
11/21/2017
04:45 PM

A Call for Greater Regulation of Digital Currencies

A new report calls for international collaboration to create more transparency with virtual currencies and track money used for cybercrime.

Alternative payment systems, or "virtual currencies" as the Financial Action Task Force (FATF) has dubbed them, have fueled the exchange of illegal goods and services on the Dark Web. Under the shield of anonymity, these currencies have let criminals engage in a growing breadth of illicit activities.

The use of cyberspace for financial activity has expanded opportunities for attackers, writes Tom Kellerman in a new report, "Follow the Money: Civilizing the Darkweb Economy," an initiative for The Wilson Center's Digital Futures Project, where he is a global fellow.

The World Economic Forum estimates cybercrime costs the global economy about $445 billion per year, the report states, citing a stat from the McKinsey Global Institute. It's time for payment systems to be held accountable, according to the report. Many implement Anti-Money Laundering (AML) and Know Your Customer (KYC) protocols, but criminals continue to find workarounds.

"We, as an industry, continue to talk about the symptoms of cybercrime without appreciating the fact that hacking tools and services are all commodities that are facilitated by an economy of scale," Kellerman explains. "The Dark Web has become a full economy of scale by definition."

Indeed, the Dark Web has enabled the sale not only of hacking tools, but all types of personally identifiable information and content promotion services to spread disinformation online. While hacking tools can be expensive, data is not: Identity "packages" can cost as little as 25 cents. Criminal markets include weapon and drug sales, child pornography, and hackers for hire.

Bitcoin is among the most well-known virtual currencies but far from the only one; in fact, most cybercrime proceeds are not laundered through Bitcoin, says Kellerman. Internet-based virtual currencies also include the more anonymous Monero, Dash, and Zcash, as well as China's AliPay, Russia's WebMoney, and Kenya's M-Pesa. While these are commonly used for legitimate purposes, they are also "ripe for abuse," the report says.

"The more anonymous they are, the more likely they are to be used on the Dark Web," says Scott Dueweke, president at the Identity and Payments Association, who provided insight for the report. Anonymity fuels cybercrime and the movement of currencies across systems.

Kellerman says financial institutions, including alternate payment providers, should be able to prove who their customers are and freeze funds used for crime and conspiracies if needed by law enforcement. "The best way to destabilize the capability of cybercriminals to flourish is to put pressure on their capacity to deliver goods and services," he explains.

Since 50% of all crimes now have a cyber component, the report states, it's time to "follow the money" and create an e-forfeiture fund to benefit public and private organizations around the world. The idea is that financial institutions can track funds used for illegal purposes, seize them, and reinvest the money in protecting the infrastructure of the global financial system.

As cybercrime is a global problem, it demands an international solution among public and private organizations, says Dueweke. A public-private partnership could build a de facto or industry-led standard for converting money into alternate payment systems.

"This could create a baseline of respectability and standard of trust that doesn't exist now," Dueweke explains. There is no standard for companies to prove which customers are using virtual currencies for legitimate purposes, and which are using them for crime.

The global initiative would involve the Bank for International Settlements, which is owned by 60 member central banks around the world, the report explains. Because global cybercrime is enabled by cryptocurrencies, all nations should join to regulate and supervise them.

"The fund would represent a global public/private partnership to combat money laundering using these alternative payment systems," the report states. Virtual currencies which refuse to identify their customers or freeze accounts could potentially be linked to criminal activity.

"The only way to get a global standard like that is to have a public/private partnership," Dueweke says.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
Joe Stanganelli,
User Rank: Ninja
11/28/2017 | 9:45:12 PM
Re: 2, 4, 6, 8, what else can we regulate?
@Dr. T: Yeah, the term "trust" gets fuzzy when it comes to blockchain and Bitcoin. Trust the system and the math, but no individual or central source.
Joe Stanganelli,
User Rank: Ninja
11/28/2017 | 9:44:02 PM
Re: 2, 4, 6, 8, what else can we regulate?
@Dr. T: Moreover, many forget that the cost of regulation gets passed directly on to consumers.

Imagine having to pay a set of mandatory regulatory fees for every cryptocurrency transaction and/or being taxed on cryptocurrency holdings!
Dr.T,
User Rank: Ninja
11/28/2017 | 10:44:11 AM
Re: 2, 4, 6, 8, what else can we regulate?
"Messing with cryptocurrencies to defeat cybercriminals is like banning gasoline to defeat arsonists."

I would agree, digital currency is not the problem, it is how we use it.
Dr.T,
User Rank: Ninja
11/28/2017 | 10:42:59 AM
Re: 2, 4, 6, 8, what else can we regulate?
"The whole point is trustless decentralization"

It is actually implicit trust; a blockchain platform is designed with trust in mind.
Dr.T,
User Rank: Ninja
11/28/2017 | 10:41:01 AM
Re: 2, 4, 6, 8, what else can we regulate?
"what else can we regulate"

I agree, regulations tend to not deliver the intended results.
Dr.T,
User Rank: Ninja
11/28/2017 | 10:39:14 AM
Re: Great News
"This ecosystem really needs some regulation"

I would partially agree, however I would not think it would be effective.
Dr.T,
User Rank: Ninja
11/28/2017 | 10:38:29 AM
Digital Currencies
I think digital currencies are not the problem; people misusing them are the problem, so I am not sure if regulations would make any difference.
Joe Stanganelli,
User Rank: Ninja
11/27/2017 | 4:23:07 PM
2, 4, 6, 8, what else can we regulate?
Which, of course, defeats the whole legitimate purpose of cryptocurrencies to begin with. And then why even have them? The whole point is trustless decentralization to make them immune to central-authority interference.

Crime should be dealt with the way one deals with crime. Messing with cryptocurrencies to defeat cybercriminals is like banning gasoline to defeat arsonists.
AutoEcole18,
User Rank: Apprentice
11/21/2017 | 5:34:05 PM
Great News
Such great news. This ecosystem really needs some regulation.