Subject 11 – Cybercrimes and Crimes Against Property in the Information System
- Cybercrimes Specialized Courts
According to the HSK decision published in the Official Gazette on 30.11.2021, as of 15.12.2021, the specialized cybercrime courts investigate the following crimes:
- Qualified theft by using information systems
- Qualified fraud by using information systems as a means by banks or credit institutions
- Qualified fraud by impersonating oneself as a public official or an employee of banks, insurance, or credit institutions or claiming to be related to these institutions
- Unauthorized access to information systems
- Disrupting, sabotaging, deleting, or altering data in systems
- Misuse of bank or credit cards
- Prohibited devices or software
- Imposing specific security measures on legal entities benefiting from crimes committed in the field of information technology.
- Distinction in Cybercrime and Crimes Committed in the Digital Environment
Crimes in the field of informatics are listed as follows in the Turkish Criminal Code. Apart from these crimes, crimes committed in the digital environment are not referred to as “cybercrimes.”
- Unauthorized access to the information system
- Obstruction, disruption, erasure, or alteration of data within the system
- Misuse of bank or credit cards
- Prohibited devices and programs
Crimes against property are not listed under “Crimes in the Field of Informatics” and are therefore not technically computer crimes. However, committing these crimes by means of information systems is considered an aggravating factor.
- Aggravated Theft
- Aggravated Fraud
- Crimes in the Field of Informatics
- Access To Data Processing System
According to Article 243 of the Turkish Criminal Code (TCK), the offense of unauthorized access to computer systems is defined as follows.
(1) Any person who unlawfully enters a part or the whole of a data processing system, or remains there, is punished with imprisonment of up to one year or a punitive fine.
(2) If the offenses defined in the subsection above involve systems that are used for a fee, the punishment to be imposed is increased by up to one half.
(3) If such an act results in the deletion or alteration of data within the system, the person responsible is sentenced to imprisonment from six months to two years.
(4) A person who, without entering the computer system, unlawfully monitors data transfers that occur within a computer system or between computer systems through technical means, shall be sentenced to imprisonment for a term ranging from one year to three years.
Regarding the subject, in accordance with the decision of the 8th Criminal Chamber of the Supreme Court numbered 2018/10824 and 2019/15723:
‘‘In a case where the defendant was charged with unauthorized access to a computer system, allegedly entering the complainant’s email and Facebook accounts without the complainant’s consent and changing the passwords, it was determined that the defendant accessed the complainant’s account. However, there was no evidence in the case file to support the claim that the passwords were changed or that the defendant obtained any benefit from the complainant. It was also evident that the individuals who requested mobile phone credits using the complainant’s account were friends of the complainant. Therefore, it was concluded that the offense committed by the defendant fell under Article 243/1 of the Turkish Criminal Code, and the mischaracterization of the offense led to the annulment of the judgment in the manner indicated in writing.’’
- Hindrance Or Destruction Of The System, Deletion Or Alteration Of Data
According to Article 244 of the Turkish Criminal Code,
(1) Any person who hinders or destroys operation of a data processing system is punished with imprisonment from one year to five years.
(2) Any person who garbles, deletes, changes or prevents access to data, or installs data in the system or sends the available data to other places is punished with imprisonment from six months to three years.
(3) The punishment to be imposed is increased by one half in case of commission of these offenses on the data processing systems belonging to a bank or credit institution, or public institutions or corporations.
(4) Where the execution of the above-mentioned acts does not constitute any other offense apart from the unjust benefit secured by a person for himself or in favor of third parties, the offender is sentenced to imprisonment from two years to six years and also a punitive fine of up to five thousand days.
According to the justification of the article, in the final paragraph, it is stated that if an individual commits the acts defined above to benefit themselves or another, it will be subject to criminal sanctions. However, in order for a penalty to be imposed based on this paragraph, the act must not constitute another offense that carries a heavier penalty. In this regard, if the act, for example, constitutes offenses such as fraud, theft, abuse of trust, or embezzlement, then a penalty will not be imposed based on this paragraph.
Regarding the subject, in accordance with the decision of the 8th Criminal Chamber of the Supreme Court numbered 2012/31216 and 2013/25978:
“Based on the statements of the participants throughout the stages, the responses received from Microsoft and the TIB regarding the entry into the participant’s email account through the internet account belonging to the defendant’s father, and all the documents in the file; it should have been decided that the defendant, who obtained the password of the participant’s email account, entered this address and changed the password to prevent access to the participant’s emails, be punished under Article 244/2 of the Turkish Criminal Code. However, the written justification for the acquittal verdict is in violation of the law. Therefore, the objections of the Chief Public Prosecutor and the participant are well-founded. Accordingly, the verdict has been (ANNULLED) according to Article 321 of the Turkish Code of Criminal Procedure, which should be applied under Article 8/1 of Law No. 5320.”
- Improper use of bank or credit cards
According to Article 245 of the Turkish Criminal Code, the following penalties are prescribed for the offense of misuse of bank or credit cards:
(1) Any person who acquires or holds bank or credit cards of another person(s) whatever the reason is, or uses these cards without consent of the card holder or the receiver of the card, or secures benefit for himself or third parties by allowing use of the same by others, is punished with imprisonment from three years to six years, and also imposed punitive fine.
(2) Any person who secures benefit for himself or third parties by using a counterfeit bank or credit card is punished with imprisonment from four years to seven years if the act executed does not constitute any offense other than forgery.
(3) A person who uses a counterfeit or fraudulently altered bank or credit card, resulting in a benefit for themselves or others, shall be sentenced to imprisonment for a term of four to eight years and a judicial fine of up to five thousand days, provided that the offense does not constitute a more serious crime.
(4) In cases where the offense described in the first paragraph is committed for the benefit of:
- one of the spouses for whom a separation order has not been issued,
- an ascendant or descendant or one of the in-laws within the same degree or an adoptive parent or adopted child,
- one of the siblings living together in the same household,
no penalty shall be imposed on the respective relative.
(5) Effective repentance provisions concerning property crimes under this Law shall apply to offenses falling within the scope of the first paragraph.
In Article 3 of Law No. 5464 on Bank Cards and Credit Cards, titled “Definitions,” the following definitions are provided:
“Bank card: A card that allows the use of deposit accounts or special current accounts, including the use of banking services.
Credit card: A printed card or card number that allows for the purchase of goods and services or cash withdrawals without the need for cash.”
According to the decision of the 8th Criminal Chamber of the Supreme Court with case number 2014/23295 E. and 2014/24442 K.:
The defendant, who used the credit card information acquired without the consent of the victim through mail order over the internet at various times, has been convicted of the crime of theft by electronic means as regulated in Article 142/2 of the Turkish Criminal Code, without considering that the defendant’s actions as a whole constituted the crime of misusing a bank or credit card as stipulated in Article 245/1 of the Turkish Criminal Code. Therefore, the conviction decision is unlawful. Thus, the appeals of the defendant and the Public Prosecutor are found valid in this regard, and the decision is (REVERSED) in accordance with Article 321 of the Criminal Procedure Code, which should be applied under Article 8/1 of Law No. 5320, unanimously on 03.11.2014.
- Illegal Devices or Programs
Turkish Criminal Code Article 245/A is as follows:
“When a device, computer program, password, or other security code is created or manufactured exclusively for the commission of the crimes defined in this Chapter or other crimes that can be committed by using information systems as instruments, a person who manufactures, imports, exports, transports, stores, accepts, sells, offers for sale, purchases, delivers to others, or possesses such items shall be sentenced to imprisonment for a term of one to three years and a judicial fine of up to five thousand days.”
- Imposition of Security Precautions on Legal Entities
ARTICLE 246-(1) Security precautions specific to legal entities are imposed in case of commission of the offenses listed in this section within the frame of activities of legal entities.
- Some Methods Used in the Commission of Cybercrimes
- DDoS Attacks
One of the most common cyberattacks seen today is the Distributed Denial of Service (DDoS) attack. A DDoS attack can be defined as a cyberattack that aims to disrupt the operation of an online application or service by consuming all of its available bandwidth so that the system can no longer respond. In short, it seeks to block the functionality of an online service or application. (Source)
An attacker floods a server or network with useless traffic, rendering a website inaccessible for those attempting to visit it. DDoS attacks are typically conducted from many different computers or devices, which are enlisted into a network called a botnet. Botnets are created by an attacker in order to control numerous computers or devices for malicious purposes. By themselves, DDoS attacks typically do nothing beyond causing services to crash or slow down. Specific forms of such flooding include the Ping Flood, the Ping of Death, and the SYN Flood.
Case Study:
Public Announcement (Data Breach Notification) – ……. Construction Industry and Trade Corporation
As known, Article 12 of the Personal Data Protection Law No. 6698, titled “Obligations Concerning Data Security,” paragraph (5) states: “In case the data processed are obtained by others by unlawful means, the data controller shall communicate the breach to the data subject and notify it to the Board within the shortest time. Where necessary, the Board may announce such breach at its official website or in any other way it deems appropriate.”
The company …………, which holds the title of data controller, submitted a data breach notification to the Board as follows:
It was determined that the data controller was subjected to ransomware and Denial of Service (DoS/DDoS) attacks. The breach was discovered on 31.01.2022 during the investigations conducted as part of the prosecutor’s inquiry.
The affected parties of the breach are employees and customers.
The categories of personal data affected by the breach include identity, contact, personnel, customer transaction, financial, visual and auditory records, as well as biometric data.
The number of affected individuals due to the breach is 1000.
A criminal complaint has been filed with the Kocaeli Chief Public Prosecutor’s Office regarding the breach.
While the investigation on this matter is ongoing, the Personal Data Protection Board has decided, with its Resolution dated 10.02.2022 and numbered 2022/124, to announce this personal data breach on the Board’s website.
- Brute Force Attack
Brute force is a method used to break a password, PIN code, or other authentication mechanisms. This method works by trying various combinations or automatically attempting passwords to obtain the password or authentication credentials of any account or system.
This method is typically carried out using automated software tools to guess or steal a user’s password. These tools automatically continue to try various password and authentication combinations until they find a correct match.
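From a defender’s point of view, the automated guessing described above leaves a recognizable trace: many failed logins from one source in a short time, often spread across several usernames. The following is an added example, not part of these lecture notes, showing how such a pattern can be detected in authentication logs. The log format (timestamp, result, username, source IP) and the log lines themselves are constructed for this illustration; the threshold and time window are tunable assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the lecture notes), in an assumed
# "timestamp result username source_ip" format.
SAMPLE_LOG = """\
2024-01-15T10:00:01 FAIL alice 203.0.113.5
2024-01-15T10:00:02 FAIL alice 203.0.113.5
2024-01-15T10:00:02 FAIL bob 203.0.113.5
2024-01-15T10:00:03 FAIL carol 203.0.113.5
2024-01-15T10:00:04 FAIL dave 203.0.113.5
2024-01-15T10:00:05 FAIL erin 203.0.113.5
2024-01-15T10:00:06 OK alice 198.51.100.7
2024-01-15T10:05:00 FAIL bob 198.51.100.7
2024-01-15T10:20:00 FAIL bob 198.51.100.7
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, result, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Flag each source IP whose failed logins inside a sliding `window`
    reach `threshold`. One alert per IP, raised at the moment the threshold
    is first crossed. Slow, widely spaced failures never accumulate, so an
    occasional mistyped password from a legitimate user does not alert."""
    recent = defaultdict(list)  # ip -> [(ts, user), ...] failures still inside the window
    alerts = {}
    for ts, result, user, ip in sorted(events, key=lambda e: e[0]):
        if result != "FAIL":
            continue
        bucket = recent[ip]
        bucket.append((ts, user))
        # Evict failures that fell out of the window.
        while bucket and ts - bucket[0][0] > window:
            bucket.pop(0)
        if len(bucket) >= threshold and ip not in alerts:
            alerts[ip] = {
                "first_alert": ts,
                "failures": len(bucket),
                # Many distinct usernames from one source points at password
                # spraying rather than one user forgetting a password.
                "distinct_users": len({u for _, u in bucket}),
            }
    return alerts


def run_demo():
    return detect_brute_force(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, info in run_demo().items():
        print(ip, info)
```

On the constructed input only 203.0.113.5 is flagged: it reaches five failures within a few seconds against four different accounts, while the two failures from 198.51.100.7 are fifteen minutes apart and never accumulate. In a real deployment the same logic would feed an alert or a temporary block, and the threshold and window would be tuned against the observed rate of legitimate failures.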
Case Study:
Public Announcement (Data Breach Notification) – ….Pizza Restaurants Inc.
As known, Article 12 of the Personal Data Protection Law No. 6698, titled “Obligations Concerning Data Security,” paragraph (5) states: “In case the data processed are obtained by others by unlawful means, the data controller shall communicate the breach to the data subject and notify it to the Board within the shortest time. Where necessary, the Board may announce such breach at its official website or in any other way it deems appropriate.”
In the data breach notification submitted to the Turkish Personal Data Protection Authority by the data controller ……. regarding the incident of 26.06.2019, it was reported that:
There was a suspicion that the usernames and passwords, which customers set themselves for logging into dominos.com.tr, the website of the company, for ordering pizza or other products, were compromised.
As a result of a detailed technical examination, it was determined that 5225 sets of usernames and passwords belonging to customers were accessed unlawfully by third parties through trial and error (brute-force attack) and shared on the internet.
The data affected by the breach included information about identity, contact details, usernames (email addresses) and passwords used for the website login, as well as information about free pizza and discount rights.
The relevant individuals can obtain information about the data breach from the email address …….
The investigation on this matter is ongoing; however, with the decision of the Turkish Personal Data Protection Authority dated 01.07.2019 and numbered 2019/190, it was decided that this data breach would be announced on the Authority’s website.
- Ransomware / CryptoLocker
Ransomware, a type of malicious software (malware), is used to infect personal or corporate computers, encrypt files, or render them inaccessible, and then demand a ransom from the computer owner.
Ransomware typically spreads through email or fake links and downloads on the internet. Once it infects a system, it quickly encrypts or locks all of the computer’s files. After this encryption process, the user loses access to their files. Subsequently, it is claimed that, in exchange for a ransom payment, the files can be made accessible again.
Case Study:
Public Announcement (Data Breach Notification) – Yalova Municipality
As known, Article 12 of the Personal Data Protection Law No. 6698, titled “Obligations Concerning Data Security,” paragraph (5) states: “In case the data processed are obtained by others by unlawful means, the data controller shall communicate the breach to the data subject and notify it to the Board within the shortest time. Where necessary, the Board may announce such breach at its official website or in any other way it deems appropriate.”
In a letter sent to our institution by … Municipality, which is the data controller, the following summary was provided:
As a result of an examination on their servers, it was determined that files had been encrypted with ransomware. Access to citizen information in the municipality’s database was restricted.
The breach occurred on 30.08.2020 between 01:00 and 09:00, and it was discovered at 09:00 when some servers stopped working.
Upon examining the servers and firewall, no data flow to the outside was detected.
The breach affected identity, contact, location, customer transaction, and financial data of employees, users, and customers.
The estimated number of affected individuals has not been determined at this stage, and investigations are ongoing.
While the investigation on this matter continues, the Personal Data Protection Board decided on 03.09.2020, with decision number 2020/675, to announce this data breach report on the institution’s website.
Case Study: https://tr.wikipedia.org/wiki/WannaCry
- SQL Injection
SQL injection is a method used in attacks on web applications. In this attack, an attacker interacting with a web application attempts to gain access to the database by inserting malicious SQL code into the data sent to the application.
For example, in an input form, a malicious user can add malicious code to the data sent to SQL queries, allowing them to make changes to the database or steal data.
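The mechanism described above, and the fix for it, as an added example that is not part of these lecture notes. A login query is built twice against a small in-memory SQLite table constructed for this illustration: once by concatenating the form input into the SQL text, and once with bound parameters. The same input that returns every row from the first form returns nothing from the second, because the database driver never interprets a bound parameter as SQL. Passwords are stored in plaintext here only to keep the query readable; a real system stores password hashes.

```python
import sqlite3

# Constructed sample data (not from the lecture notes): a minimal users table.
SAMPLE_USERS = [
    ("alice", "s3cret-alice"),
    ("bob", "s3cret-bob"),
]


def build_db():
    """Create an in-memory SQLite database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable form: form input is pasted into the SQL text, so a quote
    character in the input changes the structure of the query itself."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(query))


def login_parameterized(conn, username, password):
    """Hardened form: the SQL text is fixed and the input travels separately
    as bound parameters, which the driver only ever treats as values."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


def demo():
    conn = build_db()
    # Input that closes the quoted literal and appends an always-true condition,
    # turning the WHERE clause into (... AND password = '') OR '1'='1'.
    injected = "' OR '1'='1"
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "s3cret-alice"),
        "vulnerable_injected": login_vulnerable(conn, "nobody", injected),
        "parameterized_legit": login_parameterized(conn, "alice", "s3cret-alice"),
        "parameterized_injected": login_parameterized(conn, "nobody", injected),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:24s} -> {rows}")
```

The point a reviewer looks for is not the payload but the construction: any query assembled by string concatenation from external input is in the vulnerable class, whatever the input happens to be, and the remedy is the parameterized form (or an ORM that produces it) throughout the code base.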
Case Study:
Public Announcement (Data Breach Notification) – ……. International B.V.
As known, Article 12 of the Personal Data Protection Law No. 6698, titled “Obligations Concerning Data Security,” paragraph (5) states: “In case the data processed are obtained by others by unlawful means, the data controller shall communicate the breach to the data subject and notify it to the Board within the shortest time. Where necessary, the Board may announce such breach at its official website or in any other way it deems appropriate.”
Summary of the data breach notification sent to our Authority by the data controller … International B.V. is as follows:
On August 13, 2021, it was determined that a data breach had occurred on the remote ordering website with the domain name “www.s….siparis.com,” which belongs to the data controller.
The data breach resulted from the compromise of a copy of the SQL database.
The breach occurred on July 3, 2021, and was detected following an investigation initiated after a social media post on August 13, 2021.
The group of individuals affected by the breach consists of users/subscribers who have accounts on the remote ordering website.
The number of individuals affected by the breach is 51,295.
The breach impacted personal information such as first name, last name, email address, remote ordering account passwords, phone numbers, addresses, and information related to previous orders of the relevant individuals.
The investigation into this matter is ongoing. However, with the decision of the Personal Data Protection Authority dated August 18, 2021, numbered 2021/844, it was decided to publish this data breach notification on the Authority’s website.
- Phishing
Phishing is a tactic used by attackers to gain the trust of users, typically by employing a fake or deceptive identity, in order to steal sensitive information or financial details from individuals or organizations. This tactic is often carried out through email, messaging applications, social media, or fake websites.
It involves the illegal acquisition of the information users rely on for any system, such as usernames, passwords, identification details, credit card information, etc. The term “phishing” is formed by combining “password” and “fishing.” Phishers, also known as “baiters,” usually reach out to individuals through methods such as email and request their personal information, such as credit card details, as if they were an official institution. Users who respond to such emails have their accounts, passwords, and other private information stolen. (Source)
For example, a phishing attempt may take the form of an email that appears to come from a bank, urging the recipient to provide their password, credit card number, and other details. In response to phishing attempts, all banks and similar institutions emphasize that they would never request users’ private information via email and, in such cases, advise individuals to contact them directly to verify the request. (Source)
Case Study:
Public Announcement (Data Breach Notification) – ……. Software Technologies Inc.
As known, Article 12 of the Personal Data Protection Law No. 6698, titled “Obligations Concerning Data Security,” paragraph (5) states: “In case the data processed are obtained by others by unlawful means, the data controller shall communicate the breach to the data subject and notify it to the Board within the shortest time. Where necessary, the Board may announce such breach at its official website or in any other way it deems appropriate.”
The data breach notification sent to the Authority by ……… Software and Technology Inc., which holds the title of data controller, is summarized as follows:
As a result of a phishing attack against the data controller, unauthorized access was gained to the computers of three employees of the data controller, and these computers were encrypted with ransomware.
The affected personal data from the breached computers included names, surnames, Turkish Republic ID numbers, and workplace registration numbers.
The number of affected individuals and records has not yet been determined.
Affected individuals can obtain information about the data breach via the call center and email.
The investigation into this matter is ongoing. However, by the decision of the Personal Data Protection Authority dated June 1, 2023, and numbered 2023/975, it was decided to announce this data breach notification on the Authority’s website.
- Offenses Against Property
- Larceny and Qualified Larceny
Larceny, ARTICLE 141-(1) Any person who takes another’s movable property from its place without the consent of the owner, in order to derive benefit for himself or third parties, is punished with imprisonment from one year to three years.
Qualified Larceny, Article 142 – (1) In cases where theft is committed through:
- d) Illegally obtaining and possessing or by using a duplicate key or another tool to unlock or prevent locking,
- e) Using computer systems,
- f) Taking precautions to avoid recognition or assuming an official title without authorization,
- h) In cases of property left in a place accessible to everyone but locked or kept within the premises of a building or its annexes,
the offender is sentenced to imprisonment from five to ten years.
- According to the decision of the 2nd Criminal Chamber of the Supreme Court, FN: 2019/11010, VN: 2020/568, the difference between Aggravated Theft and the Crime of Altering Data in a Computer System is as follows:
‘‘The passage describes a legal decision regarding a case involving the unlawful acquisition of data and deriving benefits from it, particularly in the context of the “Knight Online” game character. The decision points out that even if data has economic value, it should not be considered as tangible property. Consequently, the act of unlawfully obtaining a player’s character in the “Knight Online” game should be regarded as a violation of the Computer Crimes Law (TCK Article 244/2-4) rather than being mischaracterized as theft (TCK Article 142/2-e). As a result, the verdict was overturned, and the defendant’s appeals were accepted, leading to the annulment of the judgment on these grounds.’’
- According to the decision of the Turkish Supreme Court General Criminal Assembly D. 17/11/2009, CN: 2009/11-293 main, DN: 2009/268, regarding the distinction between Cybercrime and Theft Offense,
In the action where the defendant V, acting together with the fugitive S.T., improperly obtained the victim company’s internet banking password they had previously acquired, and by using it, transferred 10,750 YTL from the victim’s Şekerbank Ankara Küçükesat Branch account to an account opened in the name of the defendant V. at Şekerbank Istanbul Zeytinburnu Branch and withdrew the money from the branch on the same day, the intention behind this action was to transfer the tangible money in the victim company’s bank account, by using the information system, into their own bank accounts, causing a decrease in the victim’s assets without consent. In other words, it was aimed at acquiring the money represented by this data, rather than sending the existing data elsewhere. Moreover, there was no alternative for the defendant to reach the money in the victim’s internet banking account without using information systems. Therefore, it should be accepted that the crime of ‘larceny by using a computer system’ regulated in Article 142/2-e of the Turkish Criminal Code No. 5237 took place in our case. Hence, considering that the defendant’s action constitutes the qualified larceny offense in accordance with Article 142/2-e of the Turkish Criminal Code No. 5237, there is no possibility of applying Article 244, paragraph 4.
- Qualified Plunder and Plunder
- Plunder
Article 148 of the Turkish Criminal Code regulates the offense of “Plunder”:
(1) Any person who avoids delivery of a property or forces a person to resist taking over the delivery by use of threat or violence and mentioning that he intends to hurt himself or one of his acquaintances, or to execute an act aimed to violation of one’s corporal and sexual immunity, or to give severe damage to his property, is punished with imprisonment from six years to ten years.
- Qualified Plunder
ARTICLE 149-(1) In case of commission of offense of plunder;
- a) By use of a weapon,
- b) By concealing one’s identity,
- c) Jointly by more than one person,
- d) By intercepting a person in a residence or business place,
- e) Against a person who cannot protect himself due to corporal and spiritual disability,
- f) By taking advantage of terror action carried out by the existing and potential organized criminal groups,
- g) By securing benefit for criminal groups,
- h) During the night,
the offender is sentenced to imprisonment from ten years to fifteen years.
- Qualified form of Fraud
TCK Article 157 defines “fraud” as follows: (1) Any person who deceives another person through fraudulent behavior and secures a benefit for himself or others to the detriment of the victim is punished with imprisonment from one year to five years and a punitive fine of up to five thousand days.
TCK Article 158 provides the provisions regarding “qualified fraud using information systems”:
(1) In case of commission of offense of fraud;
- f) By using data processing systems, banks or financial institutions as a tool,
- g) By benefiting from the facilities of press and publication organs,
(3) In the event that the offenses mentioned in this article and Article 157 are committed by three or more persons together, the penalty to be imposed is reduced by half; if the offenses are committed within the framework of the activities of an organization established to commit crimes, the penalty to be imposed is increased by one.
- According to the decision of the Court of Cassation General Assembly D: 16.4.2013 with DN: 2013/8-140, RN: 2013/171:
To constitute the offense of fraud, which also safeguards not only property but also freedom of will:
1- The perpetrator must engage in certain deceptive behaviors,
2- Deceptive behaviors must be of such a nature as to deceive the victim,
3- As a result of deceptive behaviors, the perpetrator must obtain an unfair benefit for themselves or for another person, to the detriment of the victim or someone else.
…..
As seen, what distinguishes the crime of fraud from other types of offenses committed against property is its basis in deception. This crime, which has multiple legal aspects, not only results in harm to property, but also involves the deception of the will of the victim or the person harmed by the crime through deceptive behaviors. In the justification of the article, it is emphasized that behaviors with deceptive qualities disrupt the good faith and trust that should exist in relationships between individuals. As a result, a person’s freedom of will is affected, and their freedom of will is violated.
…..
In light of these explanations, when the dispute is evaluated;
In the case of a dispute in which the defendant, who advertised a vehicle for sale on the website “www.sahibinden.com,” took advantage of the speed of reaching many people at the same time by computer systems and the convenience it provided, the defendant first persuaded the complainant to send 150 Lira under the pretext of an advance payment and then, according to the agreement they reached, convinced the complainant to send a total of 2,350 Lira in two installments to come to Edirne, saying that his wife was in the hospital giving birth and he needed money to go to her. He then disconnected his phone and cut off contact with the complainant. In the case, where the crimes were committed through the use of a computer system, it must be recognized that the actions committed constitute the offense of qualified fraud under Article 158 of the Turkish Criminal Code (TCK), paragraph 1, subsection (f).
Therefore, there is no error in the local court’s decision to convict the defendant of fraud by using the computer system and in the Special Department’s decision to confirm this verdict.
—————————————————————————————————————————————————–
The copyrights pertaining to these lecture notes and all of their content, including the rights to reproduce, distribute, duplicate, represent, transmit via signals, and publicly communicate through any means of text, sound, and/or visual presentation, are protected by the Turkish Intellectual and Artistic Works Law and related legislation. All these intellectual and moral rights belong to Attorney and Lecturer Ozge EVCI ERALP. These lecture notes cannot be duplicated, published, or used without permission, and they cannot be published on internet websites without obtaining the necessary permissions. Ozge Evci ERALP 2023-2024