Cryptocurrency Exchange in the Context of KVKK

What is a Phishing Attack?

Recently, investors have frequently been exposed to crypto-focused phishing attacks. So what is a phishing attack? Phishing is a type of cyber-attack in which personal data is stolen, and it is a method frequently favoured by fraudsters. In other words, it is the acquisition, transmission, storage or use of personal information belonging to natural or legal persons by unauthorised persons, for use in fraud and other crimes. Fraudsters use many methods to carry out phishing attacks, and they develop and diversify these methods every day.

For example: Clone Phishing Attack, Pharming Attack, Phishing Attack, Ice Identity Attack, Evil Twin Attack… While some of these are the product of social engineering, others are the product of malware.

To proceed more concretely, let us give an example of a phishing attack method. Individual investors are constantly redirected to fraudulent websites by e-mails that they believe were sent by the platform they use. In this way, personal data belonging to individual investors, such as usernames, passwords, network credentials or credit card details, can be obtained by malicious persons, and their digital assets can be stolen through large transfers made from their digital wallets without their consent. As can be seen, what is at issue is the unlawful acquisition, use and recording of personal data, as well as personal data breaches such as failure to fulfil obligations regarding data security.

The sanctions for these unlawful acts exist both in the Turkish Penal Code and in the Personal Data Protection Act. As is known, under the Law on Personal Data, individuals' financial and economic information, the content they share online, their passwords and e-mails, and information about the sites they visit are also considered personal data.

Within the scope of the LPPD, administrative fines are imposed for failure to fulfil the obligations regarding data security and other obligations, while imprisonment is imposed under the Turkish Penal Code.

Law on the Protection of Personal Data

Misdemeanours

Article 18-

(1) Under this Law, an administrative fine shall be imposed:

a) from 5.000 Turkish Lira to 100.000 Turkish Lira on those who fail to fulfil the disclosure obligation stipulated in Article 10;

b) from 15.000 Turkish Lira to 1.000.000.000 Turkish Lira on those who fail to fulfil the obligations regarding data security stipulated in Article 12;

c) from 25.000 Turkish Lira to 1.000.000 Turkish Lira on those who fail to comply with the decisions taken by the Board pursuant to Article 15;

ç) from 20.000 Turkish Lira to 1.000.000.000 Turkish Lira on those who act in breach of the obligation to register with and notify the Data Controllers Registry stipulated in Article 16.

(2) Administrative fines stipulated in this Article shall be imposed on natural persons and private law legal entities who are data controllers.

Turkish Penal Code

Recording of Personal Data

Article 135-

(1) Anyone who unlawfully records personal data shall be sentenced to imprisonment from one to three years.

(2) If the personal data is related to political, philosophical or religious opinions, racial origins, unlawful moral inclinations, sexual life, health status or trade union affiliations of persons, the penalty to be imposed pursuant to the first paragraph shall be increased by half.

Unlawful Provision or Seizure of Data

Article 136-

(1) Any person who unlawfully gives personal data to another person, disseminates it or obtains it shall be sentenced to imprisonment from two to four years.

(2) (Added: 17/10/2019-7188/17 art.) If the subject matter of the offence is statements and images recorded pursuant to the fifth and sixth paragraphs of Article 236 of the Code of Criminal Procedure, the penalty shall be increased by one fold.

Qualifying Circumstances

Article 137-

(1) If the offences defined in the above articles are committed:

a) by a public official abusing the authority of his/her office, or

b) by taking advantage of the convenience provided by a certain profession or art,

the penalty to be imposed shall be increased by half.

Failure to Destroy Data

Article 138-

(1) Those who are obliged to destroy data within a system but fail to do so despite the expiry of the periods determined by law shall be sentenced to imprisonment from one to two years.

(2) (Added: 21/2/2014-6526/5 art.) If the subject matter of the offence is data that must be eliminated or destroyed in accordance with the provisions of the Code of Criminal Procedure, the penalty to be imposed shall be increased by one fold.

Cryptocurrency Scams

The number of victims can be reduced to some extent by raising awareness of personal data breaches. In addition, following news reports that Pi Network, which allows cryptocurrency mining over the phone, caused the theft of approximately 17 GB of personal data, users would do well to be more careful. Our article on the issues to be considered in the Cryptocurrency Exchange will guide you to some extent on this point.

So Do Cryptocurrency Exchange Platforms Have Any Responsibility in This Matter?

The most important problem arising in practice is undoubtedly the security problem. The unlawful acquisition and use of personal data poses a serious risk for both platforms and individual investors. Individual investors will of course want to trade on a secure platform. For this reason, platforms must fulfil their objective duty of care and take the security measures necessary to protect their users.

Since platforms aim to earn more profit by reaching more individual investors in the cryptocurrency exchange, it is of great importance, in line with this goal, that they take all measures for the security of the platform's system, identify system errors and deficiencies, and bring the system up to the latest known state of the art by eliminating those errors and deficiencies.

For example, in order to prevent malicious third parties from harming both their users and their own systems, platforms should create security mechanisms that prevent such persons from accessing the platform, constantly update and renew their systems, take the necessary measures in the event of any irregular transaction, and inform their users immediately when this happens.
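As an added example of the "irregular transaction" control described above (this is not code from the original article or from any exchange), the following Python sketch scores a withdrawal request against the account's own history and holds it for out-of-band user notification when several account-takeover signals coincide. The 5x amount threshold, the 24-hour window after a credential change, and all sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import List, Optional, Tuple

@dataclass
class Withdrawal:
    when: datetime
    amount: float      # in the asset's own unit, e.g. BTC
    address: str       # destination wallet address
    device_id: str     # device/session fingerprint that submitted it

@dataclass
class Account:
    user: str
    history: List[Withdrawal]
    password_changed_at: Optional[datetime] = None

def assess_withdrawal(acct: Account, req: Withdrawal,
                      now: datetime) -> Tuple[str, List[str]]:
    """Return ('allow' | 'review' | 'hold', reasons) for a new withdrawal.
    Each signal alone is common for honest users; two or more together
    match the pattern of a phished account being drained."""
    reasons = []
    if req.address not in {w.address for w in acct.history}:
        reasons.append("destination address never used before")
    if req.device_id not in {w.device_id for w in acct.history}:
        reasons.append("unrecognised device")
    if acct.history:
        typical = median(w.amount for w in acct.history)
        if req.amount > 5 * typical:   # 5x is an assumed policy threshold
            reasons.append(f"amount {req.amount} exceeds 5x typical {typical}")
    if acct.password_changed_at and now - acct.password_changed_at < timedelta(hours=24):
        reasons.append("credentials changed in the last 24h")
    if len(reasons) >= 2:
        return "hold", reasons      # freeze and notify the user out of band
    if reasons:
        return "review", reasons    # e.g. require a second factor first
    return "allow", reasons

# Constructed sample data (not real accounts, devices or addresses).
NOW = datetime(2024, 1, 10, 12, 0)
_hist = [Withdrawal(NOW - timedelta(days=d), amt, "bc1q-KNOWN-EXAMPLE", "dev-A")
         for d, amt in ((30, 0.05), (20, 0.08), (10, 0.06))]
SAMPLE_ACCOUNT = Account("investor-1", _hist, password_changed_at=NOW - timedelta(hours=2))
ROUTINE_REQUEST = Withdrawal(NOW, 0.07, "bc1q-KNOWN-EXAMPLE", "dev-A")   # -> review
DRAIN_REQUEST = Withdrawal(NOW, 1.5, "bc1q-NEW-EXAMPLE", "dev-Z")        # -> hold
```

The routine request is only flagged for a second-factor check because the password was changed two hours earlier, while the drain request trips all four signals and is held.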

In this case, platforms, like banks, should be under an objective duty of care as a requirement of aggravated liability, and in return they should be liable even for slight fault. Indeed, although there is no special provision specific to platforms in our legislation, we are of the opinion that there is no obstacle to reaching this conclusion under the general provisions of the Turkish Code of Obligations.

However, the principle of good faith naturally does not permit placing the entire responsibility on one party to the contract. For a secure trading service to be provided, individual investors are also obliged to fulfil their own responsibilities to the fullest, alongside the platforms. For example, they should change the password they use on the platform at regular intervals, they should not choose passwords that third parties can easily guess, they should not open e-mails from people they do not know, and they should prefer not to make transactions from unfamiliar places or from publicly used places such as internet cafes, bearing in mind that these may have security weaknesses.

Even if individual investors have diligently taken all necessary precautions to prevent their personal data from falling into the hands of third parties, if a breach has nevertheless occurred, platforms should be liable for compensation pursuant to Articles 49 and 112 of the TCO for breach of contract by acting contrary to their duty of care and protection. In this respect, if the investor is at fault in the theft of his/her digital account and in malicious third parties gaining access to his/her personal information, this fault may be considered as contributory fault pursuant to Article 52 of the TCO. In this case, the platform is obliged to prove that it is not at fault in failing to fulfil its contractual obligation pursuant to Article 112 of the TCO, and is also obliged to prove that the investor is jointly at fault.

We also know that Trezor, a crypto hardware wallet manufacturer, recently warned its users against crypto phishing attacks, in keeping with its duty of care and protection.