This is a reproduction of a library book that was digitized

by Google as part of an ongoing effort to preserve the

information in books and make it universally accessible.

https://books.google.com
IT.PUB
B]
+
COUNTERFEIT ACCESS DEVICE AND COMPUTER
B9 / 1 FRAUD AND ABUSE ACT
B/144
UNIVERSITY OF CA RIVERSIDE, LIBRARY

3 1210 02495 4552

HEARINGS
BEFORE THE

SUBCOMMITTEE ON CRIME
OF THE

COMMITTEE ON THE JUDICIARY

HOUSE OF REPRESENTATIVES
NINETY-EIGHTH CONGRESS
FIRST AND SECOND SESSION

ON

H.R. 3181 , H.R. 3570, and H.R. 5112

COUNTERFEIT ACCESS DEVICE AND COMPUTER FRAUD AND ABUSE
ACT

SEPTEMBER 29 , NOVEMBER 10 , 1983 , AND MARCH 28, 1984

Serial No. 144

UNIVERSITY OF CALIFORNIA
RIVERSIDE

MAR 19 1985

GOVERNMENTLIB
PUBRAR
LICY
ATIONS DEPT.
11 Do na to

Printed for the use of the Committee on the Judiciary

U.S. GOVERNMENT PRINTING OFFICE

38-178 O WASHINGTON : 1984
 COMMITTEE ON THE JUDICIARY
PETER W. RODINO, JR., New Jersey, Chairman
JACK BROOKS, Texas HAMILTON FISH , JR. , New York
ROBERT W. KASTENMEIER , Wisconsin CARLOS J. MOORHEAD, California
DON EDWARDS, California HENRY J. HYDE, Illinois
JOHN CONYERS, JR., Michigan THOMAS N. KINDNESS, Ohio
JOHN F. SEIBERLING , Ohio HAROLD S. SAWYER, Michigan
ROMANO L. MAZZOLI, Kentucky DAN LUNGREN, California
WILLIAM J. HUGHES, New Jersey F. JAMES SENSENBRENNER, JR. ,
SAM B. HALL, JR . , Texas Wisconsin
MIKE SYNAR, Oklahoma BILL McCOLLUM , Florida
PATRICIA SCHROEDER , Colorado E. CLAY SHAW, JR., Florida
DAN GLICKMAN, Kansas GEORGE W. GEKAS, Pennsylvania
BARNEY FRANK , Massachusetts MICHAEL DEWINE, Ohio
GEO. W. CROCKETT, JR . , Michigan
CHARLES E. SCHUMER , New York
BRUCE A. MORRISON, Connecticut
EDWARD F. FEIGHAN , Ohio
LAWRENCE J. SMITH, Florida
HOWARD L. BERMAN, California
FREDERICK C. BOUCHER, Virginia
ALAN A. PARKER, General Counsel
GARNER J. CLINE, Staff Director
ALAN F. COFFEY, Jr. , Associate Counsel

SUBCOMMITTEE ON CRIME

WILLIAM J. HUGHES, New Jersey, Chairman

CHARLES E. SCHUMER , New York HAROLD S. SAWYER, Michigan
BRUCE A. MORRISON , Connecticut E. CLAY SHAW, JR., Florida
EDWARD F. FEIGHAN, Ohio F. JAMES SENSENBRENNER, JR.,
LAWRENCE J. SMITH, Florida Wisconsin
HAYDEN W. GREGORY, Counsel
EDWARD O'CONNELL, Assistant Counsel
CHARLENE VANLIER, Associate Counsel
( II )
 CONTENTS

HEARINGS HELD
Page
September 29, 1983 1
November 10 , 1983 ..... 147
March 28, 1984 .......... 201
Opening statement of Hon. William J. Hughes ... 11
TEXT OF BILLS

H.R. 3570 ........ 3

H.R. 3181 .... 7
H.R. 5112.......... 203

WITNESSES

Bequal, August, attorney at law, Washington, DC 46

Prepared statement 58
Carlon, Joseph, Acting Assistant Director, U.S. Secret Service 164
Prepared statement 165
Clarke, Floyd I., Deputy Assistant Director, Criminal Investigative Division,
FBI ........ 159
Prepared statement 162
Dreifus, Henry N., president, CORPRA Research , Rosemont, PA 256
Prepared statement ....... 259
Falco, James F., assistant State attorney, consumer fraud and economic crime
division , 11th Judicial Circuit of Florida 221
Prepared statement ............. 227
Farnon , Robert L , vice president, Mid-Atlantic National Bank-Citizens, Engle
wood Cliffs, NJ ........... 79
Prepared statement 119
Fish, Hon. Hamilton, Jr., a Representative in Congress from the State of New
York ........ 13
Prepared statement 17
Hoadley, Robert A., international vice president, Data Processing Manage 79
ment Association , Park Ridge, IL
Prepared statement ...... 82
Hoyo, Arturo, incarcerated credit card violator, Federal Correction Institute,
Tallahassee, FL ............. 32
Prepared statement ............. 36
Johnson , Donald E. , chief counsel , Pennsylvania Crime Commission , St.
Davids, PA ......... 177
Prepared statement 178
Karchmer , Clifford L., Law and Justice Program , Human Affairs Research
Center, Battelle Institute ...... 295
Prepared statement .... 313
153
Keeney , John C. , Deputy Assistant Attorney General, Department of Justice ...
Prepared statement ........ 154
Kelleher, Thomas, vice president of security, Mastercard International Inc 79
Prepared statement ..... 94
Maisch ,Wilhelm , general manager, U.S. Postal Inspection Service .... 156
Prepared statement 157
Minot, George M. , senior vice president, CompuServe, Inc ........ 295
Prepared statement ... 299
Miller, Wilbur C. , president, Drake University 209
Prepared statement .... 211

( III )
 ( iv )
Page
Nellis, Joseph L. , counsel, Spriggs, Bode, and Hollingsworth, Washington ,
DC .......... 79
Nelson, Hon . Bill, a Representative in Congress from the State of Florida ......... 25
Neumann, William D. , vice president of security, Visa International, Inc. 79
Prepared statement ........ 90
Nycum, Susan (Gaston, Snow & Ely Bartlett, Palo Alto CA )............ 179
Prepared statement 180
Ortega, Alex, detective, economic crime unit, Metro-Dade County Police De 32
partment, Miami, FL ............
Waal, Peter C. , vice president, marketing, GTE Telenet, Vienna, VA 183
Prepared statement ... 184
Shriver, Richard H. , Assistant Secretary of the Treasury . 149
Prepared statement 150
Siegel, Bernard L. , deputy district attorney for investigations, Philadelphia,
PA ..... 46
Prepared statement .... 48
Weinstein , Steven, vice president, corporation strategy technology, American
Express, Inc ................ 256
Prepared statement 277

ADDITIONAL MATERIAL

Barreaux, Theodore C., vice president, American Institute of Certified Public

Accountants, letter dated May 25, 1984, to Hon. William Hughes. 327
Credit Card Fraud Thrives in South Florida, MiamiHerald, May 31,1983 ...... 191
Criscuoli, E.J. , Jr. , executive vice president, American Society for Industrial
Security, prepared statement.. 194
" How to Prevent Credit Card Ripoffs,” by Joe Starita ...... 193
National Retail Merchants Association , prepared statement 198
Steinbach, Sheldon Elliot, general counsel, American Council on Education ,
division of governmental relations, letter dated March 26, 1984, to Hon .
William J. Hughes .......... 359
COUNTERFEIT ACCESS DEVICE AND COMPUTER
FRAUD AND ABUSE ACT

THURSDAY, SEPTEMBER 29, 1983

HOUSE OF REPRESENTATIVES,
SUBCOMMITTEE ON CRIME,
COMMITTEE ON THE JUDICIARY,
Washington, DC.
The subcommittee met, pursuant to call, at 10:10 a.m., in room
2237, Rayburn House Office Building, Hon. William J. Hughes
(chairman of the subcommittee) presiding.
Present: Representatives Hughes, Feighan, Smith, Shaw, and
Sensenbrenner .
Also present: Representative Fish .
Staff present: Hayden W. Gregory, counsel; Edward O'Connell,
assistant counsel; Charlene Vanlier, associate counsel, and Phyllis
N. Henderson , clerical staff.
Mr. HUGHES. The Subcommittee on Crime will come to order.
The Chair has received a request to cover this hearing in whole
or part by television broadcast, radio broadcast, still photography
or by other similar methods. In accordance with committee rule
5 (a ), permission will be granted unless there is objection . Hearing
no objection , coverage will be permitted.
Today we will receive testimony on the problems relating to
credit card fraud and counterfeiting and the related issue of com
puter-assisted crimes.
I am sure it is not surprising to most of us that currency and
even checks are becoming a diminishing part of our everyday life.
Instead, we are increasingly becoming dependent on credit cards,
computers, and other such devices. These technological advances
have left our laws almost totally inadequate. In fact , we have good
reason to believe that merely bringing our laws up to date by revis
ing them to reflect present technology will not be adequate; for
rapidly changing technology will leave them obsolete in another 5
or 10 years.
Experts tell us that we need to shift attention in our statutes
fromconcepts such as tangible property and possession to concepts
of information and access to information .
H.R. 3570, which Mr. Sawyer and I introduced on July 14th of
this year, makes counterfeiting, producing, or possessing counter
feit-making equipment and credit cards ifthese illegal acts in the
aggregate produce anything of value worth $ 5,000 — within 1 year
orthe defendant is in possession of 10 or more counterfeit instru
ments indicating he or she is more than a small-time thief. It also
expands a scope of this legislation to other computer -assisted
crimes if they aggregate $ 5,000 in illegal gains in 1 year.
(1 )
 2

H.R. 3181 , which Mr. Fish, the ranking minority member of the
Committee on the Judiciary, has introduced and which I am a co
sponsor as well as Mr. Sawyer and other members of the Judiciary,
makes counterfeiting of these instruments, possession of five or
more counterfeit instruments, or producing, possessing, et cetera ,
device-making equipment a crime.
The essential differences between the bills before this subcom
mittee, H.R. 3570 and H.R. 3181 , is that H.R. 3570 requires a larger
scale criminal credit card activity to make the activity a Federal
crime and it adds a computer fraud count.
I might say that there are a number of other bills that have been
introduced bearing on computer crime, not the least of which is
one introduced by our colleague Bill Nelson of Florida - certainly
an expert in this area, who has worked diligently both here in
Washington and in the past in the State of Florida, on computer
type crime. We therefore expect to have a very interesting and
worthwhile hearing this morning. I suspect it will be the first of a
series of hearings in order that we can identify the issues and en
deavor to address what are the concerns of a lot of members and
certainly a lot of different groups throughout our society.
[Copies of H.R. 3570 and H.R. 3181 follow :]
 3

I
93TH CONGRESS
1ST SESSION
H.R.3570
To amend title 18 of the United States Code to provide penalties for the
counterfeiting of access devices, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES

JULY 14, 1983
Mr. HUGHES (for himself and Mr. SAWYER) introduced the following bill; which
was referred to th : Committee on the Judiciary
‫ز‬

A BILL
To amend title 18 of the United States Code to provide penal
ties for the counterfeiting of access devices, and for other
purposes.

1 Be it enacted by the Senate and House of Representa

2 tives of the United States of America in Congress assembled,
3 That this Act may be cited as the “ Counterfeit Access
4 Device and Computer Fraud Act of 1983 ” .
5 SEC. 2. (a) Chapter 47 of title 18 of the United States
6 Code is amended by adding at the end thereof the following:
 4

1 “ 8 1029. Fraud and related activity in connection with

2. access devices and computers
3 “ ( a) Whoever
4 “ (1) knowingly and without lawful authority pro
5 duces, buys, sells, or transfers a fraudulent access
6 device;
7 “ (2) knowingly produces, buys, sells, transfers, or
8 possesses device -making equipment, with the intent
9 that such equipment be used in the production of a
10 fraudulent access device; or
11 “ (3) uses a computer with intent to execute a
12 scheme to defraud;

13 and thereby affects interstate or foreign commerce, and

14 either, in the case of any offense under any paragraph of this
15 subsection, obtains anything of a value aggregating $5,000
16 or more during any one year period, or, in the case of any
17 offense under paragraph (1) or (2) of this subsection , pos
18 sesses ten or more fraudulent access devices in connection

19 with the offense, shall be punished as provided in subsection

20 (c) of this section.

21 “(b) Whoever attempts or conspires to commit an of

22 fense under paragraph (1), (2), or (3) of subsection (a) of this
23 section shall be punished as provided in subsection (c) of this
24 section.

25 " (c) The punishment for an offense under subsection (a)

26 or ( b ) of this section is
 5

1 “ ( 1) a fine of not more than $50,000 or imprison

2
ment for not more than fifteen years, or both, if the
3 offense is a violation of subsection (a )(2) of this section
4 or an attempt or conspiracy to violate such subsection
5 (a )( 2);
6 “ (2) a fine of not more than $ 100,000 or impris
7
onment for not more than twenty years, or both, in the
8
case of an offense occurring after a previous conviction
9 of the offender under this section ; and
10 “ (3) a fine of not more than $ 10,000 or imprison
11
ment for not more than ten years, or both, in any other
12 case .

13 "(d) The United States Secret Service shall, in addition

14 to any other agency having such authority, have the authori
15 ty to investigate offenses under this section.
16 “ (e) As used in this section
17 “ ( 1) the term ' access device' means any card,
18 plate, code, account number, or other means of account
19 access existing for the purpose of obtaining, alone or in
20 conjunction with another access device, money, goods,
21 services , or any other thing of value, or for the purpose
22 of initiating a transfer of funds (other than a transfer
23 originated solely by paper instrument);
24 “ ( 2) the term 'fraudulent access device' means

25 any access device or a representation, depiction,

 6

1 facsimile, or component of an access device that is

2
counterfeit, fictitious, altered, forged, lost, stolen, in
3 complete, fraudulently obtained or obtained as part of a
4 scheme to defraud;
5 “ (3) the term 'produce’ includes design , alter, au
6 thenticate, duplicate, or assemble; and
7
“(4) the term "device-making equipment' means
8
any equipment, mechanism , or impression specially de
9
signed or primarily used, for making an access device,
10 a false access device, or any component thereof.” .
11 ( b) The table of sections at the beginning of chapter 47
12 of title 18 of the United States Code is amended by adding at
13 the end the following new item :
“ 1029. Fraud and related activity in connection with access devices and
computers. ".
 7

I
98TH CONGRESS
1st SESSION H.R. 3181
To amend title 18 of the United States Code to provide penalties for credit card
counterfeiting and related fraud.

IN THE HOUSE OF REPRESENTATIVES

JUNE 1 , 1983
Mr. Fish ( for himself, Mr. HUGHES, Mr. HYDE , Mr. MAZZOLI, Mr. McCOLLUM,
Mr. MOORHEAD, Mr. SAWYER, Mr. SENSENBRENNER, Mr. SHAW , and Mr.
Smith of Florida) introduced the following bill; which was referred to the
Committee on the Judiciary
AUGUST 18, 1983
Additional sponsors: Mr. SEIBERLING, Mr. FRANK, Mr. CAMPBELL, Mr. AUCOIN,
Mr. PATMAN , Mr. ROE , Mr. WORTLEY, Mr. FEIGHAN, Mr. KINDNESS, Mr.
Won Pat, Mr. FORSYTHE, Mr. KOGOVSEK, Mr. FASCELL, Mr. GLICKMAN ,
Mr. HORTON, Mr. WYDEN, Mr. MCGRATH, Mr. DEWINE , Mr. ANDREWS of
Texas, Mrs. BOXER, Mr. TALLON, Mr. BARNARD, Mr. LUNGREN, Mr.
GEKAS, Mr. Fazio, Mr. DREIER of California, Mr. KasicH, Mr. HAMMER
SCHMIDT, Mr. LEWIS of Florida, Mr. RIDGE , Mr. STANGELAND, Mr. BILIR
AKIS, Mr. GILMAN , Mr. BOEHLERT, Ms. OAKAR, Mr. HUBBARD, Mr. JEF
FORDS, Mr. SCHUMER, Mr. STRATTON, Mr. GREEN, Mr. PORTER, Mr.
PACKARD, Mr. DUNCAN , Mr. CHAPPELL, Mrs. ROUKEMA, and Mr. DAUB

A BILL
To amend title 18 of the United States Code to provide
penalties for credit card counterfeiting and related fraud.
1 Be it enacted by the Senate and House of Representa
2 tives of the United States of America in Congress assembled,
 8
2

1 SECTION 1. This Act may be cited as the “ Credit Card

2 Counterfeiting and Fraud Act of 1983” .
3 SEC. 2. Chapter 47 of title 18, United States Code, is
4 amended by adding the following new section 1029 at the
5 end thereof:

6 “ 8 1029. Fraud and related activity in connection with

7 payment devices
8 “ (a) Whoever, in circumstances described in subsection
9 (c) of this section
10 “ ( 1) knowingly and without lawful authority pro
11 duces, buys, sells, or transfers a fraudulent payment
12 device;
13 “ (2) knowingly possesses with intent to defraud or
14 transfer unlawfully five or more fraudulent payment
15 devices;
16 “ (3) knowingly produces, buys, sells, transfers or
17 possesses device-making equipment, with the intent
18 that such equipment be used in the production of a
19 fraudulent payment device; or
20 " (4 ) attempts or conspires to do so,
21 shall be punished as provided in subsection ( b) of this section.
22 “(b) The punishment for an offense under subsection (a)
23 of this section is

24 “ (1) a fine of not more than $ 10,000 or imprison

25 ment for not more than ten years, or both ;
 9

1 “ (2) a fine of not more than $ 50,000 or imprison

2 ment for not more than fifteen years, or both, if the
3 offense involves any device -making equipment, or five
4 or more fraudulent payment devices; or
5 “(3) a finė of not more than $ 100,000 or impris
6 onment for not more than twenty years, or both, in the
7 case of second or repeated offenses.
8 “ (c) The circumstance referred to in subsection ( a) of
9 this section is that
10 “ (1) the offense affects a financial institution or
11 interstate or foreign commerce;
12 “ (2) the offender in the course of the offense uses
13 an instrumentality of interstate or foreign commerce; or
14 “ (3) the fraudulent payment device or device
15 making equipment, or any aspect or component there
16 of, has been in interstate or foreign commerce.
17 “ ( d) As used in this section
18 “ (1) the term “ payment device' means any card,
19 plate, code, account number, or other means of account
20 access existing for the purpose of obtaining, alone or in
21 conjunction with another payment device, money,
22 goods, services, or any other thing of value, or for the
23 purpose of initiating a transfer of funds (other than a
24 transfer originated solely by paper instrument);
 10

1 “ (2) the term “fraudulent payment device' means

2 ( A ) any payment device or a representation, depiction,
3 facsimile, aspect or component of a payment device
4 that is counterfeit, fictitious, altered, forged, lost,
5 stolen, incomplete, fraudulently obtained or obtained as
6 part of a scheme to defraud; or ( B ) any invoice, vouch
7 er, sales draft, or other reflection or manifestation of
8 such a device;
9
“ (3) the term 'produce' means to make, design,
10 alter, authenticate, duplicate, or assemble;
11 “ (4 ) the term ' financial institution ' means an insti
12 tution with deposits or accounts insured by the Federal
13 Deposit Insurance Corporation, the Federal Savings
14 and Loan Insurance Corporation, or the National
15 Credit Union Administration; and
16 “ (5 ) the term 'device-making equipment' means
17 any equipment, mechanism , or impression designed,
18 used, or that can be used for making a payment device,
19 a false payment device, or any aspect or component
20 thereof . " .
 11

[ The statement of Mr. Hughes follows:]

STATEMENT OF HON. WILLIAM J. HUGHES, CHAIRMAN, SUBCOMMITTEE ON CRIME
The Subcommittee on Crime will come to order. Today we will receive testimony
on the problems relating to credit card fraud and counterfeiting and the related
issue of computer assisted crimes.
In discussing these complicated issues which often deal with futuristic methods of
crime, I am sure that we will not develop any " final solutions” to these innovations
in crime. There is no final victory in any so -called war against crime but sometimes
we can improve upon the arsenals whereby the law enforcement community can
win some battles. Earlier this year this subcommittee moved to aid the front line
soldiers in these battles, the State and local enforcement agencies, with the passage
of the Justice, Assistance Act. We also have spearheaded the passage of anti-tamper
ing legislation to deal with the " Tylenol” problem and a drug testing process for
Federal probationers and parolees. All of these bills are pending in the Senate, and
I have been urging the other body and the administration to expedite the passage of
these bills andother legislation dealing with drug trafficking which this subcommit
tee is pursuing in order to deal with what can be characterized as violent crime in
America .
The present problem before us deals with a different problem that can be charac
terized as " white collar” crime and as such often is neglected both at the Federal
and State level. I believe that this neglect is a great mistake and in fact an attack
on white collar crime can often be much more productive, economically, to this
country than the more publicized emphasis on violent crime.
For instance, the Wall Street Journal had an article early this spring that stated
the cost of constructing highways in the Nation had fallen significantly, in some
cases as much as 25 to 30 percent below engineer estimates. This remarkable de
cline in costs has been directly attributable to the Department of Justice prosecu
tion in dozens of cases of bid -fixing in the highway construction industry. These
prosecutions have resulted in over 90 percent convictions with numerous jail sen
tences and fines totaling $41 million. This news is evidence that the deterrent power
of the law when enforced can be very strong, especially in the area of white collar
crime. The prosectuion of white collar crime, which silently robs billions of dollars
from all of the taxpayers, a few dollars at a time, I believe, must remain a high
priority for Federal law enforcement. It is in this perspective that we will deal with
the problems presented here today.
In this regard, I am sure that it is not surprising to most of us that currency and
even checks are becoming a diminishing part of our everday life. Instead, we are
now increasingly becoming dependent on numerous credit cards and other plastic
devices, all of which eventually involve use of computers and other electronic de
vices which also are subject to criminal attack. For example, financial institutions
claim that they lost $ 128 million from bank card fraud in 1982-an increase of 35
percent over 1981 losses. They further estimate that $40 million of this figure was
just from counterfeit credit cards which was a 500 -percent increase since 1980.
There are also indications that thieves are becoming increasingly sophisticated and
infactarestealing account numbersand using them withouteven gettingphysical
control of the cards themselves, thus coming ever closer to " computer crime.
There are two major pieces of Federal legislation in this area, both in title 15 of
the United States Code.They are in 15 U.S.C. 1644, the Truth in Lending Act, and
the Electronic Funds Transfer Act, 15 U.S.C. 1693, and they deal with fraudulent
use of credit cards and debit instruments.
Debit instruments include a card, code or other device other than a check, draft
or other paper instrument which may initiate an electronic fund transfer. Neither
of these acts deals with counterfeiting. Nor is there any general law dealing with
computer fraud .
The chairman of the Subcommittee on Consumer Affairs and Coinage of the Com
mittee on Banking, Finance and Urban Affairs, Mr. Annunzio, has introduced H.R.
2885 to close some of these gaps in title 15 involving the use of these instruments
and other matters dealing with disclosure of account numbers. This bill has been
reported out of his subcommittee as H.R. 3622.
H.R. 3570, which Mr. Sawyer and I introduced on July 14, 1983, complements Mr.
Annunzio's bill by making counterfeiting or producing, possessing, etc., counterfeit
making equipment for these instruments a crime if these illegal acts in the aggre
gate obtain anything of value worth $5,000 within 1 year or the defendant is in pos
session of 10 or more counterfeit instruments indicating he or she is more than a
 12

small-time thief. It also expands the scope of this complementary legislation to

other computer assisted crimes if they aggregate $5,000 in illegal gains in 1 year.
H.R. 3181, which Mr. Fish, the ranking minority member of the Committee on the
Judiciary, has introduced (I am a cosponsor ), makes counterfeiting of these instru
ments, possession of 5 or more counterfeit instruments or producing, possessing, etc.,
devise -making equipment a crime.
The essential differences between the bills before this subcommittee, H.R. 3570
and H.R. 3181 , is that H.R. 3570 requires a larger scale criminal credit card activity
to make the activity a Federal crime and it adds a computer fraud count.
Mr. HUGHES. At this point I recognize the ranking minority
member from Michigan, Mr. Sawyer.
Mr. SAWYER. Thank you, Mr. Chairman .
First, I would like to commend you for holding these hearings
today on what is a growing problem of credit card fraud. As con
sumers have grown to rely on the credit card system and credit
cards, so, too, has grown the creativity of the criminal mind with a
profit motive.
The sharp criminal no longer needs to hold up a bank or snatch
a purse, but needs only to recite a phony credit card account
number on the telephone. Even more alarming, a simple survey of
existing laws reveals that many of these activities are not even
against the law . For example, an individual counterfeiting credit
cards, 50 at a time, is not committing a crime.
Consumers pay for this; the credit card users bear the cost. The
result is the same as if the cash was stolen, and I believe that pun
ishment should also exist. Credit purchases are a reality upon
which our society is dependent. The cost of credit should not in
clude the profits of credit card con artists.
I thank the chairman for holding this series of meetings today so
that we might learn more about the problem and act to prevent it.
I must also commend Hamilton Fish for being at the forefront of
this legislation.
I recently read an article about two gentlemen in Florida - gen
tlemen may be the wrong word — who set up a system whereby they
obtained a lot of credit card numbers as a result of advertisements
in the Wall Street Journal and then used them to make what is
estimated to be perhaps millions of dollars by setting up a phony
rent-a -car business and sending in the credit card numbers for
cash . Anyway, I am very pleased that we are holding these hear
ings and I thank the chairman , and welcome.
Mr. HUGHES. Thank you. I want to welcome at this point our
first panel:Congressman Hamilton Fish of the 21st District of New
York, and Bill Nelson of the 11th Congressional District of Florida .
Our distinguished colleague Ham Fish is the ranking minority
member of the full Judiciary Committee, now serving his eighth
term in the Congress. He has an enviable reputation as a real gen
tleman, an aggressive member of Judiciary, a strong supporter of
law enforcement, and a very able representative of his district.
He is a graduate of Harvard College with a B.A. degree on Amer
ican history, an LLD degree from New York University.
Mr. Fish is a sponsor of H.R. 3181 , which is one of the bills
before this committee .
Our other distinguished colleague, Bill Nelson of Florida, was
first elected in 1978 to the House of Representatives and has been
subsequently reelected in 1980 and 1982.
 13

He graduated from Yale University with a bachelor of arts

degree
and received his doctorate degree in law from the Universi
ty of Virginia Law School.
Prior to being elected to Congress he was a very distinguished
member of the Florida legislature, where, as I indicated in the
opening statement, he was instrumental in the passage of the State
of Florida's comprehensive computer crime bill — the first in the
Nation .
So we are delighted to have both of you with us this morning.
We have your statements which, without objection , will be made a
part of the record, and we hope you can summarize for us your tes
timony but proceed as you deem fit.
Mr. SAWYER. Just one more thing, Mr. Chairman . I wonder if at
the conclusion of such testimony as he wants to give we might
invite Ham Fish as the ranking member of the Judiciary to sit ex
officio on this subcommittee for the rest of the hearing.
Mr. HUGHES. We would be delighted to have Ham Fish as a
member of this panel. As a matter of fact, Congressman Fish assist
ed us this morning in getting a quorum so we could move along
expeditiously. Welcome. We are delighted to have you, Ham.
TESTIMONY OF HON. HAMILTON FISH, JR ., A REPRESENTATIVE
IN CONGRESS FROM THE STATE OF NEW YORK
Mr. Fish . Thank you very much, Mr. Chairman .
I greatly appreciate the opportunity to appear before the Sub
committee on Crime, a subcommittee that Ihad the pleasure of
serving on under your leadership in past Congresses.
I am here to discuss the serious, growing problem of credit card
counterfeiting and credit card fraud. Inrecognition of this problem
I have introduced H.R. 3181 , the Credit Card, Counterfeiting and
Fraud Act of 1983. Later, in the course of my remarks, I will be
explaining the principal features of this bill.
However, at the outset, Mr. Chairman, I would like to express
my personal thanks to you for joining me as a principal cosponsor
of this legislation .
In addition, I am gratified that the ranking Republican of this
subcommittee, my friend Hal Sawyer, is also a cosponsor along
with subcommittee members Clay Shaw , Jim Sensenbrenner,
Chuck Schumer, and Larry Smith.
In fact, H.R. 3181 now has 63 cosponsors, 64, counting myself.
This includes 19 members of the House Judiciary Committee, 6 of
whom serve on this subcommittee.
Last week, Senators Thurmond and Biden, together with 12
other Members of the Senate, joined in this bipartisan effort and
introduced companion legislation: S. 1870.
What this congressional concern reflects is that credit card fraud
in general, and credit card counterfeiting in particular, are serious
problems warranting prompt legislative attention. Existing Federal
laws dealing with credit cards , the Truth -in -Lending Act and the
Electronic Funds Transfer Act, do not adequately address the twin
problems of credit card counterfeiting and credit card fraud. Why ?
Simply because these important consumer protection laws were en

38-178 O - 85 - 2
 14

acted prior to the development of the methods of criminal activity

that we now face. For example:
It is not a Federal crime to counterfeit a credit card ;
It is not a Federal crime to knowingly possess a counterfeit
credit card ;
It is not a Federal crime to knowingly deal and traffic in account
numbers or sales slips; and
It is not a Federal crime to knowingly possess or deal in devices
or equipment used in counterfeiting or in altering otherwise valid
credit cards.
Furthermore, case law interpretation of the language of the
truth-in -lending statute has limited its prohibitions to acts that
specifically involve credit cards or facsimile cards themselves. And
I refer, of course, to U.S.v. Callahan (666 F.2d 422 (1982)).
So, the current Federal law does not, for example, deal with the
use or sale of any device or mechanism which could be used in the
place of a legitimate payment device. The devices or mechanisms to
which I refer would include account numbers, sales slips, or credit
slips.
Now, criminal laws do exist in certain States which would make
some of the offenses punishable. But most of these, Mr. Chairman ,
are general criminal fraud statutes that do not focus on contempo
rary credit card fraud problems.
In addition, enforcement by the States and localities necessarily
stops at their jurisdictional boundaries.
In recent years , credit card counterfeiting and fraud schemes
have become so well organized and so sophisticated that they easily
bypass State jurisdiction. It is my view that counterfeiting a credit
card is analogous to counterfeiting money. It is a classic example of
a crime being committed in interstate commerce.
Provisions should be added to title 18 that would enable the Fed
eral law enforcement agencies and U.S. attorneys to deal with
interstate manufacturing of, and interstate trafficking in, counter
feit or altered credit cards.
In recent years, the losses incurred by banks and card issuers
due to counterfeiting have risen at a rate out of proportion to the
losses sustained from card fraud generally. Counterfeiting now rep
resents 11 percent of the overall fraud losses incurred by the indus
try .
The scope of this problem has expanded at an astronomical rate
within the last 3 years. Losses directly attributable to card counter
feiting rose from $15 million in 1981 to over $50 million in 1982.
Industry representatives have estimated that their worldwide
losses due tocounterfeiting for 1983 will approach $100 million.
While these are worldwide loss figures, Mr. Chairman , I would
stress that 94 percent of this activity is estimated to take place in
the United States.
MasterCard members reported $ 9.3 million in losses resulting
from counterfeit credit card usage in 1982. This represents an 11
percent increase over 1980 figures and a staggering 763 percent in
crease over their 1973 figures.
Likewise, VISA's statistics show that their members' losses have
climbed from $750,000 in 1981 to $10.9 million in 1982. The 1983
figure is expected to approach $20 million . VISA losses due to coun
 15

terfeiting were seven times greater last year than their entire
losses due to counterfeiting in the previous 9 years.
There are a number of schemes used in these fraudulent activi
ties. Account numbers can be obtained from discarded carbon re
ceipt slips or directly from an unscrupulous merchant or store em
ployee. These account numbers can then be embossed on white
cards - plain white, plastic cards the size of a normal credit card
containing no issuer logo. They are then used to run off phony
sales slips, which the merchant forwards to the card issuer for re
imbursement.
Another method is the so -called shave and paste scheme. Here,
the account information is cut off a lost or stolen card and replaced
with another account number. Most recently, credit card counter
feiters are using such highly sophisticated methods as the silk
screening process; and they have also used advanced photo -offset
printing to reproduce counterfeit cards.
Again, I stress, these kinds of criminal methods were not widely
used or even perfected when the existing Federal credit card laws
were first enacted in the 1970's .
The sophistication shown by silk-screening and photo -offset tech
niques are the criminal application of the new technology. What is
most disturbing is that it may well reflect a new dimension to
credit card fraud: the involvement of organized crime.
Allow me, now, to turn to the provisions of our bill, H.R. 3181. It
would make it a Federal crime to produce, buy, sell, or transfer a
fraudulent payment device. Thus, the act of counterfeiting or traf
ficking in credit cards would be illegal under Federal criminal law
for the first time.
The term "fraudulent payment device ” is defined in section 2(d)
of the bill to cover a broad range of improper payment mechanisms
that can be used in a card fraud scheme. The term includes all
manner of fraudulent or potentially fraudulent devices including
counterfeit cards, altered cards, stolen cards, white cards, account
numbers, and sales slips.
This legislation would also punish the possession, with intent to
defraud, of five or more fraudulent payment devices.
Finally, it would punish the production , sale, transfer, or posses
sion of equipment used in making fraudulent payment devices or
used to alter otherwise valid cards.
My bill does not specifically address the issue of which Federal
agency would enforce these new provisions. I know, Mr. Chairman,
that your other bill, H.R. 3570, on this subject, calls for enforce
ment by the U.S. Secret Service.
Senator Thurmond has a similar provision that he has added to
the language of my bill in introducing a companion in the U.S.
Senate. On this matter I defer to the wisdom ofthis subcommittee,
and to the Department of Justice, and to the Department of the
Treasury, on the jurisdictional enforcement question.
Finally, it should be emphasized that this is important legislation
from a consumer standpoint. While the direct victims of credit card
counterfeiting and credit card fraud are the banks and the credit
card companies themselves, they are not the only victims. The
losses suffered by the financial institutions and credit card compa
 16

nies are passed on to consumers in the form of higher user fees for
the card and increased interest costs.
In the past, credit card fraud and counterfeiting was viewed as
the cost of doing business. But all segments of society now agree
that it costs too much to ignore.
Mr. Chairman and subcommittee members, I am extremely hope
ful that our legislation will receive prompt and active consideration
in the Subcommittee on Crime.
In my judgment, it is essential that we obtain the passage of ef
fective legislation as quickly as possible so that vigorous enforce
ment activity against credit card crime can begin immediately.
I thank you again for the opportunity to testify before youtoday,
and I would be happy to try and answer any questions that the
committee may have .
[ The statement of Mr. Fish follows:]
 17

TESTIMONY OF THE
HONORABLE HAMILTON FISH , JR .

MR . CHAIRMAN , I GREATLY APPRECIATE THE OPPORTUNITY TO

APPEAR BEFORE THE SUBCOMMITTEE ON CRIME , TO DISCUSS THE SERIOUS ,
GROWING PROBLEM OF CREDIT CARD COUNTERFEITING AND CREDIT CARD
FRAUD .

IN RECOGNITION OF THIS PROBLEM, I HAVE INTRODUCED H.R. 3181

THE " CREDIT CARD COUNTERFEITING AND FRAUD ACT OF 1983. "
LATER , IN THE COURSE OF MY REMARKS , I WILL BE EXPLAINING THE
PRINCIPAL FEATURES OF MY BILL . HOWEVER , AT THE OUTSET, LET ME
EXPRESS MY PERSONAL THANKS TO YOU , MR . CHAIRMAN , FOR JOINING
WITH ME AS A PRINCIPAL CO- SPONSOR OF THIS LEGISLATION . IN
ADDITION , I AM GRATIFIED THAT THE RANKING REPUBLICAN OF THIS
SUBCOMMITTEE MY FRIEND , HAL SAWYER IS ALSO A CO - SPONSOR ,

ALONG WITH SUBCOMMITTEE MEMBERS CLAY SHAW , JIM SENSENBRENNER ,

CHUCK SCHUMER , AND LARRY SMITH .

IN FACT, H.R. 3181 NOW HAS 63 co-SPONSORS , 64 TOTAL . THIS

INCLUDES 19 MEMBERS OF THE HOUSE JUDICIARY COMMITTEE SIX OF WHOM
SERVE ON THIS SUBCOMMITTEE . (A LIST OF ALL THE CO- SPONSORS IS
ATTACHED TO MY PREPARED TESTIMONY . )

LAST WEEK, SENATOR THURMOND AND SENATOR BIDEN , TOGETHER

WITH 12 OTHER MEMBERS OF THE SENATE , JOINED IN THIS BI - PARTISAN
EFFORT AND INTRODUCED COMPANION LEGISLATION S. 1870 .
 18

WHAT THIS CONGRESSIONAL CONCERN REFLECTS IS THAT CREDIT

CARD FRAUD IN GENERAL , AND CREDIT CARD COUNTERFEITING IN
PARTICULAR , ARE SERIOUS PROBLEMS WARRANTING PROMPT LEGISLATIVE

ATTENTION . EXISTING FEDERAL LAWS DEALING WITH CREDIT CARDS

THE TRUTH- IN - LENDING ACT AND THE ELECTRONIC FUNDS TRANSFER ACT
DO NOT ADEQUATELY ADDRESS THE TWIN PROBLEMS OF CREDIT CARD
COUNTERFEITING OR CREDIT CARD FRAUD . THESE IMPORTANT CONSUMER
PROTECTION LAWS WERE ENACTED PRIOR TO THE DEVELOPMENT OF THE
METHODS OF CRIMINAL ACTIVITY WE NOW FACE . FOR EXAMPLE :

IT IS NOT A FEDERAL CRIME TO COUNTERFEIT A

CREDIT CARD ;

IT IS NOT A FEDERAL CRIME TO KNOWINGLY POSSESS

A COUNTERFEIT CREDIT CARD ;

IT IS NOT A FEDERAL CRIME TO KNOWINGLY DEAL

AND TRAFFIC IN ACCOUNT NUMBERS OR SALES SLIPS ;
AND

IT IS NOT A FEDERAL CRIME TO KNOWINGLY POSSESS

OR DEAL IN DEVICES OR EQUIPMENT USED IN COUNTER
FEITING OR ALTERING OTHERWISE VALID CREDIT CARDS ,

FURTHERMORE , CASE LAW INTERPRETATION OF THE LANGUAGE IN

THE TRUTH- IN - LENDING STATUTE HAS LIMITED ITS PROHIBITIONS TO
ACTS THAT SPECIFICALLY INVOLVE CREDIT CARDS OR FACSIMILE CARDS

THEMSELVES . See :
SEE U.S. V. CALLAHAN 666 F.2d 422 ( 1982 ) .,
SO , THE CURRENT FEDERAL LAW DOES NOT , FOR EXAMPLE , DEAL WITH
THE USE OR SALE OF ANY DEVICE OR MECHANISM WHICH COULD BE USED
 19

IN THE PLACE OF A LEGITIMATE PAYMENT DEVICE . THE DEVICES OR

MECHANISMS TO WHICH I REFER WOULD INCLUDE ACCOUNT NUMBERS ,
SALES SLIPS , OR CREDIT SLIPS .

CRIMINAL LAWS DO EXIST IN CERTAIN STATES WHICH WOULD MAKE

SOME OF THESE OFFENSES PUNISHABLE . MOST OF THESE ARE GENERAL
CRIMINAL FRAUD STATUTES , THAT DO NOT FOCUS ON CONTEMPORARY
CREDIT CARD FRAUD PROBLEMS . IN ADDITION , ENFORCEMENT BY THE
STATES OR LOCALITIES STOPS AT THEIR JURISDICTIONAL BOUNDARIES ,
IN RECENT YEARS , CREDIT CARD COUNTERFEITING AND FRAUD SCHEMES
HAVE BECOME SO WELL ORGANIZED AND SO SOPHISTICATED THAT THEY
EASILY BY- PASS STATE JURISDICTION . IT IS MY VIEW THAT COUNTER
FEITING A CREDIT CARD IS ANALOGOUS TO COUNTERFEITING MONEY ,
IT IS A CLASSIC EXAMPLE OF A CRIME BEING COMMITTED IN INTERSTATE
COMMERCE . PROVISIONS SHOULD BE ADDED TO TITLE 18 THAT WOULD
ENABLE THE FEDERAL LAW ENFORCEMENT AGENCIES AND UNITED STATES
ATTORNEYS TO DEAL WITH INTERSTATE MANUFACTURING OF , AND INTER
STATE TRAFFICKING IN , COUNTERFEIT OR ALTERED CREDIT CARDS .

IN RECENT YEARS ; THE LOSSES INCURRED BY THE BANKS AND

CARD ISSUERS DUE TO COUNTERFEITING HAVE RISEN AT A RATE FAR
OUT OF PROPORTION TO THE LOSSES SUSTAINED FROM CARD FRAUD
GENERALLY . COUNTERFEITING NOW REPRESENTS 11% OF THE OVERALL
FRAUD LOSSES INCURRED BY THE INDUSTRY . THE SCOPE OF THIS PROBLEM
HAS EXPANDED AT AN ASTRONOMICAL RATE WITHIN THE LAST THREE YEARS ,
LOSSES DIRECTLY ATTRIBUTABLE TO CARD COUNTERFEITING ROSE FROM

$15 MILLION IN 1981 TO OVER $50 MILLION IN 1982. INDUSTRY

 20

REPRESENTATIVES HAVE ESTIMATED THAT THEIR WORLDWIDE LOSSES

DUE TO COUNTERFEITING FOR 1983 WILL APPROACH $100 MILLION .
WHILE THESE ARE WORLDWIDE LOSS FIGURES , MR . CHAIRMAN , I WOULD
STRESS THAT 94% OF THIS ACTIVITY IS ESTIMATED TO TAKE PLACE
IN THE UNITED STATES ,

MASTERCARD MEMBERS REPORTED $9.3 MILLION IN LOSSES RESULTING

FROM COUNTERFEIT CREDIT CARD USAGE IN 1982 . THIS REPRESENTED
AN 11% INCREASE OVER THEIR 1980 FIGURES AND A STAGGERING 763%
INCREASE OVER THEIR 1973 FIGURES . VISA'S STATISTICS SHOW THAT
THEIR MEMBERS ' LOSSES CLIMBED FROM $ 750,000 IN 1981 to $10.9 MILLION
IN 1982. THE 1983 FIGURE IS EXPECTED TO APPROACH $20 MILLION .
VISA LOSSES DUE TO COUNTERFEITING WERE SEVEN TIMES GREATER
IN 1982 THAN THEIR ENTIRE LOSSES DUE TO COUNTERFEITING IN THE
PREVIOUS NINE YEARS .

THERE ARE A NUMBER OF SCHEMES USED IN THESE FRAUDULENT

ACTIVITIES . ACCOUNT NUMBERS CAN BE OBTAINED FROM DISCARDED
CARBON RECEIPT SLIPS OR DIRECTLY FROM AN UNSCRUPULOUS MERCHANT
OR STORE EMPLOYEE . THESE ACCOUNT NUMBERS CAN THEN BE EMBOSSED
ON "WHITE CARDS " PLAIN WHITE , PLASTIC CARDS THE SIZE OF A

NORMAL CREDIT CARD CONTAINING NO ISSUER LOGO . THEY ARE THEN

USED TO RUN OFF PHONEY SALES SLIPS , WHICH THE MERCHANT FORWARDS
TO THE CARD ISSUER FOR REIMBURSEMENT .

ANOTHER METHOD IS THE SO - CALLED "SHAVE AND PASTE " SCHEME .

HERE , THE ACCOUNT INFORMATION IS CUT OFF A LOST OR STOLEN CARD
AND REPLACED WITH ANOTHER ACCOUNT NUMBER . MOST RECENTLY , CREDIT
 21

CARD COUNTERFEITERS ARE USING SUCH HIGHLY SOPHISTICATED

METHODS AS THE SILK- SCREENING PROCESS SIMILAR TO THAT USED
IN MAKING T- SHIRTS . THEY ALSO HAVE USED ADVANCED PHOTO
OFFSET PRINTING TO REPRODUCE COUNTERFEIT CARDS .

AGAIN , I STRESS, THESE KINDS OF CRIMINAL METHODS WERE NOT

WIDELY USED OR EVEN " PERFECTED " WHEN THE EXISTING FEDERAL CREDIT
CARD LAWS WERE FIRST ENACTED IN THE 1970s . THE SOPHISTICATION
SHOWN BY SILK- SCREENING AND PHOTO OFFSET TECHNIQUES ARE THE
CRIMINAL APPLICATION OF NEW TECHNOLOGY , WHAT IS MOST DISTURBING
IS THAT IT MAY WELL REFLECT A NEW DIMENSION TO CREDIT CARD
FRAUD THE INVOLVEMENT OF ORGANIZED CRIME .

ALLOW ME , NOW , TO TURN TO THE PROVISIONS OF MY BILL ,

H.R. 3181. MY BILL WOULD MAKE IT A FEDERAL CRIME TO PRODUCE ,
BUY , SELL, OR TRANSFER A " FRAUDULENT PAYMENT DEVICE . " THUS
THE ACT OF COUNTERFEITING OR TRAFFICKING IN CREDIT CARDS WOULD
BE ILLEGAL UNDER FEDERAL CRIMINAL LAW FOR THE FIRST TIME . THE
TERM " FRAUDULENT PAYMENT DEVICE " IS DEFINED IN SECTION 2 (a )
OF THE BILL TO COVER A BROAD RANGE OF IMPROPER PAYMENT MECHANISMS

THAT CAN BE USED IN A CREDIT CARD FRAUD SCHEME . THE TERM

INCLUDES ALL MANNER OF FRAUDULENT OR POTENTIALLY FRAUDULENT

DEVICES INCLUDING COUNTERFEIT CARDS , ALTERED CARDS , STOLEN CARDS ,
"WHITE CARDS , " ACCOUNT NUMBERS AND SALES SLIPS . THIS LEGISLATION

WOULD ALSO PUNISH THE POSSESSION , WITH INTENT TO DEFRAUD , OF

FIVE OR MORE FRAUDULENT PAYMENT DEVICES . FINALLY , THIS MEASURE
WOULD PUNISH THE PRODUCTION , SALE , TRANSFER , OR POSSESSION OF
 22

EQUIPMENT USED IN MAKING FRAUDULENT PAYMENT DEVICES OR USED

TO ALTER OTHERWISE VALID CARDS ,

PENALTIES FOR THE VIOLATION OF THIS NEW CRIMINAL LAW

WOULD BE AS FOLLOWS : FIRST, IN THE CASE OF A SINGLE VIOLATION ,
A PUNISHMENT UP TO $10,000 OR IMPRISONMENT FOR NOT MORE THAN
10 YEARS ; SECOND , WHERE THE OFFENSE INVOLVES POSSESSION OF
FIVE OR MORE FRAUDULENT PAYMENT DEVICES OR THE POSSESSION OF
ANY DEVICE MAKING EQUIPMENT, A FINE OF NOT MORE THAN $50,000
AND IMPRISONMENT FOR UP TO 15 YEARS ; AND THIRD, IN THE CASE
OF SECOND OR REPEATED OFFENSES , FINES MAY BE LEVIED UP TO
$100,000 AND IMPRISONMENT FOR UP TO 20 YEARS .

MY BILL DOES NOT SPECIFICALLY ADDRESS THE ISSUE OF WHICH

FEDERAL AGENCY WOULD ENFORCE THESE NEW PROVISIONS . I KNOW ,
MR . CHAIRMAN , THAT YOUR OTHER BILL ( H.R. 3570 ) ON THIS SUBJECT ,
CALLS FOR ENFORCEMENT BY THE U.S. SECRET SERVICE . SENATOR
THURMOND ADDED A SIMILAR PROVISION TO THE LANGUAGE OF MY BILL ,
WHEN HE INTRODUCED IT LAST WEEK . I DEFER TO THE WISDOM OF
THIS SUBCOMMITTEE , AND THE DEPARTMENT OF JUSTICE AND THE
DEPARTMENT OF THE TREASURY , ON THE JURISDICTIONAL ENFORCEMENT
QUESTION ,

FINALLY , IT SHOULD BE EMPHASIZED THAT THIS IS IMPORTANT

LEGISLATION FROM A CONSUMER STANDPOINT . WHILE THE DIRECT VICTIMS

OF CREDIT CARD COUNTERFEITING AND CREDIT CARD FRAUD ARE THE

BANKS AND THE CREDIT CARD COMPANIES , THEY ARE NOT THE ONLY
VICTIMS . THE LOSSES SUFFERED BY THE FINANCIAL INSTITUTIONS AND
 23

CREDIT CARD COMPANIES ARE PASSED ON TO THE CONSUMER IN THE FORM

OF HIGHER USER FEES FOR THE CARD AND INCREASED INTEREST COSTS .
IN THE PAST , CREDIT CARD FRAUD AND COUNTERFEITING WAS VIEWED
AS THE COST OF DOING BUSINESS . BUT ALL SEGMENTS OF SOCIETY

VOW AGREE THAT IT COSTS TOO MUCH TO IGNORE .

MR . CHAIRMAN AND SUBCOMMITTEE MEMBERS , I AM EXTREMELY

HOPEFUL THAT OUR LEGISLATION WILL RECEIVE PROMPT AND ACTIVE
CONSIDERATION IN THE SUBCOMMITTEE ON CRIME . IT IS ESSENTIAL

THAT WE OBTAIN THE PASSAGE OF EFFECTIVE LEGISLATION AS QUICKLY

AS POSSIBLE SO THAT VIGOROUS ENFORCEMENT ACTIVITY AGAINST
CREDIT CARD CRIME CAN BEGIN IMMEDIATELY .

THANK YOU AGAIN FOR THIS OPPORTUNITY TO TESTIFY BEFORE

YOU TODAY , AND I WOULD BE HAPPY TO TRY AND ANSWER ANY QUESTIONS
YOU MAY HAVE .
 24

CO - SPONSORS OF H.R. 3181

( Sponsor : Mr. Fish )

Mr. Andrews ( Texas ) Mr. Hammerschmidt Mr. Roe

Mr. Aucoin Mr. Horton Mrs. Roukema

Mr. Barnard Mr. Hubbard Mr. Rudd

* *
Mr. Bilirakis Mr. Hughes Mr. Sawyer
*
*
Mr. Boehlert Mr. Hyde Mr. Schumer
*
Mrs. Boxer Mr. Jeffords Mr. Seiberling
*
Mr. Campbell Mr. Kasich Mr. Sensenbrenner
Mr. Chandler *
Mr. Kindness *
Mr. Shaw

*
Mr. Chappell Mr. Kogovsek Mr. Smith ( Florida )

Mr. Daub Mr. Lewis ( Florida ) Mr. Stangeland

*
* Mr. DeWine Mr. Lungren Mr. Stratton
* Mr. Mazzoli
Mr. Dreier Mr. Tallon
*
Mr. Duncan Mr. McCollum Mr. Tauke

Mr. Dwyer Mr. McGrath Mr. Wolpe

Mr. Fascell Mr. McNulty Mr. Won Pat

*
Mr. Fazio Mr. Moorhead Mr. Wortley

* Mr. Feighan Ms. Oakar Mr. Wyden

Mr. Forsythe Mr. Oxley

* Mr. Frank Mr. Packard

Mr. Gilman Mr. Patman

*
Mr. Gekas Mr. Porter

* Mr. Glickman Mr. Pritchard

Mr. Green Mr. Ridge

Member , House Judiciary Committee

 25

Mr. HUGHES. Thank you , Ham .

I understand that Bill Nelson has conflicts. If it is Ok with you,
we are just going to take his testimony and then if there are any
questions we will ask them then.
Bill, welcome.
TESTIMONY OF HON. BILL NELSON, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF FLORIDA
Mr. NELSON . Thank you, Mr. Chairman.
Mr. Chairman , I appreciate the opportunity to share some
thoughts with you about this legislation. I think that you are right
on target here in your very gracious opening remarks you made
reference to the fact that I have been involved in similar kind of
legislation even before I came to the Congress. I might say that the
Comprehensive Computer Crimes Act that we passed in Florida
has had some successful prosecutions. Perhaps the State that has
had the most prosecutions under its law is the State of California
which followed our enactment but is a very similar kind of law.
Now, I share this with you because as you approach your legisla
tion, Mr. Chairman , one of the things that you are going to need to
determine per your statement on page 2, line 11, subparagraph 3,
where you add in addition to the bill that you and Mr. Fish spon
sor, you add the provision whoever uses a computer with intent to
execute a scheme to defraud as a part of approaching this credit
card fraud.
Now, what I would suggest to you is that it is going to take a
considerable effort to try to define computer. And this may be
where you would want to have a tandem track as the legislation
that I have been privileged to sponsor is now moving its way
through the Judiciary Committee. Chairman Don Edwards has in
dicated that he is going to have a second set of hearings shortly
and anticipates markup later this year .
Interestingly, and this is an aside- I will get back to my point.
We have had this legislation in the Congress almost 4 years. But,
interestingly , it has taken the 414's, the computer hackers, from
Milwaukee, WI, to focus national attention that there is a problem .
As a result, there is sort of a ground swell now after the Nation's
attention had been riveted to the fact that there is a problem and
there is this ground swell with the appearance of a national man
date already before you in addressing computer crime of which you
make reference to in your bill .
And testifying in this very room we have had the endorsement of
the Department of Justice, the FBI, Secret Service, and then a host
of industry committees such as the ComputerBusiness Equipment
Manufacturers Association , the American Bankers Association,
Data Processing Management Association, and so forth , and so on.
So I think you are right on, the time is now.
Now, let me get back to my point. It might be that you will want
to cross -reference what is the definition of a computer - maybe
cross-reference it to our bill or should our bill get into law, cross
reference it to the particular statute, or, in the alternative, you
may want to put right in your specific legislation coming out of
this subcommittee, the definition of a computer.
 26

Now , when you start to define what a computer is you are going
to have a little difficulty. We put in, for example, in the Florida
law that we passed 5 or 6 years — we put a rather general defini
tion. We did so specifically at the time because we knew that the
technology was going to be changing so fast that there was not
going to be a way that I could specifically, 6 years ago in Florida,
state what a computer was. Thus far, with that general definition ,
it has worked well .
As we approached this Federal legislation , we tried to be more
specific. But there is one body of opinion that says that you ought
to be specific; there is another body of opinion that says that you
ought to be general.
Let me share with you in our bill, H.R. 1092, which is in Mr. Ed
wards' subcommittee , what the specific definition of a computer is.
Computer means an electronic, magnetic, optical, hydraulic, organ
ic, or other high speed data processing device or system performing
logical, arithmatic, or storage functions, and includes any property,
data storage facility, or communications facility directly related to
or operating in conjunction with such device or system .
Then we go on to exclude a certain area. For example, we say
but it does not include an automated typewriter, or a typesetter, or
Then

a portable hand -held calculator, or, and then we go on to describe

the personal computer.
Now, when you describe personal computer, if, as a matter of
practical politics you want to exclude that, which is the theory that
we have, then you have to be very careful to say, OK, as long as
that is being used for personal household purposes. But once that
personal computer, as the 414 hackers so amply demonstrated,
once that taps in to another system then the means is immediately
there for the person with criminal intent or malicious mischief to
either steal, embezzle, et cetera, or to damage the property of an
other. And therein is where the crime occurs.
So I would urge you over the course of these hearings to struggle
with the definition of a computer.
I think what we are going to do is take this definition and mas
sage it a little bit, perhaps simplify it a little bit. But you can't, if
you get hung up on the definition of the computer, you will never
get out a law , simply because you have got to draw a line and say,
OK, we are going todo the best that wecan, recognizing that tech
nology is going to change rather rapidly in the future and we have
got to go ahead.
I would urge this subcommittee, and as we start H.R. 1092 in Mr.
Edwards' subcommittee, to take that approach — and then if technol
ogy advances so fast that we have to do some definition changes in
the future, then so be it.
That's my comment, Mr. Chairman.
Mr. HUGHES. Thank you. Thank you for your contributions.
Let me just tell you that this past Tuesday, I was privileged to
meet with Don Parker, who, as you may know, is a national
expert in the field of computer crime, and he suggested that we
might be well advised to move away from describing computers as
the vehicle for crimes and emphasize instead the object of the
crime, that is, information or information service.
 27

What are your thoughts in this area Ham, and Bill? Bill I think
you point up, how difficult it is to describe what we are talking
about since it actually is information which is the property that is
the center or object of the person with criminal intent.
I believe, it would be far preferable to focus in on exactly what is
diverted which becomes of value to the thief.
Mr. NELSON . I think Mr. Parker's suggestion to you is a reflec
tion of the frustration of the rapid advance of technology.
Now , I happen to know Mr. Parker very well. He helped me
draw the Florida law 6 years ago. It was specifically his testimony
from which we fashioned the words that became the first computer
crime law in the Nation.
But I think the frustration that Don is expressing is that he is
being a visionary and he is looking 10 years into the future, and he
is saying that it is going to be information crimes, not crimes just
committed with the use of computers.
But right now the specific concern that wehave in credit card
fraud and the approach that I am using in H.R. 1092 is the use of
computer. What that device may be 10 years fromnow, it may be
called a widget; it may not be called a program . But we have to
operate from the base of knowledge that we have today.
So I think that if you are going to make reference to the devices
that produce this mammoth credit card society, you are going to
have to make reference to these devices; and you are going to have
to call them as best as we can describe them. Most ofthose devices
are known as computers; and in so describing it with that word you
are going to have to define it in thebest way that we can.
Mr. Fish . Mr. Chairman, while I defer to my colleague on the
whole question of computer fraud, since it is not addressed in my
legislation. However, I would just like to comment that I would
think that in any criminal statute you would have to define what a
computer is in order to avoid achallenge of statutory vagueness
and perhaps a constitutional challenge to legislation .
Mr. HUGHES. Mr. Sawyer ?
Mr. SAWYER. I have some reservations about Mr. Nelson's view
that we ought to get involved in describing a computer. It strikes
me that we could I lean toward the approach suggested by Mr.
Nelson that we in effect accomplish any device that is used to steal
information . But we haven't gotten into it in that depth yet and I
may change my view - just my initial threshold view is that we
ought not to attempt to describe a computer.
We have the same problem in the copyright law that we are
dealing with in another one of my subcommittees on the question
of cable and television producers, professional sports, Ted Turners,
and whatnot, that the technology is moving so fast that about as
quick as you get a law on the books it has been outmoded by the
movement of the technology. Between satellites and transponders
and the chips, and everything else, that I am beginning to think
that any law dealing with the edges of technology or the fast
moving electronic type technology, we would do better to do our
specific defining coming from theother end rather than anchoring
it on a specific set of technology that is in existence for the
moment but is really almost momentary in its existence before it is
moved on somewhere else.
 28

Anyway, that is just my threshold inclination .

Mr. NELSON . May I respond to that ?
Mr. SAWYER. Sure.
Mr. NELSON . Mr. Sawyer, I think that is a very legitimate con
cern. I think it is in the province of your committee and your sub
committee to question whether or not you want to include within
this attempt at credit card crime, whether or not you want to get
in and specifically talk about the use of the computer with regard
to the credit card crime. I think that is a very legitimate question.
What I am saying here is a different point, that is, that if you
determine that you are going to have a line such as page 2, line 11
and 12, in here which uses the word computer, you are going to
have to define it. Either you are going to have to define it in this
specific bill or you are going to have to cross-reference it to another
bill that may become law . That is my point.
Mr. SAWYER. Thank you. I yield back, Mr. Chairman .
Mr. HUGHES. The gentleman from Florida, Mr. Smith .
Mr. SMITH. Thank you , Mr. Chairman.
Once again , I am about to announce that my State is the biggest
and most fertile field for this kind of crime. We sit here andtalk
about drugs, and it is Florida's name that comes up most. We talk
about credit card crime , and Florida's name comes up most. So I
am very happy that we are dealing in the subject, although I would
like to offer to any State that is listening the ability to come in and
take over our role as being the leading place where you can
commit these kinds of crimes . So far, I haven't had any takers, Mr.
Chairman.
Let me just start by saying that I think it is an obviously very,
very serious matter. This is my credit card, Southeast Bank, that
hasn't been revoked yet. I guess I have been paying my bills more
or less on time. Well, it takes about 3 months to catch up because
the computers are always down. This is a fake Southeast Bank
card - except for slight variations in colors, they are almost exactly
the same. Obviously, any normal clerk in the business would have
great difficulty in attempting to find it. And if they were rather
careless, and the volume of business, and there was not a hot sheet
available for them to be looking at, the chances are they could get
away with it.
In addition, there are a lot more ways that they have been doing
it lately, especially with the collusion of clerks, salesclerk, owners
of stores, managers of stores.
Mr. Sawyer related to the new way of obtaining names, address
es, and credit card numbers, and that was to open up a mail order
business, invite people to mail in their orders and list their name,
address, credit card company, and credit card number by which
they could charge their purchases with this mail order business
when, in fact, the mail order business was nothing more than a
front to get those names, addresses, and credit card numbers. What
they were offering you for sale in the mail order was of little or no
value to either them or you. Then they opened up a phony compa
ny and used all this list of credit card numbers to obtain great
amounts of dollars.
However, we have just, in Florida, finished one of the largest op
erations and arrests of a major organized credit card ring which
 29

had organized crime involvement. Basically, it was a very simple

matter. It appealed to the most basic interests of those involved.
Greed was the motivation of the people that were not only formu
lating but also those people who were in fact involved, and they
were store owners, store managers, store employees. They just took
credit cards they knew were phony, ran the plates off, and shared
in the profit. That is basically all it was.
So you have it at every level, the most sophisticated level where
the average person is not involved, and you have it at the most
base levelwhere everybody is in on the take for some reason .
So I applaud both Mr. Fish and certainly Mr. Nelson from Flori
da, who was a leader in the early stages of having this kind of
problem viewed.
My concern is that when you have a situation like you do dealing
with some of the things as we do in terms of credit cards which are
so pervasive, and people have so many of them individually in
this -- literally hundreds of millions of credit cards in this country.
I am happy to be a cosponsor along with Mr. Fish , of this credit
card bill. But I am a little concerned about one aspect of it, and I
would like Mr. Fish's comments. On page 2, you deal with the
intent to defraud. That is, if you are inpossession of a number of
these fraudulent cards with intent to defraud, then you will be, as
suming convicted, you would be guilty.
I am curious whether or not you feel that intent to defraud is a
necessary item - whether or not you can make possession alone a
rebuttal presumption of guilt, why you need intent to defraud. I
don't think that that is a necessary incident in the law if you make
it a rebuttal presumption. I don't know if we are on page 2.
Mr. Fish. The distinction there, if I could reply , Mr. Smith , is
that there are two elements here. One is knowingly possesses with
intent to defraud or unlawfully transfers five or more fraudulent
payment devices as defined later in the bill.
Šo
So that you don't need the intent to defraud if it is actually
proven that you possess five or more fraudulent payment devices.
But I do think that if it is just a mere card that you are talking
about, or a slip, or whatever their payment device of the criminal
mind will devise in the future — and that is the reason for the broad
definition .
I think that if an innocent person ends up with the credit card
that has been misdirected or lost or stolen, that he never used, I
think you would have to show intent to defraud because there
hadn't been any defrauding by the mere possession.
Mr. SMITH. I understand. I know that there is always a problem
with the innocent recipient of a card through whatever devices
who doesn't know . The same people who buy Cadillacs for $4,000
brand-new and then they tell you they never knew it was stolen.
But my problem is this : knowingly possesses with intent to de
fraud or transfer unlawfully five or more fraudulent payment de
vices. Now, I would assume that fraudulent payment device is a
fraudulent credit card . You are talking about five or more, either
on a transfer or with intent to defraud.
I am asking you why you could not limit it to possesses five or
more fraudulent payment devices and, therefore, have a rebuttable
presumption rather than having intent to defraud having to be

38-178 0 - 85 - 3
-
 30

proven; have a rebuttable presumption that if you are in possession

of five or more of these devices you are per se in violation of the
law.
I don't think that covers transfer, or even you need to be con
cerned about that . Somebody that is walking around with a half a
dozen of these cards in their pocket, in my estimation, has no good
intentions nor are they carrying them to impress their friends.
I think that you ought to shift the burden-and it is allowable, I
believe, under the law - shift the burden to the defendant to show
that that was without any intentions and maybe without knowl
edge.
Mr. Fish. Mr. Smith, two things come to mind. First, let me just
say that I obviously defer to the subcommittee as to whether or not
they want to change this language. But the provisions of the bill
that is the counterpart introduced by the chairman and ranking
member, and my bill, on the penalties, is identical. That is why
didn't discuss it in my opening remarks.
But we propose some prettytough penalties here. Inthe case of a
single violation, punishment of up to $ 10,000, or imprisonment, for
not more than 10 years. Now, it goes up, to possession , for five or
more fraudulent payment devices or the possession of any device
making equipment, a fine of not more than $50,000 and 15 years in
prison.
So I do think that when we are talking about mere possession
that we are mindful that we are going into this thing with high
penalties because we recognize that it is not going to take the real
criminal very long to run up a tab of $10,000. So we thought that
level of penalties was appropriate.
Second, if we get into the question of white collar crime are they
going to beincarcerated at all? So, the fines should be appropriate
ly high to be a deterrent. Those are the factors that dictated the
high fines. I do think that there should be fraudulent intent when
you have mere possession.
But, as I said, this obviously should be a matter of consideration
by the committee.
Mr. HUGHES. Thank you , Mr. Chairman .
We are going to try to comply with the 5 -minute rule. We have a
lot of witnesses today and we would like to conclude at least by 1
o'clock.
The gentleman from Wisconsin.
Mr. SENSENBRENNER. I yield back the balance of my time.
Mr. HUGHES. Very good. The gentleman from Ohio.
Mr. FEIGHAN. Thank you, Mr. Chairman.
Let mejust ask one question, if I can, of Mr. Fish.
What do the credit card companies or the banks do today to pre
vent credit card fraud or credit card counterfeiting? Are you satis
fied that the efforts that they have made have been sufficient to
prevent what, obviously, according to the data and your testimony
which reports dramatically increasing incidence of both fraud and
counterfeiting ?
Mr. Fish. Following the next panel will be the representatives of
the major credit card companies who will be testifying on this ques
tion and I think, what they are going to say is that it is the new
technologies have overtaken the scope of prior laws. So, for exam
 31

ple, you can phone in a number, you can do all kinds of things,
such as the illustration that Mr. Sawyer gave of the fellow who
made a mint on this type of operation.
But really the same technology that allows for a quicker, more
convenient financial transaction is what makes it easier for the
criminal and subjects the system to abuse . So that there are no
laws today that deal, as I indicated, with what we are dealing with .
The statutes on the books today are restricted to cards them
selves. And I mentioned that one case we had the Callahan
case — which specifically limited the prohibitions in the acts to
transactions that involved credit cards or facsimile cards. In that
case, as I recall, Callahan used only the account number. And since
this fraud wasn't perpetrated by a card itself, the court said the act
didn't apply. That iswhy I say we need to go beyond the existing
law , and catch up with the criminal application of the technology
that we have put to good use. But I rely on the companies to go
into their own security features.
Mr. FEIGHAN . Thank you very much.
Mr. HUGHES. Thank you.
Thank you very much, Ham and Bill . We would extend an invi
tation to both ofyou to join us, if you would like. You both have
made major contributions to this whole area and we appreciate it.
Mr. NELSON. I would like to but if you will excuse me, I am sup
posed to be on another panel right now . I would invite any of you
who would like to join on H.R. 1092 as cosponsors — we have well
over a hundred and it is starting to move, and I would appreciate
it.
Mr. HUGHES. Thank you .
Mr. NELSON . Thank you.
Mr. HUGHES. Our next witnesses are a panel that includes Detec
tive Alex Ortega, who is with the Economic Crime Unit of Metro
Dade Police Department in Miami, FL, and Mr. Arturo Hoyo, an
incarcerated credit card violator at the Federal Correction Institute
in Tallahassee.
Detective Ortega has been with the Metro -Dade Police Depart
ment for some 3 years, the last year and a half of which has been
with a special credit card section which was set up at the request
of numerous Miami banks. Mr. Ortega owned his own business
prior to his current police employment, and before that he was a
securitymanager for a department store.
Mr. Ortega obviously is well qualified to discuss credit card
fraud .
Mr. Hoyo is presently serving a sentence, as I have indicated, at
a Federal correctional institute .
At this point I would like to make a few things clear. First, Mr.
Hoyo is testifying before the Subcommittee on Crime purely on a
voluntary basis and, as a matter of fact, at his own request.
We asked the Federal Bureau of Prisons to make him available
and they graciously acceded to our request in order to acquaint the
subcommittee with Mr. Hoyo's special knowledge of credit card
fraud .
We on the subcommittee have no intention of glorifying Mr.
Hoyo for his criminal activity and, in fact, his present incarcer
 32

ation, I think speaks loud and clear as to where criminal activity

eventually leads: to institutionalization .
Mr. Hoyo has indicated to the subcommittee a desire to partially
redeem himself and stated in his own words that he has a profound
knowledge of the various schemes used today to exploit credit card
and other facets of the economy.
So, we welcome you as a panel. First, let's begin with you , Mr.
Ortega. We have your statement and, without objection, will be
made a part of the record. You may proceed as you see fit.
TESTIMONY OF ALEX ORTEGA, DETECTIVE, ECONOMIC CRIME
UNIT, METRO-DADE POLICE DEPARTMENT, MIAMI, FL, AND
ARTURO HOYO, NO. 10849—004, INCARCERATED CREDIT CARD
VIOLATOR, FEDERAL CORRECTION INSTITUTE , TALLAHASSEE,
FL

Mr. ORTEGA. I am here today basically to explain to the panel

that the problems involved in credit card counterfeiting are in
creasingly growing throughout the United States, but more particu
larly insouth Florida or in the State of Florida.
If I may say, the cards you see before you there were made by a
silk screen process. Theywere all imprinted with the Farrington
embossing machine which I have brought one with me today. If
you would like to see one, I will show it.
The Metro -Dade Police Department, which put together a squad
of detectives to specifically investigate credit card fraud, began
over a year or so ago and since then we have noticed that cases
seem to be coming in faster than we can handle them.
It is a type of crime that is sophisticated and involves a growing
number of people that came on the Mariel boatlift in 1980. It would
be safe to say that 70 percent of the individuals involved in credit
card fraud in the south Florida area were recent arrivals from the
boatlift.
Now , we have noticed that, as in Mr. Hoyo's case, which was a
special case that what he did, as we said earlier, would solicit ad
vertisements in the Wall Street Journal. Mr. Hoyo, after he accu
mulated X number of account numbers, would then print them up
on plain pieces of plastics, as you have before you there, with the
machine .
The large amount of the frauds that we have occurring now in
south Florida is
Mr. HUGHES. Are these the cards we have ?
Mr. ORTEGA. Yes, sir.
Mr. HUGHES. You say you do have a machine with you ?
Mr. ORTEGA . Yes, I do .
Mr. HUGHES. Can you show us what you are talking about so
that we can view that as you are testifying ?
Mr. ORTEGA . Sure .
Mr. HUGHES. Now , what does this machine actually do?
Mr. ORTEGA. This machine, what it actually does, it imprints the
account numbers, names, and information that is on a legitimate
credit card. It printed that one there.
Mr. HUGHES. It prints something like this ?
Mr. ORTEGA. Yes, sir.
 33

Mr. HUGHES. With the number and name?

Mr. ORTEGA. The name and the lettering and the numbers on
there are very similar to the font style that is used by the industry,
with the exception of aa few numbers.
If I may say, just 2 or 3 months ago, as our unit was making sev
eral arrests on manufacturers of these credit cards, the criminals
involved in this type of organized crime broke into a business ma
chine company where they sell these to any legitimate business.
They broke in and they burglarized it and took six machines.
Along with the embossing machines that were taken there was an
in -coder taken . Now, an incoder is something where you can run
the credit card through the mag strip that contains the account in
formation on the cardholder; you can erase that information and
put in new information, and you can continuously use the card
over and over again .
Now , that particular machine has not been recovered even
though a few of the embossing machines have been recovered. A
major problem in south Florida and throughout the country, speak
ing to other police agencies, have been with an operation which is
termed a “bust-out” operation. A “ bust-out” operation is where a
merchant just opens a business for the sole purpose of submitting
fraudulent charges. They start a corporation under alias names;
they open a bank account; and they submit an average of $80,000
$ 90,000 in a few weeks period before they close shop and disappear.
The problem with the bust-out operations is that before the
banks or the card -issuing banks realize that they are counterfeit,
naturally the merchant has gone. We have encountered a problem
in the past and to date it is changing; the industry is making a lot
of improvements to assist law enforcement agencies in curtailing
this type of crime, and I emphasize not all, but certain card -issuing
banks throughout the country, when they sign up a merchant, for
instance, like Mr. Hoyo, and the merchant becomes a fraud mer
chant, they are susceptible to charge -backs for everything that
merchant submitted .
Now , the process that the card-issuing bank takes is that after
they have received, say, for instance, $ 50,000 in fraud charges, they
will then submit those charges to the card -issuing banks; in other
words, the bank that the card originated from .
Those banks in turn charge the customer and then the customer
replies he did not makethat purchase and, finally, somebody along
the line will have to suffer the loss .
It was, some time ago, beneficial for some banks not to report a
fraud merchant for fear of charge -backs. I want to emphasize that
has been changing slowly but surely, but there was a point that it
was more beneficial to the bank that would sign up the fraud mer
chant not to report it to the police for those reasons.
In the case of Mr. Hoyo, he submitted approximately $248,000
worth of fraud charges to the American Express Co. Mr. Hoyo's
process took approximately 8 days, 8 business days, to accumulate
this type of fraud .
Mr. HUGHES. What was the size of the fraud in 8 days? $240,000?
Mr. ORTEGA. $248,000 .
Mr. HUGHES. $248,000?
 34

Mr. ORTEGA . Yes, that is correct. That was not including the
fraud that was perpetrated on the west coast of Florida, I believe in
Naples, to anotherbusiness that Mr. Hoyo set up.
Another major problem we encounter in investigating these
types of crimes is as Mr. Smith pointed out, merchantinvolvement
as far as the criminal is concerned: There are hundreds, literally
hundreds of what we call runners, in the south Florida area that
go to businessmen and women just to solicit their business in this
type of activity. It is usually done at a 50-50 type split or usually
the merchandise that is to be taken is marked up tremendously for
the store owner makes a great deal of profit.
Our unit, currently investigating numerous merchants, have
noted that the majority of them right now are slacking off and
waiting for the Christmas season to arrive. They have mentioned to
some of our agents that they are waiting for the month of Decem
ber to come around in which they will "hit the bank ” for quite a
substantial amount of money .
Mr. HUGHES. When they work this kind of arrangement, do they
get actual names and numbers, or are they fictitious?
Mr. ORTEGA. No, Mr. Chairman , all the names that they acquire
are actual legitimate names and account numbers. One organiza
tion which we broke up, for instance, the leader was payingpeople
on the streets that had no jobs or anything — they would just pay
them $ 20 or $25 a day to go through garbage cans at night and ac
cumulate carbon copies of receipts.
This one particular individual which I just mentioned, after we
had arrested him our unit had arrested him several times — every
time he was in a different apartment with brand -new furnishings,
the life-style which follows: The Mercedes, the fancy cars, the jew
elry, and things of that nature.
This particular individual has admitted to me making over $ 242
million in the 3 years he has been in this country, just in this type
of crime.
They are blatantly going out there perpetrating this crime even
while out on bond. The bond for economic crimes usually is not
that high so it is not much of a deterrent, but they continuously do
it without any fear of punishment.
Mr. HUGHES. How widespread in your region is credit card
fraud ?
Mr. ORTEGA. Mr. Chairman, I have a rough list of over 300 mer
chants in the south Florida area are known to be accepting coun
terfeit cards. Now, there are many more merchants who are sus
pected of accepting counterfeit cards but as of now we have got a
list of around 300.
Mr. HUGHES. Do these merchants that accept counterfeit cards
use any of their own customers' numbers ?
Mr. ORTEGA. Yes, they do. In some cases they will have a person
that works inside a hotel, register, or a mall shopping center where
people with high limits on their accounts go to shop . And they will
pay these individuals behind the counter, the clerks, up to $10 and
$20 per carbon that they bring home with them. So these clerks,
instead of discarding them, naturally put it in their pockets and
their purses, whatever the case may be. They make $200 or $300 a
day, just bringing these carbons home.
 35

The people involved in this in south Florida, I may add, have

knowledge to the codes that are used on the credit cards. For in
stance, the digits, the first four digits on the cards usually will tell
you from what bank it is issued out of. The logo does not necessari
ly mean that, for instance, a Southeast card does not necessarily
mean that is a Southeast account number .
These criminals do know where the card is issued and if it is
from a South American bank, usually those cards have greater
credit limits, and they will look for those, and use those more read
ily than the others.
Mr. HUGHES. I would imagine it would be very difficult in an in
vestigation of one of these credit card frauds to establish that some
body is taking from their own establishment, certain receipts or
copies of the credit card receipts every night, simply because they
don't leave a paper trail of any kind.
Mr. ORTEGA . That is correct. As far as the merchant is con
cerned, we notice that it is the same merchants over and over
again. They close the store, they will reopen one 2 weeks later
under different names to do the same type of crime. But by leaving
a trail, or a paper trail, as you put it, Mr. Chairman , usually we
can connect when one counterfeit card runs through a business we
can connect other businesses that ran the same card, and that is
how we group our organizations. There are several groups in the
south Florida area and every time we do crack down and execute
search warrants, for instance, and recover some of these ma
chines - instances like what happened several months ago, where
they will break into a business machine and just take more and
keep embossing these cards.
I may add that the numbers that are embossed by the Farrington
machine in particular are very similar to the ones that the indus
try uses.
Mr. HUGHES. Mr. Hoyo, we welcome you also. I wonder if you
would in general, without naming particular victims or credit card
companies, tell us about your own activity in credit card fraud and
possibly discuss the schemes that you are aware of, for example,
how easy it is to institute these schemes.
Mr. Hoyo. Mr. Chairman, I have one page here that I would like
to read to you and then I would like to go ahead with the questions
you have.
Mr. HUGHES . All right, sure.
Mr. Hoyo. Mr. Chairman, distinguished members of the House
subcommittee:
A few words to introduce myself, and give you a brief outline of
my past and the motive of mypresence before you.
My name is Arturo Hoyo. I am 35 years old, a Cuban by birth,
and a naturalized citizen of this great country.
Presently I am serving an 8 -year sentenceat the Federal Correc
tional Institution in Tallahassee, FL, and as a very important and
vital part of my rehabilitation I appear before you.
In the past, and for the past 6 years, I have been involved in
many different sophisticated frauds; some of them with credit
cards.
By 1980, I was considered by the criminal world one of the top
sting artists in the United States. A variety of people came to me
 36

from other States and other countries to see me. They would ap
proach me with their ideas and these ideas, if I felt they had any
merit or could be improved, I would work out a deal at aminimum
fee of $100,000, up front; then I would put it to practical use and
improve on it if it was necessary.
Now, after realizing the wrongful past, I am changing my crea
tivity to the right way. I would like to fight legally, using my tal
ents, to get the white collar criminals who are presently defrauding
credit card companies and their innocent customers.
Plastic money has become a national nightmare for many banks,
business people, credit card companies, and their customers. Plastic
money is a real cancer which is growing daily in the United States.
It is more difficult to go to a bank in Miami and change a $100
check than do a “ sting” on a credit card company and make a
quarter of a million dollars in 8 days.
My only wish and desire is that in the near future I will not be
known as the best sting artist that everyone said I was, but as the
best specialist in fighting credit card frauds and other related
frauds that I will be; so my family and my children can once be
proud again of me .
I am sure you are well aware of my notorious past; and with no
reservation, I will try to help and answer all yourquestions.
Thank you , Mr. Chairman .
[The statement of Mr. Hoyo follows:]
STATEMENT OF ARTURO HOYO
Mr. Chairman, distinguished members of the House subcommittee, a few words to
introduce myself, and give you a brief outline of my past and the motive of my pres
ence before you.
My name is Arturo Hoyo, I am 35 years old, a Cuban by birth , and a naturalized
citizen of this great country.
Presently I am serving an 8 -year sentence at the Federal Correctional Institution
in Tallahassee, Florida, and as a very important and vital part of my rehabilitation
I appear before you .
In the past, and for 6 years, I have been involved in many different " sophisticated
frauds ''; some of them with credit cards.
By 1980 I was considered by the criminal world one of the " top sting artists” in
the United States. A variety of people came to Miami from other States and coun
tries to see me. They all approached me with their “ ideas” and if I felt that these
“'ideas” had any merit or could be improved, I worked out a deal at a minimum fee
of $ 100,000 up front; then I would put it to practical use and improve if it was neces
sary .
Now after realizing the wrongful past, I am changing my creativity to the right
way. I would like to fight legally, using my talents, to get the white collar criminals
who are presently defrauding credit card companies and their innocent customers.
“ Plastic money” has become a national nightmare for many banks, business
people, credit card companies, and their customers. “ Plastic money is a real cancer
which is growing daily in the United States. It is more difficult to cash a check at
the bank for $ 100 than do a " sting" on credit card companies and make $250,000 in
one week's work.
Although I was caught and convicted, it is not because the F. B. I. or the Dade
County Public Safety Department [Credit Card Squad) did their work and caught
me. I am here because a man that worked for me was arrested. Later, the attorney
that I hired to represent him , blackmailed me for $ 50,000; finally, the attorney and
the man worked out a deal with the government and sold me out.
Back in Cuba many years ago, someone very close to me told me that I was like
the phoenix bird and that I will have different cycles in my life; and that someday I
was going to be burned in the Temple of the Sun, like the phoenix did; that every
one thought I was dead, but out of the ashes I was born again , this time stronger.
How right he was .
 37

I have decided to change my ways and repay justice and the society in which we
live.
My only wish and desire is that in the near future, I will not be known as the best
" sting artist” that everybody said I was, but as the best specialist in fighting credit
card frauds and other related frauds that I can be; so my family and my children
can once again be proud of me and not ashamed as they are now .
I am sure you are well aware of my notorious past; and with no reservations
whatsoever, I shall try to help and answer all your questions to the best of my abili
ty, so help me God.
Mr. HUGHES. Would you tell us, first of all, how you got involved
in this scheme, and what the scheme was, without naming compa
nies or victims?
Mr. Hoyo. I don't recall the amount of victims. The first scheme
that I did , I made a quarter of a million dollars. The name of the
company was Check Guard Corp. This particular scheme—we run
just one ad at the Wall Street Journal, and within 2 weeks I made
a quarter of a million dollars.
Six months after that, I did the same scheme but a little bit dif
ferent. This particular scheme that I did first, I did what is called
through a mail order. I did not use this particular machine that
you see next to me. I didn't use any credit card. I just used the
numbers and the names of the people that called me to purchase
the particular items that I was selling at the Wall Street Journal. I
just fill it out by pen and send it to American Express—where it
said signature, I just put mail order, and they went ahead and paid
me a quarter of aa million dollars.
Mr. HUGHES. What did the ad in the Journal say?
Mr. Hoyo. That particular ad I was selling a color TV, AM/FM
stereo tape for $199. That particular TV cost me $220. I bought
only 50 of them, and I sent it to the people that were screaming
more at me.
Mr. HUGHES. And what did you do when people responded to the
ad
Mr. Hoyo. I went ahead and printed a card that says that I was
going to be a little bit late in my delivery; instead of it taking me 6
weeks, it will take me 10 weeks. If you didn't want that I will go
ahead and reimburse with their American Express; and that is ex
actly what I did. I sent everybody - I reimbursed through American
Express telling them I was very sorry I could not. But at that time
I already charged those people probably 10 times the amount of
money.
Mr. HUGHES. What advice do you have to people that write in to
ads like that to make sure that they don't get bilked out of $ 199?
Mr. Hoyo . I think you have tobe extremely careful who you buy
from in the mail order, extremely careful - you have to check this
company out. I want you to know that probably Mr. Ortega here
knows that in the second company that I opened up, I even had a
D&B report, which was Dun & Bradstreet report, this company
being opened 77 years. And we were probably worth $ 8 million, and
we have offices all over Florida. And if you check me out, this com
pany will be a very good and legitimate company, if you check me
out by paper, though .
Mr. HUGHES. You mentioned in your prepared statement that
you were approached by members of organized crime that were in
terested in your expertise.
 38

Can you share with us just how deeply involved organized crime
is in this whole area of credit card fraud?
Mr. Hovo. I think that in south Florida the problem with drugs
are getting to be very bad, so people are changing the way, and
criminals are going more into an easier type of market. And credit
cards are a very easy market. It is very easy to make a lot of
money with plastic money. And people are going to that market in
stead of going to other markets and there are people that with or
ganized crime that have been approached by themto go ahead and
do. As a matter of fact, after I was going to finish my American
Express job , I was going to go ahead and hit Southeast Bank for
about $4 million.
As a matter of fact, I would liketo tell you something else - I al
ready met with the people from the Southeast Bank . I told them
exactly what I was going to do this past Monday and they went
ahead and told me not to say anything because that still could be
done, and they would lose the $4 million .
I am trying to help them right now in stopping their credit card
fraud at the bank.
Mr. HUGHES. You indicated that you were asking a $ 100,000 re
tainer for your services.
Mr. Hoyo. That was in other frauds that I was involved in, sir,
and not in this particular-
Mr. HUGHES. Not in this particular area ?
Mr. Hovo. No, nobody wants to pay me $100,000.
Mr. HUGHES. That is what I understood , that you were basically
a consultant as well as your own entrepreneur.
Mr. Hoyo. Well, somebody would have give me the $ 100,000, I
would have go ahead and take it, but it was more profitable to do it
by myself than to get $100,000 from somebody else.
Mr. HUGHES. How long were you in the business?
Mr. Hoyo. Frauds or credit card frauds, sir?
Mr. HUGHES. Credit card frauds.
Mr. Hoyo . I was in about a year, less than a year.
Mr. HUGHES. Less than a year. And your most successful scam
was in a period of 7 or 8 days?
Mr. Hovo. I was making a quarter of a million dollars every 8
days.
Mr. HUGHES. Every 8 days?
Mr. Hoyo. Yes; I made a half a million dollars; from the second
scam-I made on the first scam half a million dollars. And I was
preparing my third scam for around $4 million or $5 million.
Mr. HUGHES. You had three scams altogether ?
Mr. Hoyo. No, I was going to, but I was stopped.
Mr. HUGHES. The third was interrupted ?
Mr. Hoyo. Yes, sir; it was interrupted .
Mr. HUGHES. It is your position now that this was fortunate.
Mr. Hoyo. Well, I am glad it happened, Congressman , believe it
or not .
Mr. Hughes. The gentleman from Michigan.
Mr. SAWYER. You apparently had quite a lot of preparatory edu
cation before getting into the credit card scam.
Mr. Hoyo. I guess I was a professional con artist, sir; that's what
you call what I was.
 39

Mr. SAWYER. For how long?

Mr. Hoyo. For 6 years.
Mr. SAWYER. And did you make a lot of money at these other
ones, too, while you were building up to the credit card?
Mr. Hoyo. I will let Mr. Ortega let you know about that. I guess
I lived pretty well, sir.
Mr. SAWYER. In a newspaper article I read about one of your two
credit card scams indicated that none of the moneys or properties
had ever been recovered .
Mr. Hoyo. The properties are the credit card. Those I threw in
the ocean. The money has not been recovered, no.
Mr. SAWYER. Where is the money ?
Mr. Hoyo. I don't have any money, sir. I don't know where the
money is. I spent it.
Mr. SAWYER . What did you do with it?
Mr. Hovo. I lived very wealthy in Miami. I lived in half a million
dollar homes; I have very expensive cars, and very expensive taste.
Mr. SAWYER. I presume all this money was tax-free, too, right?
Mr. Hoyo. Yes, sir ; I haven't been charged yet.
Mr. SAWYER. You didn't pay any income taxes on this, I assume?
Mr. Hovo. No, sir; I don't have any money to pay income taxes.
Mr. SAWYER. I yield back, Mr. Chairman.
Mr. HUGHES. The gentleman from Florida, Mr. Smith.
Mr. SMITH. Thank you , Mr. Chairman.
Let me just compliment Detective Ortega for being here today
and I am aware of his work . We are very proud of people like this
who are dedicated to trying to root out people likethe gentleman
sitting next to him .
I think your flip answers to Mr. Sawyer's comments basically
show the kind of person you really are, Mr. Hoyo. I don't think you
have a care in the world about anybody that you are taking from
or the fact thatthere are innocent people who frankly get caught
up in schemes. You think this is a big joke, and that everybody is
open to your schemes.
If I know anything about anything at all, and I think I know a
little bit, you have got a whole pile of money somewhere. I would
just love to have somebody discover where that pile is. Your rotten
schemes have cost a lot of people, a lot of innocent people, an awful
lot of money . Your high -living life-style was at other people's ex
pense .
Mr. Hoyo. Sir, can I answer that?
Mr. SMITH. Detective Ortega, you have a tremendous amount of
ongoing investigations with reference to these kinds of operations.
You have allowed the fact there is a scheme among merchants, or
at least one or two people, who branch out.
Do a lot of them use the fraudulent cards or do a iot of them mix
fraudulent cards with carbon copies? In other words, are there
some who go for one particular kind of scheme against paying for
carbons and using numbers off carbons, or using fraudulent cards?
Mr. ORTEGA. Mr. Smith , the way to obtain account numbers still
remain the same: either going through garbage cans, or having an
employee that works at a financial institution such as a bank that
has access to the computers which brings up account numbers. I
may add, that those sources are very good in the sense that they
 40

are selective in what account numbers they bring up the ones

with the highest limits, whether it be a Gold Card which has up to
$25,000 limits or a regular card .
The merchant, at one point in the south Florida area, was using
just the plastics, that means without any logos, just the plain piece
of plastic.
Mr. Smith. The imprinter?
Mr. ORTEGA. That is correct.
Now , after the bank investigators, and the police investigators
started going to these merchants, for some reason or another they
decided to only accept the silk screens. I guess in their conscience,
knowing that the card is still bad, they could say to the investiga
tor, well, it looked legitimate to me. They feel they are not lying.
They know in the back of their minds we have made several pur
chases where these merchants know they are bad—they refer to
them as Mickey Mouse cards. They know they are completely not
legitimate, let's say, and they will still accept them , rationalizing to
themselves that they are doing absolutely nothing wrong.
Mr. SMITH. Are there a lot of legitimate businessmen who, there
fore, succumb just to the temptation to make additional dollars ? In
other words, are there more people in opening up illegitimate busi
nesses to funnel through illegal credit cards and take the money
and run, or are there more legitimate businessmen who are using
what they know are illegitimate credit cards but stay in business
they are not bust-out schemes, they are strictly legitimate business
men? You know, where is the line going to be ?
In other words, is there more money being lost in the illegiti
mates or money being lost to the legitimate guys who are process
ing illegitimate claims?
Mr. ORTEGA. In my opinion and with our files that indicate that
there is more money being lost with the legitimate businessmen ,
due to the economy or whatever excuse they will say to themselves.
There are businessmen in Miami who have had their stores for 5,
7, 10 years, and all of a sudden start accepting fraud. A merchant
that 1 month, or throughout the whole year, maybe deposited
$15,000 in charges, and in a 20 -day period deposit $ 30,000 to
$40,000.
Mr.Smith. Do the banks pick up on that? You see, part of what
Mr. Hoyo said and part of what you told me, and part of what I
know myself, leads me to believe that some of the companies frank
ly have rather less than rigorous standards that they adhere to
when they look at these things.
He was able to open up a business and start submitting from
scratch gigantic sums of money in terms of the credit cards going
in and they were being paid. Obviously, the companies did not
question him and say, you are a new business and just off the
street, you are processing all this.
What is happening? Isn't there a computer that is checking on
the computers paying out?
Mr. ORTEGA. There are now certain security measures taken by
some of the card -issuing banks in south Florida and the company
Mr. Hoyo defrauded the money from in which they have an active
system in their computers that when high volumes of sales start
being deposited through the business it would raise a flag and then
 41

they would question it. But sometimes in a business that has high
volume in credit card charges, they won't even question it because
it will be mixed up - say, 30 percent of the charges that are going
through a particular store that has high volume of credit card pur
chases, they won't even be questioned .
Mr. SMITH. Thank you, Mr. Chairman .
Mr. HUGHES. Mr. Hoyo, you wanted to respond.
Mr. Hoyo. I just want to say that I don't have, sir, I mean, any
money. I was just responding to Mr. Sawyer where I have the
money. So I would like to respond to Mr. Smith, if he ever found
this money, and know where it is, he can keep all the money, be
cause I do not have any money .
Thank you, sir.
Mr. HUGHES. The gentleman from Florida, Mr. Shaw .
Mr. SHAW . Thank you, Mr. Chairman.
Mr. Ortega, I would like to ask you this question and then I
would like to pose the same question to Mr. Hoyo.
Is there any way that the American public can protect them
selves from their number and their name being used in such a
scam, keeping in mind the numerous people that have access to
our credit card numbers, whether it be a carelessly left receipt in
the ashtray of a car that is pulled out in a car wash ; whether it be
the man at the gas pump; whether it be a clerk at a store; whether
it be someone shuffling through a garbage can? Is there any way
that the American people can protect themselves from the use of
their name and number ?
Mr. ORTEGA. Unfortunately, Mr. Shaw, the answer to that is no.
There has been certain measures that the industry and the police
departments have asked the public to take, such as asking the
store to have the carbons so that they could retain the carbons;
check your bills when you get your statement at the end of the
month. But to somebody that needs and wants these account num
bers there is always a way. If not through the garbage picking that
they do, it is to an employee that worksat any kind of store.
A major problem thatwe are seeing now is the car rental agen
cies. Our supervisor, Arthur Stack, has had meetings with the As
sociation of Car Rental Agencies to let them knowabout a major
source of account numbers that is being distributed in south Flori
da and eventually will reach New Yorkand Los Angeles — through
out the United States.
As long as there is a person that is willing to take money and
supply these account numbers to the criminals, there will be access
to these account numbers.
Mr. Shaw . Do you agree with that, Mr. Hoyo ?
Mr. Hoyo. Yes, sir; it is very difficult. I will have to agree with
almost everything he says. There are methods, though, that people
can prevent, like I say,, trying to physically use the mail order,
trying to know this company, trying to makesure that this particu
lar company has done this for several years and he knows for a
fact that a next door neighbor or whatever, he has bought from
this company, because, otherwise, it will be taken .
Mr. Shaw . Let me concentrate just a minute on the mail order
and I want to go back to the direct purchase because I think there
is a possible difference here.
 42

If the mail order company is required by the credit card compa

ny to wait until after the billing to get their funds, wouldn't that
cut it off ?
Mr. Hoyo. The way that I set it up with this particular company,
they were paying me every 3 days. They were sending me a check .
I was submitting between $ 20,000 and $ 30,000 a day and they were
paying me every 3 days. I was getting a check almost every day
after Istarted the company. I was getting paid almost immediately.
Mr. SHAW. Now, if you were having to wait, say, 60 daysfor your
money from the credit card company,that would be after their bill
ing cycle, so that their customer would have an opportunity to re
ceive this charge on their bill .
Mr. Hoyo. That is a greatidea, sir.
Mr. Shaw. Do you think that would work?
Mr. Hoyo. There is no way that if they do that, there is no way I
can be able to collect any money whatsoever because at that time
then the credit card company, all the customers will know that this
particular person has not got his merchandise and then we will go
ahead and stop the transaction .
Mr. SHAW. It would appear to me that we are in the dark ages of
the credit card business at this particular point and that the credit
card industry is about ready to be on the edge of a collapse if some
major overhaul isn't done. Not only with what I have just men
tioned with regard to the use of collection in instances when a
number is used rather than the actual card, but the physical
makeup of the card .
Perhaps what we should be looking at is some type of an electro
magnet type of reading such as we have in our night depository
systems which would have to be used with such cards so that the
number would not be readily available. And perhaps through bill
ing such as this and use of such devices back to the credit card
company where the merchant himself would never really know
what the number was, that there would just be some type of a
printing that could not be read on the slip that would go in that
could be double checked .
It would appear to me that the use of the actual card such as
those that all of us are familiar with; those that have been distrib
uted to us here today, perhaps this is as archaic as a manual type
writer in today's type of business world.
Would you care to comment on that?
Mr. ORTEGA. I would tend to agree with you, Mr. Shaw.
The problem is, though, that in the billing cycle, this 30- or 60
day billing cycle, that might be a good idea, say, the merchant
would not get his funds until that period is over where the card
holder can examine his or her bill and say they did make the pur
chase.
The problem with that is that on many occasions even though
the merchant gets the money that he fraudulently deposited in his
account, once they make the deposit, I believe that the bank clears
it within 2 days — they withdraw the money, and that is usually the
way it is done.
Now, after the 30-day period where the customer contacts his
bank and says I didn't make this purchase; that bank contacts the
merchant bank and says my customer didn't make that purchase;
 43

and the merchant bank goes to the merchant itself and says, you
know , this purchase was never made here. It is then the bank's
word against the merchant.
Mr. ŠHAW. I understand that but I think the value of this would
be in the situation Mr. Hoyo and his television sales, that all of a
sudden the credit card company would become aware that there is
a quarter of million dollars worth of sales that are being disputed.
And in that instance they could close down very quickly on it and
withhold payment and take emergency action .
One or two cries that say I didn't receive it, or the merchandise
was faulty, or some complaints that I am sure credit card compa
nies get regularly, would not raise such an action that they would
probably go ahead and disburse on it anyway if they have some his
tory with this particular customer.
Would it be a way to at least find out that there is a large
volume of denials coming through prior to the disbursement?
It appears to me that the only reason that credit card companies
are really in business today is that the majority of the American
people just don't realize how easy the fraud mechanism is to be put
into place. We are going to have to — the industry itself, and per
haps Federal law, also - is going to have to adjust to today's tech
nology and today's criminalmind.
Mr. Hoyo. Yes; I have to agree with you . I also believe that the
people at the credit card companies, they are not well organized.
They don't really know how to deal with this particular problem .
OK?
As a matter of fact, I was the one that called in to get the num
bers, you know, the code numbers, approvals, on this particular
thing that I did. This particular guy came on the phone and says, I
want to speak to the customer. I told him, the customer is not here.
I have to pick him up at the airport. Then, you know, if you have
answers to these people and they don't really know how to act, this
is the time that you will get them.
Another thing, also , that I think that shows up, this particular
company has a panic button that I will call. And they push this
panic button sometimes too early. So when I call panic button ,
then is when people like myself are nolonger going to be there. So
Mr. Ortega can catch me. That is exactly what I did in one of the
he can probably comment on that, I pressed the panic button . I
knew something was wrong. They did not send me a check for
$ 147,000. I went ahead and took all those names and numbers to
another company that I opened up and I then hit them for more
money .
Mr. SHAW . The same names, the same people, the same cards ?
You just shifted names of your business and there was no cross
check that would pick you up on that?
Mr. Hoyo. Yes.
Mr. Shaw . And the same credit card company?
Mr. Hoyo. Yes, sir.
Mr. ORTEGA. Mr. Shaw, what Mr. Hoyo is referring to is that the
credit card company in question here submitted these checks to
Mr. Hoyo's company every 3 days, a computer would send out a
check. What happened was when the company realized the account
was flagged, saying that it is possible this is a fraud merchant
 44

when this was realized,, they stopped all payments immediately.

When Mr. Hoyo stopped receiving his check he closed up shop and
disappeared.
Our unit executed a search warrant at his business one day prior
to him leaving. He had emptied out the whole store.
The mere contempt by these individuals, apart from the ones
that use this money to fund drug runs or the drug activity which is
closely related in south Florida one to the other - apart from those
the mere contempt for the laws and statutes currently in our State,
and my State, is that they fear no punishment. In other words, a
codefendant in Mr. Hoyo's case , while outon bond pending trial on
State and Federal charges, committed the identical fraud for a
quarter of a million dollars - identical.
-

Mr. HUGHES. What was the amount of the bond?

Mr. ORTEGA. The amount of bond on Mr. Hoyo and his codefen
dant on the State charges was $ 50,000. We asked, naturally, for a
higher bond - it was setat $50,000. When he was arraigned in Fed
eral court I believe it was $100,000 for the initial fraud scheme in
volving the business he had set up in Miami. While out on bond
the co -defendant perpetrated another fraud which we are currently
investigating. But Mr. Hoyo attempted to defraud a bank of addi
tional money in which he was apprehended, then his bond was set
at $ 1 million .
Mr. SHAW. I understand that Florida has among the best laws in
the country, as inadequate as they may be, it is among the best of
any of the other States; is that correct ?
Mr. ORTEGA. That is correct, Mr. Shaw , but, unfortunately, as
you are well aware of the problems with our jails and things of
that nature, nonviolent criminals tend to go-
Mr. SHAW . Is my time expired, Mr. Chairman ?
Mr. HUGHES. It has expired.
Mr. SMITH. Mr. Chairman, if I could just ask because I think this
will come up with the next panel and I am curious to get an
answer from them , I would like to ask Mr. Hoyo now. If, in fact,
you closed up shop when those checks stopped coming to you and
you immediately went and used those same names and charges and
numbers, et cetera, with another business; did that other business
exist already, because you have to go and contact the credit card
companies in order to be an authorized merchant to get yourself
into this mess?
Mr. Hoyo. Mr. Smith, that is very good that you point that out
because what I did, I had noticed that there was some sort of inves
tigation and what I have done is I bought a company that already
had business with the credit card company.
Mr. Smith.So you boughtthe authorization ?
Mr. Hoyo. That is right, sir.
Mr. HUGHES. Is there any check, Mr. Ortega, once that happens?
In other words, once a business transfers, can another company
come in and make another examination to determine whether or
not they are reputable merchants?
Mr. ORTEGA. The particular banks have their own format or
their own system on how they operate when they open a merchant.
I believe it is part of the industry's policy that when a merchant
 45

opens up they have to go out and check that it is a business. But in

most cases I would like to emphasize that it is not an empty store.
Mr. Hoyo, for instance, did purchase just a corporate structure
with no inventory whatsoever, just the name of the business. In 90
percent of our cases where these businesses open up and close con
stantly , these people, with the moneys they make, they invest
maybe $ 20,000- $ 30,000 in some sort of inventory, usually clothing,
because it is software, it is very easy to transport. And they will
just go to a store, put a deposit for rental; set up shop. When the
salesperson from the bank comes out, they see the store — it is le
gitimate, it is open — the signs, everything looks rightto them. And
they give them the authorization to accept VISA or Master Charge.
Mr.HUGHES. How long have you been a member of this special
unit? My understanding is it is unique.
Mr. ORTEGA. The unit was put together sometime in August
1982.
Mr. HUGHES. Do you see any improvements in the procedures
used by credit card companies during the period of time you have
been in existence?
Mr. ORTEGA. Yes; I have. The credit card industry is drastically
changing a lot of their procedures as far as investigating these type
of crimes. The local card -issuing banks are hiring more investiga
tors to assist us because a lot ofthese investigations involve a lot of
detailed work such as going through papers and checking deposits.
They work hand in hand with us in obtaining records that we need
vital to prosecution.
Mr. HUGHES. Thank you very much. We appreciate the contribu
tions that you have made today and trust you will have a safe
return back to Florida.
Mr. ORTEGA. Thank you very much.
Mr. HUGHES. Our next panel consists of Bernard L. Siegel and
August Bequai. Mr. Siegel is chief deputy district attorney for
policy and planning, and deputy district attorney for investigations
in the Philadelphia district attorney's office. Heis also executive
director of the economic crime project of the National District At
torneys Association .
Prior to his present position he was deputy attorney general and
special prosecutor for Philadelphia, and first assistantdistrict at
torney of Erie, PA .
He was also in private practice in Erie from 1963 through 1972.
Mr. Siegel is a member of the Pennsylvania Supreme Court, and
has graduated from Brandeis University with a bachelor of arts
and Harvard Law School with a doctor of laws degree.
Mr. Bequai holds a L.L.M. in criminal law from the George
Washington University, a doctor of laws from American Universi
ty; and a master's degree, as well as a bachelor of arts degree from
New York University .
He is presently practicing law in Washington , DC, specializing in
the areas of lawand technology.
He is a former prosecutor and a consultant to the Senate and, as
such , was one of the early architects of the Federal Computer Sys
tems Protection Act.
He has also written and lectured extensively on computer and
white collar crime.

38-178 0 - 85 - 4
 46

I am delighted to have both of you with us, gentlemen. We have

your statements which, without objection , will be made a part of
the record; and we hope that you can summarize.
Why don't we begin with you, Mr. Siegel?
TESTIMONY OF BERNARD L. SIEGEL, DEPUTY DISTRICT ATTOR
NEY FOR INVESTIGATIONS, PHILADELPHIA, PA, AND EXECU
TIVE DIRECTOR, ECONOMIC CRIME PROJECT OF THE NATION
AL DISTRICT ATTORNEYS ASSOCIATION, AND AUGUST BEQUAI,
ATTORNEY AT LAW, WASHINGTON, DC
Mr. SIEGEL. Thank you , Mr. Chairman .
I, obviously, am not going to be as dramatic or provocative as the
last of the speakers but I think I bring a perspective here that is a
little different than you heard before.
I am here to represent the National District Attorneys Associa
tion, which is the umbrella group for all of the local prosecutors in
the United States, and in particular a segment among that group
that engages on a regular basis in white collar crime investigation,
the members of the economic crime project and the metropolitan
prosecutors of this country.
Any time that there can be Federal legislation in an area which
is causing us grave concern, we welcome it. So as a general proposi
tion we welcome the proposed legislation that is in front of you for
consideration today.
In July, I conducted a National Economic Crime Conference in
Philadelphia at which were in attendance many of the representa
tives of the largest offices at the local level in this country. They
talked about some of the increasing concerns we have in the white
collar crime area.
The most easily identifiable problem of concern today in the
white collar crime area to the members of the conference was the
problem of credit card fraud. It is not that weare incapable of deal
ing with it on a local level, but that the sophistication of some of
the forms of credit card fraud as you obviously just heard, becomes
so great that it had outstripped the ability of local prosecutors to
adequately deal with the problem .
This was also reiterated at the Annual meeting of the National
District Attorneys Association . What we recognized was that we
can deal with the isolated instance of local fraud or a local ring;
with the fraudulent merchant who will accept credit cards knowing
that they are stolen, or believing that they are stolen. But what we
cannot cope with and what we cannot deal with in an adequate
way are the interstate rings, the groups that can move cards across
State lines with great rapidity and can cause incalculable damage.
The reason that we can't deal with it on a local level is obviously
because our jurisdiction stops, as was indicated by Mr. Fish, at the
State line. We cannot marshal sufficient resources; we do not have
the manpower; we do not have the funds to go beyond that. That is
why we welcome a Federal statute that would provide for Federal
involvement in investigating and prosecuting these more sophisti
cated rings.
Now, one of the concerns we have any time there is a Federal
criminal statute that is passed, however, especially in the white
 47

collar area-is that the statute be designed in such a way as to

make it clear to the Department of Justice that Congress intends
and desires a very substantial effort on their part in the field .
I say that because what we run into constantly, at the local level,
is an attitude on the part of U.S. attorneys' offices as to what cases
they will or will not take in spite of the existence of the Federal
legislation.
If Congress does not strongly express what specific levels of
crime it intends for the U.S. attorney's office to prosecute, then
they exercise what amounts to carte blanche discretion in deter
mining which cases to accept and which to decline. It is for this
reason that from the local perspective it would seem to me that set
ting a threshold level, as I believe was set in the proposed H.R.
3570 which states to the Department of Justice the specifics and so
phisticated nature of the crimes that you want investigated, is per
haps the most appropriate way to go. This is the proposed statute
that sets a threshold limit of 10 cards and/or $5,000 in actual goods
and services or money that is stolen.
That statute seems to provide a direction, in that it isn't just
credit card fraud that is in question, but it is a particular kind; it is
a particular sophisticated kind. And it is the kind that the Federal
Government is uniquely in a postition to deal with, as opposed to
local government.
Working in tandem that way, I think that local prosecutors can
begin to address, with Federal authorities, the whole overriding
issue. To the extent that there is fallout, to the extent that there is
declination on the part of U.S. attorneys offices, to the extent that
they fail or refuse to prosecute, then the problem will continue to
exist. And the problem will continue to fall on the local prosecutor,
most of whom-and I am talking now more from the perspective of
those offices that have the capability to do this, the metropolitan
office - most of whom will try to pick up those kind of cases even if
they are inadequately staffed in order to do so.
It is also one of the reasons why the proposal—I believe it is also
the same bill, 3570—to include the Secret Service as one of the in
vestigating agencies is also welcome from the standpoint of the
local prosecutors. This is because the Secret Service, as I indicate
in my written remarks, is one of two Federal investigating agencies
that really works the closest with local prosecutors. Thus, whatever
act is passed, to the extent that the U.S. attorneys offices were to
decline prosecution; we could expect that with the Secret Service
or if it involves the Postal Inspection Service, for example, in the
utilization of mail fraud statutes — we could expect cooperation and
assistance from those agencies, whereas, we do not receive at a
local level, the cooperation of some other investigative agencies at
the Federal level once it has been determined there will be no Fed
eral prosecution.
With those remarks, Mr. Chairman, I thank you for allowing me
to appear.
Mr. HUGHES. Thank you, Mr. Siegel.
[The statement of Mr. Siegel follows:]
 48

TESTIMONY OF BERNARD L. SIEGEL, DEPUTY DISTRICT ATTORNEY FOR

INVESTIGATIONS OF PHILADELPHIA AND EXECUTIVE DIRECTOR OF THE
ECONOMIC CRIME PROJECT OF THE NATIONAL DISTRICT ATTORNEYS
ASSOCIATION

Thank you for the opportunity to testify today on proposed

legislation to strengthen and increase the federal presence in an
area of criminality that has reached staggering economic
proportions ... the problem of fraud through misuse and abuse of
credit and debit cards . As previous witnesses before this and

other committees have made abundantly clear , fraud in the use of

credit cards now .exceeds $ 1 billion annually . The bulk of the

burden of investigating and prosecuting such offenses falls

substantial degree on understaffed and underresourced local
prosecutor's offices in spite of the interstate sweep of much of
this growing area of criminality . It is from the perspective of the
local prosecutor that I wish to address you . However , before

proceeding with my substantive remarks , I think it important to

briefly detail for you the nature of the constituency on whose
behalf I appear before you today .
In 1973 , the National District Attorney's Association ,
recognizing that the proliferation of white - collar crime and
corruption was causing increasing problems for local prosecutors ,
formed a national demonstration project to assist in these areas .
This project , designated the Economic Crime Project , was an
association , within the structure of NDAA , of those local

prosecuting offices across the country that had separate units

designed to combat white - collar crime . Its goals were to provide
 49

funding for the development of new economic crime units in local

prosecutors' offices and for technical assistance through the
formation of task forces , training seminars , publications and
conferences .

During the period 1973 to 1980 , the Project was run from
the headquarters of the National District Attorney's Association ,
then located in Chicago . The Project received $ 5.3 million from
LEAA over this period . As a result of this funding and its method
of operating , the Project was considered by LEAA to be one of the
Trost viable demonstration projects which it funded . During the

funded period numerous benefits floved to the meinbership , including

sixteen manuals covering various areas of white - collar and consumer
fraud ; a bi -monthly law digest was published and distributed to
approximately 2,000 law enforcement agencies per year ; over 1
million public awareness brochures were published and distributed ;
four national conferences per year were held ; and highly experienced
investigative accountants were hired and nade available to local
prosecutors who otherwise lacked such resources . From 1973 to 1980

membership grew from 15 to 69 local prosecutors offices , serving 40 $

of the United States population .
In 1980 , when LEAA funding expired , the individual office
members of the Project , in conjunction with NDAA , voted to continue
the Project and to relocate it in the Philadelphia District
Attorr.ey's Office . While initially , it was agreed that this
arrangement would last for only two years , until December 31 , 1982 ,
unless substantial federal funding were re - instituted , the interest
 50

and enthusiasm of the Project members has led to the continuation of

the Project for the foreseeable future , although at a funding level :
amounting to less than 1 % of the prior LEAA budget . This has caused
a severe limitation on Project activities , since the budget allows
for only one paid staff coordinator to coordinate the flow of
information , collect statistics , prepare newsletters and serve as a

clearing house for problems of coinnon concern .

In spite of the fact that membership has now leveled off
at 34 offices , the Project nonetheless makes its work product
available to all interested local prosecutors , with particular
emphasis on the 82 metropolitan prosecutor's offices , i.e. offices
with constituencies of 500,000 permanent population or more , who
are all invited to participate and contribute suggestions and
ideas . The Project is still the only national - level clearing house
for local prosecutors faced with serious white - collar crime
problems , and , in keeping with this function , a National Conference
1

was held in Philadelphia on July 13-15 , 1983 . At this conference ,

a major topic of discussion was the problem of credit card fraud as
an increasingly time - consuming , resource - using area of
investigative tools and manpower .
What makes the foregoing review of the history of the
Project and its recent National Conference relevant to the concerns
of this subcommittee is the fact that at the same time that the key
source of funding for both the Project and for the individual
efforts of its constituent members , LEAA , was abolished , the
policies of the U.S. Department of Justice were undergoing a
 51

change of emphasis whereby the federal presence in the

investigation of white - collar crime was diminished . Accordingly ,

the burden of investigating and prosecuting white - collar crimne ,

including sophisticated rings engaging in interstate credit card
fraud and counterfeiting , has fallen harder on the offices of state
and local prosecutors than ever before . Yet , as stated , the

ability to deal with this increased level of sophisticated problem

has lessened as the problem has grown .

It is thus with great interest and support that the

members of the Economic Crime Project and metropolitan local
prosecutors offices in general view the proposed legislation to
increase and strengthen the role of the federal law enforcement
community in this volatile and highly significant area of economic
crime . The largest area of consensus among our nembers was the
need for a strengthened federal power in dealing with interstate
rings of stolen and counterfeit cards and other debit and credit
devices , which the proposed legislation clearly addresses . Not

only are the dollar losses the highest in such criminal activities ,
but the speed and sophistication of the criminal element outstrips

the ability of the local prosecutor to track down and locate both
the victims and the perpetrators . Moreover , once the criminality
has been determined , the local prosecutor faces an enormous , often

unattainable financial obligation , to transport experts and victims

and to extradite defendants , that can outstrip the budgetary

constraints of even the well - funded offices .

Thus , legislation giving greater powers to federal

 52

investigating agencies and the respective u.s. Attorney's Offices

to more easily investigate and prosecute persons who affect
interstate commerce through the use of fraudulent cards or other
access devices used to facilitate entry into bank accounts and

sales departments is viewed as a positive step by local

prosecutors . Moreover , creating severe penalties for violations , as

the proposed statutes do , serves a valuable dual function it

serves notice on the criminal comnunity that this form of white

collar crime will be considered as a serious matter to be dealt

with in a meaningful way , and it also serves notice on the

Department of Justice and federal investigating agencies that
Congress intends for these crimes to be pursued and resolved as a

high priority matter .

This latter point , i.e. impressing upon the federal
agencies the seriousness of the offense in order to enhance their
willingness to proceed with investigation and prosecution , is made
in order to point out an inherent weakness that exists in any
federal criminal statute passed by Congress . Clearly , the only way

in which an increased federal power in the area of credit card fraud

will be of assistance to law enforcement at all levels is if the

U.S. Department of Justice , and the investigating agencies that work

with it , in fact investigates and prosecutes violations of the law .
However , traditionally each local U.S. Attorney's ge

area of discretion in which to formulate po ?:

cases each office will accept or decline ť :

federal investigating agencies . As indica carrier ,
 53

comic-ment of the Department of Justice , as ommunicated to its;

cor

constituent agencies , has been to reduce the so - called "war on

white -- collar crime " , an arena in which interstate credit card
counterfeiting rings clearly falls . Thus , while Congress may , in
fact , legislate more severe penalties and easier access routes for
federal investigative involvement in dealing with this growing
species of crime , such actions can be rendered moot and meaningless
if those agencies under whose aegis investigation and prosecution
would take place should simply choose to decline , except perhaps in
the most newsworthy instances . This expression is by no means
cynical, but is based on long and objective experience by myself and
others active in the prosecution arena . Moreover , when the federal
agencies , having commenced an investigation , then choose to exercise
their right to decline prosecution , an increased burden is placed on
the local prosecutor , since the only alternatives to a federal
declination are to either let the case simply die or for the local
prosecutor to take it over . Because federal declinations are often
not based on the merits of the case but on the dollar amounts or
numbers of persons involved , there are many meritorious cases which

will otherwise drop through the cracks unless the local prosecutor
picks them up . In picking these cases up , however , ( which most
respor sible local prosecutors now do rather than give some .
significant criminals what amounts to a " free ride " ) , the local
prosecutor finds himsef not only back in the same position referred
to previously , i.e. understaffed and underfunded , but actually often
in a
worse position . The investigation will have commenced , certain
 * 54

critical and binding investigative decisions will have been made and
the federal agencies involved , in particular the F.B.I. , will refuse .
to assist the local prosecutor in picking up the pieces , as a matter
of departmental policy .
The point in highlighting both the strengths and potential
weaknesses of the proposed legislation from the viewpoint of the
local white - collar prosecutor is not to denigrate what we believe a
viable , important step to be taken by Congress . However , we wish to
stress the fact that without a firm comnitment by the Executive
branch to give high priority to enforcement of the proposed
legislation : what could be a great boon could quickly turn into a
burden . In this regard , I think it significant to note that in one
of the proposed statutes , investigative authority would be given to
the Secret Service . Over the years , the two federal investigating
agencies which have worked the closest and best with local
prosecutors have been the Postal Inspection Service and the Secret
Service . To the extent that both of these agencies would be
involved in credit card investigation efforts , some of the adverse
impacts caused by federal declination policies might be avoided .
In conclusion , I want to reiterate that , from the

standpoint of the local prosecutor , and in particular the

metropolitan prosecutors offices , the proposed pieces of
legislation are needed , desirable , and , if utilized properly , very
welcome acts to relieve a burden on us that we are finding

increasingly difficult to meet . However , law enforcement is not

easily capable of categorization into concerns that are purely
 55

loca : as opposed to these that are national . Accordingly , because

historically every federal criminal statute carries with it a

significant amount of local fall - out , and because at present local
prosecutors receive little , if any , federal assistance in dealing
with white - collar crime , I believe that Congress should consider
inclusion of provisions for local assistance in any legislation
dealing with white - collar crine . These provisions can take various
forms , including , for example , the creation of national clearing
houses to disseminate information on credit - card rings and methods
of establishing their existence and location ; or the setting aside
of funds and /or personnel to assist local prosecutors in following
through on investigations which are dropped by federal authorities .
I feel optimistic that with the proposed legislation , coupled with
provisions to assist local prosecutors in picking up what federal
agencies decline , we can begin to have an impact on this most

serious economic problem at all levels of the law enforcement

Conunity .
 56

Mr. HUGHES. Mr. Bequai ?

Mr. BEQUAI. Thank you, Mr. Chairman, for inviting me to speak
on this matter. I have already presented a written statement. I am
just going to address several issues.
First of all, I think H.R. 3570 is pretty much ontarget. I think it
is on target because it addresses the coming problems of the cash
less society .
We have heard testimony today, but little on electronic funds
transfer systems and basically that is where our facility is moving.
Fortune magazine, I am sure you have seen it, had an article on
VISA and the International EFT network that VISA is contemplat
ing.
Having said that, I feel H.R. 3570, with its reference to computer
crime with and a broad definition of access devices, is on target.
However, I would like to elaborate a bit on what I really haven't
heard come out in today's testimony. The gentleman that testified
before us came from the State of Florida. I have some experience
down there. I have lectured extensively before both private and law
enforcement groups. For example, the Florida Organized Crime In
stitute, I am somewhat familiar with that State's problems.
I have also lectured before the crime division for the State of
Ohio and law enforcement groups in New York, New Jersey, and
other States .
Passing a law is oftentimes a simple thing. It does take time to
do so; but getting the law is a first and necessary step. However,
even once you have a law , especially in a technical area such as
this one, the next question then is who is going to enforce that law .
I think it is fair to say that in about 80 or 85 percent of the
simple credit card fraud cases, local law enforcementcan easily do
the task if given adequate resources and training. However, you
still have to train individuals at the police agency level to handle
the more sophisticated crimes; especially when the computer is in
volved, or sophisticated EFTS networks.
Right now, to be candid, Mr. Chairman, there is little or no
training going on in this country, especially at the local and State
level for law enforcement in this area. We haven't set aside the
necessary resources; we have not set aside the money; we have not
given the subject enough planning. It is fair to say that — and I
think that Bernie would agree with me, since I am very familiar
with his office — that a lot of local prosecutors in America today
have the capability, I believe, to handle perhaps as many as 80 per
cent of the credit card fraud cases, but just don't have the re
sources; and they also don't have the trained manpower. Prosecu
tors cannot investigate; they are not trained to investigate. They
are trained to prosecute. They need in-house investigators. In -house
investigators cost money. Prosecutors don't have the money to hire
them and they don't have the money to train them.
So even if we pass laws at the State level and Federal level , we
are still going to have the problem of training. We are going to
have to train law enforcement.
The other thing I think we ought to address is the sentencing
aspect; that has come up. If you look at white collar crime cases,
whether they be credit card fraud cases, embezzlements, security
frauds, commodity frauds, computer frauds, et cetera - and when
 57

we talk about white collar crime cases, I think it is important to

point out we aretalking about more than $40 billion aa year in
losses to the private sector.
It is the taxpayer and the consumer that picks up the tab. It is
not corporate America, I can assure you of that. They pass that on
as an expense of doing business.
Having said that, for arguments sake let us say that H.R. 3570 or
perhaps H.R. 3181 , or even a similar bill is passed. Let us also
assume that we have trained law enforcement to investigate; we
have trained prosecutors to prosecute these cases. Now we go
before a judgeand we have a conviction. If you look at the data,it
will tell you that oftentimes judges will take the slap -on -the-wrist
attitude — in many white collar crime cases for example the bank
teller who takes his employer for a million dollars in a computer
caper, received only 33 years probation. Several executives who were
involved in a $ 150 million land fraud scheme, only received 6
month jail terms. I can go on with other examples.
The point that I am making is that even if you get H.R. 3570
passed I believe that we ought to have some kind of minimum
mandatory imprisonment provisions in it. Now we don't have any.
If you leave it up to the judges, they are going to be lenient with
white collar criminals. They have demonstrated this time and time
again .
The question, thus, is why prosecute and spend a lot of time and
resource if, in fact, judges are going to be lax?
I believe we should have someminimum mandatory imprison
ment sections in the bill, or any bill of that nature.
The other thing that I want to highlight and then I will take
some questions with Bernie, is that of private sector involvement.
There is oftentimes a tendency on the part of the private sector to
always run to Washington for the answers. We run to Washington
for the magic solution a
, nd the quick fix.
I believe that the private sector can play an important role in
the area of white collar crime. I have always been surprised to find
that many companies do not have a corporate security director;
multibillion dollar companies that do not have the in -house capa
bility to investigate and bring to the attention of prosecutors mas
sive ripoffs; either directed at them by outsiders or involving top
management, midmanagement, or others within the company.
So † think that the private sector can do a number ofimportant
things. First, as the gentleman before testified, it can retain pri
vate investigators, especially in-house investigators, to assist local,
State, and Federal law enforcement.
Second, the private sector can provide funds and its expertise for
sting operations in conjunction with local law enforcement.
Third, there are a number of security measures that the private
sector can implement to curtail some of the existing abuses.
Fourth, there are reward systems that can be employed for infor
mation leading to arrests, hotline systems, et cetera, to receive the
information .
There is much that we in the private sector can do but are not
doing today to assist in the prosecution of these crimes.
So I think the private sector must take on the initiative; it has to
exert leadership in this area. Though I do believe that legislation is
 58

necessary ; I don't think that the bill or any other bill is going to be
the overall answer. There is no quick fix in the area of white collar
crime, whether it be computer crime or what have you.
I think if we look for the quick fix, we are going to find ourselves
in serious difficulties in the coming years, especially as we increas
ingly become a cashless society.
However, in conclusion I would like to note that I believe H.R.
3570 is a necessary step; one that is in the right direction, Mr.
Chairman. I think the EFTS, if you will, directions that this bill
provides, fine; and the computer fraud provision, I think is also
fine.
Having said that, I would like to thank you, and I would be
happy to take any questions.
Mr. HUGHES. Thank you, Mr. Bequai.
[The statement of Mr. Bequai follows:]
STATEMENT OF AUGUST BEQUAI, ATTORNEY AT LAW
ABOUT THE SPEAKER

In his many roles as author, lecturer, instructor and attorney, August Bequai has
become recognized as one of America's formeost experts on law and computer secu
rity. The author of more than 50 articles on various aspects of law and technology,
Mr. Bequai has produced six books: Computer Crime, White Collar Crime: A Twenti
eth Century Crisis, Organized Crime:The Fifth Estate, The Cashless Society: EFTS
at the Crossroads, How to Prevent Computer Crime: A Guide for Managers, and
Making Washington Work for You .
Mr. Bequai has lectured before numerous mangement, security, banking, and
other professional groups, and has served as an adjunct professor at both the George
Washington University and American University.Presently in the private practice
of law in Washington , D.C., specializing in law and security, he is the former chair
man of the Federal Bar Association's Subcommittee on White Collar Crime, and
former vice -chairman of Washington, D.C.'s Bar Committee on Regulating Agencies;
he currently sits on the Advisory Board of the Journal of Media Law and Practice.
Mr. Bequai holds an L.L.M. in criminal law from the George Washington Universi
ty, a J.D. from American University, and an M.A. and B.A.from New York Univer
sity.
SUMMARY OF STATEMENT
The cashless society - also known as the Electronic Funds Transfer Systems
[ EFTS ] -poses a serious challenge to the legislative and judical branches of govern
ment, and to our society as a whole. Rudimentary EFTŠ have taken root in many
parts of the country; EFTS is no longer science fiction, it is a reality. These new
technologies, however, have sparked new forms of crime. They have increasingly
been employed in complex white collar crimes, most notably, computer frauds.
This statement outlines the serious existing and potential threat caused by the
computer criminal to the American public. It contends that of the two bills under
review before this House Subcommittee on Crime, H.R. 3570 is the more comprehen
sive and urgent. A brief look at related areas in which we should simultaneously
direct our efforts concludes the statement.
Mr. Chairman, in conformance with your request, I am pleased to testify before
this Subcommittee on H.R. 3181 and 3570. The proposed legislation could, I believe,
serve to address a serious and growing problem: crime by computer.
Increasingly, we are becoming a cashless society. Paper is giving way to electronic
blips. Rudimentary Electronic Funds Transfer Systems [EFTS ] have already become
part of our daily lives. Telephone bill paying systems, automated teller machines,
point-of-sale systems, automated clearing houses, and wire fund transfers are daily
occurrences. Without these, modern businesses would find it difficult to function .
The workhorse of the cashless society is the computer. The EFTS revolution was
made possible by the computer. It is the computer that records the billions of daily
financial transactions. It is also the computer that is the “ Achilles heel” of EFTŠ.
Presently, an army of more than one million men and women operate more than
25,000 computer sites in the United States. These sites serve to transfer over $400
 59

billion daily, and transmit critical data-in short, carry out the nation's financial
business. Manipulate their computers, and you wreak havoc on the economy.
The cashlesssociety is under constant attack . Computer -connected crimes are said
to account for over $ 100 million in annual losses. Some experts place the losses as
high as $1 billion. The theft of data, the diversion of valuable property, and an as
sortment of financial frauds, have become daily occurrences.
While frauds involving the counterfeiting of access devices continue to plague the
financial sector, frauds involving the manipulation of computers should be of para
mount concern . For example, 125 customers of New York City bank lost $ 30,000 in
an electronic cash machine caper; a consultant, however, ripped -off a California
bank for over $ 10 million in a computer fraud. The very survival of the cashless
society depends on the security of its computers.
The necessary technology and know -how to subvert computers is presently readily
available. The home computer revolution has now made it possible for even a 15
year -old to penetrate a company's computers. The equipment needed to wiretap
EFTS networks can presently be purchased for less than $1,000 from a local Radio
Shack store.
Credit card fraud is a serious problem, and accounts for more than $ 100 million in
annual losses. Professional criminals have entered this market. The real concern,
however, is that these same criminals may increasingly turn their attention to the
computers that make the cashless society a reality.
Computer-connected crimes are more difficult to investigate and prosecute than
are credit card frauds; and the likelihood of going to prison is less. Thus, the ration
ale would be, why steal a cash register if one can steal the entire vault - and do so
with less risk. We would ill-serve the public if we failed to see that the real threat
to EFTS lies with its computers.
Legislation in the area of EFTS crime should, by necessity, address two issues:
counterfeit access devices; and threats to the computers that run the system . H.R.
3570 addresses both. I also concur with the bill's provision that authorizes the U.S.
Secret Service to investigate EFTS -connected crimes. The Service has, in the last
several years, developed a cadre of trained agents in this area. No one agency
should hold a monopoly in this area; there is ample work for all.
These legislative efforts, however, must be viewed as only a beginning. There is
still a need to train our law enforcement personnel in the area of computer crime;
especially our local police and prosecutorial forces, which are called upon daily to
investigate and prosecute these crimes. Unlike street crimes, computer frauds are
costly to investigate and prosecute; they could easily bankrupt the meager resources
of small local law enforcement agencies.
I should also point out that efforts must also be made to sensitize the judiciary to
the need to adequately address computer-connected crimes. It makes little sense to
enact even the best laws if computer criminals continue to receive a " slap on the
wrist .” A computer criminal, for example, took his employer for over $ 1 million, and
received only a suspended sentence.
There is also a need to change the public's perception of computer crime. The
computer criminal is no “ Robin Hood .” In the final analysis, it is the public that
picks up the tab for his crimes. Presently, white collar crime costs the American
public more than $40 billion annually. Massive computer crimes will only increase
the losses.
We live in the dawn of the cashless society. Paper currency is giving way to elec
tronic blips. The traditional credit card is giving way to elaborate EFTS access de
vices . The legislation before this Subcommittee constitutes a step in the right direc
tion.
In closing, Mr. Chairman , I would like to thank you and the Subcommittee for
offering mean opportunity to testify on this important area. Thank you.
 60

JOURNAL OF

Media Law
and
Practice
VOLUME 1 SEPTEMBER 1980 NUMBER 2

Symposium on the Report of the Williams Committee

on Obscenity and Film Censorship
( 1 ) Frightening the Horses Geoffrey Robertson
(2) The Film Censorship Proposals Reviewed Enid Wistrich
(3 ) A Committee Member Replies A. W. B. Simpson

The State as a Subject of Copyright in Soviet Law Serge L. Levitsky

America's Cashless Society: The Problem of
Crime in the Electronic Society August Bequai
The COMSAT Pay - TV Proposal: American Regulatory
Process vs. Telecommunications Technology Don R. LeDuc
Threats to the Life of the President : An Analysis
of Linguistic Issues Brenda Danet,
Kenneth B. Hoffman and Nicole C. Kermish
Notes :
New Thrust of Standard Terminology in
Telecommunication Gerd D. Wallenstein
Musical Mischief from the Duchy M. William Krasilovsky
Book Reviews

Notes on Contributors
ISSN 0144-0373

FRANK CASS . LONDON

 61

America's Cashless Society:

The Problem of Crime in the Electronic Society

August Bequai

The cashless society - also known as the Electronic Funds Transfer

Systems ( EFTS) – raises serious political, economic, and social
questions that every industrialized society must resolve. In America,
the cashless society is a reality ; rudimentary EFTS have already made
their appearance. International EFTS are already in their infancy.
The article explores the benefits and challenges that EFTS have
brought and will, increasingly, bring to American society. It explores
the problem of crime in the electronic society; categories of new
crimes are discussed, and also a portrait ofthe EFTSfelon is offered.
The author proceeds to discuss the drawbacks of America's criminal
justice system ; the difficulties that American prosecutors,
investigators, and judges face in this cashless environment.
Evidentiary and procedural problems are also discussed. New
American legislation, both pending and enacted, designed to address
EFTS crimes is also reviewed . Readers are warned to learn from
America's experiment; the cashless society is upon us, and we should
take note. Other countries are asked to study the American
experiment and draw their own lessons from it.

Introduction

The year: 1990. The place : New York City , U.S.A. Mr. Smith has gone
shopping for the coming Christmas holidays. He stops at a local jewelry
store and purchases a bracelet for his wife . 'Will it be cashless, ' inquires the
store clerk . ' Yes , ' replies Mr. Smith and with this he hands the clerk a small
plastic card . The clerk inserts the card in a terminal located behind his
counter. In a matter of seconds , the terminal transmits coded information to
a bank's computer several miles away. The computer scans its memory
banks, and computes Mr. Smith's credit rating. By means of a signal device
located behind the counter, the computer instructs the clerk to complete the
transaction . The clerk activates a second device ; electronically , funds are
transferred by the computer from Mr. Smith's account to that of the store .
No funds exchange hands ; the entire transaction was completed in a matter
of minutes. The exchange was cashless.

38-178 0 - 85 - 5 -
 62

AMERICA'S CASHLESS SOCIETY 155

Mr. Smith lives in America's cashless society ; a world where paper money
and checks have given way to electronic funds transfers. The computer,
however, not only pays Mr. Smith's bills, but it also assists him in
maintaining his monthly expenses at a specified rate. The cashless society -
also known as the Electronic Funds Transfer Systems (EFTS ) - has already
taken root in America. Rudimentary EFTS are found in dozens of American
cities. EFTS, however, bring with them both blessings and challenges.
Other countries would do well to study the American experience.

Defining the Cashless Society

EFTS - as the cashless society is most commonly referred to in America -
can best be described as an array of financial services, which employ
electronic impulses generated and interpreted by computers to debit and
credit financial accounts . ' Each such debit or credit transaction is termed an
electronic funds transfer. Electronic impulses have replaced paper as a
medium for effecting economic transactions. Rudimentary EFTS have
already taken shape ; among the more common of these systems are the
following:
- Automated Clearing Houses (ACHs): these are computerized , inter
bank transfer systems ; through these an originating bank transmits
payment orders electronically or on computer tapes . These payments
are routed by the ACH to designated receiving banks. A typical ACH
process commences with a computerized list of payment orders from
one or more payers. On the list are recorded the names and account
numbers of the payees ; those of their banks, and also the amount to be
paid each . The payer's bank computer transmits the list , through
electronic means, to the ACH's computer. The latter then directs
payment to the appropriate receiving bank .
- Point-of-Sale Systems ( POSs): these systems have been described as
the most pure of all present EFTS in America . In a POS system , a
terminal is installed at a store or other location where a sale will be
transacted ; the terminal, in turn, is connected to the computer of a
bank many miles away. POS terminals can be used to conduct an array
of financial transactions: purchases, deposits, withdrawals, and also
account verifications. One of the first POS systems to be installed in
America involved the First Federal Savings and Loan of Lincoln ,
Nebraska . Bank customers were issued POS cards which enabled them
to conduct electronic banking transactions from the convenience of
local stores.
Automated Teller Machines (ATMs): there are presently more than
10,000 ATMs in America. They have also made their way into Europe
(more than 4,000 ) and Japan (more than 5,000 ). ATMs can perform a
 63

156 MEDIA LAW AND PRACTICE

variety of banking functions: they can accept deposits, provide

withdrawals, and transfer funds between accounts . In addition , ATM
services are also convenient . They are available 24 hours a day ; seven
days a week. The Cash Dispensing Machines (CDMs) , commonly
found in Europe and Japan represents a more primitive form of ATM .
– Telephone Bill Paying (TBP ): these rudimentary EFTS are
increasingly gaining customer acceptance in America. TBP systems
are found in a number of American cities. Bank customers can pay
their bills by simply dialing their telephone ; giving their secret code to
the teller at the bank , and informing the teller how much to pay and to
whom . A bank customer with a touch-tone phone simply punches a
secret seven digit number ; this gains him entry to the bank's computer.
He then gives the computer his account number and secret payment
code , and instructs it whom to pay and the sum to be paid .
Rudimentary international EFTS have also commenced to take shape.
The Society for Worldwide Interbank Financial Telecommunications
( SWIFT ) was established several years ago by a group of international
financial institutions ; created under Belgian law, it links more than 500
international financial institutions and handles more than 100,000
transactions daily. SWIFT has replaced the mails, telex, and the cables as a
medium for communicating international payments between member
institutions. Several other international rudimentary EFTS have made their
appearance ; many of these , however, continue to be experimental.
EFTS represent a potential $ 100 billion annual market for computer
hardware and software manufacturers; for banks and retailers, they
represent potential new services. In America , at least, there is growing
pressure by these groups for the establishment ofaa cashless society.

Rise of EFTS

The oldest form of financial exchange is said to be the barter system; it

continues to survive in many underdeveloped nations. Primitive barter
systems gave way , with the rise of Ancient Empires, to the metal coinage
system . The latter reached its zenith under the Roman Empire. It too, gave
way to a system of written receipts; the rise of the nation - state brought with
it a system of paper currency. The nineteenth century witnessed the rise of
our modern checking system. Long considered the most sophisticated and
successful payment system, it came under increasing attack in the late 1960s.
In 1970, a study by the Arthur D. Little Company concluded that the check
collection system would continue to function effectively only until the early
1980s.? One year later, the American Bankers' Association called for the
establishment of Automated Clearing Houses to deal with the increasing
 64

AMERICA'S CASHLESS SOCIETY 157

volume of paperwork created by the checking system . The powerful

Federal Reserve joined the call for an automated payment mechanism to
replace the checking system .
Much of the momentum for the cashless society has come from America's
banking community. Powerful members of the banking community are
seriously concerned whether banks can handle, effectively, the increasing
volume of checks. In 1945, the volume of checks was placed at 5.3 million .
By 1970, it had grown to more than 20 billion, and by 1980 to 45 billion . The
cost of operating this costly paper system also continues to grow . It presently
costs banks more than 20 cents to process each check ; the total cost of
processing all the checks in America exceeds 11 billion dollars annually.
Proponents of the cashless society argue that EFTS would cut many of these
costs. In addition, they note that they would also help reduce the present
paper glut in America's banking system .
Proponents of EFTS also point to other benefits which EFTS hold in store
for society. They note that the aged and infirm can bank from the
convenience of their homes; professionals can bank and conduct their
financial transactions without ever leaving the office. Financial transactions
that took hours to conduct, will now take minutes. Furthermore, postage
costs will be cut and payments will be completed within a matter of minutes.
The threat of lost mail , or of a postal strike will be eradicated . Telephone
lines will replace the postal system as the medium for transacting financial
payments. Traditional crime will also wither under EFTS; in a cashless
society, it will make little sense for criminals to rob citizens, stores, or banks.
Political corruption may also become a thing of the past ; since all financial
transactions will be computerized, the corrupt will fear detection.
EFTS, however, also have many critics in America. Since the requisite
EFTS technology is expensive, critics charge that EFTS will squeeze out the
small banks and give the giant financial institutions even greater control over
the economy. There is also justifiable concern that the cost for EFTS will be
borne by the consumer, rather than the banking industry. Consumer
advocates also fear that once EFTS are established , the banking interests
will raise , rather than lower, their service charges.
Critics also charge that the consuming public, itself, is not receptive to
EFTS. Several studies have pointed out that the majority of the public is
content with its present exchange system 6. More than 40 per cent of all
Americans rely expressly on paper money for their everyday financial
transactions. Forcing them to switch to EFTS raises serious Constitutional
questions. Critics also point out that privacy will become an endangered
specie in the cashless society ; a computerized system that records an
individual's everyday confidential financial transactions lends itself to
political and economic abuse . EFTS have taken root in America, but the
debate surrounding them continues.
 65

158 MEDIA LAW AND PRACTICE

Problem of Electronic Crime

At the heart of the cashless society lies the computer. This technological
marvel of the twentieth century has made EFTS a reality. The cashless
society will employ hundreds of thousands of computers ; these, in turn will
be manned by an army of several million men and women . Satellite
communication networks will also enable EFTS computers to communicate
with their counterparts in Europe. However, such a complex system ,
composed of thousands of computers, millions of terminals, and billions of
feet of wire is, by its very nature , vulnerable to criminal attack .
Computers have increasingly , in the last dozen years, come under
criminal attack . The Chamber of Commerce of the United States has stated
that computer related crimes in America cost government and business in
excess of $ 100 million annually . Recently , an employee for a government
agency was charged with programming her employer's computer to issue
more than $ 500,000 in checks to her friends. Crime by computer is a serious
and growing problem in America; one that will pose serious challenges for a
pure cashless society .
It may well be that traditional crime , as we know it in America , may soon
become a thing of the past in pure EFTS . Armed robbery and bank
robberies may become obsolete . New trends in crime will take place . Crime
will center around the computer system . Various types of present computer
related crimes will probably attain even more complex and sophisticated
levels of operation under complex EFTS. Crime itself may also become
more organized , and desciplined ; computer attacks will involve well
thought-out and financed plans. '
'Financial crime' in the cashless society, through the use of computers,
will certainly be on the rise. These crimes are best performed in a system
where the computer is used for financial processing; including payrolls,
accounts payable and receivable , and storage and maintenance of files and
financial data . We have many present-day examples of this ; one of the
biggest computer related frauds involved the Equity Funding Company, a
large American insurance company . In this fraud, top management played a
key role . In late 1969 , management began to falsify thousands of life
insurance policies. Out of 97,000 policies, 63,000 were created and
recorded in the computer' files. The 'phony policies' were assigned a secret
code : ' Department 99 '. The '99 ' designation enabled the computer billing
programs to skip the bogus policies when bills were sent to policy holders.
At audit time - when documentation on policies was requested to support
a random selection of the policies in the computer file – the company
executives stalled for time by saying the files were not immediately
available. They then used the gained time to forge the hard -copy files, which
contained such things as contracts, health reports, confirmations, etc. By the
next day , they would have manufactured the evidence that the auditors
 66
AMERICA'S CASHLESS SOCIETY 159

wanted. The whole matter came to the surface when a discharged employee
'blew the whistle ' . Neither the local nor Federal American authorities
suspected that a massive fraud was being perpetrated right under their
noses. The fraud cost the investing public more than one billion dollars. 10
“ Property crime ' will also take on a new dimension in an EFTS society.
This will involve the theft of merchandise or other property through the use
of EFTS computers. Through access to a company's computer, a firm's
employees or subdivisions can be instructed to deliver material to different
locations and individuals .
'Information crime' will also be on the rise . “Time-sharing' situations will
increasingly come under attack . Valuable computer programs will be taken
or copied and sold to competitors or even to credit companies . At present,
such information crimes can be performed by gaining unauthorized access to
a computer system . This can be done either by entering the system from the
outside , or from within with the assistance of an employee who has access to
the computer.
‘ Theft of services' will take on new forms. A company's computer could
easily be used for personal benefit by dishonest employees . At present,
university computers have come under attack . There have been instances
where politicians have also used a municipality's computer for direct
mailing purposes in order to advance their own political campaign. In an
EFTS environment, criminal elements could easily manipulate and use a
computer for their own business ends without the victim ever being aware .
'Vandalism' will take various forms in EFTS. It may involve damage to a
computer system so as to make that system inoperable , and result in large
expenses and long delays. Vandalism may be an outgrowth of company
labor disputes. Workers on strike may attack the system . A competitor may
also sabotage a firm's computer system with the objective of undermining
that competitor. In one recent case, an irate employee removed all the labels
from 1,500 reels of tape and cost the firm thousands of dollars to reidentify
the data .
The profile of the criminal will also undergo a transformation in an EFTS
society. The poor and ill -educated criminal will give way to the criminal of
the computer facility. Studies of present-day computer felons show that they
are intelligent and young — between 18 and 30 years of age. " They are also
well educated, and have some type of technical training. This new breed of
criminals will also be better organized, funded, and have , in some cases, the
assistance of international criminal organizations . The era of the techno
felon is upon us.

Investigating Electronic Crime

Prosecutors in America, as in other countries, rely on investigatory bodies to
go forth and uncover violations of the law. The investigator must develop
 67

160 MEDIA LAW AND PRACTICE

bits of evidence into a credible case for use by prosecution. In America, the
investigatory apparatus is divided into two camps: Federal and local.
The Federal apparatus consists of various regulatory agencies and various
divisions within the United States Department of Justice . Within the latter is
found the Federal Bureau of Investigation (FBI) . The regulatory agencies –
( for example , the U.S. Securities and Exchange Commission) – suffer from
serious jurisdictional drawbacks : they can only bring civil actions. They
must, by law, refer all criminal cases to the Justice Department for
prosecution. " 2 A regulatory agency , after completing its investigation , will
draft a 'criminal reference memo' which , in turn , it forwards to the Justice
Department. The decision to prosecute rests with the latter. If the
Department declines to prosecute, the regulatory agency, then, goes to
court to obtain an injunction . This civil remedy is hardly adequate to deter
criminals from attacking the EFTS society . "
Crimes involving banks and similar institutions are often investigated by
the FBI . However, the FBI has been , traditionally , slow to move into the
field of white collar crime . Whether the FBI can, with its limited resources
and manpower, police the EFTS society, remains doubtful. Conceivably, an
entire revamping of America's Federal investigatory apparatus may be
needed to deal with the array of technical crimes that the EFTS society will
give rise to. New and costly training programs will be needed to revamp the
prosecutorial apparatus to meet these new threats. For without an adequate
investigatory apparatus, even the best of laws and prosecutors fall short of
their objectives.
Locally, the dilemma is even more serious. At present, there are more
than 40,000 local police departments in America. About 50 per cent of these
employ fewer than five full-time employees, and 60 per cent employ fewer
than 10 full -time employees. The local trend in America is not towards
merger and centralization of resources, but rather towards a proliferation of
' smallness ' . The President's Commission on Law Enforcement and the
Administration of Justice has described America's local law enforcement as
made up of small police forces, each acting independently within the limits
of its jurisdiction .
A study by the National Association of Counties Research Foundation
(NACRF) found that more than 50 per cent of the urban centers in
America's large counties had police forces numbering fewer than 10 full
time employees ; while only 6 per cent of those urban centers had forces
larger than 100 employees. Only 61 per cent of the counties in the NACRF
study provided even the minimum police services; while 39 per cent fell short
of this. The NACRF study concludes that :

With the function of police becoming more technical and with the high
mobility of the modern criminal , these small departments find it
increasingly difficult to meet generally accepted police standards. "
 68

AMERICA'S CASHLESS SOCIETY 161

Both Federal and local prosecutors rely largely on their respective police
forces to develop and bring criminal cases to their attention . Whether
America's investigative apparatus - both Federal and local - can perform
this task in a complex EFTS environment, remains to be seen.

Prosecuting Cashless Crimes

Once crime is brought to the attention of a prosecutor, he must then decide
what course to pursue. In an EFTS society, however, financial transactions
will be largely electronic. No paper money will exchange hands. There will
be no witnesses to the ‘robbery '. The government's case will often have to
rely on the adequacy of the computer-generated evidence.
There is, however, a difference of opinion among American lawyers on
whether the present evidentiary rules suffice in the prosecution of computer
related frauds. Some legal experts are skeptical about the admissibility of
computer- generated evidence. They take the position that new legislation
will be needed to relax the present evidentiary procedures. Other legal
experts argue that the present evidentiary rules suffice. It would appear,
however, that the former group stands on more solid ground.
Under the common law, regular business entries were introduced into
court under the shop -book rule. The majority of American States have
adopted the Uniform Business Records as Evidence Act, which places
substantially the same requirements as the old common law shop-book rule .
Both rules have one basic commonality: they will allow a business record to
be introduced into evidence if it proves itself reliable . At the Federal level,
the New Federal Rules of Evidence were enacted in 1975. The New Federal
Rules, however, do not represent — as some of their proponents have held
- a radical break with the past ; however, the Federal Rules do allow for the
introduction of computer printouts into evidence under limited
circumstances. 16 However, even the Federal Rules are not sufficiently
flexible , it is feared, to accommodate complex EFTS litigation.
To prove itself reliable, a business record must possess the following
attributes: (1 ) it was made routinely during the course of business; ( 2 ) it
must be entered contemporaneously or within a reasonable time of the
transaction recorded; (3) by a person´unavailable as a witness; (4 ) who
had personal knowledge of the event; and (5) had no motive to misstate it.
The problem with computer-generated evidence is threefold : first, it may
not have been routinely made ; secondly it may not have been entered
contemporaneously; and thirdly, it may have been made by a number of
people who probably had no personal knowledge of the event."
It should also be noted , that computer- generated evidence suffers from
flaws unique to the technology itself: (1) it lends itself to fabrication ;
(2) computerized data may be added or deleted; and (3) the original source
documents , once computerized, are often destroyed, making it difficult
 69

162 MEDIA LAW AND PRACTICE

confirm the accuracy of the computerized data . The danger, however, in

relaxing the evidentiary requirements lies in the possibility that 'doctored
data ’ may make its way into court.
Several American courts have already, on their own initiative , relaxed the
evidentiary rules as regards computer-generated evidence ; specifically,
computer printouts. The leading American case in this area is that of
Transport Indemnity Co. v. Seib. 18 In the Seib case , the plaintiff attempted
to introduce into evidence a computer printout prepared by the director of
accounting for the company. The director testified as to the accuracy of the
printout. The court was satisfied its three crucial requirements had been
met : ( 1 ) the custodian had testified as to the mode of preparation and
identity of the printouts ; (2) they had been made in the regular course of
business ; and (3) the record-keeping involved had been an indispensable
part of that business. The court allowed its admissibility into evidence.
In a criminal prosecution in Arizona , State v. Veres," the government
prosecutors had sought to introduce a computerized statement of a bank
account into evidence against a defendant charged with passing forged
checks. The court held the evidence was admissible under that State's
Uniform Business Records as Evidence Act .
In the Federal system , the Fifth Circuit , in the case of Olympia Insurance
Co. v. Harrison , Inc., found no merit in the defendant's contention that
computer printouts made in the regular course of business were unreliable.20
The Ninth Circuit, in the case of United States v. De Georgia , concluded that
a computer printout was admissible into court as evidence under the Federal
rules.2' Computer printouts have also been admitted into evidence in several
other recent cases. However, in the case of Arnold D. Kamen & Company v.
Young, a Texas court held that a printout would be inadmissible where there
was no proof that the person who prepared it had personal knowledge of the
data . 22
The above American cases, however, constitute a minority position . Even
in these cases, the courts have not been clear as to what type of testimony is
necessary to provide an adequate foundation for the admission of computer
generated evidence . It should also be noted that these cases have only dealt
with computer printouts; they have not addressed the question of magnetic
tapes or discs. None of the cases has dealt with the difficulty in laying a
proper foundation to demonstrate the reliability of a computer that arrives
at a complex, independently contrived conclusion not verifiable by an
examination of the input stage ; nor has any case eliminated the personal
knowledge requirement in a completely automated system. Further, no
American case has dealt with the question of whether the admission of
computer-generated evidence would violate the confrontation or due
process clauses of the Constitution.
It would appear that even if the investigatory arm served the prosecutor
well , the latter would still face serious difficulties with the evidentiary rules.
 70

AMERICA'S CASHLESS SOCIETY 163

In a complex EFTS society , where thousands of computers are integrated

into a large network through millions of terminals; with millions of men and
women operating this maze, the prosecutor will face serious challenges.

Criminal Laws and Penal Sanctions

Even the best investigative and prosecutorial tools are nullified if a criminal
system lacks adequate laws with which to charge a defendant. An adequate
legal arsenal is gauged by the ability of prosecutorial bodies to bring a
suspect before the courts of our legal system. To ward off criminal attacks
against EFTS there must, by necessity, be a deterrence.
To deter criminals from attacking EFTS , the prosecutor must have an
adequate legal arsenal. Presently, the prosecutor's arsenal is somewhat
deficient. For example , the American Federal 'mail fraud statutes' pose as
formidable weapons for the prosecutor ;23 however, these statutes deal with
crimes involving the Postal Service of the United States. Therefore, they will
be of limited value in prosecuting EFTS crimes. Additionally, while the
Federal 'wire fraud statute' may play some role in EFTS criminal
prosecutions, that statute relates only to transmittals by means of wire,
radio , or television communications in interstate commerce.24 It is doubtful
that sophisticated criminals attacking EFTS would make use of these
vehicles .
As another example , the Federal banking statutes' provide for up to five
years' imprisonment and up to $ 5,000 in fines for anyone involved in the
embezzlement or theft of funds from federally insured banks.25 The
offender, however, must be an employee , officer or agent of such an
institution . Thus, only bank insiders are covered. In addition , the statutes
provide for the unlawful taking or concealing of funds’ , 'money' , 'bonds’ , or
'security’ . 'Funds’ in EFTS will take the form of electronic blips' . Banking
statutes will have to be redefined to take these physical changes into
consideration . At present, they would prove of limited value in dealing with
complex EFTS crimes.
Title III of the Omnibus Crime Control and Safe Streets Act makes it a
Federal offense to willfully intercept any wire or oral communications. ?
However, the objective of the act is to protect the privacy of oral
communications rather than financial transmissions. Transmittal of financial
data over EFTS communication lines will not be oral ; nor will it be
intelligible , since secret codes will be used. It is doubtful if the act can be of
much value in prosecuting EFTS criminals.
The Federal 'counterfeiting and forgery statutes' will also prove of limited
value in combating EFTS criminals.27 The cashless society will have no
paper funds to 'falsely make , forge or counterfeit '. The 'extortion and threat
statutes ' will perhaps deter those who seek to physically attack EFTS
with the objective of destroying them . 28 However, a criminal must
 71 1

164 MEDIA LAW AND PRACTICE

make use of the postal system in mailing his threats for these statutes to come
into play .
Present criminal laws will not suffice to deal with complex and
sophisticated EFTS . New legislation will be necessary to deal with potential
crimes in the EFTS arena. Some legislation has already been introduced.

Legislative Efforts
Eleven American states have already enacted criminal legislation to address
the problem of computer related crime.29 Other states may follow suit . In
January 1979, United States Senator Abraham Ribicoff introduced Federal
legislation specifically designed to combat crime by computer: the Federal
Computer Systems Protection Act (S.240 ). In early November 1979, the
Senate's Subcommittee on Criminal Laws and Procedures recommended
passage of the bill . A sister bill (HR.6192) has been introduced in the House
of Representatives by Congressman Bill Nelson from Florida .
Much of the problem confronting many present criminal statutes revolves
around the definition of property'. In an EFT system , property will take the
form of electronic blips' . S.240 addresses this problem by defining property
as being :
anything of value , and includes tangible and intangible personal
property, information in the form of electronically processed,
produced, or stored data , or any electronic data processing
representation thereof, and services.
S.240 specifically addresses crimes by computer by making it a felony -
punishable by imprisonment of up to five years and up to $ 50,000 in fines - if
convicted of using a computer for purposes of:

-defrauding another ;
-obtaining property under false pretenses , representations , or
promises from another;
embezzling the funds of an employer ; or
-stealing or converting to one's use the property of another.
Further, S.240 would come into play any time an illegal act is directed on any
computer:
-owned or operated by a federal agency ;
-owned or operated by a federally insured financial institution ; or
-owned or operated by any private business which operates or uses
the facilities of interstate commerce .
The bill defines a computer as being any device that :
perform (s) logical, arithmetic, and storage functions by electronic
 72

AMERICA'S CASHLESS SOCIETY 165

manipulation, and includes any property and communications facility

directly related to or operating in conjunction with such a device .
In 1978 , the United States Congress enacted the Electronic Funds
Transfer Act (EFTA );"º the Act, among other things, defis the rights and
responsibilities of participants in an EFT system . The Act's jurisdiction is
broad : it covers national banks, Federally insured banks, Federal credit
unions , and other financial sectors of the economy. The Act also provides
for limited criminal sanctions in cases where a felon gives false or inaccurate
information ; alters, steals, or fraudulently obtains a 'debit instrument' so as
to obtain anything of value which exceeds $ 1,000 in value. If convicted, the
felon could be imprisoned for up to 10 years and fined up to $ 10,000. The
Act , however , addresses only those EFTS crimes where a debit card is
employed. It may prove ill equipped to address other EFTS related crimes .
Further, the Act has yet to be tested in a court of law. Several states are also
considering passing similar EFTS legislation .

Conclusion

The debate over EFTS in America continues . Proponents see them as a

blessing; while opponents view them as already bankrupt, and as a
dangerous technology. EFTS , it must be said , provide governments with the
potential tools for an Orwellian dictatorship. However, an EFT system also
carries with it an array of benefits. The two must be weighed and balanced. It
challenges America's political, social, and economic fiber to meet the test . It
poses serious problems for America's criminal justice apparatus ; some with
no simple solutions. Other nations would do well to study and learn from
America's experience.

NOTES
1. Maria M. Johnson , 'An Update on EFTS”, Journal of Computer Law, 6 ( 1978) , 227 .
2. August Bequai, 'A Survey of Fraud and Privacy Obstacles to the Development of an
EFTS ', Catholic University Law Review , 25 ( 1976 ), 766.
3. Harold E. Mortimer, Current Legal ProblemsFacing CommercialBanksParticipating in
Electronic Funds Transfer Systems', Banking Law Journal, 2 ( 1978), 116.
4. Mark G. Bender. Electronic Funds Transfer Systems, (Port Washington, N.Y .: Kennikat
Press, 1975 ) , 9–11.
5. Peter H. Schuck , 'Electronic Funds Transfer: A Technology in Search of a Market' ,
Maryland Law Review , 35 ( 1975), 77–78.
6. Ibid . , 81–84 .
7. Chamber of Commerce of the United States, White Collar Crime (Washington, D.C.:
Chamber of Commerce of the United States, 1974), 6; see also August Bequai, Computer
Crime (Lexington , Mass.: D. C. Heath & Co., 1978 ), 12–15.
 73

166 MEDIA LAW AND PRACTICE

8. Chris Schouble, 'U.S. Aide Held in $ 500,000 Theft by Computer' , Washington Post,
February 20 , 1980, C - 3.
9. August Bequai, Organized Crime: the Fifth Estate ( Lexington , Mass.:D.C. Heath & Co.,
1979 ), 195–199.
Gleeson I. Payne, 'Equity Funding Life Insurance Company', The Forum , 10 ( 1975 ),
1120–29.
11. August Bequai, Computer Crime, 3-5.
12. American Federal regulatory agencies like the Federal Deposit Insurance Corporation,
Securities and Exchange Commission, Federal Trade Commission, and others, must refer
all their criminal cases to the U.S. Department of Justice for criminal action. These
agencies can only initiate administrative or civil action on their own ; they have no criminal
jurisdiction.
13. An injunction is an order which directs a defendant to cease certain specified activity; if he
fails to do so, he can then be held in civil contempt. This latter measure is a drastic one,
and rarely utilized in the United States.
14. National Association of Counties Research Foundation , County -Wide Law Enforcement:
A Report on a Survey of Central Cities in 97 Counties (Washington, D.C.: National
Association of Counties, 1975), 5.
15. August Bequai, Organized Crime, 209–13.
16. See the New Federal Rules of Evidence : 802 , 803, 1001-4 .
17. August Bequai, Computer Crime, 98–101.
18. 132 N.W. 2d 871 ( 1965 ).
19. 446 P. 2d 629 ( 1968).
20. 418 F. 2d 669 (5th Cir. 1969).
21. 420 F. 2d 889 (9th Cir. 1969).
22. D & H Auto Parts v. Ford Marketing Corp., 57 F.R.D. 548 (E.D.N.Y. 1973 ).
23. 18 U.S.C. 1341–42 .
24. 18 U.S.C. 1343.
25. 18 U.S.C. 656-57.
26. 18 U.S.C. 2510–20 .
27. 18 U.S.C. 471-509 .
28. 18 U.S.C. 876–77.
29. The states are as follows:Arizona, California, Colorado, Florida, Illinois, Michigan, New
Mexico, North Carolina, Rhode Island, and Utah .
30. See P.L. 95-630 .

1
!
 74

Mr. HUGHES. Let me ask you first, do you think that we can be
talking in terms of credit card fraud, counterfeiting of access de
vices, and so forth, without talking about the diversion of informa
tion or electronic transfer transactions in a world where the tech
nology is changing so radically and rapidly ?
Mr. BEQUAI.We are becoming increasingly an informational soci
ety. And information is power; information is money; in the coming
years it is information that will increasingly be the target, if you
will, of theft.
I don't think we can talk about credit cards without talking
about electronic funds transfer systems. One of the gentleman that
testified before Bernie and myself indicated that in the seventies
we did, if you will, get credit card fraud legislation on the books.
The problem is we didn't look at the eighties.
I think we are going to be in serious difficulties if we don't look
at the nineties. And the nineties are going to be the age, if you
will, of the electronic funds transfer systems. They are here; we
have ATM's, POS's, ACH's telephone bill paying systems and other
EFT systems. There are provisions in this bill which I have serious
reservations would in fact apply to the wiretapping of EFTS net
works.
If I were a defense attorney, I think I would have an easy time
with sections of some of the bills that I have seen .
The point I am making is that we must look at EFTS. It is here,
and it is a fact of life .
I had occasion several months ago to speak in England before the
Internal Auditors of the United Kingdom and they were talking
about an EFTS society in England by the year 1986 ; where the ma
jority of the financial transactions, would be in fact in EFTS. Right
now, some $400 billion in transactions are daily carried out by com
puters and EFTS networks.
So, yes, I think, Mr. Chairman, that you are right on target
when you talk about information and when you talk about EFTS;
yes, sir .
Mr. HUGHES. Mr. Siegel, in your prepared text you allude to
some of the problems that exist when the Federal Government
picks up an investigation involving credit card fraud or some relat
ed series of transactions and then ends up declining jurisdiction,
particularly if that agency is the FBI.
Can you just elaborate a little on what problems are created for
local prosecutors under that scenario?
Mr. SIEGEL. Under that scenario, Mr. Chairman, what will
happen is that the investigation will simply be referred to the local
prosecutor. Normally, if it is referred, a letter is sent to the local
prosecutor saying, this has been investigated by the U.S. Attorney's
office or by the Federal Bureau of Investigation, and we have de
termined that for whatever reasons, we choose not to prosecute and
here it is.
More often than not, the local prosecutors had no input in the
investigation. Although sometimes there occurs a scenario where
there has been a joint investigation, more often than not, that is
the way it comes to the office. We have to make a judgment— “ we ”,
being collectively, the prosecutors to whom this happens.
 75

The one thing that will happen when it is the FBI that is in
volved, is that we will know when we make our decision as to
whether we will pick the case up ; and whether we can fit it in a
State statute, that we obviously will get no Federal help. The Fed
eral Bureau of Investigation will give us no assistance. As a matter
of departmental policy, they will not become involved in local in
vestigations unless there is Federal jurisdiction. They made that
abundantly clear to every local prosecutor who has requested some
followup on investigations they have commenced.
So we are stuck with what could be the middle of an investiga
tion , trying to fit it within a State framework where it may notbe
easily filled, and trying to do it with resources that we may not
have. This is an ongoing problem ; it is nothing that can be easily
solved-it is something that has to be worked out, I guess in each
local office.
But it is a problem , and it is a problem that I bring to your at
tention because it is going to exist every time there Federal, white
collar crime legislation is passed. That is particularly prevalent in
that area .
Mr. HUGHES. The gentleman from Michigan.
Mr. SAWYER. I don't know that I have any specific questions. Do
either of you have any view as to whether we have to get into
detail in defining what a computer is, or merely allude to the use
of a device?
Mr. BEQUAI. I take the view that you need a broad definition or
approach to the computer - I think that if you were to take a look
at other legislation that we have had in this country, for example
the 1933-34 securities acts, you will find that the adopted broad
definition .
I think you are going to find judges as time goes by, that are suf
ficiently educated and sophisticated, and that will pretty much
adopt the legislation to the changing technological environment.
I think there is a danger in having a narrow definition . I think
some smart lawyer, as Bernie can tell you, will raise his hand and
say, uh -huh, there are grounds for appeal.
The other thing that I want to add, is what Bernie pointed out. I
think it is important to note out that Federalprosecutors, U.S. at
torneys, exert a lot of leeway in deciding whether to handle a case
or not. Oftentimes you are going to find that in large metropolitan
areas, U.S. attorneys look, if you will, for the more interesting
cases, for example cases in the large dollar figures - half a million
dollars, or more, tend to be the informal rule in the southern dis
trict of New York . Unless the case is at least a half - a -million dollar
fraud, they are usually not interested in it.
San Franciso, for example, used to be $20,000 and up-and de
fense attorneys know that; they are not fools. They weren't born
yesterday.
Having said that, oftentimes even if you do get the best of legis
lation on the books it may not help I say this because corporate
management many times is not aware of this problem. We have
MBA's from Harvard and Yale, who know little if anything about
white collar crime. They often know less about it than a 13-year
old.
1

76

Having said that, if, in fact, the U.S. attorney declines to pros
ecute a case, as Bernie indicated, and I know the U.S. attorney in
Philadelphia has on many occasions declined to prosecute white
collar crime cases, then it goes to Bernie's shop. That is why I be
lieve we need more resources for local law enforcement.
I believe we would be very derelict, we neglected local law en
forcement. I think the gentleman that testified before this subcom
mittee simply illustrated that local law enforcement has an impor
tant role to play; and can play it with the correct training.
So I think if we are going to attack the problem , we should real
ize the limitations at the Federal level in terms of manpower, re
sources, interest and policies — and I also believe that we must not
dismiss local law enforcement.
Thank you.
Mr. SAWYER . Thank you. I yield back , Mr. Chairman .
Mr. HUGHES. I might say you won't get any argument from us on
that.
Mr. BEQUAI. Thank you.
Mr. HUGHES. This subcommittee has fought for the past several
years trying to get more resources for the Federal law enforcement
establishment. We are lousy partners with local law enforcement
agencies. We are declining jurisdiction in cases we should be pursu
ing.
There was a time in south Florida where the declination policy
was that if there wasn't a couple tons of marijuana, we would
dump it onthe State prosecutors. So I say amen to your suggestion.
The gentleman from Florida, Mr. Shaw .
Mr. SHAW. No questions, Mr. Chairman.
Mr. HUGHES. The gentleman from New York, Mr. Fish .
Mr. FISH. Thank you very much, Mr. Chairman , I appreciate
being back here—it is like old times.
Mr. HUGHES. Nice to have you aboard .
Mr. FISH . Thank you .
Mr. Siegel, I understood you to say that you favored a threshold
which is one of the differences between the two bills before us.
It was myunderstanding that the experience in prosecution with
the threshold in the Truth -in -Lending Act and the Electronic
Transfer Act, that the threshold was interpreted as a floor. So we
have the results that it is necessary to show that a single card had
been used to meet the $ 1 thousand threshold and, therefore, a per
petrator who had five instances of $999 could claim the law was
not broken .
Now , I can see where a threshold is appropriate in cases of pos
session, but I would like your comment on this other problem that
has been experienced to date on threshold.
Mr. SIEGEL. It seems to me , Mr. Fish, that it is a matter of how
you define the threshold and not so much the existence of the
threshold. In the piece of legislation to which I had reference, I
think the definition is an aggregate amount of $5,000. It doesn't
seem to matter whether it is one card, two cards, or more. That is
one way to draw the threshold where the particular defense that
you just indicated couldn't be utilized, because it is very clear what
is meant - it is the amount. It doesn't matter how many cards were
used for that purpose .
 77

My belief that a threshold is a valuable provision to include in

the bill is primarily based upon my belief that by putting it in a
Federal criminal statute, it simply expresses very, very clearly that
the intent of this body, Congress, is to see that those cases that
meet that threshold are in fact dealt with by the prosecuting au
thorities at the Federal level. By leaving it wide open ; by simply
allowing it to be one card and on up, with no limit on the amount
of money, no threshold to limit the amount of money or goods or
services that are stolen; you basically are leaving the total area of
discretion, complete open area of discretion to the prosecuting au
thorities. They can then, pick, pretty much pick and choose at any
given time what they choose to do, what they want to do, and what
cases they want to prosecute .
Now , Idon't mean to say that by Congressputting a threshold in
they won't do the same thing. They still will do that probably in
the 92 or 93 U.S. Attorneys ' offices in the United States. But at
least by having Congress, make a strong expression, that this is
what you want, you are going to be able to exercise some influence
on the decisionmaking process that goes on when they decide
which cases they will take and which ones they won't take .
Mr. Fish . Thank you.
Mr. Bequai, you commented quickly, I believe, you were feeling
the flow of it in the seventies and the technology of the eighties
and, in fact, you said we should be looking and thinking about the
nineties.
Mr. BEQUAI. Yes, sir.
Mr. Fish. I direct your attention to the definition of fraudulent
payment devices which is identical in both pieces of legislation. As
defined in section 2(d) of 3181, it is to cover a broad range of im
proper payment mechanisms, noncard ways that can be used in
credit card fraud schemes, which would include account numbers,
sales slips, et cetera .
The reason for this broad definition was my belief that any enu
meration would soon be outdated by technology in the criminal ap
plication of this technology and that we would have to be prepared
for bizarre ways in the future.
I wondered if you care to comment on that definition .
Mr. BEQUAI. I agree with you, Mr. Fish. I think you should have
a broad definition to take into consideration new technological de
velopments; , and they are coming every day. So Ibelieve as broad
a definition as possible, would best serve your bill., So I concur; I
think it is a good idea to have a broad definition .
Mr. Fish . Thank you, Mr. Chairman .
Mr. HUGHES. I just want to thank you for your testimony. You
have been a greathelp to us. Your statements were excellent.
Let me just assure you that you have made a number of valuable
points, not the least of which is that we have got to spend more
attention to this aspect of white collar crime; the statutes have to
be updated
Second of all, we have got to make a major commitment at the
Federal level; provide some leadership and someseed money for in
novative programs such as develop the NDAA's special economic
unit. And training is also essential to local law enforcement agen
cies and this points up the need for the Justice Assistance Act of

38-178 0 - 85 - 6
 78

1983 which is over on the Senate side. We feverently hope that the
Senate will take up H.R. 2175 on an expedited basis so we can pro
vide some seed money for these innovative programs such as the
sting operations that have been so successful in this area.
We look forward to working with you.
Mr. SAWYER. I might say, Mr. Bequai, that $40 billion white
collar crime figure was the figure used about 8 years ago when I
was an urban prosecutor in order to adjust it-
Mr. BEQUAI. Exactly. I was being conservative. It has gone up
with inflation .
Mr. SAWYER. Thank you.
Mr. HUGHES. Thank you. We look forward to working with you
and trying to ensure that proper sentences are meted out. Maybe
sentencing guidelines would be of some assistance there. I know
members of this committee support that approach. Insofar as bond
ing, it is ridiculous to put somebody out on $50,000 bond where
they have just scammed amounts for $150,000 or $250,000. But, un
fortunately, we have very little say over that except perhaps by
oversight.
Thank you very much.
Mr. BEQUAI. Thank you , Mr. Chairman.
Mr. SIEGEL. Thank you.
Mr. HUGHES. Our last witnesses consist also of a panel: Robert A.
Hoadley is vice president of Government and Public Affairs for the
Data Processing Management Association , Inc. He is also the Data
Processing Director for the City of Raleigh, NC. He holds a certifi
cate in municipal administration from the Institute of Government
at the University of North Carolina and has served more than 26
years in data processing with the City of Raleigh.
Thomas Kelleher is vice president of Security, MasterCard Inter
national, Inc. Mr. Kelleher joined MasterCard International in
1982. Prior to that time he had a distinguished record with the FBI
for some 25 years and was their assistant director of the FBI Crime
Laboratory. He also has a Bachelor of Science degree from Ford
ham and a degree in Forensic Science from George Washington
University.
William D. Neumann is vice president of Security Operations,
VISA International . Mr. Neumann received his B.A. and Masters
degrees from Siena College, Loundonville, NY; and his Doctor of
Laws degree from St. John University in New York City. He is a
member of the New York State Bar and got his appointment as
vice president of Security with VISA International in 1982.
Mr. Neumann was special agent in charge of the FBI in San
Francisco, CA, and a 26 -year old veteran of the FBI where he
served on assignment in the United States and abroad in various
and sundry assignments.
Robert I. Farnon is vice president, Mid-Lantic National Bank
Citizens. Mr. Farnon was appointed to this position in 1980. He
began his career at Mid-Lantic as an installment loan officer in
1966 .
He is a graduate of the National Installment Audit School at the
Universityof Oklahoma, and attended William Paterson College.
 79

Mr. Farnon currently serves as chairman of the New Jersey

Bankers Association, Consumer Credit Committee, and is repre
senting the American Bankers Association .
I understand that a Mr. Alexander is also with us today as a rep
resentative of the American Bankers Association .
We welcome each and every one of you . We have your state
ments which, without objection, will be made a part of the record,
and we hope that you can summarize for us. We will begin with
you, Mr. Hoadley.
TESTIMONY OF ROBERT A. HOADLEY, INTERNATIONAL VICE
PRESIDENT, DATA PROCESSING MANAGEMENT ASSOCIATION ,
PARK RIDGE , IL., ACCOMPANIED BY JOSEPH L. NELLIS , COUN
SEL, SPRIGGS, BODE & HOLLINGSWORTH , WASHINGTON, DC;
WILLIAM D. NEUMANN, VICE PRESIDENT OF SECURITY, VISA
INTERNATIONAL, INC.; THOMAS KELLEHER, VICE PRESIDENT
OF SECURITY, MASTERCARD INTERNATIONAL INC., AND
ROBERT L. FARNON, VICE PRESIDENT, MID-LANTIC NATIONAL
BANK-CITIZENS , ENGLEWOOD CLIFFS, NJ, ON BEHALF OF THE
AMERICAN BANKERS ASSOCIATION, ACCOMPANIED BY JOHN
ALEXANDER, AMERICAN BANKERS ASSOCIATION
Mr. HOADLEY. Thank you very much , Mr. Chairman, and mem
bers of the Subcommittee on Crime.
I am very pleased to appear before you today, together with our
Washington counsel, Mr. Joseph Nellis, to give you the views of
Data Processing Management Association on H.R. 3570 as it relates
to computer crime and credit card fraud.
I should first like to mention that DPMA is an international pro
fessional society of over 40,000 computer managers, technicians,
scientists , and academicians .
It is the oldest professional society in the computer field with
chapters in every State, in Canada, Japan and other foreign coun
tries .
Officers of our association have recently completed trips to Japan
and China to exchange views on computer technology. To say that
we have much experience is an understatement.
DPMA was among the first computer groups to call for a compre
hensive computer crime bill, after investigating the existing situa
tion throughout the United States.
We sponsored an outstanding seminar on this subject at the
Brookings Institute in November of 1982 where expert after expert,
including your colleagues, Congressman Bill Nelson, Senator Joe
Biden and Senator Charles Mathias made it clear that computer
crime was not being prosecuted as vigorously as it might be be
cause prosecutors have to examine some 40 Federal statutes which
are, in part or in whole, applicable to illegal penetrations of com
puters for possible use in their indictments.
Problems abound. Is software “ property” within the meaning of
the larceny statutes ? Is the mail fraud statute applicable ? Does
theft occur when someone penetrates software, yet the software re
mains under the control of the owner?
These are but a few of the issues that plagued and continue to
plague our industry , prosecutors and the courts.
 80

For all these reasons, DPMA has been and continues to be in

support of H.R. 1092, introduced by Congressman Bill Nelson of
Florida in the House, and S. 1733 introduced by Senator Paul
Trible in the Senate.
Congressman Nelson's bill, H.R. 1092, now has over ahundred co
sponsors. This bill, in our opinion, will remove nearly all the uncer
tainties now in existence regarding Federal prosecutions of comput
er crime.
This issue has become so prominent in the public mind and press
as exemplified by a six -column front page article in the Sunday,
September 18, 1983 edition of The New York Times, which is at
tached to my testimony and I ask that it be made a part of it.
No legislation will prevent crime, but it can certainly make pros
ecutions easier, convictions possible, and deterrents more promi
nent.
To turn to H.R. 3570—
Mr. HUGHES. I wonder if we can just interrupt you there, Mr.
Hoadley. We are going to have at least two votes and that is prob
ably going to bring us back here at quarter of one. I think it would
be far preferable at this point if we just broke for lunch and came
back at 1:30. That way we won't be cutting your testimony short in
any way , because there are a number of questions we want to get
into .
I am sorry that we have to do this but it is not going to work out
otherwise and we would just be cutting your testimony short.
Why don't we break at this point and we will just pick up where
we have left off at 1:30.
Mr. HOADLEY. All right.
Mr. HUGHES. I might say it is good to see Joe Nellis back . He is
former General Counsel of the full Judiciary Committee anda very
valuable member of that committee for a number of years. He gave
me my initial training, as a matter of fact, when I first came to the
Congress back in 1974. It is good to see you, Joe.
We stand in recess until 1:30.
[Whereupon , at 12:15 p.m., the subcommittee was recessed, to re
convene at1:30 p.m., the same day .)
Mr. HUGHES. The subcommittee will come to order.
I am sorry for the delay. Mr. Hoadley, will you proceed where
you left off ?
Mr. HOADLEY. Thank you, Mr. Chairman. I will take up right
where I left off by turning to H.R. 3570. Let me say that in general
we , being the Data Processing Management Association, would sup
port any legislation that would make credit card fraud more diffi
cult and prosecution easier. We believe H.R. 3570, as a means of
attackingthe burgeoning crime of credit card fraud, is a valuable
tool in the hands of Federal prosecutors.
To the extent that the language in H.R. 3570 relating to comput
er crime will not conflict with the more comprehensive prohibi
tions contained H.R. 1092, we would have no hesitancy in support
ing it. We would have to leave it to the parliamentary experts in
the Congress to determine whether, if both bills become law, they
will complement or inhibit one another.
Our main objective is to secure, in the Congress, the kind of
debate and consideration this vexatious subjectdeserves. To this
 81

end, we wish you to know that DPMA is available, through its

headquarters staff in Park Ridge and through the office of our
Washington counsel, Mr. Nellis, to assist youin any way that we
can . Let me just say that the ingenuity and boldness ofcomputer
thieves know no bounds.
Some 19 States now have computer fraud or crime statutes of
their own . Experience has shown that daily, larcenous penetrators
come up with new schemes to defraud, to steal software, various
business records, to write checks on non -existent debts, to steal in
formation that would benefit a stock market speculator, to change
grades in a university computer and in general, to develop new
schemes that are costing the American public billions of dollars
annually.
Through H.R. 3570 and H.R. 1092, hopefully, the Congress will be
providing tools for prosecution and conviction of computer thieves
and a major deterrent, which presently does not exist. At the same
time, the industry is spending massive amounts of dollars to en
hance its own security systems.
It is to be hoped that with a Federal statute and the industry's
own enlarged efforts, we will soon see a decline in unauthorized
use or penetration and those who seek to commit this offense, pun
ished as examples to others.
Mr. Chairman, thank you for the opportunity to make this testi
mony to you and your courtesy and consideration . If the subcom
mittee has any questions, I would be glad to try to answer them.
[ The statement of Mr. Hoadley follows:]
 82

STATEMENT
OF

ROBERT A. HOADLEY , INTERNATIONAL VICE PRESIDENT ,

DATA PROCESSING MANAGEMENT ASSOCIATION ,
PARK RIDGE , ILLINOIS

ON H.R. 3570

BEFORE THE HOUSE OF REPRESENTATIVES COMMITTEE

ON THE JUDICIARY
SUBCOMMITTEE ON CRIME

September 29 , 1983

Mr. Chairman and Members of the Subcommittee :

I am pleased to appear before you , together with our

Washington Counsel , Mr. Joseph Nellis , to give you our views
on H.R. 3570 as it relates to computer crime and credit card
fraud .

I should first mention that DPMA is an international

professional society of over 40,000 computer managers ,

technicians , scientists , academicians and operators . It is

the oldest professional society in the computer field , with

chapters in every state , in Canada , Japan and other foreign
countries . Officers of our Association have recently
 83

completed trips to Japan and China to exchange views on

computer technology . To say that we have experienced much
is an understatement .

DPMA was among the first computer groups to call for a

comprehensive federal computer crime bill , after
investigating the existing situation throughout the United
States . We sponsored an outstanding seminar on this subject
at the Brookings Institution in November , 1982 where expert
after expert , including your colleagues , Congressman Bill
Nelson , Senator Joe Biden and Senator Charles Mc . Mathias ,

made it clear that computer crime was not being prosecuted

as vigorously as it might be because prosecutors have some
40 federal statites which are , in part or in whole ,

applicable to illegal penetrations of computers to examine

for possible use in indictments . Problems abound . Is

software " property " within the meaning of the larceny

statutes ? Is the mail fraud statute applicable ? Does theft

occur where someone penetrates software , yet the software

remains under the control of the owner ? These are but a few

of the issues that plagued and continue to plague our

industry , prosecutors and the courts .
For all these reasons , DPMA has been and continues to
be in support of H.R. 1092 , introduced by Congressman Bill
Nelson of Florida in the House and s . 1733 introduced by

Senator Paul Trible , Jr. in the Senate . We believe

Congressman Nelson's bill , H.R. 1092 now has over 80

co- sponsors . This bill , in our opinion , will remove nearly
 84

all the uncertainties now in existence regarding federal

prosecutions of computer crime . This issue has become so

prominent in the public mind and press as exemplified by a

six - column front page article in the Sunday , September 18 ,
1983 edition of the New York Times , which I have attached to
my testimony and ask that it be made part thereof . NO

legislation will prevent crime , but it can certainly make

prosecution easier , convictions possible and deterrents more
prominent .

To turn to H.R. 3570 , let me say that in general we

Iwould
would support any legislation that would make credit card
fraud more difficult and prosecution easier .. We believe

H.R. 3570 , as a means of attacking the burgeoning crime of

credit card fraud , is a valuable tool in the hands of

federal prosecutors . To the extent that the language in

H.R. 3570 relating to computer crime will not conflict with
the more comprehensive prohibitions contained in H.R. 1092 ,
we would have no hesitancy in supporting it . We would have

to leave it to the parliamentary experts in the Congress to

determine whether , if both bills become law , they will

complement or inhibit each other .

Our main objective is to secure , in the Congress , the

kind of debate and consideration this vexatious subject
deserves . To this end , we wish you to know that DPMA is
available , through its headquarters staff in Park Ridge and
through the office of our Washington counsel , Mr. Nellis , to
assist you in any way that we can . Let me just say that the
 85

ingenuity and boldness of computer thieves knows no bounds .

Some 19 states now have computer fraud or crime statutes of
their own . Experience has shown that daily , larcenous
penetrators come up with new schemes to defraud , to steal
software , hospitat- records, to write checks on non - existent
debts , to steal information that would benefit a stock

market speculator , to change grades in a university computer

and in general , to develop new schemes that are costing the
American public billions of dollars annually .
Through H.R. 3570 and H.R. 1092 , hopefully , the
Congress will be providing tools for prosecution and
conviction of computer thieves and a major deterrent , which
presently does not exist . At the same time , the industry is
spending massive amounts of dollars to enhance its own
security systems .
It is to be hoped that with a federal statute and the

industry's own enlarged efforts , we will soon see a decline

in unauthorized use or penetration and those who seek to

commät this offense , punished as examples to others

If the Subcommittee has any questions , I would be glad
to try to answer them .

Thank you for your courtesy and consideration .

 86

Prosecutors Find Laws Inadequate to Fight New Computer Crimes

Condoved From Page 1 financial and corporate centers, there ofyoungmen in Milwaukee entered one In both Connecticut and w Jersey ,
specifically designed to prosecute gion's hidden maze of computersys of the hospital's computers over tele legislators are drafting bilis,basedon
some of the most common forms of
tems processes billions of dollars in phone lines. in New York who are models
Prosecutors
in other states, particularly
California, that would establish spe
transactions each day. the Sloan- familiar with the case say that Federal cific penalties for computer abuses.
is the major reason
computer crime ofthepeople Το
thatonly fraction or tampering with Kettering
pected of aentering
sus and Columbia casesilus officials are unsurewhatcharge to levy TheCalifornia Statute, considered one
crate the difficulties of criminal prose against the youths.Mr. Miller atHar. of the strictest, provides for the prese
computer systems areever prosecuticution. No charges have been brought clear vard Law School pointed out:" Itis not. accesses,
where the crime was committed any person
cutionof alters, whotralicious
deletes , damages o
ed , according to prosecutors and legal against the young men linked to the Was it in New York? !n Wisconsin ? destroys any computer system , com
Prosecutors distinguish between two tampering
experts. Sources atColumbia cancer
at the say cer.ter .
the university This is why the Federal Government puiet tietwork, computer program o
tala .
types of comp uter nals n use
crimi . On the took civil actio beca it appe ared will have to take a major role ."
to
orie hand, they said , are those who use be the only swift way to make sure the
activity
computers as a tool to defraud banks or is was
unclear stopped
that . To uter
the comp both vand
casesals
, it
other businesses, often using modern broke any laws, according to experts .
technology to cover their tracks. Prose " Most states simply do not have stat.
cutors and private computer security utes that apply to these types of activi
consultants said such cases were still lies," said Arthur Miller, a computer fa Ye is fr ",
the most common and the laws dealing Harvard
and privacy expert and a professor at
Law School. " This is an area
with them were adequate.
On the other hand are the new com- in which the kids in blue jeans are often
puter criminals who seekto obtainor farahead of the guys in three piece
destroy information, sometimes conti suits. The lawis beginning to catch up,
Page Cu
dential, that is stored in networks of in
but it is one hell of a track meet."
Congressional committees have de
terlocking computer systems. It is for bated several proposed Federal stat 9/18/83
this type of crime that the laws are in utes since 1977, but no legislation has
sufficient, the prosecutors said . been enacted to prevent unauthonzed
" There are some Federal laws to access or use of computers. The latest
handle problemsofmajor proportions bill, introducedlast month andre
but they are indirect mail fraud, ferred to the Senate Judiciary Commit.
wire fraud or lawsdealing with access tee, woud establish fines for using a
to Government installations," said Ru- computer to steal or embezzle.
doll w . Gruliani, the United States At Report From Bar Associadoo
torney for the Southern District of New
The strongest move toward legisla
. "We are
Yorkdesigned
ist to using
deal with a newthat
statutes eraare
of tionin the Metropolitan area is in New
crime." York, where a subcommittee of the
Until such legislation is passed, most state barassociation issued a detailed Laws in U.S. Called
prosecutors say their hands are tied report last Octobr- expressing fears
While they are free to take a thiet to that the state's ciininal statutes were
court for stealing documents from afil. insufficient to deal withmost formsof Inadequate to Block
ing cabinet,they oftenhave a difficult computer crime, unless a fraud - such
isumeestablishin g that
property, or that who copies as
a computerfile
someone of a bank - hasmoney
outtransferring electronically
also taken place.
Abuse ofComputers
information out of it is a thief. The report , which led to the introduc.
And while they can freely prosecute tion of a bill in the Legislature last An auxiliary policeman in Orange,
3 burglar who walks intoanunlocked January , was prompted largelybythe Conn ., was investigated last spring by
house, theyhave little recourseagainst case of Theodore Weg. Mr. Weg, a con . authorities who suspected he was using
individvals who enter a computer sys putersystems manager with the Board the Police Department computer to
tem through the telephone line. of Education , was charged with theft of check records for his full-time employ.
services in 1981. He was accused of er. But the suspect was never charged
Little Remedy for Tampering using school computers to create a with a crime, prosecutors said , bee
Frequently, computer crimes are not handicapping system and to trace the cause he violated no Connecticut law .
genealogy of racehorses.
: ien reported . Victims say that even in " It was an abuse of the syster .. bu
states enacted laws
that havecrimethey The case attracted considerable pub
com licity,
to little
cat computer have with city officials usingthe event under current law not a crimiral
rernedy. Major corporations, tre to announce a new set of rules govern. abuse," said Emest Diette , an assist
quentlythe victim of tampering with ing theuse ofmunicipalcomputers.In ant state's attorney in Connecticut.
their computersystemsby employees April 1982,CriminalCourtJudgeMi Without an applicable statute, he said .
chael R. Juviler dismissed the charges ,
or outsiders ,arealso fearful of thepub rulingthatMr. Weg hadnot viola:ed " We could not have brought charges i!
About
licity that20surrounds
states have crimes . laws any New York law or shown criminal
such adopted we wanted to . "
governing computer abuse . But not all intent.
In an affidavit attached to Columbia
That complaint is arising with in
of the new laws make illegal some of creasing frequency among prosecutors
the most common forms of computer University'scivilsuit filedin State Su and legal experts across the country
randomly dis- premeCourt in March,the university
crime: using stolen
coveredcodes to enterora computer sys charged that David Nochlin of Brous who say they are severely hindered in
countering a rising tide of computer
cmover the telephone lines, removing you, a formerstudent at Carnegie Mel. abuse.
05 altering information in the compus lon University inthemaster
gainedaccessto , had
Pittsburghcontrol Most states, including New York ,
32 outfiles
+7's of service. Ottenitsuch
, or causing crash ,' or system ofa DigitalEquipment Corpo
to " tampering New Jersey and Connecticut, have yet
resultsin the permanent loss of intor: ration computer used by students to enact legislation against entering
mation at trernendous cost and incon throughout Columbia University. computer systems without authoriza
" enjence to the users of the system . Entered Through Telepbone Link tion, stealing some types of informa
In some cases , such activities are In the court papers , the university tion from them or causing them to go
potentially life threatening. In August, said that Mr. Nochlin had entered its out of service .
officials at the Memorial Sloan -Ketter system repeatedly through a telephone The lack of local and Federal laws
ing Cancer Center called in the F.B.I link .
when they discovered that a group of It also said he causedthe system to Continued on Page 42, column ]
young men had altered patient files crash, resulting in the loss of " large
controlling radiation treatment. amounts of data " and requiring the
Billions of Dollars Daily university to change thousands of ac.
cess passwords. Columbia said its
In other cases,tampering resultsin damagestotaled $ 25,000, and it asked
damage. Columbia University distor $250,000 in punitive damages. In an
closed in May,in court papers filed in a out-of-court settlement the university
civil suit. that a computer hobbyist agreed to drop its suit in return for a
säking to crash one of the university's consent degree that permanently er.
main computers had caused thousands joins Mr. Nochlin from " attempting to
of dollars in damage and the loss of use, access or interfere with the uns. ,
large batchesofdata - all by remote versity'scomputers.
control. Mr. Nochlin denied the charges in
In fact, the problems are considered courtpapers .
particularly severe in the New York by the Sloan-Kettering case, investi
area. As one of the country's leading gatorsbelieve that a loosely knit group
 87

Mr. HUGHES. Thank you, Mr. Hoadley. I think what we will do is

finish all the testimony and then go right to questioning.
Mr. HUGHES. Mr. Newman , we have your very excellent and
comprehensive statement. We hope that you can summarize it for
us .

Mr. NEUMANN. I am William D. Neumann, vice president of Visa

International in charge of security. I am appearing today in behalf
of Visa U.S.A. Inc. , a nonstock membership corporation which ad
ministers the Visa Card and Travelers Cheque Program through
out the United States. Our membership includes more than 13,000
commercial banks , savings banks, savings and loan associations,
and credit unions that participate in the Visa program .
As of the end of 1982 the Visa “ Blue, White and Gold ” card was
carried by almost 67 million Americans and accepted at nearly 2
million merchant outlets and 523,000 member offices all over the
country. For 1982, the total dollar volume of the Visa Card system
in the United States was approximately $39 billion.
On behalf of the extensive membership of Visa, I would like to
thank you, Mr. Chairman , for convening these timely hearings to
discuss the alarming increase in the incidence of card fraud . We
appreciate the leadership demonstrated by your cosponsorship of
H.R. 3181 and your introduction of H.R. 3570. Our testimony today
will focus on the credit and debit card aspects of the legislation.
Over the past few years, the fraudulent use of bank cards and
travel and entertainment cards has spiraled to incredible heights.
Its growth has been far out of proportion to the increase in the le
gitimate use of these cards. To illustrate the nature and scope of
the problem , it is helpful to look at just one of its aspects, counter
feiting
As Mr. Fish pointed out earlier today, and as detailed in our
written testimony, the losses from counterfeiting are staggering.
We are currently auditing the claims by our members at Visa
International headquarters, and at this time we are approximating
$23 million losses from counterfeiting alone, representing approxi
mately 20 percent of our overall fraud losses, and it is interesting
to note that a few years ago the counterfeiting losses vis - a -vis the
total fraud losses, was less than 1 percent.
As mentioned in earlier testimony, the Achilles' heel of the bank
card is its embossed account number. Perpetrators obtain a good
account number and emboss it on a counterfeit card, a plain piece
of " white plastic,” or reemboss it on a lost or stolen card. This so
called new card can then generate hundreds ofpurchases and cash
advances before it is blocked by the issuer. We have seen actual
cases in which a hard-working fraudulent card user could use a
single card for $ 10,000 in phony transactions.
Early criminal activity centered on lost and stolen cards, and
then moved to manual alteration. The next stage in the evolution
of card fraud was the development of far more sophisticated
schemes including those involving counterfeiting and white plastic,
White plastic scheme, was ably described and demonstrated by De
tective Ortega of the police department.
 88

I might mention his work was outstanding and the work of the
Metro Dade Police Department in the southern Florida area has
contributed immensely to combating card fraud. I would like to
point out that VISA has worked very closely with the Metro Dade
Police Department, and we have funded some of their operations.
Most counterfeiting and card alteration activities are the work of
organized gangs that operate with impunity across State lines,
drain millions of dollars weekly fromthe economy, and apply pro
ceeds from their card activities to other types of crimes - notably
drug and firearms dealings.
In the judgment of a unified credit card industry, the present
magnitude ofthis problem and its potential for even more stagger
ing losses warrant a congressional review of laws protecting the
public from fraud in connection with credit and debit cards . The
current problems have far-reaching ramifications for the integrity
of the Nation's payment system that increasingly involve credit
and debit cards and related codes and numbers.
For these reasons, Mr. Chairman , we would like to commend
you, Representative Fish and the others who cosponsored legisla
tion in this area , for your recognition of this problem and your ef
forts in fashioning legislation that will address many of these con
cerns. Quite clearly, you and the other members of this subcommit
tee appreciate that these pieces of plastic are tantamount to cash
and their fraudulent use directly analogous to the counterfeiting of
U.S. currency
Moreover, Mr. Chairman, your extensive efforts demonstrate an
awareness of the fundamental point that it is the consumer who is
the real victim of these unlawful activities. It is intuitively clear
that ultimately fraud losses are paid by consumers, as components
of the cost of credit and merchandise.
As demonstrated by the introduction of H.R. 3181 and H.R. 3570,
the problem is so extensive and geographically pervasive that a
Federal rather than a State response is warranted. In addition,
there are other reasons that commend a Federal response. I will
note just two.
First, and perhaps most important, the criminal behavior in
volved here places into jeopardy the entire national payments
system . Second, the activities generally are interstate in nature
and tend to shift geographically based on the degree of industry
and prosecutorial pressure exerted in major crime areas.
Inshort, a timely and effective legislative response can be forth
coming only from Congress. While the direction and thrust of both
bills demonstrate a recognition of the problem we would like to dis
cuss the bills briefly, describing common elements that we support
and indicating our basis for preferring H.R. 3181 .
Since counterfeiting appears to be the fastest growing area of
both card abuse and industry losses, we are pleased that both H.R.
3181 and H.R. 3570 deal with this major, previously unaddressed
area of credit and debit card abuse. In addition, both bills include
the alteration of legitimate cards, the fabrication of fraudulent pay
ment devices, andthe possession of, or trafficking in, fraudulent
device -making equipment.
These activities are at the very center of the evolving area of
credit and debit card criminality . It is also very important to ad
 89

dress the other areas of fraudulent activity encompassed by H.R.

3181 that arise from the possession of, or trafficking in, fraudulent
payment devices.
There are a number of specific reasons for our preference for
H.R. 3181. First, H.R. 3570 does not include possession of the credit
or debit card with fraudulent intent, which may be a unique and
troublesome offense. Second, H.R. 3570 would appear to require
that certain Federal thesholds be achieved before the provisions
would apply, which could create a loophole for criminals and
present some proof problems.
As an aside, I would like to point out that in my many years of
being involved in white- collar crime cases, the threshold problem
was handled as guidelines set up by the Federal Government and
the U.S. attorneys as a result, I witnessed many, many instances
where people that should have been convicted or tried were let free
because ofthese guidelines.
Third, the use of federally insured depository institutions as a ju
risdictional basis inH.R. 3181 would greatly ease the task of estab
lishing jurisdiction for the U.S. attorney.
Finally, in view of the improper use of sales drafts and vouch
ers -- particularly those produced from white plastic we believe that
it is important to include them in the definition of “fraudulent pay
ment devices.”
In terms of encouraging Federal enforcement, we also supportef
forts to focus the maximum possible attention on this problem . We
favor the highest level of Federal investigatory involvement by all
appropriate agencies, in a manner that is collectively acceptable to
the Federal law enforcement community and to the Department of
Justice.
Wecannot overstate the urgent need for action on this legisla
tion. Since an immediate response is necessary, and both the prob
lems of, and remedies for, credit and debit card fraud are well fo
cused, we believe it would be advisable to separate the different
and discrete issues of credit and debit card fraud from those of gen
eral computer crime.
In conclusion, the pervasive and growing use of plastic cards and
related access mechanisms is ushering in a worldwide system of
electronic funds exchange . These payment mechanisms holds the
potential for allowing consumers to use their assets any way they
see fit, instantly, anywhere in the world and at any time of day.
They hold the key to expanding their freedom by expanding their
financial flexibility.
If this new approach to financial services is to be implemented
successfully, it must be able to develop free of the existing threat of
widepsread criminality not effectively addressed under-and, thus,
not deterred by — the Federal Criminal Justice System . VISA and
others in the card industry respectfully urge this subcommittee
and the Congress to give immediate consideration to the adoption
of appropriate legislation in this area. We look forward to continu
ing our efforts in working together to fashion a sound, effective
bill.
Thank you .
Mr. HUGHES. Thank you , Mr. Neumann .
[The statement of Mr. Neumann follows:]
 90

STATEMENT OF VISA U.S.A., INC.

Mr. Chairman and Members of the Subcommittee, I am William D. Neumann ,
Vice President of Visa International in charge of security. Before joining Visa in
1982, I wasSpecial Agent in Charge of the Federal Bureau of Investigation's San
Francisco office. During my 25 years at the FBI, I was extensively involved in iden
tifying and investigating all types of white collar crime.
I am appearingtodayon behalfof VISA U.S.A. Inc., a non -stockmembership cor
poration whichadministers the Visa Card and Travelers Cheque Program through
out the United States. Our membership includes more than 13,000 commercial
banks, savings banks, savings and loan associations, and credit unions that partici
pate in the Visa program .
As of the end of 1982 the Visa “ Blue, White and Gold ” card was carried by almost
67 million Americans and accepted at nearly 2 million merchant outlets and 52,000
member offices all over the country. For 1982, the total dollar volume of the Visa
Card system in the United States was approximately $ 39 billion.
On behalf of the extensive membership of Visa ,I would like to thank you , Mr.
Chairman , for convening these timely hearings to discuss the alarming increase in
the incidence of card fraud. We appreciate the leadership demonstrated by your co
sponsorship of H.R. 3181 and your introduction of H.R. 3570. Our testimony today
will focus on the credit and debit card aspects of the legislation.
THE SCOPE OF THE PROBLEM
Over the past few years , the fraudulent use of bank cards and travel and enter
tainment cards has spiraled toincredible heights. Its growth has been far out of pro
portion to the increase in the legitimate useof these cards. To illustrate the nature
and scope of the problem , it is helpful to look at just one of its aspects, counterfeit
ing.
Worldwide card industry losses from counterfeiting alone were $ 15 million in
1981. In 1982, these losses soared to over $ 450 million , an increase of over 330 percent
in one year alone. Of these worldwide losses, 94 percent were suffered in the United
States. For the Visa system , counterfeit losses climbed from about $ 750,000 in 1981
to almost 15 times as much, or nearly $11 million, in 1982. Our preliminary reports
for 1983 indicate that these losses could reach $23 million .
You should realize, however, that losses from counterfeiting are only one facet of
the problem . In addition , Visa International had general fraud losses in excess of
$ 100 million in 1982.

HOW FRAUD IS PERPETRATED

It may interest the Members of this Subcommittee to know how fraud is perpe
trated. The Achilles' heel of the bank card is its embossed account number. Perpe
trators obtain a “ good ” account number and emboss it on a counterfeit card, a plain
piece of “ white plastic,” or reemboss it on a lost or stolen card. This so -called new
card can then generate hundreds of dollars of purchases and cash advances before it
is blocked by the issuer. We have seen actual cases in which a hard -working fraudu
lent user could use a single card for $ 10,000 in phony transactions. On the street
these cards can be bought illicitly for about $ 200.
Early criminal activity centered on lost and stolen cards, and then moved to
manual alteration. The next stage in the evolution of card fraud was the develop,
ment of far more sophisticated schemes including those involving counterfeiting and
" white plastic.” “ White plastic " is a term that refers to regular size plain blank
plastic cards that are embossed with an account number, cardholder name and expi
ration date.
Most counterfeiting and card alteration activities arethe work of organized gangs
that operate with impunity across state lines, drain millions of dollarsweekly from
the economy, and apply proceeds from their card activities to other types of
crimes - notably drug and firearms dealings.
CONGRESS IS CORRECTLY MOVING IN THIS AREA
In the judgment of a unified credit card industry , the present magnitude of this
problem and its potential for even more staggering losses warrant a Congressional
review of laws protecting the public from fraud inconnection with credit and debit
cards. The current problems have far-reaching ramifications for the integrity of the
nation's payment system that increasingly involves credit and debit cards and relat
ed codes and numbers.
 91
For these reasons, Mr. Chairman , we would like to commend you, Representative
Fish and the others who cosponsored legislation in this area, for your recognition of
this problem and your efforts in fashioning legislation that will address many of
these concerns. Quite clearly, you and the other Members of this Subcommittee ap
preciate that these pieces ofplastic are tantamount to cash and their fraudulent use
is directly analogous to the counterfeiting of U.S. currency.
Moreover, Mr. Chairman, your extensive efforts demonstrate an awareness of the
fundamental point that it isthe consumer who is the real victim of these unlawful
activities. It is intuitively clear that ultimately fraud losses are paid by consumers,
as components of the cost of credit and merchandise.
As demonstrated by the introduction of H.R. 3181 and H.R. 3570, the problem is
so extenisve and geographically pervasive that a federal rather than a state re
sponse is warranted. In addition, there are other reasons that commend a federal
response. I will note just two.
First, and perhaps most important, the criminal behavior involved here places
into jeopardy the entire national payments system . Second, the activities generally
are incerstate in nature and tend to shift geographically based on the degree of in
dustry and prosecutorial pressure exerted in major crime areas.
In short, a timely and effective legislative response can be forthcoming only from
Congress.
LEGISLATIVE PROPOSALS
H.R. 3181 and H.R. 3570 are major and important steps toward the development
of a comprehensive response to credit and debit card fraud. We greatly appreciate
your efforts and those of Representative Fish in fashioning such timely legislation.
Through his efforts and yours, Mr. Chairman, in accumulating more that sixty co
sponsors for H.R. 3181 , invaluable assistance has been provided in focusing congres
sional attention on this serious problem .
While the direction and thrust of both bills demonstrate a recongition of the prob
lems, we would like to discuss the bills briefly, describing common elements that we
support and indicating our basis for preferring H.R. 3181.
Since counterfeiting appears to be the fastest growing area of card abuse and in
dustry losses, we are pleased that both H.R. 3181 and H.R. 3570 deal with this
major, previously unaddressed, area of credit and debit card abuse. In addition, both
bills include the alteration of legitimate cards, the fabrication of fraudulent pay
ment devices, and the possession of, or trafficking in , fraudulent devicemaking
equipment. These activities are at the very center of the evolving area of credit and
debit card criminality. It is also very important to address the other areas of fraudu
lent activity encompassed by H.R. 3181 that arise from the possession of, or traffick
ing in , fraudulent payment devices.
There are a number of specific reasons for our preference for H.R. 3181. First,
H.R. 3570 does not include possession with fraudulent intent, which may be a
unique and troublesome offense. Second, H.R. 3570 would appear to require that cer
tain federal thresholds be achieved before the provisions would apply, which could
create a loophole for criminals and present some proof problems. Third, the use of
federally insured depository institutions as a jurisdictional basis in H.R. 3181 would
greatly ease the tasks of establishing jurisdiction. Finally, in view of the improper
use of sales drafts and vouchers - particularly those produced from "white plastic'
we believe that it is important to include them in the definition of " fraudulent pay
ment devices."
In terms of encouraging federal enforcement, we also support efforts to focus the
maximum possible attention on this problem . We favor the highest level of federal
investigatory involvement by all approporiate agencies, in a manner that is collec
tively acceptable to the federal law enforcement community.
We cannot overstate the urgent need for action on this legislation. Since an imme
diate response is necessary, and both the problems of, and remedies for, credit and
debit card fraud are well focused, we believe it would be advisable to separate the
different and descrete issues of credit and debit card fraud from those of general
computer fraud.

CONCLUSION
In ccnslusion, the pervasive and growing use of plastic cards and related access
mechanisms is ushering in a worldwide system of electronic funds exchange. These
payment mechanisms hold the potential for allowing consumers to use their assets
any way they see fit, instantly, anywhere in the world and at any time ofday. They
hold the keyto expanding their freedom by expanding their financial flexibility.
 92

If this new approach to financial services is to be implemented successfully, it

must be able to develop free of the existing threat of wide-spread criminality not
effectively addressed under - and, thus, not deterred by — the federal criminal justice
systems. Visa and others in the card industry respectfully urge this Subcommittee
and the Congress to give immediate consideration to the adoption of appropriate leg
islation in this area. Welook forward to continuing our efforts in working together
to fashion a sound, effective bill.
Thank you .
Mr. HUGHES. Mr. Kelleher, we likewise have your very compre
hensive statement. We hope that you can summarize.
Mr. KELLEHER. Thank you, Mr. Chairman. The previous testimo
ny by Congressman Fish effectively provided MasterCard fraud sta
tistics . The previous testimony by Congressman Smith aptly de
scribed the current criminal methodology, so I am batting a little
far down the line, I believe, to come up with anything new , and I
understand that much of this, of course, is already in our given
statement.
I just would like to make a few extemporaneous comments
rather than read anything further. Detective Ortega, in discussing
the fraud merchant program and investigations which have been
supported in part by funding by both MasterCard and VISA, has
highlighted one of the major problems that we are having in the
industry, which involves fraudmerchant activity.
I don't know all of the sociological reasons for this having devel
oped as such a major problem , but we can't argue much that in
fact it has developed as such a problem . And we have addressed
that as one of themajor issues in attacking the overall fraud prob
lem involved in the credit card and bank card industry.
MasterCard, for example, concerned over the ease with which
the traditional MasterCard could be duplicated through silk screen
methods, went to a redesign of the card that would require a
highly sophisticated offset method of printing to reproduce, and
through fine-line printing and through the addition ofthe ultravio
let-sensitive inks in the center of the newly designed card, and
then added a hologram which we feel takes the state of the art of
application of a security device out of the current technical capabil
ity of the criminal community.
This, however, is a dynamic situation, of course, and the fraud
merchant program takes into recognition the fact that the card,
when it is presented at the point of sale , may not in any way even
resemble a good card, if the merchant is in collusion with them.
We feel we had to, and I think the industry has taken steps to
look at its own process from within , and make adjustments to that
process to see that we make it much more difficult for these people
to operate in that environment, and move our authenticating pro
cedures and so forth inside of the merchant loop, so that we can do
a better job of stopping that.
Part of that is addressed by a fraud merchant program at Mas
terCard, where we have insisted that our members do onsite visits
and better preinvestigations of merchants prior to signup; that
they prescreen merchant deposits when they come in , to see that
they are not giving out largeamounts of money on dubious submis
sions of records of sale, and that we have insured the members to
some degree for charge backs, in the event they discover a mer
chant within their area that has been collusive, and they are con
 93

cerned about making public knowledge of the fact that this mer
chant was a fraud merchant, for fear of charge back . So there are
steps that are being taken that we feel will certainly slow down, if
not turn around, the trend that we have seen over the past several
years.
We have aa fraud reporting system within MasterCard that we
encourage our members to use, and through analysis of this
system , we have been able to identify suspected fraud merchants,
and in the past several months have sent out almost 2,000 notifica
tions to the effect that this particular merchant should be looked
at, because the level of fraud coming through his activity, while
looked at several months later unfortunately , indicate that there
may be activity that bears closer watching; at least that there may
be required additional eduction of that merchant as to how to stop
fraud activity.
On margin, if we may say, I believe a provision of H.R. 3181
offers an edge to investigators in that possession of just five fraudu
lent payment devices makes an offer of proof.
Also that the threshold for jurisdiction is expanded to include of
fenses affecting a federally insured institution .
I do applaud the inclusion in H.R. 3570 of extending jurisdiction
to the U.S. Secret Service. That agency has had a special expertise
over the years in safeguarding our currency, and has done a re
markable job in that of all the world's currencies, the United
States is the leastduplicated, and we haveprobably less of a prob
lem on that than does any country in the Western World.
In general, I would like to say the knowledge of the current prob
lem that has been demonstrated by the content of both bills, both
H.R. 3811 and H.R. 3570, has shown a great deal of diligence and
interest on the part of the committee and staff that have put these
together. We are very grateful at MasterCard for the interest that
you have taken in this problem, and that you do recognize it as we
do, as a clear and present danger that does require immediate
action .
We very much appreciate your attention and thank you , sir.
Mr. HUGHES. Thank you very much.
[The statement of Mr. Kelleher follows:]

38-178 0 - 85 7
 94
STATEMENT
OF
THOMAS F. KELLEHER

ON BEHALF OF

MASTERCARD INTERNATIONAL INCORPORATED

Good morning . My name is Thomas F. Kelleher . Until 1982 , I

was the Assistant Director of the FBI Crime Laboratory and I spent
21 years with the FBI in several other capacities . I am now Vice
President , Security of MasterCard International Incorporated .
MasterCard International is a membership corporation composed of
the over 13,000 U.S. financial institutions which issue and honor
the familiar MasterCard credit and debit cards . MasterCard is
pleased to have the opportunity to come before this subcommittee
today in order to comment on H.R. 3181 and H.R. 3570 , in order to
focus attention on the very real and growing problem of counter
ing and card fraud .
 95

BACKGROUND

Historically , card counterfeiting and fraud were relatively

contained activities , both in terms of the number of improper
transactions and the dollar losses which resulted . Improper card

use typically originated from a lost or stolen card which fell

into the hands of an individual petty thief . In such case , the
cardholder would miss his card and would promptly notify the card
issuer of the loss or theft of the card or of an unauthorized
transaction appearing on his billing statement . The issuer could
promptly block the card account through the authorization system
and publish the card account number in our warning bulletin as a
restricted account which should not be honored further by banks or
merchants . By publishing an account as " restricted " , the issuer
can provide an economic incentive to the merchant to not honor the
account . The losses which resulted from these abuses typically

occurred over a short time span and could be addressed quickly .

Generally too , these practices were perpetrated by an individual
for his own personal gain , utilizing an actual plastic card
initially issued as a valid , authorized card . Thus , the exposure

from these frauds was of a limited nature .

 96

SCOPE OF PROBLEM

In 1973 , total fraud and counterfeit losses for MasterCard

members were $ 2,780,000 . Over the course of the decade , fraud
losses grew unspectacularly , keeping pace with the growth of

transaction volume . However , beginning in 1980 , the bank card

industry began to experience an overwhelming and unexpected rise

in the number and amount of card- related fraud as well as a change

in the nature of this fraudulent activity . For the record , we are

submitting additional statistics and graphs evidencing the growth

of this problem and indicating its likely upward trend .
Particularly noteworthy is the picture of fraud percent change
increase charted against transaction volume percent change

increase displayed in Appendix A. While the Mastercard system has

enjoyed a steady percent change increase in transaction volume the
percent change increase in fraud and counterfeit losses is

dramatic and sudden . In 1981 our volume percent change growth

increased 232 % over the base volume of 1973 and volume growth
increased 255 % in 1982. Fraud loss percent change increases over
1973 base losses for those years grew 8298 in 1981 and 1540 % in
1982 respectively . Counterfeit loss percent change increases grew
an astounding 10,652 % in 1981 over 1973 counterfeit base losses
and 76,763 % in 1982 ! In 1979 total fraud losses for MasterCard
members amounted to $ 12,569,290 . In 1980 , MasterCard members
 97

reported $ 19,041,897 in fraud losses . For 1981 , the figure was

$ 25,817,918 . By 1982 , dollar losses escalated to $ 45,613,550 , an

increase over 1981 alone of $ 19.8 million !
Taken alone , the staggering increase in dollar losses is

reason enough for concern . But , of at least equal concern is the

type of activity responsible for the increase in these figures .
Specifically , our research indicates that many of the card- related
abuses which are reflected in the industry's losses today are of a
type which were unimaginable when the existing card crime laws
were enacted . A new type of fraud has surfaced ; fraud utilizing
not only the card itself , but the account number as well .

NEW FRAUD

Today's fraud is an intricate structure based on the illegal

use of account numbers , encompassing the production of counterfeit
cards , and the alteration of validly issued cards . Offenders have
devised several different ways to obtain valid account numbers
without the cardholder knowing that the number will be used by
another person . Account data can be extracted from carbon slips
which were used in valid card transactions and discarded by the
merchant or may be memorized by the perpetrator while someone was

making a legitimate purchase . Or , account data can be obtained

from the cardholder directly , generally over the telephone

utilizing a variety of fraudulent techniques varying from
 98 .

purported surveying , to product offerings , to representations that

the perpetrator is the bank confirming the account information .
Valid account numbers are surely a valuable commodity and
have been used dishonestly in some unlikely ways . One practice of

recent vintage involves collusion by a merchant or a merchant

clerk who obtains valid account numbers taken from authorized

sales at the merchant's place of business . These account numbers

are transcribed onto sales slips which are then " sold " to other
colluding merchants for deposit with their respective bank for
payment . Or , account numbers can be used on "white plastic "
cards . The white plastic fraud cases literally involve a card
which does not bear any design or service marks on it . The card's

face is embossed with a valid account number so that when

presented to a dishonest merchant , the card can be imprinted on a
sales slip and the slip could then pass as a valid transaction .

Whether the slip is made by hand or against a white plastic card ,

these " phony " sales slips are entered into the system by the
merchants , commingled with valid slips so as to better conceal the
scam .

Account numbers can be used on unauthorized sales slips by

dishonest merchants as described above or , used to purchase goods
from telephone/mail order houses . Goods would then be shipped to
a temporary address given by the perpetrator who would change
locations before the cardholder would report the unauthorized
transaction from his billing statement .
 99

More significantly , account numbers may also be used to

create a counterfeit card . Card counterfeiting techniques have

become distressingly popular among sophisticated criminals . One

favorite method of counterfeiting employs a silk screening process

( the same process used to print T - shirts ) . It is a common

technique , inexpensive to use and has proven , unfortunately , to be
an effective process . Briefly , a plastic card which can be

obtained through many legitimate sources is silk screened with the

registered design and service marks of a card organization . Then ,

valid account numbers obtained in one of the ways I just described ,

are embossed onto the card . The resulting product is a card that
looks and acts , for a given period , as an authorized card . Another

card fabrication scam utilizes a lost or stolen card . The

criminal irons out the original cardholder identifying information
on the card and re-embosses over it with different , valid account

data . While not as sophisticated as the silk-screening process ,

it was an " improvement " on the old " shave and paste " scheme , where
account data information was literally carved off of one card and
reglued onto another card . One industry group has calculated that
counterfeits comprise 14 % of non - cardholder related fraud losses ;

account number alterations , 53 % ; white plastic , 22 % and stolen

blanks , 11 % .

Based on our review of these fraudulent practices , MasterCard

estimates that the improper use of account numbers , card
alteration , card counterfeiting and collusive merchant activity ,
 100

is to a great degree responsible for the unprecedented increase in

card fraud activity .
Our research indicates that the dramatic increase in

fraudulent card activity , is in large part the result of the

participation and direction of sophisticated criminals , not the
penny ante thief of earlier times . In a recent counterfeit credit

card conspiracy case , federal investigators exposed a

counterfeiting ring of unprecedented scope and sophistication .
The members of the ring produced counterfeit VISA , MasterCard and
American Express cards which were virtually undistinguishable from
authentic cards . The materials seized by law enforcement
officials included the highest -quality card manufacturing
equipment , and , a total of nine thousand unfinished counterfeit
VISA , MasterCard and American Express cards . Additionally , agents
also found enough magnetic tape to manufacture 100,000 credit
cards . Law enforcement officials estimated that if each

counterfeit card meant $ 1,000 in fraudulent purchases , the

counterfeit cards produced by this particular ring , if circulated
and used , could have resulted in nine million dollars in
fraudulent transactions .

Most distressingly , organized crime figures prominently in

the burgeoning card account abuses , as evidenced by recent
arrests , investigations and law enforcement reports . In the

counterfeit card conspiracy case I just discussed , witnesses

testified that the leader of the ring dealt exclusively with
 101

members of organized crime . The ringleader ( who plead guilty to

conspiracy to manufacture and distribute credit cards , and to
aiding and abetting in using such cards ) wholesaled finished
counterfeit cards to a " fence " associated with organized crime .
The " fence " would later retail the cards to other criminal figures
who used the cards nationwide . This same man also intended to
penetrate the international market and traveled to England for

that purpose . And , as is typically the case with organized crime ,

violence , played a part in its activities . According to govern

ment witnesses , the self-confessed leader of the counterfeiting

ring talked incessantly about " whacking " anyone who " crossed " his
criminal enterprise . He also boasted of having been a " hit man "
for a reputed mobster . Furthermore , this card entrepeneur was

implicated in a plot to murder a state prosecutor . The prosecutor

was in charge of a pending case against the principal artist of

the counterfeiting ring . Fortunately , the " hit " was never brought
to fruition .

Unfortunately , this has not been the only instance of

violence's preeminent role in organized crime's venture into the
card business . Postal Inspectors have arrested a number of people

within the past two years who were allegedly associated with
organized crime . In one case two persons were arrested and
charged with operating a counterfeit card ring . Shortly after
their arrest , four men linked to them were found shot to death .
The " street " rumor said that the dead men had " fingered " the two
 102

arrestees . In another case a man and his wife were arrested along
with six other co-conspirators and charged with fourteen counts of
conspiracy to commit credit card fraud . The couple was convicted

and sent to federal prison . The wife was paroled to care for her
child . Eleven months after her arrest , the wife , her son and her
nephew , were slain gangland style in their home , while her husband
was in jail .

Prostitution and drug trafficking are also involved in card

fraud . In New York City's Times Square area a pool room served as
a credit card supermarket . Card thieves , posing as prostitutes ,
would steal the cards from their clientele and then wholesale the
stolen plastic at the pool room .
Fraudulent card abuse is a lucrative activity . The so called
" profits " earned by its practioners are reinvested in other
illegal activities , most infamously , the narcotics trade . At one

end of the spectrum , newspapers have reported that many

individuals turn to card crime to support their drug habits . At

the other end , witnesses in recent congressional hearings on card

crime have testified that card fraud cases have been linked by law
enforcement officials to major drug trafficking . The ill - gotten
gains obtained from card fraud abuse are used by some fraud rings
to finance their narcotic activities , as well as other illegal
operations . These operations not only cross state lines , but

extend into the Caribbean and Latin American countries as well .

 103

Thus , the nature of card - related abuses has changed from a

non -violent type of petty thievery involving isolated instances of
dishonesty to a sophisticated , well organized activity of far
reaching proportions that feeds into and supports the very worst
elements of criminal society at home and abroad .

COSTS OF COUNTERFEITING AND FRAUD

The compelling figures of the high cost of this crime clearly

translate into higher dollar losses for card issuing institutions .
Presently , we estimate that these fraud losses cost the MasterCard
system approximately $ .08 per transaction , up from a cost of $ .008
per transaction based on 1973 figures . This represents an
increase in this cost of the MasterCard service of an overwhelming

900% . When industry is forced to absorb higher and higher costs

for providing a service , those costs will , by necessity , be
reflected in the price charged to consumers . Yet , it is not only

in the price of services that consumers are impacted by this type

of fraud . Consumers are also injured by the sheer annoyance of
having to deal with improper charges on their account statements ,
of having to obtain a card replacement , of being conned over the
phone and , generally , of being personally victimized by such

abusive tactics . These latter injuries are hard to quantify , but

easy to sympathize with .
 104

MASTERCARD EFFORTS

Because we can not countenance the manipulation of the

MasterCard service by others to harass consumers and because of
the costs we are forced to bear and pass on , the industry has not
sat idly by . We at MasterCard have taken strong steps at many

levels to stem the tide and to control counterfeiting and fraud ,

beginning with the physical properties of the card itself . The

MasterCard card has been redesigned to contain three anti

counterfeiting features : fine line printing ; ultra-violet ink
printing and a unique hologram covering part of the embossed
account number . The hologram contains a laser produced three
dimensional image of the MasterCard logo . In addition to making

the MasterCard card extremely difficult and costly to reproduce ,

it will make alteration of the embossed account number digits
covered by the hologram much harder to accomplish and much easier
to detect . To further prevent transactions with fraudulent or
altered cards , we have reprogrammed our authorization system to
enable our members to better identify cardholders at the point of
sale . However , some time will be required until the system is
fully implemented and more time will be needed to measure its
impact on this fraudulent activity .
In our increasing awareness and concern over the rising tide

1 of fraud , we have taken additional steps to control the abuse of

account numbers by merchants . We have added a provision in the
 105

MasterCard Operating Rules which prohibits a merchant from

providing , selling or exchanging account number information , in
any medium , to any other party unless connected with the
merchant's legitimate bank card business .
We are actively cooperating and supporting local and federal

law enforcement officials in the investigation and prosecution of

card - related crimes . Each of our principal members has one or
more security representatives with whom we coordinate
investigative activities and law enforcement assistance . These

representatives create an important network of card security

experts with which local officials can obtain support and

assistance in investigating and prosecuting crimes .

regard , MasterCard regularly maintains communication with these
security representatives when MasterCard is alerted to possible
criminal activities in a given area in order to contain the spread

of any criminal ring . And , as the national organization , we

operate a computerized fraud reporting system to which all member
institutions input information on fraudulent or questionable

activity . MasterCard utilizes this system to monitor developments

which on a local level may not by themselves indicate any

reason for concern but which , on a national level , create a
pattern of activity worthy of additional scrutiny and assist in
law enforcement efforts .

These actions are only intended to exemplify the commitment

of MasterCard to curtail counterfeiting and fraudulent practices
 106

and the whole of the bank card industry is working hard toward
this end , as well . We will continue to channel our energies and
resources in this area but these continuing efforts are not
enough . In our work with law enforcement agencies it became
apparent that congressional intervention was necessary . It is for

this reason especially that we welcome the introduction of H.R.

3181 and H.R. 3570 and their reflection of the seriousness with

which this problem is finally being addressed .

H.R. 3181

H.R. 3181 , the Credit Card Counterfeiting and Fraud Act , is

an important piece of legislation which MasterCard International

heartily endorses . It is a landmark effort in recognizing the
painfully wide deficiencies in the federal law relating to credit
card crimes . As I mentioned , credit card counterfeiting has grown
recently in enormous proportions and , yet , it is presently not a
federal crime to counterfeit a credit card . Credit cards are
acceptable as currency throughout the world and each card can

represent thousands of dollars of purchasing power for goods and

services or , in fact for cash itself . Because of the worldwide

utility of the credit card , the card industry represents a

significant factor in the national payment system . Clearly , the
criminal compromise of the card device has an undesirable ,
 107

destabilizing impact on the integrity of the national payment

system as a whole and , in particular , on the consumers and

businesses who draw on the card systems for payment services .
It is an anomaly of the law that card counterfeiting or the
possesion of counterfeit cards is not a federal crime , in spite of
the fact that cards provide the kind of exchange value offered by

currency Misuse of currency is , and should be , a crime of the

highest priority . Misuse of cards and account numbers should
likewise be labeled as crimes and likewise be a priority .
Section 2 of H.R.3181 would add new Section 1029 to title 18
of the United States Code making it unlawful to produce , buy or
sell counterfeit cards and other means of account access . It

would also make it a federal crime to possess five or more

fraudulent payment devices with intent to defraud . This is an

important provision . In our conversations with prosecutors they

have advised us of several incidents where numerous counterfeit

cards were found in the possession of a suspect in the course of

card fraud or card counterfeiting investigations but have found it

dificult , despite evidence of an intent to defraud , to obtain a

criminal conviction in view of the inadequacy of federal law .

Section 2 would also properly make it a crime to produce ,

sell or buy counterfeit card equipment with the intent to make
counterfeit cards . Prosecutors have also told us of
investigations which have uncovered card counterfeiting rings in
action . Yet , prosecutors have been unable to bring these cases
 108

to prosecution because of the federal law's omission of these

activities as crimes .
Subsection ( b ) of Section 2 also provides for increasing
penalties for multiple offenses . This is a very critical element

in view of the participation of sophisticated criminal

organizations . The organizations must be made to feel the risk of
engaging in card related crimes and MasterCard agrees that
multiple offenders should be subject to stronger punishment .
Finally , subsection ( c ) of Section 2 adds a critical notion

to the card crime provisions by recognizing the interstate nature

of card activities . As is usually the case with money , credit
cards involve interstate commerce both directly and indirectly .
Card use directly involves interstate commerce when any two of the
four parties involved in effecting an interchange transaction
( cardholder , cardholder bank , merchant , merchant bank ) are located

in different states . Even if such is not the case much of the

technical and operational support for the card will involve
interstate facilities and , likely , the payment for those goods and
services will involve interstate commerce . As with currency , the

credit card virtually by definition , is an interstate product and

deserves to be addressed in the federal laws .
H.R.3181 also makes other worthwhile technical changes to the
law . Subsection ( d ) ( 1 ) would define " payment device " to include
credit cards , account numbers , codes or other means of account
access . We approve of this definition of payment device since it
 109

recognizes that other means of account access than the physical

plastic can exist today and it is vitally important to preserving

the integrity of our nation's payment system which increasingly

involves the use of such devices .
Furthermore , under Subsection ( d ) ( 2 ) the term " fraudulent

payment device " would for the first time not only include in
Subsection ( d ) ( 2 ) ( A ) a card or card component that is counterfeit ,
fictitious , altered , forged , lost , stolen , fraudulently obtained
or obtained as part of a scheme to defraud ; but would also include
under Subsection ( d ) ( 2 ) ( B ) any invoice , voucher , sales draft or
other reflection or manifestation of such a device . The inclusion
of this type of documentation will greatly enhance the prosecution
of mail /telephone order or merchant collusion scams where the sale
is made without the physical presence of a card or its imprint .

H.R. 3570

H.R.3570 , the counterfeit Access Device and Computer Fraud

Act of 1983 , is also an important piece of legislation . Like

H.R.3181 , this bill recognizes the vast deficiencies in the

federal law pertaining to card- related fraud and , in addition ,
addresses another concern of our technology-oriented society ,
namely , computer fraud . MasterCard International endorses the

provisions of H.R. 3570 which pertain to fraudulent card

activity .

38-178 O - 85 - 8
 110

Section 2 of H.R.3570 would amend title 18 of the United

States Code by adding new Section 1029 which encompasses fraud and
related activity in connection with access devices and coaputers .

Subsection ( a ) of Section 2 would make it a federal crime to

produce , buy , sell or transfer a fraudulent access device or the

equipment to manufacture such a device , with the intent that such

equipment be used in the production of a fraudulent access

device .

Subsection ( a ) ( 3 ) of Section 2 would also make the use of a

computer with intent to execute a scheme to defraud a federal
crime as well . Since MasterCard considers others to be more
qualified authorities to opine on the complexity of computer abuse
and/or fraud , we must decline to comment on this matter .
Like H.R.3181 , H.R.3570 also provides for increasing
I

penalties for multiple offenses for card fraud and computer abuse
as well . It also recognizes the interstate nature of these
crimes . The case of credit cards involving interstate commerce
has been well documented .
Finally , H.R.3570 recognizes that the concept of the federal
government's involvement in the fight against fraud is of immense

significance . Subsection ( a ) of new Section 1029 would authorize

the United States Secret Service to investigate offenses under

this section , in addition to any other agency having such

authority . MasterCard believes the dramatic increase in card

related fraud over the past few years has demonstrated the need
 111

for additional investigatory assistance by the federal government .

clearly , the efforts of local government would be enhanced by the

participation of the Secret Service in those cases invoking
federal jurisdiction . The Secret Service is internationally
recognized for its long history and expertise in protecting the
integrity of our currency . Their experience in this regard would
be invaluable .

Whenever there are deficiencies in criminal laws , technical

barriers to prosecution are provided and criminals who might

otherwise be convicted are released on " technicalities . " The

public is then the loser . It is therefore important for the card

crime laws to be drawn as broadly as constitutionally permissible

in order to provide prosecutors with the necessary tools with
which to prosecute offenders . Without solid criminal statutes

with which to prosecute offenders , it is apparent to us the

industry efforts to control criminal fraud card activity will be
undermined . clearly , in the fight against such criminal activity ,
it is important for both industry and government law enforcement

officials to be armed with a Congressional directive that

fraudulent card account activities are a criminal affront against

consumers , institutions and society at large and shall not be

tolerated .

On behalf of MasterCard International , I want to thank you

for the opportunity to express our views . I will be pleased to

answer any questions you might have .

 112

APPENDIX A

Fraud Percent Change Increase

Percent
Change
Increase
100,000
90,000

80,000
70,000 Count feit
Base 1973 $ 12,148
60,000

50,000

40,000
30,000
20,000

10,000
9,000
8,000
1 .

7,000

6,000
5,000

4,000

3,000
2,000

1,500 Praud
Base 1973 - stooo
$ , 000
1,000
900
800
700

600
500

400
300
Bese 1973 = 52.21.420,000
200
100
1973 1900 TOT 102
 113

Fraud Losses Reported

1979 $ 12,569,290
1980 $ 19,041,897
1981
$ 25,817,918
1982
$ 45,613,550

Illustration :
Millions 1979 1980 1981 1982

50

40

30

20

10

1
 114

Counterfeit Losses Reported

1979 $ 172,143
1980 $ 839,379
1981 $ 1,306,148
1982 $ 9,337,354

Illustration :
Millions 1979 1980 1981 1982

10

0
 115

Mr. HUGHES. Mr. Farnon, we likewise have your statement.

Mr. FARNON. I am testifying today on behalf of the American
Bankers Association. As you mentioned earlier, Mr. Chairman, I
am accompanied here today by Mr.John Alexander, senior vice
president of Bank One in Columbus, OH, who is also the American
Bankers Association chairman of the Task Force Committee on
Bank Card Fraud, and hopefully Mr. Alexander will be given per
mission to briefly describe the activities of that task force.
We commend, Mr. Chairman, your timely action in convening
this hearing, and for introducing H.R. 3570.We also extend our
thanks to Congressman Fish for introducing H.R. 3181, and to you
and other members of this subcommittee who cosponsor that meas
ure.
In the last few years , fraud losses have grown at a geometric
rate. The losses of the Visa and MasterCard system have grown
from a combined loss of $ 11.7 million in 1972 to over $ 125 million
in 1982, over a 1,000 percent increase. We are particularly .con
cerned about the counterfeit and altered card losses; for the com
bined systems these losses have increased from a relatively minor
$ 175,000 in 1978 to over $25 million in 1982.
When these losses are aggregated with the losses of other card
issuers such as private label, retail cards, gasoline cards, travel and
entertainment cards, it is clear that thiscountry is faced with a
major criminal activity that can no longer be ignored.
Mr. HUGHES . If I could just interrupt you there, that is another
vote that we have in progress. We are going to have to excuse our
selves again to catch that vote. We have another problem in that
Mr. Sawyer and I have to manage a conference report dealing with
antitampering. That is going to take us probably 15 or 20 minutes.
With your indulgence, we are going to recess for a half hour. I hesi
tate to do that to you. I know you are all very busy, but unfortuan
tely that call is from the Speaker's Office, and we are scheduled to
come up next in the House. Let's suspend right now and we will
come back as soon as we can get back.
[ Recess.]
Mr. HUGHES. The subcommittee will come to order.
Mr. Farnon, again I apologize for the delay.
Mr. SAWYER. We got our bill passed .
Mr. FARNON. You did ? Well, congratulations.
About the need for legislation in this area, we are hopeful that
the efforts of the industry, which Mr. Alexander will describe, will
help reduce substantially the current fraud and counterfeiting ac
tivities. However, it is our experience that in spite of the industry's
best efforts the criminal element will always strive to be one step
ahead of the industry's latest technology or security procedures. Ef
fective law enforcement is the only way ultimately to deter crimi
nal activity.
We believe that H.R. 3181 and H.R. 3570 would make a great
contribution toward effective law enforcement efforts. Not only
would these bills aid in current prosecutions, but in addition, they
would lay a sound basis for future investigations and prosecutions
as criminal activity becomes more sophisticated .
The increase in losses due to counterfeiting of cards is of particu
lar concern. Where counterfeiting was virtually unknown or ex
 116

tremely unsophisticated 10 years ago, today it has become much

more sophisticated, involving organized groups and the use of
highly technical equipment. These bills, by making it a crime to
buy, sell, transfer or possess equipment used in making fraudulent
payment devices, would lay the foundation for effective Federal in
vestigation and prosecution of this crime.
The interstate nature of this crime also creates a need for Feder
al legislation. We have seen many examples of criminal activity
moving freely about the country and the world. This interstate or
international aspect of the criminal activity speaks strongly in
favor
ties .
of a comprehensive Federal statute addressing these activi
The industry recognizes that more criminal legislation is not a
complete answer to the current problems and theproblems we will
face in the future. Indeed, legislation may represent only a small
part of the solution. A large part of the responsibility for counter
feiting prevention falls on the industry. Mr. Alexander will briefly
describe the activities of his task force and then I want to conclude
by making one or two points about the specific provisions of the
bills pending before this subcommittee.
Mr. HUGHES. Mr. Alexander ?
Mr. ALEXANDER. Mr. Chairman, in February 1982, the associa
tion formed a task force on bank card fraud in an attempt to devel
op a comprehensive analysis of the growing counterfeit and alter
ation problems. Working closely with VISA and MasterCard, we
have developed what we believe to be an effective industry pro
gram to deal with this problem . The task force's efforts can be di
vided into several categories.
First, the task force has recommended a number of changes in
policies and procedures to the two major card associations (VISA
and MasterCard ). These changes have been implemented or are
being implemented by the associations and the card -issuing banks
in a timely and thoughtful manner . By way of example:
The number and quality of security personnel at both associa
tions has been notably increased. The major card -issuing banks
have also made major increases in security personnel.
Both associations have committed to requiring banks and other
issuers to incorporate new features into cards that will make coun
terfeiting much more difficult.
New systems such as cancelled or fraudulent merchant indexes
and counterfeit reporting systems are being implemented. This will
help to identify merchants who participate in fraud activity and
then prevent them from becoming a merchant with another bank
in the system .
New policies to safeguard numbers and materials during card
manufacturing, card embossing, and card transportation services
have been or are being implemented. This will help prevent crimi
nals from obtaining the numbers and materials necesary for pro
ducing counterfeit cards.
Second, the task force has developed a comprehensive Card
Fraud Manual. To date, over 400 copies of this manual have been
placed in the hands of card issuers.
This Card Fraud Manual includes materials for educating bank
ers, merchants, and consumers on the extent of the problem and
 117

some simple procedures that can be used to detect or prevent fraud

and counterfeiting. Some of these same materials have been provid
ed to various newspapers, radio stations, and television stations
across the country for use in public services announcements, edito
rials or feature articles on the fraud problem . Hopefully, this pub
licity will heighten consumer awareness and thereby reduce crimi
nal opportunities.
Third, on June 10, 1983, ABA sponsored a successful National
Card Fraud Management Seminar. This program brought together
many experts in the industry and provided many security person
nel and managers with the tools needed to implement better fraud
control programs.
Fourth, together with MasterCard and VISA, the ABA Task
Force sponsored a major study of card secure properties. Card
secure properties are the physical aspects of the card that make
counterfeiting or alteration more difficult. To date, over 100 tech
nologies have been tested . Some technologies were recommended
for immediate implementation .
Other promising technologies have been singled out for further
study. The ABA Task Force is now contracting with the manufac
turers of the card secure properties for “ field testing” of these addi
tional technologies.
Mr. Chairman , our efforts will continue along the lines of educat
ing banks, merchants, service agents, and customers on how to pro
tect account numbers and detect possible fraud. Since card issuers
are the most direct victims of the fraud schemes , the efforts must
begin with the card issuer. But all parties, including consumers,
must assume their share of the responsibility. Ultimately, costs of
fraud are borne by the consumer in the form of higher prices for
credit or for the use of the card .
Thank you.
Mr. HUGHES. Thank you.
Mr. Farnon .
Mr. FARNON . Yes , Mr. Chairman .
With the need for legislation firmly in mind, we would like to
comment on the specific provisions of H.R. 3181 and H.R. 3570.
H.R. 3570 includes a provision giving the U.S. Secret Service au
thority to investigate offenses with respect to card and computer
crime. We strongly support this involvement of the U.S. Secret
Service. That agency has developed expertise in their investigation
of counterfeit currency that would be invaluable in investigating
counterfeit credit cards and debit cards.
We would, however, express one reservation. We do not want to
see the role of the office of the postal inspector diminished. The
budget of the chief postal inspector should not be reduced nor
should the time of that office spent in investigating credit card
fraud be diminished.
In fact, both these elements should be increased. The role of the
U.S. Secret Service should be one that augments rather than re
places the postal inspector's role.
Computer crime is an urgent concern of financial institutions.
The existing body of criminal law was never intended to cover
problems associated with the high levels of technology in use today.
 118

However, enactment of a provision as broad as the one included

in H.R. 3570 without further definition and explanation could
prove unwise. Experience under other legislation has given our in
dustry cause to be extremely cautious with broadly drafted provi
sions. Without more specific guidance on what the proposed provi
sion is intended to cover, we are concerned that problems may
arise which adversely affect legitimate industry.
At this time, we would encourage the subcommittee and the full
Judiciary Committee to give further study to computer crime in a
broader sense rather than just as it relates to credit and debit card
fraud .
We would encourage the subcommittee to specifically include
fraudulent sales slips as a separate part of the definition of " fraud
ulent access device” or “ fraudulent payment device " depending on
which bill is ultimately voted on by the subcommittee.
We would also urge the subcommittee to treat possession of
fraudulent devices as a separate punishable offense as is done in
H.R. 3181 and to eliminate possession of fraudulent devices and the
obtaining of $ 5,000 in value as separate elements of crimes punish
able under H.R. 3570.
These changes will ensure that law enforcement agencies and
prosecutors have the statute they need to effectively deal with card
criminals .
Mr. Chairman , the industry has recognized a growing area of
criminal activity. We are taking what steps we can to curtail this
activity before the problem becomes worse. We would welcome en
actment of legislation along the lines of H.R. 3181 or H.R. 3570 to
lay a firm foundation for effective law enforcement efforts in this
area. Again , we appreciate the subcommittee's attention to this
problemand the opportunity to make our views known.
Thank you , Mr. Chairman.
[ The statement of Mr. Farnon follows:]
 119

STATEMENT OF THE
AMERICAN BANKERS ASSOCIATION

BEFORE THE

SUBCOMMITTEE ON CRIME

HOUSE COMMITTEE ON THE JUDICIARY

ON

H.R. 3181 AND H.R. 3570

SEPTEMBER 29 , 1983

Mr. Chairman and members of the Subcommittee , my name is Robert

Farnon , Vice President of Midlantic National Bank / Citizens in Englewood
Cliffs , New Jersey . I am testifying today on behalf of the American
Bankers Association . I am accompanied by John Alexander , Senior Vice

President of Bank One in Columbus , Ohio . Mr. Alexander is Chairman of the

American Bankers Association's Task Force on Bank Card Fraud which has

focused on the issues dealt with in the bills which are the subject of this
hearing .
The Association membership consists of over 90 percent of the
approximately 14,500 full service banks in this country . The combined
assets of our nearly 13,000 member banks represents approximately 95
percent of the industry total. Approximately 90 percent of our members can
be described as community banks having assets of $100 million or less .

members issue and service the majority of the domestic cards in the VISA
and MasterCard systems. In addition , our members issue many private label
credit cards and debit cards including the cards commonly used in automated
teller machines .
 120

We commend your timely action , Mr. Chairman , in convening this hearing

and for introducing H.R.3570 . We extend our thanks to Congressman Fish for
introducing H.R.3181 , and to you and the other members of the Subcommittee
who cosponsored that measure .

Our Association welcomes the opportunity to present our comments on

the problems associated with card fraud and counterfeiting and with
computer crime .

Scope of the Problem

Ten years ago fraud losses in the bank card industry were not
sufficient to cause great concern . However , in the last few years fraud
losses have grown at a geometric rate . Attached as Appendix A to this
statement is a graph showing the combined losses of the VISA and MasterCard
systems over the past ten years . The losses have grown from a combined

$ 11.7 million in 1972 to $ 125.8 million in 1982 - over a 1,000 percent

increase .

We are particularly concerned about the counterfeit and altered card

losses . For the MasterCard and VISA systems , these losses have increased
from a relatively minor $ 175,000 in 1978 to more than $25,000,000 in 1982 .
When these losses are aggregated with the losses involved in private label
bank cards , retail cards , gasoline cards , and travel and entertainment
cards , it is clear that the country is faced with major criminal activity
that cannot be ignored .
Need for Legislation

Others testifying today are more intimately familiar with the specific
operating procedures used by criminals in this area and have or will
describe those activities . I will not repeat this information in my
testimony , but I will try to indicate to you how fraud losses impact

1
 121

financial institutions and ultimately consumers .

The credit card industry has had its ups and downs in terms of
profitability over the past years . In the modern era of bank card
operation , our first period of profitability came ( during a period when our
cost of funds was stable) when the industry learned to control the major
elements of its operating costs . More recently, we have experienced a
period of unprofitable operations as our cost of funds fluctuated upward
beyond our ability to control .

Now with operating costs under control and , hopefully , with the cost
of finds more stable , we can generally operate under profitable conditions .
The exception to this rosy picture , is our non - operating costs specifically
fraud losses , charge -offs , and bankruptcy losses . Unless these
non -operating costs can be controlled , we cannot operate profitability in a
campetitive environment .

A profitable credit card operation depends in part on the volume of

sales transactions involved . In this high volume atmosphere , the costs of
even a small number of transactions involving fraud losses can have a

dramatic impact on the profitability of a card operation . In other words ,

a small percentage of the total dollars in transactions processed which
result in losses can translate into a large percentage of total costs
thereby reducing or eliminating profitability .
We are hopeful that the efforts of the industry , which are described
below , will help to reduce substantially the current fraud and
counterfeiting activities . However , it is our experience that in spite of
the industry's best efforts , the criminal element will always be just one
step ahead of the industry's latest technology or security procedures . As
our methods for detecting and eliminating fraud become more sophisticated ,
 122

so do the criminal activities designed to beat the system . Effective law

enforcement is the only way to ultimately deter criminal activity .

To that end , we believe that H.R. 3181 and H.R.3570 would make a great
contribution toward effective law enforcement activities . Not only would
these bills aid in current prosecutions, but in addition , they would lay a
sound basis for future investigations and prosecutions as criminal activity
becomes more sophisticated .

We have already alluded to the increasing sophistication of criminals

as they seek to bypass the industry's security efforts and technology .

This has been particularly true with respect to credit cards . Time and
again we have seen criminals who begin their "career " with the use of lost
and stolen cards during the brief period before those cards appear on the

restricted card lists or card recovery bulletins. This "career " can
progress through alteration of cards and fraud involving merchant collusion
to more sophisticated means of counterfeiting involving silk - screening or
photo off - set printing.
The fastest growing element of industry losses due to credit card
fraud , relate to counterfeiting . Where counterfeiting was virtually
unknown or extremely unsophisticated 10 years ago , today it has become much

more sophisticated , involving organized groups and the use of highly

technical equipment . This bill , by making it a crime to buy , sell ,
transfer or possess equipment used in making fraudulent payment devices ,
would lay the foundation for effective federal investigation and
prosecution of this crime .

The interstate nature of this crime also creates a need for federal

legislation . We have seen examples of criminal activity moving freely

about the country. As law enforcement and industry efforts tighten in one
 . - 123

particular area , the organized criminal activities easily shift to a

different area of the country or the world . This interstate or
international aspect of the criminal activity speaks strongly in favor of a
comprehensive federal statute addressing these activities .
Finally , while banks have not yet experienced significant fraud losses
with respect to electronic funds transfer activities , we can expect that
this area of criminal activity will grow over the years as electronic funds
transactions become more common . This criminal activity , if it develops ,
wil. obviously be of a very sophisticated nature , often beyond the
capabilities of the limited resources of any one local law enforcement
agency . The obvious interstate nature of electronic funds transfers
requires same federal response to crime associated with this activity.
H.R. 3181 and H.R.3570 would lay a sound foundation for federal prosecution
of this activity .

Efforts of the Industry

The industry recognizes that more criminal legislation is not a

complete answer to the current problems and the problems we will face in
the future . Indeed , legislation may represent only a small part of the
solution . A large part of the responsibility for counterfeiting prevention
falls on the industry .

In February of 1982 , the Association formed a Task Force on Bank Card

Fraud under the auspices of the Bank Card Division , in an attempt to

develop a comprehensive analysis of the growing counterfeit and alteration
problems . Working closely with VISA and MasterCard , we have developed what
We believe to be an effective industry program to focus on this problem and
take necessary corrective measures within the industry . The Task Force's

efforts can be divided into several categories .

 124

First , the Task Force has recommended a number of changes in policies ,

procedures , and practices to the two major card association ( VISA and
MasterCard ) . These changes have been implemented or are being implemented
by the associations and the card issuing banks in a timely and thoughtful
manner . These changes include the following :

o The number and quality of security personnel at both associations

has been notably increased . The major card issuing banks have also
made major increases in security personnel .

o Senior management and governing boards of the associations have made

major commitments to address the issue on a long term basis .

o Both associations have committed to requiring banks and other

issuers to incorporate new features into cards that will make
counterfeiting much more difficult .

o New systems such as cancelled or fraudulent merchant indexes and

counterfeit reporting systems are being implemented . This will help
to identify merchants who participate in fraud activity and then
prevent them from becoming a merchant with another bank in the
system .

o New policies to safeguard numbers and materials during card

manufacturing , card embossing , and card transportation services have
been or are being implemented . This will help prevent criminals
fram obtaining the numbers and materials necessary for producing
counterfeit cards .

o Rewards to merchants and sales personnel for the recovery of altered

or counterfeit cards at the point of sale have been implemented or
increased .

o Portions of VISA's card recovery bulletin and MasterCard's

restricted card list are being used to educate merchants on this
problem .

o Corrmunication and education efforts have been initiated with banks ,

enforcement agencies , and merchants and between the two
associations .

Second , the Task Force has developed a comprehensive Card Fraud

Manual . This manual is designed for banks as a manager's guide for
developing a comprehensive fraud prevention and control program . The
|
manual provides guidelines for dealing with card manufacturers , guidelines
 125

for protecting account information , procedures and policies for staff

training, procedures for merchant training, educational material for
consumers , and other useful guidelines for comprehensive fraud prevention .
To date over 400 copies of this manual have been placed in the hands of
cará issuers .

This Card Fraud Manual includes materials for use in educating

merchants and consumers on the extent of the problem and some simple

procedures that can be used to detect or prevent fraud and counterfeiting.

These materials and other educational material have been provided to
various newspapers , radio stations, and television stations across the
country for use in public services announcements , editorials or feature
articles on the fraud problem . Hopefully , this publicity will heighten
consumer awareness and thereby reduce criminal opportunities .
Third , on June 10 , 1983 , ABA sponsored a successful national Card
Fraud Management Seminar . This program brought together many experts in
the industry and , together with the Card Fraud Manual , provided many
security personnel and managers with the tools needed to implement better
fraud control programs . This seminar was teleconferenced live to sites in
five cities : New York , Atlanta , Dallas , Chicago , and San Francisco . This
program is now being made available on tape for state banking associations
and other groups interested in sponsoring fraud seminars . A similar
seminar was held recently in connection with our National Bank Card

Conference . Further , educational efforts are scheduled in connection with

our upcoming Annual Convention .

Fourth , together with MasterCard and VISA , the ABA Task Force

sporisored a major study of card secure properties . Card secure properties

are the physical aspects of the card that make counterfeiting or alteration

38-178 O - 85 - 9
 126

more difficult . This study , undertaken in the fall of 1982 by Battelle

Laboratories of Columbus , researched other industries for applicable

technology that could be utilized in the card industry. To date , over 100
technologies have been tested . Same technologies were recommended for
immediate implementation . Other promising technologies have been singled
out for further study . The ABA Task Force will be contracting , in the near
future , with the manufacturers of the card secure properties for " field
testing " of these additional technologies .
Our efforts will strive to educate banks , merchants , service agents ,

and customers on how to protect account numbers and detect possible fraud .
Since card issuers are the most direct victims of the fraud schemes , the

efforts must begin with the card issuer . But all parties , including
consumers , must assume their share of the responsibility . Ultimately ,
costs of fraud are borne by the consumer in the form of higher prices for
credit or for the use of the card as a payment mechanism .
Specific Provisions

With the need for legislation firmly in mind , we would like to comment
on the specific provisions of H.R.3181 and H.R.3570 .
1. Investigative Authority . H.R.3570 includes a provision giving the
United States Secret Service authority to investigate offenses with respect
to card and computer crime. We strongly support this involvement of the
United States Secret Service . That agency has developed expertise in their
investigation of counterfeit currency that would be invaluable in
investigating counterfeit credit cards and debit cards. Further , to the
extent that the Secret Service has periods during which protective
responsibilities are lighter than during presidential campaigns. this
investigative activity would certainly make effective use of a very capable
 127

group of law enforcement personnel .

We would , however , express one reservation . Historically , the primary

investigative body on the federal level with respect to credit card fraud
has been the Office of the Postal Inspector . Although credit card
investigations comprise only a small part of the Postal Inspector's

responsibilities, they have rendered valuable service to the industry and

to consumers . We do not want to see that role diminished . The expertise

and working relationships developed by the Postal Inspector's Office should

not be lost due to a perception that another agency is assuming
responsibility for this particular area of investigation . The budget of
the chief postal inspector should not be reduced nor should the time of

that office spent in investigating credit card fraud be diminished .

fact , both these elements should be increased . The role of the U.S. Secret
Service should be one that augments rather than replaces the Postal
Inspector's role .

2. Computer Crime. Computer crime is an urgent concern of financial

institutions . The existing body of criminal law was never intended to
cover problems associated with the high levels of technology in use today .
We feel that problems, particularly relating to the value of intangible
property , information , programs , computer processing time and computer
storage capacity , in addition to fraud with the use of the computer , could
more successfully be prosecuted under a federal statute dealing
specifically with computer crime .
However , enactment of a provision as broad as the one included in
H.R.3570 without further definition and explanation could prove unwise .

Experience under other legislation has given our industry cause to be

extremely cautious with broadly drafted provisions . Without more specific
 128 "

guidance on what the proposed provision is intended to cover , we are

concerned that problems may arise which adversely affect legitimate
industry .

Several groups within the Association , including ABA's Task Force on

Bank Internal Auditing, are examining problems associated with computer
crime . As these groups prepare information on computer crime as it relates
to financial institutions , we will provide that information to this
Subcommittee . However , at this time, we would encourage the Subcommittee
and the full Judiciary Committee to give further study to computer crime in
a broader sense rather than just as it relates to credit and debit card
fraud .

3. Fraudulent sales slips . Many recent fraud losses have involved

" white plastic" cards. These losses involve the use of an imprinted piece
of plain white plastic , the size of a credit card , embossed with a valid
account number . These cards are then used to imprint sales slips . The

sales slips are then deposited by a merchant acting in concert with the
criminal in a merchant account held with a bank . The merchant and criminal
then share the illgotten proceeds in the merchants account .
H.R.3181 would define " fraudulent payment device " to include any
" invoice , voucher , sales draft" or other manifestation of any counterfeit
card . This addition to the definition , not included in H.R.3570 , would
make possession or transfer of the phony sales slips involved in white
plastic schemes a separate crime . We view this as a potentially helpful
provision in the prosecution of white plastic criminal and collusive
merchants , While the definition of " fraudulent access device " in H.R.3570

may be sufficiently broad to cover these sales slips , specific reference to

such slips would remove any doubt as to the intent of the legislation . We
 129

urge that it be incorporated into any bill reported by this Subcommittee .

4. Possession of fraudulent devices. H.R. 3181 would make the simple
act of possessing five or more counterfeit cards a crime . H.R. 3570 does

not go that far . Under H.R.3570 , possession of 10 or more cards would be

required as a separate element of an offense involving producing , buying ,
selling , or transferring counterfeit cards .
The Association believes that mere possession of five or more cards ,
with the required intent , should in itself constitute a crime under the

proposed section of the criminal code. In many cases , possession may be

the only thing that can be proven in court . The buying or selling of such
devices would require additional evidence that may not be available in some
cases .

Further , we object to possession of access devices being an element of

the crime in all cases under the proposed section . Possession of equipment
or evidence that devices have been sold or transfered , together with

ev.idence on intent , should itself be sufficient to define a punishable act .

In many cases , devices may not be found with equipment or with an
individual, but other evidence will demonstrate that individual's
involvement with counterfeit cards .

5. $5,000 value. Section 1029 ( a ) , as proposed in H.R.3570 would

require a showing that a criminal obtained something with a value
aggregating at least $5,000 as one element of a violation of the section .

While evidence to prove this element of the crime will generally be

available to prosecutors , its inclusion imposes an unnecessary burden on

those investigating or prosecuting crimes under the proposed section .

A prosecutor should be able to use evidence that an individual has
obtained value due to activities involving counterfeit cards in proving
 130

intent . However , other evidence may exist that demonstrate intent prior

to the time an individual has illicitly earned $5,000 . In effect , by

including this requirement, a crime may not be punishable in its embryonic
stage . For example, a counterfeitor who has sold nine cards for $ 500 each
could not be prosecuted under this section even though he possessed other
cards and a clear intent to sell them . Therefore , we urge that this
provision be eliminated .

6. Financial institutions. H.R. 3181 includes a provision providing

that the required nexus to interstate commerce is satisfied by a showing
that the offense affects a federally insured financial institution . Courts
have established that this type of provision is constitutional . We would
urge its inclusion in this legislation as a means of easing the burden on
prosecutors .

7. Fraudulent access device . We suggest one clarification in the

definition of " fraudulent access device " in H.R.3570 or " fraudulent payment
device " in H.R.3181 . The parenthetical at the conclusion of each

definition is designed to exclude checks from the definition . Forged

checks are properly treated elsewhere in criminal law. However , we would

note that many transactions involving credit card accounts involve the use
of paper instruments . Some of these transactions may be interpreted to
involve solely paper instruments .

Therefore , we recommend that the parenthetical at the end of these

definitions be changed to make it clear that the language of the
parenthetical modifies and limits the term " transfer of funds" and does not
limit the scope of the entire definition . We suggest that the

parenthetical be changed to read " ( other than initiating a transfer of

funds solely by check , draft , or other similar paper instrument ) " .
 131

Summary and Conclusion

Mr. Chairman , the industry has recognized a growing area of criminal

activity. We are taking what steps we can to curtail this activity before
the problem becames worse . We would welcome enactment of legislation along
the lines of H.R. 3181 or H.R.3570 to lay a firm foundation for effective

law enforcement efforts in this area . Again , we appeciate the

Subcommittee's attention to this problem and the opportunity to make our
views known .
 132

Appendix A

CREDIT CARD INDUSTRY

TOTAL FRAUD LOSSES
( $ Million )

130

120

110

100

90

80

70

60

50

40

30

20

10
.

1973 1974 1975 1976 1977 1978 1979 1980 1981 1982

Source : VISA , U.S.A. , Inc. and MasterCard International Incorporated

 133

Mr. HUGHES. Thank you very much, Mr. Farnon.

First, Mr. Farnon, where do you get the impression that we
would exclude the Postal Service from credit card investigations?
Where did you get that impression ?
Mr. FARNON.It is really not an impression. It is a concern that
perhaps due to budgetary reasons, if the Secret Service were in
volved in investigation and prosecution of these crimes that per
haps it would diminish the role of the Postal Office.
Mr. HUGHES. I find from my own experience that regardless of
what we do the executive determines priorities. The Secret Service
under the terms of this bill would just receive authority in addition
to authority any otheragency has. It wouldn't take away authority
of the Postal Service. What falls within the province of the postal
authorities would still remain with the postal authorities.
Mr. FARNON . Well, we are hopeful, Mr. Chairman , that that is
exactly what would happen , thatboth of these
Mr. HUGHES. Not all credit card or other fraud would trigger ju
risdiction of the postal authorities. That is part of the difficulty.
Some other law enforcement agency has to pick up the jurisdiction,
otherwise you have a hiatus. I don't think anything in here sug
gests we would be in any way diminishing the jurisdiction of the
postal authorities.
The difficulty unfortunately is that the law enforcement agencies
are all spread so very thin . That is what declination means. In es
sence, it means the Federal Government operates not to exercise
jurisdiction even though it is there. They do it every day . It varies
from jurisdiction to jurisdiction. In some jurisdictions, a U.S. attor
ney prosecutes 90 percent of the bank robbery cases where there
is clear Federal jurisdiction. Other jurisdictions they don't pros
ecute 10 percent.
There is no standard uniform declination policy, and it all re
lates to the lack of resources. This problem is at the very heart of
why this legislation has a threshold of ten credit cards or $ 5,000.
We know that if wedon't have a threshold, the U.S. attorneys are
going to determine their own thresholds. We think we the Congress
should have something to say about what the threshold should be.
That is one factor.
The second factor is we want to reach basically transactions that
impact interstate commerce. We are not interested necessarily in
the individual who bilks $250 out of aa credit card company. We are
interested in the individual who is running a scam , who has an
impact upon interstate commerce. The States have the authority
generally to handle the person that is running a scam that has a
small impact. States have in many instances the resources to do
that. It is where the transactions begin to cross State lines, where
they begin to impact interstate commerce where the Federal juris
diction should be triggered, in my judgment. That is why we have
the threshold .
Can any of you gentlemen tell me, give me any reasons why we
should not be thinking in terms of a threshold ?
Mr. NELLIS. May I speak, Mr. Chairman ?
Mr. HUGHES . Yes. Yes, Joe.
Mr. NELLIS. I have been thinking about this problem a good deal,
Mr. Chairman . As you are well aware, in the case the drug laws,
 134

there is possession which constitutes a misdemenaor, with a 1-year

sentence and possibility of fine up to $5,000. But then there is also
possession with intent to distribute which makes it a felony. Why
could we not incorporate the same theory into your bill?
If an individual has five cards and no more, and bilks somebody
out of $250, he is guilty of possession of fraudulent credit cards,
and could be charged with a misdemeanor under Federal law , as
suming the prosecutor would go along with it and so on . But I
think the law should be broad enough to include even the slightest
possibility that some prosecutor somewhere would grab somebody
with five cards.
Mr. HUGHES. There is a precedent for that, Mr. Nellis.
Mr. NELLIS . Yes.
Mr. HUGHES. In fact, we included a very similar provision in the
false identification legislation.
Mr. NELLIS . I saw it.
Mr. HUGHES. Which we passed last year and the President signed
intolaw .It has that very same threshold. And we could very easily
do that. That is something we have not ruled out as a possibility.
Mr. NELLIS. I hadn't heard it mentioned.
Mr. HUGHES. The question is what arguments can you advance
that in some way suggest that we shouldn't have some kind of a
threshold.
Mr. NEUMANN. Mr. Hughes, I would like to make a comment on
that. As you know , there are Federal statutes which do have
thresholds. For instance, interstate transportation of stolen proper
ty has a $ 5,000 minimum on it. I find that U.S. attorneys across
the country will immediately raise that amount, because of prior
ities in their particular districts. So, one U.S. attorney may auto
matically raise it to $ 50,000, or $75,000. The mere presence of the
threshold encourages the U.S. attorneys and the Federal law en
forcement agencies which are pressured with what they consider
higher priorities to simply increase that amount.
Mr. HUGHES. I don't find they need any encouragement. The fact
of the matter is they are going to do it anyway. I think, as a matter
of policy, we ought to say what the threshold should be. If we say
the threshold should be $5,000, or 10 credit cards, then that ought
to trigger Federal jurisdiction. We, as part of our oversight respon
sibilities, can question why it is not being done.
But, I think that what your suggestion is, don't mention thresh
old and hopefully they will end up at 10. I find that that doesn't
necessarily mean that is where they are going to end up . I think,
however, if we determine what we think should be Federal jurisdic
tion, and then provide the resources to carry out the Federal re
sponsibility, we will have done our job as a Congress .
What I am saying is, we should develop the very best legislative
mechanism, and say that that is what we intend to enforce at the
Federal level .
Mr. NEUMANN. One other problem I have experienced with the
threshold is when an investigativeagency comes up with an orga
nized, ongoing criminal activity. They can move in and make an
arrest, but it becomes a proof problem if you have already set a
minimum requirement that must be met in order to prosecute that
case . I think it should be left to the discretion of the prosecutor to
 135

look at a specific case and determine whether or not to prosecute.

In addition, where there is organized criminal activity, even
though it may involve less than five cards, or less than $5,000, the
prosecutor then has the option to go ahead and prosecute if he con
siders it to be a complex and important case.
I think in H.R. 3570 the threshold really modifies the entire bill
because it applies to all aspects of the proposed legislation .
Mr. HUGHES. Mr. Sawyer ?
Mr. SAWYER. You know I think that is a legitimate observation .
Nothing is all good or all bad. But we have a Federal law and have
had foryears. II forget now the name of it, but transporting stolen
automobiles across State lines. Unless you have a massive drain,
the Feds decline jurisdiction and under the declination policy leave
it to the States. They do the same thing with drugs and almost all
bank robbers unless it gets big headlines. Then they will sometimes
get in it.
I am a little biased, having been a State prosecutor. But I think
there is some value to fixing a minimum which doesn't make them
adhere to it but certainly carries a strong suggestion that they
ought to get in if it is over that amount, and Iwould feel a little
more comfortable with it .
The Justice Department has indicated that the Federal bank se
crecy laws prohibit banks from informing authorities when they
have been a victim of this kind of thing. Do you have any view of
that, or is that true ? Are you prohibited from advising authorities
when you sustain losses under the bank secrecy
Mr. NEUMANN. If it is a bank fraud embezzlement case, it is my
understanding, that the bank is required under Federal law, to fur
nish the FBI with a report. The problem encountered is that when
the investigation gets underway the investigating official may very
often find it difficult to obtain information from the bank simply
because they fear violating the Financial Privacy Act. That act
does not apply to the credit card industry. So the bank does not
have that same situation with the dissemination of the Credit Card
Act numbers, which is another reason we favor the inclusion of
those account numbers into the bill .
Mr. SAWYER. So if the Justice Department indicates that, they
are not correct vis- a -vis the credit card problem?
Mr. KELLEHER. I think as far as the credit card problem goes, Mr.
Sawyer, that that has pretty well been established through past in
vestigations, that there has been no serious difficulty on the part of
certainly the Postal Service or any other organization that has
come in looking for that type of assistance. I think as Mr. Neu
mann pointed out, it may be where you are actually into bank em
bezzlement and the Privacy Act or other considerations similar to
that bring about disclosure of an individual's accounts, then they
had-as an innocent individual with an act being perpetrated by
an officer of the bank, that they do have a right of privacy.
But I don't think in this situation that that has held, sir.
Mr. SAWYER. One thing occurred to me, particularly as I listened
to the testimony of the fact that many merchants are at least sus
pected of deliberately or knowingly accepting forged cards or false
cards, why don't we under the law impose the same risk on some
 136

body taking a false credit card as we do on taking false currency or

a forged check ?
There is no right against either the bank or the maker of the
check if somebody takes a forged check. The same is true with bad
currency. Whoever takes it is stuck with it and the Government
doesn't redeem it. Now it strikes me that if you were to put that
obligation on the merchant, that he would at least be required then
to get additional identification from the person using the card. And
these scams I heard that were being operated would not work if
somebody came in with James Jones credit card and correct
number,but can't identify himself as James Jones.
Why wouldn't that be a practical thing to cut down ? Nothing
cureseverything, but wouldn't that greatly reduce the amount of
merchant participation in this kind of fraud ?
Mr. NEUMANN . Our concern is that it could reduce participation
to the point where the consumer wouldn'tbe able to use his credit
card at many stores because of the fear that the merchant would
be liable as an innocent victim of a counterfeit card .
Mr. SAWYER. Not if he had ample other identification .
Mr. NEUMANN. Even with valid identification you can emboss a
name and a valid account number on a card and pass it at the
point of sale.
Mr. SAWYER. You see, I can use American Express checks or Citi
Corp checks, traveler's checks, easier than I can use a card. And
there if my name is forged on it by somebody else, the merchant
who takes them eats them . I don't see why one argument, why it
isn't valid as to credit cards, too. You are guaranteeing the credit
of the individual. In other words, you willpay it so it is not like
them giving you a check with insufficient funds or a check that
bounces. All they have to do is determine the identity of the indi
vidual using the card. They have to do that with a traveler's check.
I have never had any trouble all around the world using travel
er's checks.
Mr. NEUMANN. Mr. Sawyer, somebody earlier used the phrase
“ charge back .” In the industry that means that when the sales
draft goes through, if there is something wrong with it it is actual
ly charged backto that merchant. Just like a traveler's check ; if
the signature, for instance, didn't agree with the signature on the
credit card , it would be a charge back and it would be returned and
the merchant would have to suffer the loss.
In the case of a counterfeit card , if there is any indiciation of col
lusion or knowledge on the part of the merchant, then it goes back
and he does suffer the loss .
Mr. HUGHES. Will the gentleman yield to me?
Mr. SAWYER. Yes, sure.
Mr. HUGHES. I would suspect, and I don't know for sure, that the
industry figures they have got a certain percent loss of fraud, 6
percent, 7 percent, whatever. That if a charge back is made to mer
chants,they would end up with fewer merchants and end up with
higher losses because they wouldn't take more business.
Mr. KELLEHER . Somewhere along that line, sir. You have, as Mr.
Sawyer mentioned, the differences between currency and plastic
money in a sense. Currency began with a lot more protection to it
than did the plastic card because I don't think the industry per
 137

ceived the threat at that time of the plastic card being used in a
counterfeit mode.
What we are looking at now is an attack from an area that was
not expected in the sense that over the past few years we have
seen a dramatic increase in counterfeit. Now, the response is form
ing, but ithas not been fully applied and never can be applied fully
because of the process of counterfeiting and the fact that these in
struments were never recognized as possibly instrumentalities of a
crime.
Mr. SAWYER. Well, the only reservation I have is, you know , if I
have a bank draft or cashier's check or letter of credit or what not,
and it is made payable to me and somebody else cashs it, it is the
person who takes it that has the problem, not the bank, or not me.
Why don't we put the same onus on the one that takes the credit
card to make sure that, now nobody worries about a cashier's
check notbeing good, but they do have to worry if it is payable to
me, that I am the person that endorsed it to them . And they are
the only one that is really in a position to make that determina
tion .
Mr. KELLEHER . Right.
Mr. SAWYER. Yet they don't seem to have any hesitancy to take a
cashier's check . So as long as I have ample identification, as most
people do, because they are not worried aboutgetting their money,
I don't know why this would so impede credit cards, just putting
that same onus that is put on them with traveler's checks or cash
ier's checks or anything else to make sure the thing is not a for
gery . That the person who has it has the identification that is
the same that is on the card .
Mr. KELLEHER. Yes, sir. Well, there are rules within , the Master
Card Association , that this was a fraudulent transaction, that he
can be charged back .
Mr. SAWYER. Apparently it isn't done very much based on the
testimony I heard from Mr. Ortega. They have 300 on the list that
they are satisfied are doing this and apparently they are getting
paid for it by the bank .
Mr. KELLEHER . Well, to date that has not been enforced because
the problem has not existed before and the mechanism wasn't in
place. I think that mechanism is being formed now and will be ap
plied. Not so that it can entirely cover the area, though. There still
will be sophisticated scams similar to those Mr. Ortega's associate
was discussing this morning that are pretty fancy that go beyond
your normal defenses.
But I think what we are seeing as a part of industry response
now is much more emphasis being put on the merchants accepting
of the draft or of the card as being legitimate. Now , as to what
degree we can do that without killing the system is a matter of
business judgment. I think that is currently being assessed .
Mr. SAWYER. Thank you. I yield back, Mr. Chairman .
Mr. NEUMANN. I would like to point out that we often find that
professional counterfeiters that are in the business of selling coun
terfeit cards that often sell the cards along with false identifica
tion, such as a driver's license or passport. Although we have un
covered fraudulent merchants, the vast majorityof merchants are
honest. We would really have a very chilling effect on the whole
 138

credit card industry if honest merchants were held responsible for

truly counterfeit cards with false identification .
Mr. HUGHES. Mr. Farnon , your comments on computer crime
have me somewhat puzzled . In one part of your statement you indi
cate while banks, and I quote, “ have not yet experienced signifi
cant fraud losses with respect to electronic funds transfer activi
ties, we can expect that this area of criminal activity will grow
over the years as electronic funds transactions become more
common .”
You go on to say, “This criminal activity will obviously be of a
very sophisticated nature often beyond the resources of many law
enforcement agencies. The obvious interstate nature of electronic
funds transfer requires some Federal response to this kind of activ
ity. H.R. 3181 and 3570 would lay a sound foundation for Federal
prosecution of this activity.”
In another part of your statement you state, “ However, computer
fraud law is not needed and is too broad .” Then you go on to rec
ommend “ to give further study in a broader senserather than as it
relates just to credit card and debit fraud.”
I am sort of puzzled.
Mr. FARNON. Mr. Chairman, I think what I am trying to say in
there is that we recognize, although we have not experienced a
great deal of computer crime, we recognize that this will be an
area that is going to have to be addressed and we appreciate this
subcommittee's approach to that. But we do feel that we just don't
have enough information. Computer crime is not going to only
affect thebanking industry. It is going to affect many different in
dustries . We don't feel that we are the experts on computer crime
yet. That we have all the answers. And we would not like to see a
bill enacted which may have the effect of deterring legitimate
transfer of business.
Mr. HUGHES. We could and will bring other witnesses to testify.
This is just the first in a series of hearings. Our question is wheth
er we shouldn't be dealing with the entire problem . I don't know
how long plastic cards are going to be around. It might be 3 years
from now they will be obsolete and we will be into a new form of
transfers.
The question is shouldn't we be talking in terms of the types of
frauds that we can at least contemplate, talk in terms of the diver
sion of information , diversion of electronic transfers, interception
of transfers of property of all kinds, as well as devices. Whether
these transactions are via computers or other attempts to benefit
illegally from those transactions. We should anticipate as best we
can now.
We can talk in general terms without even talking specifically
about computers. Whatever the device is to attempt to enrich one's
self by transactions, electronic or mechanical in nature. Why
shouldn't we be doing that and try to anticipate as best we can ?
Obviously we are going to fall short but why shouldn't we make an
effort to do that instead of trying to play catch -up a few years from
now, having Federal statutes once again that really aren't totally
relevant and having the state of the art move ahead of us again
with another hiatus?
 139

Mr. ALEXANDER. Mr. Chairman , if I may, your points are not

easy to rebut nor do I particularly care to do that, because I com
mend your interest in computer crime. It needs to be addressed.
The concerns I would address, probably selfish, is that the problem
today is in what I will call the manual environment, the nonma
chine readable environment. The $20 million of fraud, counterfeit
and audit fraud last year. Close to $40 million we will see for the
year for VISA and MasterCard are just ending. It is in the manual,
nonmachine readable. It is not EFT fraud today.
That certainly doesn't say we should put our head in the sand
and not consider EFT fraud. We need to consider it. ABA is going
to move ahead with a task force similar to the one we have just
utilized, and address it before it becomes a problem. My problem
would be that we need legislation to combat the problem we have
today, and-
Mr. HUGHES. But tomorrow's problems are going to be on us real
fast, and I suspect that part of your concern is that in some way
credit card legislation will be held up because we have interjected
other issues in it. I can say to you that that is not going to be the
case, because frankly the credit card fraud bill will move as fast as
we are able to look at the entire picture. Computer and other types
of frauds, whether you are talking in terms of electronic transfers
or other would not-be excess baggage and would not hold it back .
I suspect your concern is you want the bill focused on your im
mediate problem today although the result may be that it won't
deal with the problems of tomorrow and we may be playing catch
up ain. So why not anticipate where we are going and frame the
issues in such a way that we catch not just the scams that we see
today but the scams that at least we can anticipate tomorrow?
Mr. NELLIS . Mr. Chairman, may I briefly suggest that H.R. 1092
is an attempt to tackle the overall problem of computer fraud
which if you narrow it down would include credit card fraud with
out any specific language in the bill to so include . But we are faced
with this problem . It is a jurisdictional problem in the Committee
on the Judiciary. Congressman Edwards asserts jurisdiction over
1092. This committee really ought to have jurisdiction over it.
Mr. HUGHES. I think we do have jurisdiction. I think there is con
current jurisdiction. I don't think it is either/or.
Mr. NELLIS. Then what we ought to do probably is get both sub
committees together
Mr. HUGHES. This committee has jurisdiction to enact statutes
dealing with fraud basically. That is what we are talking about,
whether it is committed by computers, whether it is committed by
devices people manufacture, whether it is committed by electronic
eavesdropping devices that intercept wire transfers such as pick up
nurnbers and then trigger their own transfers. Whatever the device
or instrumentality used would fall within this subcommittee's juris
diction .
Mr. Nellis. Thatwas my understanding.. But with Mr. Edward's
subcommittee involved, you can see how there is confusion in
trying to respond to your question . I do agree that credit card fraud
which we have just thought about as far as DPMA is concerned in
ancillary terms since we are not involved is but a part of the over
 140

all problem of the penetration of computers. That ought to be ad

dressed.
Now , whether it is addressed through H.R.1092 or some other bill is,
of course, for you gentlemen to decide. But we are very anxious
that that issue be addressed because Congress is lagging further
and further behind the technology every day.
Mr. HUGHES. I appreciate that. And there is overlap as you well
know . There is overlap between this subcommittee and criminal
justice, overlap between this subcommittee and courts.
Mr. NELLIS. I remember too well.
Mr. HUGHES. The state of the art has just fused it all. There is no
problem with jurisdiction between Don Edwards and this subcom
mittee because we are working together. Indeed I had hoped that
Don could join us today, because this is just one aspect of the over
all problem
Mr. NELLIS. Correct.
Mr. HUGHES [ continuing ]. That Don is concerned about. Let me
just, if I might, recognize Hamilton Fish at this point.
Mr. Fish .Thank you, Mr. Chairman .
Mr. Neumann,you are vice president for security, VISA Interna
tional; is that right ?
Mr. NEUMANN. Yes, sir.
Mr. Fish. In the course of your testimony and in expressing your
approval of H.R. 3181, you ticked off several areas without too much
elaboration . Onedealt with the possession offense, which is includ
ed in H.R. 3181. I would like to ask you why you think a possession
offense is necessary .
Mr. NEUMANN . There have been several instances that we have
come across where it was actually a very complicated counterfeit
type organization, where possession alone was the basis for a law
enforcement action . So, if we are looking at vouchers that are
being counterfeited for the purpose of fee splitting with the collu
sive merchant, as was described this morning by the two witnesses
from Florida, it would be covered under the possession provision of
your bill. That is why we favor it.
Mr. FISH. Thank you. Further , you spoke approvingly of the defi
nition of financial institution in H.R. 3181 .
Mr. NEUMANN. Ithink that would clearly delineate the jurisdic
tion of the Federal Government in the banking system which is
covered under the insurance laws. It would strengthen the United
States Attorney's hand in prosecuting these cases.
Mr. Fish. Finally, Mr. Neumann, H.R. 3181 defines " device
making equipment” to include equipment used or that can be used
to create a counterfeit card. H.R. 3570 requires equipment be pri
marily used or specifically designed for counterfeit use. Which ver
sion would you prefer, andwhy ?
Mr. NEUMANN .I prefer H.R. 3181 simply because it is more encom
passing. We wouldn't have these cases slipping through the cracks
simply because it wasn't covered in the statutory language which is
the case now .
Mr. Fish. This goes to either Mr. Kelleher, vice president of secu
rity of MasterCard International, or Mr. Farnon . Is there anything
you gentlemen would like to add to the difficulties the industry is
experiencing in dealing with the fraud problem ? Would improving
 141

your own billing bureaucracy or watching credit extension or im

proving your antifraud protection be steps to be taken in addition
to thislegislation ?
Mr. KELLEHER. I think, Mr. Fish, that there is an educational
problem within our associations in that we are made up, as you
know, of individual issuers and merchant banks, and some of these
are not under any immediate attack. Much of thefraud situation is
localized , not with any fence around it, not that it can't move. We
are concerned about this. We are considerably concerned that it is
moving interstate. There are regions in the United States whereit
proliferates. We feel we have to have an educational program . We
are calling to the attention of all of our members fraud preventa
tive measures that must be put in place regardless of whether they
have a high incidence of fraud in their areas or not.
And I think part of the problems that have been recognized by
this committee and part of the attendant publicity that has been
given to the high fraud areas that we have been picking on, south
east Florida and adjacent areas, and the Los Angeles area, we are
letting these people know that this situation can fall on them , too.
And Ithink the work that has been done by the American Bankers
Association Task Force on Fraud is a great beginning in what has
to be a continuing effort to make ourmembers realize, make the
banking community realize that they must protect themselves.
A great deal of this has to come from a reduction of exposure.
Mr. Fish. Thank you very much.
Thank you , Mr. Chairman.
Mr. HUGHES. I suspect another problem is trying to educate card
holders not to give their own numbers out over the telephone, for
instance .
Mr. KELLEHER. Yes, sir, and education programs including the is
suance of personal identification numbers, for example, or PIN
numbers. When these cards are used here unfortunately some of
the cardholders have taken to writing the PIN numbers on the
credit card. So this type of education isnecessary to teach them not
only to look at their statements and notify us rapidly of any dis
crepancy so that they don't wind up just going ahead and paying
for something that was slipped onto their account without their
knowledge.
Mr. HUGHES. Your industry obviously is endeavoring to look
ahead. You have your own R&D. Can you give us someidea how
long you think credit cards as such will be relevant as a form of
payment transactions ?
Mr. KELLEHER. As far as credit card relevance goes, the addition
al services and increasing use of credit cards by the public indi
cates that they prefer this to the risk of carrying cash and other
forms of currency. They like the convenience. Anyone of us, of
course, in your own experiences traveling on business, you realize
that they are almost irreplaceable now because they have been ac
cepted as a safe means of conducting your business without expos
ing yourself to violence by someone who might take on somebody
with a rather large walletor who appeared to be affluent.
In my own experience in technology, for example, in the FBI lab
oratory, saw many promising things coming up that might ulti
mately replace the current tools of the trade,you might say. But I

38-178 0 - 85 - 10
 142

feel that they are not going to immediately replace some type of
identification, whether it be a modification to a card, a change in
the card in that it might have a smart chip in it or might beable
to do more to identify the cardholder. But as far as being some
type of identification mechanism , especially when you go to ma
chine to machine interface, you have to have something
Mr. HUGHES. So you think even when we move more rapidly into
electronic fund transfers that there will be some type of device or
form of identification a person can carry with them to trigger that
transfer ?
Mr. KELLEHER. Yes, sir. What we are looking at are the changes
that we are making now , for example , the ones MasterCard has
made and VISA will be making to their cards are things we are
doing for the near term. As Mr. Alexander pointed out, the non
machine readable mode. But as we get into machine readable situa
tions where you are getting large sums of money being transferred
into cash management accounts and so forth, at that point more
identification is going to be requested. It is going to require that
both the card be verified and that there be something to back into
it that says that the person holding the card is the true account
holder.
Now, the technology now is on the drawing board for that type of
thing. Many promising technologies are being investigated. We are
holding meetings almost daily on systems for verification of biosys
tems and so forth for verification of individuals. But in fact, be
tween the drawing board stage and actually getting it out into
common usage, there is a considerable lead -time. And I feel that
the card or some facsimile of it, something similar to it, is going to
be with us for quite a while .
Mr. HUGHES. You are talking in terms of 10, 15 years?
Mr. KELLEHER. Ten to 15 years at least. Then at that point we
are talking about things that we don't know about yet. Things we
haven't begun to consider yet for identification.
Mr. NEUMANN. I would like to elaborate to point out that the
general trend today in the industry is toward the debit card. This
means that we are looking for on-line settlements of accounts.
Therefore, it is not the card itself that is as important as it is
access into the system where you can have your settlement within
a matter of hours.
I think this is where the banking industry is going.
Mr. HUGHES. I was honestly surprised at the ease with which
somebody like the convicted felon who testified today was able to
run his scam and bilk credit card companies of $ 250,000, I think he
said, in what? Seven days? Eight days? And that it was easy for a
merchant to institute that type of a scam . It sounds as if there
were very few checks.
Mr. NEUMANN. Both MasterCard and VISA are now implement
ing a standard for a merchant to sign into the system where it will
be mandated that each member before he signs a merchant is
going go have to check central file index wherewe will have listed
not only merchants but the principals involved, the individuals
that have been involved in scams in order to prevent this very
thing you mentioned.
 143

Mr. HUGHES. It sounded like nobody even checked to see whether

or not he was a legitimate businessman.
Mr. NEUMANN. I think he indicated that he bought out a legiti
mate business and this is how-
Mr. HUGHES. The second scam , not the first one. The first, appar
ently, he just opened up the doors.
Mr. NEUMANN. It varies from member to member. Some are very
careful. They will go out and examine the premises, interview the
person who has applied for membership. Unfortunately there are
some that are very careless in signing-
Mr. HUGHES. Getting back to Hal Sawyer's line of questioning,
what is the incentive of a bank to really make that kind of a check
if they are not going to be back charged ?
Mr. NEUMANN. That is a very good question. They are “ charged
back ” in many instances. I think one of the dangers we see is that
a bank will occasionally if they are making money on a merchant
because of a high discount, not look as carefully as they should.
This is why the systems are going to mandate that members not
sign a merchant until they have met certain requirements.
Mr. HUGHES. Are those procedures being implemented right
now ?
Mr. NEUMANN. They are being implemented right now.
Mr. KELLEHER. Mr. Chairman , I think just recent experience, our
board of directors took rapid action when they realized that there
were not immediate financial pay backs or charge backs to banks
that were not taking the - or to issuing members that were not
taking the proper steps and looking over their merchants and
qualifying them . We have recently instituted a series of require
ments, not only for the on -site visitation of merchants, but in pre
screening deposits and doing a number of other things. Unless
proper action is taken , all ofthe fraudulent transactions that take
place at that particular merchant, the bank that signed them is
liable for. So you are starting—the incentive is there now to take
these people under control.
But it takes a while to turn this ship. Basically we won't know
how effective they are until we havehad a little history.
Mr. NEUMANN. Another thing VISA has just enacted is a proce
dure whereby we will go back to a signing member that signs the
merchant and assess that bank 10 percent of every counterfeit
transaction that went through its merchants. Again like Tom Kel
leher mentioned, this is going to force the signing bank to take
more responsibility in handling those merchants.
Mr. SAWYER . Will the gentleman yield ?
Mr. HUGHES. The gentleman from Michigan?
Mr. SAWYER. I would just make a guess, too, that in addition to
the amount of loss imposed on financial institutions that a lot of
people don'tvery carefully check their billings and end up paying a
lot of false charges, do you think?
Mr. KELLEHER. That is correct, sir.
Mr. NEUMANN . That is very true.
Mr. KELLEHER. We in our advertising and whenever we have the
opportunity to educate the public through media will advise them
that they should check their statement as soon as they get it, be
cause if they act like I did before I became very conscious of it, I
 144

would wait until about 5 days before I had to pay it and then open
it up and the first thing I would look at is my balance, and the
second thing I would look at is my monthly payment. Then after
that I would give a cursory glance down the line to see where I
spent my money.
But I find nowthat that one line billing which is something that
for both cost and convenience has to be done has to be looked at
very carefully. We are seeing more scrutiny on the part of card
holders in that regard.
Mr. SAWYER. I can tell you there is going to be considerably more
on my part in listening to the testimony here today .
Mr. NEUMANN. I thinka common thing individuals assume when
they are going over a bill and don't recognize certain purchases, is
that the spouse made the purchase, and drop it.
Mr. HUGHES. I can assure you that doesn't happen in the Hughes
household. The chancellor of the exchequer is pretty good. When
she is not sure , she calls. In any event, Ithink the panel has made
significant contributions today. I still am of the mind that we
should look at the entire picture, not just one facet. I think it
would be a mistake not to try to approach it from a multifaceted
point of view . I believe you should look at all the devices that are
used, whether computers or whatever they are, or machines such
as we saw here today that emboss. Whether or not you are talking
about the interception of electronic transfers through devices, in
strumentalities or whether you zero in on the information which
also is of measurable value which is translated into dollars, I feel
you have to approach it from a number of different standpoints to
make sure that you reach not just what is the problem today, but
what may be the problem tomorrow .
If we don't do that, we would be back here next year tryng to
play catchup ball again . I think that we can be broad enough that
we catch whatever the new generation is, whatever they call them
computers or widgets. Whatever device is developed to effect these
transfers and transactions, I think can be captured in general
enough terms to ensure that some court 5 years from now can
apply the same law to some character that thinks he is smarter
than eveybody else and is going to try to bilk you or somebody else
out of money .
Mr. NEUMANN. I discussed this particular point with Don Parker
who was mentioned earlier today. He is with Stanford Research
and he is a computer expert, as it applies to the application of your
bill . I understand he was invited here today and it is unfortunate
he wasn't here. I got the impression from speaking to him and
some other authorities in the field that we are having such a diffi
cult time even defining what computer fraud is that legislation
along these lines really just needs a little more work before it could
beeffectively applied tothe technology.
Mr. HUGHES. Well, I agree and appreciate your contributions.
Just one more observation , and that is that the basic problem is
still one of lack of resources. Federal prosecutors today are not
prosecuting cases where it does fit within our statutes simply be
cause we don't have the resources . Just because we make statutes
relevant doesn't ensure that we are going to get where you want us
to go unless we provide the resources tothese Federal law enforce
 145

ment agencies. Otherwise you just become another competing

aspect of the criminal justice system , and you may still be left out
in the cold if we don't have resources and some U.S. Attorney de
cides that computer fraud or credit card fraud is not a priority or
that the State can handle the matter.
Mr. HOADLEY. Mr. Chairman, I would like to compliment you on
your comments just prior to the ones about resources, because I
agree with you completely on those comments. And I would like to
make one additional comment related to those. While my associa
tion is very much interested in getting Federal legislation for com
puter crime, we have today talked about the future. We have
talked about credit card relevance in the future. We have talked
about the state of the art in the 1990's. And I would like to reem
phasize a comment made earlier this morning, that perhaps what
we really needed to deal with was the unauthorized or fraudulent
use of information .
I think that is a valid point. The credit card problem today deals
quite a bit with unauthorized use of information . And I think that
fact should not be forgotten .
Mr. KELLEHER. Mr. Chairman , might I add, though, I feel your
efforts now and those of this committee, will immediately impact
on the criminal element now in action in the bankcard community,
because first off, one of their main areas of cover was that it was
not a Federal crime and the violation is not written down any
where. So even though the law enforcement assets may be scarce
as far as the fact that it is a Federal crime and the potential exists
for prosecution , it will have a substantial impact on them. So any
thing along these lines, particularly the well-drafted H.R. 3181 and
H.R. 3570 that we have before us now I think will do us a lot of
good the minute they get on the books.
Mr. HUGHES. Well, thank you very much . I would invite all of
you, even though you have submitted comprehensive statements, to
give us any other suggestions or observations in this area after you
have reflected upon this hearing. We will keep the record open,
and if you have some other recommendations or suggestions. We
are trying to deal with a myriad of problems with this legislation
and we are trying to be as comprehensive enough to embrace not
just the problems today but the problems as we can contemplate
them which will occur tomorrow.
We are never going to be able to contemplate them all, obviously.
It seems to me we should make an effort , however, and hope that
we can even do a reasonably good job.
Thank you very much. Again I apologize for the delay. We have
gone way over the scheduled time that we projected today, but
your testimony has been most helpful and we appreciate it. Thank
you .
The subcommittee stands adjourned.
[Whereupon , at 4 p.m. , the subcommittee was adjourned, to re
convene subject to the call of the Chair.]
COUNTERFEIT ACCESS DEVICE AND COMPUTER
FRAUD AND ABUSE ACT

THURSDAY, NOVEMBER 10, 1983

HOUSE OF REPRESENTATIVES,
SUBCOMMITTEE ON CRIME,
COMMITTEE ON THE JUDICIARY,
Washington, DC .
The subcommittee convened at 10:30 a.m. , in room 2237 of the
Rayburn House Office Building, Hon. William J. Hughes (chairman
of the subcommittee) presiding.
Present: Representatives Hughes, Feighan, Sawyer, Sensenbren
ner, and Shaw .
Also present: Hayden W. Gregory, chief counsel; Edward O'Con
nell and Eric Sterling, assistant counsel; Charlene Vanlier, associ
ate counsel; and Theresa Bourgeois, professional staff.
Mr. HUGHES. The Subcommittee on Crime will come to order.
The Chair has received a request to cover this hearing in whole
or in part by television broadcast, radio broadcast, still photogra
phy, or by other similar methods. In accordance with Committee
Rule 5 - A , permission will be granted, unless there is objection .
Is there objection ?
[No response .]
Mr. HUGHES. Hearing none, permissionwill be granted.
The Subcommittee on Crime meets today to continue its inquir
ies into the problems of credit card and computer fraud and their
proposed solutions as outlined in H.R. 3570, the Counterfeit Access
Device and Computer Fraud Act of 1983, and H.R. 3181, the Credit
Card Counterfeiting and Fraud Act of 1983.
On September 29 of this year, we heard from various private and
public witnesses about the vast increase in criminal fraud losses,
particularly in the credit card counterfeiting area and the relative
ease, for example, by which one person could defraud a credit card
company of a quarter of a million dollars in some 8 days. We also
heard of some of the steps which the banking and credit card in
dustry are taking to prevent this new sophisticated approach in the
illegal use of account numbers, access codes and other technologi
cal innovations in criminal fraud.
There was also testimony that these problems are tied to similar
problems with electronic fund transfers and the general area of
computer crime. In regard to computer crime, it has been reported
that there were an estimated 5,000 desk -top computers in 1978,
over 5 million today and 80 million projected in use by 1990.
This has broad ramifications for future misuse by the criminal
element.
( 147 )
 148

It seems clear, therefore, that we must not only bring our laws
up to date to protect our institutions now , but alsogive serious con
sideration to deterring the criminal element from using this rapid
ly changing technology in the future.
As we move into this cashless society, we cannot ignore the fact
that the incidence of counterfeit access devices and computer
crimes will continue to rise and the losses to financial and all other
institutions will continue to grow with a resultant loss to consum
ers. These high tech criminals are one step ahead of the legal
system and it's time that the legal system caught up.
We have a most distinguished list of witnesses, but before we call
our first panel, the Chair recognizes the gentleman from Michigan .
Mr. SAWYER. Thank you , Mr. Chairman. Well, I join in welcom
ing the witnesses here today. This credit card fraud is of tremen
dous scope, and growing. It's about time we came to grips with it.
It's sort of high tech merging into criminality, if you will, and it's
not just a little individual doing some shopping with a stolen or fal
sified or counterfeit credit card. As the chairman mentioned, we
had an instance where one individual bilked about $250,000 in the
course of not more than a week and then moved on to set up shop
somewhere else and could have continued for some considerable
period of time.
I'm sure that is not an isolated, single instance. So I hope the
witnesses can contribute to our fine-tuning legislation and perfect
ing the language we want, promulgating it, and I commend the
chairman for pursuing this matter.
I yield back .
Mr. HUGHES. I thank the gentleman . I wonder if our first panel
will come up. Our first panelis made up of administration officials.
We have with us today Richard Shriver, who is the Assistant Sec
retary of the Treasury for Electronic Systems and Information
Technology. He was appointed to this position effective October 12,
1983. In this capacity , he reviews all the Department's information
systems and provides oversight over their modernization . Mr.
Shriver was previously chairman of the board and president of R.
Shriver Associates, a diversified firm in various fields of informa
tion technology. Mr. Shriver, like many other members of the
panel, has had a most distinguished career, both in the private
sector, as well as in government.
Mr. HUGHES. Our next panel member is John C.Keeney, Deputy
Assistant Attorney General in the Criminal Division of the Depart
ment of Justice, a position that he has held since 1973. Mr. Keeney
is a graduate of the University of Scranton. He joined the Depart
ment of Justice in 1951 and has held various supervisory positions
since that time.
I might say also that he has graduate degrees from Dickinson
School of Law and George Washington University Law School.
Our third panel member is Mr. William J. Maisch , who is gener
al manager of criminal investigations of the U.S. Postal Service.
Mr. Maisch has been in the postal inspection service for some 17
years, where he has conducted various investigations and audits,
the majority of which have been in the criminal area . He served
some 10 years as a field inspector in the Postal Service and has
 149

held numerous assignments as program manager of criminal inves

tigations in variousdistricts throughout the country.
Next on our panel is Mr. FloydClarke who is Deputy Assistant
Director of the Federal Bureau of Investigation, of the Department
of Justice. Mr. Clarke has, likewise, served in various capacities
and field offices of the FBI until his transfer to headquarters,
where he served in a supervisory capacity in the Administrative,
Identification , and Inspection divisions.
Our final panel member is Joseph R. Carlon , who is currently
the Acting Assistant Director of the Office of Investigations with
the U.S. Secret Service. During the 15 years Mr. Carlon has served
with the Secret Service he has performed in a variety of assign
ments such as, supervised the counterfeit squads in Los Angeles,
Boston, and New York City, and has served as special agent in
charge of the headquarters counterfeit division. Prior to his cur
rent assignment, he was Deputy Assistant Director of Investiga
tions ,
Gentlemen, we welcome you here this morning and we thank
you for your participation. We have your very excellent statements
which, without objection, will be made a part of the record in full
and you may proceed as you see fit.
We hope, however, that where you can summarize, we hope you
will. We have read your statements and you can assume that we do
have your statements, so that we can get to pertinent questions.
We would appreciate your making some effort to summarize for us.
Let's start with you, Mr. Shriver. Welcome.
TESTIMONY OF RICHARD SHRIVER, ASSISTANT SECRETARY OF
THE TREASURY FOR ELECTRONIC SYSTEMS AND INFORMA
TION TECHNOLOGY
Mr. SHRIVER. Thank you , Mr. Chairman. Treasury is delighted to
be represented here by Mr. Carlon and myself. I would hasten to
say that I am the only nonlaw enforcement member of this panel
and represent the systems or technology side of Treasury , which
has a great interest in the movement of money electronically and
by other means.
The subject, of course, is credit card, debit card crime and com
puter crime. And related to these of course, electronic funds trans
fer. Computers are involved when a credit card is authorized and,
of course, with debit cards there is a connection via telecommunica
tions directly to the computer that retains the account on that par
ticular customer.
EFT, the electronic side, represents a growing target for crime
and that's really the topic that I would like to stress here today,
since you will likely hear a great deal from other witnesses about
the specifics of credit card abuse.
EFT shows greatly increasing vulnerability due to much greater
dollar volumes and advances in technology, and it's really very dif
ficult to predict what the state of affairs will be, even in the next
term . However, key changes worth watching are the rapidly in
creasing use of EFT point-of-sale activities and debit cards, cash
cards, and ATM's, which, of course, lack the personal contact of
previous banking activities.
 150
Electronic funds transfer has already been a serious target for
criminal activity. What distinguishes it from other targets ofcrimi
nals is the speed with which a crime can be committed and there
fore, the difficulty of detecting it and following up on it. Also, the
dollar amounts per pure EFT crime may vastlyexceed those crimes
that deal specifically with debit and credit cards. Although much
EFT is probably not reported for a variety of reasons, I believe it to
be a very serious and growing crime problem .
Communications networks that provide access to computerized
accounts are, of course, a source of vulnerability. Terminals them
selves, and the data bases they are connected to have value to
criminal elements. Access to these data bases is, of course, the area
that is of great concern to us.
Industry and government have a great deal to gain by sharing
their experiences and keeping one another posted on a regular
basis as to what is happeningin this area, from the standpoint of
being able to measure current criminal activity and to devolve ade
quate counter -measures.
As you are aware, it's a rapidly changing field . Patterns of crimi
nal activity seem to be adapting as quickly as the technoloy
evolves. Industry is very interested in new legislation to deal with
this problem and, as you will certainly determine in your second
panel , has many suggestions to offer. There's so much to be done to
protect our systems that much can be gained through such indus
try / government cooperation.
At Treasury, we have had several industry / government discus
sions on an informal basis to share informationabout what is hap
pening in this very important area.
I certainly commend you and your committee on your interest in
trying to improve the tools available to law enforcement in dealing
with the evolutionary crime patterns we are beginning to see.
Thank you.
Mr. HUGHES. Thank you very much, Mr. Shriver. Mr. Keeney,
welcome.
[Statement of Richard H. Shriver follows:]
OPENING STATEMENT SUMMARY OF RICHARD H. SHRIVER, ASSISTANT SECRETARY OF
THE TREASURY, ELECTRONIC SYSTEMS AND INFORMATION TECHNOLOGY
PROBLEMS

Credit cardfraud, especially counterfeiting, is rising .

However, the longer-tern threat could shift toward financial crimes committed
through electronic means.
TRENDS

Use of EFT is increasing as costs decrease, while check processing costs continue
to rise.
By 1990, computers will be in 33% of American homes; homes banking and tele
shopping will be a reality.
Use of AMT's and POS terminals will continue to grow.
By 1990, businesses will use computers to transact almost all financial business.
Financial crime patterns will likely shift from passing bad checks and fradulent
use of credit / debit cards to committing financial crimes through electronic means.
 151

THREATS

Unless system security begins to get much more attention, vulnerability will in
crease in the future for 5 outof 9 categories of threats to financial systems.
WHAT CAN BE DONE
Better law enforcement tools would help .
More need to be brought to trial and stiffer sentencing is needed .
More sophisticated security measures are needed in the financial industry.
Consumers will need to be tolerant of minor inconveniences caused by additional
security measures.

Mr. Chairman and members of the subcommittee, I am pleased to be with you

today to discuss threats to this country's financial systems stemming from credit
card and computer fraud. Industry witnesses called by this subcommittee will no
doubt describe the large and growing losses resulting from counterfeited cards and
improper use of lost or stolen cards. The thrust of my testimony will be on the rapid
development of computer and communications technologies in the financial market
place and how these could lead to even more sophisticated and costly threats to fi
nancial sytems. At the completion of this prepared testimony, I will be pleased to
answer any questions that you or the members may have.
CURRENT PROBLEMS
Some recent figures I have seen indicate that over $70 billion in sales is now gen
erated each year through use of bank cards. While the number of new card is
suances seems to be leveling out, banking industry losses from illegal use of cards
and credit care account information continues to show a staggering increase. For
example, new accounts at one of the largest bank card associations grew by only 3%
in 1982, while losses due to counterfeiting grew by 1,460% . The American Bankers
Association puts the total annual loss for counterfeiting at $40M, plus another
$ 200M for illegal sue of stolen cards. In addition, losses from cards intercepted in
the mail or from lost cards represented almost 50% of the total annual loss incurred
by one of the major card systems in 1982. However, as serious as these current loss
figures are, I am concerned that a greater long-term threat may be improper and
illegal financial transactions effected by electronic means.
UNDERLYING TRENDS
Most people are unaware of the significant volume of electronic funds transfers
that are now taking place . A large commercial bank may transfer $30-60 billion
each day, while the Federal Reserve transfers electronically an amount equivalent
to the entire national debt every four days. At Treasury, approximately a quarter of
our 800 million financial transactions per year are now completed electronically .
Treasury's goal is to develop, as quickly as possible, electronic mechanisms to ulti
mately handle 80% of our payment volume. Our experience parallels that of the pri
vate sector - payment by check is becoming a very expensive way to move money,
especially when compared to much less costly electronic means. At Treasury , we es
timate that it costs upwards of $0.50 to process a check, while we can complete an
electronic funds transfer for about $0.20.
Societal movement toward acceptance of completing financial transactions by
electronic means can be anticipated from looking at some interesting projections. By
1985, it is estimated that 10% of the 88 million American households will have
home computers. By 1990, this percentage is expected to rise to 33 % (32 million out
of 96 million households). The number of electronic financial transactions completed
through home terminals is expected to grow from 900 million in 1985 to over 3 bil
lion in 1990, while financial institutionsoffering in-home banking services will grow
from : ,000 to 6,000. In addition to banking, home computers combined with cable
TV hook-ups will be used to support an entirely new approach to shopping at home,
the video equivalent of mail order catalog shopping.
Automated teller machines, which are now used primarily to dispense cash, can
also accept deposits, effect transfers between accounts and complete queries about
account balances. At the end of 1981 , it was estimated that there were 25,000 ATM's
in operation, a figure that could easily reach 120,000 by 1990.
Some postulate that point-of-sale transactions may be tomorrow's replacement for
checks in completing retail sales. With movement toward electronic cash registers
and store-wide computer controlled register systems, the retail community is laying
the groundwork for direct telecommunications links between retail outlets and cus
 152

tomer accounts in banks. The present lack of a consolidated network is all that is
slowing development of the point-of-sale concept. At present, it is just too costly for
merchants to interface with a host of different banks and credit card companies.
This problem may vanish in the next two to three years.
With regard to businesses, 100 % of all firms with over $ 50M in annual revenues
are expected to use computers in making their financial transactions by 1990, up
from an estimated 90% in 1983. Medium -sized firms having between $ 1M and $50M
in annual revenues are expected to show an increase from 10% to 95% during the
same period . Even 60% of smaller businesses, those with annual revenues of less
than $ 1M , are expected to use computers for financial transactions by 1990.
Much debate has dealt with the question of whether or not we are moving toward
a cashless society. This debate tends to obscure the following points:
While the total number of cash transactions is high , the combined dollar value of
cash transactions is actually quite low .
Check use is expensive, and is becoming much more so.
A computer and telecommunications system infrastructure that will support less
expensive and much broader electronic financial transactions processing will soon
be widely available; and,
As a result, crime patterns could show a pronounced shift from bad checks and
credit transactions completed through use of lost, stolen or counterfeited pieces of
plastic toward fraudulent transactions committed through electronic means.
POTENTIAL FINANCIAL SYSTEM THREATS

Public awareness of computer and telecommunications system vulnerability has

been raised recently by well-publicized dial-up computer system break-ins. Å few
weeks ago I testified attwo congressional hearings on computer and telecommunica
tions systems security. Even this recent public and congressional interest, however,
could still be understating the possible extent of financial system vulnerability in
the future .
Work done by one research organization points toward increasing threats to fi
nancial computer systems if valid financial system security concerns are not ad
dressed. Mr. Donn B. Parker, of SRI International, has evaluated a wide range of
potential threats and developed the following matrix comparing nine threat sources:

Threat Past 1 Future 2

Amateur white-collar criminals................ High Low .

Deranged individuals .......... Low Medium .
Unethical business enterprises High High.
Career criminals ....... Low Low .
Organized criminal groups.... Low Medium
Extreme economic advocates....... Low Medium .
Extreme religious advocates. Low Medium .
Extreme political advocates. Medium High.
Foreign powers .... Low High.
1 All computer crime.
2 Massive electronic funds transfer losses.

While I might personally question Mr. Parker's evaluation of the future threat to
electronic funds transfer systems from organized crime as only being medium, I be
lieve we could safely summarize his analysis by saying that in the future, greater
reliance on electronic means for making financial transactions will bring more vul
nerability if we do not begin paying much more attention to security precautions
covering our financial system computers, the telecommunications networks that
link them together, and the employees who work with these systems.
WHAT CAN BE DONE

I do not intend to comment on specific legislation now pending before the Con
gress. The law enforcement officials who will be testifying before this subcommittee
are far better qualified to deal with the specifics of proposed legislation. Generally, I
favor any enforcement tool, whether statutory or otherwise, that makes it easier to
investigate and prosecute criminals who commit offenses through illegal use of com
puterized financial systems or illegal use of the means, such as credit cards, of get
ting financial transaction data into computerized financial systems.
 153

A rather disturbing observation, however, involves the sentencing of those con

victed of computer fraud. An average bank robbery nets around $ 20,000. If caught,
bank robbers are prosecuted around 90 % of the time and, if convicted , will on the
average be sentenced to 4-6 years in prison. The average crime involing electronic
funds transfer is somewhere around $500,000. If caught, such perpetrators are prose
cutied only 15-20 % of the time and, if convicted , can expect to spend only 4-6
months in prison . This problem is only partially due to limitations in our judicial
system , as financial institutions are oftenreluctant to press charges.
Of course, the credit card and banking industry cannot sit back in the face of such
current and potential future threats and expect the Federal Government to solve
the entire problem through legislation. Tighter security measures are needed and
are apparently now being stressed by the industry.
Experts have stated that over 80 % of current computer and electronic funds
transfer crimes could be prevented if comprehensive security measures in the fol
lowing categories are implemented: Organizational secuirty; access control; person
nel security; hardware secuirty; software security; data controls; and, terminal secu
rity.
Having worked around computer and telecommunications systems virtually my
entire working life, I feel that development of improved systems to verify and au
thorize computer andcredit card transactions would go a long way toward reducing
threats involving individual financial transactions. At the systems level, much
greater use of sophisticated system entry security mesures and data encryption may
be needed to keep intruders with criminal intent out offinancial computer and tele
communications systems. In short, to help ensure that future threatsare contained ,
we will need an investment by industry in hardened systems, a stronger investiga
tive and prosecutorial presence by law enforcement, and a willingness by consumers
to tolerate the minor inconveniences that more emphasis on financial system secur
tiy measures might bring.
This concludes my prepared statement. Mr. Chairman , I would be pleased to
answer any questions you or the members might have.
TESTIMONY OF JOHN C. KEENEY, DEPUTY ASSISTANT ATTORNEY
GENERAL , CRIMINAL DIVISION, U.S. DEPARTMENT OF JUSTICE
Mr. KEENEY. Mr. Chairman , I'm sure that there will be a lot of
questions from the panel, so I will be very brief. In my statement, I
do not discuss the computer crime problem or legislation in that
area because, frankly, the administration has not reached a posi
tion with respect to it.
What I do is focus on, and I'm sure the subcommittee will have
some questions in that area - are the four areas of concern. The one
area iscounterfeiting of credit and debit cards, and we feel that both
bills adequately address the counterfeitingproblem .
We also focus on the need to clarify 15U.S.C. 1644, so as to reach
the misuse of another person's card number in addition to the plas
tic card itself. We focus also on the gap in the present credit card
provisions in Truth -in -Lending Act which have been construed not
to reach transactions in which a credit card is originally obtained
without fraudulent intent from a card issuer, but subsequently
transferred to another person with the knowledge that it will be
fraudulently used .
And our last area of concern is the difficulties arising from the
current monetary jurisdictional limitation in the acts, which , as
presently written, allow a person to use unlawfully one card, accu
mulate just under 1,000 dollars' worth of purchases, discard it, and
use another card to do the same thing without committing a Feder
al violation .
Mr. Chairman , that's the summary and I'm prepared to answer
questions when the other gentlemen have spoken.
Mr. HUGHES. Thank youvery much, Mr. Keeney. Mr. Maisch .
 154

[Statement of John C. Keeney follows:]

STATEMENT OF JOHN C. KEENEY, DEPUTY ASSISTANT ATTORNEY GENERAL, CRIMINAL
DIVISION

Mr. Chairman and Members of the Subcommittee, I am pleased to be here today

to present the views of the Department of Justice on two bills, H.R. 3570, the " Coun
terfeit Access Device and Computer Fraud Act of 1983," and H.R. 3181, the " Credit
Card Counterfeiting and Fraud Act of 1983.” The Department supports in concept
the portions of the two bills that deal with various crimes involving credit and debit
cards although we will suggest various drafting changes along the way.
We can also understand the desire to provide a federal sanction against computer
fraud as is done in H.R. 3570, since, to a certain extent, computer fraud and credit
and debit card offenses are related . Nevertheless, at this juncture, we believe that it
would be preferable to sever the two issues and process legislation relating solely to
credit and debit card crimes. The reason is that, quite frankly, the Administration
has not reached a position on the desirability and scope of specific computer crime
legislation, although from what we have been able to determine preliminarily, fed
eral legislation may indeed be necessary. The Department of Justice and other de
partments and agencies are now actively studying this issue and we hope to have a
set of recommendations for the Congress in the relatively near future. That consid
eration of specific computer crime legislation may be premature at this time is un
derscored by the action taken by the House in its passage on October 24th of H.R.
3075, “ The Small Business Computer Crime Prevention Act.” As you probably
know, Mr. Chairman , that act does not create any new offenses but requires the
Small Business Administration to establish a task force to study several aspects of
computer crime .
Consequently, today I will confine my remarks to credit and debit card crimes, an
area which has received a good deal of attention in the Congress, and on which
there is a general consensus that new federal legislation is needed . I might also add,
Mr. Chairman , that we think the need for legislation in the card area is such that it
should not be delayed pending futher study.
Turning then to the question of credit and debit card offenses, I think it would be
useful first to describe for the Subcommittee the recent efforts of the Department in
attempting to deal with the problems of credit card and debit card counterfeiting
and fraud . For more than a year, officials of the Criminal Division and of the feder
al Bureau of Investigation have been meeting with bank and bank card industry
representatives concerning problems that have developed with the enforcement of
the criminal provisions of the Truth in Lending Act, 15 U.S.C. 1644, which covers
credit cards, and with the similar criminal provisions in the electronic Fund trans
fers (EFT ) Act, 15 U.S.C. 1693n, which covers debit cards. These contacts with the
industry have made us very much aware of the dramatic increase in the counterfeit
ing and the fraudulent use of credit cards. We are also familiar with the major in
crease in EFT activity through a preliminary study done by the department's
Bureau of Justice Statistics in June of 1982, and our conversations with industry
representatives. This increase creates the distinct possibility of a sharp upswing in
crimes involving EFT systems and their accompanying debit cards.
Our concern in this area, however, is not with the high volume, low dollar losses
of present or future credit or debit card transactions. The average credit or debit
card fraud loss is so small that the crime can generally be prosecuted on a local
level where personnel resources are much greater than those available to the feder
al government.
Rather, our concerns have focused primarily on four issues. They are: ( 1 ) the lack
of current statutory coverage over the burgeoning problem of counterfeiting credit
and debit cards; (2) the need to clarify 15 U.S.C. 1644 so as to reach the misuse of

1 To do our part in ensuring that these matters are , in fact, handled by state or local prosecu
tors, officials in the Department of Justice have worked closely with the state Attorneys Gener
al and local District Attorneys through our Executive Working Group of Federal, State and
local Prosecutors on a national level, and the Law Enforcement Coordinating Committees on a
state and local level. Our contact with our state and local counterparts have convinced us that
while some improvements in existing federal laws are needed, there is no need for the massive
federal involvement in areas of traditional local concern, such as minor fraud cases, that could
result if virtually every credit card crime were made a federal offense, the approach of some
early draft bills prepared by the banking and credit card industry.
 155

another person's card number, in addition to the plastic card itself; 2 (3) the gap in
the present credit card fraud provisions in the Truth in Lending Act which have
been construed not to reach transactions in which a credit card is originally ob
tained without fraudulent intent from a card issuer but subsequently transferred to
another person with the knowledge that it will be fraudulently used; 3 and (4) the
difficulties arising from the current monetary jurisdictional limitation in the Acts
which , as presently written, allow a person to use unlawfully one card, accumulate
just under $ 1,000 worth of purchases, discard it, and use another card to do the
same thing without committing a federal violation.
In our view , both H.R. 3181 and H.R. 3570 effectively cover the counterfeiting of
credit and debit cards, and also contain important provisions prohibiting the sale,
transfer, or possession of equipment used in making phony cards. Thus, both bills
take a substantial step in dealing with card counterfeiting, the most important of
fense in this area.
However, these bills only partially overcome the problems created by the Kasper
case concerning the meaning of the phrase " fraudulently obtained ” and the prob
lems created by the Callihan case concerning the existing statutes' lack of coverage
of card numbers. We note parenthetically that the two bills do not deal with the
" accumulation issue”, the gap in the present law whereby a person can purchase
just under $ 1,000 worth of goods with one stolen or lost card, then purchase just
under $ 1,000 worth of goods with a second such card, and continue this activity in
definitely without violating the statute. We do not mean this as criticism of the
scope of H.R. 3181 and 3570, for as you know the issue of the fraudulent use of a
card number and the accumulation issue are dealt with in H.R. 3622, a bill reported
by the Banking Committee on October 6th and presently awaiting floor action .
Inasmuch as H.R. 3622 does not, however, deal with the issue of the judicial con
struction of the phrase " fraudulently obtained " in the Kasper case, I would like to
explain briefly how the two bills pending here, H.R. 3181 and H.R. 3570, in our view
require some modification in order to effectively overcome the holding in that case .
Both bills add a new section 1029 to title 18. In H.R. 3181 , the section would pro
scribe the knowing production, sale , or transfer of a “ fraudulent payment device ,”
while in H.R. 3570, the section would prohibit such production, sale, or transfer of a
" fraudulent access device.” The two terms are defined virtually identically .4 Howev
er, the actual use of the credit card to obtain goods by the person who purchasesthe
card from , or is given it by, the original holder - one of the offenses charged in
Kasper - is not covered in either bill. Moreover, neither bill would directly cover a
person who obtained a card for no consideration 5 although it would cover a person
who bought the card from its original owner and the original cardholder who sold it
orgave it away knowing it would be used for fraudulent purposes.
These problems may be resolved by minor amendments to H.R. 3181 and H.R.
3570, and we would be pleased to work with the Subcommittee and its staff to ac
complish this goal. We also suggest that the Subcommittee may wish to review the
question of whether to address the issue of clarifying the coverage of the misuse of

2 The Ninth Circuit, in United States v. Callihan, 666 F.2d 422 ( 1982), held that only misuse of
a card, not the card number, is prohibited by the statute. By contrast, the Fourth Circuit has
held that the fraudulent use of a credit card number is covered by 15 U.S.C. 1644(a). See United
States v. Bice-Bey, 701 F.2d 1086, 1091-1092 ( 1983).
3 15 U.S.C. 1644(a) criminalizes the actions of one who “ knowingly in a transaction affecting
interstate or foreign commerce, uses or attempts or conspires to use any counterfeit, fictitious,
altered , forged, lost, stolen or fraudulently obtained credit card to obtain money, goods,services,
or anything else of value which within any one-year period has a value aggregating $ 1,000 or
more.” (Emphasis added) 15 U.S.C. 1693n (b )( 1 ) tracks this language for debit cards. In United
States v . Kasper, 483 F. Supp. 1208 (E.D. Pa., 1980), the court held that 15 U.S.C. 1644 (a) did not
cover the situation where credit cards were obtained by the original cardholders without the
intent to defraud the issuing companies, subsequently sold or given to the defendants with the
knowledge of the original cardholders that the defendants would use them to make charges
without paying forthem , and the cards then reported as lost or stolen.
4 In H.R. 3181, the term “ fraudulent payment device ” is defined as “ (A ) any payment device
or a representation, depiction, facsimile, aspect or component of a payment device that is coun
terfeit, fictitious, altered, forged , lost, stolen, incomplete, fraudulently obtained or obtained as
part of a scheme to defraud; or (B) any invoice, voucher, sales draft, or other reflection or mani
festation of such a device."
In H.R.3570, the term “fraudulent access device” is defined as “ any access device or a repre
sentation , depiction, facsimile, or component of an access device that is counterfeit, fictitious,
altered, forged, lost, stolen, incomeplete, fraudulently obtained or obtained as part of a scheme
to defraud .'
5 The person might be chargeable under 18 U.S.C. 2 as an aider and abettor of the transferror,
but this seems a peculiarly oblique method of punishing the conduct.
 156

card numbers, in view of the adequate resolution of this issue in the Banking Com
mittee bill .
A final suggestion, Mr. Chairman, is that while we believe it is both important
and appropriate to cover card counterfeiting in title 18, we would prefer that the
description of the device counterfeited or altered be set out by cross-reference to the
existing definitional sections of the Truth in Lending and EFT Acts (15 U.S.C.
1602(k) and 15 U.S.C. 1693n(c)). This approach avoids the problem of introducing
into the law multiple and confusing definitions of credit and debit devices in two
different titles of the United States Code.
In sum , Mr. Chairman , we support the thrust ofthese bills to the extentthat they
proscribe debit and credit card counterfeiting in title 18, but suggest that the objects
counterfeited be defined by reference to the definitional sections of the Truth in
Lending and EFT Acts. The three other problems in the enforcement of those Acts
which I have discussed can perhaps best be overcome by amendmentsto those Acts,
as is proposed with respect to two of the three issues in the pending Banking Com
mittee bill. If, however, the Subcommittee decides to attempt to deal in its legisla
tion with the problem caused by the Kasper case whereby a card is not considered
" fraudulently obtained ” unless it was so obtained by the original holder, we think
that an amendment is needed to cover the actual use of such a card to obtain goods
or services.
Mr. Chairman, that concludes my prepared testimony, and I would be pleased to
try to answer any questions the Subcommittee may have.

TESTIMONY OF WILHELM MAISCH , GENERAL MANAGER, CRIMI

NAL INVESTIGATION DIVISION , OFFICE OF CRIMINAL INVESTI
GATIONS, U.S. POSTAL INSPECTION SERVICE
Mr. Maisch. Mr. Chairman, I'm Bill Maisch.
Mr. HUGHES. Can you pull the microphone in front of you, Mr.
Maisch?
[Pause .]
Mr. Maisch. I'm Bill Maisch, General Manager, Investigations
Division, Office of Criminal Investigations, U.S. Postal Inspection
Service.
Thank you for the opportunity to appearbeforethis subcommit
tee to express our views on H.R. 3181 , the Credit Card Counterfeit
ing and Fraud Act of 1983, and H.R. 3570 , the Counterfeit Access
Device and Computer Fraud Act of 1983.
My formal written testimony has been submitted for the record ,
andas you've suggested, I'll present a brief summary ,
The growth of the credit card industry in the late 1960's led to a
corresponding growth in credit card fraud, along with an increase
in our investigative activity in this area. In addition to responding
to the industry's problems through an aggressive investigative
effort, we strongly urged and encouraged the creation and expan
sion of the security and investigative efforts within the industry.
During the 1960's and 1970's, many successful prosecutions were
obtained under the Mail Fraud statute. The highest volume of mail
fraud cases involving credit card offenses was in 1972, when we
conducted over 2,000 investigations. These cases were relatively
simple compared to the more complex ones we investigate today.
All this changed on January 8 , 1974 , when the U.S. Supreme
Court, in a 5 to 4 decision, affirmed a Sixth Circuit Court of Ap
peals decision in United States v. Maze. Following this decision, the
number of mail fraud credit card investigations decreased signifi
cantly.
The enactment of the Truth-in-Lending Act, with its credit card
fraud provisions, did help to some extent to fill the void created by
the Maze decision. However, the current surge of credit card fraud
 157

suggests that the present arsenal of prosecutive tools and preven

tive techniques need reinforcement.
I believe some special legislation, such as H.R. 3181 , would pro
vide additional help by clearly outlawing the latest credit card
schemes and imposing stringent penalties upon credit card swin
dlers.
The Postal Inspection Service will continue to work with the in
dustry in its effort to prevent and combat credit card fraud.
Necessarily, we must channel our investigative resources to the
most productive use, consistent with our law enforcement mission.
We will become involved in stolen credit card investigations where
the theft occurred from the mail . For us to become involved in an
investigation relating to the fraudulent use of credit cards acquired
through other means, such as false applications or cards lost by or
stolen from card holders, there must be a substantial number of
victims substantial monetary loss, and no adequate local remedy
available.
H.R. 3570, if enacted into law, would provide a means to pros
ecute individuals employing computers to commit crimes against
the government, financial institutions and the general public. It is
verylikely that the use of the mails would also be an integral part
of many fraudulent schemes involving the use of computers, and
the proposed legislation will enhanceour efforts to combat these
types of crimes.
Mr. Chairman, it's been my pleasure to tell you something about
our efforts to combat credit card fraud and how the proposed com
puter fraud legislation will benefit our Service. We believe that
specially tailored legislation of this character can help to deal more
effectively with these types of problems, and we support them.
I'll be happy to answer any questions at the conclusion of our
presentations.
Mr. HUGHES . Thank you, Mr. Maisch. Mr. Clarke, welcome.
[Statement of Wilhelm J. Maisch follows:]
STATEMENT OF WILHELM J. MAISCH
Mr. Chairman, I am Bill Maisch, general manager, Investigations Division, Office
of Criminal Investigations. Thank you for the opportunity to appear before this sub
committee to express our views on H.R. 3181 , the Credit Card Counterfeiting and
Fraud Act of 1983 and H.R. 3570, the Counterfeit Access Device and Computer
Fraud Act of 1983 .
I would like to begin by telling you briefly about the Postal Inspection Service.
The Postal Inspection Service is the investigative and audit arm of the United
States Postal Service. We have investigative jurisdiction and enforcement responsi
bility over all violations of Federal law relating to the integrity and security of the
mails and the safety of all postal property and personnel. Our law enforcement in
vestigations consist of two major categories: criminal attacks upon the mails, postal
facilities or postal employees and those violations which involve the misuse of the
postal system itself such as mail fraud and misrepresentations or the mailing of
bombs, pornography, narcotics or other nonmailablematter.
The magnitude of these responsibilities is in direct proportion to the size of the
Postal Service itself which last year handled over 100 billion pieces of mail, has
about 670,000 employees, over 39,000 postal facilities and cash income of about $ 23.3
billion .
With that introduction , let me move to the topic of credit card fraud .
The growth of the credit card industry in the late sixties led to a corresponding
growth in credit card fraud along with an increase in our investigative activity in
this area. In addition to responding to the industry's problems through an aggres

38-178 0 - 85
-
ll
 158

sive investigative effort, we strongly urged and encouraged the creation and expan
sion of the security and investigative efforts within the industry.
As has been the case for fraud activity affecting other industries, the mail fraud
statute (title 18, United States Code, section 1341), until approximately 10 years ago,
was the basis for most Federal investigative activity in the credit care field. The
mail fraud statute is violated by devising or intendingto devise a scheme to defraud
which involves the use of the mails in furtherance ofthe scheme.
During the 1960's and 1970's, many successful prosecutions under the mail fraud
statute were obtained on thebasis of twomisrepresentations: (1) that when the card
was presented, the individual represented himself as the rightful owner of the card
or that he was authorized to use it, and (2) that payment for the product, services,
etc., obtained with the card would be made in accordance with the terms specified
by the issuer of the card. The only use of the mails in many of these cases was the
mailing ofthe invoicesback to the issuer of the card.
In addition , we obtained convictions under the mail fraud statute where false in
formation was furnished on credit card applications. We also investigated and pros
ecuted many other cases where the credit card itself was stolen from the mails.
The highest volume of mail fraud cases involving credit card offenses was in 1972
when we conducted over 2,000 investigations. These were usually relatively simple
cases compared to the more complex ones we investigate today.
All this changed on January 8, 1974, when the United States Supreme Court, in a
five to four decision, affirmed a Sixth Circuit Court of Appeals decision in U.S. v.
Maze. In this landmark case , the Supreme Court held that mailings of credit card
invoices between merchants providing services and credit card issuing agencies are
not sufficiently related to a scheme to defraud to bring them within the purview of
the mail fraud statute . The court held that a scheme to defraud reaches fruition at
the time the credit card is used and that the subsequent mailings of the invoices are
not essential to or in furtherance of the scheme. Following this decision, the number
of mail fraud credit card investigations decreased significantly.
Section 1644 of the Truth in Lending Act makes itunlawful to utilize or transport
in interstate commerce lost, stolen , counterfeit, fictitious, altered or fraudulently ob
tained credit cards with intent to defraud. The Act required purchases totaling at
least $ 5,000 on a credit card in one Federal judicial district in one year to constitute
a violation. In 1974, Congress amended the statute so that it applies when $1,000 in
fraudulent purchases are made in a Federal judicial district in a one-year period.
The current surge of credit card fraud, however, suggests that the present arsenal
of prosecutive tools and preventive techniques need reinforcement. I believe some
special legislation such as H.R. 3181 would provide additional help by clearly out
lawing the latest credit card schemes and imposing stringent penalties upon credit
card swindlers.
I do not mean to suggest that such schemes can now operate with impunity. Many
do not. Let me give you examples of some of our more recent investigations where
existing laws have been used to deal with major credit card frauds.
In California , an international credit card fraud ring has defrauded several banks
out of at least five million dollars as a result of its activities. The gang, unfortunate
ly, has members inside the Postal Service as well as the banking industry who are
supplying credit cards to other members. The members have merchants who are
working in collusion with them submit fraudulent vouchers imprinted with stolen
credit card numbers to the banks. They run up charges to the credit limit and then
move the cards out of the country. Even though the cards have already been run to
their maximum financial limit, this does not prevent them from being used in for
eign countries where the verification procedures are less stringent. To date , ten in
dividuals have been indicted, and five of those indicted have been convicted. Three
others are fugitives in foreign countries.
A series of investigations which began in New York City about four years ago has
been of significant benefit to the credit card industry.
It all began with a family of seven individuals who operated a major credit card
scheme in the New York metropolitan area. The family distributed sales slips im
printed with account numbers and other data obtained from lost or stolen credit
cards to merchants who participated in the scheme. These merchants would then, in
turn, send the fraudulent vouchers to the banks.
The involvement of 104 merchants was detected through developing the fraudu
lent credit card usage history in connection with the cards seized at the family's
residence. With these identifications, further investigation disclosed 750 additional
stolen credit cards had passed through these stores.
Initially, three family members were arrested and released on bond. Soon thereaf
ter, these three and three others fled the United States. One family member who
 159

cooperated in the investigation was released . Outstanding arrest warrants are still
in effect for six members of the family . Credit card losses attributed to this family
are estimated at two million dollars. This investigation also led to the arrest and
conviction of twenty other individuals and merchants involved with the family.
Another investigation turned up what was commonly referred to as the “ counter
feit white plastic scheme.” The ten individuals involved in this scheme defrauded
the industry out of $559,000. After information from legitimate cardholders and ac
counts wasobtained, pieces of white plastic imprinted like a credit card were used
on credit invoice slips. The slips were then sent through merchants working in col
lusion with the operators of the scheme to defraud the banks. All ten of those in
volved have been convicted and sentenced .
A very recent investigation involved perhaps the most sophisticated covert oper
ation against the credit card industry discovered to date. This involves the actual
counterfeiting of credit cards. Twenty -one arrests and convictions have been ob
tained , while one of the people involved in this operation has been the victim of a
gangland style murder. We have evidence that organized crime has been responsible
for financing this counterfeiting operation. Recovered during this investigation was
approximately $ 500,000 worth of equipment which was used to produce the fake
credit cards. This activity has now moved into a stage where the counterfeiters are
using an offset printing process to counterfeit the credit cards. Equipment utilized
by these counterfeiters is identical to that used by the credit card industry itself.
The quality of the cards is excellent and poses a severe threat to the entire bank
card industry.
In another case recently concluded at Atlanta, GA, a husband and wife team
pleaded guilty to fraudulently obtaining credit cards andother credit used to pur
chase merchandise subsequently sold for personal gain. They use fictitious names,
false employment information, false income figures and false financial references. A
telephone system was set up in several business names and in the name of a bank
with call forwarding service on all telephones. Through this arrangement they were
able to verify the false information provided on credit applications. The public loss
in the case was in excess of $ 1 million . On September 16, 1983, the husband was
sentenced to 25 years in prison followed by five years probation. His wife was sen
tenced to ten years in prison followed by five years probation.
These cases show that while law enforcement authorities have not been powerless
to deal with credit and debit card swindles under present law, this type of fraud
nevertheless remains a problem. We believe that more specific legislation such as
H.R. 3181 would provide an important additional deterrent which would assure po
tential offenders that the Government has the means at hand to prosecute and
punish this particular brand of consumer fraud.
The Postal Inspection Service will continue to work with the industry in its ef
forts to prevent and combat credit card fraud. Necessarily, we must channel our in
vestigative resources to the most productive use consistent with our law enforce
ment mission . We will become involved in stolen credit card investigations where
the theft occurred from the mail. For us to become involved in the investigations of
fraudulent use of credit cards acquired through other means such as false applica
tions or cards lost by or stolen from the cardholder, there must be a substantial
number of victims and monetary loss and no adequate local remedy available.
H.R. 3570, if enacted into law , would provide a means to prosecute individuals em
ploying computers to commit crimes against the Government, financial institutions
and the general public. It is highly likely that the use of the mails would be an
integral part of many fraudulent schemes involving the use of computers, and the
proposed legislation will enhance our efforts to combat this type of crime.
Mr. Chairman, it has been my pleasure to tell you something about our efforts to
combat credit card fraud and how the proposed computer fraud legislation will ben
efit our service. Webelieve that specially tailored legislation of this general charac
ter can help to deal more effectively with these types of problems, and we support
them . At this time, I will be happy to answer any questions you may have.

TESTIMONY OF FLOYD CLARKE , DEPUTY ASSISTANT DIRECTOR,

FEDERAL BUREAU OF INVESTIGATION
Mr. CLARKE. Thank you, Mr. Chairman. The statement that I
have prepared will be submitted for the record. I'd like to just take
a couple of excerpts from that for emphasis that will summarize
our position .
 160

The first area dealing with computer related crimes — since the
1970's, the FBI has been involved in investigating crimes which are
computer related. We cannot say with certainty whether or not
there has been a rise or a decline in this type of crime. This is, in
part, due to the fact that the FBI presently keeps its records and
its statistical compilations based upon criminal violations . For ex
ample, our statistics would reflect our involvement in investiga
tions of fraud -by -wire statute, interstate transportation of stolen
property, bank fraud, embezzlement, et cetera.
The computer may be an instrumentality of these or other
crimes. However, since there is no Federal statute specifically ad
dressing computer crime, the FBI is unable to provide statistics to
reflect whether or not computer-related crime is on the increase.
Although the Bureau has no statistical basis to evaluate the
extent of computer-related crime, logic would indicate that in view
of the increasing number of computers in use today, there ought to
be a corresponding increase in computer-related crime. Because of
extensive use of computers in our society, the possibility of extreme
losses due to computer fraud is very high. Most financial institu
tions in the United States and abroad utilize computers to facili
tate their operations. This is also true of many other business en
terprises and there is potential for abuse by persons who have the
necessary knowledge, time, access to the correct hardware and soft
ware. In a very short period of time, programs, high technology in
formation , proprietary information or classified information can be
taken from a computer without leaving much evidence of the
crime.
This is to say nothing of the theft of large amounts of money
transferred by wire between financial institutions.
We in the FBI have not to date had any significant problems in
the prosecution of computer-related crime under already existing
statutes over which we have jurisdiction, such as the fraud -by -wire
statute. However, our experience indicates that there could be
some future problems in investigating or prosecuting under exist
ing Federal law certain types of activity.
For example, the definition of " property ” with regard to a com
puter crime could be clarified. It's not clear whether the theft or
destruction of property would extend to information on a computer
disk as opposed to thetheft or destruction of the disk itself.
The question of trespass into another computer should also be
considered, particularly where the individual having access to the
computer system had no criminal intent and meant no harm, and
yet, information was modified or even destroyed.
The FBI will be glad to work with the subcommittee in analyzing
the potential crimes that can result from the computer.
In the area of credit and debit card fraud, because they are play
ing an ever -increasing and important role in our society, there is,
again, a very high potential for large losses resulting in misuse of
these cards or the numbers that are embossed thereon .
The Department of Justice has given the FBI primary responsi
bility for investigating debit card fraud. These are the violations
set forth in the Electronic Funds Transfer Act . And we are cur
rently exploring the possibility of sharing this responsibility with
the U.S. Secret Service by means of a memorandum of understand
 161

ing between our agencies. A draft memorandum of understanding

and attendant legal issues are now being reviewed by the Depart
ment of Justice.
The U.S. Postal Inspection Service has primary investigative re
sponsibility for credit card fraud, since the fraud usually involves
the use ofthe mails. The FBI has secondary investigative responsi
bilities in these matters and that's to say that when we develop
evidence of a credit card fraud during an investigation of a matter
within our primary jurisdiction , we would pursue the credit card
fraud violation to its logical conclusion.
We have developed a close working relationship in matters of
mutual interest with the Postal Inspection Service.
In investigating credit and debit card fraud, it's not unusual that
the criminal act would also be a violation of other Federal laws.
Such statutes as the bank fraud and embezzlement, bank larceny,
interstate transportation of stolen property , and fraud-by -wire.
To my knowledge, no prosecutions have occurred using the Elec
tronic Funds Transfer Act. This is in part due to the fact that pros
ecutors and law enforcement officers are more familiar with the
other statutes mentioned previously, which are court tested .
I'm not aware of any credit or debit card losses, which a U.S. at
torney believed to be a significant loss that warranted Federal
intervention, where some Federal statute could not be used for
prosecution. This is not to say that problems do not exist. There
are problems and we believe that they can be rectified by amend
ing existing tested statutes to close the loopholes. Our concerns and
recommendations are along the lines of those expressed in Mr.
Kenney's statement and his remarks today and in prior congres
sional testimony.
One other area that I would also like to take the opportunity to
bring to the committee's attention is a matter which often hinders
our efforts to investigate card losses, as well as other banking viola
tions.
Financial institutions are restricted by the Right to Financial
Privacy Act concerning the reporting of crimes, even when the fi
nancial institution is the victim . Since the financial institutions
may be the object of civil actions for a mistake in releasing the
records, institutions often go far beyond what is required by the
Right to Financial Privacy Act in order to protect themselves from
producing records.
Resorting to legal process to obtain financial records almost with
out exception takes considerable time from other investigations
and is a tremendous drain on our resources, as well as the re
sources of the respective U.S. attorneys.
The FBI is actively investigating computer-related fraud and
credit and debit card fraud when these cases involve violations of
federal statutes within our jurisdiction and when the U.S. attorney
agrees to prosecute. And thus far, I believe that our efforts in this
regard have been successful.
However, we do recognize that there are certain loopholes in cur
rent laws pertaining to these activities and we support your efforts
to address these problems.
I'll be happy to answer any questions that you may have.
 162

Mr. HUGHES. Thank you very much , Mr. Clarke. Mr. Carlon , wel
come .
[Statement of Floyd I. Clarke follows:]
STATEMENT OF FLOYD I. CLARKE, DEPUTY ASSISTANT DIRECTOR, CRIMINAL
INVESTIGATIVE DIVISION , FEDERAL BUREAU OF INVESTIGATION
Mr. Chairman and members of the subcommittee, I am pleased to be here today
to discuss with you the nature of the Federal Bureau of Investigation's involvement
with , and investigation of, computer related crime and debit and credit card fraud .
Let me first address computer related crime. Since the 1970's the FBI has been
involved in investigating crimes which are computer related . We cannot say with
certainty whether or not there has been a rise or decline in this type crime. This is
in part due to the fact that the FBI presently keeps its records and statistical compi
lations based on criminal violations . For example, our statistics would reflect our
involvement in investigations of the fraud by wire statute, interstate transportation
of stolen property, bank fraud and embezzlement, etc. The computer may be an in
strumentality of these other crimes; however, since there is no Federal statute spe
cifically addressing computer crime the FBI is unable to provide statistics to reflect
whether or not computer related crime is on the increase.
Although the Bureau has no statistical basis to evaluate the extent of computer
related crime, logic would indicate that in view ofthe increasing number of comput
ers in use today, there ought to be acorresponding increase in computer related
crime. Because of the extensive use of computers in our society, the possibility of
extremely large losses due to computer fraud is very high . Most financial institu
tions, in the United States and abroad, utilize computers to facilitate their oper
ations. This is also true of many other business enterprises. There is a potential for
abuse by persons who have the necessary knowledge, time and access to the correct
hardwareor software. In a very short period of time, programs, high technology in
formation , proprietary information or classified information can be taken from a
computer without leaving much evidence of the crime. This is to say nothing of the
theft of large amounts of money transferred by wire between financial institutions.
The FBI does however actively investigate many crimes which are computer relat
ed, and which are within our jurisdiction. The FBI's responsibilities in computer re
lated crimes are derived from jurisdiction previously assigned to the FBI by Con
gress or the Attorney General of the United States in more traditional areas. The
statutes most frequently used by the Department of Justice and the FBI to pros
ecute and investigate computer related crimes are fraud by wire, interstate trans
portation of stolen property, bank fraud and embezzlement, destruction of govern
ment property, and theft of government property. However, computer related
crimestranscend all the crime categories.
I would like to bring to your attention some of the types of cases which we have
investigated :
( 1) In 1979, the New York Division of the FBI identified a computer information
service company (which is a company that enters, edits, stores, and retrieves infor
mation in a text format) that was, without authorization, accessing and modifying
records of a similar computer information service in the State of California. The
second computer service was the primary competitor to the first and the actions of
the first computer service caused an estimated loss of $7.5 million.
(2) In 1980, the New York Division identified a group of children of middle school
age who accessed without authorization, over 20 computers from the computer locat
ed at their school. The unauthorized accesses by this group in both the United
States and Canada not only caused the loss of computer time and disrupted comput
er services, but caused the destruction of inventory and billing figures of a Canadian
firm , which necessitatedsubstantial effortsby that firm to duplicate.
(3) In late 1982, our Washington field office indentified a former employee of the
Federal Reserve Bank who was then employed privately as a financial analyst, who
attempted to continue to access information in the Federal Reserve Bank's money
one file without authorization, Any information he might have obtained from this
file would have been useful in the analysis of his client's holdings.
( 4) Early in 1983, our office in Alexandria, Virginia, identified an individual who
without authorization accessed computerized consumer credit information to obtain
credit account information on over 80 people. Thereafter he used this information to
charge goods, including additional computer equipment, to the major credit cards of
the people whose credit information he had accessed.
These examples are certainly not all inclusive of our efforts in computer related
crimes, but they give a broad view of the types of computer related crimes that are
 163

presented to the FBI for investigation. We have so far been able to identify and
locate the person (s) committing each of the beforementioned crimes. We hope to con
tinue to due so .
We in the FBI have not had, to date, any significant problems in prosecution of
computer related crime under already existing statutes over which we have jurisdic
tion , such as the fraud by wire statute. However, our experience indicates that there
could be some future problems in investigating or prosecuting under existing Feder
al law, certain types of activity. For example, the definition of " property ” with
regard to computer crime could be clarified . It is not clear whether a theft or de
struction of " property ” would extend to information on a computer disc as opposed
to a theft or destruction of the disc itself. The question of trespass into another's
cornputer should also be considered particularly where the individual having access
to the computer system had no criminal intent and meant no harm , and yet infor
mation was modified or even destroyed. The FBI will be glad to work with the sub
committee in analyzing potential crimes that can result from the use of a computer.
I will now address credit and debit card fraud. To assist you in analyzing these
types of cases, let me take a moment to define and distinguish “ credit card” and
debit card” . A debit card is one form of " access device" to a consumer's account
that may be used by the consumer for the purpose of initiating an electronic trans
fer of funds. An example of the debit card is the bank card many financial institu
tions provide customers which enables customers to withdraw money from their
bank accounts through the use of teller machines. Other examples of such access
devices are the telephone, computer, and magnetic tape. A credit card is a device
that may be used by a consumer to purchase goods and services utilizing the tradi
tional paper receipt invoice. The debit card appears to be rapidly replacing the
credit card as an exchange of value. A debit cardmay also be used to make a credit
card purchase using the invoice receipt.
Because the credit and debit cards are playing an ever increasing and important
role in our society there is, again , a very high potential for large losses resulting in
misuse of these cards or the numbers embossed thereon. The Department ofJustice
66
has given the FBI the primary responsibility for investigating “ debit card ” fraud.
( These violations are set forth in the Electronics Fund Transfer Act, 15, USC , 1693
through 1693R), and we are currently exploring the possibility of sharing this re
sponsibility with the U.S. Secret Service by means of a Memorandum of Under
standing between our agencies. A draft Memorandum of Understanding and the at
tendant legal issues arenow being reviewed by the Department of Justice. The U.S.
Postal Inspection Service has primary investigative responsibility for credit card
fraud since this fraud usually involves use of the mails. (Criminal penalties for the
fraudulent use of credit cards are set forth at 15, USC, 1644). The FBI has secondary
investigative responsibilities in these matters. That is to say, when we develop evi
dence of credit card fraud during investigation of a matter within our primary juris
diction, we would pursue the credit card fraud violation to a logical conclusion. We
have developed a close working relationship in matters of mutual interest with the
Postal Inspection Service.
In investigating credit and debit card fraud, it is not unusual that the criminal
act would also be a violation of other Federal laws, e.g. , statutes relating to bank
fraud and embezzlement, bank larceny, interstate transportation of stolen property
and fraud by wire. To my knowledge, no prosecutions have occurred using the Elec
tronics Fund Transfer Act. This isin part due to the fact that prosecutors and law
enforcement officers are more familiar with other statutes, mentioned previously,
which have been court tested .
Below are examples of the types of cases that have been investigated and pros
ecuted .
( 1 ) A subject was recently convicted in Albany, New York and Boston , Massachu
setts, of fraudulently withdrawing over $150,000 from customer accounts using auto
matic teller machines . The subject duped over 300 bank customers into believing he
was a bank security officer who needed assistance in apprehending a dishonest bank
employee. The customers were convinced to leave their bank card under the locked
door of the bank after which the subject would “ fish ” the card from under the door.
The subject would then telephonically contact the legitimate customer and through
a telephone ruse, develop a confidential personal identification number to make un
authorized withdrawals from the customer's account. He was convicted of bank lar
ceny and interstate transportation of stolen property and was sentenced to one year
incarceration .
(2) Our Los Angeles Office recently concluded an investigation in which a bank
employee and her boyfriend conspired to withdraw $26,000 from four separate ac
counts utilizing authomatic teller machines. Fingerprint analysis assisted in deter
 164

mining that the suspect bank employee assisted in fraudulently transferring money
from legitimate customer accounts into three fictitious accounts set up by the sub
jects after which it was withdrawn using automatic teller machines. Both subjects
were convicted of bank fraud and embezzlement. They were both placed on proba
tion and ordered to make restitution of $8,500.
(3) Another investigation by our Los Angeles Office, in conjunction with the Los
Angeles Police Department, involves a credit card related fraud which has resulted
in bank losses of approximately $13 million. On October 7 , 1981 , a credit card manu
facturing company in Los Angeles was the victim of an armed robbery in which
6,500 blank Visa - Bank of America credit cards were taken . Many of these credit
cards were embossed with legitimate bank customer account numbers and names
and used in conjunction withphony identification obtained by subjects to purchase
merchandise and obtain cash advances from banks. It is believed that the legitimate
bank customer information embossed on the stolen credit cards is being furnished to
the subjects by one or more dishonest bank and/or credit bureau employees. To
date, over 250 subjects in 42 states have been arrested by Federal and local authori
ties. This investigation is being pursued by the FBI under the bank fraud and em
bezzlement statute.
These examples illustrate that significant prosecutions are occurring where the
respective U.S. Attorneys determine the criminal activity warrants Federal inter
vention . I am not aware of any credit or debit card loss which a U.S. Attorney felt
was significant and warranted Federal intervention where some Federal statute
could not be used for prosecution . This is not to say problems do not exist. There are
problems and we believe these can be rectified by amending existing tested statutes
to close loopholes. Our concerns and recommendations along these lines are similar
to those expressed by Mr. Kenney today and during previous congressional testimo
ny.
For example, we support legislation which would makethe possession of fraudu
lent credit or debit cards, with unlawful or fraudulent intent, a criminal violation.
Further, we believe that many of the concerns of the credit card industry, as well as
law enforcement may be addressed by criminalizing the fraudulent use of, or unau
thorized disclosure of account numbers and information .
I would also like to bring to the committee's attention a matter which often
hinders our efforts to investigate card losses, as well as other banking violations.
Financial institutions are restricted by the Right to Financial Privacy Act concern
ing the reporting of crimes, even when the financial institution is the victim . Since
the financial institutions may be the object of civil actions for a mistake in releasing
records, institutions often go far beyond what is required by the Right to Financial
Privacy Act in order to protect themselves before producing records. Resorting to
legal process to obtain financial records almost without exception takes considerable
time from other investigations and is a tremendous drain on our resources as well
as the resources of the respective U.S. Attorneys.
In summary, the FBI is actively investigating computer related fraud and credit
and debit card fraud when these cases involve violations of Federal statutes within
our jurisdiction , and when the U.S. Attorney agrees to prosecution. Thus far I be
lieve our efforts have been successful. However, the FBI recognizes certain loopholes
in current laws pertaining to these activities. We support your efforts to address
these problems.
Mr. Chairman, that concludes my opening statement. I would be happy to answer
any questions at this time.

TESTIMONY OF JOSEPH CARLON, ACTING ASSISTANT DIRECTOR,

OFFICE OF INVESTIGATIONS, U.S. SECRET SERVICE
Mr. CARLON . Thank you, Mr. Chairman. I would like to very
briefly summarize the position of the Secret Service in this area.
There has been a dramatic increase in the area of credit and debit
card fraud, particularly in the area of counterfeiting. And all indi
cations are that this is going to continue at an alarming rate.
We are, in a sense, facing a situation where the technology of
crime is advancing. And it is incumbent on us in the federallaw
enforcement community to take steps to keep pace with this tech
nology.
 165

It is our view that efforts in this area, particularly legislation as

proposed, would do much to close loopholes which presently exist
in Truth -in -Lending. We support any effort in this area.
That concludes my summary.
[Statement of Joseph Carlon follows:]
STATEMENT OF JOSEPH R. CARLON , ACTING ASSISTANT DIRECTOR, OFFICE OF
INVESTIGATIONS, U.S. SECRET SERVICE
Mr. Chairman and members of the subcommittee, thank you for the opportunity
to testify before your committee concerning H.R. 3570, the " Counterfeit Access
Device and Computer Fraud Act of 1983, ” and H.R. 3181 , the "Credit Card Counter
feiting and Fraud Act of 1983.”
I will be pleased to answer any questions you might have at the conclusion of my
statement.
The U.S. Secret Service has been meeting with bank and credit card industry rep
resentatives at their request on the issue of credit and debit card fraud for the last
ten months. As a resultof these meetings and others with federal and local investi
gators, we have studied the operational systems of the bank and credit card indus
try and how they are being victimized by the criminal element. This effort has led
us to five basic conclusions about credit and debit card fraud and, for the purposes
of today's testimony, I would like to briefly address each.
1. MAJOR INCREASES IN CREDIT AND DEBIT CARD FRAUD

There has been a dramatic increase in card fraud, particularly in the area of
counterfeiting. All indications are that it will continue to escalate at an alarming
rate. The present magnitude of credit and debit card fraud and the statistical pre
dictions of future growth , as well as the methods in which criminals perpetrate this
fraud, has been adequately expressed to this committee by others and warrants no
additional elaboration .

2. IMPROVED FRAUD CONTROL BY CARD INDUSTRY

Until recently, the bank and credit card industry appeared to have little need to
protect the security of the credit card system . The losses were not great enough to
warrant sizeable investment in new security programs. However, because the
system came under a major criminal attack in 1981 , and again in 1982, and as losses
multiplied , the industry had little choice but to make a commitment towards fraud
control both inside and outside the system .
Security staffs were expanded with former federal and local criminal investiga
tors. In conjunction with the American Bankers Association (ABA), a task force was
formed to identify and recommend methods to reduce altered and counterfeit card
fraud losses. The Battelle Research Institute of Columbus, Ohio, was commissioned
by the task force to conduct research into “ card secure” properties which could be
added to make altering and counterfeiting more difficult. The work of the ABA task
force has recently been presented at a card fraud management seminar. The card
industry has already adopted many of the task force recommendations, and is edu
cating their personnel on methods to detect and report fraud.
In addition, the card industry is educating the law enforcement community on
card systems and fraud and provides financial aid in support of these investigations.
3. ABSENCE OF EFFECTIVE FEDERAL LEGISLATION
Both bills (H.R. 3570 and H.R. 3181) as proposed, would do much to close the loop
holes which presently exist within the Truth in Lending Act, 15 U.S.C. 1644, and
the Electronic Fund Transfer Act of 1978, 15 U.S.C. 1693n .
These Acts have a number of weaknesses. Some are built in, whereas others are
the product of judicial interpretation. These weaknesses have certainly contributed
to the growth of card fraud.
Differing case law in the circuits has impededeffective prosecution of card fraud.
In United States v. Callihan 666 F.2d 422 ( 9th Cir. 1982), the court held that credit
card account numbers were not the same as credit cards for the purposes of this
statute. The Fourth Circuit, in United States v. Bice-Bey, 701 F.2d 1086 (4th Cir.
1983), reached a different conclusion and upheld the prosecution of an individual
under this statute for using just the credit card numbers. The court stated that “ the
core element of a credit card is the account number, not the piece of plastic." How
 166

ever, there are other limiting decisions. The court in United States v. Mikelberg, 517
F.2d 246 (5th Cir. 1975), confined the aggregation of purchases only to those made in
transactions affecting interstate or foreign commerce, excluding any transaction in
intrastate commerce. In United States v. Kasper, 483 F. Supp. 1208 (D. Pa. 1980), the
court held that where credit cards were obtained by original card holders without
any intent to defraud issuing companies and were, thereafter, sold or given to de
fendants with the knowledge that defendants would use the card to make charges
without paying them , the credit cards were not " fraudulently obtained" within the
meaning of this section which prohibits using or transporting in interstate com
merce any “ fraudulently obtained " credit card .
The proposed statutes, on their face and to the extent necessary through the legis
lative history, provide excellent vehicles to correct these loopholes and clarify the
intent of Congress. If either bill becomes law , federal investigators and prosecutors
would be equipped with additional tools to combat the real and growing problems of
card fraud .

4. FUTURE CREDIT/DEBIT CARD ROLE

Credit and debit cards are paying an increasingly important role in our national
payment system . Approximately 35 percent of all retail transactions are made via
the credit card and all indications are that these cards will be the consumer's pri
mary means of financial exchange in the future.
Today, most cards function as either a credit or debit instrument. However, the
present trend is towards providing a card that offers both credit and debit services.
This kind of card offers the best of both the credit and debit world, to the consumer
and to the criminal element alike.
The " electronic card ” is still in a developmental stage in terms of technology and
functional use, and may be the plastic card of the future. This card features embed
ded microcircuitry which contains both memory and logic, giving it a certain
amount of intelligence. Some areas which have emerged as applications for the card
are point-of-sale transactions, home banking, and portable medical files. As techno
logical developments continue to take place in microcircuitry, telecommunications
and production capabilities, new applications will be developed for the use of card
payment mechansims.
We are headed toward a cashless society. Already, cash payments represent only
one percent of the total value of payments made in this country. Experts believe
that in the not too distant future, cash and check payment systems will be largely a
thing of the past.

5. NEED FOR AN EXPANDED FEDERAL INVESTIGATIVE PRESENCE

The present magnitude of card fraud and the real potential for continued dramat
ic growth, warrants an expanded federal investigative and prosecutive effort. As
this nation's payment systems rely more heavily on credit and debit cards, we can
expect to see an increase in sophisticated fraudulent schemes having national and
international ramifications.
The major credit card fraud investigations show there is a substantial problem
with criminal ring activity. The activities of these groups are often interstate and
international in nature. From a practical standpoint it is frequently beyond the re
sources of local and state officials to deal effectively with this problem .
The credit card industry reported that losses from counterfeit cards rose from $15
million in 1981 , to over $50 million in 1982, an increase of over 230 percent in one
year. Of the total, all but $3 million of the losses occcurred in the United States.
We believe that counterfeit credit and debit card fraud represents the main threat
to the card system and that the proposed legislation would effectively deal with the
counterfeiting of credit and debitcards.
We appreciate the opportunity to share our views with you . At this time, I would
be happy to answer any questions that you may have.
Mr. HUGHES. Thank you very much, Mr. Carlon.
First,in my opening statement, I quoted some statistics from the
book, “ The Electronic Life ” by Michael Crichton ,, the author of
" The Andromeda Strain ” and “ The Great Train Robbery ,” in
which he states that there were 5 million computers in 1982 and 80
million projected for 1990. Does that conform with what you per
 167

ceive is happening in the computer world? Let me begin with you,

Mr. Keeney.
Mr. KEENEY. I think I should defer to my colleagues in the inves
tigativearea .
Mr. HUGHES. All right. Anyone.
Mr. Shriver. Or Mr. Clarke .
Mr. CLARKE. In the absence of any other response, our position
on that is that we-I think in looking at what's going on around
us--would certainly indicate that there is a growth. But as far as
any hard data or statistics that would support that, we in the FBI
donot have that kind of data that could speak with certainty to
that question.
Mr. SHRIVER. We certainly have a lot of evidence that your num
bers are roughly correct. There are about 100,000 computer devices
being shipped per month today, which indicates tremendous
growth . And that number is estimated to increase to 1 million com
puter devices per month by 1990.
Mr. HUGHES. Several weeks ago, I had a discussion with Don
Parker, who, you may know, is a national expert in the field of
computer crime, and he suggested that the Congress would be well
advised to move away from describing computers as the vehicle for
crimes and emphasizing instead the objects of such crime — that is,
information or information services.
How do you feel about that? Anybody ?
Mr. KEENEY. Mr. Chairman, speaking for Justice, I would repeat
what I said previously. We are really not prepared—the adminis
tration doesn't have a position with respect to computer crime.
Studies are being presently conducted in the Department of Jus
tice, in Commerce, in SBA , and in the IG's office at HHS. And,
hopefully, the administration , sometimes in , again , hopefully, the
near future, would be in a position to comment more intelligently
on the scope of the problem and what we feel should be done to
address it .
Mr. SHRIVER. I agree with Mr. Parker's assertion on that topic. I
would also say that interception , modification, and diversion of
communications certainly should be added to that list, as well as
actual abuse through an input device.
Mr. HUGHES. That would make sense to me. We're talking about
computers today, but who knows what we're going to be talking
about tomorrow with regard to electronic transfers. We should be
talking in terms of the object of the crime, that is, the question of
what a criminal seeks .
If we were to just define or use as one of the triggering variables
in a statute the term " computer ” without more, isn't it conceivable
in 3 to 5 years, perhaps even sooner at the rate we're going, that
we will not havecovered the nature and extent of the crimes being
committed in the electronic transfer field ?
Mr. Keeney , would you care to comment?
Mr. KEENEY. My comment on that would be, based upon my own
observation-I'm not an expert in the field — the proliferation of
computers is going to create, I would estimate, substantial prob
lems for law enforcement. And that, I assume, is one of the reasons
that the administration is trying to study the problem and come up
with something in the way of suggested legislation that would not
 168

only cover the existing situation, but would carry us down the
road, and would cover such things as making access a crime,
making vandalism through access a crime, making access for the
purpose of acquiring information a crime, and whatever else the
experts would come up with , Mr. Chairman.
Mr. HUGHES. There have been some discussions, I gather, with
the computer industry about this whole area of computer crime,
electronic transfers. Is that an ongoing process?
Mr. KEENEY. We've been periodically having meetings with the
industry with respect to the credit card and debit card fraud area,
yes, sir .
Mr. HUGHES. How about these meetings, Mr. Shriver ? You
touched upon that just briefly in your testimony,
What is coming out of these meetings? Is there anything con
structive that you can convey to us ?
Mr. SHRIVER. Well , we've had two such meetings, Mr. Chairman .
And the makeup of the participants from Government included the
Justice Department, Treasury, and the Secret Service. Private
sector representatives included bank security personnel, insurance
companies representatives, and others who help protect against
computer crimes.
In both of the meetings, we have discussed the problems of meas
uring the extent and trends with regard to these kinds crimes.
We concluded that there are seriousproblems in measurement, as
several other witnesses have already mentioned today,
We also discussed what is happening in the legislative area and
what industry feels would be useful to them. Finally, we discussed
what kinds of protection all of us - Government and private indus
try — can use to protect computerized information and deter its
abuse.
Both of those sessions ended with everybody being aa little frus
trated that we didn't block out enough time. So wewill continue
those discussions and I think all of the participants felt that they
gained a great deal from this mutual information exchange.
Mr. HUGHES. My final question, and then I'll recognize the other
members, is, are we premature in attempting at this point to an
ticipate the trends? Should we just be talking about dealing with
the loopholes now in the credit card statute dealing with credit
card and debit card transactions, or should we endeavor to deal
with the whole panorama of problems that are developing with
regard to electronic fund transfers, trespass upon information and
information service systems?
What should we be doing at this point to deal with the problems
that exist now and the problems that we envision that we're going
to have 2 to 5 years from now?
Mr. KEENEY. Mr. Chairman, as far as the Department of Justice
is concerned, we've actually suggested in our statement that you
segregate out the computer fraud problem and address the specific
problems which have been highlighted with respect to credit and
debit cards .
We think that there is a major problem and that legislation is
going to be needed in the computer fraud area. But wethink that
we would suggest to the Congress that you go ahead with the iden
 169

tified areas in credit and debit and address the broader computer
fraud problem at a later date.
And when I say a later date, I'm not talking about 10 years from
now . I would hope that the later date would be a relatively short
term coming
Mr. HUGHES. Let me state to you-we can do that, Mr. Keeney,
but isn't Don Parker perhaps correct ? Can we agree upon , basical
ly, the nature of the property that is going to be the subject of at
tempts to defraud ? Can we agree upon the basic parameters and
work from there, without talking about the specifics of the type of
equipment that is used to gain access?
Mr. KEENEY. Mr. Chairman , I'm not an expert in the area, but
off the top of my head, I would say that from the Department of
Justice's standpoint, we would be interested in protecting both the
property that is being sought by the entry into the computer
system and in protecting at least part of the equipment itself.
We could have major destruction of equipment which might be
very important, but that's just an off-the-top -of-the-head comment
by someone who is not an expert.
Mr. HUGHES. Well , we can deal with that, can't we? We've done
that in the past. We can deal with the physical destruction of the
equipment, that's relatively easy .
You see, my problem is that if we're going to address an area ,
rather than try to do it in a compartmental or fragmented manner,
why not deal with the problem as we see it now and as we envision
it's going to occur ?
Mr. KEENEY. The administration feels that it's not in a position
to intelligently assess the problem and therefore, make recommen
dations with respect to how it should be addressed, Mr. Chairman.
Mr. HUGHES. I realize that.
Mr. KEENEY. And they seem to be moving-
Mr. HUGHES. In all due deference to you, because you've done a
good job in presenting testimony today, if we waited for the Justice
Department to present evidence or testimony, on many of the sub
jects that have already been signed into law, we'd still be bouncing
it around .
On many subjects, we have a hard time getting Justice to take
definite positions.
Mr. KEENEY. I think we've taken some pretty clear-cut positions
on the two bills you have here today, Mr. Chairman.
Mr. HUGHES. I appreciate that. The gentleman from Michigan.
Mr. SAWYER. H.R. 3570 gives the Secret Service, as I read it, ju
risdiction over computer fraud, as well as the general credit card
fraud. Does that pose any problems? It's somewhat of an expansion
of the jurisdiction of Secret Service. The counterfeit cards are close
enough to counterfeit money that it isn't a problem . But computer
fraud could be a lot of things different than that.
Mr. CARLON . I think, sir, the statute itself gives the Secret Serv
ice concurrent jurisdiction with those currentlyhaving authority in
this area. The Secret Service considers the whole gamut of changes
in the legislation as somewhat of a technological extension of what
we currently do. The Secret Service is responsible, for example, for
investigating the counterfeiting and forgery of Government obliga
tions. The medium by which these payments are made whether
 170

cash or checks, is changing through the transfer of electronic data.

We would consider these statutesan attempt to really update what
is taking place in society as a result of advances intechnology.
So rather than an expansion of our jurisdiction, I would say it's a
technological correction of the way in which our system is begin
ning to function.
We are headed toward, by all predictions, a cashless society. Less
than 1 percent of retail payments are currently made using cash as
the medium of exchange. We see credit cards reaching a position
where they are used both as debit and credit instruments.
So the whole area of protecting the integrity of our currency and
our financial system is an area that we feel we have an interest in.
And again , to reemphasize, I don't really consider it an expansion
of our jurisdiction, but really an updating of outdated statutes.
Mr. SAWYER. Well, of course, you have, for example, this young
man out at UCLA that I've read about in the newspaper that ac
cessed one of the major Government computer systems. I don't
know that he stole anything, or I'm not clear just what he did . But
he's being prosecuted for it on some kind of a trespassing thing on
a Government information bank.
Would that sort of thing be within the jurisdiction of computer
fraud, do you think, in your view ?
Mr. SHRIVER. Yes, I think it should. Credit card fraud was a trivi
al problem , as you know, just aa few years ago. We're now attempt
ing to get on top of it, after it has become a $300 or $400 million
problem . In conclusion, counterfeit money that got through the
Secret Service represented about a $7 or $8 million problem last
year.
With today's rapidly advancing technology, the potential EFT
crime problem could grow rapidly to a verylarge number. Today,
there may be less there than meets the eye in terms of actual re
ported problems. However, the size of an EFT crime, on the aver
age, vastly dwarfs almost any kind of credit card crime. And, there
is the problem of gaining illegal access to sensitive information.
You can enter a system and not steal anything, yet have improper
ly gained some very valuable information. For example I nevergot
to the data base, but I saw that somebody was shipping $50 million
abroad and that they're involved in a bidding activity on some
thing. I now have intelligence that I got through microwave or
satellite -transmission interception or whatever, that tells me that
the maximum that they're going to bid on something is $50 million
because that's all the money that they shipped over.
This is not a totally hypothetical scenario . These kinds of things
do happen . And we're talking very , very large amounts. What it
was is that we often don't even know when we have been hit.
Mr. CLARKE . If I may speak to the issue of jurisdiction, I would
just like to point out a couple of areas of concern to the FBI.
As I mentioned, because of the absence of any hard data we
haven't been able to detect trends or increases, but we certainly
recognize the increased and proliferated use of the computer. With
the statutes that we currently have, we have not been presented
with a case involving computer fraud or credit card fraud that we
have not been able to adequately investigate and prosecute. But we
see some potential problems.
 171

And in keeping with that, we have several ongoing investigative

programs that a broad computer crime statute that would give con
current jurisdiction could very well overlap into areas that we are
currently addressing and are addressing under the existing statutes
and the existing programs.
So we would wantthat to be viewed very carefully. And the sug
gestion would be that in the area of computer crime, that jurisdic
tion be given to the Attorney General and then , through his negoti
ations with the heads of the other investigative agencies or agen
cies who have responsibility, could delegate that responsibility.
In trying to fulfill our responsibility in monitoring these types of
criminal activity, recently we have implemented as part of our
White Collar Crime Program an identifier to identify cases that in
volve computers as either the instrumentality or the target of the
crime.
And what we found is that that is not giving us a sufficient data
base, that these types of crimes transcend many other programs
organized crime, property crimes, where computers are being used.
And so in order for us to have an adequate data base toassess
this problem, we are in the process now of expanding this survey so
that we will require our field offices to identify those cases that are
being investigated and report that to us in an aggregate under this
one heading so that we can make an assessment and furnish that
information to the Department in their deliberations as to what ap
propriate steps need to be taken to correct any problems that are
identified .
Mr. SAWYER. Thank you. II yield back.
Mr. HUGHES. The gentleman from Ohio.
Mr. FEIGHAN. Thank you, Mr. Chairman. Mr. Clarke, you made
reference to the Electronic Funds Transfer Protection Act and indi
cated that there have been no prosecutions under that act.
Could you give us a little bit more information and certainly
your opinion as to why you think that that has been the case and
what have been the specific statutes that prosecutors have relied
on for prosecution of the criminal activity that we're discussing ?
Mr. CLARKE. Basically, they have used the more well-known stat
utes that both the investigators and the prosecutors are familiar
with, such as wire fraud or mail fraud. And I guess that that would
be a partial answer. I'm not sure that anyone knows for sure the
total answer.
In looking at the numbers of actual investigations under that
particular statute, they have also been limited. I believe that there
has only been in the neighborhood of about 16 or 20 investigations
that have been initiated using that statute.
And I can't say with certainty that there have been no prosecu
tions. I am unaware of any prosecutions under that statute.
Mr. FEIGHAN. Well, was that sort of a superfluous piece of legis
lation? Would you contemplate in the future that it will have more
validityor more vitality, Ishould say?
Mr. CLARKE. I think that there is certainly the potential there
for use in the future. And I think that it gives us a tool that should
be in the arsenal available to investigators and prosecutors.
I don't see it as a superfluous law . I do think that it has the po
tential for utility in the future.
 172

Mr. FEIGHAN . Thank you. Mr. Keeney, I was a little bit con
cerned initially about your response about the Department's prepa
ration of commentary to the Congress on computer fraud , general
ly. This is a field that is predictably going to have substantial
change over the next several decades, as it has over the past recent
decades.
Canwe anticipate from the Department some recommendations
at a date certain ?
Mr. KEENEY. You can anticipate some recommendations, Mr. Fei
ghan , but I'm not prepared to give you a date certain with respect
to them, because it's a Governmentwide problem as far as the exec
utive branch is concerned. They're trying to address it by bringing
in the various people who are seriously concerned — the Social Secu
rity Administration , for one.
We are working at it. We're going to be back to you . But I'm
really not prepared, Mr. Feighan , to give you a time. I'd like to say
that we're going to be back to you in 3 months or something like
that, but I just can't.
Mr. FEIGHAN. Do you think that you might be able to at least
discuss with some of your colleagues at theDepartment the possi
bility ofgivingsome indication ofthis subcommittee subsequently by
letter within the next couple of weeks—
Mr. KEENEY. Yes, sir, we shall do that.
Mr. FEIGHAN [continuing ]. As to the kind of timeframe we might
be operating under in that respect.
Let me also ask you with respect to the establishment of a Feder
al threshold in this legislation . Both bills before us have thresholds
of varying degrees. And without reciting them , you're probably
very familiar with them .
But I just would like to get your opinion on how practical it is to
pass a bill in either of these areas without a Federal threshold .
Mr. KEENEY. Without a Federal threshold ?
Mr. FEIGHAN . Yes.
Mr. KEENEY. Well, let me just, if I may, take your question and
answer it in my own way and come back if I haven't adequately
answered it. Between thetwo bills, Chairman Hughes' bill actually
is a pretty fair reflection of what would be the prosecutive policy of
the Department of Justice. He's got thresholds in there with re
spect to either $5,000 in loss or 10 credit cards.
As a prosecutor, I would prefer to go without the thresholds and
let us make the determination with respect to — as a matter of pros
ecutive policy, whether or not we're going to go without the $5,000
or without the 10 credit cards.
My personal preference would be without it and with the credit
card requirement reduced to 5. But the chairman hasvery well rec
ognized , being a former prosecutor, that the Federal Government
in the normal situation would not go, would not normally go if
those threshold figures either on the number of cards — well,maybe
not so much on the number of cards, but on the amount - unless
they were present.
But we would like to have the flexibility of being able to go in
the unique situation where we have somebody who is involved in
credit and debit card fraud and for evidentiary reasons, we can't
meet the threshold figures.
 173

I don't know whether that answers your question .

Mr. FEIGHAN. It does. It's a very direct answer. I appreciate it.
Thanks very much. I have no further questions.
Mr. HUGHES. Let me just follow up on that. The problem, Mr.
Keeney is I believe, we in the Congress are called upon to deter
mine, as a matter of policy, where we want the Federal jurisdiction
to be triggered.
Mr. KEENEY. I understand that.
Mr. HUGHES. We desire to exercise jurisdiction inthose areas
where there is an impact upon interstate commerce. How can you
-

do that unless you have a threshold that - aside from the resource
allocation question and the declination policy issues, is the issue of
when Federal jurisdiction should be triggered .
California, for instance, is prosecuting that young man under
State statutes. Many States have statutes, and enforcement proce
dure that are better than the Federal Government's.
Mr. KEENEY. Mr. Chairman, I think you're familiar with our pro
secutive policy and, for the most part, we leave to the States and
local prosecutors the situations which involve a relatively small
amount of money or a relatively small operation.
The advantage that I see in lowering the threshold is that it en
ables us to pick up the ring that evidentiary -wise we can't meet the
threshold, but we know that they're involved. That's the only dif
ference. I recognize the federalism problem that is involved, Mr.
Chairman .
Mr. HUGHES. Mr. Keeney, let me just ask you a question. In this
whole area of what we should be doing in this legislation, your sug
gestion is that we should deal with the credit card and debit card
problems that exist today and not attempt to deal with this legisla
tion on the broader issues, which are going to be more relevant, in
my judgment, 2 to 55 years from now.
Is it a problem of attempting to determine the approach in legis
lation to deal with the problems of trespass, of perversion of infor
mation or information services, or the destruction of valuable ma
terial contained on disks, or is it a whole host of problems that ob
viously we can deal with if we can agree upon a definition of, say ,
property, for instance, and access, and a whole host of new terms
that are not totally compatible with the manner in which we have
dealt with property crimes in the past?
What is the problem ? Is it a problem of definition that you are
grappling with ? What is the problem?
Mr. KEENEY. The problem , as I view it, Mr. Chairman, is that we
are trying to define the scope of the problem . And we are dealing
with a burgeoning situation with respect to the use of computers
and we want to get the benefit of the views of all the experts that
are available in the executive branch and then come up here to
youwith legislation which we think will address the problem .
We just don't think that we're ready for it. And the reason that
I've suggested that we go, that you go in the credit card and debit
card area and perfect the amendments are that I think they're
needed .
And I think that in the debit card area, Mr. Chairman, we are
entering into an era that is going to be very similar to the explo
sion of the use of bank credit cards maybe 10 , 12 years ago, and
-

38-178 0 - 85 12
 174

that if we perfect the debit card statute, we will be in a position to

handle those more readily.
Mr. Feighan put his finger on it. We haven't used that statute
very much . One of the reasons we haven't used it very much is
that the amount of the loss, for the most part, in the debit card
area has been rather small and more appropriate for local prosecu
tion .
I don't think that's going to continue because I think that there
is a potential for tremendous fraud in the debit card area.
Mr. HUGHES. Let me just ask you another question and maybe
it's something that Mr. Clarke, or Mr. Shriver may want to com
ment on.
I see us once again, as we move into this whole area of electronic
transfer, trespass, and the whole realm of problems that we see in
this area of computer crime, that we're going to have jurisdiction
problems once again. I wonder whether or not the Congress
shouldn't be addressing those issues.
I wouldn't want to see, for instance, overlapping jurisdiction,
with all the problems that that brings. The question is,as a matter
of policy, shouldn't the Congress decide which agency is going to be
the agency to investigate these offenses ?
Mr. KEENEY. I've got a parochial response to that. I think, Mr.
Chairman, that, and you'llhave to forgive me with my background,
that is a determination that the Attorney General is in a better po
sition to make .
Mr. HUGHES. Well, I find the Attorney General, and it's no criti
cism of this Attorney General - every attorney general — that I've
worked with , is hesitant to step on turf. We get right back to the
same problemwe have today with who's goingto follow up on drug
investigations? Is the Customs Service going to follow up where
they get some leads or is it something that should be turned over
to DEA ? Oris it a matter that the FBI should follow up on where
there's overlapping jurisdiction, let's say, with the Border Patrol?
You know , I find that often , cases fall through the cracks be
cause we often end up in turf battles. The Attorney General is
under immense pressure at times, and we saw that with the posse
comitatus law, from , for instance, the Department of Defense when
they got very concerned about treading on their turf, to the point
where the Department of Defense neutralized the Justice Depart
ment. We couldn't get them to come in and take a position on the
modification of the posse comitatus law.
They love it now, but it was basically a turf battle.
Shouldn't we deal with that policy issue here ? Isn't that some
thing that we should decide as a matter of policy ?
Mr. KEENEY. Well, certainly, it's within your right to decide as a
matter of policy.
Mr. HUGHES. I understand that. I understand that we're the pol
icymakers. But in your testimony you're saying, leave it to the At
torney General .
Mr. KEENEY. He's the chief law enforcement officer, Mr. Chair
man, and he's in a position to evaluate that and make adjustments
as we go along.
Mr. HUGHES. But he has to also live with the other members of
the Cabinet.
 175

Mr. KEENEY . He does . He does.

Mr. CLARKE. I think that there are some special considerations
here, Chairman Hughes. I share your concerns about overlapping
jurisdiction. And when you look at the issue of computers, it's anal
ogous to a gun or a pen because you can use the computer as an
instrumentality in the crime and while you have an individual - if
you passed a law that says anybody that commits a crime with a
gun, it's a Federal law , it would become very difficult to handle
that issue .
The same thing with a computer. As I mentioned earlier, the
computer can become involved in the organized crime program , can
become involved in the personal crimes program , areas that have
been traditionally carved out for a particular agency and have on
going programs.
And those kinds of issues, I think, present problems in dealing
with defining specifically the area of jurisdiction. And therefore,
with the Attorney General making those decisions, I think that
they can be accommodated.
Mr. HUGHES . Is the Department of the Treasury in accord with
that ?
Mr. CARLON. I don't think, Mr. Chairman, that I would touch the
question of who should decide .
Mr. HUGHES. I think you're wise to just take the fifth . [Laugh
ter.]
Mr. CARLON . But I would like to make an observation . Probably
now more than in the past, the law enforcement community in
general has realized that we have limited resources. There is a
need to maximize those resources to deal with specific problems.
We , for the first time, are involved in memorandums of under
standing with the FBI and with the Postal Service in an attempt to
deal with these problems.
And I think that there are a number of issues where we're not
treading on each other's turf. I think we have progressed to the
point where we can recognize that we all have a contribution to
make in the area and that, in a sense, out of necessity, we have to
work together and try to get over the turf issues.
Mr. HUGHES. I agree with that. The unfortunate thing is, howev
er, that, for instance, when you have three wiretaps in one commu
nity by three separate agencies on the same issue without anyone
talking to one another, we're not maximizing our resources.
Mr. Carlon. I could not agree with you more.
Mr. KEENEY. Mr. Chairman , with respect to wiretapping, wire
tapping is highly centralized within the Department of Justice, so
the overlap is readily picked up. I recognize that there is a problem
in some areas, but I suggest that in the wiretap area, the problem
is rather minimal .
Mr. HUGHES. I agree, it's probably less so than in other areas.
But we find that various State police forever are running wiretaps
and the Feds are running wiretaps on the same subject. They're
often not talking to one another. Sometimes another agency is run
ning a wiretap that overlaps with a drug investigation and that's
notbeing picked up. We're not maximizing resources.
 176

Shouldn't we, as a matter of policy, be making an effort, even

though it's very difficult, as Mr. Clarke, has very vividly pointed
out, to try to coordinate everybody ?
The answer would be if we could get all you fellows talking to
one another a little more, we wouldn't perhaps have that problem .
But, unfortunately, with these institutional barriers that we have
created over the years, that's a very difficult task. The question is
whether we should exacerbate the existing problem as we go into
new areas of investigation.
Mr. KEENEY. Mr. Chairman, as Mr. Carlon pointed out, we are
doing a lot more talking than we've done in the past.
Mr. HUGHES. I agree that has improved but not enough.
Mr. KEENEY. Maybe not enough. You're probably right.
Mr. HUGHES. OK . Thank you .
Mr. MAISCH . Mr. Chairman . Excuse me .
Mr. HUGHES. Yes, sir.
Mr. MAISCH . In reference to the jurisdictional features, I think
each of the law enforcement agencies can see ways in which com
puters are being used or can be used to commit crimes which are
currently under its investigative jurisdiction. Investigating the ma
nipulation of computer or electronic data information is conducted
as an extension of existing laws which we're looking at. This would
also allow any agency the flexibility to pursue these investigations
in conjunction with current enforcement activities and would also
help, in the prosecution of these cases.
Mr. HUGHES. I think that that's a good suggestion .
Thank you very much. I think that we have highlighted one
thing — we've got to look at coordination a lot more closely than we
have in the past. I would encourage the ongoing discussions to con
tinue with the private sector, and we would welcome informal
meetings, not in the context of these hearings, so that we could de
velop the very best piece of legislation. We're obviously not going
to do anything this year. We're just about finished here.
We're going to have someadditional hearings next year. I think
it's an important area and I'd like to be able to develop a compre
hensive bill, one that would address as many of the problems as we
can in the context of this legislation.
So, to that end, we look forward to working with you.
Mr. KEENEY. Thank you, Mr. Chairman.
Mr. CLARKE. Thank you.
Mr. HUGHES. Thank you very much. Our next panel consists of
Ms. Susan Nycum . Ms. Nycum has practiced in the area ofcomput
er law for some 20 years and has been involved in the legal aspects
of computer abuse for some 13 years. She's a partner in the law
firm of Gaston , Snow & Ely Bartlett in California. Ms. Nycum has
authored numerous articles on the legal aspects of computer crime,
has performed studies of computer abuse for the National Science
Foundation, the Bureau of Justice Statistics in the Department of
Justice and the Office of Technology Assessment.
She has had a most distinguished career and is quite an expert
in this whole area of computer abuse.
Our second panel member is Mr. Donald Johnson, who is chief
counsel to the Pennsylvania Crime Commission, a position that he
has held since 1981. He's a graduate of LaSalle College and has a
 177

doctorate in law from Villanova. He's been a senior trial attorney

with the attorney general's office of Pennyslvania and has had a
most distinguishedcareer with the bar over the years and we're
just delighted to welcome you to our subcommittee hearing today.
We have one additional panel member. Mr. Peter Waal, of GTE
Telenet, Vienna, VA. Mr. Waal is the vice president of marketing
and plans for network services at GTE. He's worked in the field of
computer software systems development and telecommunications
for over 25 years. Prior to his association with his present firm , he
was vice president of technical services for Applied Data Research,
Inc. of Princeton, NJ. Likewise, he's had a most distinguished
career and we're just delighted to welcome you to our panel today.
We have your statements which , without objection , will be made
a part of the record in full and we hope that you can summarize
for us.
Why don't we begin with you , first, Mr. Johnson.
TESTIMONY OF DONALD E. JOHNSON, CHIEF COUNSEL,
PENNSYLVANIA CRIME COMMISSION, ST. DAVIDS, PA
Mr. JOHNSON. Good morning, Mr. Chairman .
Mr. HUGHES. Welcome.
Mr. JOHNSON. Mr. Chairman , I'll be very brief in my remarks.
Obviously, in attempting to answer the question, is there a need for
Federal computer law , I think that we've come to the point that we
appreciate that the legal system is incompetent or not competent
to address the issue.
In Pennsylvania, 1981, I had the pleasure and misfortune of pros
ecuting the first computer crime. It involved theft of service of $3
million, theft of tangible property in excess of $100,000. Seven de
fendants were involved. The youngest were juveniles, the other five
very young adults, the oldest being 21 years of age. They were all
at the top of their class, all from very fine homes, two matriculat
ing on scholarships to graduate school.
Because Pennsylvania had no law dealing with computer crime
or computer-assisted crime, we did , or we had to do, what prosecu
tors across the country do — we shoehorned it into a statute de
signed for stealing horses and cars.
The people that stole in excess of $3 million were tried, Mr.
Chairman , and convicted for the theft of $16,000 in computers
simply because Pennsylvania's criminal statutes, not unlike the
other States, are anachronistic. Seventeen of the States have
passed computer legislation.
Appreciating the difficulty in charging in the computer investi
gation, we sat down and drafted a.computer statute . We'd like to
think that it represents the highest degree of intellectual theft. We
cannabalized everything that we could lay our hands on.
From a technological point of view , we sat down with members
in the private sector, Ph.D's in engineering and related fields, and
they helped us draft the definitional section. I was present earlier
when you posed the questions to the first panel regarding techno
logical longevity. It was suggested to us by the people in the pri
vate sector who drafted the definitional section that that section
 178

had a life expectancy of 40 years , and that was the most that you
could hope for.
In fact, we drafted the definitional section , I believe, April 1 , and
later that month they called us back for a redraft because they re
alized that they were about to begin communicating and transfer
ring funds on light beam and light beam was not part of the defini
tional section .
Second, regarding my prepared remarks, Mr. Chairman, is H.R.
3570, subsection (a)(3), competent to deal with computer fraud ?
Very respectfully, sir, it is not, and I could not help but shake my
head in agreement when I heard earlier this morning the sugges
tion that that be separated out and treated apart, separate and dis
tinct from credit card and other fraudulent behavior.
Thank you, sir.
[Statement of Donald E. Johnson follows:]
STATEMENT OF DONALD E. JOHNSON
Mr. Chairman and members of the subcommittee, good morning. It is a pleasure
to be here today to present Pennsylvania's experience in investigating and prosecut
ing computer crime, and to assist in answering two questions, i.e. is there need for a
federal computer law and if so, is H.R. 3570, specifically Section 1029(a )(3 ), the
proper vehicle for such law. In a broad sense these two questions actually ask if our
present judicial system is competent to deal with computer crime—the answer is no,
it is not. The question of judicial competence, computer crime, and if there is a need
for federal computer law evolve from the simple fact that the modern criminal has
kept pace with advances in technology and has found ways to apply such innova
tions as the computer to criminal ventures. Unknowingly and probably unintention
ally, he has alsorevealed the difficulties of the legal system in applying older tradi
tional laws to situations involving non -traditional crime.
To the first question, is there a need for federal computer law-yes. The United
States is heavily dependent on computers. A few examples support this conclusion,
e.g. computers oversee our monetary and banking institutions (600 billion dollars
are transfered on a daily basis), all air traffic control, the military, the treasury;
computers run complex industrial plants including nuclear powerplants; they playa
key role in our defense, maintain accounts receivable, stock brokerage businesses ,
business inventory; they operate power and communication systems, billing systems,
maintain trade secrets and medical/psychiatric records, and all criminal history
record information .
Prosecutors distinguish between two types of computer criminals. On the one
hand, are those who use computers as a tool to defraud banks or other businesses,
often using modern technology to cover their tracks.
On the other hand are the new computer criminals who seek to obtain or destroy
information , sometimes confidential, that is stored in networks of interlocking com
puter systems. These new computer criminals are known as hackers — who have a
culturethat says it is all right to do anything in computer technology.
Statistics compiled by various government agencies project computer crime at a
yearly cost of $1 billion to $ 5 billion. The statistics suggest that only 1 % of comput
er crime is reported; only 7 to 12% of that 1 % is formally investigated by law en
forcement authorities; a lesser percentage of those crimes investigated result in
arrest, with a lesser percentage of those arrested brought to trial, with a lesser per
centage of those brought to trial convicted, and with a lesser percentage of those
convicted receiving incarceration. Statisticians conclude that only 1 out of every
23,000 computer crimes is punished by jail . A number of reasons are responsible for
such statistics, but of major importance is that technology has outgrown the crimi
nal statutes which exist for society's protection. We are now linking unauthorized
computer use and computer assessed crime to general criminal statutes that never
contemplated the computers' existence, and the results are less than good.
Look at Pennsylvania's experience - two juveniles and five adultsstole 2-3 million
dollars in services and in excess of $ 100,000 in tangible property. We had no appro
priate statute under which tocharge them so they were charged with common theft
of property with valuation of $ 16,000.
Is H.R. 3570, Section 1029(a )(3) fit for its purpose, i.e. define prohibited conduct,
define what is criminal. No, it is not. Subsections ( a )( 1)(2 )( 3) of H.Ấ. 3570 attempt the
 179

extrernely difficult task of articulating the general mens rea required for the estab
lishment of liability. As our criminal law has evolved, we have identified and de
fined at a minimum, four different kinds of culpability, i.e. intentionally, knowingly,
recklessly and negligently. Each of these kinds of culpability and their definitions
should be acknowledged by H.R. 3570. By doing so, the bill would recognize that the
material elements of offenses vary in that they may involve (1 ) the nature of the
forbidden conduct or (2) the attendant circumstances or (3 ) the result of conduct.
With respect to each of these three types of elements, the bill should attempt to
define each of the kinds of culpability that may arise. The resulting distinctions are
necessary and sufficient for the general purposes of penal legislation.
The purpose of articulating these distinctions in detail is, of course, to broadly
and completely define the prohibited conduct, promote the clarity of definitions of
specific crimes and to dispel the obscurity with which the culpability requirement is
often treated when such concepts as "general criminal intent," " mens rea,” “ pre
sumec intent," "malice," "wilfullness," " scienter” and the like must be employed.
what Justice Jackson called "the variety, disparity and confusion ” of judicial defini
tions of " the requisite but elusive mental element” in crime (Morissette v. United
States, 342 U.S. 246, 252 ( 1952)) should, insofar as possible, be rationalized by the
bill. For a historical perspective, see Remington and Helstad, The Mental Element
in Crime-A Legislative Problem ( 1952) Wis. L. Rev. 644; Perkins, A Rationale of
Mens Rea , 52 Harv . L. Rev. 905 ( 1939).
As an aside, the definitional section of H.R. 3570 appears inadequate to accom
plish the purpose of 1029 (a )(3 ). Please see Pennsylvania Crime Commission computer
crime bill submitted earlier to this Body.
Mr. Chairman, that concludes my prepared testimony and I would be happy to try
to answer any questions the Subcommittee may have.
Mr. HUGHES. Thank you very much. That's a vote - bells ring
ing-so we're going to recess for 15 minutes .
[Recess.]
Mr. HUGHES. The subcommittee will come to order.
I wonder if the panel will come forward again . I apologize for the
delay, but besides the vote, we've had some difficulties tryingto ac
commodate other things that are happening on the floor . SoI hope
you'll bear with us.
I believe that, Mr. Johnson, you had concluded your testimony.
Ms. Nycum, welcome.
TESTIMONY OF SUSAN NYCUM, GASTON, SNOW & ELY BARTLETT,
PALO ALTO, CA
Ms. NYCUM. Thank you, Mr. Chairman . Good morning. I'd like to
confine my spoken remarks to three issues that I addressed in the
written remarks. And I'd like to also comment that I am here as
an individual and do not represent any organization in my testimo
ny. Therefore, it does not necessarily reflect the views of either my
colleagues at Gaston, Snow & Ely Bartlett or any of our clients.
First of all, I'll comment on H.R. 3570. I feel it speaks directly,
simply and clearly to a number of types of computer abuse that
have been reported. And I particularly commend it for avoidingthe
pitfalls of certain other proposed legislation which include defini
tions of technical terms. As the last testimony shows, it's very diffi
cult to freeze technical definitions at a time when the technology is
constantly changing.
However, I would like to point out that there are a number of
types of abuses which would not be denoted as crime under H.R.
3570. These would include misuses of computers other than for the
purpose of executing a scheme to defraud and damaging, destroy
ing, or altering assets within computers other than for that pur
pose .
 180

Some of those activities which would not be included would be

vandalism to computer systems and software, system hacking
that is, the act of looking around inside computer systems— and
also, privacy intrusions by what we might refer to as electronic
peeping toms .
I would also like to comment on what I think the best approach
for the future would be. I think it might tie in somewhat to the
testimony earlier this morning.
I think that H.R. 3570 is a good step forward, but I would also
recommend that the Congressconvene a national commission on
information crime with a charter similar to that of the Privacy
Protection Study Commission that had been previously convened .
There are a large number of issues to be aired, points of view to
be heard. In my experience in 14 years in studying this area, I can
identify a number of issues. It's very much more difficult to identi
fy the proper resolution of those issues.
There are broad questions as to whether or not it's necessary to
have a law at all. I personally feel that it is. And if so, whether it
should be one omnibus law or a number of individually directed
laws.
There's also data to be gathered on the technology, including
trends of development of new technologies.
The present computer crime laws in place in the States and the
proposed Federal legislation tends to focus on the medium and not
the message. And I feel rather strongly that in the future, it is in
formation and information processing that has to be the focus of
protective legislation , not just the technical mechanisms or compo
nents that constitute the processing function .
I think a national commission can look at some legal and policy
considerations in this respect. What is information ? Is it property ?
Is it a resource? A public good ? Some or all of these things?
I'd also like to urge that in addition to a national commission
that there be a center established for sharing of information and
advice on computer and information abuse and security within the
Federal Government. That also was discussed this morning .
One of the difficulties we have now is just finding out what
crimes involving computers have been reported. The statistics are
not kept ina helpful way at the moment.
I know that there is good work going on, particularly from my
own experience in the Bureau of Justice Statistics and other parts
of the Government. It think it would be very helpful, both to the
Federal Government and to the State and local, and also to the pri
vate sector, to have that information available.
That concludes the summary of what I wanted to say this morn
ing. Thank you .
Mr. HUGHES. Thank you, Ms. Nycum . Mr. Waal.
[Statement of Susan Hubbell Nycum follows:)
TESTIMONY BY SUSAN HUBBELL NYCUM ON COMPUTER CRIME

INTRODUCTION
My name is Susan Hubbell Nycum. I have practiced computer law for 20 years
and have been involved in the legal aspects of computer abuse for 13 years. I am a
partner in the national law firm of Gaston, Snow and Ely Bartlett and am resident
 181

in the firm's Palo Alto, California, office. I am the partner in charge of the firm's
Computer and High Technology Group.
I authoried the first articles on the legal aspects of computer crime, which ap
peared in the " American Bar Association Journal,” the " Rutger's Journal of Com
puters and the Law ,” the “ University of Pittsburgh Law Journal,” and others. I
have performed studies of computer abuse for the National Science Foundation , the
Bureau of Justice Statistics in the Department of Justice, the Office of Technology
Assessment, the Internal Revenue Service, the Social Security Adminsitraiton, and
the Canadian Department of Justice, as wellas for private organizations.
I am a past chairman of the American Bar Association Section of Science and
Technology, and currently Vice President of the Computer Law Association and one
of three American Bar Association members of the National Conference of Lawyers
and Scientists. I have represented the United States as one of a three person State
Department led delegation to the OECD meeting on national vulnerabilities, which
focused heavily on computer crime. I have lectured extensively on the subject at
universities and professional symposia throughout the world .
THE NATURE AND EXTENT OF COMPUTER CRIME AN ABUSE
For purposes of the study of computer crime for criminal justice, computer crime
is defined as any illegal act where a special knowledge of computer technology is
essential for its perpetration, investigation, or prosecution. Computer crime is not a
single type of crime different from other crimes. Rather, nearly all kinds of crimes
can be committed through computers. In fact, we have documentation of crimes of
most known types involving computers.
In the work that I havedone over the years with Donn Parker, my colleague at
SRI International, we have found that computer abuse falls into four categories:
Financial fraud and theft.— These can be incidents of theft of money from finan
cial institutions or goods from businesses.
Information fraud and theft. - Information can be data such as business secrets
stored in computer systems, valuable computer programs and data about individ
uals.
Theft of services.-Systems hackers who use computer time to " look around ” or
employees who run entire profitable computer enterprises such as service bureaus
onthe company or agency computer system are examples of this kind of abuse.
Vandalism . - Computers have been damaged or destroyed as have data bases and
programs.
Computers can be involved in four ways to perpetuate crimes :
A computer can be the object of attack . For example, international terrorists have
used bombs and submachine guns to attack at least 28 computer centers of multi
national companies and government agencies in Italy and France over the past 4
years. A misguided employee of a U.S. company firebombed a computer of a compet
ing company for the purpose of giving his employer a competitive business advan
tage.
A computer can be the subject of a crime by providing the automated mechanisms
to modify and manipulate new forms of asets such as computer programs and infor
mation representing money. For example, bank frauds have been accomplished by
manipulating the system to transfer small amounts of money from many accounts
into one account which is later withdrawn (the Salami techique ). Bogus accounts
have been created in computerized delivery or accounts payable systems to which
goods have been shipped or money paid by financial institutions and retailers.
Changes to computerized data have resulted in inflation of inventories of credit rat
ings, employment reviews, college and school grade records, etc.
A person can sue a computer as a tool or instrument for conducting or planning a
crime. A perpetrator modeled his projected crime on a computer to alert him to the
amount of actitivies he could engage in without attracting attention to his deeds
and later used the computer as a management tool to keep track of the activity. A
car theft ring used the computer in a government agency to mask the theft of cars.
A stockbroker used a computer to produce forged investment statements showing
huge profits to decieve his clients and steel $53 million.
A person could use only the symbol of the computer to intimidate or deceive. The
same stockbroker told his clients that he was able to make such huge profits on
rapid stock option trading by using a secret computer program in a giant computer
in a Wall Street brokerage. He had no such program nor access to the computer,
but hundreds of clients were convinced enough to invest a minimum of $100,000
each .
 182

No one knows the extent of computer crime and abuse. I, along with others, am
constantly asked for statistics oncomputer crime. For a numbr of reasons this ques
tion is not possible to answer. Many crimes are never reported . They are not pur
sued by the victim or are dealt with by the victim internally. In other situations,
prosecution is declined by the cognizant law enforcement agency. Furthermore sta
tistics on reported and prosecuted crimes are not categorized law enforcement
agency . Furthermore statistics on reported and prosecuted crimes are not catego
rized in ways so that they are easily identifiable as computer crimes.
The information collected in my work , and that of Donn Parker are kept at SRI
International. The file includes 1100 cases and is the largest collection of the docu
mentation of reported incidents categorized by the definition used for criminal jus
tice research . We have, in addition, a new joint project underway for the Bureau of
Justice Statistics of the U.S. Justice Department to enumerate all cases charged
under the 21 existing state computer crime statutes.
H.R. 3075

H.R. 3075, 1029(a)(3) speaks directly, simply and clearly to a number of types of
computer abuse that have been reported. It also avoids the difficulties of certain
other proposed legislation in that it does not attempt to create technological defini
tions. Other proposed legislation has suffered from the inclusion of definitions that
are tied to today's technology when that technology is not static but constantly
changing
However, there are a number of types of abuses perpetrated in connection with
computers and information processing that would not be within the purview of H.R.
3075. These include misuse of computers other than for the purpose of executing a
scheme to defraud and damaging, destroying or altering assets contained in comput
ers other than for the purpose of executing a scheme to defraud. Some of these ac
tivities are vandalism to computer systemsand software, system hacking and priva
cy invasions by electronic “ peeping toms.
RECOMMENDED FUTURE ACTION
H.R. 3075 is a good step forward in combating computer abuse. It must, however,
be accompanied by further steps.
I recommend that Congress appoint a National Commission on Information Crime
with a Charter similar to that of the Privacy Protection Study Commission. There
are points of view to be heard on technical legal issues such as intent. There are
broader questions as to whether we need a law at all and if so whether it should be
an omnibus law or a number of individually directed laws. There is data to be gath
ered on questions related to the technology including the trends of development of
new technologies.
The present Computer Crime laws and the proposed legislation continue to focus
on the medium and not the message. In the future, it is information and informa
tion processing that will have to be the focus of the protective legislation, not just
the technical mechanisms or the components of that processing function. A Nation
al Commission can address the legal and policy considerations to be raised regard
ing information: It it property, a resource, a public good or all of these and more.
A good stimulus to the assessment is the proposed legislation sponsored by Con
gressman Bill Nelson, House Bill 1092 " Federal Computer Systems Protection Act."
Representative Nelson has expertise and experience in this area of legislation and
the concepts contained in thatbill reflect throughful consideration of the issues.
In addition to creating a National Commission, I am also in favor of establishing a
center for exchange of information and advice on computer and information abuse
and security. This center would directly benefit the government agencies and de
partments at all levels and could be helpful to the private sector as well.
From my work with the Department of Justice, Bureau of Justice Statistics, the
Office of Technology Assessment, the Internal Revenue Service and the Social Secu
rity Administration, as well, as NBS that has issued a new security certification
guideline, I know of the excellent work that these and other government organiza
tions are doing. It would be a service to all of government and to the private sector
to share that experience and advice.
Representative Ron Wyden has proposed a plan very similar to these ideas in
House Bill 3075 " Small Business Computer Crime Prevention Act." That concept
has great merit and should be expanded to all areas of Computer and information
crime.
 183

TESTIMONY OF PETER WAAL, VICE PRESIDENT, MARKETING ,

GTE - TELENET, VIENNA, VA
Mr. WAAL. Thank you , Mr. Chairman. On behalf of GTE - Telenet
Communications Corp., I'd like to express my company's apprecia
tion for the opportunity to appear before your subcommittee today
on the proposed legislation in H.R. 3570.
As the witnesses preceding me did, I intend to summarize these
remarks very briefly.
Our particular area of concern is with section 1029 (a )( 3) relating
to computers. We certainly applaud this effort to deal with comput
er fraud. However, we believe that this bill, or any other compan
ion legislation, must come to terms with what migh be called
“electronic trespassing .”
The area of trespassing is one that has been discussed in earlier
testimony: We have, as a provider of data communications services
to a broad -based segment of industry and government, experienced
a number of incidents of electronic trespassing which have used
our facilities to access computers owned or operated by our custom
ers and, as a result, have acquired some insight into the relevance
of electronic trespassing to the other offenses which are encom
passed by the more traditional definitions of crime.
The activities which have been generally called hacking have
constituted a major precedent condition to the kinds of crime that
can be conducted by using computers. But I think focusing on the
computer itself is a distraction away from the primary offenses
which are taking place against the information contained in those
computers or which is being manipulated, managed, or transported
by those computers.
I think part of that concern has to do with the need to equate
information with property in terms of some of the definitions of
these types of offenses that are taking place.
We note that as long as 16 years ago, the gross national product
consisted of nearly a 50-50 split of information services and tradi
tional goods production. And I would suspect that if one took a
more recent view of the GNP, one would find that the information
economy is dominating it today.
The fact that we have a number of youngsters who have become
technologically precocious and able to use instruments such as
computers to perpetrate incidents of electronic trespass against in
formation resources is, of course, of great concern to us. We have
made a number of comments in our prepared testimony which
relate to specific concerns that we have in that area .
The primary one that occurs to me now is that the hacking inci
dents are certainly newsworthyand are getting a great deal of play
in the press. But they tend to be of the nature of masking poten
tially more serious activities that are underlying, or result as a
consequence of, hacking-type activities.
Therefore, I would like to suggest that our position is that the
proposed legislation doesn't quite fully address today's problems in
terms of the concern about electronic trespass, in that the electron
ic trespass, as we have defined it, has a significant adverse effect
on the valid use of computers and computer networks. Further,
that electronic trespass is a byproduct ofthe growth of the ability
 184

of computers to communicate and has been fueled by the prolifera

tion, the recent proliferation, I might add, of personal computers.
And that crimes such as fraud , which are committed while using a
computer, cannot be adequately contained until there is effective
law regardingelectronic trespass.
With that,I'd like to conclude my informal remarks concerning
this testimony.
Thank you very much.
[Statement of Peter C. Waal follows:)
TESTIMONY BY PETER C. WAAL

GTE Telenet appreciates the opportunity to appear before the Subcommittee on

Crime relative to the proposed legislation in H.R. 3570. Our own particular area of
concern is with proposed § 10029 (a )(3) relating to computers. We applaud this effort
to deal with computer fraud. However, we beleive that the bill must come to terms
with what might be called electronic trespassing. GTE Telenet provides data com
munications services in every one of the 50 United States and also serves 51 foreign
countries. The Telenet network provides the physical and logical linkage between
computers and terminals which enables them to " exchange" information .
I have worked in the fields of computer programming, systems and telecommuni
cations for 25 years. Since 1976, I have been affiliated with GTE Telenet Communi
cations Corporation, a leading supplier of data communications services and sys
tems, where I have been responsible for the application of data communications
technology to the computer networking requirements of government agencies, edu
cational institutions, business organizations and industrial corporations. I am cur
rently Vice President of Marketing and Plans for the Network Services group of
GTE Telenet, based in Vienna, Virginia.
The proposed legislation, to some extent, reflects the concern with what is popu
larly referred to as “ Computer Crime” . I believe that this bill, while admirable in
its intent, does not fullyaddress all the problems facing us today.
A computer, in and of itself, is incapable of being used or abused in any criminal
context any more than an automobile or any comparable machine. What has al
lowed the computer to lead us into the “ Information Age" is the ability of comput
ers to communicate with one another and with society at large. Unfortunately, a
byproduct of the spread of this communications ability has been the advent of the
misuse of computers and of the information stored in them. This trespass against
information resources (which resources are rapidly becoming more valuable than
physical resources) is a serious threat. It is my opinion that this form of electronic
trespass, in the long run, is a greater threat than the fraudulent use of computers
to which apparently the proposed bill is addressed.
To help explain the problem some historical background is needed:
We are today well along into the so -called post-industrial society, or “ Information
Age ” . This era is generally considered to have begun in 1956 when, for the first time
inAmerican history, white collar workers outnumbered blue collar workers. Sophis
ticated technologies, such as the computer and telecommunications, have not caused
this profound transition, but have contributed substantially to its accelerating pace
with the rampant proliferation of computers into nearly every facet of our society.
From the beginning of time until 1980, there were less than a million computers
in the world. Today, about that many arebeing added every year! This technological
revolution has produced awesome challenges to our economy, our educational
system and to our criminal justice system .
In the early 1960's, computers were generally huge machines which were installed
in air-conditioned " bunkers” and accessible only by a very limited group of techni
cians who attended to their operation and maintenance requirements. Physical secu
rity was the only form of protection needed since there was no possibility of remote
electronic access. Computer resources were thus inaccessible to the general public.
By the mid -1960's, computers had become remotely accessible in a very limited
way through the connection of remote terminals which provided means to enter
data, usually via decks of punched cards, and to retrieve output, usually in the form
of printed listings. These remote terminals were permanently connected to the main
computer with elecrical control cables and were usually attended by operators.
Therefore, the threat of unauthorized access was still very slight because both the
main computers and their remotely connected terminals were in the physical custo
dy of their owners or operators who could prevent intrusions.
 185

By 1970 it had become quite common for computers to be accessed remotely from
many interactive, user-operated (i.e. keyboard /display) terminals thereby fostering
the rapid growth of combination computing and communications oriented systems.
These systems were still generally constructed in such a way that the terminals
were permanently connected to the central computer via telecommunications cir
cuits. The threat of unauthorized access was thereof still primarily related to the
physical security of the central computer and the remote terminals which were gen
erally located on premises controlled by the same organization which owned the
central computer.
During the 1970's, however, computer networking began to increase. In the first
three scenarios described above, the computers and their associated remote termi
nals were interconnected on a private basis so that generally a single organization
had custody and control of both central and remote network elements. With the in
creasing demand to share information and the availability of technology which en
abled the sharing of expensive communications facilities, computernetworking
flourished . Rather than privately controlled facilities, the network elements were
shared among many, often unrelated users with significant cost saving benefits.
Companies were formed to serve this new demand for low cost worldwide
networking. GTE Telenet, a leading supplier to this market, began operations in
1975. The Telenet network , as an example of this technology, functions very much
like a world -wide electronic conveyor belt which currently serves more than 1,200
computers in the United States and more than 200,000 terminals. GTE Telenet's
customer list is a representative cross section of our society, encompassing govern
ment agencies, educational institutions, major corporations and small businesses.
The computer networking era brought dramatic new capabilities to the data com
munications marketplace. For example, networks enable otherwise incompatible
computers and terminals to communicate with one another by translating codes and
protocols between these devices in real time, very much like the United Nations
providing simultaneous translations to a multilingual diplomatic constituency. An
other example is the accessibility of computers which are connected to networks
from local telephone exchanges via dial-in facilities. With this capability, every com
puter which is connected to a modern computer network can be reached from any of
the 100 million telephones in the United States by means of a local telephone call to
the nearest network access point. It is this very capability which has also enabled
the recent flurry of electronic trespassing incidents. By combining the ubiquity of
the telephone with the capability of the personal computer, a whole new dimension
of criminal activity becomes possible.
As computer networking and distributed data processing has grown so has the
" user-friendliness” of accessing computer resources through the networks. The re
quirement of user-friendliness is a natural outgrowth ofa desire to allow large num
bers of authorized users access to computer resources. Most systems use some sort of
variant of an Identification Code /Password system . This generally consists of simple
codes which are easy for users to remember and simple to type. Until recently, this
form of security was sufficient, since most users only had the ability to use “ dumb"
terminal devices for access. Within the last two years this has changed with the
advent of the personal computer. The personal computer allows its user to employ
the power of the computer to break into other computer systems by systematically
speeding up what would otherwise be a slow, hit or miss process. For example, the
motion picture “ War Games” showed a realistic representation of the automatic di
aling and access capabilities of the personal computer. Another way of saying this is
that prior to the personal computer, password codes were generally satisfactory due
to the security inherent in the tedious trial of combinations necessary to break the
passwords manually. This aspect is now gone.
The reality that the personal computer makes breaking or " hacking" a viable
course is now fairly well known. Recent press accounts dealing with the 414 group
from Wisconsin, the recent breakin to ARPANET, etc. merelyhighlight a problem
which has grown rapidly. It is our feeling that this trespass problem is of equal or
perhaps even greater national importance than that of the use of computers in
fraudulent transactions. Today, there are approximately 3.5 million personal com
puters in use. Only about 200,000 of them have communications capability to access
remote computers via data networks. Market projections indicate that there will be
over 7 million personal computers in use within 3 years. Of these, nearly 2 million
will have the ability to communicate with remote computers. At this rate of growth
there will be ten times the number of potential “ hackers” in three years than there
are today. In parallel with this phenomenal growth in personal computers will be a
concurrent increase in general computer literacy.
 186

Computers and their communications networks represent substantial investments.

These systems are designed and sized to perform specific tasks for their owners.
Many are “ life-line ” applications. Computer " hacking” is an unauthorized and un
planned use of these systems which consumes resources and thereby diminishes the
availability of these systems to perform their intended functions. Únless curtailed,
the practice of hacking will accelerate and eventually result in the obstruction of
performance of legitimate work due to contention with hackers for critical computer
and network resources. Thus the hacker's hobby will inevitably induce cost growth
in our economic system due to the necessary overdesign of systems to handle intend
ed work in addition to the load imposed by hackers. Of the many possible conse
quences of hacking, this one is the most innocuous since it " only ” forces our whole
economic system to bear the costs of an electronic playpen for the hackers.
There are many more serious potential consequences which can result from hack
ing, but all have the common origin of beginning with basic hacking. An example,
much of the software in use today on personal computers has been stolen or at least
permanently “ borrowed ” by people who originally started out as mere hackers. This
is piracy and undermines our copyright laws and economic rights of the affected
parties.
Computer hacking also leads to more serious computer abuses, such as malicious
destruction of data and " true" fraud. Unfortunately there is a widespread percep
tion that computer trespass is not wrong. So long as thereare no directly applicable
Federal laws on electronic trespass, the problem will continue and will stand as a
barrier against solving other problems.
With respect to true fraud, we believe the proposed legislation as it deals with
computers is helpful. There is, however, no directly applicable federal law on elec
tronic trespass. Such a law would be appropriate and serve to substantially reduce
the hacking and allow a concentration of effort on more destrictive abuse ofcomput
er resources.
It is our opinion that an effective law cannot be legislated against fraud unless
the trespass problem is first addressed .
We believe anelectronic trespass statute will dispel the notion that these actions
are not wrong. We would advocate that an appropriate law would vary its penalty
with the nature of the harm, with fraud beingseverely punished, and trespass less
so. We believe that this is truly a Federal problem because of its interstate nature.
We will be happy to work with the Subcommittee to draft appropriate language.
One final note is in order. There is an undercurrent in the press that those in
volved in “ hacking” are technical innovators, "whiz kids ” , who should be commend
ed rather than prosecuted. This is simply untrue. In our experience, over half the
people involved are NOT minors. The technical ability needed to commit the tres
pass is not great. The personal computer does all the work. The skill involved is the
computer age's equivalent of " hot -wiring" an automobile.
Thank you for allowing me to make these comments. I would, if you desire, be
willing to elaborate further.

Mr. HUGHES. Thank you. You probably heard my questions and

my statement about dealing in legislation with the entire range of
problems, including credit card fraud, debit card fraud, electronic
transfer fraud, problems with the intrusion into an electronic
system , intercepting information and information service, and the
whole range ofproblems discussed in these hearings, as opposed to
just dealing with them on a fragmented basis.
Do the members of the panel have any opinion as to how we
should approach it? I gather, Mr. Johnson, that you would separate
them?
Mr. JOHNSON. Yes, sir.
Mr. HUGHES. How about you, Mr. Waal? How do you feel about
that?
Mr. WAAL. Well, I think that the thrust of the legislation would
need to address the basic concern , that information , as the object of
certain types of criminal activity, regardless of the form in which
it's stored or transported, usually today, for purposes of this par
ticular legislation, identified as computers, needs to be refined and
dealt with in a way that allows some more traditional statutes that
 187

govern property in a tangible form to apply equally to the assets

represented in information resources.
Mr. Hughes. How about you, Ms. Nycum ? How do you feel about
it? Do you have any opinion on the scope of any anticipated legisla
tion?
Ms. Nycum. Well, I definitely feel that it should be broad enough
to encompass the activities that now would not be against the law
because of the intangible nature. I know of at least two cases in
which a judge has dismissed a count because the asset was con
tained in an electronic medium .
Mr. HUGHES. I thank you for that . I take it that Telenet is in
somewhat of a quandry. First, your job is to facilitate information
exchange via your dial-in facilities. Now, with the great increase in
personal computers, you have a corresponding security problem.
Mr. WAAL. Well, we agree that there is a tradeoff between what
we describe as “ user friendliness ” and security. One could probably
liken it to the analogy of a public library, where you could have an
absolutely secure library with no possibility of publication theft if
you never let any books out of the library.
We would certainly observe that the exploding use of computers
today and the application of computer technology to our informa
tion economy would be greatly hamstrung if it were not possible to
broaden the accessibility of computers to the user's fingertips. Com
puters as recently as 20 years ago were generally not accessible to
end-users. And, of course, one of the byproducts of the changes in
technology that have taken place is that more computer power is
now at the fingertips of the users, end-users, than was ever previ
ously possible.
That tends to equate with the need for accessibility or user
friendliness. I'm not sure that there is a quantitative way to ex
press the dimensions of the tradeoff as between security and user
friendliness. But I believe that they do have certain mutual exclu
sivity properties that come to mind as we consider that.
Mr. HUGHES. You make a statement in the text of your prepared
statement that over half of the “hackers” are not minors. Who are
they?
Mr. WAAL. Well, by legal definition, they're adults. I'm not sure I
can quantitatively express the exactly up-to-date current status.
But in one particular recent set of incidents that we have been in
volved in, out of 17 perpetrators, 10 were adults. Some may have
been marginally adult, 18.1 years of age, perhaps. I don't have
those statistics at my fingertips. But from a legal definition stand
point, less than half of that group were juveniles.
Mr. HUGHES. Do we havea body of evidence that would suggest
who they are? Do we know who really is doing the hacking ? Do we
have enough data base to be able to determine who is doing the
hacking ?
Mr. WAAL. Well , this is a computer-literate society and that
trend is accelerating. I think that our educational system and our
society at large is encouraging and fostering the growth of comput
er literacy. Itprobably represents a reasonable cross section of our
overall society. They tend to be upscale, privileged people, and gen
erally very bright. It certainly doesn't require a doctorate-type edu
 188

cation to accomplish some ofthe mischief that we have seen publi

cized and have experienced directly.
Mr. HUGHES. Will yoube more specific ? Any evidence that orga
nized crime is moving in?
Mr. WAAL. I have no such evidence, sir.
Mr. HUGHES. Mr. Johnson, did you hear some of the questions
that I asked earlier as to whether if we were to broaden this legis
lation and attempt to reach electronic transfers and other trespass
upon information and information systems, rather than the com
puters themselves.
What's your feeling on that?
Mr. JOHNSON . Perhaps, Mr. Chairman , it's my traditional back
ground, but I would attack this problem as I was trained to attack
it and as I have done for the last 12 years. I would define what con
duct you wish to prohibit, that you want to define as criminal. I
would try to make the definitions as technologically complete as
humanly possible. And I would apply it as a template, as we have
since Anglo -Saxon law.
Mr. HUGHES. You've done that fairly well in Pennsylvania.
Mr. JOHNSON . Yes, sir.
Mr. HUGHES. In the proposal that is being circulated.
Mr. JOHNSON. We tried to, Mr. Chairman .
Mr. HUGHES. OK. The gentleman from Michigan.
Mr. SAWYER. Yes. Do you think that we should broaden the pro
posed statute to eliminate the need of intent to defraud, so as to
include this hacking and that sort of thing?
Mr. JOHNSON. Is that question directed to-
Mr. SAWYER. To either. Anybody.
Mr. JOHNSON. I would say , sir, that I would like to see as a pros
ecutor in the field , accepting an investigation for prosecution. I
would like to have a statute that identifies at a minimum the four
levels of culpability that the criminal system has identified in our
country the last 200 years.
If someone knowingly does something, that should expose them
to criminal liability. If they intentionally do something, likewise,
the same result. But what about the person who is simply reckless
and negligent?
Mr. SAWYER. What's the difference between knowing and inten
tional?
Mr. JOHNSON. Lots of times the difference is inconsequential.
And I don't know at this point if I have the time or the ready back
ground to discuss the semantics of it. In my prepared text, I cited a
treatise on the difference between the act motive or intention . The
hairline differences, the fractures between the two are set forth
there.
But at different times during trial, defense counsel are successful
in arguing that the statute says that if they knowingly did A and
caused B, they are guilty. And they submit to the court and the
jury that their client knowingly did A, but had no idea that B
would occur. He did not intend the result.
So although you have part of it, you don't have all of it. And it's
what people in the field refer to as “ smoke.” It litters the prosecu
tion with a number of side issues.
 189

But especially reckless and negligent. In Pennsylvania, when we

looked at the theft of $3 million, the defense attorneys, their only
defense was these people neverintended to do what was done. They
were simply intellectually curious. They are contemporary Robin
Hoods — they steal from the rich and keep it. [Laughter.]
Mr. SAWYER. Well, if I can observe, it would just kind of strike
me that it would take a Philadelphia lawyer to tell me the differ
ence between intentionally and knowingly. And I was a prosecut
ing attorney, too. We debated that issue ad infinitum with the sub
committee drawing and redrawing the criminal code, chaired by
Bob Drinan here a Congress or two ago , and finally decided that
there wasn't any difference, after we had listened to professors and
professors on semantics and whatnot
So I was just curious when I heard you. I didn't mean to get di
verted, but when you made that distinction, I thought maybe you
could have contributed something that we weren't able to find out.
Mr. JOHNSON . Positively not. [Laughter.]
But as to the level of negligent criminal conduct and reckless
criminal conduct, as a prosecutor, I would love to see that mens rea
in any computer fraud statute.
Mr. SAWYER. Should any legislation be broad enough to include
things like word processors and mathematical calculators, that
kind of thing ?
Mr. JOHNSON . That was another problem in the definitional sec
tion. Once the term “ computer” was defined, people realized that it
covered things as electronic watches, table -top calculators, red traf
fic standards on the highway.
And I believe we successfully limited the definition . It's not total
ly acceptable right now . But by including a disclaimer that the
computer is such, but this is not meant to include consumer -like
devices such as calculators and wristwatches, whatever.
Mr. SAWYER. I need all the help I can get in the computer area . I
think I know a little bit about the law and the semantics. But this
computer - like most of my generation, I'm absolutely ignorant
about it. So that's where—yes?
Ms. Nycum . I was just going to interject that the legislators in
California had a problem with drawing a line at what would consti
tute a computer or computer system . And in the discussions, what
resulted was the following language. It would be a computer,
except for hand-held calculators that were connected to other com
puters. In other words, could transmit.
So they effectively came around to where they had started. It's a
difficult process of doing it in terms of drafting. There has been
some discussion that suggested that what you really ought to do is
include everything and then as a matter of practice, just use the
discretion in prosecuting where it's obvious it's not a wristwatch
that's doing nothing except telling time.
But there are wristwatches that can do other things and increas
ingly, will be able to surprise us with their capabilities.
Mr. SAWYER. Did I understand you, Mr. Johnson, to say that the
definition that you had had a longevity of up to 40 years?
Mr. JOHNSON. That's what the people in the private sector, sir,
projected.

38-178 0 - 85 13
 190

Mr. SAWYER. Boy, that's encouraging if they prove to be accu

rate .
Mr. JOHNSON . If they prove to be accurate.
Mr. SAWYER. You know , we redrafted or drew a new copyright
law in another subcommittee in 1976 and that's already down the
tube because of the evolution in the electronics and the satellites
and the cable, you name it. So we're now starting all over , almost
from scratch . And it's being predicted to us that whatever we turn
out now, we'd better be prepared to redo again in about 4 years.
So that I'm delighted to hear about something that has any hope
ofstaying around for something like 40 years .
Mr. JOHNSON . I would have to say that it's hearsay to me. I'm
just repeating what they said .
Mr. SAWYER. I understand that. Well, the fact that experts are
saying that, because they sure say the other in the communications
field. That's moving so fast that they don't even, can't even get a
handle—even the people in it can't get a handle on where it's going
to be 4 or 5 years from now . And unfortunately, copyright, the
whole doctrine was basically established for printed media and
that's almost becoming passe now . We're trying to adapt old con
cepts to something that is changing so fast, you can't get a fix on it
to do it.
I'm pleased to hear that.
Incidentally, when you were in law school, you didn't know a
Professor McNamara there, did you?
[Pause .)
Mr. JOHNSON . No, sir.
Mr. SAWYER . Well, does anybody have anything else that they
want to contribute or that you think we haven't covered ?
[No response.]
Mr. SAWYER. If not, then we'll stand adjourned . Thank you very
much for coming and taking your time to attend.
[Whereupon, at 12:33 p.m., the hearing was recessed .]
 ADDITIONAL MATERIAL

[From the Miami Herald, May 31 , 1983]

CREDIT -CARD FRAUD THRIVES IN SOUTH FLORIDA

(By Joe Starita)
In June 1982, shortly after they opened a makeshift office in Naples, Arthur
Hoyos and Felix Suarez placed a small ad in The Wall Street Journal. It proved to
be quite a boon for the two Miamians.
Before long, hundreds of total strangers from New York to California had helped
Hoyos and Suarez buy $ 500,000 homes complete with swimming pools, plush fur
nishings, paintingsand statues. The pair bought gold jewelry, a fancy Mercedes and
a sporty Jaguar . They bought their secretary a new BMW. There were gambling
junkets to Las Vegas and fat overseas bank accounts.
In one eight-day stretch alone, Metro -Dade police detectives estimate, the two
men's elaborate credit -card scam netted $250,000 in cash.
“ They acquired a helluva nest egg in a very short time - possibly inthe millions
and none of it was ever recovered,” said Detective Alex Ortega, one of several inves
tigators who helped convict the two men on numerous federal and state charges.
Last December, Hoyos, 34, and Suarez, 35, began serving eight- and six -year
prison terms respectively.
Although caught and convicted, the two men and their rags-to -riches scheme un
derscores what has becomea national nightmare for many banks, business people,
credit card companies and their customers.
In 1982, according to a Congressional subcommittee that opened hearings on the
issue last week, nationwide losses from credit -card fraud totaled a staggering $1 bil
lion.
“ This year, the projected loss in Dade County alone is expected to be between $6
million and $7 million ,” said Metro -Dade Sgt. Arthur Stack , who heads the depart
ment's four-member credit-card squad.
“ It is a tremendous problem and one that is blossoming rapidly. I don't see an end
in sight at this time."
Police and prosecutors are quick to list a number offactors contributing to the
phenomenal growth of America's illicit plastic empire. Without costly and extensive
undercover investigations, credit-card swindlers often are difficult to detect and dif
ficult to prosecute. Penalties frequently are lax. In South Florida, victimless crimes
seldom warrant top priority.
Another key factor, authorities say, is the unwieldy credit-card bureaucracy itself.
It allows slick white -collar criminals, like Hoyos and Suarez, to keep their oper
ations one step ahead of the traditional 30- to 60 -day billing cycles.
THE NEWSPAPER SCAM
In the Hoyos -Suarez scam , for example, the two men offered readers of The Wall
Street Journal cut-rate deals on Sony Walkmans and Atari video games.
Within two weeks, more than 600 customers placed their orders . . . credit-card
numbers.
The two men took the information , bought sheets of plain white plastic and an
embossing machine and opened a Rent- a-Car business near Miami International
Airport.
Using the names and numbers gathered from The Wall Street Journal ad, Hoyos
and Saurez used the plastic to fashion phony credit cards embossed with legitimate
names and numbers. The two men then sent American Express hundreds of invoices
for rental-car bills. American Express paid the two men, then billed unwitting card
holders across the country, many of whom had never been to Florida.
( 191 )
 192

" By the time American Express got word of what had happened - boom - the
whole thing was a bust and they [Hoyos and Suarez) were gone,” said Detective
Ortega.
Meanwhile, the losses for American Express piled up.
And with the exception of New York , nowhere are credit -card losses piling up
faster than in Florida - particularly in Dade, Broward and Palm Beach counties.
FLORIDA NO. 2

Officials representing the major credit card companies report that Florida ranks
No. 2 in the nation - ahead of California and behind New York-in volume of dol
lars lost to fraudulent transactions.
For example, of the $40 million lost in counterfeit transactions by Visa and Mas
terCard nationwide in 1982, $ 8 million-or 20 percent - occurred in Florida, said
Arnold Wenzloff, vice president for security and recovery at Southeast Bank.
Of the $25 million lost nationwide by American Express last year, about $4.2 mil
lion-or 17 percent — was racked up in Florida, a company spokesman said .
“ Probably a good 80 percent of the statewide losses are in South Florida, ” said
Michael Quackenbush, president of Southeast Bank's Southeast Services.
Credit- card fraud in Broward County is responsible for losses of at least $2 million
a year to local businesses, police and prosecutors estimate.
Last year, only 64 persons were arrested in Broward for using stolen or counter
feit credit cards. Although that was nearly double the 35 arrested in 1981 , police
concede that the arrests represent only the tip of the iceberg.
“ Theoretically, there should have been at least 250 arrests last year and maybe a
lot more than that,” said Lt. Joseph Desantis, director of the Broward Sheriff's
fraud -investigations unit.
“ They're just very tough to get, and when you get them , nothing happens to
them ," he said .

SOME RECENT CASES

The credit card losses are the work of both polished, professional gangs and crude,
small-time amateurs. Some of the recent losses involved :
Thirty -two Broward County merchants arrested in March and charged with deal
ing in phony credit cards distributed by multimillion -dollar fraud rings in South
Florida and New York. Broward authorities said the group transacted more than $2
million a week in credit-card frauds in 1982.
At least six Washington -based reporters covering President Reagan's Nov. 16 visit
to Miami reported that they were billed for unauthorized charges of several thou
sand dollars at Dade jewelry and clothing stores.
U.S. postal inspectors in Miami and Broward police received nearly 200 com
plaints in the last six months from Dade and Broward doctors whose names, office
phone numbers and addresses were used on phony credit -card applications.
“ We've apprehended people with 12 to 15 credit cards on them,” said Palm Beach
Sheriff's Detective Liz Kline. Most of the credit card thieves, she said, "are plain old
street people on drugs” who often sell merchandise obtained fraudulently for cash
to buy more drugs.
" Credit -card fraud is one of the easiest crimes in the world to commit, and the
people on the street are well aware of it," Detective Kline said.
Jack Levett, manager of the Surrey's men's clothing store in the Broward Mall,
was one of the 32 arrested in Broward earlier this year.
He was confronted by an undercover policeman and a confidential informant.
Police said the two men told Levett that they had a bogus credit card and wanted to
buy some clothing with it.
Levett told the men to go right ahead, police said.
In the plea -bargain agreement reached last week, Levett pleaded guilty to the
fraud charge. He was ordered to pay $1,000 in restitution, $ 240 in court costs and
put on probation.
Levett still works at the store. “ I don't have anything to say about it,” he said
Thursday.
“ This is the classic slap on the wrist and nothing has changed ,” said Paul Levy,
head of the Business Crime Prevention and Education unit in the Broward Sheriff's
Office. “When people see this, maybe they'll start to know what the hell is going
on . '
What's going on is a lot of lost time and money spent to track down credit -card
fraud . It creates headaches not only for the banks and credit card companies, but
for thousands of their customers .
 193

“It was apainin the rear end to get a new card and to sign affidavits and to give
depositions ,” said a ...
"But in a way, I didn't mind because I wanted to do everything I could to see
these people in jail.”
Florida's No. 2 ranking in credit -card fraud has not been achieved by happen
stance. The state's geography makes it convenient for swindlers to take advantage
of the 60 -day billing cycles for Latin American and Caribbean customers who pur
chase goods here.
The state's highly mobile, transient population and a heavy influx of tourists
steeped in plastic also appeal to scamartists.
Yet even after chargeshave been filed, prosecuting fraud cases can be tricky.
" There are no face-to -face transactions; it's all done on paper. So usually you're
dealing mostly with circumstantial evidence," said Fred Kerstein, an assistant Dade
state attorney who specializes in prosecuting credit card fraud.
" That (credit-card fraud is a low -risk, high -yield criminal investment), unfortu
nately , is accurate,” Kerstein said.
Joe Dawson, Visa International's head of security for Latin America, the Caribbe
an and the Southeastern United States, put it another way.
The question everyone always asks,” he said, " is: 'is it easy to forge a credit
card ?' Well, unfortunately, you have to say it is fairly . . . August in the wake of
mounting outcries from local banks, outlined other problems contributing to credit
card fraud in South Florida .
Although his squad has made perhaps a dozen busts since August, " we haven't
recovered a single dime,” Stack said .
Currently, his department has a warrant out for a New Jersey man who fraudu
lently purchased $ 47,000 worth of motorcycles and video equipment.
“ Although we have an outstanding warrant for his arrest, the State Attorney's
Office budget is not big enough to cover the cost of flying him down,” Stack said .
In such cases, the common denominator is money . “ In the past, property crimes
haven't been cost -effective, so it hasn't been done,” said Stack.
And as a deterrent, state and federal fraud laws pack little wallop.
Said Stack : “ We can arrest a guy for stealing $ 5,000 and another for $ 250,000, and
the penalities are about the same.
“ Actually, you'd be crazy to go out and rob a 7-Eleven and risk seven or 10 years
in prison when you can pull a $ 150,000 credit-card scam and maybe end up with a
year's probation andadjudication withheld .”
In Washington, a bill sponsored by Rep. Frank Annunzio would significantly in
crease federal penalties for fraud while shoring up a number of loopholes in existing
statutes.
The proposed legislation would restrict the distribution of credit -card numbers
and make it a felony to possess 10 or more stolen or counterfeit credit cards or to
use stolen credit cards to obtain $ 1,000 in cash or merchandise in a one- year period.
If the law is enacted, anyone convicted of illegally giving out credit-card numbers
could be sentenced to ... now , anybody can give out your credit-card number to
anybody else with no fear of criminal orcivil prosecution ,” said Ken Swab , a House
Consumer Affairs Subcommittee staff member.
Under the proposed law, anyone convicted of using a stolen credit card to obtain
more than $ 1,000 in cash or merchandise or for possessing 10 or more stolen credit
cards could be sentenced to 10 years in prison and fined $ 10,000.
The Annunzio bill, which opened for hearings last Monday, is expected to go to
the House floor for a full vote by mid - June.

How To PREVENT CREDIT

CARD RIPOFFS
(By Joe Starita )
Although credit -card fraud probably will never be eliminated , card holders can
take precautions to minimize their risks.
Under federal law , a card owner is liable for $50 after a credit card is reported
stolen . If the card is not stolen but the number is used without authorization, the
owner is not liable for any charges made. But the owner must prove that he or she
did not make the purchases.
To avoid fraudulent use of your card :
Report all lost or stolen credit cards immediately.
Destroy all carbons from sales receipts to avoid someone rummaging through the
trash, getting your name and card number and using them to manufacture a coun
terfeit card .
 194

When you present your card to a merchant, check the card he gives you back to
make sure it's yours.
Keep your eyes on your card to be sure that the merchant imprints only one sales
receipt.
Do not give you card number to callers who say they represent your bank or
credit-card company. If they really are who they say they are, they should know
your number.
Open credit -card bills as soon as they arrive and check to make sure that all
charges are legitimate. Keep sales receipts so you can reconcile the dollar amount of
each purchase with the final bill.
Many banks and credit -card companies have initiated tough new policies to cut
down on the amount of credit -card fraud.
Before signing up new merchants for Visa and MasterCard accounts, Southeast
Bank officials in Miami now insist upon thorough background checks to assess the
financial stability and legitimacy of those merchants.
" Before, our requirements were pretty dog -gone easy ,” said Arnold Wenzloff,
Southeast vice president for security and recovery. “ But we are much more strict in
signing up new merchants now ."
Thesecurity department for Southeast Bank, which handles 500,000 Visa and
MasterCard accounts through Florida, employs a full-time staff of 33 whose sole
task is to track down credit card scams. In 1983, the security department will spend
more than $1.5 million to combat fraud, Wenzolff said.
An increase in undercover police work and computerized check lists that raise red
flags on questionable purchases also are helping to reduce fraud, said Sergio Pinon,
the American Express Co.'s chief special agent for security in Florida.
" After a certain number of purchases, the computer automatically picks it up and
the card owner is contacted personally to verify that the purchases are legitimate,”
Pinon said.
On yet another front, several credit-card companies are designing new cards that
will be more difficult to counterfeit.
In about a month, Visa International will begin issuing its customers an electron
ic card. Instead of embossed names and numbers, each card will have a bar -coded
magnetic stripe. An optical scanner will be needed to deciper the code, a process
similar to the one many supermarkets use to compute the price of its merchandise.
Some of these new techiques appear to be paying off.
During the first three months of 1983, American Express' fraud loss in Florida
was down 28 percent compared to the same period a year ago, Penon said.
“ The amount of counterfeiting has definitely decreased here in the last 60 days,"
agreed Michael Quackenbush, president of Southeast Bank's Southeast Services. “I
think there are some positive signs that a helluva lot of progress is being made on a
number of fronts. "
Should Visa International spokesman Joe Dawson : "We are, quite honestly, really
geared up right now on this fraud problem and I think that the ax is going to fall.”

STATEMENT OF E.J. CRISCUOLI, JR. , EXECUTIVE VICE PRESIDENT, AMERICAN SOCIETY

FOR INDUSTRIAL SECURITY

Mr. Chairman , in conformance with your request, I am pleased to submit this

written statement on H.R. 5112 before the Committee. The proposed legislation
could, I believe, serve to address a serious and growing problem : computer -related
crimes .
We are increasingly becoming a cashless society; paper is giving way to electronic
blips. Rudimentary Electronic Funds Transfer Systems (EFTS) are part of our daily
lives; for example, direct deposits, automated teller machines, and point-of-sale sys
tems. They are all dependent on computer technology; without the latter, corporate
America would find it difficult to function .
In large part, the EFTS revolution was made possible by thecomputer. It lies at
the heart of these systems; yet it is also the “ Achilles heel” of the cashless society.
There are presently more than 25,000 computer sites in the United States. These
serve to transfer more than $400 billion daily and transmit other critical financial
data. By simply manipulating these computers, criminals could wreak havoc on our
financial system .
Crimes by computer are already a reality; they are said by the U.S. Chamber of
Commercetoaccount for morethan $ 100 millionin annual losses.Somelaw -en
forcement sources place these losses at more than $ 1 billion. The theft of data and
an assortment of financial frauds, are now daily occurrences.
 195

While frauds involving the counterfeiting of access devices pose a problem for the
financial sector, frauds involving computers are also of paramount concern. For ex
ample, more than 100 customers of a New York City banklost $ 30,000 in an elec
troniccash machine caper; while a bank consultant ripped -off his employer for more
than $ 10 million . The very integrity of these systems is dependent on our ability to
deter computer-related crimes.
The needed technology to subvert computers in now readily available; the comput
er revolution has made it possible even for the young to access a company's comput
ers. The equipment needed to wiretap these networks can presently be purchased
for less than $ 1,000 from a local electronics store. We at ASIS are concerned that
professional criminals may increasingly enter this area. Presently, there exist little
or no deterrence.
Unlike traditional street crimes, computer-related offenses can prove difficult to
investigate and prosecute; in addition, the likelihood of going to prison is the excep
tion. In street crimes, it is often the norm .Thus, why steal a bicycle if you can steal
a king's fortune and get away with it ? We would do the public a disservice if we
failed to point out that the real criminal threat to business in the community lies
with its computers. Legislation dealing with computer crime should thus be of para
mount concern to this Congress. We believe that H.R. 5112 addresses this problem .
However, H.R. 5112 must be viewed as only a beginning in this direction . Wealso
need to train our law -enforcement officials in the area of computer crime. Especially
many of our local police and prosecutorial forces; for these are called upon daily to
investigate and bring these crimes to prosecution. Unlike street crimes, these of
fenses can prove costly and difficult to investigate and prosecute. They can bank
rupt the limited resources of some of our local police agencies.
Efforts must also be made to sensitize our judges to the need to adequately ad
dress these crimes. Even the best of laws is of little value if the computer criminal
continues to receive a “ slap on the wrist.” We need also to encourage greater coop
eration between the private and public sectors; in its absence, computer crimes can
only thrive. The public's perception of the computer criminal also needs to be
changed. The computer criminal is no Robin Hood; he/she poses a threat to our soci
ety. The public must be made to realize that it picks up the final tab for these
crimes.
Mr. Chairman, we presently live in the dawn of a new economic reality; a society
where paper currency will increasingly give way to electronic blips. The check is
being replaced by EFTS access devices; we at ASIS believe that H.R. 5112 consti
tutes a step in the right direction . In closing, Mr. Chairman , I would like to thank
you and the Committee for offering me an opportunity to testify on this important
area. Thank you.

[From the Security Management, July 1977]

LEGAL PROBLEMS IN PROSECUTING COMPUTER CRIME
(By August Bequai)
Recently an employee at one of the nation's largest brokerage firms embezzled
more then $ 250,000 from his company by simply arranging for the firm's computer
to transfer money from its account to that of his wife. A bookmaker in a large state
used unauthorized time on a local university's computer system to calculate his
handicaps. Experts estimate the likelihood that a computer felony will be uncovered
as being only one chance out of a hundred.
In one of its studies, the U.S. Chamber of Commerce concluded that computer
frauds cost the nation more than $ 100 million each year. Another study determined
that the average " take" in a computer crime exceeds $ 400,000. With more than
100,000 computers in this country, manned by more than two million individuals,
the opportunities for criminal actions are vast and growing in number.
WHY THE LAW IS NO DETERRENT
Much has been said about the lack of security in computer centers and systems.
Critics also have pointed out that no training programs are, at present, available
either at the federal or local governmental levels to prepare investigators for deal
ing with computer-related crimes.
A recent U.S. Senate study, prepared by the Committee on Government Oper
ations, discovered that programs to prepare such a cadre are far in the future. Little
attention has been focused , however, on the ability of our criminal justice system to
handle the problem of computer frauds. Recently, the Federal Deposit Insurance
 196

Corporation, concerned with computer crime, asked the FBI to prepare a list of laws
that could be employed against perpetrators of such crimes. The list was short, and
of the few statutes that were listed, none applied directly to the problem .
To deter criminals, prosecutors need an adequate arsenal of laws to bring offend
ers to justice. Even the best of security measures fall short of prosecution isn't possi
ble. Prosecution can take either of two forms: (a) federal, or ( b ) local. On the federal
level, the “mail fraud ” statutes have posed, for a long period of time, one of the
most formidable and pragmatic weapons in the prosecutor's arsenal.
What makes these statutes formidable is that the requisite proof to show their
violation is simple: one need only show that a mailing took place from point X to
point Y and that the U.S. Postal Service was used. However, the problem with com
puter crime is that felons rarely use the postal system in perpetrating frauds. In
fact, if the felon is an insider , little need, if any,exists for usingthe mails to manip
ulate the computer system . Thus, unless the USPS is used in some manner, mail
fraud statutes prove of little value.
Application of the federal “robbery” statutes also proves limited . They apply only
to an attempt or forcible taking with intent to steal money, property or anything of
value from a federally-insured or regulated institution. Organizations not federally
insured or regulated would not be covered. In addition , most computer crimes in
volve no forcible taking.
WIRE COMMUNICATIONS PROVISION
Title III of the Omnibus Crime Control and Safe Streets Act of 1968 makes willful
interception of any wire or oral communication a federal crime. The Act defines
" intercept” as the acquisition of the contents of any wire communications through
the use of electronic devices. The objective of the Act was the preservation of the
privacy of individuals' wire or oral communications. The intent to protect the secu
rity of data transmitted between computers or computers and terminals was not in
cluded. Interception of such data may prove not to be in violation of the Act since it
will be coded, and not in violation of the “ aural acquisition” requisite of the Act.
BANK STATUTES

Federal bank statutes provide for imprisonment up to five years and fines up to
$5,000 or both, for anyone involved in the embezzlement or theft of “ funds” from a
federally - insured institution. However, the offender must be an employee, officer or
agent of the institution . Institutions not federally -insured will not be covered . A
felon who is neither an employee, agency or officer of the institution and who pene
trates its computer system from the outside probably would not be covered by these
statutes. Further, the bank statutes provide for the “ unlawful taking or concealing
of funds.” Computerized transactions, however, will require re-definition of what
" funds ”are. Theconcept of paper currency has little relevance to electronic trans
fers.
The Bank Protection Act of 1968 requires the federal financial regulatory agen
cies to promulgate rules for adequacy of security devices and procedures at federal
ly -regulatedinstitutions. The objective of these safety measures is the securing of an
institution from the threats ofburglaries and robberies. No provisions in the Act
require institutions to establish security measures against electronic frauds. Legisla
tion in this area could play a major role in ensuring that such measures are taken.
The Federal Consumer Protection Act makes criminal the use of any credit card
that is counterfeit, fictitious, altered, forged, lost, stolen or fraudulently obtained.
The objective of the Act is prohibition of the use of such devices to obtain goods or
services on credit. Thus if no credit card is involved, and the transaction isnot one
for credit, this Act could not apply.
Federal “ counterfeiting” and “ forgery” statutes are also of little assistance to the
prosecutor, unless the felon forged a pass or entry device. Even in such an instance,
one could argue that the drafters never intended to cover such cases. Computer
felons could easily evade these statutes simply by obtaining entry devices and passes
from " insiders.” Too, if they are themselves employees of the firm , these statutes
would have little applicability.
EXTORTION STATUTES

Obtaining property, with the consent of the owner, through the use of force or
fear might bring the federal extortion statutes into play. These statutes might
apply, for example, if a group of terrorists occupied a key computer complex and
 197

threatened to destroy it unless a ransom was paid. However, unless “ fear or force "
is used, these statutes, even local ones, would not pertain .
Section 1343 of Title 18 of the United States Code makes the use of " wire, radio or
television communications in interstate commerce” for illegal means a felony. Sec
tion 1343 could prove potent. However, if the felon avoids using wore, radio or tele
vision, and he could easily do so , then this statute to , would prove useless.
STATES ALSO LACK MEANS

Local prosecutors are also handicapped. No state has a statute that specifically
deals with crimes involving the computer. Some jurisdictions have " theft of serv
ices” statutes, but these have as their objective the illegal use of credit cards, serv
ice charges and utilities without the supplier's consent. Further, a violation of these
statutes is usually a misdemeanor. The deterrence is thus limited to a short prison
sentence. Local prosecutors may rely on the arson , burglary and larceny statutes,
but even these are limited . Arson statutes apply only if an actual burning of a
dwelling occurs; burglary statutes can be used only if a breaking or entering of the
dwelling of another takes place, in the " nighttime”; and the larceny statutes per
tain only if the “ taking and carrying away” of the personal property of another
happens. Computer frauds have shown that these statutes have , at best, limited ap
plication. It is like charging someone who breaks into another's house and shoots
him in his bed, with burglary. We need, both at the state and federal levels, laws
that are specifically addressed to the problem of computer crime. At present, such
laws are lacking.
THE DIFFICULTY IN PROSECUTION
To further augment the problem , our present rules of evidence make the introduc
tion of computer-generated evidence into a trial difficult. Computer reels or print
outs fall under the " hearsay rule .” They are evidence of a written statement made
out of court. To be allowed to introduce these into a trial, the prosecutor must bring
them in under one of the exceptions to the rule. The purpose of exceptions to the
rule is allow reliable evidence into court. One such exception is the “ shop -book
rule .” Under the common law, regular business entries were brought into court
under this exception. This rule has been codified at both the federal and state
levels.
However, to be brought into court as a business record, a document must meet
the following criteria: (a) it must have been made routinely during the course of
business; (b )it must have been entered within a reasonable period of time after a
transaction is recorded, preferably contemporaneously; (c) it must be entered by an
individual who is not availableasa witness, and (d) by a person who had knowledge
of the event transcribed ; and (e) the person must have had no motive to misstate.
Computer-generated evidence may prove difficult to bring into a trial under this ex
ception because it is not entered routinely as regular course of business; it is not
ertered contemporaneously ; and it may have been entered by a number of individ
uals, none of whom had any knowledge of the event from their own personal con
tact.
Courts have been reluctant to allow computer- generated evidence into a trial.
Cases involving such evidence have been few , and have usually been settled out of
court. Further, it is not clear as to what testimony is needed to provide an adequate
foundation for their admission into court. Nor has the personal knowledge require
ment been eliminated. Serious constitutional questions also arise. For example , does
the admission of computer -generated evidence violate the confrontation of due proc
ess clause? One prosecutor recently told me, " we have our work cut out.”
CONCLUSION
The computer age is upon us. With it come blessings and horrors. Electronic
criminals have taken advantage of the void left behind by an ill- prepared criminal
justice system . The problem is not so much with computer technology as it is with
our legal system's inability to adequately adapt to a rapidly changing environment.
The electronic criminal poses a challenge and a question - can we afford the luxury
of moving at a snail-likepace any longer?
 198
NATIONAL RETAIL MERCHANTS ASSOCIATION ,
Washington , DC, October 27, 1983.
Hon . WILLIAM J. HUGHES,
Chairman, Subcommittee on Crime, Committee on the Judiciary, U.S House of Repre
sentatives, Washington, DC .
DEAR MR. CHAIRMAN: I am writing on behalf of the National Retail Merchants
Association to request that our statement on H.R. 3181 and H.R. 3570, regarding
credit card fraud, be included in your hearing record on that legislation.
By way of background, NRMA is the largest trade association for the general mer
chandise retail industry. Our members operate approximately 45,000 leading chain ,
department and specialty stores in the United States, and an additional 1,000 retail
firms in 50 nations abroad. Their annual sales are in excess of $ 150 billion and they
employ nearly 3 million workers.
Many thanks for your consideration of this request.
Sincerely,
VERRICK O. FRENCH ,
Senior Vice President, Governmental Affairs.
Enclosure.

STATEMENT OF NATIONAL RETAIL MERCHANTS ASSOCIATION

The National Retail Merchants Association is pleased to have this opportunity to
present its views on the question of what legislative action should be taken in the
area of credit card fraud.
The National Retail Merchants Association (NRMA) is a not-for-profit organiza
tion devoted to research and education in general merchandise retailing. NRMA
represents approximately 45,000 stores in the United States, distributing about $150
billion annually in goods and services to the American consumer. NRMA's members
range from the largest chain and department stores and mass merchandisers to
small specialty shops and independents. Virtually all of NRMA's members operate
their own proprietary credit card systems and / or accept third party credit cards
that are issued by financial institutions and companies that issue travel and enter
tainment cards. In view of the fact that over 50% of our members' sales are made
by means of credit cards, we are vitally concerned with the issue of credit card
fraud and related practices such as the use of account numbers to obtain goods and
services without the customer's authorization .
At the outset, NRMA wishes to make it clear that we strongly support the enact
ment of federal legislation to provide penalties for credit card counterfeiting and re
lated fraud. For this reason , we fully endorse S. 1555, a bill introduced on June 28,
1983 by Senator Hawkins to amend Title 15 of the United States Code (specifically,
section 134(d) the Truth -in -Lending Act and section 916 of the Electronic Fund
Transfer Act) to strengthen fraud provisions of existing law. We also support
amending Title 18 to provide a betterstatutory framework for fighting the criminal
element involved in credit card and related fraud.
For the reasons expressed below , we recognize the need on the pari of the credit
and debit card industry to improve the security of account numbers as well as the
physical devices which are used to credit and debit customers' accounts . We are
gravely concerned, however, about the enactment of legislation which , under the
guise of " anti-fraud” legislation, in fact, would have the primary effect of impeding
creditors' legitimate business activities.
Over a decade ago , Congress decided to allocate the risk of loss from fraudulent
transactions by means of a credit card to the credit card issuer. Thus, pursuant to
section 133 of the Truth - in -Lending Act, as a general rule the cardholder has no li
ability for unauthorized use of a credit card or, under limited circumstances, the
liability can amount to no more than $ 50 per card. We do not advocate changing
this allocation of risk because, on balance, we recognize that to do otherwise could
subject consumers to potentially crippling financial losses. Even negligent consum
ers are protected from substantial economic loss, although all consumers ultimately
pay for credit card fraud as a component of the cost of credit and the cost of goods
and services. This system also makes practical sense because it carries a built-in in
centive for credit card issuers to strive to reduce fraud losses. While that effort is
being made on several fronts, the recent increases in the amount of credit -related
fraud is alarming.
During the hearing on this issue held by the Subcommittee on Consumer Affairs
of the Senate Banking Committee in June 1983, and again in testimony before this
Subcommittee, it has been well documented that beginning around 1980 the bank
card industry began to experience a tremendous increase in the incidence and
 199

amount of credit - related fraud, as well as a significant shift in the nature of this
fraudulent activity. Data has been submitted by VISA U.S.A. Inc., MasterCard
International Incorporated, and the American Bankers Association , documenting
that in the bank credit card industry alone losses due to fraudulent use of credit
cards rose from approximately $11 million in 1972 to over $ 125 million in 1982
over a 1,000% increase. While the limited data available to us indicates that the
amount of credit card fraud involving retailers' proprietary systems is not substan
tial in relation to total credit sales (under one-tenth of one percent), retailers are
concerned about the increase in bank credit card fraud. This is because while, as
noted, some of the cost is ultimately passed on to the consumer, the merchant is
subjected to an increase in costs initially by paying more in discount fees to issuers
of third party cards. In addition , depending upon the contract between the mer
chant and the bank card issuer, the merchant does bear certain fraud losses direct
ly. For example, merchants accepting mail orders charged to third party credit
cards are often charged back for fraudulent orders. Thus, we heartily endorse this
Subcommittee's efforts to find solutions to the mounting problem of credit -related
fraud .
NRMA believes that a number of steps should be taken to address the problem of
credit-related fraud , some of which are being undertaken by the industry at the
present time. For example, associations representing bank card issuers are taking
steps to control fraud by changing the physicial properties of the credit card itself.
The credit card is being redesigned to contain a number of anti -counterfeiting fea
tures such as fine line printing, ultraviolet ink printing, and a unique hologram cov
ering part of the embossed account number. Among other things, these steps will
make alteration of the embossed account number digits harder to accomplish and
easier to detect. The bank card industry is working to reprogram authorization sys
tems to enable those participating in the systems to better identify cardholders at
the point of sale. Also, bank card issuers have added a provision to their operating
rules which prohibit a merchant from providing, selling or exchanging account
number information, in any medium , to any other party unless connected with the
merchant's legitimate bank card business. These and other steps are being taken by
the industry in an effort to reduce current credit card fraud activities.
NRMA's members are continuing their efforts to develop ways to improve their
own point-of-sale authorization systems and the properties of the credit cards issued
in their proprietary systems in an effort to combat credit card fraud. NRMA's mem
bers are aware of their responsibility to safeguard the account numbers of their cus
tomers and they currently take steps to restrict access to account information in a
number of ways. Merchants are to a greater extent using sales slips which do not
involve the use of carbons and they are taking precautions in disposing of duplicate
sales slips. It is essential, however, that merchants not be required to use any one
particular method of effectuating sales, because of the increased operating costs that
would thereby be imposed. The difficulty of operating a small business profitably
today is well-known and need not be documented here.While we recognize that nei
ther bill presently before this Subcommittee contemplates the imposition of such re
strictions, we want to make clear our opposition to any legislation that would have
the direct or indirect effect of standardizing the way in which credit is extended , or
the way in which credit transactions are written at the point of sale, because of the
additional costs that would thereby be imposed upon the merchant.
As we stated at the outset, NRMA does support legislation which is aimed specifi
cally at the criminal element that is responsible for perpetrating credit-related
fraud. Thus, NRMA has endorsed the approach of S. 1555 to amend the Truth -in
Lending Act and the Electronic Fund Transfer Act to fill certain gaps in that legis
lation .
NRMA also supports the bills presently under consideration by this Subcommittee
to amend Title 18 of the United States Code to impose stiff penalties for producing,
using, selling, transferring or possessing a “ fraudulent payment device” or equip
ment used toproduce such a device.
Given the interstate nature of today's evolving nationwide payments system and
the interstate nature of significant fraud cases , we recongnize that this situation
warrants a federal response. This is reinforced by the fact that much of the recent
increase in credit-related fraud can be attributed to organized crime or, at least, to a
criminal element that is highly sophisticated. For these reasons, we believe that
Title 18 of the United StatesCode should be revised to include proscriptions aimed
specifically at credit -related fraud . This will enable federal enforcement authorities
to deal effectively with interstate credit-related fraud, including the manufacturing,
counterfeiting or altering of credit cards and the fraudulent use of payment devices
such as debit cards.
 200

NRMA believes that the industry's concern with the problem of credit -related
fraud and the technological steps that are being taken to curb these practices, cou
pled with the legislative actions to amend Titles 15 and 18, provide the best solu
tions to this problem . Because of the potentially serious adverse consequences for
retailing that would arise in the event of enactment of other proposed " anti-fraud”
legislation currently being considered in the House Banking Committee, we will
briefly note our concern about such proposed legislation so that the record will be
clear on this point.
We do not believe that legislation which restricts the merchant's ability to obtain
account numbers from credit bureaus or to disclose account numbers to third par
ties in business related activities is the way to combat credit- related crime.
There are a number of areas in which account information must be disclosed in
connection with the legitimate business needs of the merchant. In addition to ac
count authorization and other activities which would be permitted on an " excep
tion ” basis, furnishing account numbers for other purposes would be prohibited. For
example, retailers sometimes use third parties to mail promotional material - par
ticularly during peak business periods — and it is necessary that the account number
appear on thismaterial under certain circumstnaces, such as when the customer is
asked to present the promotional material at the store and no credit card is issued
or regularly carried for the particular account. Merchants may also disclose account
information to their licensees, to companies engaged in joint ventures with the mer
chant, and to related companies such as a subsidiary as well as to unrelated compa
nies in order to provide the cardholder with an opportunity to purchase new prod
ucts or services. Account numbers provided by credit bureaus are extremely impor
tant to creditors for purposes of account verification (both to delete duplicate ac
counts held by the creditor receiving the application and to verify the applicant's
credit references) as well as to locate customers in connection with legitimate debit
collection activities.
These examples give some indication of the complexity involved in specifying with
completeness and accuracy all of the legitimate business reasons for the communica
tion of account information. The importance of the merchant's ability to use and
communicate account information for legitimate business purposes cannot be over
emphasized . Any legislative effort to list the permissible uses of account informa
tion, and to bar all other uses, such as that embodied in H.R. 3622, is frought with
problems and, we believe, is the wrong approach to fighting credit card fraud. We
are convinced that the better approach is to close loopholes in existing statutes and,
after careful review by the Judiciary Committees of the House and Senate, to enact
any new provisions to the Criminal Code that are deemed necessary to combat the
upsurge in credit -related fraud .
NRMA commends the Subcommittee for its concern with the serious problem of
credit card fraud and appreciates the opportunity to express its views on this sub
ject.
 COUNTERFEIT ACCESS DEVICE AND COMPUTER
FRAUD AND ABUSE ACT

WEDNESDAY, MARCH 28, 1984

HOUSE OF REPRESENTATIVES,
SUBCOMMITTEE ON CRIME
OF THE COMMITTEE ON THE JUDICIARY,
Washington, DC .
The subcommittee met, pursuant to call, at 2:15 p.m., in room
2226, Rayburn House Office Building, Hon. William J. Hughes
(chairman of the subcommittee) presiding.
Present: Representatives Hughes, Sawyer, Shaw, and Sensen
brenner.
Staff present: Hayden W. Gregory, counsel; Edward O'Connell,
assistant counsel; Charlene Vanlier, associate counsel; Phyllis N.
Henderson , clerical staff; and Teresa Bourgeois, professional staff.
Also present: Representative Wyden .
Mr. HUGHES.. The Subcommittee on Crime will come to order..
The Chair has received a request to cover this hearing in whole
or in part by television broadcast, radio broadcast, still photogra
phy or by other similar methods.
În accordance with committee rule 5(a), permission will be grant
ed unless there is objection .
Is there objection ?Hearing none, permission is granted.
Today we continue our hearings on the problems of credit card
and computer fraud which we initiated in the first session of the
97th Congress. We will focus today on H.R. 5112, the Counterfeit
Access Device and Computer Fraud and Abuse Act of 1984, which
evolved from our hearings on H.R. 3570, which I introduced, along
with the ranking Republican, Mr. Sawyer of Michigan , and on H.R.
3181, which was introduced by Mr. Fish , and which Mr. Sawyer
and I cosponsored last year.
Our prior hearings documented, among other things, that finan
cial institutions had lost up to $100 million in 1983due to credit
card fraud, a 500 -percent increase since 1980. This exponential in
crease in credit card fraud can be attributed to an increasingly so
phisticated use by the criminal element of account numbers, access
codes and other technological advances.
There is further evidence that this sophistication is moving into
the problem of criminal misuse of computer technology as the
credit card industry enlarges its capacity in the use of this technol
ogy. Since the computer industry is itself expanding to the point
where some 80 million home computers will be in existence by
1990, it seems clear that we not only must bring our laws up to
(201 )
 202

date in the credit card area, but also give serious consideration to
deterring the criminal element from abusing this technology in
future frauds.
One aspect of this new criminal conduct which has received
much media attention lately has been the activities of the so-called
“ hackers,” who have been able to access both private and public
computer systems, sometimes with potentially disastrous results.
H.R. 5112 covers such conduct where it causes losses of a signifi
cant nature. It appears that our high-tech computer society of the
future will have enormous benefits for our Nation. However, in
this so -called cashless society , we cannot ignore the fact that the
incidence of counterfeit access devices and computer crime will
continue to rise and the losses to financial and other institutions
therefore, losses to all of us — will continue to grow.
This new brand of criminal is one step ahead of us in the legal
system , and it is time that we began to catch up.
[A copy of H.R. 5112 follows:]
 203

98TH CONGRESS
2D SESSION
H.R.5112
To amend chapter 47 of title 18 of the United States Code to provide penalties
for fraud and related activities in connection with access devices and comput
ers, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES

MARCH 13 , 1984
Mr. HUGHES (for himself, Mr. SAWYER, and Mr. Nelson of Florida) introduced
the following bill; which was referred to the Committee on the Judiciary

A BILL
To amend chapter 47 of title 18 of the United States Code to
provide penalties for fraud and related activities in connec
tion with access devices and computers, and for other pur
poses .

1 Be it enacted by the Senate and House of Representa

2 tives of the United States of America in Congress assembled,
3 That this Act may be cited as the “ Counterfeit Access
4 Device and Computer Fraud and Abuse Act of 1984 ” .
5 SEC. 2. ( a) Chapter 47 of title 18 of the United States
6 Code is amended by adding at the end thereof the following:
 204

1 “ 8 1029. Fraud and related activity in connection with

2 access devices

3 “ ( a) Whoever
4 “ (1) knowingly and without lawful authority pro
5 duces, buys, sells, or transfers a fraudulent access
6 device; or
7 “ (2) knowingly produces, buys, sells, transfers, or
8 possesses device -making equipment, with the intent
9 that such equipment be used in the production of a
10 fraudulent access device;

11 and thereby affects interstate or foreign commerce, and either

12 obtains by means of such conduct anything of a value aggre
13 gating $ 5,000 or more during any one year period, or pos
14 sesses ten or more fraudulent access devices in connection

15 with such conduct shall be punished as provided in subsection

16 (c) of this section .

17 “ (b) Whoever attempts to commit an offense under sub

18 section (a) of this section shall be punished as provided in
19 subsection (c) of this section .
20 "(c) The punishment for an offense under subsection (a)
21 or ( b ) of this section is
22 “ (1) a fine of not more than $ 10,000 or imprison
23 ment for not more than ten years, or both , if the of
24 fense is a first offense under subsection (a)( 1 ) of this
25 section or an attempt to commit such an offense;

HR 5112 IH
 205

1 “ (2) a fine of not more than $ 50,000 or imprison

2 ment for not more than fifteen years, or both, if the
3 offense is a first offense under subsection (a )(2) of this
4 section or an attempt to commit such an offense; and
5 “ (3) a fine of not more than $ 100,000 or impris 1

6 onment for not more than twenty years, or both, in the

7 case of a second or subsequent offense under this sec
8 tion .

9 “ (d) The United States Secret Service shall, in addition

10 to any other agency having such authority, have the authori
11 ty to investigate offenses under this section.
12 “ (e ) As used in this section
13 “ ( 1) the term 'access device' means any card ,
14 plate, code, account number, or other means of account
15 access existing for the purpose of obtaining, alone or in
16 conjunction with another access device, money, goods,
17 services, or any other thing of value, or for the purpose
18 of initiating a transfer of funds (other than a transfer
19 originated solely by paper instrument);
20 “ ( 2) the term ' fraudulent access device' means
21 any access device or a representation, depiction, fac
22 simile, or component of an access device that is coun
23 terfeit, fictitious, altered, forged, lost, stolen, incom
24
plete, fraudulently obtained, or obtained as part of a
25 scheme to defraud;

HR 5112 IH

38-178 0 - 85 14
 206

1 “ (3) the term “produce includes design, alter, au

2. thenticate, duplicate, or assemble; and
3
“(4) the term "device-making equipment means
4
any equipment, mechanism , or impression specially de
5 signed or primarily used, for making an access device,
6 a false access device, or any component thereof.
7 “ 1030. Fraud and related activity in connection with
8 computers
9 “ (a) Whoever
10 “ (1) knowingly accesses a computer without au
11 thorization with the intent to execute a scheme to de
12 fraud, and by means of such conduct obtains anything
13 of value (other than the use of the computer) aggregat
14 ing $5,000 or more during any one year period; or
15 “ (2 ) knowingly accesses a computer without au
16 thorization and by means of such conduct
17 “ ( A ) knowingly uses , modifies, or discloses
18 information in , or prevents authorized use of, such
19 computer ; and
20 “ (B) obtains anything of value or creates a
21 loss to another of a value aggregating $ 5,000 or
22 more during anyone year period;
23 and thereby affects interstate or foreign commerce, shall be
24 punished as provided in subsection (c) of this section.

HR 5112 IH
 207

1 “(b) Whoever attempts to commit an offense under sub

2 section ( a) of this section shall be punished as provided in
3 subsection ( c) of this section .
4 " (c) The punishment for an offense under subsection (a)
5 or ( b) of this section is
6 “ (1) a fine of not more than $ 10,000 or imprison
7
ment for not more than ten years, or both, if the of
8 fense is a first offense under subsection ( a )(1) of this
9 section , and a fine of not more than $ 100,000 or im
10 prisonment for not more than twenty years, or both, if
11 the offense is a second or subsequent offense under
12 such subsection (a)( 1 ) ; and
13 “ (2) a fine of not more than twice the value ob
14 tained or loss created by the offense or imprisonment
15 for not more than one year, or both, if the offense is a
16 first offense under subsection (a)(2) of this section, and
17 a fine of not more than twice the value obtained or loss

18 created by the offense or imprisonment for not more

19 than twenty years, or both, if the offense is a second or
20 subsequent offense under such subsection (a)(2).
21 “ (d ) The United States Secret Service shall, in addition
22 to any other agency having such authority, have the authori
23 ty to investigate offenses under this section .” .

HR 5112 IH
 208

1 (b) The table of sections at the beginning of chapter 47 :

2 of title 18 of the United States Code is amended by adding at
3 the end the following new items:
"1029. Fraud and related activity in connection with access devices.
“ 1030. Fraud and related activity in connection with computers.".
O

HR 5112 IH

1
 209

Mr. HUGHES. The gentleman from Michigan .

Mr. SAWYER. Yes, Mr. Chairman, I thank you and I commend
you for holding these hearings on H.R. 5112. The hearings will
highlight the new technology which gives rise to the so -called com
puter crime.
Believe me, I have been dealing with a similar subject in another
subcommittee dealing with the copyright laws, which were basical
ly designed for printed material. When you interject into the pic
ture satellites and cable and television and professional sports, and
the whole myriad of a fast-developing technology, you have your
problem cut out for you.
I am interested, but a little apprehensive, to hear what our prob
lem is going to be here to try toadopt laws which never dreamed of
such aproblem when they were conceived so that they will solve
the problem here.
I know that H.R. 5112 represents a lot of thought on the issue
and I will be very interested to hear what people who understand
the technology can tell us about it.
Thank you, I yield back.
Mr. HUGHES. Our first witness today is Dr. Wilbur Miller, who is
president of Drake University, a position he has held since 1972.
Dr. Miller's educational background includes attendance at Drake
University, St. Louis University, and the University of Denver. He
received his bachelor of science degree in business administration
in 1948, his M.A. degree in psychology in 1949; and his Ph.D.
degree in experimental psychology in 1953, all from the University
of Denver.
As a Senior Stipend Fellow of the National Institute of Mental
Health, he did postdoctoral work at the University of Michigan in
1963 and 1964. After receiving his Ph.D. degree, he was appointed
as assistant professor of psychology at the University of Denver. In
1957, he was named associate professor, attained a rank of full pro
fessor in 1963, and was made dean of the university's graduate col
lege in 1964 .
In 1965, he was appointed vice chancellor for academic affairs
anddean of the faculty, a position he held until his appointment at
Drake. In 1966-67, he also served as acting Chancellor at Denver.
Dr. Miller has had a most distinguished record in the academic
and research world and his literary endeavors include, among
others, a coauthorship of the book, "Personality, Social Class, and
Delinquency .”
Dr. er, we are just delighted to have you with us today. We
have your statement, which, without objection , will be made a part
of the record in full, and you may proceed as you see fit.
Welcome.

TESTIMONY OF WILBUR C. MILLER, PRESIDENT, DRAKE UNIVER

SITY, TESTIFYING ON BEHALF OF THE AMERICAN COUNCIL ON
EDUCATION
Mr. MILLER. Thank you, Mr. Chairman. I am delighted to be
here. I am speaking for Drake University, although, as I see on the
program, the American Council on Education did contact me in
hopes that I would make the statement generic enough that it
 210

would be appropriate, I think, to higher education and to the prob

lems universities are starting to experience in this area, and I say ,
"starting to experience,” because I think we have experienced some
unauthorized computer entry in the past, but I think we have
thought of it as relatively minor, a little bit like game playing, and
I think, by the way, we made some serious mistakes by doingthat.
I think by almost honoring as intellectual geniuses some of those
people who played those little games, we probably encouraged it
more than we hurt it. So I think we have to share in the responsi
bility of maybe inappropriate punishment to fit the crime.
I think one reason I was asked to submit a statement is that we
were in the unfortunate position of directly experiencing hackers
making access to our computer system . We have three computers
on campus, each one serving a different function , and the one that
was accessed was very serious to us, but fortunately , was not the
one that had a lot of financial records and things of that sort that
could have been an almost near disaster, I think, for us.
To just give you maybe a bit of information about that proce
dure, because it seems to have been of interest, nationally atleast,
it started with a television station reporter wanting to do a story
on hacking. This television station reporter somehow ended up
picking Drake University. I don't exactly know why, but I have a
hunch , because we have a lot of journalism graduates around the
State who are affectionate toward us, but also know some of the
things that are going on, and maybe they looked in that direction
in terms of wanting to do stories.
This elevision reporter in the story on hacking did make contact
with hackers. We don't know where they came from or how he got
hold of them , although everyone, I suppose, has suspicions about
where things like this do happen . They were able to get an access,
student access number, to the academic computer from one of our
students. That happened, I think, to be about as innocent as it
could be, even though that is contrary to our policies—that those
numbers are not given out to others.
Once this was done, they set up the hacking procedure through
the telephone lines, I understand, in a downtown hotel someplace,
and started to work. After 6 hours — at least, according to the re
porter — did have free and easy access to all levels of operation of
the computer and had the ability to wander quite freely through
the entire system .
This was unknown to us, and in giving credit to the reporter, the
eporter, I think, became quite frightened at the whole process
and I think rightfully so — and did then come and report to us that
this had taken place, so we immediately had to shut down the com
puters; we had to spend much time going through all of the
records, what had been there for the last 2 or3 days.
We are still checking things that we are not sure about. The
amount of scarce resources—we have had to allocate for this - has
been relatively serious. We are still making access more difficult to
this computer by checking more thoroughly the people that do
have access to the computer, and I must tell you, in the academic
world, this if very tragic. The reason you have a library and the
reason you have a computer is so students and faculty and others
with authorization can use these things, and as a consequence,
 211

when you make the use more difficult, you do deter a lot of the
learning process and availability that should be there.
So much of the academic community , you know, is based on
trust, whether you are talking about checking out library books or
you are using equipment or whatever you are doing. The use has
generated so rapidly in the last few years that it is even difficult
for us, I think, to keep track of, but when that trust is violated,
then you have to put in security measures that really make your
campus rather unlike a university campus - rather make it unlike
an educational institution, I think, that is built basically on trust
and faith and cooperation .
I must say that when our own people violate this trust, we have
some avenues of approach we can use and I think this goes back to
my beginning statement, " Maybe we have not been strict enough
ourselves,” so I plead a little guilty here of making more appropri
ate punishment for those of our community that may violate this
trust .
I think we are starting to take those steps, but when someone
from outside the community violates the trust and has had unau
thorized penetration, we are helpless. There is almost nothing we
can do.
As a consequence, this is one of the reasons we have great force
behind us, at least now in terms of wanting some kindof legisla
tion that will bring some kind of punishment, or at least threat of
punishment, some vehicles, you know, something we can reach out
and grab that will help us in terms of cutting down what I think is
a very growing concern and a very growing activity.
[The statement of Mr. Miller follows:]
STATEMENT OF WILBUR C. MILLER
BIOGRAPHY

In June, 1972 Dr. Wilbur C. Miller was appointed as the ninth president of Drake
University
Dr. Miller attended Drake University and St. Louis University before attending
the University of Denver. He received his B.S. degree in business administration in
1948, his M.A. degree in psychology in 1949 and his Ph.D. degree in experimental
psychology in 1953, all from the University of Denver . As a Senior Stipend Fellow of
the National Institute of Mental Health, he did post-doctoral work at the University
of Michigan in 1963-64.
After receiving his Ph.D. degree, he was appointed as Assistant Professor of Psy
chology at the University of Denver. In 1957 , he was named Associate Professor, at
tained the rank of full Professor in 1963 and was made Dean of the University's
Graduate College in 1964. In 1965, he was appointed Vice Chancellor for Academic
Affairs and Dean of the Faculty , a position he held until his appointment at Drake.
In 1966-67, he also served as Acting Chancellor at Denver.
He has served as a consultant for the Danforth Foundation , for the Ford Founda
tion in Venezuela and for the United States Air Force Academy. From 1960 to 1971
he was co -director of the Research Project in Maladaptive Behavior at the Universi
ty of Colorado's Medical Center in Dever.
Dr. Miller's research efforts have concentrated on the behavior of persons in auto
mobile accidents and on factors that contribute to juvenile delinquency. He is the
co-author of the book, Personality, Social Class, and Delinquency, has written chap
ters for several other books and has authored numerous articles in psychology and
other professional journals.
He is a fellow of the American Psychological Association and a past president of
the Rocky Mountain Psychological Association and the Colorado Psychological Asso
ciation. He is a member of the Phi Beta Kappa, Sigma Xi , Psi Chi and Omicron
Delta Kappa scholastic honorary societies.
 212

INTRODUCTION

On the evening of January 31, 1984, one of the computers at Drake University
was penetrated by hackers. These individuals were not members of the Drake com
munity and the intrusion was accomplished despite the existence of security meas
ures and computer systems protections that were in place.
The incident at Drakeis probably not important in its uniqueness nor are the cir
cumstances which provoked the intrusion of importance here. What is important is
that the event did occur; that it is considered as a serious intrusion and violation of
University property, access, and trust; and that it happened despite the existence of
reasonable and extensive protection measures that were in place to discourage such
attempts. The latter point is particularly important. Just as our homes cannot be
made totally secure and burglar proof by affordable security measures, in this day
of electronic innovation and enterprise , computer security measures cannot be
relied upon to stop the determined intruder. University computer systems are par
ticularly vulnerable to such intrusions. Ready access for legitimate users must be
maintained. If learning and research are to take place, university computer systems
must be reasonably available, accessible and userfriendly to members of the univer
sity community. If trust in the system is to be maintained those same users must be
able to be confident that the materials that they put onto the system are not subject
to access and manipulation by unauthorized individuals.
As stated above, the persons involved in the computer break-in at Drake Universi
ty were not members of the University community. They penetrated and used the
computer system in an unauthorized manner. They exploited an essentially user
friendly system and in so doing not only used computer time, a resource with some
value, but of greater consequence, the result of the penetration required the expend
iture of computer resources and computer center staff time, made necessary the im
plementation of additional and more expensive security and monitoring procedures,
and created within the university community an aura of concern and doubt regard
ing the security of the content of personal materials stored on the computer. Be
cause the " hackers” are not members of the university community, they are not
subject to internal university sanctions. The lack of adequate and specific laws gov
erning computer crime means that despite the loss suffered by the University and
its students andfaculty, and despite the addition of increased security measures, the
hopes of maintaining a secure computer system are slim .
If a hacker can penetrate and roam a computer system at will, without fear of
punishment, and without his or her acts being defined as criminal, this emergent
and pervasive problem will continue to haunt university computer centers and com
puter users. This, simply put, means that the university becomes less effective in its
attempt to fullfill the educational needs and demands of society. This is a serious
problem .
To date, there has been a tendency, on the part of the public, to view such viola
tions as intellectual pranksterism . This is simply not the case. The ubiquity of com
puters in virtually every dimension of our everyday lives underlines this point and
dictates our concern. Concern , however, is not enough . University leaders must con
tinue to assume and pursue the responsibility of providing secure computer access
to legitimate users. We must be prepared to take strong measures in response to
inappropriate behavior by those who are members of our user communities. That,
however, is not enough. Societal definitions, deterrents, and punishments are
needed to control external violators. More states must move to provide laws that
define computer damage and theft as criminal acts and appropriate sanctions must
be provided. In addition , given the interconnectedness of the enterprise of higher
education, federal legislation to these same ends is essential. We have a problem .
The problem is computer theft and damage. We feel that the problem is a serious
one, one that we cannot address by ourselves. We need your help . We need legisla
tion that will aid us in our attempts to secure and maintain a quality education for
this generation of students and for generations of students to come.
STATEMENT
Mr. Chairman. Members of the Subcommittee on Crime. My name is Wilbur C.
Miller. I am the President of Drake University, which is located in Des Moines,
Iowa. I am here today, by your invitation, to share my views on the “ . . . future
problems with electronic and computer fraud and the effect such innovations will
have on educational institutions." At Drake, as with many institutions of higher
education, this issue is not and has not been a consideration merely of problems for
the future but has, in fact, been of great concern since the initial use of computers
on the university campus. The views that I will be sharing with you are not hypo
 213

thetical nor are they totally philosophical. On the evening of January 31 , 1984, one
of Drake University's computers was penetrated by hackers. These individuals had
no connection with the University as students, faculty or staff and gained access to
the computer through a telephone connection from an off-campus location. As a
result ofthis unauthorized intrusion into the system , the University has been forced
to dedicate scarce resources to the task of determining the extent and the effect of
the intrusion. Many students and faculty members have been seriously inconven
ienced by having their research and curricular efforts restricted. While new and ad
ditional security provisions have been introduced following the intrusion, it must be
understood that it is probably not possible to make an academic computing system
totally secure against penetration by hackers. Use of the computer system in ques
tion goes on , but there is a new aura of concern. Users wonder, " Are my materials
thatI have stored in the computer system secure or have they been compromised ?"
Prudence dictates that the integrity of the system must be viewed as suspect and
the use of the system for sensitive purposes must be curtailed . Indeed, this is the
nature of the problem .
For those of you who may be unaware, Drake University is an independent com
prehensive university. This fall, we enrolled in excess of 6,000 students. While the
computing systems at Drake University are not as extensive as those at many large
research universities, these systems are integral to carrying out the mission of the
university. Wehave three central computer systems, a Digital Equipment Corpora
tion VAŇ 11/780 dedicated to instruction and research; a Honeywell Level 64 DPS
320, dedicated to administrative processing activities such as maintenance of facul
ty , student and alumni data bases, and a Burroughs B800 on which many of the
Üniversity's accounting and financial records are maintained. In addition to those
which are owned by individual students and professors, the university has in excess
of 50 personal computers. Current plans call for a substantial increase in this
number.
Drake University expenditures for computing represent approximately 2% of the
annual budget. This level of spending is typical for comprehensive universities in
the United States. According to Robert G. Gillespie, Computing and Higher Educa
tion: an Accidental Revolution , expenditures on computingin higher educationwere
in excess of $ 1.3 billion in 1980. Since that time, higher education computing budg
ets have increased at a greater rate than overall expenditures.
Computer use by Drake faculty and students is heavy and growing. During the
current year, instructional and research computer usage is three times greater than
it was two years ago. This growth pattern is comparable to that experienced by
other institutions of higher education. This year, 39 % of our new freshman class
indicated that they had written a computer program in the past year. This was an
increase of nearly 10% over the previous class, and given the experiences that stu
dents are havingwith the estimated 325,000 computers now in the public school sys
tems of the nation , this is a pattern that will continue.
In summary, computers have, in a very short period of time, become an essential
element in the instructional, research and service missions of Drake University and
of higher education in general. Investments in equipment and personnel are sub
stantial and the need to maintain secure systems is critical. What has in large part
to date been viewed by the public as intellectual pranksterism on the part of com
puter hackers must be viewed as a serious intrusion on the rights of individuals to
pursue the enterprise of their education in an accessible and reasonably secure aca
demic environment.
It is a policy at Drake University thatthe use of computing facilities is as integral
to the educational process as the use of library facilities. Therefore, computing fa
cilities must be as readily accessible to faculty and students as those of the library.
Accordingly, any currently enrolled student or member of the general faculty may
use the academic computer for instructional or research purposes.
Minirnal restrictions are placed upon the actions of computer users consistent
with the effort to provide quality service to all users of the system . It is a mode of
operation which relies upon the cooperation and trust of theparticipants . Few au
thorized computer users have taken advantage of this lack of restraints. However,
when such advantage is taken, it can be readily recognized and for those who are
charged with the responsibility of maintaining the system , the relative vulnerability
of the system is reaffirmed . It is at this point that administrative action has been
and must continue to be taken to enforce the prescribed standards of conduct for
authorized users. We must also be willing to prosecute the criminal misuse of our
facilities. Legislation at both the state and federal levels is required to permit such
criminal prosecution .
 214

On the morning following the recent penetration incident, Drake Computer

Center personnel were notified that the security of the academic computer system
had been compromised by “ hackers.” In response, members of the computer center
staff took a series of actions designed to identify the nature and seriousness of the
intrusion, to guarantee that the system would be immune to additional intrusion
attempts via the route taken by the “ hackers,” and to verify that the security mech
anisms built into the computer by its manufacturer had not been altered or deacti
vated. Finally, provisions were made to gather more detailed data on the activities
of each user of the system so that unauthorized use of the computer could be detect
ed in a more timely manner.
These actions involved the participation of many computer center staff members
and resulted in denial of access to the computer to students and faculty for over
seven hours . The effect of these actions continued well beyond that day, however,
since the computer resources required to monitor the detailed actions of each user
reduced the number of users who could access the computer at any one time by
30% . Were we to continue this detailed monitoring indefinitely, it would require the
purchase of additional equipment to restore services to the previous levels. Needless
to say, the costs in terms of denied access and lost personnel time due to this inci
dent have been considerable.
In retrospect, itappears that the individual(s) who penetrated the Drake academic
computer system had no desire to modify or permanently damage either the securi
ty of the computer system or any of the information stored in it. However, once the
security of the system had been compromised, the “hackers” could return to search
for targets of opportunity. Or worse, the “ hackers” could return to deliberately
erase or modify the programs which control the computer system or to erase or
modify any or all of the information which is stored within it. That is, in a single
session, the “ hackers” could negate the labors of any of the 2,900 authorized users
of the system .
The incident at Drake University is probably not important in its uniqueness nor
are the circumstances which provoked the intrusion particularly at issue. The point
to be emphasized here is that this unintended and unauthorized use of the Drake
computer acted to deny access to the facility to authorized users and the University
was, because of the intrusion, forced to expend time, energy and funds to restore
what was viewed as reasonable security to those users. A university community is
based on trust. When that trust is violated , there is damage done to that communi
ty, damage that limits the ability of the community to accomplish its mission . Due
to the threat of penetration by persons external to the university, Drake University
faces the need to increase security to the extent of incurring both additional costs
and loss of service to its constituents. The costs are real, both in monetary and in
programmatic terms. And as I have indicated before, actually achieving the goal of
increased security may in no way be viewed as certain .
With this view in mind, it is instructive to note that penetrating an academic
computing system is not particularly difficult for a skilled and determined hacker.
By analogy, neither is stealing or damaging a book in a library. Books are placed in
a librarywiththeidea thatthose who need them will use them and return them for
futher use and that they will be returned in a condition that will make that future
use possible. Reasonable security measures are taken to insure that books borrowed
will be returned and copying equipment is made accessible so that the temptation to
remove pages is reduced. Still, books are stolen and books are mutilated. In a simi
lar vein, ready access to academic computing facilities is deliberate. Programs are
designed to encourage and facilitate computer usage and only reasonable and afford
able security measures are taken to ensure privacy and appropriate usage. When
the conventions of trust are violated in use if the computer system, as is the case
with the library, the members of the university community are those who suffer
loss. The analogy breaks down when issues of potential extent and impact of com
puter damage are introduced .
Public awareness of the potential for computer abuse by unathorized individuals
has only recently been heightened. There was, for example , the movie. War
Games .” Many smile at the antics of the newspaper comic strip character in “ Boone
County,” and the Washington Post carried a story entitled “ Teen Computer Break
Ins: High - Tech Rite of Passage.” Peter Denning observed that “In their fascination
with the 'whiz kids', many media writers avoidthe fundamental question: Is break
ing into a computer system wrong ? When it was determined that hackers had tam
pered with the Sloan-Kettering Cancer Institute computer, many began to realize
that there were serious implications and that people's lives may be at stake.
While it is difficult to argue that the intrusion into the Drake computer system
put lives at stake, it does have serious implications for the students, the faculty, and
 215

the administration of the institution . Clearly, then , it is the task of university ad

ministrations to provide adequate measures to protect the security of the systems
from inappropriate use by those who have legitimate access to the computer. We
can and must accept and assume the responsibility of internal discipline and we
must in addition be willing and able to prosecute those who engage in fraudulent
activities. We cannot, however, given the academic environment of trust, totally
protect ourselves from outside intrusion . Legislation is needed to define inappropri
ate and unauthorized use of computer systems as a punishable crime.
While the events of January 31 were both costly and annoying to us, they may
also be taken as instructive. Based on the following quotes, which were made by the
individual who helped to arrange the computer penetration, it seems certain that
without extraordinary security precautions and the availability of laws that permit
prosecution , we will not be able to maintain that essential element of trust that is
so critical to an academic computing environment.
“ Our agreement (with the hackers] was that we wanted to prove that we could get
in, and stop there. But after spending the night with these guys, I knew they
weren't going to walk away from it ... I had a lot of people tell me hackers are
amoral. I didn't believe it until I saw these guys in action. . . . They were very arro
gant. And they said all they wanted to do was work with computers. I'm not sure
that I'd call it an addiction, but it was a fetish .”
There is a need for computer crime legislation on both the state and national
level. A number of states have responded to the threat to the functioning of higher
education and to other societal institutions by enacting computer crime legislation
which defines a variety of levels of computer theft and damage and prescribes pen
alties for offenders. In the State of Iowa, for example, such legislation is currently
under consideration . Had this legislation been in force at the time of the penetra
tion of the Drake University computer, and had appropriate public information ac
tivities occurred , criminal prosecution of the perpetrators could have been pursued
and perhaps knowledge of the existence of the law would have operated as a deter
rent.
These comments emphasize an incident which occurred within a state. There are
other processes operating in higher education embracing factors which require fed
eral attention. I have emphasized the need for secure computing services to support
the mission of Drake University. A portion of these services is delivered by comput
ing systems at universities in otherstates via computer networks. The existence of
computer networks which cross state boundaries, and which are vital to the oper
ation of institutions of higher education, indicates that the federal government must
also respond to the problem. The " interconnectedness ” of institutions of higher edu
cation is essential to their proper functioning. It is difficult for officials of an indi
vidual state to pursue the perpetrators of computer crimes which may actually be
committed in another state through use of an interstate network .
Federal response to the problem will have an important secondary benefit. By fo
cusing public attention on the problem, the people of the United States can be edu
cated regarding the seriousness of these issues. This will in turn lead to the recogni
tion that "hacking ” is not simply a phenomenon like "streaking, ” but is, in fact, a
practice which seriously impedes theeffective functioning of societal institutions.
Public and legislative awareness of the problems posed by security breaches of
computer systems due to hackers and other individuals is growing. As we enter the
“ Information Age ,” societal institutions have grown increasingly dependent on the
availability of secure computing services. If we continue to treat computer crime as
intellectual pranksterism , we threaten the effective functioning of these institu
tions.

Mr. HUGHES . Thank you , Dr. Miller.

You indicate that Drake University is in a paradoxical situation
because their computer has to be user-friendly enough so that
those that should be using it can learn from the experience, and
yet should be somewhat unfriendly in order to protect it against
those who would abuse the system . You have indicated that you
have administrative recourse to deal with those within the univer
sity community who abuse the computer. But those outside that
orbit, you are powerless to descipline abusers.
I take it that you suggest legislation is necessary to deal with the
others. My question is , do you envision that educational institu
 216

tions, such as yours, would cooperate with authorities in prosecut

ing those who do abuse the system?
Mr. MILLER . I think I have to speak for Drake University. Our
answer is yes, very much yes. I think there are a lot of analogies
here. There are certain kinds of maladaptive behavior episodes
that you deal with internally on a campus day after day, and I
think you know what the limits of those dealings are.
There are also things that happen on a campus that are serious
enough that you must involve outside authorities and you must, in
a sense, prosecute. If we catch individuals stealing; if we catch indi
viduals doing things that would have serious consequences, we
have no hesitancy about being on the prosecution end of that and I
think that is a necessary thing, even for some of the internal com
munity, to know that that is a possibility when you are talking
about computers.
I think many people in higher education think this way. I can't
speak for all of them.
Mr. HUGHES. I think you realize it would be important because
quite often access is gained because people on the inside share the
information . In a similar fashion bank fraud is committed because
those in an institution are cooperating with those outside the insti
tution to defraud the institution. I think , therefore, that coopera
tion by the educational institution would be essential .
In your judgment, that would be available ?
Mr. MILLER. I am sure it would be available . If you would have
asked me that 5 years ago , I would have had a great question. I
don't think so any more. We now realize the damage that can be
done-sometimes irreparable damage that can be done to very sig
nificant operating procedures at universities, so I think sometimes
we would almost be up front doing that.
Mr. HUGHES. I was interested in something you stated in your
prepared text. You indicated that penetrating an academic comput
ing system is not particularly difficult for a skilled and determined
hacker, I think that is the way you put it. I am of the impression
that sometimes even an unskilled hacker can do a lot of damage.
Mr. MILLER . I think that is true. When you are talking about a
skilled hacker, I guess you are talking about how secure the system
is and how difficult it would be to penetrate the various levels of
operation of the computer. I think in many instances, you would
have great differences between those abilities and those possibili
ties
But you are right; sometimes at certain levels, you wouldn't have
to be very skilled to get some of this done. I am convinced , Mr.
Chairman , that sometimes we have given too much intellectual
credit to hackers , and maybe that is a point we are making togeth
er, that that is part of the aura, I think, and it is part of the halo
we have almost given some of these, especially young people, and
we say, " Aren't they bright because they know how to do all of
these things?” I don't mean they are below average intelligence
and some of them, indeed, are probably quite intelligent - but
someone with a lot of knowledge and skill with a computer - it may
not be related necessarily to high intelligence - could do a lot of
damage to a whole operation system .
 217

We, along with, I think, the popular media, have really almost
made thosepeople intellectual giants because they have been able
to do this. I am not sure that is really one of the necessities.
Mr. HUGHES. I gather from your prepared text and your oral
statement that you, too, feel the incidence of computer crime - and
that would include electronic transfer - is going to be on the up
swing and that as we see more and more personal computers - I
cited a figure 80 million computers projected by 1990 — that would
suggest that the problem that looms ahead of us is huge. This com
bined with the easy access that is often available, thepotential for
criminal activity would make the usual bank robberies pale by
comparison.
Mr. MILLER. Absolutely, and I think that is why we feel you are
on the right track , that something has to be done.
Also, Ipoint out in the paper, and I think everyone would know
this, there is no way of making a computer completely secure. Not
unless you keep track of every single user and have a check on the
user, and then that cuts down on the efficiency of the system and
you have lost the whole benefit you should have, at least in the
educational institution .
So these things can happen ; they will probably continue to
happen , but it appears to me that if there is legislation on the
books and the public knows about the legislation and knows about
the punishment and is put in that kind of perspective, at least
people will no longer think of it publicly as a game that people
should be trying.
I think it would change the whole psychological image of an indi
vidual who then still wants to be a computerhacker. Ithink that it
will be one of the big benefits of legislation like this.
Mr. HUGHES. Thank you .
The gentleman from Michigan.
Mr. SAWYER. Just as a matter of curiosity, what kind of informa
tion was in this computer that was accessed?
Mr. MILLER. The academic computer-it was primarily a working
computer for the academic side and for faculty and graduate stu
dents. A lot of the faculty had lesson plans in there; had grading in
there; had some of their own research there. The graduate students
had most of their research there. It was that kind of computer, not
the permanent storage of university records, but more the working
part of the academic side.
We still run onto people who are going back and using their re
search data and still wondering — you know , this is the long-term
result-still wondering, you see, if anything might have happened
to some of that information that was there.
We are now convinced that probably nothing did, but there is
always the question now every time you draw something up from
that computer.
Mr. SAWYER. When they access it like that, can they change
things in it ? I don't understand much about this technology.
Mr. MILLER. Yes, yes , they can change it and they can completely
wipe it out. They could have spent enough time wiping out what
2,900 computer users had put in that machine.
Mr. SAWYER. Did you find out who the people that actually ac
cessed it were ?
 218

Mr. MILLER. No. No, we know the television, but they have pro
tected their hackers. I was going to give it a worse name, but their
hackers.
Mr. SAWYER. I can see, particularly as the chairman mentioned ,
when we get highly developed in this electronic transfer of funds
and everything,we could have some horrendous problems, and of
course, with some of the national computers, I am sure we could,
too.
Mr. MILLER. Oh, absolutely. Of course, laws here would help
interstate and Iowa is working on a law now, and it seems to be
moving along reasonably well, that would help us within the State,
also .
I will mention that I think what happened at Drake has moved
that bill along quite rapidly because everybody became very aware
of some of the potential problems. There are still people who don't
want to take it seriously and frankly, I think those are the people
who really don't understand very much what computers are doing
these days and what the use of computers really allows you to do
and what really is stored in the computer.
They think of it, you see, as more of a television game where you
are using the computer access or something — or as I mentioned in
my paper, you know, they think that it is kind of a fad like streak
ing. I must say to you, as an observant college president, streaking
was much more fun to me than computer hacking. [Laughter.]
Mr. SAWYER. Well, particularly when you alsotake into account
that a good deal of our national security and defense material and
everything is all in computer programs that could be accessed, I
guess. I suppose none of them, if they are going to be used, can be
100 percent secure.
Mr. MILLER. Not 100 percent, but of course, there are computers
where you can make them more secure than others and you can
limit access more than others. My guess is that among the most
venerable would be the academic computers because they are there
for that reason, to encourage learning and to encourage research
and to have access. So we may be the biggest game in town some
times.
By the way, a lot more of this has happened, I am convinced,
than you read about, even though you read a great deal about it. I
will give you an example of the hackers and Drake University.
We were almost hoping at first that there would be no publicity
about it. Now that sounds wierd that I am here, you know, making
public statements, but my opinion has changed greatly since that
initial happening. I know now that it must be public and we must
make these things known and we must educate the public and find
some avenues of correction for it.
But the reason we were hoping it might not be made public is
because it gives everyone else in town the same idea . They want to
try it also to see if they can do the same thing someone else did .
My hunch is—and I know a few facts where it has happened more
at some places than you would know because they do not want it
made public .
So I think right now, it is a bigger problem than most of us real
ize.
 219

Mr. SAWYER. I am sure it is. We have had the same problem here
with the bomb situations that you never read about in the paper,
that a couple of us are aware of. There is that unfortunate tenden
cy to copycat, as well call it, on that kind of thing .
It reminds me of the kid , the young fellow who designed a work
ing atomic bomb, if you will recall here, not too far back, that star
tled everybody. It frightened them that he picked up, just by put
ting together material that was in the public domain , really, and
designed a workable bomb.
Thank you , I yield back , Mr. Chairman.
Mr. HUGHES. The gentleman from Wisconsin .
Mr. SENSENBRENNER. Thank you, Dr. Miller, for your very excel
lent testimony and I agree with practically everything that you
have said. I do have a couple of questions.
It appears that in your instance a television station in Des
Moines acted as the catalyst for the hackers to go into your com
puter and to get unauthorized information .
Mr. MILLER. It wasn't in Des Moines, by the way, I should be fair
about that.
Mr. SENSENBRENNER. OK, well, someplace else-
Mr. MILLER. Yes.
Mr. SENSENBRENNER [continuing). But that was a TV station that
did it. Have you considered proceeding against that television sta
tion civilly for the damage that it has done to the university, the
extra cost that the university has had to incur, as well as its facul
ty members and students in trying to make sure that the research
and other information that they have stored in there has not been
tampered with?
Mr. MILLER. Absolutely. Well on our way to that, and I think,
you know , I think we are going to reach a reasonable understand
ing. I hope so. It has cost us money and it has cost us time. I think
the television station realizes that. I can't speak for them, but I
would rather just say yes to answering your question.
We have given it much thought and we are busy trying to deter
mine in monetary terms what really has been involved and we will
be in touch with the station .
Mr. SENSENBRENNER. Well, I am sure we will be reading and
hearing about that lawsuit quite a bit, but I do think that that is
important; that when an agency of the news media does get in
volved as a coconspirator to illegal, unethical, and costly activity,
they ought to be forced to pay damagesjust like anyone else in so
ciety who ends up being adjudicated guilty or whatever the verdict
is in Iowa in a civil suit when damages have been caused by activi
ties like that .
The second question that I have is what kind of internal proce
dures have you impressed upon these students and faculty mem
bers who have access to the computer that they are not, under any
circumstances, to give out the code access numbers to people who
are not authorized to use the computer?
Mr. MILLER. We are checking our monitor system more thor
oughly. We are changing the form that faculty and students must
sign to get a user number, user code, and we are doing it also by a
little more public instruction, making people more aware of what
can happen.
 220

I said, you know, that one of our students was involved. No stu
dent is innocent, obviously , if this happened, and yet, the student, I
don't think, was very much aware of all the things that might be
going on from the use of that particular number, so it is a little
different situation than if we had had a student, in cooperation
with the group trying to get into the other parts of the system .
But we are making this known and we are making known the
fact that it is serious. We have treated it very seriously with this
student and I think beyond that, again, there is not a lot we can
do, but it is related to the statement I made earlier: I think we
have to clean house ourselves and make sure that we know what is
going on as much as possible and that we become more sensitive to
the types of actions we should be taking with our own group.
Mr. SENSENBRENNER. When someone gets the access code num
bers to that part of the computer that is relevant to their course of
endeavor, do you make them sign a statement that very bluntly
states that if they give out that access code number to an unau
thorized person their employment is terminated or they are kicked
out of school?
Mr. MILLER. No; we have not gone that far. We have, up to now,
threatened their loss of the computer for a period of time, which is
pretty serious in terms of their academic work, but as I say, we are
changing the form and making it a little more threatening than we
had in the past.
Mr. SENSENBRENNER. Thank you, Mr. Chairman.
Mr. HUGHES. Thank you.
Thank you very much, Dr. Miller, for a very well-balanced state
ment. I think that you framed the issue. I think the emphasis you
place in the private sector, in your sector, taking those steps that
will provide security for the computer is extremely important and
from our perspective , I think that we have got to very clearly send
a signal that the hackers are not the innocent little geniuses; that
they are basically people that are doing essentially the same thing
that those who break into a home to take property; that they are
essentially criminals when they do that for whatever purpose , to
destroy material, to access it or done in an authorized fashion. We
have to send a very clear signal to those that would do that that
they are going to be dealt with harshly.
Mr. MILLER. Thank you.
Mr. HUGHES. Thank you much.
Our next witness is Mr. James Falco, who is an assistant State
attorney from Miami, FL. Mr. Falco graduated from Villanova Uni
versity Law School in 1968. After graduation, he entered the De
partment of Justice's Honor Program as a trial attorney in the
antitrust division, where he stayed for some 5 years. He then spent
some 3 years as counsel with the Subcommittee on Monopoliesand
Commercial Law of the Judiciary Committee, at a time, when I
might say, that I served with him. It is good to see him again .
From 1976 until 1979 , he was a trial attorney in private practice.
From 1980 to 1982, he taught at Temple University during which
time he received an LLM degree from Temple University.
Since 1982, he has been a special prosecutor in Miami, FL. Mr.
Falco, we are just delighted to welcome you before the Subcommit
tee on Crime. We have your very complex, comprehensive, and I
 221

might say, complete statement which will be made a part of the

record in full and we hope that you can summarize.
Welcome . It is good to see you.
TESTIMONY OF JAMES FALCO, ASSISTANT STATE ATTORNEY,
MIAMI , FL
Mr. Falco. Chairman Hughes and Congressman Sawyer, it is a
pleasure to be here today. I extend the apologies of Janet Reno, the
State attorney from Miami, who couldn't be here, but it ties in,
perhaps, before I summarize , with something you said, Chairman
Hughes. Florida enacted the first Computer Crimes Act in 1978, so
we don't think there is a new type of criminal who is only one step
ahead of us. Our planning, for example, tonight, which has been
planned for some time, we have all 175 prosecutors going through
computer crime training with a computer audit partnerfrom one
of the big accounting firms, so Florida has been into the business
for some time, and I hope to summarize the statement right now.
As I understand the scope of my invitation and Ms. Reno's to tes
tify today, as I understand it, is twofold : To present the views as a
State prosecutor, who in 1983 prosecuted a computer fraud crime
under Florida's extant computer crime legislation; and second, to
share the experiences and insights gained as a State prosecutor in
fully readying a computer crime case for trial that included a post
plea sentencing evidentiary hearing.
I would note that the focus — I am not addressing credit card leg
islation, but Florida has had the lead in that, also. We have at
least one major credit card fraud prosecution underway right now
in which we were assisted by the Secret Service, which is also cov
ered by part of your bill.
My experiences in learning in this area of criminal activity have
convinced me about the unquestionable need for and propriety of
Federal computer crime legislation. Most of the elements of my
statement are taken from the public records in the Miami prosecu
tion, The State v. Diane Smith Torres.
I would point out that one of the factors that involved a comput
er operator in Miami illegally accessing a computer in the Miami
field office of ConnecticutGeneral Life Insurance Corp. One of the
statements in my - reasons for my saying we need Federal legisla
tion - I included a geographic exhibit of the 25 field offices of Con
necticut General that were potentially involved in the case and
there were over 2,000 terminals involved and includes 25 officers.
I think the geographic display in exhibit 4 of my statement
shows you why I think it is a nationwide problem and the problems
that confront the prosecutor who gets involved in any type of com
puter crime, and I might add, credit card fraud and the counterfeit
ing of credit card fraud, with its national and international aspects,
as we found out in Miami.
Diane Torres — when the case was referred to me in January,
1983, there had been considerable investigation in-house by the
Computer Security Team and the Computer Audit Team Con
necticut General in Connecticut and they had just about nailed the
case and came to Miami to make the arrest and present their case
-

38-178 O - 85 15
 222

to us after they had interviewed Diane Torres to ascertain the

statement of their facts.
One of the reasons why Federal legislation is needed in this day
of high technology is the speed with which to act. The company in
this situation acted with tremendous speed, incurred tremendous
expenses assisting me to prepare for trial, and yet, of the $209,000
that we could prove she took , we only recovered $3,000, so there is
something else you have to worry about: The kind of token sen
tences and then they enjoy it down in the Bahamas with the rest of
the money that they have taken that we don't recover.
Federal legislation, I think, would make the likelihood—the ur
gency more manageable in a computer crime, or, in fact, a credit
card fraud situation more manageable, reduce injuries and enhance
the likelihood of successful prosecution. In Miami and in south
Florida, we have unique Federal and State cooperation, as I am
sure you know, in our joint task forces, so I am well aware of per
haps the shortcomings under which Federal prosecutors in south
Florida are trying to act against credit card fraud and computer
crime in the absence of Federal legislation.
In fact, in my statement, as I have told you, I think one of the
reasons you need Federal legislation is that the very existence of
the statute becomes a “ power on ” switch for the prosecutor and
without it, you don't have any power on. The Federal prosecutor
needs to be aware of it.
Toward the end of my statement, I would like to - I brought up
what happened just recently in Florida in a Federal case and
would like to mention it just to show you-to keep the balance be
tween my statement.
One of the problems is quantifying how much computer crime
exists in the Nation right now , and the problem in the Federal
system and in the 30 States that have not enacted Federal comput
er crime legislation. They don't know what to callit; they are not
classifying it, but in the Federal system in Miami, we just had a
U.S. customs officer illegally accessa computer of the Federal DEA
and then took narcotics surveillance data and sold it to drug smug
glers.
There was a trial and there was a conviction, but she was not
tried under computer crime because there is no Federal law; she
was under archaic laws and when the time camefor sentencing, all
she got out of it was 6 months' confinement with custody at night
and a $ 15,000 fine. I am sure if you asked the DEA people and the
drug surveillance people and the narcotics undercover agents and
all the rest of the house that Jack built when you get into narcot
ics, the kind of problems that were facing the Federal people in
Miami, and I was very grateful that when we bring computer
crime cases, we don't have to labor under the shortcomings and the
hardships that the Federal prosecutors have to do in south Florida
and elsewhere.
I would like to mention that one of the things about the need for
Congress to act is to get the corporations on board. In my case , it
wasvery unusual, asI will discuss later, to have the corporation
spend ail of the money through its computer security people and
its computer audit personnel and then make them available to me
at my convenience throughout the preparation for trial. It was a
 223

tremendous help from Connecticut General and I think, as they

were later commended, for our Nation for perhaps taking a unique
corporate act.
IthinkCongress needs to encourage that from the other corpora
tions, as I will talk about. I made a recommendation for an amend
ment that, since the bill doesn't talk about the uses of mails, but it
talks a lot about interstate commerce, I think there should be an
amendment to include use of the mails. The checks, in my case ,
were mailed from Connecticut to Miami , so we had the kind of
interstate mail, but the updating of the mail-fraud statute from the
days when the Pony Express kind of robbery was the threat, that
the Federal Government faced to the kind of threat that it faces
now , you need, perhaps, the intrastate mailing, which would give
Federal jurisdiction on, perhapslike Dr. Miller's intrastate comput
er system , and perhaps have a Federal crime.
I think the use of the mails should be included as well as your
nexus of an effect on interstate commerce .
One of the problems, as I mentioned, was that when the case was
presented to us, there were numerous instrumentalities of inter
state commerce involved in the case that was presented to me.
Being an ex -Federal prosecutor, one of the first things we decided
was, should we turn this over to the Federal people because of the
potential geographic scope and the expenditure of resources that
were likely toconfront us?
Of course, after inhouse review with our seniors, especially Ms.
Reno, we decided that since the Federal Government didn't have a
statute, it was kind of silly to try to turn this over to the Federal
prosecutors. One of the other things I did do was talk to the Feder
al prosecutors, and they were trying to carry through one of their
bootleg computer operations since there is no Federal statute under
either mail fraud, wire fraud, or one of those other antiquated stat
utes, but they are not in the position to help us prepare for a case.
I also contacted the FBI and I was informed that they had only
one computer security specialist in the Nation. That person was in
California and unavailable to help the State of Florida prosecute.
I would like to return to the FBÌ later, and perhaps the role they
can play historically in nationwide enforcement and the Federal in
terest is having uniform enforcement. I would point out that Iowa,
like Dr. Miller , doesn't have a computer crime statute, and Florida
doesn't take the position that hackers are joyriding teenagers. We
treatthem as felons if they are prosecuted under Florida law, and
they have been eligible to be convicted as felons since 1978.
I did want to put one footnote in, that, as you know, Congress
man , my background is in English literature and law and not on
computers. As I told all the computer experts I dealt with, I can't
even spell IBM , so it is one of the coups, I think, of Connecticut
General and their staff that they brought me on board and that we
were ready to prosecute and announced ready to the court after ex
tensive investigation, pretrial discovery and all of the rest that
goes into that, with its subsequent extensive sentencing hearing.
One of the reasons, I think, that you need—I have mentioned,
one of the reasons you need Federal legislation is there is a wide
spread belief out there, mainly written by nonlawyers, that in
order to prosecute a computer -crime case or a counterfeit credit
 224

card case, you need some type of engineer / lawyer. My experience

was, and in fact, we filed our secondcomputer crime case 2 weeks
ago, and we have a third major one under investigation right now ,
is that you don't need that and that the literature has confused the
roles of the lawyer and the expert witness and that if Congress
took the position, they would be able to bring this onboard and say
it is not too complex for lawyers to try nor too complex for juries to
reach a verdict on.
At least, we feel that way in Florida, and I think we are increas
ing. I might add that in Tampa, we have another major - not " we, ”
not out of Miami, but Tampa has a major computer -crime trial
under way as of this week, I believe.
So, I think the literature itself has been a deterrent to enact
ment of Federal computer -crime legislation about the unique quali
ties of a prosecutor, that you need to have. I am not reticent in an
nouncing that I can't spell IBM, but I think I was a good prosecu
tor, and once I was able to communicate that to my computer in
dustry people, they were easily able to deal with me in any way
that a lawyer is able to deal with an expert witness in any field .
I mentioned the FBI. I would like to digress for a minute on
them and I did deal with them. The FBI does say and take the posi
tion they have been involved with computer crime in some way
since 1970, which is true — which is a little bit true and a little bit
false, and that since 1976, at the FBI Academy in Quantico, they
have been training State personnel, including people from the
Miami office, but that is true, again , only in a limited sense.
If you remember that the first Computer Crime Act was in 1978
in Florida, you can see the thrust of whatever FBI involvement is
in its cooperation with the State is not toward effective, efficient,
and multiple computer -crime prosecutions.
I would point out that the first computers that came into use
were Federal in 1970, so you didn't have for 25, 26 years FBI in
volvement until the Federal Government's own computers had
been on the street subjectto illegal access for over 26 years and in
my opinion, they arestill vulnerable to access, which is one of
the - as Congressman Sawyer pointed out, the kind of information
and data that goes into Government-owned computers or Govern
ment-leased computers and all of the computers in the military in
dustrial complex to which the Government necessarily relies,
which, fortunately, State prosecutors don't worry about.
I would point out, too , that how much I know that one of the
questions that faces you is how much computer crime, and I would
point out that, of course, this committee, and probably this subcom
mittee is used to oversight hearings with the FBI in which they are
able-since there are Federal statutes in existence, they are able to
quantify the data and you are able to measure both the FBI effec
tiveness in enforcement and the Congress' validity in enacting the
legislation. But that is all skewed data since there is no ability to
quantify the data and there is no statute for which this subcommit
tee or the Congress can hold oversight hearings and elicit the kind
of quantifying data that you need to answer the question if it is put
to you, how much computer crime exists in the Nation.
Other factors that I think explain the lack of prosecution in the
Federal System, and in the 30 States that have not enacted—the
 225

minds of the judges that you have to confront. There are barriers
to prosecution that arisein the minds of judges when they get a
high -technology case and I have quoted several of them in my
paper and won't bother to repeat that right here.
These judicial barriers are considered by prosecutors and have
impacts on the discovery, pre-trial conference, the trial and plead
ing stages, and of course, the crucial sentencing phase of any com
puter crime case . In my case, the woman was eventually sentenced
to 7 years out of a possible 15 on the computer crime case, and she
received two 5 -year concurrent terms on the insurance fraud and
the grand theft with which she was charged. There is no way that I
would have been able to have gotten a good sentence in this case
against the mother of three with no prior record without a statute,
without legislative findings and extensive legislative history in the
reports that I was able to use at the sentencing hearing to turn
around what I think was obviously in the state of the mind of the
judge at that time.
But with the backup of the Florida legislators, I was able to get
what I thinkis considered probably the stiffest sentence in comput
er crime in the Nation . It is all due to one of the cosponsors of this
bill, by the way, Congressman Nelson, who was a legislator from
Orlando and wrote the bill for Florida, which I-in 1978, which I
prosecuted in 1983.
The way I feel, and as I have documented in my paper, I believe
a complete raison d'etre for this bill can be found in trying-the
Congress can provide guidance to judges in the Federal System on
interpreting and applying Federal law in complex white -collar
crime cases. I think, without renewing it, I obviously think there
was a mistake in Miami in the Customs official case when illegally
accessed narcotics surveillance data is sold to drug smugglers and
there is no stiff sentence at all in there, and that the absence of
legislative direction is critical .
I have taken the position in my paper, and I have enumerated at
least five or six reasons why I believe computer crime not only
exists, but it is also the most underreported of all crimes in the
Nation. According to one researcher, the first detected case of com
puter fraud occurred in 1966 in a bank case in Minnesota . I would
take the position that that was the first time in which a computer
crime was reported by corporate officials to prosecutors for enforce
ment, because, as I have documented, and Dr. Miller also indicated,
the victims of computer crime do not like to have publicity . Histori
cally, they have taken measure to suppress publicity and do not
want the public to see that crimes have been committed.
It has been said that corporations, and I do not mean to pick on
corporations, but I believe that personal computers, Government
computers, academic computers and commercial computers are all
subject to the same problem of the insider and the lack of due pub
licity, but one of the deterrents has been the so -called unwritten
law of business that corporations should absorb the loss, if only an
individual has been involved in an embezzlement, but if it is a con
spiracy, then the corporation can go public because then somehow,
magically, they are absolved from some kind of stigma.
This unwritten law persists and in my view costs the American
public enormous financial losses. In the Torres sentencing proceed
 226

ing, for example, one of the State's witnesses was its chief investi
gator for the Statewide Florida Insurance Fraud Division , who esti
mated that $ 1 out of every $4 of insurance premiums paid in Flori
da was assessed by insurers to pay off fraud and insurance fraud
and computers are being now used rapidly to escalate insurance
fraud frequency and thetype of financial injury with each type of
insurance fraud.
Without being able to disclose it, another one just hit my desk
and I just reviewed it this week. As everybody becomes aware of it,
more and more could be pinpointed with some type of remedy
sought.
I take it as a given that business entities are not reporting com
puter crimes, even when the crimes are detected. In my case, after
the case was over, a computer industry publication editorial recog
nized Connecticut General's decision to go forward with the case
and report it to public officials as an unusual aspect of the Torres
case. I have presented the entire editorial for your consideration
and it does tell you how unusual that the unwritten law discussed
in the business sphere of adverse publicity exists and is true. In my
opinion, these are two separate and independent factors that the
Congress has to consider.
The third factor that contributes to underreporting is the shock
and depression that top corporate officials, and I might add, Gov
ernment officials understandably feel when informed that a trusted
employee has abused the position of trust.
This is not confined, asyou know , Congressman, to the tradition
al perfidious employee of agency, but when you bring 20th century
technology to the perfidious employee, you have almost a kind of
Star Wars type of threat to the institution whose computers have
been illegally accessed .
Another factor is a belief that corporate computer personnel are
deterred from committing computer crimes by the very nature of
their calling. I consider this an outmoded, if ever accurate, belief
that has been expressed by agencies such as the National Chamber
of Commerce, that the mere possibility of exposure represents a
real threat to the computer criminal. That was written in 1973; it
is still written as doctrine 3 years before the first computer act,
and it was outmoded, I think, even when printed, and has never
had any reality today.
Corporate managers, as I have talked about — the threat today is
only 3 percent of them are trained. It is estimated that by 1990, 65
percent of them will be computer -literate and computer users.
These people are trained as risk-takers. They are trained to take
the risk if the reward is high enough and the rewards of computer
crime are truly high enough. This subcommittee, I know, has re
ceived reports of the staggering amounts of money that have been
taken through computer crimes nationally and internationally,
which make my $209,000 case look penny ante by them in compari
son since the average estimate, as I understand it, of computer
crime take is $415,000.
Translated, though , you might remember, in my case, that is the
equivalent of 21 burglaries, which gives you some kind of another
yardstick to measure the gravity of computer crime.
I will keep on going, Mr. Chairman, if this summary is helpful.
 227

[ The statement of Mr. Falco follows:)

STATEMENT OF JAMES F. FALCO , ASSISTANT STATE ATTORNEY, CONSUMER FRAUD AND
ECONOMIC CRIME DIVISION, 11TH JUDICIAL CIRCUIT OF FLORIDA
Mr. Chairman and distinguished Subcommittee members, I appreciate the oppor
tunity to comment concerning H.R. 5112, a bill to amend title 18, United States
Code, and having the short title of the, " Counterfeit Access Device and Computer
Fraud and Abuse Act of 1984 ” .
At the outset I should make it perfectly clear that I am testifying solely as an
individual prosecutor in oneof thespecialprosecution units within one of Florida's
State Attorney's Offices; and, that may remarks do not constitute an official state
ment of the State Attorney of the Eleventh Judicial Circuit of Florida or any public
official thereof. However, as one the House Judiciary Committee's ex -staff attorneys,
I do take a personal pleasure in appearing here today.
The scope of this distinguished Subcommittee's invitation to testify today is, as I
understand it, twofold: (1 ) to present my views, as a State prosecutor who, in 1983,
prosecuted a computer fraud crime under Florida's extant computer crime legisla
tion and , (2) to share the experiences and insights gained as a State prosecutor in
fully readying a computer crime case for aa trial that included a post-plea sentencing
evidentiary hearing; as aids to definingthe contents of proposed federal legislation.
Since my experiences and learning in this area of criminal activity have convinced
me of both the unquestionable need for and propriety of federal computer crime leg
islation, I am truly pleased to respond today to this invitation by the Subcommittee.
The enclosures to my statement are taken fromthe public records in this State
prosecution, The State of Florida v. Diane Smith Torres. 1 A summary of the Torres
case would , I think, not only make my statement more intelligible to this Subcom
mittee; but also, the Torres case's procedural, criminal discovery , evidentiary, sub
stantive, and sentencing phases; all confirm the need for federal computer crime
legislation.
Early in January 1983, The Miami Herald ran a story reporting the arrest of a
female insurance company computer technician for grand theft involving sums in
excess of $ 100,000.2 The arrest had been made, the newspaper reported, by special
agents of the Insurance Fraud Division of Florida's Department ofInsurance, a spe
cialized unit in that regulatory agency with statutory powers and duties that are
not commonly found inthe other forty -nine States. The involvement of non-pros
ecutor specialists within Florida's Insurance Fraud Division at the investigation and
arrest stages of the prosecution could not have occurred in most other States since
the latter have not created such insurance industry specialists as Florida has nor
borne the expenses and costs thereof.
The short newspaper article tangentially observed that Ms. Torres was an employ
ee in the Miami, Florida, District Office of Connecticut General Life Insurance Com
pany, a subsidiary of Cigna Corporation. Connecticut General is headquartered in
Connecticut and Cigna Corporation is or will be headquartered in Pennsylvania.
District offices with computer terminals existing in twenty -five States!
On the basis of this newspaper article, I was assigned the case by the State Attor
ney, Ms. Janet Reno, herself . An unusual aspect of the article -arrest was that the
arrest had been made without an arrest warrant and without prior contact and /or
joint investigation with the Economic Crime Unit of the State Attorney's Office.
Procedurally, this lack of prior involvement by the prosecutor was disturbing since,
under Florida law, the State, within twenty -one days from the date of the arrest,
must charge an arrestee if bail is to be set or maintained; and, in any event, no
later thanthirty -five days after the arrest with the arrestee on his or her own re
cognizance during the period from the twenty-second through the thirty -fifth day
after the arrest when the charging instrument is not filed on the twenty -first day
after the arrest.
Thus, from the prosecutor's point of view, the clock had already commenced run
ning for the period in which to decide with which crimes to charge the arrestee. As
this Subcommittee knows, the probable cause to make an arrest specified in a war
rant and the recitals of crimes committed in an arrest warrant; do not restrict the
prosecutor's discretion as to the crimes to be charged at arraignment. Crimes listed
on an arrest form or warrant actually have significance only with respect to the
amount of bail to be imposed shortly after the arrest on the warrant is made.

1 Case No. BO - 883-432, Circuit Court, Eleventh Judicial Circuit of Florida, Dade County.
2 The Miami Herald, January 8, 1983, p. A5, col. 4.
3 Florida Statutes (F.S.) 626.989.
 228

In addition to this pressure created by the running of the clock for charging deci
sions tobe made and appropriate charging instruments cleared, prepared andfiled;
an additional pressure was created by the lack of investigator and prosecutor inter
action prior to arrest, which interaction produces prosecutorial knowledge and files
of the crimes recited in the warrant, leaving the prosecutor free to use the thirty
five day period after arrest to investigate other aspects of the case and assure that
all crimes committed are properly and actually charged at arraignment. Experience
has shown that this thirty -five day period is not that much of a boon for investiga
tive activity by the prosecutor in a case involving street crime; but, the opposite is
true in a case involving economic crime because of the nature and complexities of
economic crimes themselves as well as the nature andbackgrounds of the perpetra
tors of economic crimes too. A third pressure of the Torres arrest was the normal
one triggered by Florida's Speedy Trial Act, which gives the State one hundred and
eighty days from the date of arrest to try the case or else be barred therefrom .
The lack of communication between the government's investigator and prosecutor
prior to arrest; and, the build-up of pressures on prosecutorial discretion ; now both
seem avoidable or attenuated if federal law enforcement personnel were involved .
Most importantly, however, as discussed more fully below , the Torres case demon
strated how quickly law enforcers must act when high technology crime is involved .
Federal legislation would make this inevitableurgency more manageable; reduce in
juries; and, enhance the likelihood of successful prosecution.
When I actually received the file, including the arrest report, I learned that Diane
Torres had been arrested on a single count of grand theft; that she had been re
leased on $ 1,500.00 bail; and that she had supposedly given a confession to special
agents of the Insurance Fraud Division. Upon contacting the Insurance Fraud Divi
sion, I was informed that, in reality, the entire investigation had been performed by
Connecticut General employees in both the computer audit and the computer securi
ty units of that private company; that the computer was located in Connecticut but
that the computer terminal used to effectuate the theft was in Miami; that the
entire investigation but for events occurring on the day of arrest, was conducted in
Connecticut; that most of the evidence and all of the victim corporation's computer
experts were situated in Connecticut also; and, that, the the accused had not given
one confession but two: the first had been given to Connecticut General computer
security and Miami District Office personnel and only hours before the arrest;and,
a subsequent, second confesssion that was given to Florida Insurance Fraud Division
agents. The checks that Torres had cashed had been mailed from Connecticut to
Florida automatically as a result of the false and fraudulent inputs that had been
made by Torres from her Miami computer terminal.
Upon ascertaining that instrumentalities of interstate commerce and the use of
the United States mail were involved in the crimes for which Ms. Torres had been
arrested, I undertook a review of the situation with my seniors in the State Attor
ney's Office. The issue, of course, was whether Ms. Torres would be more appropri
ately prosecuted by federal law enforcement officials. For many reasons, including
the usual legal, practical, and political questions that inevitably arise in determin
ing whether a criminal has simultaneously committed both federal and State
crimes, the decision was made to proceed with a State prosecution.The predominant
reason underpinning this decision were the facts that Florida had State legislation
specifically creating computer crimes and that the federal government hadno com
parable or equivalent legislation. A copy of Florida's Computer Crimes Act of 1978,4
is attached as enclosure 1 to my statement.
It was a result of this review with senior officials in the State Attorney's Office
that I learned that Florida had computer crime legislation. As Alexander Pope
wrote centuries ago, “ A little learning is a dangerous thing.” My new "learning”
was a source of great anxiety for me since I had degrees in liberalarts and law and
not in engineering and the sciences. Throughout the case , subsequently, in any com
munication with computer specialists and experts, I would early on advise them of
my ignorance in their fields by declaring that my knowledge of computers was com
pressed into the admission that I could not even spell “ IBM ” !.
I mention this to the Subcommittee today because my initial uneasiness is reflect
ed in the legal literature addressing computer crimes. My research has led to the
conclusion that one of the reasons that, despite widespread and serious computer
crimes, there are few and rare computer crime prosecutions, is the mistaken belief,
created or reenforced by legal literature on the subject, that successful criminal
prosecutions require highly skilled lawyer-computer experts. My experience indi

4 F.S. 815.01-815.07.
 229

cates the contrary but I urge this Subcommittee to consider these present beliefs as
further reasons for enactment of federal computer crime legislation; namely, to
dispel this deterrrent to prosecution and to place the relaistic, “ probability of suc
cess" factor in a computer crime prosecution into a proper prosecutorial perspective.
As I shall endeavor to present to you today, there are additional reasonswhy perva
sive criminal offenses are both under -reported and under -prosecuted.
H.R. 5112 does not make reference to the use of the mails. Perhaps an amend
ment to H.R. 5112 would be appropriate for offenses involving use of the mails as a
result of interestate computer inputs; and, to clarify that the modern and clear fed
eral computer crime statute is to be utilized and not the antiquated and ambiguous
federal mail statute.5
I would like to stress that, in the internal review within the State Attorney's
Office that I have mentioned, the determinative factor was the very enactment of
specific legislation by Florida's legislators. This, of course, reflects a fundamental
truth in both the federal and the State systems of criminal justice, that, from pros
ecutors' perspectives, the existence of a specific criminal statute is a “ Power On ”
switch . The absence of such a "Power On" switch in the fedeal system and in a ma
jority of the States is, I'm confident, another reason that explains the under-pros
ecution of pervasive crimes against or using computer systems in both systems of
criminal justice .
After the decision to charge Diane Torres with computer crime and insurance
fraud in addition to grand theft, I contacted federal investigative agencies and feder
al prosecutors in South Florida for the purposes of borrowing from these sources
that knowledge and confidence that would be required to put a successful computer
crime trial together. I met with the Assistant United States Attorney that was han
dling a computer crime investigation and was informed that a federal case , if any,
wasyears away. No guidance was, thus, available from this source; and, in truth,
my judgment was that, despite my own personal shortcomings to qualify as a com
puter crime prosecutor, Florida was light years ahead of the federal criminal justice
system .
I contacted, also, the FBI, in Miami. I was advised that the entire agency had a
single computer crime expert who was on assignment in California and, thus, un
available to counsel, guide, advise, etc., for a long, long time, if at all. The FBI, in a
sense , has been involved in investigating crimes which are computer related since
the early 1970's; and, has offered some training to State law enforcement personnel
at the FBI Academy in Quantico, VA, since 1976. Without federal computer crime
legislation, the FBI, like others, can neither provide data as to the amount of com
puter crime in the Nation nor provide the Congress with the data usually supplied
it in legislative oversight hearings on the effectiveness of federal enforcement ef
forts in controlling or reducing specific types of crime. If H.R. 5112 were enacted,
the FBI's role and leadership in computer crime law enforcement should rapidly
expand with apparently little increase in expenditures or resources over those al
ready in -place. As in stands, however, the FBI has toolittle that is already too late;
and, is without a congressional mandate to assist the States. Moreover, the inability
to quantify the amount of computer crime is a particularly unfortunate and hidden
barrier to the enactment of federal legislation to cure a national problem that needs
a nationwide uniformity of enforcement effort to combat.
In addition to the lack of a legislative Power On switch; prosecutors' appraisals of
lack of success in prosecuting computer crime; and, the myth that prosecutors of
computer crime must be lawyer-engineers;6 which I have already discussed as fac
tors explaining the lack of prosecution in an area of widespread crime; added rea
sons for enacting federal computer crime legislation is found in the need to elimi
nate barriers to prosecutions that arise in the minds of judges.? These judicial bar

518 U.S.C. 1341 .

6 But, see, e.g. Nathaniel Kossack, Presentation Before the National Computer Conference,
June 6, 1979, p . :
2:
" It is enough for the litigator to know the basic functional elements of a computer system- (1)
the input devices, e.g., punch card, (2) Memoryor storage capacities, (3) processing orcomputing
abilities, and (4) output devices. The makeup of elements of these functions should be familiar to
the litigator because he must test each of these functions to support or oppose the validity of the
data , i.e., the evidence ."
7 For example, consider the quote from United States District Judge Joseph Weis, Jr.: “ There
are a lot of meat-and- potato lawyers out there who haven't heard of videotapes and they still
haven't heard of them . . . Lawyers andjudges still think of the old -fashioned way of doing
things. We can become completely baffled by this new technology .” Article, "Computing the Evi
dence", 69 A.B.A.J. 882,883 ( July , 1983 ).
 230

riers are both considered by prosecutors and have impacts on the discovery, pre -trial
conferences, trial/pleading, and sentencing phases of a computer crime prosecution.
In my opinion, a complete raison d'etre for H.R. 5112 can be found in the guidance
that Congress would give judges in both interpreting and applying federal criminal
law; and, not just in the area of federal computer crime law. I willhave more to say
on this subject later in my statement.
Returning to the Torres case for a moment, I would like to touch upon the confes
sion aspects of the case . I have been asked, for example , by newspaper reporters
why I went to the trouble of preparing the case for trial on all three Counts when I
had two confessions from the accused . First, as you know, a conviction for a crime
cannot rest wholly upon the confession of an accused. Secondly, no prosecutor that I
know, federal or State, relies completely on a confession for whatever values a con
fession has because ofthe seemingly ever changing contitutional law relating to the
suppression of confessions. Thirdly, itis far to easy for a person of confessions. And
this contingency materialized in the Torres case.
In her first two confeesions, one to corporate personnel and one to Insurance
Fraud Division agents, Diane Torres confeesed and explained that her motives arose
from gambling debts of her father and threats of life from both gamblers and loan
sharks. Months later, at the protracted sentencing hearing, DianeTorres was one of
four defense witnesses. Under oath , Ms. Terres repudiated her earlier two confes
sions and announced that she had committed the three crimes in order to pay off
narcotics' dealers who had supplied her herion addict brother with drugs. This repu
diation was fully explored on cross examination. Frankly, I consider myself fortu
nate that this " about face” -repudiation occurred at a sentencing hearing before an
experienced trial judge and not a trial in front of a jury.
Fourthly, however, the very existence of Florida computer crime legislation in
volved legislative mandates for me as a prosecutor which had to be incorporated
into may role as a prosecutor. And, it was quite easy for me to explain this to Con
necticut General's computer audit and computer security personnel on who I had to
rely.
From the foregoing can be distilled one of the primary and most important rea
sons for the enactment of federal computer crime legislation , namely, without such
federal legislation victims of computer crime, privatecomputer audit personnel, and
private computer security personnel will not report computer crimesto law enforc
ers in detecting, prosecuting, sentencing, and otherwise deterring computer crime.
At first blush, this may seem to be either a placing of the cart before the horse or a
paradox that does nottrigger a need for remedial and preventative federal comput
er crime legislation . But, from my view, one of the reasons that this Subcommittee
may be pondering the need for federal computer crime legislation in quantitative
terms of how much computer crime is occurring, this Subcommittee needs, I think,
to perceive computer crime as the most under -reported crime in the United States
and the reasons therefor.
According to one researcher, the first “detected case of computer fraud” occured
in 1966 and involved a Minneapolis bank.8 My disagreement with this conclusion is
that I would substitute " reported to prosecutors” for “ detected " : for more computer
crime exists and is detected than is reported to prosecutors or, even, to the press. I
would, for example, totally agree with another of this author's observations, " Corpo
rations act as ifthere were some unwritten law of business that holds them respon
sible for embezzlement losses incurred by single individuals but leaves them blame
less if such losses are due to collusion.” 9 This “unwritten law ” persists and, in my
view, costs the American public enormous financial losses. In the Torres sentencing
proceeding, for example , one of the State's witnesses was the chief investigator for
the statewide Florida Insurance Fraud Division who estimated that one out of every
four dollars of insurance premiums was assessed by insurers to pay off fraud in in
surance claims. When one considers that Ms. Torres had obtained at leasts $206,000
by inputting false medical claims or false beneficiaries of genuine medical claims
under a master group disability or health insurance program of a large corporation
insured by Connecticut General, one cannot avoid questioning how much computer
crime contributes to runaway health and medical costs that afflict the Nation? Con
sider, too, that despite a speedy resolution of a case from detection to arrest and
sentencing; only $ 3,000 of the $ 206,000 involved in Torres was recovered.
I take it as a given, therefore, that business entities are not reporting computer
crimes even when these crimes are detected. Fortunately, the usual practice did not

8 Allen, " Embezzeler's Guide to the Computer," July -August 1975 Harv. Bus. Rev. 79, 88.
9 Id.
 231

prevail in my Torres prosecution . In a trip to Connecticut to interview witnesses,

collect evidence, and to " see” the computer (and asist in gaining a personal under
standing of the computer (system involved), corporate officials confirmed that, fol
lowing an internal corporate review of reports received from computer security
teams, a major decision involved whether to inform government law enforcers of the
crimes that corporate personnel had detected . After the case was over, a computer
industry publication's editorial recognized Connecticut General's decision to go for
ward with the case and report it to public officials as an " unusual” aspect of the
Torres case :
“ Three unusual things happened in Florida and Connecticut recently-three things
that should always happen when a company falls victim to a computer crime but
usually do not.

" When Connecticut General's internal investigation departments discovered the

fraud, they went directly to Dade County officials. Unlike many companies that be
lieve it is unwise to open themselves to adverse publicity, Connecticut General had
the courage to come forth with its discovery ." 10
A point that I want to stress here-at is that the “ unwritten law” discussed above
and business fear of “ adverse publicity ” are two, separate and independent, factors
that contribute to the under -reporting of computer crime. A third factor that con
tributes to underreporting is the shock and depression that top corporate officials
understandably feel when informed of the “ trusted employee" who has abused his
or her position of trust. Again, in Torres, I was most fortunate in having top man
agement experience these normal reactions but who did not permit these human
reactions to paralyze company reaction . I call these normal reactions “ insider ef
fects ” in recognition of the diverse harm a perfidious employee / insider wreaks.
Another factor contributing to the under-reporting of computer crime is the belief
that, despite the enormous temptations to use or abuse computer systems for rapid
and substantial illegal gains, corporate computer personnel are deterred from com
mitting computer crimes by the very nature of their calling. -This outmoded-if ever
accurate-belief has been expressed in this manner: “ the 'possibility of exposure rep
resents a real threat to the computer criminal, who has an investment in his profes
sional life that would be ruined if his acts become known to his associates'. " 11
I have been dwelling on the under-reporting of computer crime because of my per
ception that computer crime legislative history should focus on corrupt “ insiders”,
this is, “ insiders” of the computer systems covered by H.R. 5112. This may jar with
recent headliness concerningpre -teen and teen -age “ hackers”. For example , " Crack
ing down on computer tampering will also require more vigilance from law -enforce
ment authorities, many of whom are unfamiliar with hacker subculture and the
damage that malicious hacking can cause. ”' 12 Again , this friction may derive from
the inevitable conflict of perception that a prosecutor has a situation that a newspa
per reporter has when examining the same subject for newsworthiness. In fact, the
recent headlines about juvenile “ hackers” that treat these computer criminals as
merely wayward, innocent harmless youths rather than as criminals, is but a recent
variation of media views on computer criminals. Another common examplemay suf
fice: “ The mass media seems quite willing to play a role in the creation of a myth .
This myth sees computer criminals as weird geniuses, who in some way beat the
system , and thus deserve both criticism and acclaim .” 13 Thus, this Subcommittee,
I'm sure, has had occasion to wonder whether innocent teen -age “hackers” or rare
" weird geniuses” and not genuine criminals are the problem so that federal comput
er crime legislation is unnecessary. I urge this Subcommittee to pierce the publicity
and see the reality: frequent computer crimes are occurring and criminals are going
unpunished despite massive injuries and enormous losses inflicted.
" Computer embezzlement” 14 is to traditional embezzlement as a tactical nuclear
device is to a slingshot. Thus, I disagree with those who conclude, for example,
“Most computer-related crimes are, at their core, the same crimes that have been
prosecuted since the apple was plucked and Cain was banished. ” ' 15 The fact of the

10 Computerworld, April 25, 1983, p. 48, col. 1 .

11 A Handbook on White Collar Crime 69 (Chamber of Commerce of the United States, 1974).
12 Newsweek . “Beware Hackers at Play,” 42, 46, September 5 1983. See also, Time, " The 414
Gang Strikes Again ,” p. 75, August 29, 1983.
13 Becker, " The Trial of a Computer Crime", 2 Computer L.J. 441 , 449 ( 1980).
14 Allen, supra note 8.
15 Ingraham , “ On Charging Computer Crime, ” 2 Computer L. J. 429, 438 (1980 ).
 232

matter is that, in computer crime, the " culprits are usually insiders” 16 and not
teen -agers committing " joy riding” (and not car theft) or " shoplifting" (and not
grand theft). Computer crime is a “ government problem” and not a “management
problem ” as some have suggested. 17
Unfortunate, also, is the misleading, and innocent label affexed to the simplest
and most common of the four traditional categories of computer crime; 18 namely,
" data diddling”, which involves the modification of data before and during the
input phase by any person who has access to the process of creating or encoding
data ." 19
Thus, if this Subcomittee accepts thepositionthat computer crime is widespread
and incredibly under-reported, 20 then, H.R. 5112, will be seen as long overdue, nec
essary federal remedial legislation. Moreover, because of the rapid growth and de
velopment of sub-industries within the computer " industry ”, prompt enactment is
necessary to prevent engulfing of investigators and prosecutors. Perhaps a brief
comparison of legal and industry developments will illustrate my point more clear
ly.
Twelve years afterthe first reported computer fraud, that is, in 1978, the State of
Florida enacted the first computer crime legislation. Florida rejected a common non
prosecutor belief that most computer crime would fit the crimes of theft or mali
cious mischief,21 and, Florida's computer crime contains an express legislative find
ing, “ (4) While various forms of computer crime might possibly be the subject of
criminal charges based on other provisions of law, it is appropriate and desirable
that a supplemental and additional statute be provided which prescribes various
forms of computer abuse." 22 H.R. 5112 should be amended to include a similar legis
lative finding.
In any event, Arizona and Virginia also enacted computer crime legislation in
1978. In 1979, Ohio , New Mexico, Rhode Island, Utah , Colorado, and Illinois acted;
in 1980, California , North Carolina, and Michigan; in 1981, Georgia and Montana; in
1982, Wisconsin , Delaware, and Minnesota; 23 and, in 1983, Alabama.24
Industry developments forroughly the same period are shocking. In 1976, sales of
software for personal computers were virtually zero. By 1981, such sales had zoomed
to $600 million and, then ,at year -end 1982, to $1 billion. Sales for 1983 are estimat
ed at $ 1.5 billion with sales of $12 billion projected for 1990.25 With particular sig
nificance for the federal government and the federal interests that underlie much of
H.R. 5112 there are an estimated seventy -four (74) supercomputers now in oper
ation.26
Thus, sub -industries have both mushroomed and exploded. State legislatures have
been responding but in an obviously too slow pace. And, when one considers that, in
some of the States, computer crimes are misdemeanors, the added urgency for feder
al legislation on the familiar ground of a need for nationwide uniformity in resolv
ing a problem , is substantiated . Therefore, federal computer fraud legislation such
as H.R. 5112 is like a necessary updating of the federal criminal legislation against
the false personation of a Federal officer or employee that was upheld in United
States v. Barnow, 239 U.S. 74 ( 1915 ). In gaining access and/or in making entries to
computer systemsencompassed by H.R. 5112, outsiders and insiders will necessarily
be using false and fraudulant color of federal authority: federally owned computers
are a primetarget of criminals as well as spies.
In 1909, the Congress made it a crime for a person to falsely assume or pretend to
be an officer or employee acting under the authority of the United States, or any
department, or any officer of the government; and ,acting as such, with the intent to
defraud the United States or any other person . Congress also made it a crime if,
with the intent to defraud either the United States or any person , and falsely as

16 Smart, " ComputerWorld Costing Business Millions,” March 28, 1983, p. 6 .

17 E.g., Interview of the Honorable William Nelson, Computerworld, March 28, 1983, p. 6.
18 Namely, “( 1) theft of money, financial instruments, or property; (2) misappropriation of
computer time; (3) theft of programs; and (4) illegal acquisition of information,” Comment,
" White -Collar Crime: Computer Crime,'' 18 Am. Crim . L. Rev. 370, 371 (1980).
19 Id ., at 372, n. 1971.
20 The standard figure of fifteen (15) percent as the amount of computer crime reported , e.g.
L.E.A.A., The Investigation of Computer Crime 5 (1980); is, in my opinion, a gross overstate
ment; and , I would peg the figure at substantially less than fifteen ( 15 ) percent.
21 E.g., id ., at 15.
22 F.Š. 815.02 (4).
23 " IIA Backs Legislation on Computer Crime," IIA Today, October, 1983, p. 1 .
24 Computerworld, March 28, 1983, p. 6.
25 Time, June 20, 1983, p. 60.
26 Newsweek, July 4, 1983, p. 58.
 233

suming or pretending to be an officer of the United States or any of its departments

and acting under the authority thereof; any money, paper, document or other valua
ble thingis demanded or obtained from the United States or from any person , by
the person with the pretended federal authority and position. Both crimes were
upheld by the United States Supreme Court as anti-fraud legislation within the
power of Congress to prevent “ actual loss through reliance on false assumptions of
Federal authority' and, as well, “ to maintain the general good repute and dignity of
the (Federal) service itself.” 27
Florida's Computer Crimes Act, unlike H.R. 5112, makes two types of acts comput
er crimes. The modification, destruction , or unauthorized disclosure or taking of
computer data, programs, or supporting documentation is a felony punishable by
five -years, a$ 5,000 fine, or both.28H.R.5112 has no comparable provision. However,
if the Congress is concerned about damages from computer " hacking” or the unau
thorized disclosure of classified information from the computer systems within the
scopeof H.R. 5112; then , an appropriate amendment seems necessary .
In Florida, if this modification , destruction, or unauthorized disclosure is, addi
tionally, " committed for the purpose ofdevising or executing any scheme or artifice
to defraud or to obtain any property ”, then , a conviction is punishable by fifteen (15)
years, a $10,000 fine, or both.29 I recommend that H.R. 5112 be amended to conform
to the two-step, two-crimes 1909 federal antifraud legislation and present Florida
computer crime legislation. On the punishments presently authorized by H.R. 5112,
I recommend a drastic increase but reserve comment for later in my remarks. More
over , if so amended, the legislation will create in effect, a lesser included computer
crime offense for the main computer fraud offense . From my experience in Torres,
this flexibility is both indispensable and invaluable for a government prosecutor.
Having submitted testimony on the need for federal computer crime legislation
from the crime detection and crime reporting phases, I would like to turn to a need
for federal legislation from the post-arraignment or “ at trial” phases of a prosecu
tion. In doing so, I necessarily direct my attention to the jury, just as any trial
lawyer would do: the Congress creates but the jury convicts.
Through the Torres criminal discovery30 and pre-trial conference phases, the bur
geoning legal literature on the trial of computer crimes was researched . With the
exception of a truism , namely, jurors with knowledge of computer technology would
be weeded out during voir dire, 31 a virtual vacuum exists on pre-trial and trial as
pects that must take the jury into account. Two major concerns in pre-trial confer
ences in white collar crime cases in Florida are to submit, pre-trial, memoranda of
law on unusual evidentiary issues likely to arise at trial; and, to submit, also pre
trial, requests for Special Jury Instructions that are foreseeable or likely. Attached
is the Torres pre-trial memorandum of law on evidence issues in a computer crime
case. Due to the development of modern codes of evidence , many of the problems
with computer records discussed a scant decade ago , are no longer formidable prob
lems. Thus, except for certain aspects of key cases, I do intend to let the memoran
dum speak for itself at these hearings. Concerning jury instructions, however, I
would like to spend some time because my experiences in this area provide more
direct and indirect support for federal computercrime legislation.
In Florida, as elsewhere, if a Standard Jury Instruction for a crime has been ap
proved, then, that instruction must be used . Not surprisingly , no standard jury in
struction for computer crimes exist in Florida. Whatwas a surprise to me was the
absence of recommended jury instructions in all of the literature purporting to ad
dress the trial or certain trial aspects of a computer crimes case . Perhaps, prior to
now, such a vacuum is understandable ; but, certainly, one wonders how seriously
writers envisioned the likelihood of trials actually occurring in computer crime
cases. In any event, in a substantial minority of States, that time is upon us .
When no standard jury instruction exists for a crime, then, a paraphrase of the
criminal statute can lawfully comprise the jury instructions. In all federal courts
and in the majority of states where no computer crime legislation exists, if a “ com

27 239 U.S., at 80.

28 F.S. 815.04 ( 1) - (4 )(a ).
29 F.S. 815.04 (4 )(b ).
30 State discovery in acriminal case isincredibly expansive compared to federal criminal dis
covery 30 (continued). Compare, Federal Rule of Criminal Procedure 15 (depositions can be
taken of prospective witnesses only and when exceptional circumstances present and purpose is
to preserve testimony that can otherwise be lost); with, Florida Rule of Criminal Procedure
3.220 (d) (discovery depositions may be taken by a defendant at any time after the filing of the
indictment or information of any person who may have relevant information ).
31 Ingrahan, supra note 15, at 438.
 234

puter crime" case does go to trial, this means that the jury will be instructed on
paraphrases of grand theft or trespass statutes. Can you imagine how befuddled a
jury would be to " hear ” a twentieth-century case, in language as well as in evi
dence, and, then, be instructed at the close of trial on the basis of common law
(Stone Age?) statutes of trespass and larceny? Conceptually, to a prosecutor, this
necessarily must signal an adverse factor on the chances of having the jury return a
verdict favorable to the government. From a practical view of assessing juries' reac
tions, my feelingis thatjuries would feel that the crimes couldn't be that serious if
the language of the trial did not equate with the language of instructions.
In Torres, two special jury instructions were requested pre-trial and, since Florida
had computer legislation, these special jury instructions were composites of statuto
ry language and statutory definitions. From language and definitional perspectives,
very practical reasons for enacting H.R. 5112 can be adduced, it seems to me, if
trials are really wanted or expected. Copies of both special jury instructions request
ed in Torres are attached .
One of the words used in the Torres special jury instructions became a problem
during the pre-trial conference phase of the case, namely, the meaning or definition
of the word “ data ” that would be provided to the jury. This problem arose one week
before the trial was scheduled to commence and after all defense requests for a con
tinuance had been denied. Thus, from my point of view , almost the very last step
necessary for the State of Florida to report " Ready" when the case was called at
trialcalendar, seemed affected. And, it was very small step, indeed, viewed abstract
ly. However, in the frenzy of trial preparation in a major prosecution when the case
is one week from trial, even small steps get blown out of proportion and have an
exaggerated impact on the litigator.
When the enigma of the four-letter word, " data ", was raised, my initial and
record reaction was, “No problem ” . My publicreaction was based on the assumption
that either a definition in the structure had been overlooked; or, one of the many
glossaries contained in the extenisve file on computer crime that had been assem
bled in the course of the prosecution , would supply the needed definition. My as
sumption proved erroneous as I found out to my dismay in the privacy of my office
and files during a recess of the final pre -trial conference.
I panicked. I pictured the case crumbling; and, I heard, in my mind, the words
from the nursery rhyme, “ For want of a nail a shoe was lost; for want of the shoe, a
horse was lost; for want of the horse, a rider was lost; etc.”. All of this occurred
before " calm ” wasrestored : my secretary's desk dictionary contained a definition of
the term " data " . Eureka! This definition was hastily typed in at the end of the pro
posed jury instruction - where it still appears. I think this Subcommittee can sur
mise the irony I experienced at having to submit such a common definition in such
an uncommon and, supposedly , high -powered case! Well, this memory is comic in
hindsight, and , hopefully, my sharing it with you today provides an added insight
into the need for clear federallegislation so that dictionary definitions of modern
terms can be used under ordinary canons of statutory construction.
From a trial advocate's point of view, the very existence of a computer crime stat
ute is nearly as important at the start of the trial as it is at the close of one. As you
know , a prosecutor's opening statement must express a prima facie case and the
failure to do so can (and does) give rise to a defense motion to dismiss at the close
thereof. And, unlike civil practice, courts rigidly hold prosecutors to this standard.
Thus, to avoid a dismissal at the close of his or her opening statement, a prosecutor
liberally reads from the charging instrument. If the computer crime is charged in
the language of a modern statute, the prosecutor's duty to educate the jury can
properly begin with the vital opening statement. Moreover, in a computer crimes
case, the charging instrument filed in a jurisdiction with computere crime legisla
tion; could , also, probably be used during voir dire: most trial lawyers agree, the
process of " educating” a jury begins at the jury selection stage.
Certaintly if federal computer crimes legislation is enacted; and, if more computer
crimes actually go to trial ; then, the question of whata jury can absorb will certain
ly be raised. Under modern legislation such as H.R. 5112, the already unsound argu
ment that computer crime cases are too complex for juries, will receive a fatal blow .
Another advantage from the trial advocate's perspective of having a modern piece
of computer crimelegislation is the ease with which demonstrative evidence can be
prepared and admitted when the inevitable computer witnesses, private and govern
mental alike, testify. Concededly, demonstrative evidence already is fairly easy to
use at trial if the two foundational questions are properly answered; namely, (1)
Does the graph, charts, etc., depict accurately the subject of the testimony ? and (2)
Will it assist you (the witness) in explaining your testimony to the jury? In a com
puter case, however, the blueprints, schemetics, etc., will have to be simplified even
 235

further for both the jury's and the witnesses proper usage. This simplification
through composites should be approved in the legislative history if this Subcommit
tee approves federal computer crime legislation.
T'wo charts especially prepared for trial by Connecticut General computer experts
were intended to be used as demonstrative evidence when these experts testified.
Because of the plea accepted when the case was called for trial, these charges were
attached to my sentencing memorandum and used at the sentencing hearing to
demonstrate, inter alia, the scope and impact of the crimes to which Diane Torres
had pled guilty. A copy of my sentencing memorandum's two key exhibits are at
tached to this statment.
The necessity for modern computer crime legislation at the sentencing stage of a
prosecution was made perfectly clear at the Torres sentencing. This necessity has
increased in the light of Florida's new Sentencing Guidelines that took effect on Oc
tober 1, 1983. Diane Torres received seven years on the computer crime count; and
two concurrent five -year terms on the insurance fraud and grand theft counts. Had
she been sentenced after October 1 , 1983 , by my calculations, she would have re
ceived, at most, probation or twelve months. The subject of the trend to Sentencing
Guidelines and the leniency given thereunder to white collar crime is remote from
the Subcommittee's invitation to me. I cannot, digress and really confine my re
marks to two observations. Sentencing guidelines have too much input from judges
and lawyers and too little from legislators; and, samplings and statistics based on
extant statutes and prosecutions are skewed prejudicially and unavoidably against
computer crime. Florida's new Sentencing Guidelines, in my opinion, reflect these
two gaping deficiences and seriously undermine the Florida legislators' intents and
purposes in enacting modern computer crime legislation.
Legislative findings and intent expressed in H.R. 5112, and the legislative history
surrounding enactment; are both necessary for the sentencing stage of a computer
crime prosecution if a Pyrrhic victory is to be avoided . Catching and convicting com
puter criminals will be at least as difficult to accomplish as it is for other types of
white collar criminals.Typical white collar defense arguments at sentencing charac
terize the convicted criminal as both a pillar of the community and a first time of
fender, for whom leniency is appropriate and merited. Both of these arguments
were advanced in Torres; and, without Florida's computer crime statute and its leg
islative history, these arguments would have been difficult to overcome.
In Torres, the State first conceded that Diane Torres, factually, was (1) a woman ;
(2) a mother; ( 3) young (35 years old); and (4) without a prior record. However, these
" concessions” were actually illusory. It was argued to the Court that, although Flor
ida's new Computer Crimes Act was designed to detect and to deter new kinds of
serious criminals, namely, those who either use computers to commit fraud and
theft or abuse information stored in the computer system , a “ profile” for computer
criminals had been used, known, and relied upon by Florida's legislators. This com
puter criminal profile" consists of:
(1 ). An amateur rather than a professional criminal, (although the head of the Illi
nois Bureau of Investigation hasreported that organized crime has now moved into
computer crime):
(2 ). Young, between the ages of 18 and 36;
( 3 ). Married with two children ;
( 4 ). Bright and possessing technical skills;
( 5). Most often male but if female probably a key punch operator;
(6 ). In aa position of responsibility or trust within the company.
(17). May very well be disgruntled employees or one who has large debts.32
Thus, the State concluded , defendant Torres fit the computer criminal profile per
fectly and was precisely the type of person designed to be deterred and punished by
modern computer crime legislation. Instead of being an atypical felon , Diane Torres
was the felonious computer criminal par excellance. She was a predator of the com
munity and not one of its pillars.
Concerning the first offender argument, the State made the familiar prosecution
sentencing argument that no crime of passion was involved; and, a criminal course
of conduct over a protracted period of time was at issue and not a single isolated
shooting, stabbing, shooting up, etc. Diane Torres had used Connecticut General's
computers to have forty -two (42) checks, for $ 206,000, issued to her over an eighteen
month period . In dollar amounts alone, she had committed the equivalent of 206
burglaries or 21 armed robberies. Moreover, in order to gain access to the computer
to input the false data, she disguised her entry by using fellow workers' access

32 G. Miller, Prosecutor's Manual on Computer crimes 12 ( 1978).

 236

codes. Any other computer criminal would have attempted to conceal an unauthor
ized accessing in the same or similar manner. However, this Subcommittee should
note as the Torres Court did: she viewed this as concealment but, actually, on forty
two occasions, she fabricated false evidence to frame other persons, her colleagues
and co -workers. Cold-bloodedly .
I would like to make an additional recommendation for an amendment to H.R.
5112. Predicate acts for the federal Racketeer Influenced and Corrupt Organization
Act (RICO ) 33 should be amended to include new federal computer crime legislation
asa type of “ racketeering activity ”. Given the capacity computers have for quickly
inflicting substantial injuries and losses; and , given the legislative purposes of the
federal RICO legislation ; an amendment to H.R. 5112 amending the former seems
appropriate. This amendment would find support, I think, in my documentation
today for the Subcommittee of the reasons why present, pervasive computer crime is
under-reported; and, in projections for explosive growth in access to computers by
business and professional people. For example, in 1983, “ only a miniscule 3 to 10
percent of all professional, managerial, administrative and technical workers now
use computers. (Estimates vary depending on how the workers and their equipment
are defined.) International Data predicts that 65 percent of those workers will use
computers by 1990." 34
Florida's Computer Crime Act, like H.R. 5112, makes unauthorized access to a
computer a felony if such access was done with the intent to execute a scheme to
defraud. However, H.R. 5112 is much clearer in separately punishing the produc
tion, purchase, sale, or transfer of fraudulent access devices without lawful author
ity which can only be reached under State law by a dubious interpretation of the
phrase "any scheme or artifice to defraud.” H.R. 5112's specificity, moreover, depicts
more accurate federal interests, e.g. interstate manufacture, sales, transfers, etc.
Under both H.R. 5112 and State law, however, " authorization evidence" ; that is, evi
dence relating to authorized accessing of computers is " relevant” in an evidentiary
sense. I urge this Subcommittee to ensure that the Committee Report adopts
present case law 35 providing very broad standards for the prosecutor to introduce
evidence of lack of authorityto access a computer: in computer crime, as elsewhere,
proofs of a negative, such as lack of authority to access a computer, can become very
confusing during the trial and in the minds of lawyers and judges alike.36 In a
recent Miami federal case that was brought underexisting(but antiquated) federal
fraud statutes, a United States Customs Officer accessed government computers
without authority and sold the computerized secret federal intelligence on narcotics
surveillances to a drug smuggler. After trial and a conviction , the federal judge sen
tenced the former Customs officer to an incredibly lenient sentence: of spending
every night in custody for six months and a $15,000 fine. 37 It seems to me that both
an absence of federal computer crime legislation such as H.R. 5112 and a profound
confusion about genuine federal interests relating to unauthorized access of comput
erized non -commercial information and data; can be the only explanation for the
result in this recent federal case.
A feature of H.R. 5112 that further favors its enactment is a lack of definitions. It
is axiomatic that judicial interpretations are needed only for ambiguous statutes.
H.R. 5112 is clear; and, its terms are all locatable and defined in a modern, non
legal dictionary. Moreover, it seemsto me, arguments about the need to incorporate
extensive technological and technical language into proposed federal computer
crime legislation erroneously seek to convert Congressmeninto technocrats rather
than legislators; and, account, in large measure, for the failure for Congress to act
earlier despite legislators; clear perception ofa need for remedial federal computer
crime legislation. Although passwords are still the most common method of gaining
unauthorized access to computers38 and protected by H.R. 5112; the proposed legis
lation's use of the term " device" is open -ended and covers both present so -called
"blue boxes” used to deceive telephone computers and future instruments that
would deceive personnel identity verification systems protecting against unauthor
ized access, such as fingerprint and handprint systems, voice verification systems,
signature verification and cardiac system , hand geometry and retina systems, etc.

33 18 U.S.C. 1961-69.
34 Ross, " Computers and Corporate Culture,” Republic Scene 76, 92-94 (October 1983 ).
35 E.g., United States v. Duncan, 598 F. 2d 839, 860–63 (4th Cir . 1979).
36 Seegenerally, J. Falco, “ Prerequisites for Successful Industry and Government Cooperation
in the Prevention and Prosecution of Computer Crimes,” An Address to the International Asso
ciation for Computer Systems Security, Inc., October 23, 1983.
37 TheMiamiHerald, December 15, 1983, p . 12D.
38 K. Englade, “ Can You Keep a Secret?", Savvy 65-66, January, 1984.
 237

I am aware that some opponents of federal computer crime legislation contend

that actions by States along the line of a uniform law would be preferable. Such
contentions seem misplaced to me and confuse Uniform Commercial Codes, Proba
tion Codes, Divorce Codes , Property Codes, etc., and other areas of civil legislation
with criminal statutes and the nature of the federal criminal justice system . Fur
thermore, such uniform laws do not create interstate subpoenas capable of compel
ling attendance of critical witnesses: although I had statewide subpoena power in
Torres case , that crucial procedural enforcement tool was confined to the State of
Florida in a case where potential witnesses from twenty -five or more States could
have been necessary. Moreover, these arguments misjudge public perceptions of the
role of the federal government. As I travelled interstate to interview witnesses, in
spect equipment, etc., most people found it difficult to accept that I was a State
prosecutor from Miami and not a federal prosecutor: The case seemed to them to be
interstate and, thus, by definition, a federal matter. Finally, such arguments fail to
perceive the international threats to United States businessmen . " Blue-boxes”, for
example, are being purchased abroad and used by foreign businessmen in the
United States to run -up staggering telephone bills. When these bills are unpaid,
some of the costs are absorbed adding to the cost of doing business for American
businessmen and competitively disadvantaging them; and, some costs are passed on
to American citizens, further reducing their purchasing power.
I hope that my prepared statement has been responsive to your invitation; and, I
am ready to respond to any questions you may have.

38-178 0 - 85 16
 238

sensi COAIPUTER -RELATED CRIMES Ch . 815

.
CHAPTER 815
COMPUTER -RELATED CRIMES
5.0 Sho : t title. (7) " Computer system services ” means providing
Legislative intent: a computer system or computer network to perform
8.5.05 Definitions. useful work.
: !3.64 Offenses againstintellectual property. (8) " Property " means anything of value as de
5 :5.05 Offenses against computer equipment or fined in s.812011 and includes, but is not limited to,
supplies . financial instruments, information, including elec
815.06 Oiienses against computer users. ' tronically produced data and computer software and
8 !5.07 This chapter not exclusive. programs in either machine-readable or hu
mån -readable form , and any other tangible or intan
815.01 Short title. The provisionsofthis act . gible item of value.
shall be lipown and may be cited as the "Florida (9) "Financial instrument" means any check,
Computer Crimes Act " draft, money order, certificate of deposit, letter of
History . - 51. ck 78-92 credit, bill of exchange, credit card, or marketable se .
curity.
$$ 15.02 Legislative intent.-- The Legislature
unds and declares that: (10) " Access” means to approach, instruct, com
municate with , store data retrieve
( 1) Computer -related crime is a growingproblems otherwise make use of anyin,resourcesofacomputer,
data from , or
in government as well as in the private sector ,
(2) Computer -related crime occurs at great cost computer
History
system ,or computer network.
, ch . 78-92
to the public since losses for each incident of comput
er crime tend to be fargreater than the losses associ. * 815.04 Offenses against intellectual proper.
ated with each incident of other white collar crime. ty :
( 3) The opportunities for computer-related (1) Whoever willfully, knowingly, and without
crimes in financial institutions, government pro authorization modifies data, programs, or supporting
grams, governmentrecords,and otherbusinessenter documentation residing or existing internalor exter
prises through theintroduction of fraudulentrecords nalto a computer,computer system , orcomputer
into acomputer system , the unauthorizeduse of network commitsanoffense against intellectual
computer facilities, the alteration or destruction of property.
computerized information or files,and the stealing of (2) Whoever willfully, knowingly, without
financial instruments, data, and other assets are authorization destroys data, programs, orand
supporting
great
· documentation residing or existing internal
(4 While various forms of computer crimemight nal-toa computer computer system , or computer or exter
pos y be the subject of criminal charges based on
other provisions of law , it is appropriate and desir- network commitsxan offense against intellectual
able that a supplemental andadditional statute be property :
( 3) Whoever willfully, knowingly, and without
providedwhich proscribes various forms of.computer authorization disclosesor takesdata,programs, or
abuse.
History.- 1. c 78-92. supporting documentation which is aa tradesecret as
defined in s.812.081 or is confidential as provided by
$15.03 Definitions.- As used in this chapter, law residing or existing internal or external to acom
unless the context clearly indicates otherwise: puter, computer system , or computer network com
(1) “Intellectual property" means data, including mits an offense against intellectual property .
programs. (4 )(a) Except as otherwise provided in this sub
(2) "Computer program ” means an ordered set of section, an offense against intellectual property is a
data representing -coded instructions or statements felony of thethirddegree, punishable as provided in
that when executed by a computer cause the comput- s . 775.082, s. 775.083, or s. 775.084 .
er to process data . (b ) If the offense is committed for the purpose of
( 3 ) " Computer " means an internally pro- devising or executing any scheme or artifice to de
grannmed, automatic device that performs data pro- fraud or to obtain any property, then the offender is
cessing. guilty ofa felony of the seconddegree; punishable as
(4) \ "Computer software ” means aset of computer provided in s. 775.082,s. 775.083, or s.775.084.
programs, procedures, and associated documentation History . - 5. 1.ch 78-92
concerned with the operation of a computer system .
(5) "Computer system ” means a set of related, 815.05 Offenses against computer equip
connected or unconnected, computer equipment, de- ment or supplies.
vices, or computer software. ( 1) (a) Whoever willfully, knowingly, and without
( 6 ) " Computer network” means a set of related, authorization modifies equipment or supplies used or
remotely connected devices and communicationfacil-. intended to be used in a computer, computer system ,
ities including more than one computer system with or computer network commits an offense against
capability to transmit data among them through computer equipment or supplies.
communication facilities . ( b )1. Except as provided in this paragraph , an of
 239

Ch ,815 COMPUTER -RELATED CRIMES F.S. 1981

fense againstcomputer equipment or suppliesas pro- offenderis guiltyofa felony of the seconddegree,
vided in paragraph (a) is a misdemeanor of the first punishable as provided in s . 775.082, s. 775.083, or s.
degree, punishable as provided in s. 775.082, s. 775.084 .
Historyki, ch . 78-92
775.083, or s. 775.084.
2. If the offense is committed for the purpose of
devising or executing any scheme or artifice to de 815.06 Offenses against computer users.
fraud orto obtain any property, then the offender is (1) Whoever willfully, knowingly, and without
guiltyof a felony ofthe third degree, punishable as authorization accesses or causes to be accessed any
provided ins. 775.082,s. 775.083, or s. 775.084. computer, computer system , or computer network;or
(2)(a ) Whoeverwillfully,knowingly, andwithout whoeverwillfully, knowingly, and withoutauthoriza
authorization destroys, takes,injures, or damages tiondeniesor causes the denial of computer system
equipment or supplies used or intended to beusedin servicestoan authorized user of such computer sys- .
a computer,computer system , or computer network; temservices ,which, inwhole or part, is ownedby,
or whoever willfully, knowingly ,andwithout au hori. under contractto, or operated for,on behalfof, or in
zation destroys, injures, or damagesanycomputer, conjunction with another commitsan offenseagainst
computer systera, or computer network commits an computer users.
offer:se against computerequipment or supplies. (2)(a) Except as provided in this subsection, an
(b)l.. Except as provided in this paragraph, an of- offense against computer users is a felony ofthe third
fenseagainstcomputerequipmentof or supplies es pro- degree, punishableas provided ins. 775.082, s.
vided.in paragfaph (a) isa misdemeanor ofthe first 775.083,ors. 775.084. committed for the purposes of
degree, punishable as provided in s. 775.082, s. devising offense is any
(b ) If ortheexecuting schereorartifice to de
775.083, or s . 775.084 .
2. If thedamage to such computerequipment or fraud
guilty or
of ato felony
obtain ofany
theproperty ,then the offenderas
second degree,punishable is
supplies or to the computer, computer system , or provided in s . 775.082, s. 775.083, or s. 775.084.
computer networkis greater than $ 200 but less than History - I, ch 78-92
$ 1,000, then the offender is guilty of a felony of the
third degree, punishable as provided in s. 775.082, s. 815.07 This chapter not exclusive. The pro
775.083, or s. 775.084. visions
of this chapter shall
not be construed pre
to
3. If the damageto such computer equipment or cludethe applicability of any other provision of the
supplies or to the computer ,, computer system , or criminallawof this state which presently appliesor
computer network is $ 1,000 or greater, or if there is may in the future apply to any transaction whichvio
an interruption or impairment of governmental oper- lates this chapter, unless such provision is inconsis
ạtior. or public communication,transportation , or tent with the terras of this chapter.
supply ofwater,gas, or other public service, then the History.me I, ch . 78-92.
 240

IN THE CIRCUIT COURT OF THE ELEVENTH JUDICIAL CIRCUIT OF FLORIDA ,

FALL TERM , 1982 .
IN AND FOR "DADE COUNTY
CASE NUMBER 83-482
JUDGE SALMON
STATE OF FLORIDA ,
Plaintiff ,

சைவது
VS. STATE'S MEMORANDUM OF LAW IN
SUPPORT OF THE ADMISSIBILITY
DIANE SMITH TORRES , 1 OF CERTAIN EVIDENCE AND OF
also known as JURY INSTRUCTIONS :

Vd
DIANE GOODY SMITH

E8!!. 782
H 21
also known as
D , TORRANCE
also known as
D. ROZIER ,

..15.:!"
13(
ir?
Defendant . '

COMES NOW JANET RENO ; State Attorney of the Eleventh

Judicial Circuit of Florida , by and through her undersigned
Assistant , and submits this Memorandum oi law, and states as
follows :

1:
EVIDENCE CONCERNING EACH STEP IN A
FRAUDULENT INSURANCE SCHEME IS
RELEVANT AND ADMISSIBLE

Florida's broad rules concerning the definition of

relevant evidence and the admissibility thereof , F.S : 5990.401
90.402 , apply the State's burdens of proof for each of the crimes
charged , including Count III , the submission of false and
fraudulent insurance claims .

Evidence is admissible and relevanė for each step in

the execution of an insurance fraud involving the submission of
· false proois of loss to an insurance company by an insured cr his
agents . United States v . Kenofskey , 243 U.S. 440 , 443 ( 1917 )
( beneficiary submitted false death claim for an insured who had
not died ) : The payment to the false claimant by the defrauded
insurer and the receipt of the fraudulently induced payment are
the final steps in the execution of a criminal insurance fraua .
10 .
 241

The falsity and fraudulence of an insurance claim can

be proved by showing that the loss claimed never occurred . Graff
Enterprises v .. Canal Insurance Company, 213 So. 2a 738 (Fla . Ist
DCA 1968 ) ( claimed theft of a motor vehicle had not occurred ) ;
Hartford Fire Insurance Co. v . Roger Wilson Inc. , 291 So. 2d. 852 ,
855. ( La . App . 1974 ) , cert . denied , 294 So.28 833 ( La . 1974 )
(claimed lease of a bulldozer did not exist ) ; Kenofsky, suora
(death claim while insured lived ) ; Williams v . Continental

Ins . Co. of New York , 152 F.2d 958 ( 9th Cir . 1946 ) (claimed crime .
of robbery had not occurred ).; Bethesda Salvage Co. v . Fireman's
Fund Insurance Company , lll A.28 472 (D.C.. App . 1955 ) ( property
claimed as lost in fire did not exist ) ; Hoffman v . Labutzke , 233
Wis . 365, 289 N.W. 652 , 656 " (1940 ( loss claimed for tortious
acts by a " non - existent person " ) ; Fisher v . United States , 324
F.2d 775 (8th Cir .. 1963 ); ( claimed crime of burglary had not
occurred ) ; United States v . Lane , 465 F.2a 408 , 409 (5th

cir . 1972) (claimed accident , theft and acts of vandalism had not
occurred ) ; cf. , United States v . -Johnson , 298 F.Supp . 58 ( N.D.
ilì . 1969) ( " staged " rather than actual motor vehicle and
personal accidents and injuries ) .

II .

THE FALSE DATA USED TO INDUCE THE

ISSUANCE OF THE CHECKS HAS MULTIPLE
RELEVANCE

" It is a false pretense and predicate for criminal

liability for a defendant to represent falsely that he is the
owne : of certain goods ...." 33 WHARTON'S CRIMINAL LAW $ 436 , pp .
485-86 (14th ed . 1981) (and authorities cited therein) . In
· Count I , the State has charged defendant with Grand Theft , which
:
includes theft by false pretenses .
The defendant presented false computer data for medical
claims which was relied on in paying the claims .
Aimonetto v . Fire Insurance Exchange, 417 F.2d 307 , 308 ( 10th
Cir . 1969 ) ( false ownership of a commercial building ; additional
materiality because of policy's terms ) . The " fabrication of
 242

false documents" is ; also , a " type of admission by conduct . "

MCCORMICK ON EVIDENCE $ 273 , p . 660 ( 1972 ed . ) . ·False statements

are additional admissions by conduct . Id .

III .
TESTIMONY OF NEGATIVE RESULTS OF
INQUIRIES AND SEARCHES IS NOT
HEARSAY

The State will offer extensive evidence of the non

existence of property and persons and of the non-occurrence of
events .

Analogous questions arise in

respect to testimony by a witness
that he has made inquiries among
the residents of a given place
where a certain person is alleged
to live , and that he has been
unable to find anyone who knows him
or has any information about him .
Upon an issue as to whether due
diligence has been shown in :
attempting to locate a missing
witness or other person , it is
clear that testimony as to results
of similar inquiries is not
hearsay , but is merely a narration
of the acts and efforts claimed to
constitute due diligence . However ,
the inquiries and the inability to
secure information , may be offered
as evidence of the nonexistence of
the person sought to be located , or
of the fact that no such person
lives at the place in question .
Then it can be argued that this is
merely an indirect way of placing
in evidence the statements of those
of whom inquiry was made for the
purpose of proving the truth of the
fact stated ; namely their want of
knowledge of such a person. The
evidence has occasionally been
excluded on this ground . It is
true that the residents of whom
inquiry was made could be brought
in to testify to their want of
knowledge of the person , but it
would usually be more convenient
and equally just to permit the
evidence of fruitless inquiries , as
most of the cases do , aná leave the
.adversary to bring in direct proof
of the existence or residence of
the person , which if his claim is
true he will most often be easily
able to do . An escape from the
hearsay objection is furnished by
the theory that fruitless inquiries
are evidence of inability of the
 243

inquirer to find after diligent

search and this in turn is
circumstantial evidence of the
nonexistence or nonresidence of the
person in question .

MCCORMICK, supra , at $ 249 , p . 594 . See also , Bethesda Salvage

Co. , supra , 111 A.2a , at 475 ( testimony of investigating fire

marshall when arson was cliameà ) .

IV .
EVIDENCE IS RELEVANT AND ADMISSIBLE
TO SHOW THAT INCORRECT POLICY DATA
WAS INTENTIONAL AND NOT AN INNOCENT
MISTAKE OR AN OVERSIGHT

To prove ' insurance fraud , erroneous serial numbers ,

descriptions , etc., must be shown to be intentional
misreprésentations inand not unintentional , innocent , or mistaken
acts . Gattiv. American Bankers Insurance Company of Florida ,

164 So.28 840 ( Fla . 3a DCA 1964 ) ; Smith Trucking, Inc. v . Cotton
Belt Ins .. Co.,, 556 F.2d 1297 ( 5th Cir .. 1977 ) ;; Lighting Fixture &
Elec . Sub . Co. v . Continental Ins. Co., 420 · F.2d 1211 ( 5th
Cir. 1969 ) ; Indepenõent Fire Insurance Company v . Horn, 343 $0,20
862 ( Fla : Ist DCA 1977 ) ; Bolling v . Westchester Fire Insurance
Co. , 309 F.Supp . 4 ( E.D. Tenn . 1969 ) . Such admissibility and
relevance applies to proofs of loss as well as to an application
for insurance . Badger Mutual Insurance Company v . Morgan , 313
F.2d 783 ( 5th Cir . 1963 ) ; Chaachow vi American Central Insurance
Company , 241 F : 2a 889 ( 5th Cir . 1957 ) ( at note 3 , a jury can be
charged that an intention to deceive can be implied from
knowingly false statements in a proof of loss ) .

V.

COMPUTER PRINTOUTS ARE NOT

OBJECTIONABLE UNDER EITHER THE BEST
EVIDENCE RULE OR THE HEARSAY RULE

The Florida Rules of Evidence expressly include

computer printouts within the definition of an ""original "

writing :
 244

If data are stored in a

computer or similar device , any
printout or other output readable
by sight and shown to reflect the
data accurately is an original .
F.S. 90.951 ( 3 ) .

Computer records are , also , excepted from the hearsay

rule as business records.by the Florida Rules of Evidence
irrespective of a declarant's availability :

( T ) he following are not

inadmissible as evidence even
though the declarant is available
as a witness :.
*** *** ***

(6) Records of regularly

conducted business activity .

( 2 ) ** A record ; ... data

compilation , in any form ... made at
or near the time ... from
information transmitted by , a
person with knowledge , if kept in
the course of a regularly conducted
business activity and if it was the
regular practice ... to make such
... record , or data compilation , all
as shown by the testimony of the
custodian or other qualified
witness .... F.S. 90.83 (6 ) ( 2 ) .

This current version of the Florida Rules of Evidence

expanded the former ' version which had provided within the
definition of a business record : "A record ... including a record
kept by means of electronic data processing ..." F.S. 92.36 ,

revised , F.s. 90.803 ( 1979 ) :

Moreover , retrieval of computerized data for trial
purposes are not subject to hearsay exception either :

The retrievals ... was made for

the purpose of trial . But , the
taped record and the information
and calulations thereon were made
in the usual course of business and
for the puſpose of the business
alone . Transport Indemnity v .
• Seib , 178 Neb . 253 , 132 N.W.2d 871 ,
876 ( 1965 ) .

1
 245

Specifically , it has been held that in a criminal fraud

prosecution , computerized insurance records are admissible to
prove fraud on the insurance company accomplished by the filing
of claims for medical services and treatment that had not been
performed . United States v . Fendley , 522 F.2d 181 ( 5th Cir .
1975 ) . Obviously , Fendley has direct and immediate relevance and
applicability to the case sub judice . See also , North

Carolina v . Springer ,, 283 N.C. 627 , 197 S.E. 2ả 530

( 1973) ( printouts of computerized accounts admissible for proving :
theft )) .

A. The " Voluminous Writing ". Rule Is Applicable .

When a computer printout is an extracted summary of
vast amounts of computer -kept data , the voluminous writings
exception , F.S. 90.956 , overrides any residual best evidence
objections since , in this case , in its Discovery Response filed

and served January 27 , 1983 , the State has made the underlying
voluminous data .available for inspection . cf. , United States v .

Greerilee, 380 F.Supp . 652 ( E.D. Pa . 1974 ) , aff'a, 517 F.2a 899
: ( 38 Cir . 1975 ) (defendant's request for access to computers three
days before trial denied as untimely ) . Court have recognized-
and rejected , defense counsel's variations on traditional defense
dilatory tactics founded on technologically -sounding but familiar
specious arguments offered merely to delay and postpone .
Greenlee , supra .

Respectfully submitted , .
JANET RENO
State Attorney

BY :
James F.4. Yaleo
JAMES F. FALCO
Assistant State Attorney
 246

IATRE CIRCUIT COURT OF TAC CCCVETIITSUŠITTAC CIRCUIT OF FLORIDA ,

IN AND FOR DADE COUNTY FALL TERM 1982

CASE NUMBER 83-482

THE STATE OF FLORIDA, ) JUDGE SALMON
Plaintiff , )

vs. )

DIANE SMITH TORRES ) REQUEST FOR JURY INSTRUCTION 11

also known as
DIANE GOODY SMITH :)
also known as :
C D. TORRANCE )
also known as
D. ROZIER , )

Defendant .

OFFENSE AGAINST INTELLECTUAL PROPERTY -

F.S. 812.014

Ladies and Gentlemen of the Jury :

Before you can find the defendant guilty of the particular
Offense Against Intellectual Property charged in Count II , the
State must prove the . following six elements beyond a reasonable
doubt :
1. Defendant knowingly ,
:- 2. Defendant willfully, and
3. ' Defendant without authorization
4. Modified data , programs , or supporting documentation -
.

5. Residing or existing internal or exteral to a

.computer , computer system , or computer network ..
of Connecticut General Insurance Company;
6. For the purpose of devising or executing any schere
or artifice :
a. To defraud ; or
b. To obtain any property
" Intellectual property " . means data , including programs .
" Computer" means an internally programmed , automatic device
that performs data processing .
" Computer program" means an ordered set of data representing
coded instructions or statements that when executed by a computer
cause the computer to process data .
"Computer software" means a set of computer programs , procedures>

3i and associated documentation concerned with the operation of a computer

it .
 247

" Computer system " means a set of related , cornected or

unconnected , computer equipment , devices , or computer software .
"Computer network" means a set of related , remotely
connected devices and communication facilities including more than
one computer system with capability to transmit data among them
through communication facilities .
" Property" means anything of value , and includes :
tangible or intangible personal property , including
rights , privileges , interest and claims;
services ;

financial instruments ; and

information , including electronically produced data
and computer software and programs in either machine
readable or hunan - readable form .
" Financial instrument" means any check , draft , money

order , certificate of deposit , letter of credit , bill of exchange ,

credit card, or marketable security .
" Access" means to approach , instruct , communicate with ,
store data in , retrieve data from , or otherwise make use of any
resources of a computer , computer system , or computer network .
"Value" means the same thing as it does in Count I , Grand
Theft - First Degree ..
" Data " means information , and includes :
information organized for analysis or used as the
basis for a decision ; or , numerical information in a form
suitable for processing by a computer
" Services " means the same thing as it does in Count I ,
Grand Theft -First Degree .
GIVEN :
DENIED :

Circuit Court Judge

Dated :

Respectfully submitted ,
JANET RENO
State Attorney

BY : 7. Fales
Gene ren JAMES F. FALCO
Assistant State Attorney
 248
!

IN THE CIRCUIT COURT OF THE ELEVENTH JUDICIAL CIRCUIT OF FLORIDA ,

IN AND FOR DADE COUNTY FALL TERM 1982

CASE NUMBER 83-482

THE STATE OF FLORIDA , :)

Plaintiff , JUDGE SALMON

)

VS.

DIANE SMITH TORRES , )

REQUEST FOR JURY INSTRUCTION # 2
also known as
DIANE GOODY SMITH ,
also known as
D. TORRANCE . )
also known as
D. ROZIER , )
Defendant . )

LESSER INCLUDED OFFENSE OF OFFENSE AGAINST INTELLECTUAL PROPERTY

F.s. 815.04

Ladies and Gentlemen of the Jury :

If you find that the defendant knowingly, willfully , and
without authorization , modified data , programs, or supporting
documentation residing or existing internal or external to a computer ,
computer system , or computer network of Connecticut General Insurance
Company but did not do so for the purpose of devising or executing
any scheme or artifice to defraud or to obtain any property ,
You mdy still find the defendant guilty of an offense against
intellectual property .

GIVEN :

DENIED :

Circuit Court Judge

Dated :

Respectfully submitted ,
JANET RENO
State Attorney

BY :
James 4.
JAMES F. FALCO
Tales
Assistant Statę Attorney
 249

DAILY
MEDICAL CARE PROCESSING
. MACH 29,1933
ON - Lli. E
PROCESSING

MSTER FILE

UNATTENDED EDIT / DATA CASL MYSTER FILE

BENEFIT DESCRIPTION FILE
PRINTING ACCUMULATION * COVERAGE FILE
MESSAGES CLIM CONTROL FILE

TO AMY FIELD
(LAIM OFFICE • PAYMENT TILE

CLAM CONTROL FILE

.CHEKS / VOUCHERS
PAYMENT DODIC HOLDES PAYMENT REPORTS
PROCESS • RECONCILIATION FILES

WEEKLY • OH.UNS TRANSACTION FILE

. MASTER PILE
• ALL PAYRINT NORMATION • CLAIM CONTROL TILE MASTER .
CLAIM • CLAN CONTROL TILE • PAYMENTS INFORMATION FILE
ACCOUNTING ( Ch :CK NUME3)

PROCESS
UPDATE

• CNCCK FILES CHECK • MASTER PRE

• CLAIM CONTROL FRE
RECONCILIATION FRAUD • CLAIM CONTROL TILL
• AUDIT PASIER FK
AUDIT
FCTV PROCESS.
ACTUARIAL
SYSTEMS

AUDITREPORTS

FONTHLY CORPORATE
UNDERWRITING BANKING
SYSTEMS SYSTEMS
(TREASURER'S
OFFICE)

drawn by : Reveals CDON

 gouuenta

CLAIM
OFFICES
ASMU
GIOR

NORT
DA KOHTA
MINNESOTA
ORICOM

SUN
WILCON PAOK
N
DAKOT
SOUTH A
KONING
CALI R O
FORN WIT
IA MIS

NEV
A DA
. CCT
NC
. AUSA пк ули

Cuando Amos o
4» .10
NISLOVAS
KANSAS
250

MUO
M neonina
WAIONWA
MOMCuc NC
o
ÖKLAHOMA orans
I NE
!14XW
TEXAS Muis

ma
BEATBI1 ycohuar
4

harun

sis
NOMIDA

Ксу
: C

3
0-
(Regional
Clalm
)OMC !
Claim
Onice
D)X-(istrict
ka
Alas
ispaid
Portland
Claim'QMcs
.by
.
Havaijia
paid
Francioco
San
by
Claim
Omco
Rico
•!:Purrio
Miami
by
inpaid
Office
Claim
 251

Mr. HUGHES. I think you have covered the main points. I read
your statement last night and it is very comprehensive. Why don't
we stop, if it is OK with you, right there because I know that my
colleagues have likewise probably read the statement.
We are about to vote, anyway. Why don't we just stop right
there, break for our vote, and then we will come back in 10 min
utes. OK .
[Recess.]
Mr. HUGHES. The committee will come to order.
First, Mr. Falco, let me just ask you , as I understand the Torres
case, the computer terminal was in Florida and the data base was
in Connecticut.
Mr. Falco. That is correct, Congressman.
Mr. HUGHES. And I gather that the defendant accessed informa
tion through codes that were available to her to identify policyhold
ers ?
Mr. Falco . Yes, it was a medical insurance-a corporate aggre
gate medical insurance policy against which she was inputting
false — either false claims for medical injury or genuine injury for
false beneficiaries, and she was making access. There were seven
people in the Miami office that access numbers. She used six access
numbers—and she used every one other than her own; she fabricat
ed evidence that on the computer data as we examined it, made it
look like the six other women committed the crime and not her.
Mr. HUGHES. I see .
When she manufactured the false claimants; does that not trig
ger an investigation by the field offices to check out the claims?
Mr. Falco. Well, yes, but there is a hidden assumption in your
question. How did they know it was false ? Exactly what happened
was, through the name of a beneficiary, one of the computer audit
people in Connecticut-they have a threshold amount-I am not
sure I am at liberty to discuss what Connecticut General's was, but
every check above a certain amount was run through the computer
people and there was happenstance, as all great cases are, on acci
dent, and I am not sure you ever find it, where a woman in Con
necticut happened to know the maiden name of a Miami terminal
operator.
Mr. HUGHES. I see.
Well, it is an interesting case, and you became an instant expert.
They did a good job of bringing you up to speed on computer tech
nology, andyou did a good job in prosecuting the case.
You touched on one of the problems that I have sensed, and that
is the incidence of computer crime; I think it is much, much higher
than is reported .
Organizations are very slow in seeking assistance. We experi
enced that when we attempted to line uptestimony for this hear
ing. There is almost a reluctance to go public in any way, including
sharinginformation with those who would want to try to develop
criminal sanctions at the Federal level.
I wonder, what do you think we can do to try to deal with what
is obvious reluctance on the part of the industry to share data so
that we have a better idea of the dimension of the problem and all
the nuances of computer crimes so that we can develop a legisla
tive structure to deal with what is occurring?
 252

Mr. Falco. I think my experience has shown , Congressman , that

the Congress needs to enact some computer crime legislation as
quicklyas possible. Some of the attitudes I have run into - corpo
rate officials feel that if the Congress doesn't take computer crime
seriously, why should they?
Second, the Congress has been saying, as I understand it in their
hesitation , that they are fully protected by the mail -fraud statute,
which maybe in Buffalo Bill Cody's days did protect the Federal
Government in some way, but I don't think it does today.
Mr. HUGHES. I would discount, you know , the suggestion, “Well,
you know, if the Congress doesn't take it seriously, why should
we?” I don't know that that really is a factor. I think it is more
that , “ Well, let's not talk about it because if we talk about it, more
people will find out that there is this computer crime available to
individuals who are so disposed ,” and theyjust think that by keep
ing it quiet, perhaps they can keep the lid on it.
Mr. Falco. Well, Congressman, again I respectfully disagree.
When I was working as one of your subcommittee counsel, I think
you will recall that we went to the position — this committee took
the position — that the President of the United States is required to
give whatever evidence of crime he has to the prosecutor, but you
are not going to find that principle in presidents of corporations be
lieving that their president has to turn over evidence of crime
when it is one of their insiders. It may be a requirement of the
Office of the President of the United States, but not as president or
chief executive officer of corporate America, and they are simply
not doing that.
In some of the attitudes in the literature I have cited, corporate
officials do not commit crime, and even if they do, we will hush it
up. That is one of the major problems. The computer profile, the
profile of the computer criminal that I mentionedin my statement,
was promulgated in 1978 after years of being put together by State
prosecutors, I might add and thanks, due to Federal funds, but it
was State prosecutors — it is an eight-point profile. One of the
points is high education . Considerable education or a substitute
work experience for formal education so that the educated, well-ex
perienced class does not want to say they commit crimes. That may
be part of – I have been to two graduate schools—three, graduate
school of English and law. I don't know what they are doing in
graduate school of business, but they do not admit it.
From my Antitrust Subcommittee work, I think you know that
that was generally recognized until the Federal antitrust electrical
conspiracy cases in 1960 was a given , even at the Harvard Business
School, which they then subsequently had to introduce into their
case that maybe corporate executives commit crimes.
Mr. HUGHES. You don't think that a major motivating factor for
not wanting to talk about it is the fear that by talking about it, it
will invite more crime? You don't think that isa major motive ?
Mr. Falco . No, I think it is because there is no corporate ac
countability . If they had the accountability the Government execu
tives and Government insiders had, it would be a much different
story.
Maybe I can draw on the old lawyer's technique of analogy. In
December 1983, on prime time television, there was a program
 253

called “ Found Money,” in which a bank corporate executive, com

puter expert, stole $ 800,000. He just gave it away. It belonged to
the State of New York, as I recall.
The corporate president forgave him because he thought if he
turned it around, it would be - and they didn't report it tothe pros
ecutor — they would just gain-they would not gain the bad publici
ty of an insider, andthey would gain some substantial prestige, but
$ 800,000; a major crime had been committed. So that out there, if
television would put this on prime time, the Nation knows what is
going on. There is just no Federal law to match up with that
awareness .

Mr. HUGHES. In your judgment, what percentage of hackers com

prise insiders as opposed to outsiders? My own perception is that,
sure, we are going to have misappropriation by use of computer in
ternally, butin my judgment, that is going to be a small part of
the overall computer crime problem in this country in the years
ahead.
It is going to be those that are accessing this information who
have no inside contacts.
Mr. Falco . My answer is that hackers are, by definition, outsid
ers. They are like the group of 13—the high school students in Mil
waukee who accessed computers outside of their group. They are
not part of the inside or the Government official with access to nar
cotic surveillance data, or the insurance company terminal opera
tor with access to the financial banks and to the beneficiary and
accident claims that would go into it.
So hackers, in my opinion, are the minority-
Mr. HUGHES. But my question-maybe you misunderstood my
question-my question is, is it your perception that the highest per
centage of computer crimes today are insiders ,
Mr.Falco. Yes.
Mr. HUGHES [continuing].Or outsiders?
Mr. Falco. Insiders, and I have taken that position . One of the
deterrents is this widespread publicity that hackers are the cause
and the hackers have given rise to the need of Federal legislation.
Only the Congress, that I know of, can penetrate that publicity
myth that exists, which is exactly 180 degrees out of phase with re
ality, in my opinion.
Mr. HUGHES. I don't share that perception. I think that by and
large the single most biggest threat from computer crime is going
to be from those that have no inside contacts, are not part of inter
nal management and are people who are going to try to gain access
to codes or otherwise access computers.
Mr. Falco. I think there is precedent for your disagreeing with
something I have said, Mr. Chairman .
Mr. HUGHES. Let me ask you something else. You indicate that
House Resolution 5112 does not specifically use the mail as a juris
dictional basis and that is correct. Don't you believe that anyone
who uses the mail in a fraudulent computer scheme, however, af
fects interstate commerce ?
Mr. Falco. No. I think you can have an intrastate network in
which false data would be inputted and then checks mailed by the
financial department in an intrastate mailing, and that use of the
mail would give Federal jurisdiction.

38-178 O - 85 - 17
 254

Mr. HUGHES. Thank you.

The gentleman from Florida.
Mr. Shaw. Thank you, Mr. Chairman .
I would like to join you and Mr. Sawyer in welcoming Mr. Falco
to this particular panel. I am well acquainted with yourgood office,
Janet Reno's office down in my neighboring county of Dade County
and congratulate you for doing a yeoman's job.
The State of Florida has pioneered in many areas of law, includ
ing this one. Unfortunately, we find that also in many areas of
crime, which I think has required us to become a leader in coming
up with new law enforcement techniques.
One area that I am somewhat concerned about, how would you
define the word “ computer” as far as the bill is concerned?
Mr. Falco. I would just go to a contemporary dictionary and just
take whatever is in the dictionary, the way I did in drafting jury
instructions for our computer crime. I needed to define the word
" data " and I just went to Webster's dictionary and put it in and
the judge bought it and was ready to charge the jury on that dic
tionary definition.
I think the idea that - getting back to some of the reasons why I
disagree with the distinguished chairman - this idea that the Con
gress has to write a bill that looks like a manufacturer's specs
manual in terms of definitions and procedures is one of the big de
terrents to enacting much needed Federal law . I think that the
computer data and all of the information I needed-of course, I
needed the experts to help me apply it in preparing for trial and in
evidence,
need.
but the dictionary contains as many definitions as you
Mr. HUGHES. Would the gentleman yield to me?
Mr. SHAW. I will be glad to yield to the chairman.
Mr. HUGHES. I don't know where the gentleman got the impres
sion that I would want to try to define terms such as a “ comput
er ”
Mr. Falco . No, I am aware that your bill—
Mr. HUGHES. On the contrary, I think that under the circum
stances, let the dictionary define " computer” because that is going
to be changing and my intention is to just use the term “ computer
in our bill .
Mr. Falco. I wholeheartedly agree. As you know, the-
Mr. HUGHES. On the contrary, you know, that is not my own
belief.
Mr. Falco. I learned in working for this committee that if you
write clear legislation, then the courts don't have anything to in
terpret and the first rule of — first canon of construction is that if it
is clear, go to the dictionary. I think we follow straight good legal
training by doing that.
Mr. HUGHES. I thank the gentleman .
Mr. Shaw. Thank you, Mr. Chairman.
Looking at it from a practical standpoint, of course, the computer
technology we are just really gettingstarted in. Yesterday, one of
the leading news stories was that AT&T was jumping in with both
feet into the area, and I think that we have seen just the very tip
of the iceberg as far as how far the technology is going to advance,
 255

and perhaps how much we are going to more and more rely upon
computer technology.
As this technology advances, do you see any substantial advances
in the area of notonly new laws which act as deterrents, but also
technology that can in some way stop the people breaking into
computers, particularly when you are talking about youngsters
being so well versed in the area that they can jump into a system ?
Mr. Falco. I think as long as the financial rewards are high
enough, there will be clever criminals trying to outwit whatever
state of the art the technology is. In my paper, Congressman , I
mentioned that passwords are still the major way of gaining access,
but there are personnel security systems based on voice, finger
prints, and all of that. I am sure all of us have seen at least one
movie where they use rubber to create the fingerprint of somebody
else to gain access into devices.
I think the threat is not the fact of technology; it is the number
of users, the number of people fitting or starting to build up to the
eight-point computer criminal profile that has existed since 1978.
That is the real threat that the data there is significant.
Again, maybe it is semantics why I thinkthe word computer
ought to suffice. Personal computers had zero sales in 1976. In
1981 , there were 600 million; in 1983, I believe the estimate was 1.5
billion. By 1990, it is estimated 12 billion sales of personal comput
ers. Those aren't really quite commercial computers and neither
commercial computers nor personal computers are of the 74 super
computers that only the Federal Government has access to right
now , and perhaps the embryo ones being built in Japan . Of course,
who is protecting the 74 super computers? Not the 20 States that
have enacted computer crime legislation .
So, I think the technology is here. It is the user problem . The
computers don't commit crimes. It is almost like talking about a
gun . It is the people who use the computer or gain access to it that
commit the crime.
Mr. SHAW . Of course, the technology is what makes us more reli
ant upon it, which gets it into new fields which are susceptible to
the crime. That is what I meant when I was talking about the ad
vancing technology in this area.
You made the point in your statistics from year to year in the
increase in the growth of the computer industry and number of
computers in use.
Mr. Falco. I am sorry I misunderstood, but I thought that you
just the sheer growth in users in computers says that the overdue
action by the Congress is now almost at the 11th hour.
Mr. Shaw . I quite agree and I know that the chairman agrees,
too .
I yield back, Mr. Chairman .
Mr. HUGHES. Thank you.
We are delighted to have with us today Congressman Ron Wyden
of Oregon, who is a distinguished member of the Energy and Com
merce Committee, and who was one of the primary motivating au
thors of the Small Business Computer Crime Act, which the Con
gress passed, I guess, about a month ago. We are just delighted to
have him with us today.
Ron, do you have anything?
 256

Mr. WYDEN. I don't have any questions at this time, Mr. Chair
man. I just want to tell you how grateful I am for the chance to sit
in with you. You have really been the leader in the Congress in so
many areas with respect to the criminal justice system .
I am just pleased to have a chance to sit in. We have a markup
in the Commerce Committee, so I will be running back and forth a
little bit. I thank you for the opportunity.
Mr. HUGHES. Thank you , Ron, thank you .
Mr. Falco , thank you very much. Congratulations again on the
Torres case . It was well presented, a good job, and we wish you well
in all your -

Mr. Falco. Thanks. Remember, we had a good legislator.

Mr. HUGHES. Thank you .
Our first panel this afternoon consists of Henry Dreifus, presi
dent of Corpra Research, Inc. , which he founded in 1983; and Dr.
Steven Weinstein , vice president, Corporate Strategy Technology,
American Express in New York.
Mr. Dreifus holds a BS degree in engineering from the Depart
ment of Computer Science at the University of Pennsylvania and is
presently pursuing his Ph.D. at the Wharton School. He has been
associated with various organizations involved in computer technol
ogy, as well as publications in the area of computer science.
Dr. Weinstein is employed by American Express Co. as vice presi
dent for technology strategy and advises management on thebusi
ness impacts of new technologies. He is an electrical engineer by
profession with a Ph.D. from the University of California at Berke
ley, and is a specialist in data communications and transactional
systems. He is chairman ofthe working group of Integrated Circuit
Cards of the American National Standards Institute and is a fellow
of the Institute of Electrical and Electronics Engineers.
Gentlemen, we are delighted to have you before the Subcommit
tee on Crime today. We have your statements, which, without ob
jection, will be made a part of the record, and it is good to have you
with us today.
Henry, it is good to see you. Welcome.
Mr. DREIFUS. It is good to see you, Mr. Chairman.
Mr. HUGHES. Why don't we start with you, Henry. We have your
statement and you may proceed as you see fit .
TESTIMONY OF HENRY DREIFUS, PRESIDENT, CORPRA RE
SEARCH , ROSEMONT, PA; AND STEVEN WEINSTEIN, VICE
PRESIDENT, CORPORATE STRATEGY TECHNOLOGY , AMERICAN
EXPRESS, NY.
Mr. DREIFUS. What I would like to do is to read some excerpted
paragraphs from my testimony and to make some additional com
ments based on my testimony .
Mr. HUGHES . That would be fine, thank you .
Mr. DREIFUS. As you pointed out, I have a company based in
Rosemont, PA, that is developing a U.S.-based microcomputer
credit-card-transaction system. We believe that these systems will
reduce the amount of crime and fraud committed in the financial
environment today, but an unfortunate part of our information age
 257

is that the crimes committed are not solely based on credit cards or
money ; there are crimes of information .
As I continue to track my industry, I note with great concern the
mass of increase in computer fraud. As I understand the legislation
proposed by House Resolution 5112, this will provide legal recourse
for the abuse of computers and should cover future computing tech
nologies.
It is important that the legislation encompass the entire United
States as many of the crimes committed aren't confined to one
State. In fact, it is much easier to commit a crime from another
State over computer networks than it is to do it locally. The track
ing of that criminal becomes a lot more difficult.
A major problem with computer and electronic information sys
tems today is the inability of individuals to recognize the impor
tance of information and treat it seriously. Whenelectronic infor
mation is compromised, often its effects are not immediately appar
ent. In many cases, the fraud is not directly monetary, as I have
pointed out, but is a fraud of information .
The need to properly value, assess and protect information as an
asset is in question. Information is a valuable commodity and is
sold illegally in the world today. It is sold in the forms of reports,
mailing lists, computer tapes and in other forms.
Emerging services such as “ shop at home” and “home banking,”
which are about ready to take place in the United States, will re
quire a more secure means of protection than is presently available
today.
For the record, I have included a short description of the process
known as encryption, which is a method used in the computer in
dustry to protect information. It is my opinion that this process
will be used by private industry for its own interests, preventing
the abuse of information in the future.
The rapid uptake of microcomputers and applications will have a
significant impact on the tactics private industry uses as well. As I
pointed out in my testimony, the personal computer is both a great
tool and a great weapon, and as the gentleman pointed out earlier
today, the computer is similar to a gun in that if it is fired or mis
used, it can have very serious damaging results. However, if used
correctly, has positive protection, and so forth.
One major point that I would like to make is one of education.
Educating the American consumer that information is valuable
and is serious, is private, and important to maintain, would be a
major step foward as we enter the computer age.
Computers encapsulated into credit cards will have extreme ad
vantage over conventional credit cards today. I believe Dr. Wein
stein has submitted for your review a few sample computers in a
credit card .
One function that these " smart cards” can perform in ensuring a
high level of protection is to process encrypted information within
the card . For the American consumer, this will mean a higher
degree of privacy than he has right now . The data bases and alſ the
information is currently at the issuers of these credit cards, or
credit reporting agencies and the consumer really does not have a
copy for his own records of his transactions. It is up to the issuers
to manage that information.
 258

The use of the computer on the credit card extends beyond

simple financial modes such as credit cards as we know them
today, but we will be able to open the door to new types of technol
ogies so that we can use them for better identification, medical
records, medical history, employment history, passports, and other
functions, where carrying a computer with the person will aid in
that person's productivity and utility through the coming years.
In concluding, there are many exciting things about to happen in
the technology with respect to automating the consumer. The prob
lem of data trespassing, which is one word that I have coined, is
becoming larger and larger, and unless Federal legislation such as
proposed by House Resolution 5112 is enacted and the consumer is
really educated that it is a serious problem , the situation will get
out of control .
I have some additional comments . There was a recent article
published in Today's Office, where Steven Leibholz , of Analytics
Corp., quotes: “ The average computer crime costs $630,000 per oc
currence. That, compared with the average bank robbery of $9,000,
is very significant.
Mr. Leibholz also states that the computer-related crimes, accord
ing to the FBI statistics, is about $3 billion a year. I personally feel
the number is higher. It is just that a lot of crimes are not report
ed , as pointed out earlier.
The value of information and the value of privacy will be issues
that in the future will be addressed, probably by private industry,
and hopefully solved to the benefit of the consumer. The legisla
tion, however, is the necessary first step in raising the awareness
and treating the problem in a serious manner.
Therefore, I am very glad to support and recommend that House
Resolution 5112 will go a long way to help solve this problem .
[The statement of Mr. Dreifus follows:]
 259

SUMMARY

Testimony of Henry N. Dreifus

CORPRA RESEARCH , INC .

Objective
The purpose of my presentation is to provide an
introduction and comments about future electronic and
computer technologies, and their effect on fraud and misuse .
New technologies , such as the " smart card " will be better
able to protect against fraud and other abuses . As personal
computers continue to gain acceptance , and new technologies ,
such as videotext , enter the marketplace , mechanisms will
have to be instituted to protect their integrity .

Scope of Presentation

An outline of the existing problems and an introduction

to new technology will be the focus of my testimony .
cards , or micro computers manufactured to the size of a
credit card , will provide high security and better protection
against electronic " data trespassing " .
There is a need to provide legislation to insure the
integrity of information within computing devices ; as we
move into the " information era " this commodity must be
properly safeguarded .

Corpra Research , Inc.

Corpra Research is a high technology Pennsylvania
corporation engaged in the research and development of new
fraud resistant portable electronic transaction devices ,
( patent pending ) , for both the industrial and consumer
market . One such device is the smart card .
 260

Henry N. Dreifus

CORPRA RESEARCH , INC

100 Chetwynd Drive

Rosemont , PA 19010

Mr. Chairman , Members of the Subcommittee , my name is

Henry N. Dreifus . I am a technical computer engineer , a
graduate of the Moore School of Engineering of the
University of Pensylvania and President of Corpra Research ,
Inc. This high technology company , based in Pennsylvania , is
involved in the research , design and development of improved
transaction systems in the United States for both financial
and information based applications. It is the intention of

our corporation to provide anti - fraud credit card size

computers for future applications in the US economy.

As I continue to track my industry , I note with great

concern the massive increase in computer fraud . AS I

understand the legislation proposed by HR 5112 , it will

provide legal recourse for the abuse of computers and should

 261

cover future computing technologies . It is important that

this regulation encompass the US , as many misuses of
computers are committed interstate . As the asset

( information ) is intangible in form , it is not necessary to

" physically trespass " to commit a crime . In addition ,

regulation should be uniform to cover all forms of computer

abuse ; and therefore I appreciate the intention of this
bill .

A major problem with computer and electronic

information systems is the inability for many individuals to
understand the importance of the information contained and
processed through these devices . When electronic

information is compromised , often its effects are not

immediately apparent . In many cases , the fraud is not

directly monetary , or represented by money equivalents , but

in information . Management Information Systems ( MIS ) and

Data Processing ( DP ) executives are extremely sensitive to

the vulnerability of their mainframe computer information .
Their fears that a computer abuser or " Data Trespasser " will
delete , modify or alter data or programs , have led their
organizations to take extreme precautionary measures . The

number of actual data trespassers may be small ; however the

abusers ' leverage is very great .

The US is in the process of changing over into an

information based society . The need to properly value ,
 262

assess and protect information as an asset is in question .

Information , as a valuable commodity , has its " sale " in the

form of reports , mailing lists , software programs as well as

other formats . As personal computers enter the households
of the nation , present fraud and abuse schemes must be
stopped and the public protected adequately . Emerging

services such as "Shop at home " and " Home banking " ( See
appendix A for a summary of articles on this subject ) will

require secure means of identification , recording and

authentication , not presently offered in the personal
computer environment . It is mandatory that private industry
develop the necessary security means .

A secondary issue addresses the protection of software

programs for personal computers . In some areas of the 'home

computer market ' , such as computer games , up to 80% of the

programs may be illegal copies . Schemes at present for

protecting mass distribution of software programs are

expensive and difficult to implement on a wide scale . It is

for this reason that many software program vendors " mark - up "
the price of a software package to cover this loss in

expected revenue .

Part of the difficulty in protecting information from

abuse is the notion of placing a value on said data .

Information such as a " stock tip" ,, "purchase agreement" ,
" inside information " , " personal data " or any confidential
 263

data stored or processed on a data processing device is at

times difficult to evaluate . The price is tangible when

the data represent " bank balances " or " credit lines " , but

becomes vague when the use or value is not specifically

defined . The majority of the abuses are of the intangible
nature , and their value is context dependent . This can

potentially place private industry in jeopardy if this

information is abused or altered to serve other than its

intended purpose ( s ) . Notice should be posted , similar to

private property notifications , of programs and data which

are private in nature . Remarkably , many abusers do not

realize they are committing an offense .

The rapid uptake of microcomputers and applications

will have a significant impact on the issues and tactics of
private industry to manage this " information situation " .
The personal computer is both a great tool and a great
weapon . This technology , as with most others , must be used
in a responsible manner . Educating the consumer , and

increasing his /her awareness that information is valuable ,

private, and important to maintain , will be a major positive
step forward to preventing abuse .

In the home , various kinds of services will open the

way to newer and more convenient lifestyles . Videotext ,

2 -way interactive television , will provide more

possibilities for shopping , working and leisure conducted

 264

from the home . One key to the effective changeover into an

information society is the ability to deliver timely,
accurate data . In addition , the home will see an

integration of the individual pieces . Specifically ,

television , personal computers and telephones will
interconnect , providing value added services , two way multi
dimensional communication with vendors in ways yet to be
determined .

Protection of information is essential to the success

of the information age . The responsibility of security and
protection of information will ultimately rest on the
suppliers of information and vendors of equipment . There
are a number of strategies to use , and there are even more
being developed , to protect the integrity of the
" information system " from unauthorized access , alteration or

deletion . There are a variety of mechanisms that can be

used to provide this protection . Below is a brief

introduction to the process of encryption and how this

process is used to protect data from theft or misuse .

Encryption is based on the notion of performing an

operation on a portion of data such that the data can be

transmitted without concern to its rightful owner . A " lock
box " provides a good analogue of how the encryption process
works : A message , or portion of information , is combined
with a key , as shown in figure 1 , through a mathematical
 265

encoding operation . The result of this mathematical process

is an encrypted message . By performing the complimentary

operation to the original encoding operation the original
message or information can be extracted . A lock - box would

work in the same manner . Both the vendor and the consumer

would have a set of keys . The vendor would place a message

into the lock box , lock it with his "key " , and ship the so
called sealed box to the user . The user would then " unlock "
the box and retrieve the contents . If the keys used are

complex enough in length the cost of " picking the lock " far
outweighs the value of its contents .

Private industry presently applies encryption to

protect its interests while transferring information from
one point to another ( or from one person to another ) . This

will insure the basic reliability of the message , and

establish its authenticity . The one drawback of this

encryption process is the initial management of the " keys ".

An alternative to conventional encryption processes ( such as

the National Bureau of Standards data encryption standard

DES ) is a public key cryptosystem . The manner in which this

system works is to apply two separate keys ( known as a key

pair ) in which one key is known publicly ( Public key ) , and
the second key is kept secret ( Private Key ) . The encryption
process uses one of the two keys ( figure 2 ) for encoding ,
and only the other key in the pair can be used to decode the
information . In this " one way " scheme public keys can be
 266

used to encode information meant for only the holder of the

private key , as his key will be the only one to unlock the
box ( examples of this process include the MIT Rivest - Shamir
Alderman RSA process ) .

Public key is attractive on a wide scale as the nature

of the encryption process lends itself to the mass market .
Software or information meant for an individual , or an

individual's personal computer can be encoded with the

information based on his public key . To read the

information , the consumer need only apply his private key to

unlock the data .

Emerging technologies will take advantage of encryption

and other means to secure the information placed within .
Security is a critical aspect of all future designs , as the
dependency and reliability of information used for and by

computers continues to grow .

Computers , encapsulated into credit cards , will have

extreme advantage over conventional , plain transaction

cards . One function these " smart cards " can perform is to
ensure a high degree of protection from counterfeiting by

making these devices unique with encrypted information

secured within the body of the card . The duplication
process becomes very expensive to the point where the

costs outweigh the potential benefits or return in

 267

investment .

Ultimately the responsibility of protecting the

integrity, privacy, security, and processing of the
information will be the vendor ( s ) of the information . The

smart card can achieve this by the nature of the device .

Transactions , information processing , encryption keys ,

and other aspects of our " information society " presently
lend themselves to processing by electronic means . The

technology of protecting the information exists .

The use of the computer on the credit card creates a

new type of financial transaction instrument . Today's

processing , presently passive , with much room for abuse ,

will become more secure through encryption and other means .
Credit cards today are supported by " on - line " databases for
recourse and checking against misuse . When the " on - line"

database is inside the card , additional protection measures

can be developed . The smart card for example can contain
the encryption key information necessary to authenticate and
process a transaction . Additionally, the generation of a

certified receipt and instantaneous recall are easy to

supply, since the card can provide all the necessary

information at the point of sale .

The smart card can also be effectively used to secure

 268

non- financial information . By providing an " electronic key "

with verification information placed onto the card , these

cards can unlock the information to its rightful owner . In

this way , a personal computer can be " authorized " to access

data by definition by being able to decode the data it
retrieves . Through careful management of the cards , and
designing the correct systems the threat of computer abuse
shall be reduced . The cards , by being active can record

their use , and if abuse is detected , or a card is lost or

stolen , the electronics need only recognize the situation ,
and "break " in such a way that the card itself need no
longer be a threat .

Other applications of the smart card extend to personal

identification , access control , electronic passports ,

medical records , employment history and other personal

" information data " .

In conclusion , there are many exciting technological

innovations emerging for the " information age " . The problem

of data trespassing and related electronic abuses will drive

the industry to implement anti - fraud measures . Federal

legislation , such as HR 5112 , as well as raising the general

awareness level will demonstrate the severity of the

situation and provide the protection electronic information
needs against theft and abuse .
Thank you .
 FIGURE
11
ENCRYPTION

T
PLAIN
-EXT
MESSAGE

ENCRYPTED

38-178 0 - 85 - 18
ENCODE
MESSAGE

KEY
269

ENCRYPTED
MESSAGE
PLAIN
-
TEXT
CODE
-
DE MESSAGE

KEY
 ENCRYPTION
METHOD 2FIGURE
2

KEY
CONVE NTIONAL

MESSAGE
MESSAGE
TRANSMISSION
ENCRYPT NSECURE CRYPT
-
DE
.
TRAN S
KEY KEY
OF

HANDSHAK
AS
KNOWN E
270

PUBLI
KEY C

MESSAGE MESSAGE
TRANSMISSION

ENCRYPT CRYPT
-
DE

PRIVATE
PUBLIC
KEY KEY
 271

APPENDIX A

Pertinant articles

Edwards ,, R. , " Home Banking Pilots Keep Coming, " United

States Banker , February , 1983 .

Gillard, Collen and Smith , Jim , " Computer Crime : A Growing

Threat , " Byte , October , 1983 .
Kent , Catherine , "High Interest in Home Banking ," PC World ,
Vol 1 ( 2 ) , 1983 .

Latamore, G. B .. " Putting intelligence in your wallet" , High

Technology , June , 1983 .

Matyas , Stephen , "Digital Signatures - An Overview , "

Computer Networks , Volume 3 , 1979 .

Mayer , Martin , " Here comes the smart card , " Fortune , August
8, 1983 .

McLellan , Vin , "Keeping Electronic Mail Private , " , Inc. ,

April , 1984 .

Mills , Mark , " Memory Cards : A New Concept on Personal

Computing, " Byte, January,, 1984 .
Smith , John , " Public Key Cryptography ," Byte , January , 1983 .
Weinstein , Stephen , " Smart credit cards : the answer to
cashless shopping , " IEEE Spectrum , February , 1984 .
Zaki. , Ahmet , " Regulation of electronic funds transfer :
impact and legal issues, " Communications of the ACM ,
February , 1983 .
 272

SAMPLE SMART CARDS

‫در‬

12345
Sle 54321
L. A. NEMO
12345
12.82

I
RRE
TEL 954-90-80 P626 3
SYSTEMES ET AUTOMATISMES
POUR L'INFORMATISATION
 273

17

Uniformed Services
Identification Card
BE TEST

20240 -98-66767101 840322

HITZER FREDERIK
FORN

SP5
DO

591005 EBR 37

Sample photographs furnished by Smart Card International

)
 274

Mr. HUGHES. Thank you.

Dr. Weinstein.
Mr. WEINSTEIN . Thank you very much for inviting me here
today.
Mr. HUGHES. We are delighted to have you .
We have your statement which , likewise, will be made a part of
the record in full, and you may proceed as you see fit .
Mr. WEINSTEIN . All right. I will read parts of my statement, and
perhaps I can make some side remarks.
Thank you for inviting me. It is a privilege to be here and say a
little more about “smart cards” in particular, an area in which
Henry Dreifus is one of our country's very interesting and promis
ing entrepreneurs. So far, though , the technology is mostly from
abroad, as I will describe a little later on.
Integrated circuit cards can be broadly defined as any personally
carried device containing one or more semiconductor integrated
circuits and means for coupling them to external systems. There
are companies that are making plastic keys and dogtags with chips
inside .
The Department of Defense is testing some of those. That is a
device that might broadly be called a card, but is really a different
shape.
More narrowly, the integrated circuit card is a piece of plastic,
like the ones you have in your hands, which looks like and may, in
fact, be a credit or debit card, though it isn't necessarily.
It will contain one or more integrated circuits and the means for
coupling them to external systems. This technology was pioneered
in France, and consumer trials of a debit system , of banking viz Vi
deotex terminals, and of pay telephones accepting “ smart cards,”
are being supported by a consortium of banks and the French Tele
communications Administration .
I read in a press bulletin from a week or two ago that in
Norway, the Telecommunications Administration is about to begin
some small-scale trials.
All of these cards that you have there for examination meet the
international standards on the dimensions of bank cards, which
was a problem for a long time. It was hard to encapsulate the
better part of a microcomputer inside a standard credit card, and
that is
Mr. Hughes. Let me just interrupt if I might.This seems to have
an integrated circuit right up here in the corner.
Mr. WEINSTEIN . Those are the electrical contacts. The circuit is
inside .
Mr. HUGHES. Inside?
Mr. WEINSTEIN . Yes.
Mr. HUGHES. But they both have the integrated circuit?
Mr. WEINSTEIN. Yes, underneath the contact plate. One of those
cards actually has the circuits encapsulated in a translucent mate
rial so you can see the two circuit chips, plus the connections to the
contact pads. It is that one, I believe.
An integrated circuit card is said to be “ smart” if it is capable of
internal execution of computer programs, such as comparison of a
personal identification number , or PIN , with a stored reference.
Most of the cards that I have shown you are “ smart” in that sense.
 275

The PIN comparison feature is one of the main security elements

of smart cards. It enables you to establish a connection between an
individual and a card without necessarily having to consult a cen
tralized data base.
The presently available smart cards contain from 4,000 to 16,000
bits of programmable read -only memory and a combination of
memory and computational capability brings them close to being
microcomputers, but they are not quite microcomputers; they don't
have power display and data entry elements. Those are in a termi
nal device: a telephone, whatever, into which the card would be
plugged.
So the card is only part of the system . You have to have a series
of terminals that accept these cards and that is why you can't just
take one of these cards and use it now in the United States. There
aren't any terminals that accept them.
But a more important difference is that smart cards are instru
ments which, like telephones, but unlike present day computers,
can be used by bearerswho are totally unfamiliar with computers,
computer programming, and electronics. This placing of portable
application -specific processing power into the hands of unskilled
users could be a significant milestone of the information age, and I
believe will become that as cost -effective applications are devel
oped.
Despite this great potential , I wouldn't hold out the smart card
as a cure for credit card crime. It won't be a substitute for the
many steps which credit and debit card issuers are taking in ex
tending online authorization systems to more and more purchases
and building antiforgery protections into cards. The smart card, as
a matter of fact, will have its own vulnerabilities that may have to
be confronted in the future.
It does, however, open opportunities, as Mr. Dreifus has said, for
new or enhanced services, both online and off-line, in configura
tions which are economic, convenient, enhance personal privacy
and havethe potential for a very high level of security.
I would like to give a capsule description of one rather generic
sort of application to show how the card might be used and what
its features would be. This example is the personalization of com
munication terminals. Imagine a future environment in which a
card bearer might wish to make electronic funds transfers from a
variety of home , office, and public access terminals, all equipped
with electrical interfaces for integrated circuit cards. The bearer
would insert his card and enter his personal identification number.
With successful comparison with the stored inside the card, the
card would release the financial institution's telephone number
and the bearer's account number to the terminal. It might also re
lease for the bearer's review, prior to establishing communications
with the financial institution, credit limits and past transaction
records .
After automatically dialing up the financial institution using the
number that was taken from the card, an automatic identification
computation would be made in the card, establishing the authentic
ity of the card and the identity of its bearer to the satisfaction of
the financial institution. Such a scheme has been developed in at
 276

least some of the French cards for use in home banking from Vid
eotex terminals in France.
This can be done without dependence on the physical security of
the terminal or the existence of a security management system
within the communications network, so it is a way of avoiding that
kind of complex online design.
The subsequently generated transactional data could be authenti
cated and possiblyencrypted for secrecy under the control of micro
programming executed inside the card. An electronically signed
record of the transaction could be stored in the card, eliminating
the need for a printer at the terminal, as Henry suggested.
At the conclusion of the session, withdrawal of the card would
depersonalize the terminal, leaving no trace of the user's private
codes and information and thus discouraging attempts at fraud by
other users or by personnel maintaining the terminal.
I have a couple of other examples which I submitted as an ad
dendum to my written notes. One is a medical smart card , and the
other is an electronic air travel ticket which you may want to read
for entertainment or whatever.
I hope this example illustrates some of the attractions of the
smart card for consumers and service providers alike, though there
are many near-term considerations of cost, reliability and con
sumer acceptance which are making its introduction slower than
expected .
Now, there are security vulnerabilities of the card. Although it
has a potential for increasing security, I think it is important to
consider possibilities within this new technology for perhaps new
types of fraud, or whatever.
One possibility is that since the card is a computer, its functions
could be emulated in some other computer. For all practical pur
poses with some computer communicating with this computer, it
would look like a card, although it wouldn't be a card at all. Here
we are talking not about a question of forgery, per se , but emula
tion.
There are other problems, also, with smart card transactional
systems that have a large number of members, since it operates, in
many cases, off-line, you would want to store a lot of information
about bad cards in each and every terminal, which is still perhaps
an expensive thing to do for a large card system.
I don't want to go any further into security problems, but I do
have a little more detail in my comments. I hope this brief review
of the nature, use, powers and vulnerabilities of smart card trans
actional systems has served to introduce a new and interesting con
sumer-oriented technology and provided useful information for
your deliberations.
Thank you .
[ The statement of Mr. Weinstein follows:]
 277

TESTIMONY OF
STEPHEN B. WEINSTEIN ,
ON INTEGRATED CIRCUIT CARD TECHNOLOGY

SUMMARY

This testimony introduces a new transactional systems

technology , that of integrated circuit or " smart " cards , which
can put portable computational power into the hanas of
untrained users . It could deter some kinas of computer and
credit card fraud and possibly give rise to others .
technology is defined , and a scenario is drawn of its use for
personalization of a communication terminal in making an
electronic funás transfer . This scenario illustrates several
of its capabilities for supporting new or enhancea services .
Several of its security attributes are describea , incluaing
bota strengths , such as achieving independence from the need
for secured terminals , and weaknesses , such as the possible
emulation of smart card functions in a computer or experimental
circuit boara .

Introductory Biography : Stephen B. Weinstein

Stephen Weinstein is employed by American Express Company as

Vice President for Technology Strategy , and advises management
on the business impacts of new technologies . He is an
electrical engineer , with a Ph.D. from the University of
California at Berkeley , and is a specialist in data
comniunications and transactional systems . ke is chairman of
the Working Group in Integrated Circuit Cards of the American
National standaras Institute and is a Fellow of the Institute
of Electrical and Electronics Engineers .
 278

Mr. Chairman and Members of the Subcommittee , I am Stephen

Weinstein , Vice President for Technology Strategy of American
Express Company , where I am responsible for investigations into
the impacts of new technology on the business of American
Express . Today , however , I am not testifying as a company
spokesman on provisions of HR5112 , but strictly as a technical
expert in a new technology , that of integrated circuit or
" smart " cards . This technology will have important
applications in future electronic transactional and information
systems , and may be of interest to framers of legislation on
computer and credit card crime . I am an electrical engineer
and am chairman of the Working Group within the American
National Standards Institute on Integrated Circuit Cards . Ι
have been following smart card technology since 1979 , when I
joined a former subsidiary of American Express , Payment
Systems , Incorporated . I previously worked at Bell
Laboratories in data and coded voice communications .

Integrated circuit " cards " can be broadly defined as any

personally - carried device containing one or more semiconductor
integrated circuits and means for coupling to external
systems . Devices such as plastic keys and dog tags with
imbedded integrated circuit chips are produced and used , at
least experimentally , in entry control and personnel
information systems .

More narrowly , the integrated circuit card is a piece of

plastic which looks like , and may in fact be a credit or debit
card , and contains one or more integrated circuits and the
means for coupling them to external systems . This technology
was pioneered in France , and consumer trials of a debit cara
system , of banking via videotex terminals , and of pay
telephones accepting smart cards have been supported by a
consortium of banks and the French telecommunications
administration . I have several examples with me , which I
herewith submit for your examination . All but one of them is
French and that one is Japanese . All of them meet the
internationally accepted dimensional standards including the
30/1000 inch thickness for bank cards . An article I recently
wrote for IEEE Spectrum magazine , which goes into many
technical and utilization details , is respectfully submitted as
an attachment to these comments .
An integrated circuit card is said to be " smart " if it is
capable of internal execution of computer programs, such as
comparison of a personal identification number ( PIN ) with a
stored reference . Most of the cards I have shown are smart in
The PIN comparison feature is one of the principal
security features of existing smart caras , but there are caras
with additional security microprogramming beyond PIN comparison .
The presently available smart cards also contain from 4000 to
16,000 bits of programmable read - only memory ( PROM ) , and the
combination of memory and computational capability brings them
 279

very close to being microcomputers . They are , however , not

quite complete microcomputers . The power , display aná data
entry components of a microcomputer are not in the card but in
the terminal to which a smart card must be attached , and the
card contains very little ranäom- access memory (RAM ) . But the
most important difference , as Jerome Svigals of IBM has pointed
out , is that smart cards are instruments which , like telephones
but unlike present - day computers , can be used by bearers who
are totally unfamiliar with computers , computer programming and
electronics . This placing of portable, application - specific
processing power into the hands of unskilled users could be a
significant milestone of the information age , and I believe
will become that as cost effective applications are developed .
Despite this great potential , the smart card is not a cure for
credit card crime , and I do not want to suggest that it will
substitute for the steps which credit and debit card issuers
are taking in extending online authorization to more and more
purchases and building anti - forgery protections into embossea
and magnetic - striped caras . The smart card has its own
vulnerabilities which I will describe shortly . The smart card
does , however , open opportunities for new or enhanced services ,
both oníine and offline , in configurations which are economic ,
convenient, enhance personal privacy , and have the potential
for a very high level of security . I would like to give a
capsule description of one of these new or enhanced services .
This example is the personalization of communication
terminals. Imagine a future environment in which a card bearer
might wish to make electronic funds transfers from a variety of
home , office and public access terminals , all equipped with
electrical interfaces for integrated circuit cards . The bearer
would insert his card and enter his personal identification
number (PIN) . With successful PIN comparison , the card would
release the financial institution's telephone number and the
bearer's account number to the terminal . The card might also
release , for the bearer's review prior to establishing
communications with the financial institution , credit limits
and past transaction records .

After automatically dialing up the financial institution , an

automatic identification computation would be computed in the
card , establishing the authenticity of the card and the
identify of its bearer to the satisfaction of the financial
institution . This would be done without dependence on the
physical security of the terminal or the existence of a
security management system within the communications network .
The subsequently generated transactional aata would be
authenticated , and possibly encrypted for secrecy , under the
control of microprogramming executed inside the card .
" electronically signea " record of the transaction could be
stored in the cara , eliminating the need for a printer at the
terminal . At the conclusion of the session , withdrawal of the
 280

card would " depersonalize " the terminal , leaving no trace of

the user's private codes and information and thus discouraging
attempts at fraud by other users or by personnel maintaining
the terminal .

Two other examples , of a medical smart card and an electronic

air travel ticket , are attached as an addendum to these
comments .

I hope this example illustrates some of the attractions of the

smart card for consumers and service providers alike , although
there are many near - term considerations of cost , reliability
and consumer acceptance which are making its introduction
slower than expected .
I have already suggested that some potential forms of computer
crime , such as posing as another individual from a
telecommunications terminal , may be discouraged by the
introduction of smart card access techniques . But smart cards
will also offer a new target for criminals . For example ,
attempts may be made to emulate - not exactly forge- a card by
building its electronic properties , and some of its critical
data content such as the PIN , into a communications terminal ,
or alternatively into a " breadboard " connected to a contact
plate which is inserted into an existing terminal. There are
software protections against such emulations , but use of an
emulating system or device for fraudulent purposes should ,
perhaps , be viewed in the same light as outright forgery , which
is also not impossible for smart cards . Other attacks might
involve the use of sensitive laboratory instruments for
reading of " secret " smart card contents .

If smart caras are given mass use in offline debit or credit

systems , which I did not include among my scenarios but is in
fact the perspective of the institutions sponsoring its use in
France , a serious security problem could arise from an
inability to store large " negative files " of stolen and
canceled caras in POS terminals . Even with the requirement of
a PIN comparison , there could be incidents of armed robbery in
which both a cara aná a PIN are extracted from a victim , and
fraudulently used at distant POS locations . With neither
online communications access to a negative file nor a daily
updated negative file stored in the offline POS terminal , the
fraud would be difficult to detect . We can expect relief from
this problem as the cost of mass storage continues to decline ,
but it is a weakness of present - day offline systems .
I hope this brief review of the nature , use , powers and
vulnerabilities of " smart card " transactional systems has
served to introduce a new and interesting consumer - oriented
technology , and provided useful information for your future
deliberations . Thank you .
 281

ADDENDUM : ADDITIONAL EXAMPLES

As a second example , consider a medical smart card which a

bearer would use when obtaining services from hospitals ,
physicians aná pharmacists . In addition to personal
identification and identification of insurance and social
service carriers and insurance and social service account
numbers , the card would carry basic information such as blood
type , drug allergies and name and address of a personal
physician ; an abbreviated medical history ; prescription
records ; and references , including data base telephone numbers ,
to sources of more extensive medical records . Emergency
information would be in an " open " part of memory , while other
information could be in PIN - protected memory , accessible only
with the cooperation of the card's owner . The card would
provide an " electronic signature " for insurance claims , and
potentially carry electronically signed medical prescriptions .
This system would facilitate automation , while enhancing the
bearer's privacy .

As a thira and final example , one which depends on development

of a smart card with reusable memory , I would suggest a travel
application in which the cardholder would , when making an air
travel reservation through a terminal personalized as in my
first example ( in my comments ) , receive an
electronically - signed electronic air travel ticket which woula
be stored inside the card . At an airport boarding gate , a
relatively low - cost offline boarding pass issuing machine ,
designed to accept smart cards , would read and cancel the
traveler's electronic ticket and issue a boarding pass . The
traveler might pick up electronic receipts , rather than paper
receipts , at major hotel and car rental agencies around the
worla , and store those , too , in the card . Returning home , the
card could be plugged into an office machine which would
extract the canceled tickets and the receipts anå begin
preparation of an expense voucher .
-
 282

Smart credit cards:

the answer to cashless shopping
Pioneered in France, microprocessor-based credit and debit cards
are being used in large-scale tests in three cities there
APPLICATIONS
You walk over to a special pay phone in a large air CONSUMER ing well. There is little doubt that technical and cost
port, insert your electronic -communication services .barriers will be overcome and that by the end of the
card, and enter your password. The telephone ac decade smart cards will be regarded by millions of
knowledges that a central computer has validated people as a convenient and highly secure medium
your identity by flashing a service menu on the lumi for interaction with personal computers, communi
nescent screen . You choose from “ Local directo cation devices, transactional terminals, and infor
ries , " " Long -distance directories,” “ Personal di mation systems generally.
rectory ,” “ Rates,” “ Place call, " and " Informa The smart card is already a commercial product
tion services." You press the number for " Personal in France. This year once -ordinary bank cards, in
directory, " and the screen changes to a numbered listing of a cluding the French Visa card (Carte Bleue), will be delivered con
dozen names and telephone numbers drawn from your card's taining chips, in synchronism with the deployment of card
memory. You punch in 9 for a certain friend's number, and the accepting terminals and pay telephones. In the United States,
screen dissolves into a pricing and payment schedule : visible activity has barely begun. Very few “ telepayment" cards
TOLL CALL. 75 cents for the first three minutes, are being used for home banking in аa videotex trial started in
10 cents each additional minute. North Dakota by the First Bank System of Minneapolis, Minn .
CHOOSE FROM FOLLOWING TO PAY The trial project was taken over this year by J.C. Penney. The
(1) AMERICAN EXPRESS 3712 xxxxx 1102 U.S. Department of Defense is testing several thousand smart
( 2) GOTHAM SAV & LOAN 9044025 9534172592 cards in its Real-time Automated Personal Identification System
( 3) MASTERCARD 5432 0622 0420 xxxx (Rapids) at Fort Lee, Va., where the cards are needed to enter
( 4) SEARS 64 82762 xxxxx 2 medical, recreational, and other facilities. The DOD is also
( 5) VISA 4328 0611 0500 XXXX evaluating electronic “dog tags" -microchips that contain a ser
You punch 2, and the call is automatically authorized and viceman's vital records. American Express Co., the Bank of
dialed. As you talk with your friend, the screen displays the America, the Chase Manhattan Bank , Citicorp , and the New
charges as they accumulate; at the end of the call, the date, the York Stock Exchange have all been considering how they might
credit - card identification number, and the charge amount are use smart cards and could announce pilot projects at any time.
entered into the “ electronic receipts" section of your card's What is the smart card made of? It is a piece of plastic ,
memory. The charge is automatically submitted to Gotham via preferably 85.7 by 54 by 0.76 millimeters (standard financial
the telephone network. You withdraw your card and then rush to transaction card dimensions), incorporating an integrated -circuit
catch your plane.
Scenes like this, for a variety of personal activities, may
become commonplace in a few years. Microchips are being
NOR

placed almost everywhere, and it is now the turn of the plastic

cards that we carry in wallets, purses, and shirt pockets (Fig. 1 ) . CARTE A MEMOIRE
" Smart " cards - cards containing microchips that can compute
as well as hold data - could open a new frontier to designers of SPHILIPS
-

informationsystems, distributing processing power directly into

the hands of the general public.
Bugs being eliminated 5413 3002 2301
As a concept, integrated -circuit cards have unique advantages
as identification and access passes, bearers of personal records, MME . ELISABETH LAMBERT
Dot
carriers of electronic authorizations and tickets, encryption SPECIMEN
devices, and " electronic money ." Packaging and security prob
lems are still being worked on, and there are unanswered ques
tions about the long-term durability ofthe cards and their ease of ( 1) A card with a microprocessor and a memory, produced by
manufacture, but cards now being tested appear to be work- Philips SA in Fontenay- Aus-Roses near Paris, represents an
emerging means for electronic payment and personal-record
Stephen B. Weinstein American Express Co. transfer and updating.
 283

chip or chips with memory and computational capabilities. The

memory is nonvolatile — it does not lose its contents when power Deblt cards for direct funds transfer
is shut off - and it is present either as a separate chip or in
tegra.ed with a microprocessor or with dedicated logic. The card Most financial-transaction cards are credit or charge cards;
electronics can be designed with security features that permit its monthly billing statements are issued . The card holder does
use with off -line terminals not permanently connected to a cen not pay until billed, and payment is usually by check. But
another kind of card , the debit card, is used for direct
tral computer, although many of the most promising applications transfer of funds without written instructions.
are communications-related . To U.S. inhabitants, the most familiar use of debit cards is
The electronic card as a transactional medium is an old idea in the cash -dispensing automatic teller machines (ATMS)
maintained by many banks and savings institutions. The
that has appeared in a number of articles and patents over the debit card, together with a user's personal identification
years, but it was given an important boost in the early 1970s by a number (PIN ) checked by the bank's computer, authorize the
French inventor, Roland Moreno. His contributions (see "The bank to automatically deduct the cash withdrawal from the
French smart -card establishment,” p . 47] were to publicize the user's account and credit it to the bank . This debit is usually
idea and to define security features based on dedicated logic that carried out within one day and is reported together with
checks on the user's monthly statement. It is called an elec
protect transaction records and discourage fraud. He founded tronic funds transfer (EFT) transaction because the pay
the Innovatron Co. in Paris to license his patents. ment instructions and the bank's changing of account
The card idea was adopted by the French government's Télé balances are entirely electronic.
matique program (see " Télematique: an information access Many Europeans already use debit cards for buying
program ," p. 49) as one of its efforts to develop new computer gasoline and groceries in addition to obtaining cash . The
smart-card point-of-sale tests underway in France are debit
and communications based products and industries. CII (Com systems. In the United States, one also can expect to see
pagnie Internationale pour l'Informatique) Honeywell Bull debit cards more available for retail purchasing as point-of
begar. its CP - 8 (portable computer for the 1980s) development in sale communication networks develop and cost allocation
1977 and later patented a microprocessor-based card that func questions in the payments industry are resolved . -S.B.W.
tioned like a microcomputer. Other French companies followed ,
all stimulated by government support and strong interest from
the tanking community. The result has been the current Paris -based companies — CII Honeywell Bull, Flonic - Schlum
commercial offerings of smart cards and associated systems and berger, and Philips SA - but other companies may enter the
terminals. field . Datakey Inc. in Burnsville, Minn ., a manufacturer of keys
Present IC cards and card systems are being produced by three and military dog tags with encapsulated memory chips, may
become a smart -card manufacturer. Smart Card Systems Inc. in
Cherry Hill, N.J. , a subsidiary of International Micro Industries
Inc., which manufactures equipment for bonding ICs onto film
carriers, and Corpra Research , a Philadelphia company
pubiphone specializing in smart -card applications, have also expressed in
terest in manufacturing cards and terminals. The IBM Corp. has
à carte held a patent on an information card since 1972 and is considered
a potential manufacturer of smart card systems.
Smart Card International Inc., a New York concern founded
in early 1983 to develop smart - card systems and applications, is
the only U.S. company licensed by Innovatron and authorized to
sublicense others and may or may not itself produce cards and
terminals. Motorola Inc. is producing custom chips for the smart
cards made by Honeywell Bull, and Siemens AG of Munich,
West Germany, is making the chips for Flonic's smart cards.
Several Japanese and West German manufacturers have made
prototype cards, including a Japanese 13 -kilobyte memory -only
card, considerably thicker than a financial -transaction card, for
use as a program cartridge in a portable microcomputer.
Once mass production begins, the card will cost an issuer (such
as a bank) $ 2 to $ 10, depending on the card's capabilities and the
quantities manufactured . The premium over the roughly $.75
cost of a magnetic -stripe card will cover the added value of the
smart card's " intelligence , ” as well as its transactional conve
nience and speed.

ca
Current applications and tests
Under present plans, smart cards are only components in
larger transactional systems. They are used with point- of -sale
(POS) and other terminals , and in home
banking applications they communicate with
12 ] A newly designed pay telephone pro special processing units attached to host com
duced by Flonic - Schlumberger in Paris ac puters. Terminals for POS service in retail stores
cepts smart cards. It is being deployed by the French govern . are available from all three French manufac
ment's Telecommunications Administration . turers of smart cards, and peripheral card readers are made by
 284

Flonic and Honeywell Bull. The French government's Telecom a separate customer keypad to protect privacy. The sales amount
munications Administration (PTT) has connected videotex ter entered by the sales clerk through the main keyboard is displayed
minals to external card readers and has ordered special pay on the customer's unit, and if it is acceptable, the customer enters
telephones that accept the card for payment and perform ab his PIN . If this PIN agrees with the one stored inside the card and
breviated dialing ( Fig. 2) . if the store's terminal has previously been activated by a
A debit type of POS system illustrates one way in which smart legitimate store -owner's card , the transaction can proceed.
cards can be used. Such a system , replacing cash and checks and Factory-entered microprogramming in the card carries out the
viewed in France as an " electronic checkbook," has been the PIN comparison entirely within the card , a significant security
main interest of the French consortium that has guided the advantage over memory -only cards, which require that the tran
smart -card effort. Called the Group d'Interet Economique Carte sactional terminal be secured .
à Mémoire, the consortium is composed of major banks and the The terminal determines whether the purchase amount, plus
PTT. Three separate POS experiments have been in progress in the sum of the past month's purchases read from the customer's
France since the beginning of 1983, with each manufacturer card, exceed the monthly authorization on the card . If there is
assigned a location : Honeywell Bull in Blois, Flonic -Schlum enough credit left, the transaction is completed, and the transac
berger in Lyons, and Philips SA in Caen . tion date and amount is written into the customer's card. A
The Blois trial is supposed to distribute 25 000 cards and the printed receipt may also be generated.
Caen and Lyons trials 50 000 cards each, for use in about 200 At the same time the date, amount, and the purchaser's ac
POS terminals in each location . It has taken much longer than count number are entered into an electronic memory inside the
anticipated to iron out administrative, marketing, and technical store's terminal. In this " store and forward ” terminal attach
problems, particularly arrangements with the sponsoring banks ment mode, an entire transactions file is delivered — daily or at
and getting consumers to use the cards. Only 55 000 of the pro any convenient interval — to the store's bank via a dialed tele
jected 125 000 cards were distributed as of last October. No phone line or by physically transporting the memory module to
results or use - statistics have yet been made public. the bank . The bank clears the transactions by the electronic
The implementation of these experimental electronic -payment transfer of funds from the purchaser's account to the store's
systems begins when the banks get the cards from the factory. account.
Each card contains a stored production -sequence number and a The systems developed by the three French manufacturers are
unique “ transport key " needed to write the data during a per presently incompatible — a card used in one manufacturer's ter
sonalization process. The bank issues the card to an account minals will not operate properly in those of another manufac
holder, personalizing it with that individual's account number turer. The companies, however, have agreed on common card
and choice ofpersonal identification number (PIN ) and inserting terminal interchange protocols for future use , based on a
a secret code word associated with the bank . The bank also sets a microcomputer architecture for the card .
monthly spending limit for the card. Only a bank official armed
with the bank's code word can make or change an authorization , Host computer relieved of tasks
and only someone knowing the card holder's PIN can draw This off -line transactional system performs virtually the same
against it. transactional functions as automatic teller machines (ATMs) and
At the point ofsale, the card is plugged into a terminal that has self-service travelers' check dispensers, but it differs fundamen

Terminal Customer Card

keypad Keyboard

Diaplay
E

Read -only memory

| Peripherals
Timing
Clock
011
Random
Data
roproce
datal
Serial dat
Microprocessor access
Interface
Reset memory

+ 5V

+21 to 25 Programming
PROM
Power
Modem invalid transaction supply Ground
voltage
pard ncords

Protected
memory

[3 ] A smart card exchanges information with

Battery and obtains its power from a terminal through a
Telephone backup six -contact interface. Permanent micropro
line
gramming and manufacturer-supplied datain a
card reside either in a read -only memory (ROM )
or in a section of a programmable read -only
memory (PROM ) thatcannotbe written on. The
-

terminal allows a sales clerk and a customer to

1

enter data for a transaction.

 285

ly from them by using the computational capability and memory with Honeywell Bull for 200 000 smart cards capable of both
of the smart card in place of the on -line capabilities of a host telephone and banking functions.
computer.
The smart card point-of-sale system does, however, have one Where is it going ?
unresolved security problem . The " hot list" memory provided in The smart card is not likely to replace existing financial-trans
the terminal, analogous to the file of canceled cards maintained action cards, although it could take on virtually all of their func
in on -line credit-authorization systems, cannot accommodate the tions. More probably it will be widely used as an access instru
megabytes of data that would be required for a worldwide card ment, computational device, and personal electronic file in ap
system , with tens of millions of outstanding cards. Even with plications that require portability and self-contained security or
PIN protection for lost and stolen cards, the risk of PIN com in applications that cannot be achieved cost -effectively in a total
prornise and bad - credit losses may be serious enough to limit off ly on -line configuration.
line transactional systems using smart cards to relatively small The card could , for example, carry or generate personal en
user groups and spending authorizations. cryption keys for secure transactions from a network of ATMs
The three other major applications of smart cards in France and other public -access terminals. The actual encryption of the
are home banking via a videotex system , pay telephones, and information could be carried out in either a semiprotected ter
scholastic -record cards for students at the University of Paris. minal or, for higher security, within the card itself, although new
More than 300 Teletel terminals installed in Velizy, a suburb of cards with special high -speed processors may be needed for wide
Paris, are equipped with smart -card readers. The telepayment ly accepted encryption algorithms, such as those specified in the
cards incorporate an encryption mechanism to preclude fraud U.S. Data Encryption Standard (DES).
and protect the privacy of banking transactions. The French The smart card could “ personalize" communications ter
PTTintends to order 50 000 smart-card readers to be connected minals, such as home terminals and telephones, acting both as
to videotex terminals, 50 000 terminals with integrated card the payment vehicle and the record keeper. It would be very
readers, and 100 000 telepayment cards, manufactured by helpful in the medical-services field, using its computational
Honeywell Bull. As of late 1983, 100 pay telephones for smart power to authenticate claims and carry personal medical histories
cards were operating in France. and treatment records between interdependent, but separate,
The PTT also plans to begin installing its new pay telephones medical- information systems. It could become a social-services
this year and to sell hundreds of thousands of smart cards to eligibility card, reducing the costs and errors of paper-based
telephone subscribers. Orders have been placed with Flonic for systems. It could replace identification documents, such as passes
850 000 pay-telephone cards, of which 350 000 are to be smart to secured areas, passports, and alien identification cards. It
cards and 500 000 simple 256 -bit, read -only memory cards, and could electronically replace legal papers and air -travel tickets. It
could also, of course, be used as a traveler's check or debit card,
the original conceptions of its inventors and designers.
But a proper perspective should be maintained. Magnetic
stripe cards and terminals are widely accepted and used, and the
Open memory wiring of points of sale to central computers is well advanced, at
least in Japan, Scandinavia , and the United States. However,
there may not be enough added value in the computational
capabilities of smart cards to justify an expensive conversion of
most existing POS terminals and payment systems to smart-card
compatibility. And for data accumulation and off -line identifica
tion , a digital optical memory card with a capacity of at least 2
megabits, under development by Drexler Technology Corp. in
Accossible for writing or Mountain View , Calif., might be preferable . Such a card's level
reading under conditions
determined by micro of security, performance, and ability to interface conveniently
programming and cheaply with microcomputer systems must still be estab
lished . Thus, the smart card may become widely used in remote ,
self-service applications before it is generally accepted at retail
store counters. A microprocessor card depends on an attached
terminal for power, display, and data -entry components (Fig. 3) .
Authentication code word Two paths to intelligence
Inaccessible from
Issuer code word There are two approaches to making cards intelligent :
outside of card Cardholder PIN
dedicated logic and a programmable microprocessor. Dedicated ,
or wired, logic puts fewer circuits on a chip and so allows a lower
Security microprogramming card price or more memory for the same price. Wired logic is ade
quate for password comparison and other narrowly defined
functions, but the programmable microprocessor card is capable
(4) For security, a card's memory has accessible, conditionally of more complex operations and is adaptable to many different
accessible, and inaccessible sections, eachfurther subdivided. applications.
For example, one section ofthe conditionally accessible memory The memory limitation in a microprocessor card can be greatly
allows a user to enter orread a transaction record bypunching in
apersonal identification number(PIN ) only. In another section, eased by two-chip versions, such as the Philips card employs, but
authorizations made by a card issuer, such as a bank, can only be at the risk of vulnerability to wiretapping of the connections be
written when a code wordpreviously issued by the bank is used, tween the microprocessor and memory chips.
although they can be readby usingthe PIN only. The computational capabilities of the smart card are used to

38--178 0 - 85 19
 286

but they do not have the full power of a device that can execute
The French smart-card establishment programming instructions internally.
The smart card is one of the foundations, albeit a smaller Six main security functions must be performed for successful
one, of a long-term national program in Franceto modernize application of smart- card systems. They are :
Its economy,particularly its informatics industries. A variety 1. Identification of the bearer (typically a PIN comparison ).
of companies, govermental agencies, and industry organi 2. Protection of authorizations carried in the card .
zations have taken on responsibilities fordeveloping, manu
facturing, publicizing, and using smart -card systems. 3. Protection of records stored in the card.
One of the first was Innovatron Co., a Paris -based firm , 4. Authentication of transactions involving the card , possibly in
formed by joumalist and inventor Roland Moreno to license cluding transactional records retained by terminals.
his chip -card patents. Although cards bearing electrical and 5. Encryption or deciphering of messages.
electronic circuits appearedin several earlier patents, Mr.
Moreno's mid -1970s patents (including four in the United 6. Protection against forged or simulated cards.
States) describe important security and utilization features Several techniques are already implemented in smart cards for
for transactional applications. Innovatron has granted non these functions, but there is room for further work. No one
exclusive production licenses to the three French manu claims absolute security for smart cards any more than for other
facturers (CII Honeywell Bull, Flonic - Schlumberger, and
Philips SA) and production and sublicensing rights to one computer systems, but clever and constantly evolving designs can
U.S. company (Smart Card International Inc.). Honeywell keep the security features one or two steps ahead of the efforts of
Bull and Flonichave bought interests in Innovatron . Many those trying to defeat them . Because the security is software
later and equally significant patents are owned by the based , upgrading will probably not make terminals or card inter
manufacturers and other parties. faces obsolete .
The Group d'Interet Economique Carte à Mémoire is a
users ' organization, consisting of all major French banks Everything depends on the segmentation of the card memory .
and the Direction Général de Télécommunications. It has PINs, security microprogramming, and secret code words for
had responsibility for the recent point-of-sale trials in Caen strictly internal use are entered into the card either when it is
and Blois, developed procedural and technical recommen manufactured or when it is initialized under issuer control. After
dations, and generally led the commercialization effort in that the data can be used only by the computational unit inside
France .
To internationalize its efforts, the GIE Carte à Mémoire the card : it cannot be read or changed from outside the card .
created Intamic , the International Association for the Micro There is some potential for access to forbidden memory locations
circuit Card . Many prominent financial institutions in through unusual power -up procedures and careful monitoring of
Europe, the United States, and the Far East are now current drains and electromagnetic fields, but the threat can be
members. Intamic publishes a quarterly English-language minimized through careful design . The Famos technology ( a
newsletter and appears to have taken on most ofGIECarte
à Mémoire's conceptual and technical development standard -cell placement and venting program for laying out
functions. MOS integrated circuits), with its high density, suits large
Afnor, the French national affiliate of the International memories and appears to be resistant to compromise through
Standards Organization (ISO ), is the official standards reading with the help of an electron microscope.
setting organization in France and has an active smart-card
working group. Afnor is the secretariat and chair for ISO The bearer is identified by the PIN in the card . The bearer
Working Group 97/1714 on the integrated -circuit card , which enters a PIN through a keyboard into the card's logic unit, where
has active members from the United States, United the PIN is compared with the stored card -holder PIN. The bearer
Kingdom , France, Germany, and Japan. The U.S. integrated
circuit-card working group within the American National is allowed only a prespecified number of attempts before the card
Standards Institute isa liaison group with ISO and reviews is " closed " to further use . It can be " reopened " only by the
ISO standards proposals -S.B.W. issuer with use of the issuer's secret code word. So long as the
card holder does not disclose his PIN to others and assuming the
card is protected against forgery ( as described further on ),
execute algorithms, such as the PIN comparison, message satisfaction of the PIN comparison test is strong evidence that
authentication , and data - encryption operations— all security the bearer is the person identified by the name or account
related — and to control use of the memory. These two major number of the card .
functions are tightly associated, with PIN comparison a required Other identification tests for smart cards are conceivable, in
prerequisite for most memory accesses . cluding matching of digitally compressed signatures, finger
The control of memory use is achieved by segmentation of the prints, eyeprints, and voice prints with versions stored in the
ROM or programmable ROM into three sections (Fig . 4 ): inac card . These physiologically linked identifiers are advantageous
cessible from outside the card , accessible for writing or reading because a card holder cannot transfer the identification secret to
under conditions determined by the internal programming ofthe another person , but they currently are too costly, are not highly
card , and open to access without any test. reliable, and are not widely accepted .
The first section contains information used only inside the Stored records in existing cards are protected by precautions
card, such as the issuer's code word and the user's PIN, card that prevent overwriting. Such measures also prevent a card
authorization codes, and operational microcode. The second holder from making unauthorized changes in stored records.
section holds authorizations and transaction records and is con New records in new memory locations can be entered only under
trolled so that only the issuer can make or change authorizations control of the card holder's PIN . Future electrically rewritable
and only the user can use them . It is also possible to control ac cards, if developed, would require additional software protection
cess by validation dates, patterns of earlier use, and any other against unauthorized erasure .
criteria that can be interpreted by a short software routine. Remote transactions — from a home terminal, for example ,
can be authenticated by codes generated in the card ( Fig. 5) . It
Security: good but not perfect should be emphasized that this is an on - line application , with the
Smart cards have security features that only a computing smart card performing functions that the user prefers not to have
device could provide. Magnetic - stripe and digital optical cards in the terminal for security or portability reasons.
are passive. They can be made components of security systems, Protection against forged cards is necessary because of the ease
 287

of manufacturing a breadboard ( and possibly even a full- fledged The Philips two-chip card has a microprocessor and a 16 -kb
card ) with all the right electrical properties and code words EPROM , of which about 12 kb is available to the user. Printed
entered by the forger. Transactional- authentication schemes are circuit wiring connects the chips inside the card . Experimental
useful here, especially some variation of authentication at unat Japanese smart cards with a 16-kb capacity have been demon
tended and unsecured terminals. The Rivest- Shamir -Adelman strated but are not yet commercially available.
(RSA ) public -key encryption algorithm might be appropriate, The nonvolatile EPROM in all three of the commercially avail
although it has not yet been rigorously validated . A technique able cards requires a " write " voltage of 21 to 25 volts in addition
proposed by this writer combines PIN and public-key techniques to the standard 5 - V power source , and it cannot be erased and
to establish both authenticity of the card and the identity of its reused. Cards must be replaced after their memories are com
bearer. pletely filled . Many applications would benefit from an elec
trically erasable PROM ( EEPROM ), even though great care
How the chips are made would have to be taken to avoid inadvertent erasure . EEPROM
As for chip and assembly technologies, the Honeywell Bull cards are said to be under development but have not yet been
and Philips cards incorporate 8 - bit NMOS microprocessors, shown .
while Flonic uses dedicated logic. Flonic and Honeywell Bull There are no U.S. designs to compare with those of the three
each use a single custom -designed chip, accommodating MOS French manufacturers, but some potential manufacturers are
electrically programmable ROMs (EPROMs) of 4.6 kilobits in leaning toward a single-chip design that would mate an 8 -bit
" he first case and 8 to 12 kb in the second. A bipolar memory was microprocessor with from 2 to 16 kb of EEPROM . Several con
originally chosen by Flonic for its robustness against erasure, but cerns in the so - called Silicon Valley in California could make
bipolar circuits are less dense and more susceptible to optical such chips available by early 1985. Smart Card Systems is aiming
" tapping." The Honeywell Bull memory is protected against for a 64 -kb card (possibly, but not necessarily, rewritable ) within
erasure by ultraviolet light or other radiation by a mechanism the same time frame. Cost and possibly heat dissipation are the
hat disables the card if it has been irradiated . major barriers to making large-memory cards in standard card

Card Remote terminal

Personal
PIN 0 identification
number ( PIN )
entered

Secret
PIN comparison code word

Authentication
Enable code
2
Random
number
Authentication
Account code computed
number for present
5 transaction

Accountnumber Authentication
code
(5) In the French Télépaiement Bank computer
system : ( 1) A userentersaperson Approval or
disapproval
al identification number. ( 2) The
card compares the number with
that previously stored . If iden
tical, it activates an authentica Random Card's and bank's
tion process. ( 3) The holder's ac Alle number authentication
count number is transmitted to generated codes compared
the terminal and to the bank's
computer. (4 ) The bank's com Account number
puterproduces a random number Secret code word
and transmits it to the card . (5 )
The secret code word and the
user's account number are made
available for computation of an Authentication code computed for present transaction
authentication code in the card.
The bank's computer produces
the same code in parallel. (7 )The
bank compares its computation
with the card's. (8 ) Ifidentical, it
approves the user.
 288

proposed by Smart Card Systems, which also advocates a

Tolématique: an Information -access program metallic frame for mechanical support and electrical grounding.
Making information easily and quickly available to many The carrier assembly is encapsulated epoxy or some other inert
users is the essence of the French Télématique program . material before mounting in the card . This is necessary to avoid
Calling for the installation of cathode ray- tube terminals corrosion problems associated with the polyvinyl chloride plastic
throughout the country and for a network facilitating fast in . used in transactional cards. This encapsulation does not in itself
formation transfer, the program leans heavily on the sup provide a hermetic seal necessary for normal human handling
port of the French government's Telecommunications Ad (which might include submersion in water), so additional steps
ministration, or PTT.
An important part of the program is an electronic direc must be taken . At least one manufacturer " paints” the bonded
tory system , inaugurated in Rennes last February, following chip with an impervious coating before encapsulation , and there
successful two-year tests in lle and Vllaine in Brittany. By is some interest in glass seals, like those used in ceramic dual-in
the end of last year, up to 100 000 cheap stand -alone ter. line packages. There is no evidence of any problem with the seals
minals were installed there and Installations were begin
ning in Paris and the Picardie region , north of Paris. A used in existing cards.
spokesman for France Telecom Inc.in New York City,an en
tity representing the PTT, said it expects up to 3 000000 ter Improvements are expected
minals to be installed throughout the country by 1986, es Cheaper cards, rewritable memory, and more memory are the
sentially wiringit up into a large network of databases and main advances anticipated by smart -card developers. A 16 -kb
access terminals.
At present, the Brittany electronic telephone-directory EEPROM would make the card attractive for many applications
inquiry system can handle 120 simultaneous inquiries in a in which new data could keep coming in and old data periodically
regional data base of 1 200 000 subscribers. When fully could be purged. Some potential users would like to see the cards
operational - with 250 000 terminals installed -- the Brit execute more complex algorithms, such as those recommended in
tany regional system will be able to handle 500 simulta
neous Inquiries. Access to a national directory data base the DES, at speeds useful in telecommunications.
with 23 000 000 listings will be possible later this year, the More, better, and cheaper terminals also are needed and slowly
PTT believes. are becoming available. Personal terminals with built -in smart
Operating in natural language, the electronic directory card interfaces are under development, but inexpensive outboard
system is also highly flexible, accepting partial information,
misspelled words, and even easily identifiable synonyms interface devices are also needed for personal computers. Some
such as car and automobile. The system allowsSearches by users would like to have a hand -held card reader and calculator,
name, profession, and locality. -Gadi Kaplan which could make the contents of a card readily accessible to its
owner. A variety of card designs are likely to appear for different
applications.
thickness, and large -memory thin cards are likely always to be
significantly more expensive than those of moderate capacity. To probefurther
It is no mean feat to create an IC card that meets existing Inter A fundamental technical paper by smart -card innovator
national Standards Organization (ISO ) standards on the thick Roland Moreno, “ Un support individuel d'information in
ness dimension ( 0.76 mm thickness, 010 percent), flexing, sur violable ,” Informatique, no. 129, April 1979, emphasizes
vival over a wide range of temperature and humidity, and com memory segmentation for security.
patibility with embossing and a magnetic stripe. After the fun M. Meyer mentions who is doing what in “ Here comes the
damental task of systems and security design, the main technical smart card , ” Fortune, Aug. 8, 1983. The article is light on
challenges were tomake a card that would resist large static elec technology.
tric potentials, make good electrical connections despite dirt on A general application review is presented by A. Lessin in
the contacts, operate reliably with a variety of terminals, and be " Smart card technology and how it can be used ,” American
configurable for a variety of applications. Banker, May 20, 1982.
The technique for building the chip into the card is one of the Representative U.S. patents on “ electronic cards” are no.
more difficult elements in card construction , and it is only recent 3 703 464, by Castrucci, November 1972 (assigned to IBM
ly that smart cards have met the ISO thickness standard. There Corp.); no . 3 868 057, by Chavez, February 1975; no. 3 971 916,
are several alternative encapsulation technologies, and the choice first of a series of four by Moreno , November 1976; no .
among them depends on performance requirements, the number 4 105 156, by Detloff, August 1978 , as well as " microcomputer
of chips to be used , and exactly how much thickness is allowed . card” patent no. 4 211 919, by Ugon, July 1980.
The area of each chip is limited to about 25 square millimeters; a
larger chip might crack when the card is flexed . About the author
A chip is built into a carrying structure before being encap Steven B. Weinstein (F ) is vice president for technology
sulated in a card . Connections from the chip are made by wire strategy and chief scientist in the American Express Co. office of
( for a printed circuit board ) or tab bonding ( for film carriers and corporate development and planning in New York City. Previ
dual film carriers) to contact pads on the carrier. Wire bonding is ously, while at Bell Laboratories in Holmdel, N.J. , he con
easier to do for small production runs, but it poses a thickness tributed to the theory and practice of high -speed data communi
problem . cations on telephone lines. As a member of the IEEE Communi
One choice for the carrier is a relatively thick material -- for ex cation Society's Board of Governors, Dr. Weinstein participates
ample, a circuit board with double -sided etched circuits and in standards work on the integratedcircuit card through mem
plated through -holes. This solution is effective for connecting bership in the American National Standard Institute's Working
several chips but is not easy to squeeze into the required Group .
thickness. As an alternative, one can use tape automated bond
ing ( TAB) assembly, in which a polyester film carries metallic cir The author is especially grateful to Marie -Monique Steckel of France
cuits on one side only. Two such films can be used for convenient Telecom Inc. in New York, Jerome Svigals of IBM Corp., and Michel Ugon
of Cil (Compagnie Internationale pour l'Informatique) Honeywell Bullfor
and relatively secure connections between two or more chips, as help in preparing this article.
 289

Mr. HUGHES. How far along is the technology on smart cards?

Mr. WEINSTEIN . Those cards typically have an 8,000 bit memory
and an eight-bit microprocessor and they can do most of the securi
ty functions that I was describing. The memory is a little small for
a lot of applications because you can't reuse it. You just have to
keep burning new memory cells in with new information. This is
good for perhaps 80 transactions in a debit card application.
Mr. HUGHES. In other words, if you are dealing with, let's say, a
financial institution, and you have a checking account and savings
account, with the use of the integrated circuit and this type of a
card, you can actually have a complete record of your transactions,
let's say, for the past 2 years stored in this card ?
Mr. WEINSTEIN. Except for the problem of the quantity that you
could store . It is somewhere between 80 and 100. As memory capa
bilities of these cards go up , you will be able to hold more transac
tions and there is also a possibility of having a reusable memory,
an electrically rewritable memory in these cards in the future so
that you could erase outdated records and release room for
fresh
Mr. HUGHES. I presume that, like with a data base in a standard
computer, this is just basically a minicomputer and you would have
to develop some sort of an access code and this would be user
friendly, I would assume.
Mr. WEINSTEIN . The most common security mechanism for user
access to the card is a password, so -called personal identification
number.
Mr. HUGHES. So it is possible to make this " smart card ” tamper
proof, and thus you could deny access to the information to any
body but that individual that had the code.
Mr. WEINSTEIN . Part of the idea is that if the card is lost or
stolen nobody would be able to use it because they don't know the
password for access to the card .
Mr. HUGHES. Let me ask you: As the technology moves, and it is
moving very swiftly at this point, do you see a time when even
cards may not be particularlyrelevant to transactions?
Mr. WEINSTEIN . I think there is always a need to make some di
viding line in how processing power is distributed. You might want
to have it all centrally located, but that is not necessarily the most
efficient way of doing things.
There are questions of efficiency, of utilization of facilities, com
munications and processing, and also personal privacy. I think
there is something to say for carrying a certain portion of your
records with you, instead of having them in a central file. I could
give examples where people's movements might be tracked very
quickly if everything theydo is immediately put into a central file,
whereas if it is carried in a medium like this, there would be a
little less central control.
Mr. HUGHES. I see.
Are these presently tamperproof, these “ smart cards”?
Mr. WEINSTEIN. I wouldn't claim that anything is tamperproof,
but they seem to have a fairly high level of security. There was
Mr. HUGHES. My own perception is that those who want to
tamper with “smart cards” and with computers have their own re
search programs ongoing and they seem to be about one step
 290

ahead, in many instances, those that make the laws to deal with
those that are trying to abuse the laws.
I ask that as one who is interested in trying to craft legislation
now to try to stay even , with these “ high-tech ” criminals. I would
also like to be able to get ahead of those that would abuse the law ,
but I would be happy to be able to stay even with them.
I wonder if what we are doing in this legislation , 5112, enables us
to do that. Do you have a view on that ?
Mr. WEINSTEIN. I am really not competent to comment on the
legislation, per se. I think that if you regard this instrument as a
computer, and especially if you take account of forgery through
emulation, rather than creating something that looks like the origi
nal, that
Mr. HUGHES. Henry, you have described the entrepreneur in this
developing area, and you have had a remarkable career for your
age. Let me ask you, do you think that H.R. 5112 addresses the
problems as you see them emerging in your industry?
Mr. DREIFUS . I think 5112 makes a very good start, and in the
absence of any legislation at the Federal level or what I would con
sider a uniform basis on which to protect the consumer and protect
private industry; 5112 will make a very significant quantum leap
and probably cover, I would say, 95 percent of all of the problems
that will come in the next 3 to 5 years through abuse of electronic
information and computers.
Mr. HUGHES. I don't want to discount what you are doing be
cause I think what you are doing, in attempting to develop counter
feitproof tamperproof types of cards is a very important endeavor.
You know, for instance, we have developed the technology today to
actually identify voice. Voices are like fingerprints. Are we going to
arrive at some point inthe not-too -distant future where I am going
to go in to, let's say Hogate's, and order dinner and when they
bring me the bill, I am going to be able to speak into some gadget
and say, " I want to pay Hogate's $ 25.50 and I want to put a $ 10.50
tip .” Is that going to happen, and be able to, right at that point,
verify the fact that it is authentic? Is that the direction we are
taking, do you think?
Mr. DREIFUS. I don't think so. I think that that technology will
be available or off the shelf, as we call it in our industry, for what
is known as bio -identification . I think the trends are not to provide
a centralized recourse of our information.
Mr. HUGHES. Do you think it is going to be decentralized, such
as
Mr. DREIFUS . Such as the " smart cards."
Mr. HUGHES [continuing].The " smart cards ” offer.
Mr. DREIFUS. Even though the technology for centralized ac
countability will exist. And it is not only voice print, but there is
eyescan technology, fingerprint technology, handgeometry technol
ogy , allon the verge ofmarketability right now .
Mr. Hughes. Inthe next panel, we are going to hear from a wit
ness who is going to be talking about the Videotex industry. In the
next decade, they anticipate that we are going to be able to not
only speak on the telephone very readily, as we are now , but also
be able to speak and see the individual. Is that going to be a part of
the technology as we do business ?
 291

Mr. DREIFUS. I believe the technology of Videotex and "smart

cards” or smarter systems will converge in the future and they will
dovetail very nicely. However, the need for accountability infrarec
ords will not disappear. As long as there are accountants in the
world, there will be need for accounting things, and “ smart cards”
are oneimproved method of accountability.
Mr. WEINSTEIN . If I may comment, I think that "smart cards”
will be used very frequently as an access device to services offered
via these new consumer telecommunications systems.
Mr. HUGHES. We are always going to have the process. I mean ,
even ifyou work on the assumption that Videotex is going to be a
very important part of it, or that we are going to be able to, by
using voice as a way of identification, some facility has to exist to
record that transaction obviously. So we are always going to have
that.
The only question is, what medium are we going to be using to
engage in the day-to -day activities and your answer is that you
think that decentralized recordkeeping, such as “ smart cards”
offer, is what the trend will be.
Mr. WEINSTEIN . The trend is moving to online and decentralized
at the same time. Online can be a replication of the full informa
tion kept at a central site at many regional sites. That possibility
will exist in the future. It is an interesting question of which way
America will go in terms of the information age. Will it become a
fully distributed society where the “ smart cards” are the ultimate
in distributed computing, such that every individual has his own
computer, or will it be a fully centralizedsociety where one or two
companies — the TRW's and the General Electrics — will have all
the information about everyone and everything ?
I have a feeling it will be a median between the two and both
will need to be supported and protected.
Mr. HUGHES. Thank you . That is very interesting .
The gentleman from Florida.
Mr. Shaw. Mr. Chairman , I think other than the remarkable
statement that you were going to leave a $ 10 tip on a $25 tab,
which I----
Mr. HUGHES. I am glad you noticed I was a big spender at Ho
gate's. [Laughter.]
Mr. SHAW [continuing ]. Which I found perhaps even more incred
ible than the technology that we are talking about today.
I really don't have any questions, except to comment as to the
question that I have that we here in the Congress will be able to
devise laws fast enough to keep up with this type of technology. By
way of background, I was a CPA before I became a lawyer and I
got out of accounting because I thought the computers were going
to win, and now I am totally satisfied that my prediction hasbeen
fully vindicated .
I must say that much to my chagrine, however, it may be that
the technology itself is going to be the key to this destruction of the
technology. I just don't know how in the world we are ever going to
keep up with it or how law enforcement is going to keep upwith it
with all of these types of devices.
Obviously this does not mean we should throw in the towel and
create as many laws as new tools that we can possibly put together
 292

without further interfering with the privacy of the vids, but there
is no question but 1984 is certainly here in many ways, some desir
able and some of it aa bit frightening.
As I say, Mr. Chairman, I have no questions at this time, but
look forward to learning more even from the next panel .
Thank you .
Mr. HUGHES. Thank you .
The gentleman from Oregon .
Mr. WYDEN . Thank you very much , Mr. Chairman .
I just have one question. Let me tell you what I think is part of
the problem , and particularly focusing on the young people and the
hackers. One of the things that has struck me as so strange about
this is that there are a lot of young people in this country who
would never think about knocking an older woman down on the
street and taking her pocketbook, and you know , $50, $60, who
don't seem to think there is anything wrong about playing with a
few keys on a computer terminal and thereby wiping out that same
elderly woman's retirement savings .
I think it goes right to the heart of what Mr. Miller talks about
the fundamental question: Is breaking into a computer system
wrong? I think we obviously think that it is, and I want to ask you
about an idea that I have been talking about around the country
and see if you think it would make any sense.
I would like to see every school district in this country with a
program of computer instruction begin to factor into those courses
an ethical section, a section in their ongoing computer courses that
focuses on the do's and don'ts of computer use from an ethical
standpoint. I think it ought to be started at the earliest ages and it
ought to go right up through the end of high school.
Obviously when you are talking about very young people, you
are talking about very simple kinds of concepts in terms of right
and wrong, but certainly with the older students, you would be
looking ata different kind of thing.
What do you think about this idea? I don't think it would essen
tially cost any money . What we would be trying to do is encourage
school districts with ongoing courses in computer instruction to put
in these kinds of ethical sections in their courses about the do's
and don'ts of computer use.
Do you think that would make sense? Is that the kind of idea
you could support?
Mr. WEINSTEIN . Well, certainly computer responsibility, responsi
bility in use of computers, just as learning courtesy of the road in
driver training is something that should be part of the program ,
but I personally am a little skeptical about dissuading those people
who get a great thrill out of getting into computers. I am not sure
how effective it will be. I think it is worth a try, though.
Mr. WYDEN. It is interesting you mention that because we cer
tainly don't dissuade everybody. No one disputes that, but I re
member when we had one of the young people before one of the
committees I serve on who was involved in the Wisconsin break-in.
They asked, “ When was the first time you understood that you had :
done something wrong? ” and he said, “ When the FBI knocked on
the door.”
 293

I think that that sketches out the dimension of the problem. You
are absolutely right; we are not going to dissuade everyone, and
certainly those who are insistent on taking advantage of new tech
nologies to engage in lawbreaking won't be deterred, but what I
hope to see is I think Congressman Hughes, our chairman, has a
very thoughtful piece of legislation here and I think a combination
of some good legislation plus an educational strategy together gets
to the heart of it.
Maybe your colleague there has a comment or two on my idea as
well.
Mr. DREIFUS . I think it is a fantastic idea and I would like to
extend your idea to encompass not only computing, but technology
in general and taking a responsibility and awareness of the serious
ness of all the wonderful pieces of technology that are available to
our new society, the 2001, if you will.
Mr. WYDEN . I appreciate your comment because I think that this
question of balancing educational activities and good strong legisla
tion, like the chairman's, is at the heart of it. I have always felt,
Mr. Chairman, we could in a lot of areas of government just pass
laws until we ran out of paper to print them and if we didn't do
the followup kind of educational work, we wouldn't get all the ben
efit from the intent of the legislation .
I think your bill is first- rate and I appreciate the gentle
man's
Mr. Shaw. Would the gentleman yield on that ?
Mr. WYDEN . I would be happy to .
Mr. SHAW. I would like to expand that perhaps one step further
when we talk about the morals involved. I think that is a very in
teresting point. What do you see as the morals or the responsibil
ity, ethical, and legal, of the industry who devises these type of sys
tems that are not infallible and that are susceptible to some type of
intrusion or “ trespass,” I believe, as one of you gentlemen used the
word?
Mr. WEINSTEIN. I think the industry in general has the responsi
bility to tell consumers what the risks are and what the compro
mises of privacy are. We all give up some privacy to attain certain
services and that should be and my company does attempt to ex
plain it. I think this is the case in the use of any kind of new in
strument; that the risks and the price being paid for some benefit
that may be gained through taking those risks should be made as
clear as possible.
Mr. DREIFUS. My comments are very much in line with Steve's.
There is a risk -to - reward ratio here and it is going to be the respon
sibility of private industry to police its own technologies. I have of
fered in the record one example of one way to protect information
which will be applied as time goes on and the seriousness of infor
mation becomes greater.
It is still an unresolved question as to the concept of protecting
technology or protecting use of the technology. Credit cards, when
they were originally put forth, and other transaction instruments,
was based on the faith that the American consumer was trustwor
thy. I still believe the American consumeris trustworthy, however,
there are those who will take advantage of any mousetrap and find
 294

new ways around it to derive benefit in nonconventional or nonle

gal ways .
It is for this reason that the legislative issue has to be brought
forth , in my opinion.
Mr. Shaw. I know that we must stay even with technology, or in
some instances stay ahead, but I will throw this in gratuitously. I
think there is some technology that I wish never came about and I
am a little concerned about the possible chaotic conditions that we
may be finding ourselves in some day as a result of some of this
new technology that I think really, as human beings, we could
have done without, but quite obviously, we can't staystill and let
the rest of the world go forward .
Thank you, Mr. Chairman , and I thank the gentleman for yield
ing .
Mr. WYDEN. Thank you, Mr. Chairman. Just one other question
very briefly for either of you. One of the things that I have also
picked up as we get into this area is that much of what we do
seems to work for the larger institutions, whether they are large
businesses or large colleges or large institutions of one sort or an
other, but are pretty hard for small institutions, the small busi
ness, the small school.
Is industry and other kinds of private groups making an effort to
target in on their particular computersecurity needs, because I
think they have a very different set of problems. If you are a large
bank or something, for example, the classic way you protect your
system is you just limit access. Well, if you are a small institution,
you can't really limit access. Just in the course of doing business,
you can't divideup your functions that way.
Is there an effort to look at the needs ofsmaller institutions that
you know of ?
Mr. WEINSTEIN . Well, there are economies of scale in data proc
essing and communications. I think the efforts being made to pass
them on to smaller users are through shared systems, through
service bureaus of various kinds, through things like packet switch
networks, which share data communication capacity amongst small
users at reasonable cost.
I think there is an effort being made in that direction. I think
that a technology like these integrated circuit cards are a generic
product that could be readily programmed even for a very small
run of cards for a small institution would be something that would
be accessible to small institutions, just as large, though it would re
quire the large orders from the large institutions in order to get
the price down to an economically acceptable level.
Mr. WYDEN. Thank you, Mr. Chairman.
Mr. HUGHES. Thank you very much. You have given us a great
deal to think about. I believe , as you have indicated, that this legis
lation is a start. I think we all have a lot to do and learn . There is
a tremendous attitudinal problem that gives me some concern and
I think my colleague from Oregon points it out. I mean, people can
relate to mugging a little old lady and taking her pocketbook, but
the perception is that perhaps there is notsomething so wrong
about taking information by use of a device called a computer.
I also beleive that until we get a lot more cooperation in the pri
vate sector so that we can begin to identify the dimension of the
 295

problem , people are not going to sense that there is a problem . You
know, it is almost a catch -22 situation. I sympathize, with the in
dustry being concerned about not publicizing these incidents of
abuse of their data base, but until we convey the very strong opin
ion that there is a massive problem occurring that is going to
translate into big dollars for consumers indirectly, it is going to be
a very difficult problem to convince the majority of Americans.
White-collar crime of all kinds is very difficult to deal with be
cause it is that insidious type of crime that is often hard to meas
ure. When a cardholder, for instance, only has to pay for the first
$50, they don't feel the pinch. Therefore, it is very difficult to get
across to them the importance of attempting to deal with what
could, potentially, be a multibillion dollarabuse in this country in
the years ahead if we don't begin to deal with it realistically.
Thank you. You have been very helpful to us and we are indebt
ed to you for your testimony.
Mr. DREIFUS. Thank you for the opportunity.
Mr. WEINSTEIN . Thank you.
Mr. HUGHES. Thank you.
Our final panel consists of Mr. George Minot and Mr. Clifford
Karchmer. Mr. Minot is senior vice president for CompuServe, Inc.,
a $50 million remote computing service organization headquartered
in Columbus, OH. CompuServe has more than 110,000 subscribers
through its home information service. He is also on the board of
directors for the Videotex Industry Association and chairman of
the VIA's Internal-External Affairs Council. Mr. Minot is speaking
onbehalf of the Videotex Industry Association.
Mr. Karchmer is a research scientist with the Battelle Memorial
Institute. He joined Battelle in 1977 and has served as director of
operations and training of the National Center on White Collar
Crime, as well as project director for a number of research, techni
cal assistance, and training programs in the law enforcement field .
Mr. Karchmer served as director of the Massachusetts Organized
Crime Control Council prior to joining Battelle. He has had a most
distinguished career, as has Mr. Minot. We welcome both of you
gentlemen to the panel today.
We have your statements which will be made a part of the
record in full and you may proceed as you see fit. Why don't we
start with you , Mr. Minot. Welcome .
TESTIMONY OF GEORGE MINOT, SENIOR VICE PRESIDENT, COM
PUSERVE, TESTIFYING ON BEHALF OF THE VIDEOTEX INDUS
TRY ASSOCIATION, AND CLIFFORD KARCHMER, LAW AND JUS
TICE PROGRAM, HUMAN AFFAIRS RESEARCH CENTER, BAT
TELLE
Mr. Minot. Thank you, Mr. Chairman.
I would like to just go through and highlight some of the com
ments that I made in my statement for you today, addressing it
from the standpoint that we are talking about Videotex, and I am
representing the Videotex Industry Association, which is a 2 -year
old organization consisting of approximately 120 companies of all
sizes, ranging from the IBM's and the AT&T's to the CompuServes
and interested individuals as well .
 296

Videotex is a new communications technology which enables an

individual with a personal computer or a computer terminal or a
dedicated Videotex terminal connected to a television set to access
a wide range of information data bases via telephone or cable.
Videotex also enables an individual to send electronic messages
and conduct financial transactions, such as transferof funds, pay
ment of bills and purchase of goods and services. Videotex is cur
rently being developed for both home and business use. There is
not a major company in the United States who will not use some
form of Videotex to sell and market its products and services or
assist them in managing their operations within the next 15 years.
Specifically, I would like to discuss the issue of trespass against
information resources, which, in my opinion, is a greater threat in
the long run than in the intent to execute a scheme to defraud,
which H.R. 5112 addresses very succinctly.
The reality, as you pointed out, Mr. Chairman, is that the per
sonal computer makes hacking or attempting to break into comput
er systems a viable course of action today.The cost of electronic
trespassing to public system operators, such as CompuServe, will
increase in direct proportion to the growth in personal computers
and the concurrent increase in computer literacy so long as there
are no directly applicable State and Federal laws covering such un
authorized access.
The costs that unauthorized users inflict occur in several differ
ent forms. The first and most obvious is the damage caused by the
theft of service from the system operator, the stealing of that com
puter time. That is our only resource. That is what we sell.
The second cost is the tying up of the finite number of communi
cations ports, or access lines, into a Videotex computer system .
Each unauthorized access attempt reduces the number of ports
available to legitimate subscribers.
Another cost associated with electronic trespassing is a commit
ment of personnel and capital by the system operator to combat
these vandals. These are valuable and scarce resources which are
diverted from the task of improving and expanding the services
being offered.
The cost that has the potential to be the most expensive of all,
yet the hardest to measure, is that associated with the damage
being done to the young Videotex industry through the implica
tions that the accounts of legitimate users are not secure from tres
passers .
The costs I just outlined pose a real and serious threat to the
future wide availability of Videotex services in the United States.
What about the losses associated with theft of property of the vari
ous information providers whose data bases are resident on the Vi
deotex systems? What about the losses incurred by the value- added
network carriers that support the Videotex industry by providing
local loop and long distance communication service from the end
user to the computer systems? They are being vandalized as well.
It is imperative that you consider these costs, and to them , you
can add the expense of “ anything of value other than the use of
»
the computer to arrive at the aggregate fraudulent amount.
We, in the Videotex industryrecognize that the first important
line of defense from unauthorized access is through implementa
 297

tion of good computer security. It is imperative that such informa

tion does not come from within a company offering this service.
At the same time, we strive to impress upon our subscribers the
importance of keeping their personal ID and password secret and
1
strongly encourage them to change their passwords frequently. Se
curity measures are being employed today and will be improved as
we and our subscribers gain more experience with Videotex sys
tems.
However, security measures alone will never be adequate to con
trol electronic trespassers. Better laws, both at the State and Fed
eral levels, are needed to combat this new criminal element in our
society. Both State and Federallaw should not only make electron
ic trespassing illegal, but also the trafficking and fraudulently ob
tained subscriber ID's and passwords, as well as the selling of
fraudulent access devices.
We also respectfully suggest that laws are needed to permit both
criminal and civil relief. There will be instances where a Videotex
system operator, and /or its information providers, will be in a
better position to take an unauthorized accessor to court than a
local or Federal prosecutor.
We also need better legal definitions to cover the electronic infor
mation society. Such terms as “ property, property rights, theft of
properly, malicious access and manipulation of contents” need to
be defined with the current and future electronic information socie
ty in mind.
With the wider availability of remotely accessible information
and sophisticated personal computers, the potential for unauthor
ized attempts, unauthorized connections, theft of service, theft of
property, destruction of property and a whole range of other crimi
nalactivities is possible and highly probable.
Unless such formsof computer abuse are recognized as crimes
through new State and Federal legislation and/or new definitions
and sanctions under existing laws,the multibillion dollar informa
tion assets of business and Government will be at greater and
greater risk . Those very information resources which we see and
hear described as the cornerstone of the information society or the
foundation of the information age are not currently recognized as
tangible assets. As such, they are not afforded the same protection
under the law.
As a result of the VIA's forum on unauthorized access, conducted
here in Washington last month , the Videotex Industry Association
will soon begin drafting new legal definitions for consideration by
Federal andState legislators. In our drafting of new language, we
will be reviewing and considering the language from all relevant
Federal, State laws and bills. We will , of course, share our findings
with this subcommittee.
One last point before I close. We should all recognize that better
crafted laws and more stringent security measures will not be
enough to stop this insidious computer abuse. More effort needs to
be put forth in informing and educating the public. An unauthor
ized access of a computer system is a serious criminal act. The
public needs to be made aware that electronic browsing through a
data base is no different than a stranger coming into a house unin
vited and rummaging through it.
 298

Without this public understanding, law enforcement officers will

not be able to gain the public support for effective prosecution of
these crimes.
Thank you for allowing me, on behalf of the VIA, to make these
comments.
[ The statement of Mr. Minot follows:)
 299

TESTIMONY OF GEORGE M. MINOT, SENIOR VICE PRESIDENT, COMPUSERVE, INC. , ON

BEHALF OF THE VIDEOTEX INDUSTRY ASSOCIATION

SUMMARY

Videotex is a new communications technology which enables an individual

with a personal computer or dedicated videotex terminal connected to a tele
vision to access a wide range of information via telephone or cable . It also
enables an individual to send electronic messages and conduct financial
transactions , such as the transfer of funds , payment of bills and purchase of
goods or services . There is not a major company in the United States within
the next 15 years who will not use videotex to sell and market their products
and services or to help them manage their operations .

The reason for such widespread , future usage of videotex lies in its
principal features , interactivity and user friendliness . Naturally , the
degree of user friendliness will vary between videotex systems currently
being offered .

The reality is that the personal computer makes " hacking " or attempts to
break into computer systems a viable course of action . The costs to public
systems operators such as CompuServe for electronic trespassing will increase
in direct proportion to the growth in personal computers and the concurrent
increase in computer literacy so long as there are no directly applicable
State and Federal laws covering such unauthorized access ,

We in the videotex industry recognize that the first , important line of

defense from unauthorized users of our services is through security . We are
careful in restricting employee access to our subscriber IDs and Passwords.
At the same time , we try to press upon our subscribers the importance in
keeping their IDs and Passwords secret and strongly encourage them to change
their passwords frequently , at least once a month .
Howeyer , our security measures will not be sufficient to control all
unauthorized users . Better laws , both at the state and federal level , are
needed to combat this new criminal element in our society . We respectfully
suggest we need laws that permit both criminal prosecution and civil relief .
We also need better legal definitions for our electronic information society .
Such terms as " property ," " property rights , " " theft of property , " " malicious
access , " and "manipulation of contents" need to be defined with our current
and future electronic information society in mind . As a result of our
industry forum on unauthorized access last month , the VIA will soon begin .
drafting new legal definitions for consideration by federal and state
legislators .

In addition to better laws and better security measures by companies ,

more effort needs to be spent in informing and educating the public that
unauthorized access of a computer system is a serious criminal act . We , both
the private sector and the government , need to discuss computer fraud in .
terms that the public will clearly understand . Without public understanding
of this new crime , law enforcement officials will not have the necessary
public support for effective prosecution .
 300

Good afternoon , Mr. Chairman . I an George Minot , Senior Vice

President of CompuServe Incorporated , a 50 million dollar remote computing
services organization headquartered in Columbus , Ohio . Videotex services will
account for 25 percent to 30 percent of our 1984 revenues and by 1985 ,
information services will account for greater than 40 percent of revenues .
Today , CompuServe's more than 110,000 home information service subscribers tie
their computers into the company's 32 mainframe computers through a local call
from about 300 U.S. cities , The information service is sold through more than
8,500 retail outlets such as Radio Shack , Sears , Toys R Us , Service
Merchandise and Computerland .

It is estimated that there are currently over 350,000 subscribers to

commercial videotex systems in the United States . Today , I am speaking on
behalf of the Videotex Industry Association (VIA ) , a two - year old industry
association with a membership of over 120 companies active in the development
of videotex products and services . A list of members is enclosed . We
appreciate the opportunity to appear before the Subcommittee on Crime relacive
to a very important problem facing the emerging Information Society
unauthorized access .

To comprehend the potential magnitude that computer trespassing poses to our

emerging industry , it is important to understand the features and capabilities
of videotex . Videotex is a new communications technology which enables an
individual with a personal computer or a computer terminal or a dedicated
videotex terminal connected to a television set to access a wide range of
information databases via telephone or cable . Videotex also enables an
individual to send electronic messages and conduct financial transactions ,
such as transfer of funds , payment of bills and purchase of goods and services .
Videotex is currently being developed for both home and business use . There is
not a major company in the United States who will not use some form of videotex
to sell and market its products and services or assist them in managing their
operations within the next 15 years .

The reason for such widespread , future usage of videotex lies in its principal
features interactivity and user friendliness . Most videotex systems are
designed to be ' menu driven ' and employ a vocabulary of commands that are
 301

normally associated with a topic . For example , a videotex system that offers
" News " will most likely have a menu page as shown in Figure A.

FIGURE A : VIDEOTEX NEWS MENU PAGE

1. Top News
2. Local News
3. National News
.
4

. International News
5. Business News

In order to access one of the five news topics in Figure A, all the user
has to do is press the number corresponding to one of the topics . · After
the rumber is keyed ( for instance , 5 for Business News ) , another menu listing
business related stories will appear on the screen . To select the business
story of interest , the user simply keys in the number associated with that
news story and the full text of the selected story will be transmitted . In
order to complement the 'menu ' feature , most videotex services also employ
"key word" search routines . Thus , once an individual has gained access to the
videotex system , they can directly navigate to the " Business News" menu page .

Naturally , the degree of " user friendliness " will vary between videotex
system currently being offered ; however , as the example demonstrates , all
videotex systems are designed such that their users can easily access the
wide range of information available on an two -way , interactive basis .

With that preface , let me now address the issue that brings us together
today – Fraud and related activity in connection with computers , which
apparently the proposed H.R. 5112 is intended to address . Specifically ,
I would like to address the issue of " trespass against information resources "
which in the long run , in my opinion , is a greater threat than the ' intent
to execute a scheme to defraud ' which the proposed bill addresses .

38-178 0 - 85 - 20
-
 302

The reality is that the personal computer makes ' hacking ' or attempting to
break into computer systems a viable course of action. The costs to public
systems operators such as CompuServe for electronic trespassing will increase
in direct proportion to the growth in personal computers and the concurrent
increase in computer literacy so long as there are no directly applicable
State and Federal laws covering such unauthorized access .

The costs that unauthorized users inflict upon videotex system operators
occur in several different forms . The first and most obvious is the danage
caused by the theft of service from the system operator . This can take the
form of unauthorized access to an internal , non -billing account or the
unauthorized access to another individuals billing account from which the
system operator cannot recover monies due for services rendered .

The second cost is the tying -up of the fini - e number of communications ports
or access lines into a videotex computer system. Each unauthorized access
attempt reduces the number of ports available to legitimate subscribers . If
authorized subscribers are unable to gain immediate access to a videotex
service , it is likely that they will become frustrated and tend to stop
attempting to use the service .

Another cost associated with electronic trespassing is the commitment of

personnel - and capital by a videotex system operator to combating these
unauthorized vandals . These are valuable and scarce resources which are
diverted from the tasks of improving and expanding the videotex services being
offered .

The cost that has the potential to be the most expensive of all , yet the
hardest to measure , is that associated with the damage being done to the young
videotex industry through the implications that the accounts of authorized
users are not secure from unauthorized users . New technologies are often
viewed with skepticism by the public-at-large and , unless this problem is
addressed early on and means provided to videotex system operators to protect
their " electronic property " , then this technology will never reach its
>

potential .
 303

The costs I just outlined pose a real and serious threat to the future wide
availability of videotex services in the United States . All of the costs of
unauthorized access have not even been covered . What about the losses
associated with theft -of - property of the various information providers whose
databases are resident on the videotex system . What about the losses
incurred by the value- added - network carriers that support the videotex industry
by providing local- loop and long-distance communciations service from the end
user to the computer systems ? It is imperative that you consider these costs ,
and to them you can add the expense of ' anything of value ( other than the use
of the computer ) ' to arrive at the aggregate fraudlent amount .

We in the videotex industry recognize that the first , important line of

defense from unauthorized access is through implemention of good computer
security . We are careful in restricting employee access to our subscriber
ID and Password file . It is imperative that such information does not come
from within a company offering the service . At the same time , we strive to
impress upon our subscribers the importance of keeping their personal ID
and Passwords secret and strongly encourage them to change their passwords
frequently. A password is like a credit card , the possessor can seemingly
obtain anything available where the password is accepted . Security measures
are being employed today and will be improved as we and our subscribers
gain more experience with videotex systems .

However , our security measures will never be adequate to control all

electronic trespassers . Better laws , both at the state and federal level
are needed to combat this new criminal element in our society . Both State
and Federal laws should not only make such electronic trespassing illegal ,
but also the trafficking in fraudulently obtained subscriber IDs and
Passwords as well as the selling of fraudulent access devices .

We also respectfully suggest that laws are needed to permit both criminal
and civil relief . There will be instances where a videotex system operator
and /or information providers will be in a better position to take an
 304

unauthorized accesser to court than a local or federal prosecutor will be .

Thus , companies need civil remedies available to them for this particular
criminal action .

We also need better legal definitions to cover the electronic information

society . Such terms as " property " , "property rights " , " theft of property" ,
"malicious access" and " manipulation of contents “ need to be defined with
the current and future electronic information society in mind .

As you the members of this subcommittee are probably already aware , with the
wider availability of remotely - accessible information and sophisticated
personal computers , the potential for unauthorized attempts , unauthorized
connections , theft - of -service , theft-of-property , destruction -of- property
and a whole range of other criminal activities is possible and highly probable .

Unless such foras of computer abuse are recognized as crimes through new
State and Federal legislation and/or new definitions and sanctions under
existing laws , the multi - billion dollar information assets of business and
government will be at greater and greater risk , Those very information
resources which we see and hear described as the ' cornerstone of the
Information Society ' or the ' foundation of the Information Age' are not
currently recognized as " tangible assets" , and as such , are not afforded the
same protection under the law .

As a result of the VIA Forum on Unauthorized Access conducted last month , the
Videotex Industry Association will soon begin drafting new legal definitions
for consideration by Federal and State legislators . In our drafting of new
language , we will be reviewing and considering the language from all relevant
Federal and State laws and bills . We will , of course , share our findings with
this subcommittee .

One last point before I close my testimony . We should all recognize that
better crafted laws and more stringent security measures will not be enough
to stop this insidious computer abuse . More effort needs to be put forth in
informing and educating the public that unauthorized access of a computer
system is a serious criminal act . The public needs to be made aware that even
 305

electronic browsing through a database is no different than a stranger coning

into a house uninvited and rummaging through it . Both the public and private
sectors need to discusss computer abuse in terms that the public - at - large will
clearly understand . Without this public understanding , law enforcement
officials will not be able to gain the public support for effective
prosecution of these crimes .

In suomary , for the Information Society to grow and flourish , we need secure
computer based systems , well -crafted laws written specifically to combat
unauthorized access , and more public awareness of the seriousness of this type
of criminal activity .

Thank you for allowing me , on behalf of the Videotex Industry Association, to

make these comments .
 306

March 1984

Corporate Members
of the

Videotex Industry Association

ADP / Telephone Computing Service

American Automobile Association
American Express Travel Related Services Company, Inc.
American Greetings Corporation
American Videotext Services , Inc.
Aregon International , Inc.
Arlen Communications Inc.
ATEX , Inc.
AT & T Consumer Products
AT & T Information Systems
Auragen Systems Corporation
Bank Administration Institue
Bank of America
Ted Bates Worldwide , Inc.
Byron Boothe & Associates
Booz - Allen & Hamilton , Inc.
Bratton Crews Cummings Group , Inc.
Broadcast Marketing Company
Alex Brown & Sons
Buick Motor Division
Cableshare , Inc.
Candle Corporation
Cavanagh Associates
Centex
Chase Manhattan Bank
Chemical Bank
Chillicothe Telephone Company
Citibank , N.A.
 307

Clark Cable Advertising , Inc.

Clemson University Computer Center
Colony Electronic Information Services , Inc.
Community Memory Project
CompuServe , Inc.
Computer Graphics Lab , Inc.
Consulting Resources for Management
Continental Telephone Service Corporation
Control Data Corporation
Corporation for Public Broadcasting
Courier - Journal & Louisville Times Company
Cox Cable Communications , Inc.
The Delta Report
Digital Equipment Corporation
Dow Jones & Company , Inc.
Doyle Dane Bernbach Inc.
Durham Herald Company
Equitable Life
Future Computing Inc.
Gartner Group , Inc.
General Instrument Corporation
General Videotex Corporation
Gingras , Goldman & Associates
Group W Cable , Inc.
Harris Electronic News
Hearst Cable Communications

Hoke Communications , Inc.

Home Vue Hawaii
E , F . Hutton Company , Inc.
Hycom Inc.
IBM Corporation
Impact 1040 Corporation
InfoNorth Computing , Inc.
InnoSys Inc.
Institute for the Future
Integrated Communications Systems , Inc.
 308

INTELFAX Ltd.
Intelmatique

Interactive Features , Inc.

Internationally Syndicated Information Services
KCET - TV
K.L.K , Inc.
KEYCOM Electronic Publishing
Link Resources Corporation
Macrotel , Inc.
March of Dimes Birth Defects Foundation
Maritime Data Network , Ltd.
Maryland Switch , Inc.
Matsushita Technology Center
McCann - Erickson , Inc.
McClatchy Newspapers
Mindset Corpiration
Mitre Corporation
National Broadcasting Company , Inc.
National Captioning Institute
NewsNet , Inc.
NORPAK Corporation
NYU /Alternate Media Center
Pacific Bell
PacketCable , Inc.
PartyNet Inc.
Paul & Turner , Inc.
Philips Electronic Instruments
Private Satellite Network , Inc.
Public Broadcasting Service
R/G Cable
Reference Technology , Inc.
The Reistad Corporation Payment Systems , Inc.
Saffer Cravit & Freedman Advertising , Inc.
St. Clair Videotex Design
San Diego State University/Center for Communications
San Francisco Videotex
 309

Satellite Network Delivery Corporation

Schiff , Hardin & Waite
Scripps -Howard Newspapers
SDI Inc.
The Servnet Corporation
Southern New England Telephone Company
Southern Satellite Systems , Inc.
SRI International
Systemhouse , Inc.
TELELOGIC Inc.

Telemedia Corporation
TeleQuest

Keith Teruya & Associates

The Communication Studio
J. Walter Thompson , U.S.A.
Time Video Information Services
Tribune Company
Tymshare
United Media Enterprises
Verticom Inc.
Videodial , Inc.
VideoFinancial Services
Videographic Systems of America
Videotex Information Corporation
VideoNet , Inc.
Videotex America
Viewdata Corporation of America
WGBH Educational Foundation
Young & Rubicam
Zenith Radio Corporation

1
 310

Mr. HUGHES. Thank you, Mr. Minot.

Mr. Karchmer.
Mr. KARCHMER. Thank you very much, Mr. Chairman, members
of the subcommittee and staff.
Putting aside my prepared remarks, which will, as I understand,
go in the record, I will try to amplify some of them that I think are
most appropriate to consideration of this issue this afternoon, par
ticularly the issue of wire fraud or the use of the EFT mode to
transfer funds from bank to bank, between banks and the Federal
Reserve System , and from domestic banks to banks internationally,
including offshore banks.
Briefly, if you try to get some perception of the order of magni
tude of different kinds of EFT, electronic funds transfer usage,
roughly 1 percent of all the transactions involve the transfer of
funds by wire, 1 percent. If you are looking, however, at the
number of dollars, the volume of dollars involved, several years
ago, it was 85 percent of all the EFT, and I think that number has
only increased dramatically in the last few years. The point is that
the hundreds of billions ofdollars, and in fact, probably trillions of
dollars that are vulnerable to theft, fraud, diversion , as well as
errors and harmless mistakes, are really in the area of wire fraud,
both domestic and international. As I said, it is to this issue that I
would like to direct my comments.
The examples to date involving EFT fraud, fraud by wire, in
clude a couple of sensational examples that do give some, I think,
some good insight into the kind of problem with which we are deal
ing and the more or less tip of the iceberg which we are seeing and
the likely growth of this particular kind of problem in the next few
years. Namely, it is very largely an insider type of problem in
many cases, with the aiding and abetting and conspiratorial in
volvement of outsiders. In particular, the one case of, I believe, the
Security National Bank in California, involving a $ 10.5 million
theft of funds involving a Stanley Rifkin , which was largely an in
sider type of transaction because Rifkin was a consultant to that
bank in the design of its computerized EFT wire system and he
took advantage of his access to the room which was normally a se
cured form of premises one day to view on the wall, which was dis
played the access code. So that with the use of that code, funds
could be transferred from that bank to another bank.
As the record of that case showed, Mr. Rifkin purchased dia
monds and then had them shipped into this country and was subse
quently apprehended because he did what many of these computer
entreprenuers do—the kids, the hackers and those involved in
other forms of computer crime, many times a lone entrepreneur
seeking to manipulate or in some way combat a large impersonal
system - he was very proud. He succeeded. Had he not told anyone
about it, no one would have shared in his success. So he told sever
al people who realized that they did not benefit from the fruits of
the crime to the extent that he did involving many millions, I
think more than 10 million, and the issue of jealousy in that case
bred an informant who notified the authorities.
In many other cases, this is how the crime - generically comput
er crime is detected and reported, not through careful sleuthing by
bank auditors, Government bank regulatory agency auditors or ex
 311

aminers, I should include, nor by diligent law enforcement agencies

who find out very much after the fact that, indeed, something has
gone awry .
The involvement of insiders with - insiders as fiduciary employ
ees of the financial institution—with outsiders is not really an un
usual or very new form of crime from the standpoint of electronic
funds transfer .The coming together of various different forms of
crime, white-collar, organized crime, professional theft, has been
widely documented and I think amply recorded in a number of in
stances involving other insurance, land bank, commodities and
other types of fraud. We simply see an example here, with EFT
crime ingeneral and wire fraud in particular, where those sophisti
cated in technology come together with those who have some par
ticular interest in gaining some, you might call it venture capital,
for a land fraud scheme, a commodities fraud scheme and so forth,
realize that someone who has technological access to codes and so
forth inside financial institutions can secure for them , illegally , the
venture capital they want to consummate the land deal or what
ever the sham , transaction or scheme happens to be.
I refer to this in my prepared statement and in an article that I
wrote earlier on this type of problem as a sort of new form of
hybrid crime. We see many examples of it in the electronic area.
The numbers of dollars involved in wire fraud evolving from na
tional institutions makes it something that we should be very con
cerned about.
Now, in order to further try and pinpoint the nature and extent
of the problem that we have with wire fraud in EFT systems in
banks and other financial institutions, that is a very difficult prob
lem for the simple reason that the institutions generally do not
report this type of crime as other types of institutions and individ
uals victimized by computer crime do not report.
The situation is a little different here. The issue is parallel to the
extent that there would be embarrassment to the institution for
having been victimized-in many cases by its own employees. What
we have tended to see from the limited examples so far is that the
institutions choose not to ask the really tough, embarrassing ques
tions about the nature of the fraud - defaultations, as it is techni
cally known-within their institution, but would rather have them
written off as errors or mistakes or bad loans. To the extent that
the institution doesn't ask the followup questions that an auditor
examiner, a law enforcement investigator would ask, the institu
tions are arguably not liable under the Federal misprisony of
felony and similar types of statutes which obligate them to report
crimes to the appropriate regulatory and law enforcement agen
cies.
This appears to be one of the major drawbacks to getting an ac
curate assessment of how much crime we are dealing with. Again, I
would use the analogy ofthe tip of the iceberg. And the question is
really the dimension and mass and nature of the iceberg beneath
the surface. What is, in my mind, unequal is that whatever the
mass is beneath the surface, there is every indication that it will
grow larger and worse in the foreseeable future, simply because
this is such a lucrative area of crime .
 312

It offers high degrees of secrecy almost unprecedented in the un

derworld. It offers the ability to almost instantaneously steal and
hide, through various forms of concealment, the fruits of the crime,
and it offers many other advantages as well, those that I just men
tioned being the more prominent.
If one further wants to get an idea of the order of magnitude
here with the area of bank card, credit and debit, automatic teller
frauds in the neighborhood of roughly $25 million a year, the over
all volume of computer crime, which the chairman, I believe, has
cited in his prepared statement as $100 million a year, by far, the
largest area of crime involving the use of computers where comput
ers are used as instruments to facilitate and consummate illegal
transactions is the use of bank computers as wire fund mechanisms
to launder illegal drug and other organized proceeds.
I offer to insert this parenthetically because I realize from the
text of your bill, H.R. 5112, that this is not one of the issues viewed
as a problem within the purview of that legislation , but I would
offer that one of the greatest, most serious areas involving fraud
against institutions — that is, against the U.S. Treasury; to some
extent, against Customs Service and against other law enforcement
agencies, involves the use of wire fund mechanisms to spirit out of
the country, to offshore jurisdictions and to foreign jurisdictions,
the billions-you are dealing with a matter here of many billions,
from an estimated $50 to $150 billion a year. That almost, it would
seem to me, eclipses the dimensions of the other aspects of the
computer crime and EFT problem .
With that rather, I apologize, lengthy parenthetical comment, I
will close my comments and offer to answer any questions that you
might have .
[The statement of Mr. Karchmer follows:)
 313

STATEMENT OF CLIFFORD L. KARCHMER, RESEARCH SCIENTIST, BATTELLE MEMORIAL

INSTITUTE, HUMAN AFFAIRS RESEARCH CENTERS

Mr. Chairman , members of the Subcommittee , and staff :

For some time , our system for settling financial transactions ( known as
payments settlement ) has been evolving from one that is primarily paper
based to an cashless alternative that relies on computerized electronic

signals to debit and credit appropriate accounts . This cashless mode ,

which is primarily but not exclusively based on the use of computers by
financial and commercial institutions , is known as Electronic Funds
Transfer -- or EFT for short .

In simple terms , the electronic transfer of funds offers a quick and

relatively inexpensive means of paying for goods and services .

this by effecting payments settlement in a manner that is more efficient ,

in terms of time and paperwork, than the traditional mode offered by the
use of cash , checks , and other paper based instruments .

The uses to which we put modern day electronic banking are many and
varied . Most of the conveniences make use of computerized systems to send
and receive debit and credit information , in order to effect the timely
transfer of funds . Because of their widespread adoption by banks and
other financial institutions , most modern day commerce would be virtually

impossible without them . For example , every time we pick up the telephone
to verbally authorize a bill payment from our checking account , or have

our monthly pay deposited directly to our neighborhood bank , or wire money
to a relative in another city , we are moving farther across the threshold
of the so- called " cashless society . "
 314

Although we do not tend to think of a future economic order without either

currency or checks , financial experts predict that is where our financial
system is eventually headed . What is unresolved is how quickly and
effciently our financial order will get there . The following factors help
to explain the current popularity of EFT among public agencies and private
institutions :

First , a recent survey revealed that the cost to banks of processing

cancelled checks has mushroomed to roughly $7.5 billion annually , and is

increasing rapidly due to bank labor and postage costs to process and mail
cancelled checks , as well as increas : s in the volume of payments that are
still handled by check .

Second , banks are now borrowing from and settling up with each other and

with Federal Reserve Banks at a record pace-- so much so that instantaneous

funds transfers are essential in order for financial institutions to keep
up with all of their monetary needs and to service depositors and
borrowers , It has been reported that many financial institutions turn

over their entire assets each business day , and this activity would be
virtually unthinkable without the massive wire transfer of money through
EFT .
 315

Third , millions of Social Security and other benefit recipients , as well

as employees in both government and private sectors , receive their
periodic payments through an EFT system known as the Automatic Clearing
House , or ACH . Here , the payor institution makes a computer tape of all
the relevant data needed to effect payment ( the recipient's name , bank ,
bank code number , amount of payment , etc. ) and sends that tape to a
Federal Reserve Bank , where computers there " read" the data and send it
along to the local bank of the payment recipient . This paperless direct
deposit system saves the government and private employers substantial sums
each year in administrative , printing , and mailing costs .

Consumers are probably more familiar with the bank automatic teller

marchine ( ATM ) systems, which are now common features at both commercial
banks and savings and loan associations . Newer EFT modes , known as Point
of Sale systems, are the real heart of the " cashless society" basis of
EFT's future potential . Point of sale systems will be located at retail
stores and other commercial outlets , such as gasoline stations , and

utilize a " debit card" ( rather than the traditional credit card ) to
instantly deduct the amount of the purchase from the cardholder's bank

account balance . It is my understanding that another witness will

elaborate upon the use of such cards which also contain a computer memory
chip ( -
so- called " smart cards )).. Therefore , I will confine my remarks to
those issues where both actual and potential fraud , and other crimes
involving EFT systems, appear to warrant the most concern .
 316

The term EFT brings to mind an image of rooms filled with elaborate
computers that perform arcane statistical functions . In reality , many EFT
transactions do not require sophisticated hardware . For example , wire
transfers may be consummated with relatively simple equipment . Some are
as basic as consoles that log in , relay, and record TELEX messages . In
this case as in other situations involving technology , the level of

sophistication is governed by the requirements of the task . The

transmission of messages regarding debits and credits is not
extraordinarily complicated .. To the extent that sophisticated computers
do become involved , it is because of the enormous volume of debit and

credit messages transmitted ( literally millions daily ) , and the circuitous

national and often international paths over which those electronic data
travel . I will come back to this point later , as it relates to security
and crime control problems .

Many EFT technologies are fairly new , and the financial information is
both sensitive and involves considerable amounts . Consequently , there is
a great deal of interest in EFT security and vulnerability to fraud .
part , this appears to stem from a concern that a new technology as
efficient as EFT may tend to trade off certain degrees of security , in the
short term , for efficiency , in the long run . When such concerns are
played out , they lead to inferences that system managers may be less
concerned with occasional errors and frauds that work to the detriment of

consumers , than feel is desirable . With a few notable exceptions , covered

below, hard evidence of widespread fraud is lacking . A close look at some
 317

of the frightening multi - million dollar EFT frauds does leave the

impression that these systems are highly vulnerable to many types of foul
play , and it is to this issue of probable and potential crimes that we
should be addressing ourselves .

The disturbing accounts include one of a bank computer consultant who

defrauded his client institution out of $ 10 million by improperly

obtaining access to its "wire room" and manipulating its wire transfer
systen , and another of a dishonest money market fund employee who diverted
someone's $1.5 million deposit to the account of her boyfriend . From the

perspective of this Subcommittee's interest , it is important to question

whether the record of reported frauds is as as accurate as is should be
for policy development purposes . Unfortunately , it is not possible to
answer this question today. It is entirely possible that these and other
senational reports are representative of a greater number of crimes that
go unreported , but it is also possible that these incidents represent a
relatively small universe of such incidents .

On the other hand , if we are to learn from past experience with other
crime problems , it is important to emphasize prevention and so- called
proactive enforcement in order to contain potential crime epidemics in

their earliest stages . Here , the record would seem to support the claim
that the incidence of computer related and EFT crimes can only grow worse ,
and will probably do so in the forseeable future . Specifically , the
trillions of dollars that pass along bank and corporate wires constitutes

38-178 0 - 85 - 21
 318

a potential fraud problem that we are just beginning to appreciate .

The EFT frauds that have occurred , and which probably will grow in both

numbers and severity , represent another step in the evolution of

white- collar crime toward newer , hybrid forms. By this I mean that
sophisticated forms of crime characteristically evolve from "crosses of
earlier types and varieties . A new hibrid , such as EFT fraud , emerges

when opportunity impels a lone criminal , with expertise in one specialized

field ( such as computer crime ) to seek out one or more schemers in
traditional forms of crime ( such as insurance , commodities , or bank
fraud . ) In this example , criminals unite in a short - lived but
nevertheless lucrative " marriage of convenience . " The length of their
criminal relationship is a function of many factors , but most of them are
economic and relate to the amount of money they can " score " before they
are caught , retire , or choose to leave criminal enterprise .

In recent years , we have seen the number and variety of crime hybrids grow
more complex , as schemers from the fields of organized and white- collar
crime team up with professional thieves and other career criminals . Far
from abating , there are indications that this trend is growing at an
alarming pace . In an example tied directly to computer and EFT crime , the
underworld of major drug traffickers has forged ties with financial
experts of all types to launder hundreds of millions , and perhaps
billions , of illegally earned narcotics dollars , and their laundering is
facilitated by domestic and international transfer of their funds by
wire .
 319

My point in raising the above issues with respect to hybrid crime is that
a successful effort to proscribe serious activities usually takes into
account the objectives , operational practices , and other factors that
determine why criminals behave the way they do . Although this may sound
simple enough , legal revisions and reforms frequently tend to ignore this
important point . The legislation that is before this Subcommittee today

is a noteworthy exception to this trend , and should be very effective for

this reason . In reference to the pending legislation , and its specific
application to computer and EFT crime , there are three specific points
that I would like to make :
First , criminals who attempt , fi om outside an institution , to corrupt a
fiduciary employee are probably more important violators than the
emplcyees , for the " outsiders " usually moves from institution to

institution , and employee to employee , until they find one who is

sensitvely placed and who they can compromise ;

Second , criminals who steal , divert , and otherwise traffic.in EFT

authorization , access , and other codes are criminals who steal and fence
infornation . Accordingly , statutory proscriptions need to focus on such
traffic in purloined information , as well as traffic in bank card ,
computer , and other hardware . The traffic in access data appears to be a
conscious focus of the pending legislation .

Third , schemers who invest illegally obtained funds , or who advise

crinals with respect to investment options by means which utilize EFT
systems, are important to target and apprehend . This is so because of
their skill in concealing the origin , ownership , and often the amounts of
the funds in questions . Although this point is not a particular focus
the pending legislation , I believe that it is a critical issue in the
cases of criminals who defraud institutions , as well as employees ,

finarcial advisors , and others who knowingly help organized criminals

launder their drug and other underworld profits through use of wire
transfer and other EFT modes .

I hope that these comments and observations are helpful to the

Subcommittee, and I welcome the opportunity to answer any questions that
you may have and to elaborate upon what I have outlined here today .
 320

Mr. HUGHES. Thank you very much, Mr. Karchmer.

Let me ask you with regard to the money laundering problem
that you have alluded to—what is the modus operandi used to con
vert what are ordinarily small bills, 10's and 20's, into some form
of security that will enable an electronic transfer ?
Mr. KARCHMER. There is no one standard one. It, at minimum,
involves the exchange of a quantity of bills for some form of negoti
able instrument, which can be a CD, cashier's check, travelers
checks and so forth . Also, the cash that is exchanged at the finan
cial institution can be credited to the person's account or to the ac
count that the person making the exchange so directs.
From that point on, the money can be wired, as easily as you can
wire money to someone in another city.
Mr. HUGHES. But they have to take it to some institution first to
exchange it into some negotiable instrument.
Mr. KARCHMER. Sure, they take it to a bank. They can take it to
a currency exchange. They can-
Mr. HUGHES. That requires a reporting when you take it to a
bank.
Mr. KARCHMER . Yes, it does.
Mr. HUGHES. Up until recently, that was one method used to
launder large sums of cash, but now , with the reporting require
ment the banks are no longer used extensively to launder large
sums .
Mr. KARCHMER. Banks are still used to launder money. I don't
think that there is much dispute about the extent to which it
occurs .
The problem comes when someone takes that usually a bearer
instrument-and deposits it in an account, perhaps in another
bank, and then has those funds wired. The identity of the account
into which they are wired may bear no correspondence whatsoever
to the person who authorizes or commissions that transfer to take
place. So from that standpoint, the computer is used as a vehicle
and it is a way station for information, as it is in most other cases,
for concealing the identity and the origin of those funds.
Mr. HUGHES. How are we going todeal with this problem that
exists in underreporting of computer crime and computer fraud ? In
order to deal with the overall problem in the long term, certainly
part of the equation has to be a full disclosure of what is occurring
so people in this country understand the dimension of the problem
and how it affects them as consumers.
How are we going to deal with that problem?
Mr. MInot. Well , I think that the gentleman from Drake Univer
sity says that a couple of years ago, they wouldn't have said any
thing about it, but now it has hit home. And it is hitting home in
so many places to such a magnitude — and a month ago today,
when we had our VIA unauthorized access forum , we had banks
standing up and saying, “ Yes, we are victims.”
CompuServe, for the first time in its history, stood up and said,
“ Yes, we have unauthorized access.” It is of such a magnitude
today that they have now reached their threshold of pain and they
will
 321

Mr. HUGHES. Do you agree that that has to be a part of the equa
tion? We can't deal with the problem unless we have that disclo
sure?
Mr. MINot. Absolutely. One of the measures that we are going to
take as the VIA is to try to assist you and others in quantifying
that by getting together some industry statistics. That is not easy
to do in a public forum , but I think that we could collect it individ
ually and then present it in some aggregate forum that everybody
would be comfortable with.
Mr. HUGHES. We ran into problems—the staff did-in attempting
to get information and to solicit testimony concerning the issue.
Mr. MINOT. Our individual subscribers don't wish to be pointed
out that they have been defrauded and one of the things that has
happened with the advent of the personal computer is that they
can simulate the computer response in the fact that now you have
another computer, so that they will break in and look like the host
computer saying, “ We have a system problem, please relog on ,
and they have their systems ready to capture the ID and the pass
word.
If you will allow me to talk about–in the USA Today, it talks
about Golden Bridge, NY, man got a $61,000 bill for 4,000 credit
card calls, and a Bedford, NY, woman reported a monthly bill of
$109,000. They are doing just that. They are capturing your tele
phone number in devious ways and then they are marketing that.
You will read on, instantaneously on 50 or 60 bulletin boards
around the country, “ I have got a live one. It may not last long, but
what do you want to trade ? You want to trade 100 numbers from
CompuServe or do you want an access code that will give you free
MCI or Sprint usage?”
There is an underground marketplace there with money chang
ing hands, and it is much more efficient than our own accounting
system . II mean, we have had instances where the person in Flori
da, for example, will send us a copy of his canceled check where he
paid for the service. Unfortunately, he didn't pay CompuServe for
the service; he paid some freaker or hacker that offered that. And
they offer better terms than we do . Try it; if it works, don't pay me
unless you try it and believe what I say. That is going on. It is
rampant today.
Let me share with you a copy of one of the bulletin board notices
that was up not too long ago. “ OK , folks, this is what freaking is
all about. It is, in broad terms: (A) crashing computer systems; (B)
using CompuServe for free; (C) using the source for free; (D)
making long -distance calls for free using Sprint, MCI, et cetera; (E)
plus a whole lot more mischief.”
This is what is involved. “ If someone out there is sick of paying
for your calls when you use out -of-town bulletin boards, call me
and I will tell you how to use Sprint or MCI for free. I am - yours
truly .”
Mr. HUGHES. And where do those appear ?
Mr. MINOT. On a bulletin board . On the same bulletin board. We
have been trying to work with the telephone companies to trace
and find out who these people are so that we can act against them.
There are certainly things — the telephone company security people
 322

tell us that we can only disclose that information to certain levels

of law enforcement officials under certain conditions.
On the bulletin board — they verify the participants on this bulle
tin board to make sure that they are telling them the truth by
using what they call the CNA number. That is the routine that is
used by the telephone company. Finding out the name and address
of the caller based on the phone number - sort of like a reverse
telephone directory - CNA is how this system verifies users. “Being
as I know how - more about phones than most telephone employ
ees, I know how to use CNA and I verify the name of the owner of
the phone line and address that before the applicant leaves.”
So he has instant access to information that we are trying to get
cooperation with the telephone company to help the prosecuting at
torneys in all of these places to track down and prosecute these
people. They have instant access. We can't get it because we run
into the laws.
Mr. KARCHMER . Mr. Chairman , excuse me-
Mr. HUGHES . Yes, Mr. Karchmer.
Mr. KARCHMER. Back to the question of how you can get better
data and better reporting on this, you might consider looking into
the reporting mechanisms and proceduresof the various bank reg
ulatory agencies for trying to distinguish between the sort of grey
areas of mistaken messages, messages that somehow end up inthe
wrong account, whether it was intentional or not, usually involving
more than a million dollars, their procedures for verifying errors,
the auditing examination procedures in large financial institutions
for trying to aggregate the errors in bad loans, bad debts, to see
whether or not collapsed in there are not some of these frauds that
would be more embarrassing if they were segregated out.
I think that might be a constructive undertaking.
Mr. HUGHES. And make that information public.
Mr. KARCHMER. Well, I don't know if it would have to be—
Mr. HUGHES. The problem is trying to get those institutions to be
up front about computer crime.
Mr. KARCHMER. There is another reason, though, that they-
Mr. HUGHES. Not the information carried on a financial state
ment, profit / loss statement as a loss.
Mr. KARCHMER. Sure, but-no, I agree. There is another reason
that they are not more forthcoming. Recent changes in insurance
offered to banks , namely amendments to what is known as the
banker's blanket bond insurance, covering losses and thefts involv
ing computer operations, have changed the deductibles and
amounts of co -insurance by, in effect, forcing the institution to
share the burden of any theft by having substantial, relatively
large deductibles, which means that the institution, in order to
reduce its losses, has to try to keep them beneath a certain thresh
old because they are going to have to eat a certain proportion.
I have talked with some of the insurers who were reputed to
write this insurance and talked to them about the extent of claims,
and over an initial period, they felt that that—that the incidences
were reduced somewhat-at least the reporting of the incidents
was being reduced — the institutions were tightening up.
There are quite a few things that the institutions can do which
some of which I mention in my prepared statement, and I will talk
 323

to the staff continuously about this if it would be all right. They

are not necessary to go into here.
Mr. HUGHES. Thank you.
The gentleman from Oregon.
Mr. WYDEN . Thank you , Mr. Chairman .
This has really been a fascinating colloquy in my view . Let me
try and add a little bit on what the chairman has said .
The heart of the problem is that the law has not kept up with
these new technologies. That is why we are here. That is what we
faced all over Capitol Hill as we have tried to look at this issue. I
just must tell you that I really disagree with the general tone of
what you are talking about with respect to more data and how to
get it.
I think that people like Bill Hughes are going to be very sympa
thetic in terms of trying to change laws and financial statements
and the like, but I think you gentlemen, and your colleagues, are
really going to have to go out and light afire among people in your
industry because I know when I got the small business computer
crime bill through the House in November, I mean , it was just a
case of kicking and screaming to get anybody to talk .
We are really faced with a situation of trying to persuade our
colleagues, without the people who are most affected, the people
who have been victimized, likely to say anything. I know what the
problem is. They say:
We have been had already; nothing can come from our talking about it in public,
except people really looking at us even more unfavorably than they have in the
past.

I think you all have an enormous persuasion job in front of you ,

and people like the chairman want to be a help, but unless you are
willing to go out and really shake people up within your industries
and similiar industries, it is going to be very, veryhard for us to
pass these laws that are necessaryfor us to deal with the new tech
nologies and the new criminal risks that are exposed.
I think that your points about financial statements and changing
the laws and the like just beg the question. We need you to go out
and really do some very, very aggressive selling efforts to get
people in the industry, once they have had a problem , to do some
talking. Without thatkind of information, I think it becomes very,
very tough for our colleagues to take this problem seriously.
I have a couple of just specific questions. You, Mr. Minot, if I un
derstand it right, you want to make it a computer crime under the
Federal code to launder money through electronic transfers. Is
that-2
Mr. MINOT. No, I believe that was my colleague.
Mr. WYDEN. Is that Mr.
Mr. KARCHMER. I am suggesting that you take a serious look at
that. That is a big gap in the law now .
Mr. WYDEN. How exactly would we do that? I mean , maybe you
could just very briefly - I must have missed that because I think
that is a very tricky thing to do.
Mr. KARCHMER. It is a very tricky thing to do, but I don't think it
is necessarily difficult and not impossible. To use computers, or I
would even encourage to use more broadly, concept of telecom
 324

munications, any mode of telecommunications to conceal the

origin , ownership and even amounts of funds that were earned in
an illegal manner. You could specify narcotics; you could limit it to
organized crime; I don't think anyone wants the burden of trying
to make this apply to all crimes. Make that illegal.
Present laws on wire fraud, the sort of companion law on mail
fraud, the so -called Travel Act, the interstate travel or transporta
tion , the native racketeering activities, the so -called RICO law, the
continuing criminal enterprise law that deals mainly with narcot
ics; they don't proscribe this activity in the way in which I am
mentioning it - in which I am describing it.
Mr. WYDEN. What would you think of the idea of trying to pull
together some experts, say, at the Justice Department right now to
deal with the specific problem of laundering the money ? I mean , I
have always had reservations about strike forces and task forces
and the like, but this laundering money is a unique kind of con
cern. Do you think that might be something that makes sense?
Mr. KARCHMER . I wouldn't be surprised if it is already being
done. I don't know that it is not being done. I know this very issue
is being considered by the President's Commission on Organized
Crime and there is, as you may well know , heavy input from the
Justice Department in that. But I don't know that they have taken
up this specific recommendation or this specific area of electronic
banking. It is highly technological; it deals with agencies primarily
under the jurisdiction of the Treasury Department and some inde
pendent regulatory agencies to the extent to which Justice feels
that it is its role to serve as the sort of focal point or pivot.
-

I clearly am not the one to comment - to respond on that one .

Mr. WYDEN . I thank both of you for your comments and come
back to what I said earlier. It is going to make it a lot easier for us
to pass some of these bills if we can get beyond this kind of fear
threshold which is keeping people who are most vulnerable and
have been seriously victimized from coming before the Congress. I
have seen it in the passage of the small business bill and I am con
vinced we are goingto see it in every kind of issue.
I think it is something that we have to lay out to people because
if we just keep this dry and abstract and say, “ Let's,” you know,
" change the reporting laws and get a bunch of statistics on a sheet
of paper ,” it is going to take more than that.
I thank you, Mr. Chairman .
Mr. HUGHES. Thank you.
Mr. Minot, you heard the previous panel talking about “ smart
cards,” didn't you ?
Mr. MINOT. Yes, sir.
Mr. HUGHES. Any of your members anticipate using that technol
ogy ?
Mr. MINOT. From the standpoint of some of the members—we
represent, of course, manufacturers, vendors, terminals, and all
sorts of equipment, but I think the key will be to have that into
smart television sets, into terminals, into telephones, into every
thing. Once that is pervasive enough and it ubiquitous, then cer
tainly the information providers and the systems operators will
adapt that technology.
 325

That is not difficult to do. Our big problem today is that we don't
know who the customer is. This will, in fact, help us take another
step toward identifying who the customer really is.
Mr. HUGHES. Mr. Karchmer, on laundering of funds — this sub
committee is interested in this subject as part of our responsibility
for overseeing the Drug Enforcement Administration and problems
with substance abuse generally in this country and organized crime
activities. One of the reasons, as I recall, why electronic transfer
was exempt from the Bank Secrecy Act was because of the dimen
sion of the problem of literally hundreds of thousands of electronic
transfers that take place every week. How are we going to deal
with that problem? Do you think that that is manageable ,to try to
develop legislation that would deal with those thatwould use elec
tronic transfer for criminal purposes, to transfer assets into other
forms so that there is no paper trail ?
Mr. KARCHMER. A couple of points: Yes, I do think it is managea
ble. First of all, to get to the reason why it was probably exempt
from the Bank Secrecy Act, the transfer for funds by wire does not
involve the transfer of currency ; it doesn't involve use of a mone
tary instrument; it is really the transfer of information and in
structions, debiting and crediting. So I think the way that that law
was constructed, it excluded the transfer of information on such a
matter.
Mr. HUGHES. That was because of the dimension of the problem.
Mr. KARCHMER. OK.
Now, to try and find some way to reconstruct from the number
of transactions, probably hundreds of thousands of millions each
day, to those that involve the laundering of funds, first of all—and
I believe there is under consideration now in the Treasury Depart
ment a revised - or a regulation pursuant to the Bank Secrecy Act,
where financial institutions that had more than a certain number
of wire fund transfers over a period of time would be required to
make special records of those transactions and supply those-either
make available for inspection or supply the computer magnetic
tape to Treasury agencies for inspection. That would not make it
all that much easier to find these needles in haystacks, but it
would substantially reduce the size of the haystack, so to speak,
where the agents are now looking for illegal laundering transac
tions .
Second-or third, I should say, the amendment to the crime bill
now pending that would add currency violations to those for which
electronic surveillance would be applicable if that would—I think it
is clearly possible to amend that to allow electronic surveillance in
any case where funds are being laundered through any, process,
however your crafters would want to define “ laundering,” to allow
electronic surveillance of any commands, whether they be verbal,
whether they be Telex or TWX, involving those.
To take a specific issue, any time a drug trafficker issues an au
thorization to his financial advisor, or very often an attorney, to
wire money with telephone banking now, personal banking, that is
a verbal authorization. The person who has control over that ac
count, the financial advisor, the attorney, calls the bank and au
thorizes a debit of a certain amount from an account, gives the
number, usually there is a password which that attorney properly
 326

has because he has usually signatory authority over that account

which is delegated to him by the person who owns the money, who
is a drug trafficker.
The bank accepts that—through prearrangement-telephonically
accepts that instruction and wires the money to Barbados or Liech
tenstein or Panama, wherever theycan , to get it out of the country
so that hopefully all trace of it is lost by all law enforcement au
thorities. Presently, if the investigators are just after laundering,
looking for financial advisors, looking for corrupt attorneys who
may be helping out laundering, for tax evasion and currency viola
tion purposes, they cannot get what is known as a title III, a wire
tap order.
The amount of information that is probably out there and acces
sible in this mode is—I would offer as an estimate-quite substan
tial. I would say " windfall.” The ability to use electronic surveil
lance for this means is essential. Just as in gambling and syndicat
ed bookmaking, the telephone is a central instrument of this type
of crime, and so long as the telephonic communications are ex
empted from law enforcement scrutiny in this way, the verbal au
thorization , verbal commands, will make it as next to impossible to
do much about it as is presently the case.
Mr. HUGHES. Very interesting. It is an area that, obviously, we
are going to have to deal with. This hearing wasn't set up, howev
er, for money laundering and I won't pursue it any further,
but---

Mr. KARCHMER. Happens when you amplify your remarks.

Mr. HUGHES. Fascinating area and it points up just how many
areas we are going to have to deal with as we attempt to deal with
all forms of unorganized, as well as organized, crime.
Thank you very much. You have given us a great deal to think
about and we are grateful for your testimony.
That concludes the hearing today and the subcommittee stands
adjourned.
(Whereupon, at 5 p.m., the subcommittee was adjourned, to re
convene subject to the call of the Chair. ]
 ADDITIONAL MATERIAL SUBMITTED FOR THE RECORD

AMERICAN INSTITUTE OF
CERTIFIED PUBLIC ACCOUNTANTS ,
New York, NY, May 25, 1984.
Hon . WILLIAM J. HUGHES,
Chairman, Subcommittee on Crime, House Committee on the Judiciary, Cannon
House Office Building, Washington, DC .
DEAR CHAIRMAN HUGHES: We would like to have the enclosed AICPA Report on
the study of EDP -Related Fraud in the Banking and Insurance Industries included
in the Subcommittee's March 28, 1984 , record of hearings on the general subject of
credit card and computer fraud and abuse.
We appreciate this opportunity and will gladly provide any additional information
that you may wish.
Sincerely ,
THEODORE C. BARREAUX ,
Vice President - Washington.
Enclosure .

( 327 )
 328

Report on the Study

ofEDP - Related Fraud
in the Banking and
Insurance Industries

EDP Fraud Review Task Force

American Institute of
Certified Public Accountants
 329

Notice to Readers

This report is issued by the American Institute of Certified Public

Accountants for the information of its members and other interested
parties. However, this report does not represent an official position of
any of the Institute's senior technical committees.

Copyright © 1984 by the

American Institute of Certified Public Accountants, Inc.
1211 Avenue of the Americas, New York , N.Y. 10036-8775
1 2 3 4 5 6 7 8 9 0 AudS 8 9 8 7 6 5 4

38-178 O - 85 - 22
-
 330

Preface
Crimes and catastrophes make eye -catching headlines. Stories that in
clude large sums of money, intrigue, technology, and clever schemes
are good copy. Frauds involving electronic data processing (EDP) often
have all these features. Cases such as the $ 200 million insurance fraud at
Equity Funding, the $21 million theft at Wells Fargo Bank , the $ 24 mil
lion misstatement of revenue at JWT Group, Inc. , and the $ 10 million
wire transfer theft from Security Pacific National Bank all received na
tional attention .
These cases share some common characteristics. The perpetrators
were individuals familiar with the companies' systems; their objectives
were to either carry out or conceal financial misdeeds; and they took ad
vantage of the existing technology.
There has also been press coverage of break - ins to computer systems
for reasons other than to commit fraud or theft. Although these acts
point out potential security problems, they are not related to the business
fraud cases reviewed in this study.
The purpose of this report is to place the problem of EDP- related
fraud in perspective. Because of the inadequate data available on many
reported cases , it is difficult to determine what went wrong or how the
crime could have been prevented. By describing the specifics of how
several cases were perpetrated , the Task Force hopes to provide infor
mation that will help EDP users prevent becoming victims of similar
frauds.
 331

Acknowledgments

The Task Force is indebted to the Bank Administration Institute, the

American Insurance Association , the American Council of Life Insur
ance , and the Life Office Management Association for their support of
this project. The Task Force particularly thanks those banks and insur
ance companies that cooperated in the surveys and were willing to share
their experiences.

Membership
EDP Fraud Review Task Force
CARL A. PABST, Chairman
BRANDT R. ALLEN JAMES L. BROWN
BILL D. COLVIN WILLIAM J. DUANE
FREDERICK L. NEUMANN STEPHEN W. C. HOLBROOK
JAMES R. WATTS MARK F. POLANIS
ROGER J. WHEELER JOAN TARWATER

Sub - Task Forcefor the Survey ofthe Insurance Industry

JAMES R. WATTS, Chairman
CHARLES A. ANDERSON JOHN C. GAZLAY
WILLIAM C. FREDA OTTO K. KALOK

AICPA Staff
DAN M. GUY, Vice President, Auditing
NANCY A. Fox , Practice Fellow , Auditing Standards
MICHAEL F. GRIES , Practice Fellow , Auditing Standards
 332

Introduction
Background
Growth in the use of large integrated data bases, microcomputers, port
able “ intelligent” terminals with access through telecommunications,
and other evolving technologies, can provide greater susceptibility to
fraud. The increasing complexity of computer systems and their related
operations compound the difficulties of preventing and detecting fraud .
The concentration of processing and recording activities in computer
systems makes the accounting records of some organizations more ac
cessible and the manipulation of those records and the concealment of
theft somewhat easier. The decreasing use of hard copy books, records,
and other documents and decreasing human involvement also facilitates
concealment. The ability to alter data in computer systems, often with
out any observable evidence of manipulation , has made it easier to per
petrate and cover up fraud.
Because of the significant potential for EDP -related fraud, the Ameri
can Institute of Certified Public Accountants (AICPA ), in 1978 , ap
pointed the EDP Fraud Review Task Force to look into the nature and
pervasiveness of such fraud. The Task Force evaluated several sources
of information and reviewed several cases in depth . The Task Force was
unable to obtain significant information from existing or potentially
available sources. This was primarily due to a lack of consistent, com
prehensive, reliable data and a reluctance or inability of the sources to
disclose significant facts.
To obtain information for analysis, a study consisting of two industry
surveys was undertaken , focusing attention on the variety of fraud sce
narios to provide a basis for evaluating the range of conditions through
which EDP-related frauds may occur. The focus of this study was on the
who, what , where, when, why, and how of specific EDP-related fraud
cases rather than on projections of the number of cases or the dollar size
of those cases. For this reason , readers are cautioned not to generalize or
 333

draw conclusions on the incidence or dollar magnitude of EDP -related

frauds based on the results of this study.
The extent of EDP -related fraud may not be quantifiable for a variety
of reasons. There is aa lack of reliable data. Available data is frequently
based on news coverage. Legal constraints prevent comprehensive anal
ysis of some cases until court proceedings are complete. Not all reports
of fraud accurately distinguish frauds related to EDP, and, in fact, there
is no general agreement on the definition of EDP -related fraud. There is
also a general reluctance of many companies to disclose information
about fraud.
Furthermore, determining the size of the problem may be affected by
the following factors. First, several cases of EDP-related fraud continue
for long periods of time— some for many years — before they are de
tected. Some may never be detected; thus , undetected frauds are likely
to exist, but their number and magnitude are unknown . Second, many
EDP-related frauds are discovered accidentally. Thus , the dollar amount
of reported frauds merely states the minimum amount; the potential total
loss is considerably higher.Third , the amount of the loss may be stated
either before or after restitution , or it may be the amount manipulated or
only the actual amount extracted.

Auditors' Concern with EDP -Related Fraud

Traditionally, independent auditors have been engaged to lend credibil
ity to the financial statements they examine. Users of those audited fi
nancial statements expect that they can reasonably rely on such state
ments for making economic decisions . Therefore , auditors are
concerned about matters that can materially affect the reliability of the
financial statements under examination .
Fraud or irregularities could have a material effect on the financial
statements . The AICPA's position on auditors' responsibilities for the
detection of fraud is stated in Statement on Auditing Standards No. 16: '
Under generally accepted auditing standards the independent auditor has
the responsibility, within the inherent limitations of the auditing process
... , to plan his examination ... to search for errors or irregularities that
would have a material effect on the financial statements, and to exercise
due skill and care in the conduct of that examination . . . . An indepen

'AICPA , Statement on Auditing Standards No. 16, The Independent Auditor's Re

sponsibility for the Detection of Errors or Irregularities (New York : AICPA , 1977),
paragraph 5 .
 334

dent auditor's standard report implicitly indicates his belief that the finan
cial statements taken as a whole are not materially misstated as a result of
errors or irregularities.? (emphasis added)
Because information used in the preparation of financial statements is
often processed by computers, auditors are concerned with errors and
irregularities that might occur during computer processing that could
have a material effect on the financial statements.

Definition of EDP -Related Fraud

The Task Force's definition of EDP -related fraud used for this study was
“ any intentional act, or series of acts, that is designed to deceive or
mislead others and that has an impact or potential impact on an organiza
tion's financial statements . EDP must be involved in the perpetration or
cover- up of the act or series of acts.” This definition has three essential
characteristics.

1. The existence offraud.A good definition of fraud is that given in the

report of the Commission on Auditors' Responsibilities:
Viewed broadly, any intentional act designed to deceive or mislead others
is fraud . Fraud in the business environment with which the auditor is
concerned has a more specialized meaning. Fraud may occur at the
employee or management level . Frauds by nonmanagement employees
are generally designed to convert cash or other assets to an employee's
own benefit. ... Fraud at the management level includes intentional
misrepresentations that may lead to improper selection of accounting
principles or inclusion of false amounts in, or the omission of amounts
from , financial statements. It is usually accompanied by acts of conceal
ment , such as omission of entries, manipulation of documents (including
forgery ), or collusion among individuals inside or outside the company.
2. An impact on the financial statements . Fraud can affect financial
statements in a variety of ways:
• Theft, impairment, or misrepresentation of assets
• Misrepresentation , omission , or concealment of liabilities or
equities
• Manipulation or misrepresentation of revenue or expenses
? Irregularities are defined by SAS No. 16 as intentional distortions of financial state
ments or misappropriations of assets .
Commission on Auditors' Responsibilities: Report, Conclusions, and Recommenda
tions (New York : AICPA , 1978) , page 32 .
 335

The Study
To study EDP-related fraud , surveys were conducted in the banking and
insurance industries in cooperation with the Bank Administration Insti
tute , the American Insurance Association , the American Council of Life
Insurance, and the Life Office Management Association . These indus
tries were selected because both are highly automated , both deal in
liquid assets , and the operations of entities within each industry are
fairly similar.
Similar questionnaires were sent to banks and insurance companies .
No respondent identification techniques were used, although respon
dents were invited to identify themselves to permit follow -up inquiry. In
some cases , the Task Force contacted banks and insurance companies
that had identified themselves, to obtain additional information to
complete the analysis .
It should be noted that survey participation was voluntary. The Task
Force was aware of some significant cases that were not reported
through the surveys and could, therefore, not be included in the study.
Of the 9,405 banks surveyed, 5,127 responded, yielding a response
rate of 55 percent. Of those responding, 105 reported they had experi
enced at least one case of what was believed to be EDP-related fraud and
submitted information on one of their cases. After reviewing the details
of all reported cases, it was determined that 85 conformed to the study
definition .
The insurance company questionnaire was sent to 1,232 companies,
429 were casualty-property insurance companies, and 803 were life and
health insurance companies. A total of 854 responded, for a response
rate of 69 percent. The respondents identified 40 cases they believed to
be EDP- related fraud . Of the cases submitted , 34 conformed to the
study definition .
The data and analyses provided in the following sections , although
presented in some cases in a numerical format, are not intended to
present conclusions about the incidence or magnitude but rather on the
general nature and means of committing some EDP- related frauds.
 336

3. Involvement of EDP . The third and essential characteristic of the

definition of EDP -related fraud used for the study is that EDP must
be directly involved in the perpetration or cover -up of the scheme.
EDP may be directly involved by any improper manipulation of:
Input or transaction data — Manipulations may occur when unau
thorized data are prepared for input to a computer system or when
authorized input is improperly altered, duplicated, destroyed, or
withheld .

Output or results — Manipulations may happen when reports, files,

or other output are mislabeled , misrepresented , altered, or misdeliv
ered to effect a fraud or cover-up.
Application programs Manipulations may be accomplished by
the development of unauthorized programs, or segments of pro
grams, or by the subsequent alteration of once - acceptable programs
or documentation .
Data files Manipulations may happen when files are directly
-

changed without transactions, such as through the use of file utilities

or on-line terminal access .

Computer operations — Manipulations may result from the deliber

ate misuse of the computer system operations such as the use of the
wrong programs, data files or transactions, or the interruption of
normal program processing .
Communications Manipulations may happen by intervention in
the process of data being sent between terminals and the computer or
between two or more computers.

Computer hardware, systems software or firmware – Manipula

tions may happen by improper use, alteration, or intervention in the
functioning of these resources.

Other definitions of EDP -related fraud have included theft of software,

hardware, or data; theft of computer time; and errors (made without the
intent to deceive) . The definition used for this study specifically ex
cluded those occurrences, as well as other computer crimes or abuses,
such as the destruction of computer software or hardware or illegal
access to telecommunications or computer systems without the intent to
commit fraud .
 337

Summary of Findings
The 119 cases identified in the surveys of EDP-related fraud in the
banking and insurance industries provide useful information for devis
ing strategies for preventing and detecting EDP -related fraud . The
results of the surveys are categorized to answer the following questions:
• What was the environment in which the frauds were committed ?
What was the general nature of the frauds, and how were they
committed ?
• Who committed the frauds, why, and what corrective action was
taken ?
• How were the frauds detected ?

What Was the Environment in which the

Frauds Were Committed ?
In almost all cases , the fraud occurred during normal transaction proc
essing cycles . The type of computer system was not significant. Also,
fraud occurred in both batch and on-line systems. It should be noted ,
however, that at the time of the surveys the insurance industry used on
line systems more than the banking industry did. This accounts for some
industry differences in the analyses. Many types of application systems
were subject to manipulation.

What Was the General Nature of the Frauds,

and How Were They Committed ?
Perpetrators employed a variety of schemes , methods, and techniques.
Relatively few perpetrators used sophisticated techniques; many took
advantage of weaknesses in the system of internal accounting control.
Inadequate segregation of duties was a common weakness in the re
ported frauds.
 338

Most frauds were perpetrated in the input area; perpetrators generally

introduced or created unauthorized input or manipulated otherwise
proper input. File maintenance was a fairly common method used by
perpetrators; in all but one of these cases , the file maintenance manipu
lation involved nonfinancial data (for example, extending due dates on
loans , changing names and addresses).
A specific area worthy of mention is the importance of control over
access codes and passwords and, specifically in banking , the availabil
ity of personal identification numbers and the plastic cards needed to
access automated teller machines .
In some cases , there appears to have been no significant attempt at
concealment. It appears that the perpetrator may have relied on a large
volume of transactions to cause the fraudulent transaction to be “ lost.”
In other cases , perpetrators attempted to conceal their frauds by altering
names and addresses to divert normal customer correspondence. Sev
eral cases involved over 100 transactions , but in one case , several
million dollars was taken in a single transaction .
Losses from the reported cases ranged up to several million dollars,
although the majority involved amounts of $ 25,000 or less. The amount
of the loss is before any restitution .

Who Committed the Frauds, Why, and What

Corrective Action Was Taken ?
The cases showed the range of perpetrators covered almost every aspect
of corporate operations, with the preponderance outside the EDP area .
Most perpetrators in the banking industry were either data entry clerks
or loan officers. In the insurance industry, most were claim processors
or policy service clerks. Where perpetrators were supervisors or man
agement personnel, their schemes generally lasted longer and involved
larger dollar amounts.
In several cases , accomplices were used to receive or negotiate funds;
but , in virtually all of these cases , they were not necessary to perpetrate
the fraud .
The primary objective of most perpetrators was to take money from
the bank or insurance company; however, some perpetrators manipu
lated data to show a better record of performance ( for example, one
bank loan officer extended due dates on loans to show a good record of
loan collections).
In virtually all cases , perpetrators were employees and were later
dismissed from employment. In the majority of the cases , legal action
 339

was taken or was pending. In many cases, restitution was made or was in
process.

How Were the Frauds Detected ?

According to the respondents, the cases were detected by the following
means:

1. Methods of detection :

• In approximately one -third of the cases , the systems of internal

accounting control or routine internal or external audits uncovered
the fraud .
• Approximately another one-third of the cases were detected
through nonroutine events (such as , accident, unusual activity of
>

perpetrator, or tip - off ).

2. Sources of detection :

• In the majority of the cases , people uncovering the frauds were

within the company (that is , other employees, middle manage
ment, and internal auditors).
• In about one - fourth of the cases , customer complaints were
mostly the source within the first three months. Virtually all these
cases occurred in the banking industry; in the insurance industry,
policyholders usually were not aware that fraudulent transactions
had been processed against their policies.
 340

Analysis of Reported Cases

Selected characteristics of each EDP-related fraud and perpetrator were
identified and summarized to present a composite profile of the 119
cases reported by the survey respondents (85 bank cases and 34 insur
ance cases) . This section contains tables and explanations of these
analyses.

Application Systems Affected

The application system is the primary area of operations affected by the
fraud. Listed below , by industry, are the applications reported affected
by the 119 cases, from most to least frequently affected.

Table 1 - Application System

-

Banking Insurance

• Demand Deposits • Accident and Health Claims

• Proof and Transit • Property and Casualty Premiums
• Installment Loans • Life Insurance
• Credit Card Loans Premiums/Commissions
• Savings Accounts • Policy Loans
• Commercial Loans • Property and Casualty Claims
• Automated Teller Machines • Life Insurance Dividends,
• Check Credit Surrenders (Cancellations ),
• Cash Control and Other Transactions
• Mortgage Loans
• Wire Transfer

Banking Applications
Demand deposits are checking accounts .
Proof and transit is the verification and balancing of daily bank trans
 341

actions, accounting distribution of those transactions, and collection of

checks and drafts payable at or through other banks.
Installment loans are single disbursement, often consumer, loans that
are repaid through regular payments.
Credit card loans are revolving credit lines available to bank credit
card holders.
Savings accounts refers to relatively low -rate interest-bearing de
posits.
Commercial loans are typically single payment loans.
Automated teller machines ( ATM ) allow customers to deposit, with
draw , or transfer funds, remotely, without the involvement of a bank
employee. For purposes of analysis, ATM has been categorized as a
special application, distinct from the cash application .
Check credit refers to revolving credit activated by writing checks
and overdrafts.
Cash control is the cash balancing function performed by tellers.
Mortgage loans are generally collateralized long -term loans.
Wire transfers are the instantaneous, electronic movements of, 'fre
quently, large amounts from accounts at the bank to other banks.

Insurance Applications
Accident and health claims cover recording, approving, and paying
claims for medical expenses under group or individual accident or
health insurance policies.
Property and casualty premiums includes processing of premium
billings , endorsements, refunds, and cancellations.
Life insurance premiums/commissions covers processing of billings
and adjustments, as well as commissions due to agents .
Policy loans refers to loans made against the cash surrender value of
life insurance policies.
Property and casualty claims includes recording, approving, and
paying claims for damages to property, liability for damages to the prop
erty of others, or injuries to others.
Life insurance dividends, surrenders ( cancellations ), andother trans
actions have been grouped together for purposes of this analysis.

Schemes
Scheme is the fraudulent activity used by the perpetrator to effect the
fraud. The accompanying table lists the schemes reported by industry,
from most to least frequent.
 342

Table 2 - Scheme

Banking Insurance
• Divert customer funds into per • Create fictitious claims
petrator's own account • Trigger unauthorized refund or
• Make unauthorized extensions of reduction of premiums
credit limits , loan due dates • Create unauthorized policy loans
• Create fictitious loans • Trigger unauthorized dividend
• Defer recording of perpetrator's withdrawals
own checks and charges • Forge checks
• Forge customer input documents • Create unauthorized mortgage
(checks and withdrawals) loans
• Make ATM extractions • Reinstate lapsed policies
• Make adjustments to customer • Create fictitious pension
deposits payments
• Divert loan payments into perpe
trator's own account
• Divert customer income to per
petrator's own account
• Wire transfer

Banking Schemes
In the cases of fraud in the banking industry, misposting or misdirecting
customer deposits, often to the perpetrator's own account , was most fre
quent. Other frequently used schemes included crediting loans to bor
rowers who never received the funds, or who , in fact, may never have
existed . In several cases, perpetrators made unauthorized extensions of
credit limits and loan due dates. They changed the due dates on their
own loans , or they changed the due date on loans for which they were
responsible to make their job performance look better.
Insurance Schemes
The most frequently used scheme in the insurance industry was generat
ing claim payments to the perpetrator or to accomplices . Another promi
nent scheme was generating refunds or reductions of policy premiums,
for example , by authorizing refund checks after changing policyholder
names and addresses, or by cancelling policies to automatically gener
ate policy refund checks (the checks were forged and the policies were
later reinstated ).
 343

Methods
Method identifies what the perpetrator did to the automated system to
initiate and carry out the fraud. Several perpetrators employed multiple
methods. In these cases , the analysis identified the one method that was
most instrumental in carrying out the fraud . Table 3 lists the methods
used , which were similar in the banking and insurance industries.

Table 3 — Method

Method Banking Insurance

Transactions manipulation to :
Create original items 16 18
Divert or capture items 21 2
Force or divert rejects 14
Subtotals 51 20

File maintenance changes:

Nonfinancial fields 23 13
Financial fields 1
Subtotals 24 13

Direct file changes 6 1

Other -
2011
#1

Totals 34

Creation of original items includes initiating transfers from customer

accounts to the perpetrator's account, making adjustments to their own
accounts, creating loans , submitting fraudulent claims, requesting pol
icy loans , initiating policy dividends or refunds.
Diverting or capturing items includes incorrectly encoding or altering
the encoding of items to be posted to customer deposits, assets, or fee
income . Also , items such as premium receipts or the perpetrator's own
checks were removed from normal processing.
To force or divert rejects , perpetrators altered magnetic ink character
recognition encoding . For example, a bookkeeper changed the check
digit on deposits thus interfering with their timely processing and
permitting a deposit lapping scheme. Other perpetrators also incorrectly
encoded previously rejected items to misdirect deposits or to capture
items to prevent further processing.
File maintenance changes involved making unauthorized changes to
computer-based master files . This included increasing credit limits,
 344

changing dates, opening credit or loan accounts, reactivating closed

accounts, changing names and addresses, and reinstating lapsed poli
cies .
Direct file changes involved changing master files without any associ
ated transaction processing or file maintenance, for example, by the
misuse of file utility routines.

Procedures
Procedure describes how the perpetrator manipulated the automated
system to allow the methods to work. Table 4 lists the procedures the
perpetrators followed .

Table 4 - Procedure
-

Procedure Banking Insurance

Prepared forms or documents improperly 34 18

Unauthorized on - line transactions, input,
or access 11 15
-
Prepared EDP-media improperly 24
enr

Altered forms or documents authorized by

wa

someone else
ll

Manipulated EDP -media 1

-

Unauthorized program alterations

Manipulated EDP output
Totals 34

In both industries, the perpetrators, generally, either introduced

unauthorized transactions or altered or manipulated authorized
transactions.
In nearly half the cases, input forms were prepared improperly, for
example, file maintenance forms or claim data forms. In a number of
other cases, on -line terminals were used to input unauthorized transac
tions , file maintenance entries, or to gain information necessary to
effect the fraud ( for example, through inquiry routines). The cases of
improper preparation of EDP-media involved proof operators, key
punch operators, or machine operators, intentionally misposting or
miskeying transactions or misusing suspense accounts, inter-branch
transactions, or adjustments. The absence of cases in this third category
in the insurance industry is aa reflection of the significance of on-line
processing
 345

Perpetrators
Perpetrator refers to the position of the person mainly responsible for
the fraud. Table 5 lists the reported perpetrator, by industry, in order of
frequency

Table 5 - Perpetrator
Banking Insurance

• Clerks (data entry, proof machine • Clerks ( claim processors, policy

operators , other) service, other )
• Managers ( loan officers) • Supervisors (claims, policy
• Data processors ( operators , service, other)
systems and application • Insurance agents
programmers ) • Systems programmers
• Tellers
• Item processors

Clerical personnel were the most frequent perpetrators reported in

both industries. They often had many opportunities to perpetrate a fraud
by altering, rejecting, or otherwise incorrectly processing items, as well
as by introducing unauthorized items. In the banking industry, they
generally included data entry clerks and proof machine operators; in the
insurance industry, claim processors and policy service clerks.
In the banking industry, perpetrators reported at the clerical level
were more likely to be involved in frauds in the checking, proof and
transit, and savings areas. In the insurance industry, clerical personnel
usually focused on claims .
The next most prominent category of perpetrator reported was mid
level management or supervisory personnel. In banking, the manage
ment personnel were generally loan officers who initiated fictitious
loans or extended loan due dates. In the insurance industry, manage
ment personnel were generally clerical supervisors using any of the
applications including premiums, claims, and loans.
Computer personnel (systems and applications programmers and
operators) were also moderately prominent in banking, but to a lesser
extent in insurance. Computer personnel tended to focus on diversion of
funds in banking. However in the insurance study, a systems program
mer changed certain parameters concerning his own policy.
The most common objective of the perpetrators in both industries was
theft of assets. To aa lesser extent, some perpetrators sought to manipu
late information used by management or even the financial statements,

38-178 O - 85 - 23
 346

in order to present better performance records. Occasionally a fraud was

perpetrated primarily for self -satisfaction.

Fraud Size
The emphasis of these studies focused on the circumstances of the fraud
rather than the dollar magnitude of individual cases . Nevertheless, the
accompanying table shows an interesting relationship between the size
of the fraud and the perpetrator's position . ( The dollar size is the gross
amount manipulated rather than only the amount actually extracted and
is before any restitution .)
Table 6- Number of Cases by Dollar Range
(thousands)
More than
Perpetrator Under $ 25 $ 26-$ 100 $ 100 Total
Banking cases

solo
coño
Clerical 37 1

llos
lo
Managers 7 4 6
110 d
luu

Data processors
222

9 2
Tellers
Others
-||না

10
mamu

Insurance cases
Clerical 17 21
Supervisors 2 9
Others 1 4
IKI

2 1
20 77 34

Management and supervisory level personnel tended to be responsible

for the larger frauds, and clerical level personnel tended to be responsi
ble for the smaller frauds. In one case, a pension supervisor was able
to extract $ 400,000 because he had complete control over payment
transactions and related correspondence with contract holders and
claimants.

Duration
Duration of the fraud refers to the length of time the fraudulent activity
was occurring.
 347

Table 7 - Relationship of Duration to Perpetrator

Number of Cases Lasting

laluco
Less Than 1 to 12 More than
Perpetrator 1 Month Months 12 Months Total

Banking cases

-18
ra!||
Clerical 36
Supervisors/managers 6

5992m
EDP personnel 7
Others 1

011
50

T01-|=|
lleiri

Insurance cases
Clerical 4 4
Supervisors/managers ‫|ب|ی‬ 6
‫سیرا‬

‫ا‬
||
‫سی‬
EDP personnel

‫ی‬
Others
4

Frauds perpetrated by supervisory or management personnel tended to

last longer than those perpetrated by clerical personnel. In one case , a
claim supervisor was able to extract money over five years because he
had access to subordinates' passwords, could submit false claims for
clerks to process, and could access terminals to change master file data.

Concealment
In several cases no significant attempt to conceal the fraud was apparent,
such as a one -shot extraction of funds with no effort to cover up. Perpe
trators appear to have been relying on the possibility that fraudulent
transactions would be “ overlooked” or “ lost” in the larger volume of
transactions normally processed or would simply be written off as un
reconciled items.
When attempts at concealment had been made, the effort usually in
volved using file maintenance transactions or destroying or “mislay
ing ” source documents or output documents. Frequently, addresses
used for mailing customer bank statements or policyholder change
notices were changed so that fraudulent transactions would not come to
a customer's attention . In one case, a policy service clerk used a termi
nal and an error correction routine to reverse the effect of file main
tenance changes submitted earlier to perpetrate the fraud . In another
 348

case , computer-generated policyholder cancellation notices were

destroyed. In still others, error or reject listings were destroyed or
" mislaid .”

Detection
According to the respondents, the methods and sources of detection of
the fraud were as follows.

Method of Detection
Method ofdetection identifies the event or factor that triggered the de
tection of the fraud .

Table 8 - Method of Detection

-

Method Banking Insurance

Control and audit
Internal controls 12 10
Routine audit 17 4
Customer complaint/inquiry 24 4
Unusual or non - routine events
Accident, tip -off, unusual
activity of perpetrator 11 15
Non -routine study 8 1
Change in operations,
EDP, or financial
-

statements 7

Unidentified 6
lles
-la

Totals 34
85

Complaints from customers were much more significant to the detection

of the fraud in banking (particularly in the checking and deposit areas)
due to frequent correspondence with customers. For frauds of short du
ration (less than four months), customer complaint/inquiry was the most
significant factor in detecting the frauds. In one case, after aa clerk with
drew funds from a customer's account, the clerk intercepted the cus
tomer's statements. The customer complained after one statement
slipped through.
Frauds perpetrated with file maintenance changes were usually de
tected through internal accounting controls and audit. Frauds perpe
 349

trated by manipulating transactions were detected almost equally by

control and audit, customer complaint/inquiry, and accident.

Source of Detection
Source ofdetection identifies who first discovered the fraud (or caused
the fraud to be discovered ).

Table 9 - Source of Detection

Source Banking Insurance

Other employees 16
Middle management 20 7
Internal auditors 5
Customers 16
-

External auditors/ examiners 4

।
8
୮୯8
Other/unidentified 2 6
Totals 34

Other employees, including substitute clerks, accounting clerks, and

mail clerks, among others, made up the single most significant group in
detecting fraud.

The following appendix contains details of selected cases . These

cases were selected to illustrate the wide range of fraud scenarios de
scribed in the surveys .
 350

APPENDIX

Sampling of Cases From the Study

(all amounts are approximate )
Banking Cases
1. A data entry clerk manipulated the automated central information file
that permitted debit cards to access unrelated customer accounts through
automatic teller machines . Over 100 transactions totaling $ 25,000 were made
within a period of less than two months. Numerous customer complaints were
received about unauthorized ATM withdrawals against their accounts. These
complaints triggered an investigation that discovered the fraud .
2. A computer operator using a card -driven system prepared a false set of
ledger cards that increased his checking account balance and decreased a large
business checking account balance , which had reached $ 90,000. Each month at
statement preparation time , accurate statements were prepared for the customer
using the correct ledger cards. After several years, the fraud was detected by an
employee researching another account.
3. A data entry clerk responsible for reviewing all maintenance changes on
installment loans changed the due date on his own loan . He was thereby able to
extend the loan five to ten times and not make any payments . The total amount
ofthe loan was $ 3,500 . When the employee was transferred , he could no longer
make the extensions . The loan became past due, and the fraud was discovered .
4. Unauthorized extensions of payment due dates were made over a three
year period to loans of approximately $ 1 million . The perpetrator, a member of
senior management, thereby hid delinquencies and showed a better lending and
collection record. The extensions were made by master file changes prepared
by the individual , who would then remove the change forms when the work was
returned from the service bureau . Regulatory examiners made an investigation
when they noted there were loans shown as current without payments made or
extension fees charged.
5. A data entry clerk obtained a customer's credit card and personal
identification number from returned mail. He then raised the credit limit on the
 351

terminal and obtained cash from an automatic teller machine. Over a five month
period $ 3,000 was obtained. The customer was not aware of this, as the clerk
intercepted the statements . When one statement did get to the customer, the
customer's complaint triggered the detection.
6. An applications programmer analyst increased his bank account and
reduced a customer's account by a file manipulation, the specific mechanism of
which was not disclosed . The fraud was discovered when the customer com
plained. The period of concealmentwas less than a month and the total amount
was under $ 1,000.
7. A proof clerk correcting rejected items keyed in a false credit to his own
checking account, using a CRT terminal. The total amount involved was under
$ 300, and the period ofconcealmentwas less than one month. One of the false
credits he entered was not offset by a debit. This caused an out-of-balance
situation that was traced to his account. Subsequent investigation disclosed the
nature and scope of the fraud.
8. A computer operator increased thebalance on his own checking account
ledger card and decreased the balances for two other accounts. At statement
time, he would reverse all the changes so the statements sent out would be
correct .
The total amount involved in this fraud was less than $ 1,000 and it was
concealed for two months. The fraud was detected by the EDP manager when
he came into work early one day and supervised the preparation of statements
before the operator had a chance to replace the improper cards. A system check
that recalculated the statement balance then flagged the accounts as out-of
balance.

9. An officer who supervised operations at a branch withheld savings

deposits from customer savings accounts and took cash or credited his own
account as an offset. The perpetrator occasionally filled in as a teller and would
sell money orders and never record them as outstanding. When a complaint was
made by a customer that a deposit had not been entered, the perpetrator entered
a correction charging another account with the offset. Sometimes he took cash
and offset the shortage by creating an inter -branch clearing. When no response
to such entries were made after five to six days by other branches, the amounts
were transferred to the branch's suspense account. The perpetrator also con
trolled that account. For the month -end balancing they were charged to another
suspense account and then transferred back after the balancing.
Concealment lasted thirteen months, and the total amount was $ 800,000.
The EDP system was used in processing the entries and in transferring the
entries from account to account thereby causing them to lose their identity. The
fraud was discovered when the perpetrator was transferred to another branch.
Subsequently, a customer complained about a charge to his savings account that
had not been authorized . The fraudulent item was traced by another employee
who found that an embezzlement had occurred .
10. The cashier of this bank was able to extend loan due dates to avoid
disclosure of delinquent accounts and to conceal poor lending practices. The
 352

total amount of the loans involved was $ 500,000. The fraud took place for a
year. It was discovered by a loan secretary who inquired about the recurring
maintenance changes extending loan due dates. Apparently, no funds were
actually taken .
11. A teller misappropriated cash payments made on loans and then ex
tended the due dates so the loans would not show up as past due. The extensions
were made by preparing file maintenance change sheets. After the maintenance
instructions were acted on, the individual destroyed the sheets. The total
amount involved was $ 3,000 and the fraud was concealed for six months. The
fraud was discovered by the auditors when they confirmed loan balances with
borrowers.

12. A credit card clerk established fictitious card accounts and credit limits.
The accounts were created , addresses changed, credit lines increased , and
closed accounts reactivated by terminal entry. The cards were used for cash
advances and for purchases. A total of $ 20,000 was involved; the period of
concealment was two months. Collectors became involved in investigating
some of these accounts for which statements were returned by the post office or
that had exceeded their credit line. Research on undelivered statements re
vealed that the accounts lacked authorization and supporting documentation .
Further investigation identified the perpetrator and the nature of the fraud.
13. A note clerk working with a customer as an accomplice changed that
customer's overdraft limit via on-line terminal input. The maintenance code to
do this was supposedly known only by senior management. Approvals were
forged on the input document. This customer was then allowed to draw up to
$ 6,000 against the improperly authorized credit line. The fraud was concealed
for three months. Payments were made by other unauthorized advances that
were not properly shown on the reconciliation of the account. The accomplice
made the mistake of calling the bank several times inquiring about the amount
of his credit limit. This aroused the suspicion of the note supervisor, who
couldn't understand why a customer would call several times concerning his
credit limit. Upon investigation, it was found that the $ 6,000 credit limit had
not been properly approved. Further investigation identified the scheme and the
perpetrators.
14. The money transfer department received instructions from an imposter
to transfer $5 million. The imposter identified himself as an employee of a
branch and stated that he had received instructions from a customer to transfer
the money to another institution for further transfer to that institution's cus
tomer. The test code reported by the imposter for that date and branch were
correct, thereby not causing suspicion . The following morning the customer,
upon receiving notification of the transaction , disputed the item and denied
authorizing it.Upon inquiry, the branch reported that they never issued such
instructions.
15. In this case , a branch manager and a computer operator colluded to
extract cash from an automatic teller machine. The branch manager stole the
money from the machine while the computer operator destroyed logs and
 353

records of transactions transmitted from the machine to the computer center.

The money was taken in small amounts over a period of four months. Between
10 and 100 shortages were involved totaling $ 3,500 . An investigation of the
cash shortages revealed the scheme between the branch manager and the
computer operator. The fraud was concealed for four months.
16. An applications programmer using a terminal altered the computer
programs governing the bank's cash management service . This program auto
matically triggered reports of excess funds, which were then to be transferred
by wire to another bank . Very likely, they were credited to his own account
rather than wired elsewhere. The fraud was discovered within a month because
the fraudulent transfers caused overdrafts to customers' accounts. When the
overdraft unit investigated disputed transactions, it discovered differences
between the customer's instructions and the automatic charges. After the
internal audit department investigated , the scheme and the perpetrator were
identified . Between five and ten transactions were involved . The total amount
of the fraud was $600,000, but no money was extracted from the bank. The
-period of concealment was less than aa month.
17. Fictitious commercial loans were set up by a branchmanagerbycreating
false inputdocuments. New fictitious loans were created eventually to pay off
older fictitious loans. In those cases where a demand loan had been created , he
paid interest to keep the loan current. The perpetrator input file maintenance
changes to ensure that all bank mail pertinent to the fictitious loans would be
routed to post office boxes he controlled.
The fraud was discovered by audit confirmation and by a customer's com
plaint of irregularities at the branch. The auditors investigated loan confirma
tions returned by borrowers whose addresses were listed as post office boxes .
Checking the signatures on the confirmations, the auditors found them to be
questionable in comparison with the bank's signature card files. Further com
munication with thepeople listed as borrowers uncovered the fraud . The total
amount was $ 120,000. It was concealed for five years, and over 100 transac
tions were involved .

18. The EDP manager made program alterations causing activity on his
account to be suppressed from the detail on overdraft reports although the total
was correct. He also made a change to ensure that no statement would be
prepared for his account. All of the checking programs were changed to avoid
his account. Checks that were paid against his account would be removed from
the files before they were filmed . The account became overdrawn, but it was
never reported as such. Since no statement was ever prepared, no one became
aware of the overdraft in the normal course of operations. In this way, the EDP
manager was able to set up a potentially unlimited overdraft line for himself.
The fraud was detected by running internal audit software independently
against the files. The fraud was concealed for a period of six and one-half years.
The total amount of the overdraft accumulated to $ 40,000 and involved over
100 items .
19. A data entry clerk used a CRT terminal to set up a fraudulent revolving
credit line for a check / credit account in his name. The credit line was never
 354

properly authorized. The perpetrator then drew the full amount of the credit line
and deposited this amount to his account. Access to the computer terminal was
not restricted. Computer reports of the new loans set up were not reviewed.
The total amount of the fraud amounted to $ 6,000 . The period of conceal
ment was five months. It was detected when one of his transactions was rejected
due to a systems change ( requiring that loan cycle dates and checking statement
cycle dates coincide) . Investigation found that his credit line was not
authorized
20. An applications programmer-analyst used a vendor-supplied utility pro
gram to make two fraudulent transfers from customer savings accounts into his
own. The total fraudulently transferred was $ 10,000. The perpetrator then
withdrew the entire $ 10,000 from his account the next day.
At the time of the fraud , the bank was undergoing a major systems conver
sion. During this conversion, programmers were allowed to routinely enter the
computer room to operate and test programs. Since the bank's savings system
was in a conversion mode, the audit department of the bank had been watching
exception transaction reports very closely. The bank's daily reporting systems
identified large transactions against savings accounts . On this day, the auditors
noted a large $ 10,000 withdrawal from an account that reported a previous
day's balance of only $3 . They also noted that no $ 10,000 deposit transaction
had been recorded simultaneously. This unusual withdrawal, without an offset
ting deposit should have caused an overdraft. Upon investigation, it was deter
mined that the account belonged to an employee of the computer service center.
21. An operations officer in the charge card department would divert cus
tomer payments to his own account by keying in his account number on pay
ment processing documents. The perpetrator's duties included investigation of
customer complaints. If he received a complaint on one of the defrauded ac
counts, he entered a payment to that account and debited a suspense account.
Suspense debits were lapped to further confuse the trail. After the perpetrator
quit the bank, subsequent customer complaints were investigated and led to dis
covery of the fraud. The fraud was concealed for one year and totalled $ 3,000.
22. An operations officer increased his own credit line without authority via
computer terminal entry. The bank had a terminal system that allowed account
information inquiries to be made on-line. Later, a system change allowed for
direct terminal update of certain “ nonmonetary ” fields that included credit line
limits . The perpetrator was then able to raise the line of credit on his account
and draw the limit . A routine audit test later revealed that this account exceeded
its original credit limit. Subsequent investigation found that his unauthorized
entry via computer terminal had raised the credit limit. The perpetrator later
repaid the loan . The total amount of the line withdrawn was $ 500 , and the
fraudulent loan was in effect four months before being detected.
23. A computer operator, using direct access to the master files through a
computer console, transferred deposit balances from inactive accounts into ac
counts controlled by customers with whom he was in collusion. The EDP man
ager also cooperated in the scheme. The funds were withdrawn from the recipi
ent account by the accomplices. The computer operator hoped to conceal the
 355

frauds by changing the balances during statement preparation. This was to be

done by raising the forwarded balance . He chose relatively inactive accounts to
further minimize the chance of detection. Finally, he made some unauthorized
transfers to accounts owned by persons uninvolved in the scheme to further
confuse the situation in case an investigation developed. After a month and a
half, however, a customer did complain that his statement balance had been
reduced without any transaction being posted. An investigation revealed that
the “ error ” was caused by direct console intervention .
24. An applications programmer, who also functioned as an operator, devel
oped a software program to decrease balances in selected inactive accounts and
increase the balance in his own account. No transactions were input , but the
files were directly changed. Cycle codes were also altered to ensure that state
ments would not be mailed until the perpetrator could intercept them . The per
petrator then prepared falsified statements and mailed them tothe customers. In
one case, the post office returned a falsified statement to the bank , and the per
petrator then didn't bother anymore with preparing statements for the customer.
This customer, however, came in and asked for his statement. A subsequent
investigation revealed the fraud and identified the perpetrator. The fraud was
concealed for a period of 13 months and involved between 11 and 100 items.
The total amount misappropriated was $ 25,000.
Insurance Cases
25. A policy service clerk obtained a management-level password and used
it to submit file maintenance transactions to reverse surrendered policies on the
master file and to update dividend fields. Policies were later surrendered again
and checks made payable to the clerk's spouse . The clerk also manipulated a
loan on an active policy, which led to detection of the schemes when the policy
holder questioned a loan transaction in response to a confirmation. A follow -up
inquiry revealed the improper transactions in the policy adjustment and dis
bursement areas. The schemes lasted about three months and amounted to
$6,000 .
26. A policy service supervisor held back incoming cash premium receipts
until just prior to the automatic lapsing of policies. “New cash ” would then be
used to cover the premiums due on the about-to -lapse policies. Sometimes the
supervisor used the computer to generate “new cash” by submitting a filemain
tenance transaction to place the supervisor's name on an active policy that had
premiums paid to a certain date. The supervisor would then take an incoming
check payment on another policy and apply it to the changed policy; a company
check was automatically produced in the supervisor's name with an explanation
that the policy was overpaid. A tip from an employee initiated an audit that
revealed the scheme. The scheme lasted two years, involved over 100 transac
tions, and netted $ 30,000 .
27. A policy service clerk had the authority to cross functional department
lines to resolve problem cases requiring refunds or return of premiums. The
clerk also had authority to initiate and approve disbursement requests. Using
these authorities, the clerk initiated fraudulent premium refund requests and
 356

buried the transactions in various suspense accounts. The clerk also submitted
override transactions to block automatic adjustments to commissions because
of the premium refunds. Detection occurred when the operating management
started reviewing old, suspended transactions. The scheme netted $ 17,000 over
thirty -two months.
28. A policy service clerk normally received a computer printout showing
the cash surrender values of policies that had lapsed fornonpayment of premi
ums . The clerk introduced file maintenance transactions to place certain poli
cies back into an active status on the master policy file ( always selecting poli
cies with a policyholder name similar to the perpetrator's ). The clerk then
submitted transactions to produce checks for the policy equity cash value and
deposited the checks in an account. The clerk subsequently came forward and
revealed the fraudulent activity, which lasted for tenmonths and amounted to
$ 6,000.
29. To make loan delinquencies appear to be within the established guide
lines, a mortgage loan manager used a computer terminal and entered file main
tenance transactions to manipulate mortgage loan due dates. Having success
fully accomplished this scheme, the manager then began using the terminal to
establish fraudulent loans . The total financial manipulation exceeded
$ 320,000, with $ 55,000 actually converted to cash over a period of nine
months. The schemes were uncovered during a routine annual audit.
30. A senior claim processor with signature authority issued claim checks to
a fictitious payee that were later forged and deposited in a bank account. To
conceal each fraudulent claim check, the processor prepared and sent a data
entry code sheet to data processing, which recorded the issued check in the dis
bursement and statistical claim information files. The processor then destroyed
copies of the coding sheets which should have gone into the claim files. The
fraud was detected when the processor coded a sheet incorrectly causing a mis
match between the disbursement file and a cancelled check . The fraud lasted
sixteen months and exceeded $ 110,000.
31. In a five-year period , a claim supervisor converted about $ 500,000 by
submitting false health claims that generated checks payable to special payees
or outside accomplices covered by group health contracts. The supervisor's po
sition provided access to other people's passwords and negated some of the seg
regation of duties controls passwords create. In some cases , the supervisor gave
fraudulent claim papers toclerks to process in the course oftheir work and later
destroyed the papers. In other cases, the supervisor used a terminal to add
names to the eligibility file and then entered fraudulent claim data. Detection
occurred when the perpetrator ofanother fraud told an internal auditor that this
might be going on .
32. A group pension supervisor had complete control over payment transac
tions and related correspondence with contract holders and claimants. The su
pervisor initiated fraudulent lump- sum payment requests for eighteen months.
The computer control to detect duplicate payments was based on a comparison
of social security numbers, which the supervisor circumvented by transposing
 357

the social security numbers of the fraudulent payments . The fraud , which ex
ceeded $ 400,000, was revealed when a legitimate retiree requested a lump-sum
benefit and aclerk remembered seeing a previous claim payment to the retiree.
33. A policy service supervisor submitted file maintenance transactions to
change the name and address fields on valid master policy record files to those
of family members. The supervisor then prepared coded input documents to
authorize fictitious premium refunds amounting to over $ 14,000 . Once the
computer- generated refunds were made, the perpetrator restored the correct
data on the changed policy records. The fraud, which lasted four months, was
detected in the bankreconciliation process when a clerk, instructed to review
checks for unusual items, noticed aa series of large amounts to the same payees
and addresses.
34. A producer, working with a policy service clerk as an accomplice, cre
ated bogus policies and manipulated valid ones to obtain loans and the full an
nualized commissions when only one monthly premium was paid. The perpe
trators used error correction routines to prevent recovery of the annualized
commissions when the bogus policies were cancelled . In addition, fictitious
prernium “ paid -to” date entries were made to increase case equities. The per
petrators then submitted policy loan requests for the increased cash equity and
negotiated checks that were made payable to the insured. The schemes lasted
five years and netted $ 300,000 . Detection occurred when the producer com
plained about a commission payment, which aroused a supervisor's suspicion.
35. A policy service supervisor responsible for the dividend unit created
fictitious dividend payments by submitting requests with bogus policy num
bers; the checks were mailed to an outside accomplice. When the check was
authorized by the supervisor, the check data automatically created the account
ing entry and simultaneously updated the master policy file. Because a bogus
number was involved , an update of the policy file would reject and the transac
tion would appear on an error report that was returned to the supervisor for in
vestigation. Apparently, these listings were subsequently destroyed by this in
dividual. The scheme was discovered accidentally during a routine review of
dividend transactions at the corporate office . It lasted thirty months and netted
$ 150,000 .
36. A policy service clerk introduced file maintenance transactions to can
cel active policies, which produced policyholder cancellation notices and pre
mium refund checks. The clerk destroyed the cancellation notices and forged
the refund checks. The clerk then followed a special error correction procedure
to reinstate the policies with full coverage. This scheme was detected through a
non -routine study of paid checks in which an employee noticed many out-of
state policyholders had apparently cashed their checks locally. The scheme
lasted one year and netted $ 25,000.
37. A policy change clerk with access to an on-line terminal entered name
and address changes to alter the policy master file records to the clerk's spouse.
Using general ledger transactions, the clerk caused refund checks to be mailed
to the spouse. The refund accounting entry was entered into a general ledger
 358

suspense account not adequately controlled at the time. Detection was made
when a supervisor routinely reviewed the suspense account for old items. The
scheme netted $ 5,000 in four months.
38. A group dental claim processor obtained the names of covered employ
ees from a co -conspirator employee of a policyholder company. Using a termi
nal , the clerk entered fictitious claims made payable to the covered employees,
but mailed to a post office box. The checks were obtained , signatures forged,
and proceeds ($30,000 in twenty -one months) split. The fraud was detected
when the claim clerk was absent and a replacement clerk routinely called a den
tist for verification of the nature of a claim .
39. Three claim processors, using terminals, entered fictitious claim data
causing computer-produced checks to be sent to each other's home addresses.
The supervisor had lunch with one of the perpetrators who mentioned that one
of the other perpetrators, now an ex -employee, was being investigated for den
tal claim frauds by the new employer. The supervisor initiated an audit of the
claims processed by the informer and the ex -employee; the audit eventually dis
closed the three perpetrators. This scheme lasted for sixteen months and netted
$ 80,000
 359

AMERICAN COUNCIL ON EDUCATION ,

DIVISION OF GOVERNMENTAL RELATIONS,
Washington, DC, March 26, 1984.
Hon . WILLIAM J. HUGHES,
Chairman, Subcommittee on Crime, Committee on the Judiciary, House of Represent
atives, Rayburn House Office Building, Washington, DC.
DEAR MR. CHAIRMAN : On behalf of the American Council on Education an organi
zation representing over 1500 colleges and universities and the associations listed
below , we wish to state our strong support for legislation that would adequately pro
tect computers by making illegal unauthorized intrusions and outright fraud in the
use of such systems. We urge the adoption of legislation along the lines introduced
by you and Congressman Sawyer that would make it a federal crime to use a com
puter for fraud, theft, or to vandalize computer stored information when operating
in interstate commerce. We respectfully request that this letter be included in the
hearing record on H.R. 5112.
The higher education community is increasingly dependent on computers both in
terms for their use for research and for conducting its own business affairs.
Individuals are currently able to enter a system over telephone lines. Information
can , therefore, be easily amended or deleted from various files contained within
computer systems and the system itself caused to crash (go out of service) as some
kind of intellectual joke.
Most notably , instances have recently turned up at colleges and universities
where individuals following the “War Games” model have sought to alter their
grades. This is not an innocent prank, but is an obstruction of the legitimate func
tions of a computer system often without legal recourse. When an individual manip
ulated the computer at a major eastern institution this past fall, rather than resort
ing to the criminal laws, the university moved by a civil action to penalize the indi
vidual and ultimately restrain him from interfering with the university's computer
systems.
It has been noted by a variety of prosecutors and by various representatives and
senators, who have introduced legislation dealing with computer crime, that present
federal and state laws are often inadequate to deal with the multiplicity of problems
relating to computer theft. It is extraordinarily difficult to establish that a computer
file is properly protected under current statutes and that copying from it, is patent
thievery.
Federal legislation along the lines of H.R. 5112 would give prosecutors a reasona
ble basis forinstituting charges against anyone who steals information from a com
puter or who alters or destroys information in a computer maliciously or for person
al gain.
A statute covering computer crime in interstate commerce would fill the inter
stices of other federal statutes which have failed to provide adequate protection.
Federal legislation could also establish a pattern for states that have failed to enact
computer fraud legislation .
Computer crime legislation making it illegal to tamper with computers, operating
in interstate commerce or using interstate facilities, will dispel the image that these
actions are a mere lark and are not criminally wrong . Legislation could serve as a
deterrent by emphasizing to many young individuals that computer gamesmanship
is in violation of the law. There is a concurrent need, however, for computer firms
to increase security to bar unauthorized entries . H.R. 5112 presents a significant
step forward in dealing with the growing amount of crime associated with computer
usage. Unauthorized borrowing of materials contained in computer systems is not a
sport, it is piracy and should be dealt with as such.
We in the higher education community stand ready to work with you and your
staff to secure passage of such legislation in this session of Congress. If you have
any questions relating to our position on this legislation, please do not hesitate to
contact us.
This letter is being sent on behalf of: American Association of Community and
>
Junior Colleges, American Association of State Colleges and Universities, American
Council on Education , Association of American Universities, Association of Catholic
Colleges and Universities, Association of Jesuit Colleges and Universities, Associa
tion of Urban Universities, Council of Independent Colleges, National Association of
College and University Business Officers, National Association of Independent Col
legesand Universities, National Association of Schools and Colleges of the United
 360

Methodist Church, National Association of State Universities and Land -Grant Col
leges.
Very truly yours,
SHELDON ELLIOT STEINBACH ,
General Counsel.