cards? The most logical conclusion, given the speed with which bank customers would have approached ATMs and conducted transactions, would be skimmers mounted on the ATMs. Reports of portable credit-card skimmers in Japan go back to at least 2002 [http://search.japantimes.co.jp/print/features/media2005/fd20050130tc.htm], but the only reason to use cameras near the ATMs is to capture the PIN while the actual card is in the customer’s possession. Hand-held skimmers wouldn’t have fit the bill.

Last year, a Japanese Financial Services Agency panel that studied bank card-related crime recommended several measures to reduce the incidence of ATM fraud: replacing magnetic-stripe cards with integrated-circuit cards to make the cards harder to counterfeit, putting expiration dates on cards, lowering the maximum ATM withdrawal to perhaps 500,000 yen (equivalent at that time to a surprising US $4,585) per day, and considering changing the standard four-digit PIN to something more complex. [http://search.japantimes.co.jp/print/business/nb06-2005/nb20050625a2.htm] Curiously, there was no mention of measures to counteract ATM-mounted skimmers, even though those have been in use in Asia, Australia, New Zealand, and North America for some time. Nor is there any mention of ATM-mounted skimmers in other articles about ATM fraud in Japan. A substantial part of the story about ATM fraud trends in Japan has yet to be told.