FIDIS Deliverable D12.7: Identity-related Crime in Europe – Big Problem or Big Hype?
Countermeasures

Legal Measures

Criminal Law

No specific criminal provisions have been introduced to criminalize identity theft or identity fraud. Most cases of identity-related crime can be prosecuted on the basis of existing criminal provisions, either traditional ones, like theft, fraud, and forgery, or computer-related offences. With respect to the latter category, it is relevant that Germany is expected to ratify the Council of Europe Cybercrime Convention soon. The German Bundesrat passed the government’s draft ratification law on 9 September 2007 without objections or amendments. The Cybercrime Convention obliges the ratifying countries to adopt legislative measures to criminalize various forms of cybercrime. These forms, which under certain circumstances can be used to prosecute identity-related crime, are already largely regulated in German criminal law. In August 2007, a law changing the Penal Code was passed which aimed at adjusting the German Penal Code to the Cybercrime Convention as well as at transposing Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems. Table 4 presents a rough overview of the corresponding German provisions.

| Cybercrime Convention requirement | Applicable provision(s) in German Penal Code |
| --- | --- |
| illegal access to computer systems | §202a |
| illegal interception of non-public transmission of computer data to, from or within a computer system | §202a, §202b |
| data interference (intentional damaging, deletion, deterioration, alteration or suppression of computer data without right) | §303a |
| system interference (intentional hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data) | §303b |
| misuse of devices | §202c, §303b |
| computer-aided forgery | §269, §270 |
| computer-aided fraud | §263, §263a |
| content-related offences | §184, §184a, §184b, §184c |

Table 4. Cybercrime Convention and German criminal law

Security breach notification

Companies do not provide data on cases of identity fraud on a regular basis. In Germany, no security breach notification law is currently in place. In June 2006 the parliamentary group Bündnis 90/Die Grünen submitted a request to the German Bundestag, calling for the introduction of such a law. In this request, which is expected to be denied by the majority of members of parliament, the parliamentary group voices its concern regarding the ‘growing number of cases of Identity Theft’. Furthermore, the representatives refer to the security breach notification laws passed in California and several other US states, and call for strengthening affected citizens’ rights regarding improper use of data by private entities. The US approach is regarded as a promising way to fight criminal activities with regard to identity-related security breaches. Reference is made to the existing sanction powers of the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), and banking supervision institutions. The parliamentary group even calls for a claim for damages in case of a security breach as well as a provision regulating fines in case of violation of the notification obligation. Even though not explicitly mentioned in the request, these instruments would significantly increase pressure on private entities to implement state-of-the-art technical and organisational measures to prevent identity-related criminal activities. In addition to the financial consequences, a notification obligation may affect customers’ trust once a security breach has occurred.

In May 2007 the ‘Innenausschuss’ (Committee for interior issues) of the German Bundestag conducted a consultation on the ‘Modernization of Data Protection Law’. As the aforementioned request was part of the agenda, some of the invited experts addressed it and supported passing security breach notification legislation. One invited expert was of the opinion that a German security breach notification law should be addressed not only at private entities but also at public entities. However, she stated that a security breach notification law would damage the economy (due to the potential costs of notification via ordinary mail as well as the negative impact on private entities’ reputation in case of a security breach which was ‘not the company’s fault’). She therefore called for self-regulation of companies. The Federal Data Protection Commissioner supported security breach notification legislation, pointing to the fact that only when a security breach was brought to the attention of affected customers were they put in a position to take countermeasures or file a lawsuit for compensation of damages. The Federal Data Protection Commissioner highlighted in his opinion that the market would ‘punish’ companies unable to process and protect data appropriately if a security breach was brought to the attention of affected customers. The Commissioner further indicated that US companies are known to have put far greater effort into implementing a strategy for better data protection after security breach laws had been passed, and that security breach laws in general help to limit customers’ damages by enabling them to take countermeasures. The Privacy Commissioner of Berlin supported this view and stated that transparency with regard to security breaches fosters the implementation of preventive measures as well as a quick response to actual breaches. Finally, he supported the Art. 29 Data Protection Working Party’s Opinion 8/2006 on the review of the regulatory framework for electronic communications and services, which advocates requiring notification of security breaches by network operators, ISPs, data brokers, banks and other online service providers.

The German Association for Data Protection and Data Security (GDD) voiced its concerns regarding the proportionality of a security breach notification law. According to GDD, private entities should be obliged to notify customers only in case of a ‘severe’ infringement of personal rights; GDD regards a general obligation to notify of any security breach as an ‘inadequate burden’ for companies. Finally, the Deputy Privacy Commissioner of Schleswig-Holstein pointed to existing international management standards which already today include obligations to notify according to the severity of the security incident in question. In this light he regards security breach notification as part of a Data Protection Management Process (DPMP). He further stresses that security breach notification would foster competition on privacy-compliant technologies and on processes assuring compliance.

Technical and organisational measures

The Federal Office for Information Security’s IT Security Report 2007 describes countermeasures taken by the German government as follows: ‘Main measures of the Federal Government for ensuring a secure electronic identity and for protection against identity theft are the introduction of an electronic ID card and funding for citizen portals within the framework of the E-Government 2.0 campaign. Both projects enable binding authentication of citizens and service providers in the electronic world.’ Recently the German government has commissioned several analyses regarding technical and legal requirements of such a citizen portal. This initiative is called Bürgerportale.

Security measures have been implemented in the banking sector, aimed at combating phishing activities during online banking. These include awareness measures and technical measures. In online banking, many banks are offering, in addition to simple TAN/PIN or iTAN procedures, the eTAN, eTANplus and mTAN procedures as well as HBCI (Home Banking Computer Interface) or FinTS (Financial Transaction Services) interfaces.

TANs (transaction authentication numbers) were introduced for online banking services as single-use passwords in addition to the permanent PIN (personal identification number), which is set by the customer or provided to the customer, usually upon registration for the online banking service. The bank customer receives a letter with a list of usually 50 TANs, each 8 characters long. Every subsequent transaction has to be verified with any as yet unused TAN from the list. The bank then verifies the TAN against the list issued to the customer.

It is common for banks to use iTANs (indexed TANs) today. This means the TANs are numbered and for every transaction made online the bank requests a specific TAN for verification. This method is considered to provide higher security than the ordinary TAN procedure, but it can be attacked by means of a man-in-the-middle attack. When iTANs were introduced by Deutsche Bank and Postbank in 2005, experts from Bochum University’s ‘Arbeitsgruppe Identitätsschutz im Internet’ were able to successfully attack the method within one day. The attack involved two steps. First the customers were tempted to visit a forged website resembling the real bank website. By pretending that a ‘security check’ was required, customers were motivated to enter their bank account number and their online banking PIN. With these data the experts logged into the victim’s online banking account and initiated a transaction. The iTAN requested by the bank for verification purposes was then obtained from the customer, likewise by means of the simulated ‘security check’.

A further security procedure offered for online banking is eTANs (electronic TANs). Instead of TANs physically sent to the customer on a list, the customer receives a TAN generator. During an online banking transaction the bank generates a check number which the customer enters into the TAN generator. The device then generates an eTAN which can be used to verify the transaction. The algorithm used to generate the eTAN is known only to the bank issuing the TAN generator. An eTAN is valid only for a restricted period of time.

Further security features are implemented with the eTANplus method. The customer receives a TAN generator device into which he has to insert his debit card. Similar to the eTAN method, the bank provides a check number during the online transaction process, which the customer enters via a key pad into the TAN generator. Generating the eTAN then takes into account information specific to the transaction requested by the customer (for example the designated remittee’s bank account number and the amount of the transaction) as well as a key stored on the debit card. This measure is considered more secure than the TAN/iTAN approach.
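The two verification models described above, the indexed list (iTAN) and the transaction-bound generator code (eTANplus), differ in exactly one property: whether the bank's check of the code involves the transaction content. The following Python sketch is an added example, not code from the FIDIS deliverable or from any bank; the HMAC-based derivation, the six-digit truncation, the five-minute validity window and all keys, account numbers and TAN values are this example's own constructed choices. It shows, from the bank's side, why a code disclosed on a fake ‘security check’ page for one transfer also passes for a different transfer under the iTAN check, and why the same relay fails against a transaction-bound, single-use, time-limited code.

```python
"""Added example, not from the FIDIS deliverable: two toy TAN verifiers.

The iTAN check compares a code against a numbered list and ignores the
transaction. The eTANplus-style check derives the code from a card key, the
bank's check number and the remittee/amount on file, so a code computed for
one transfer does not validate another. All values are constructed samples.
"""
import hashlib
import hmac
import secrets
import time


class ITanVerifier:
    """iTAN: numbered single-use codes, unrelated to transaction content."""

    def __init__(self, tan_list):
        # index -> TAN, mirroring the numbered paper list sent by post
        self.tans = dict(enumerate(tan_list, start=1))
        self.used = set()

    def request_index(self):
        # the bank chooses which list entry it wants for the next transaction
        return secrets.choice([i for i in self.tans if i not in self.used])

    def verify(self, index, tan, transaction):
        # 'transaction' is deliberately unused: the check only compares the code
        # with the list, so a code obtained for one transfer also validates any
        # other transfer the bank is asked to execute with it.
        if index in self.used or self.tans.get(index) != tan:
            return False
        self.used.add(index)
        return True


class BoundTanVerifier:
    """eTANplus-style TAN: card key + check number + transaction details,
    valid for a short window and consumed on first use."""

    VALIDITY_SECONDS = 300  # example choice, not a bank's actual setting

    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.pending = {}  # check number -> (transaction on file, issue time)

    def start(self, transaction, now=None, check=None):
        # bank side: record the transaction as received, issue a check number
        check = check or secrets.token_hex(4)
        self.pending[check] = (dict(transaction), time.time() if now is None else now)
        return check

    @staticmethod
    def generate(card_key, check, transaction):
        # customer side: what the generator computes from the card key, the
        # typed check number and the remittee/amount the customer types in.
        # HMAC-SHA256 truncated to six digits is this example's construction.
        msg = f"{check}|{transaction['remittee']}|{transaction['amount_cents']}".encode()
        digest = hmac.new(card_key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def verify(self, check, tan, now=None):
        # single use: the pending entry is consumed whether or not it matches
        entry = self.pending.pop(check, None)
        if entry is None:
            return False
        on_file, issued = entry
        if (time.time() if now is None else now) - issued > self.VALIDITY_SECONDS:
            return False
        # recompute over the transaction the bank actually holds; a code the
        # customer computed for a different remittee/amount will not match
        expected = self.generate(self.card_key, check, on_file)
        return hmac.compare_digest(expected, tan)


# constructed sample data (not real keys or accounts)
CARD_KEY = b"sample-card-key-not-real"
LEGIT = {"remittee": "DE00111122223333444455", "amount_cents": 4999}
DIVERTED = {"remittee": "DE00999988887777666655", "amount_cents": 250000}


def relayed_itan_accepted():
    """Customer reveals list entry #2 on a fake page; it passes for DIVERTED."""
    bank = ITanVerifier(["A1B2C3D4", "E5F6G7H8", "J9K1L2M3"])
    return bank.verify(2, "E5F6G7H8", DIVERTED)


def relayed_bound_tan_accepted():
    """Bank holds DIVERTED, customer's generator was fed LEGIT: rejected."""
    bank = BoundTanVerifier(CARD_KEY)
    check = bank.start(DIVERTED, now=1000, check="c0ffee01")
    tan = BoundTanVerifier.generate(CARD_KEY, check, LEGIT)
    return bank.verify(check, tan, now=1010)


def honest_bound_tan_accepted():
    """Matching transaction passes once; replaying the same code fails."""
    bank = BoundTanVerifier(CARD_KEY)
    check = bank.start(LEGIT, now=1000, check="c0ffee02")
    tan = BoundTanVerifier.generate(CARD_KEY, check, LEGIT)
    return bank.verify(check, tan, now=1010), bank.verify(check, tan, now=1011)


def expired_bound_tan_accepted():
    """A correct code presented after the validity window is rejected."""
    bank = BoundTanVerifier(CARD_KEY)
    check = bank.start(LEGIT, now=0, check="c0ffee03")
    tan = BoundTanVerifier.generate(CARD_KEY, check, LEGIT)
    return bank.verify(check, tan, now=301)
```

The point for a defender is in `verify`: the iTAN verifier has no way to tell which transfer the customer meant to authorise, while the bound verifier recomputes the code over the transaction it actually has on file, so relayed codes, replays and late submissions all fail without any change to how the customer is phished.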

Furthermore, online banking can be conducted using HBCI banking (Home Banking Computer Interface). HBCI is a German bank-independent protocol for electronic banking adopted by the Central Credit Committee (Zentraler Kreditausschuss – ZKA) and in use by German banks. The customer has to install homebanking software on the computer used for online banking and connects to the bank’s HBCI server using that software rather than a web browser. In addition, customers need an HBCI-enabled card reader device. During an online banking transaction the customer inserts his debit card into the reader and enters the debit card PIN via the reader’s key pad. The card electronically signs the transaction. HBCI has subsequently been refined and renamed FinTS (Financial Transaction Services). More than 2,000 banks support the FinTS specification.

A different way to receive a one-time TAN is the mTAN (mobile TAN) method. The customer requests a TAN by submitting a filled-in transaction form on the online banking website. A TAN is then sent to the customer’s registered mobile phone as a text message. The TAN is valid only for the ongoing transaction, and the customer then has to finalize the transaction by entering the TAN.

A new approach reported by American banks is the use of biometric authentication during online banking. The PARDA Federal Credit Union (23,000 customers) is using a software-based solution called BioPassword. This software analyzes the customers’ individual key stroke pattern upon entering user name and password. The interval between two keystrokes (called “flight time”) is measured as well as the duration of pressing a key.
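The paragraph above names the two timing features such a system measures, the hold time of a key and the ‘flight time’ between keystrokes. The following Python code is an added example and is not the BioPassword product’s algorithm nor code from the deliverable; the feature vector, the z-score comparison, the 5 ms standard-deviation floor, the decision threshold and all keystroke timings are this example’s own constructed choices. It derives both features from key-down/key-up timestamps, builds a profile from several enrollment typings of the same string, and scores a new typing against it, so a reader can see what a keystroke-rhythm check actually compares and why an impostor who knows the correct password can still be rejected.

```python
"""Added example, not from the deliverable or from BioPassword: a toy
keystroke-dynamics check over constructed timings (milliseconds).

Features: dwell time (key held) and flight time (gap between releasing one
key and pressing the next). A profile stores per-position mean and standard
deviation from enrollment samples; a new sample is scored by its mean
absolute z-score against that profile.
"""
from statistics import mean, pstdev

SIGMA_FLOOR_MS = 5.0   # example choice: avoid division by a tiny spread
THRESHOLD = 2.0        # example choice: mean |z| above this is rejected


def features(events):
    """events: list of (key, down_ms, up_ms) in typing order.
    Returns (dwell_times, flight_times)."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell, flight


def enroll(samples):
    """Profile from several typings of the same string: a list of
    (mean, sigma) per feature position."""
    vectors = [sum(features(s), []) for s in samples]
    if any(len(v) != len(vectors[0]) for v in vectors):
        raise ValueError("all enrollment samples must type the same string")
    columns = zip(*vectors)
    return [(mean(c), max(pstdev(c), SIGMA_FLOOR_MS)) for c in columns]


def score(profile, sample):
    """Mean absolute z-score of one typing against the profile (lower is closer)."""
    vector = sum(features(sample), [])
    if len(vector) != len(profile):
        raise ValueError("sample does not match the enrolled string length")
    return mean(abs(x - m) / s for x, (m, s) in zip(vector, profile))


def matches(profile, sample, threshold=THRESHOLD):
    return score(profile, sample) <= threshold


# constructed enrollment data: three typings of the four keys "p", "a", "s", "s"
ENROLLMENT = [
    [("p", 0, 90), ("a", 150, 230), ("s", 300, 380), ("s", 450, 530)],
    [("p", 0, 95), ("a", 160, 240), ("s", 310, 395), ("s", 460, 540)],
    [("p", 0, 85), ("a", 150, 235), ("s", 305, 380), ("s", 455, 535)],
]
# constructed login attempts: same characters, different rhythm
GENUINE = [("p", 0, 90), ("a", 155, 235), ("s", 305, 385), ("s", 455, 535)]
IMPOSTOR = [("p", 0, 60), ("a", 200, 250), ("s", 320, 370), ("s", 520, 570)]

PROFILE = enroll(ENROLLMENT)


def decide(sample):
    """Convenience wrapper returning (accepted, score) for a login attempt."""
    return matches(PROFILE, sample), round(score(PROFILE, sample), 2)


if __name__ == "__main__":
    print("genuine :", decide(GENUINE))
    print("impostor:", decide(IMPOSTOR))
```

Because the profile only captures rhythm, this check is a supplement to, not a replacement for, the password itself; the `SIGMA_FLOOR_MS` floor matters in practice, since a feature whose enrollment samples happened to be identical would otherwise reject any genuine deviation at all.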
