From: Robert Hettinga <rah@shipwright.com>
Date: Fri, 7 Nov 1997 13:36:28 +0800
To: cypherpunks@cyberpass.net
Subject: From Our Friends at the Fed
Message-ID: <v0311070eb08852eb87a8@[139.167.130.248]>
MIME-Version: 1.0
Content-Type: text/plain




--- begin forwarded text


Mime-Version: 1.0
Date: Thu, 6 Nov 1997 20:23:25 -0800
From: jmuller@brobeck.com (John D. Muller)
Subject: From Our Friends at the Fed
To: rah@shipwright.com
X-MIME-Autoconverted: from quoted-printable to 8bit by pop.sneaker.net id
XAA28997

     Thought this missive from the Federal Reserve (SR Letter 97-28 for
     those who insist on a formal citation) might be of interest.  Not sure
     if it's e$ or dcsb or cypherpunk-type material or none of the above,
     so I punt and let you decide.  Cheers.

     John Muller
     mailto:jmuller@brobeck.com



     ----------------------------------------------------------------------
     --
     Suggested Cover Letter


     To the Chief Executive Officer or General Manager of Each State Member
     Bank, Bank Holding Company, State Chartered, Non-Insured U.S. Branch
     or Agency of a Foreign Bank, and Edge and Agreement Corporation in
     Your District


     Dear ______________________:


              The Federal Bureau of Investigation, working with Federal
     Reserve staff and representatives from the other federal banking
     agencies as well as other federal law enforcement agencies, developed
     the attached guidance concerning the reporting of violations of the
     federal criminal statute relating to computer crimes, 18 U.S.C.
     ß 1030 (Fraud and Related Activity in Connection with Computers) in
     Suspicious Activity Reports (SARs).  The guidance is intended to
     facilitate the timely and accurate reporting of apparent violations of
     this law to law enforcement and bank supervisory agencies.


               The guidance describes the provisions of 18 U.S.C. ß 1030
     and gives some examples of conduct that may violate the law.  It also
     tells you how to report violations in a SAR.


               We would appreciate you bringing this matter to the
     immediate attention of all personnel in your organization responsible
     for reporting suspicious activity.


               In the event you have any questions concerning this matter,
     please contact __________________________.


     Sincerely,


     [Reserve Bank Official]





     Attachment




     ----------------------------------------------------------------------
     --



     GUIDANCE CONCERNING THE REPORTING OF COMPUTER-RELATED CRIMES
     BY FINANCIAL INSTITUTIONS



              This guidance is provided in order to explain the federal
     criminal statute relating to computer crimes, 18 U.S.C. ß 1030, and to
     ensure the timely and accurate reporting of apparent violations of the
     statute to law enforcement authorities.


     Background


              Regulations issued by the Federal Reserve, OCC, FDIC, OTS,
     and NCUA generally require banks, thrifts, credit unions, the U.S.
     branches and agencies of foreign banks, and other types of financial
     institutions to file Suspicious Activity Reports (SARs) whenever they
     detect any known or suspected federal criminal law violation or
     suspicious activity.  The SAR system facilitates the reporting of
     suspected criminal activity and money laundering in a standard format
     to a single collection point, from which the information may be
     rapidly disseminated to appropriate law enforcement agencies.  SARs
     play a critical role in collecting information about criminal activity
     affecting the financial community.  Under the five financial
     institutions supervisory agencies' current SAR rules, a financial
     institution is required to report any known or suspected criminal law
     violation involving an insider, regardless of amount.  A financial
     institution is also required to report any known or suspected federal
     criminal law violation that involves or aggregates more than $25,000
     in the event no suspect can be identified--a threshold that drops to
     $5,000 if a potential suspect can be identified.


               The current SAR form includes in Part III, Box 37, a listing
     of 17 various categories of criminal law violations and suspicious
     activities that a financial institution can check.  The categories
     include check, credit and wire transfer fraud,
     defalcation/embezzlement and mysterious disappearances, and also
     include a general category under "Other" that is to be used in the
     event the offense or activity does not appear to fit any of the
     delineated types of crimes.  There is no category in Part III, Box 37,
     specifically reserved for violations of the provisions of the U.S.
     criminal code relating to computer crimes--18 U.S.C. ß 1030 (Fraud and
     Related Activity in Connection with Computers).


     Criminal Law Relating to Computers


                Computers and computer networks are at the heart of
     operations of a modern financial institution.  Criminals--both inside
     and outside of financial institutions-- recognize the potential
     vulnerability of computer systems.  Consequently, financial
     institutions must be cognizant of the federal computer crime law, 18
     U.S.C. ß 1030. This statute specifically includes as a "protected
     computer," among other computers shielded by the statute, any computer
     exclusively for the use of a financial institution, or, if not
     exclusively for such use, used by or for a financial institution where
     the conduct constituting the offense affects that use.


                 Financial institutions should pay particular attention to
     three provisions of 18 U.S.C. ß 1030.  Section 1030(a)(2) specifically
     prohibits intentionally accessing a protected computer to obtain
     certain kinds of information without authority or in excess of
     authority.  Not only does it generally prohibit improperly obtaining
     information from any "protected" computer, but it specifically
     prohibits improperly obtaining information contained in a "financial
     record" of a financial institution.  The provision may also apply to
     an individual who hacks into a financial institution computer system.
     "Financial record" is defined as information derived from any record
     held by a financial institution pertaining to a customer's
     relationship with the institution.


                 Another provision applicable to financial institutions is
     the prohibition on using a "protected" computer without authorization
     or in excess of authorization to commit fraud.  The provisions of 18
     U.S.C. ß 1030(a)(4) criminalize the knowing use of a protected
     computer without authorization or in excess or authorization with
     intent to defraud, and by means of such conduct furthering the
     intended fraud and obtaining anything of value.  Thus, an individual
     who intentionally uses another person's home banking software and
     purloins that person's password in order to transfer money
     fraudulently into his or her personal bank account has committed a
     crime.


                  The third provision--18 U.S.C. ß 1030(a)(5)--with
     applications to financial institutions is the prohibition on
     intentional access without authorization that results in "damage" to a
     protected computer.  Damage is defined to include any impairment to
     the integrity or availability of data, a program, a system, or
     information that causes loss aggregating at least $5,000 in value
     during any one-year period.  An example may involve a disgruntled
     former employee who maintains a "back door" into the computer system
     and uses it to introduce a virus that disrupts the system.  Another
     example may involve an intruder who causes a system outage by flooding
     an institution's computer system with e-mail requests for information.


                 Other provisions of 18 U.S.C. ß 1030 applicable to
     financial institutions include subsection (a)(6), which outlaws
     trafficking in passwords knowingly and with intent to defraud.
     Subsection (a)(7) prohibits transmitting threats to cause damage to a
     protected computer with intent to extort money or any other thing of
     value from any legal entity, specifically including financial
     institutions.  This prohibition applies regardless of whether any
     actual damage is caused, or whether the offender actually had the
     ability to cause such damage.


                A violation of 18 U.S.C. ß 1030 can result in a fine or
     imprisonment for up to ten years.


     Guidance


                A financial institution should report on a SAR any activity
     that appears to be violative of 18 U.S.C. ß 1030.  If a reportable
     offense is detected, a financial institution should check Box 37r,
     marked "Other", and describe as completely as possible in Part VII,
     the narrative section of the SAR, the nature of the illegal or
     suspicious activity.

--- end forwarded text



-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/
Ask me about FC98 in Anguilla!: <http://www.fc98.ai/>