Wednesday, June 29, 2011

Computer Theft and “Access”

This post examines a recent decision from the Superior Court of New Jersey – Appellate Division. The case is State v. Kin Chi Wong, 2011 WL 2437225 (2011), and it arises from Wong’s conviction on second-degree computer theft in violation of New Jersey Statutes § 2C:20-25 and third-degree theft by deception in violation of New Jersey Statutes § 2C:20-4. State v. Kin Chi Wong, supra.

We’re only concerned with the computer theft conviction which arose from what the opinion refers to as an “elaborate scheme” in which Kin Chi Wong opened four

accounts at TD Bank, when it was Commerce Bank. . . . Two . . . were in the name of Yi Han Zheng and the other(s) were in the name of Xi Yi Gao.

[F]rom November 2006 to August 2007, . . . Commerce Bank had a policy of making funds readily available to its customers on the next business day after a check was deposited into an account. Following several legitimate deposits into the Zheng accounts, a series of checks, in amounts such as $20,000 and $50,000, were deposited [and] were then immediately drawn upon by use of a Visa card linked to the accounts.

Numerous cash advances were taken against the accounts through the Global Cash Access (GCA) computer system at Trump Plaza Casino in Atlantic City (Trump). . . .

The deposited checks were subsequently determined to be void for insufficient funds, and the Zheng accounts became overdrawn. When the bank closed the two Zheng accounts for fraudulent activity in December 2006, the combined loss on the accounts was $25,622.98.

About one week before the bank closed the Zheng accounts, checking and savings accounts were opened in the name of Xi Yi Gao at another branch in New York. These accounts were also linked to a Visa debit card. The same pattern ensued: a series of legitimate deposits were made into the accounts, followed by a series of larger deposits, which were immediately drawn upon by use of the debit card before the checks in question proved void for insufficient funds. The Visa card was used to make a series of withdrawals through the GCA service at Trump in August 2007. The bank closed the Gao accounts in September 2007 for fraudulent activity; the bank's loss on the two accounts totaled $52,068.02.

State v. Kin Chi Wong, supra.

Commerce Bank investigative analyst Kelly Loverdi, who was assigned to the Gao case "[i]dentified a “connection to the Zheng accounts, as the same maker deposited checks in Gao and Zheng's accounts.” State v. Kin Chi Wong, supra. She contacted State Police Detective Eric Hubbs in January 2008 about “the GCA transactions at Trump.” State v. Kin Chi Wong, supra. She gave Hubbs “dates in November 2006 and August 2007” and he obtained surveillance tapes of logs for those dates. State v. Kin Chi Wong, supra. On April 20, 2008, a surveillance officer at Trump contacted Hubbs and told him “Xi Yi Gao was in the casino.” State v. Kin Chi Wong, supra. State troopers responded and arrested a man who “identified himself as Kin Chi Wong.” State v. Kin Chi Wong, supra.

When he was arrested, Kin Chi Wong was carrying three New York driver’s licenses in the names of

Kin Chi Wong, Yi Han Zheng and Xi Yi Gao; two Trump player cards, a Total Rewards card and a Hilton Casino player card in the name of Xi Yi Gao; a Bank of America Visa card in the name of Zhang Wei Guang; a Capital One Platinum card in the name of Yuet M. Chik; a Washington Mutual Visa card in the name of Xiu Qi; a Chase Visa card in the name of Xiu F. Qi; a Citibank Mastercard in the name of Xiu Fang Qi; an ATM receipt for a $2004 withdrawal from the Citibank Mastercard in Qi's name; an Auction Access card in the name of Kin Chi Wong; and a guest card receipt from Trump.

State v. Kin Chi Wong, supra. After reviewing these documents, surveillance tapes and photographs “from both Trump and the bank,” Hubbs determined that Kin Chi Wong was the person who “`was using different identifications . . . at the bank as well as in the casino”. State v. Kin Chi Wong, supra.

As noted above, based on all this and other evidence, Kin Chi Wong was charged with computer theft in violation of New Jersey Statutes § 2C:20-25. We’ll get to the nature and elements of that charge in a minute. First, we need to review testimony on which the prosecution relied to prove the charge at trial:

Marianne Simpson works at the GCA facility in Trump. She described GCA as a company that allows people to `take advances on their credit cards. . . . [GCA is] like the middleman.’ She described the process . . .as follows:

`They could . . . go to the A.T.M., and the A.T.M. would give them the funds or . . . process the receipt which would tell them to go to the cashier. If they . . . took the receipt, came to the cashier, the cashier would take their ID, their credit card, run it through the computer, make sure all the information: customer's name, address, ID, was in the system, then it would print up a check. On the back of the check, we would emboss the credit card, time stamp it with our time stamp, and have the customer initial the fee and sign the front of the check. Then we would compare the . . . signature on the check to the one on the credit card and the ID. . . .'

`[I]f they swipe it through the A.T.M., then when we swipe it at the cage, it processes it through with the dollar amount, but if they come right to us, we . . . follow the same . . . procedures. We just have to put in the dollar amount they requested.’

Simpson [said] GCA services are provided through a computer system, and each cashier has a terminal. She identified a series of GCA-issued checks in the names of Zheng, from November 2006 and Gao, from August 2007. The checks indicated that a Visa credit card was used for the transactions.

Alexis Esquilin, an employee of GCA, described the service and its processes in greater detail. At Trump, casino employees run GCA's service. The equipment GCA provides to process transactions is a computerized, `web-base[d]’ product. Once the cashier is satisfied with the identification presented by the customer, such as `a driver's license . . . or a passport[,]’ the cashier `run[s] the transaction through a kiosk or a terminal at which time it goes out to [GCA's] authorization center. It then in return goes out to the issuing bank. They either accept or decline the transaction based upon available funding. [It g]oes back to [GCA's] authorization center at which time the cashier gets a message either to print the check or that the transaction's been declined.’

State v. Kin Chi Wong, supra.

This evidence was, as I noted above, submitted to prove the computer theft charge. Under New Jersey Statute § 2C:20-25(c), a “person is guilty of” computer-related theft if he/she “purposely or knowingly and without authorization” accesses or attempts to

access any data, data base, computer, computer storage medium, computer program, computer software, computer equipment, computer system or computer network for the purpose of executing a scheme to defraud, or to obtain services, property, personal identifying information, or money, from the owner of a computer or any third party. . . .

The offense is a “crime of the second degree” if “the value of the services, property, personal identifying information, or money obtained or sought to be obtained exceeds $ 5,000” (which doesn’t seem a problem here). New Jersey Statute § 2C:20-25(g).

Kin Chi Wong argued, at trial and again on appeal, that the prosecution didn’t prove beyond a reasonable doubt that he “accessed” a computer as that term is used in New Jersey Statute § 2C:20-25(c). State v. Kin Chi Wong, supra. According to this opinion, he “interpret[ed] the statute as requiring that he personally operate the computer in the course of `executing a scheme to defraud, or to obtain . . . money, from the owner of a computer or any third party.’” State v. Kin Chi Wong, supra. It's not an obviously specious argument; as I’ve probably noted in earlier posts, and as those familiar with the evolution of “hacking” and computer intrusion crimes know, they have traditionally involved perpetrators who personally “broke into” a computer system, either for the sake of simply gaining “access” to the system or for the purpose of facilitating a crime such as theft or fraud.

The Appellate Division pretty summarily rejected this interpretation of the statute, noting that it was “satisfied that such a strained interpretation finds no support in the statute and, in fact, is inconsistent with the broader language prohibiting `otherwise mak[ing] use’ of a computer for a fraudulent purpose.” State v. Kin Chi Wong, supra.

As to the “broader language”, the court first pointed out that the “legislative history of the computer theft statutes indicates that `[t]he intent of th[e] bill [was] to provide a comprehensive approach to prosecuting the increasing varieties of computer abuse.’” State v. Kin Chi Wong, supra (quoting Assembly Judiciary Committee, Statement to A–1301 (March 26, 1984)). It then noted that the “statutory definition of `access’ is consistent with such a `comprehensive approach.’” State v. Kin Chi Wong, supra.

As to the second point, New Jersey Statute § 2C:20-23(a) defines “access” as “to instruct, communicate with, store data in, retrieve data from, or otherwise make use of any resources of a computer, computer storage medium, computer system, or computer network.” The question, then, was whether Kin Chi Wong had engaged in any of the acts that constitute “access”.

I don’t have the briefs in the case so I can’t be sure precisely what his argument was, but I think this passage from the Appellate Division at least suggests what his theory was:

Esquilin did not specifically testify that either the cashier or the customer `swiped’ the credit card at the cashier's terminal. The prosecutor asked, `what kind of system is used to . . . facilitate the communication between the card being swiped, your authorization center, the authorizing bank, and then back to the authorization center?’ (Emphasis added.) Esquilin responded with the name of the product, `K.C.P.W.,’ which she described as a web-based product[,]’ meaning `it's all done through the Internet . . . via computer’ [and did not] correct or otherwise comment on the prosecutor's reference to a card `being swiped.’

State v. Kin Chi Wong, supra.

The Appellate Division did not find process of “swiping” a card relevant to the state’s case against Kin Chi Wong:

The testimony of Simpson and Esquilin established beyond a reasonable doubt that GCA's services are provided by computer, including access to the Internet. It is of no moment whether defendant or a cashier swiped the Visa card at the terminal in the GCA kiosk, or whether defendant used that card first at an A.T.M. machine to produce a receipt upon which GCA relied in accessing the cash on his behalf through its computer, The evidence clearly established that defendant `ma[d]e use of’ the `resources of’ GCA's “computer . . . [and] computer network.’

State v. Kin Chi Wong, supra. The court also found that the evidence proved that

defendant `ma[d]e use of’ GCA's computer/network services to obtain cash fraudulently [as required by the New Jersey Statutes § 2C:20-25(c)]. [He was clearly aware of the bank's `immediate access’ policy and took advantage of that policy to make withdrawals immediately upon the deposits of the insufficiently funded checks.

State v. Kin Chi Wong, supra.

No comments: