
11/21/2017
04:45 PM

A Call for Greater Regulation of Digital Currencies

A new report calls for international collaboration to create more transparency with virtual currencies and track money used for cybercrime.

Alternative payment systems, or "virtual currencies" as the Financial Action Task Force (FATF) has dubbed them, have fueled the exchange of illegal goods and services on the Dark Web. Under the shield of anonymity these currencies have let criminals engage in a growing breadth of illicit activities.

The use of cyberspace for financial activity has expanded opportunities for attackers, writes Tom Kellerman in a new report, "Follow the Money: Civilizing the Darkweb Economy," an initiative for The Wilson Center's Digital Futures Project, where he is a global fellow.

The World Economic Forum estimates cybercrime costs the global economy about $445 billion per year, the report states, citing a stat from the McKinsey Global Institute. It's time for payment systems to be held accountable, according to the report. Many implement Anti-Money Laundering (AML) and Know Your Customer (KYC) protocols, but criminals continue to find workarounds.

"We, as an industry, continue to talk about the symptoms of cybercrime without appreciating the fact that hacking tools and services are all commodities that are facilitated by an economy of scale," Kellerman explains. "The Dark Web has become a full economy of scale by definition."

Indeed, the Dark Web has enabled the sale not only of hacking tools, but all types of personally identifiable information and content promotion services to spread disinformation online. While hacking tools can be expensive, data is not: Identity "packages" can cost as little as 25 cents. Criminal markets include weapon and drug sales, child pornography, and hackers for hire.

Bitcoin is among the most well-known virtual currencies but far from the only one; in fact, most cybercrime proceeds are not laundered through Bitcoin, says Kellerman. Internet-based virtual currencies also include the more anonymous Monero, Dash, and Zcash, as well as China's AliPay, Russia's WebMoney, and Kenya's M-Pesa. While these are commonly used for legitimate purposes, they are also "ripe for abuse," the report says.

"The more anonymous they are, the more likely they are to be used on the Dark Web," says Scott Dueweke, president at the Identity and Payments Association, who provided insight for the report. Anonymity fuels cybercrime and the movement of currencies across systems.

Kellerman says financial institutions, including alternate payment providers, should be able to prove who their customers are and freeze funds used for crime and conspiracies if needed by law enforcement. "The best way to destabilize the capability of cybercriminals to flourish is to put pressure on their capacity to deliver goods and services," he explains.

Since 50% of all crimes now have a cyber component, the report states, it's time to "follow the money" and create an e-forfeiture fund to benefit public and private organizations around the world. The idea is that financial institutions can track funds used for illegal purposes, seize them, and reinvest the money in protecting the infrastructure of the global financial system.

As cybercrime is a global problem, it demands an international solution among public and private organizations, says Dueweke. A public-private partnership could build a de facto or industry-led standard for converting money into alternate payment systems.

"This could create a baseline of respectability and standard of trust that doesn't exist now," Dueweke explains. There is no standard for companies to prove which customers are using virtual currencies for legitimate purposes, and which are using them for crime.

The global initiative would involve the Bank for International Settlements, which is owned by 60 member central banks around the world, the report explains. Because global cybercrime is enabled by cryptocurrencies, all nations should join to regulate and supervise them.

"The fund would represent a global public/private partnership to combat money laundering using these alternative payment systems," the report states. Virtual currencies which refuse to identify their customers or freeze accounts could potentially be linked to criminal activity.

"The only way to get a global standard like that is to have a public/private partnership," Dueweke says.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
Joe Stanganelli,
User Rank: Ninja
11/28/2017 | 9:45:12 PM
Re: 2, 4, 6, 8, what else can we regulate?
@Dr. T: Yeah, the term "trust" gets fuzzy when it comes to blockchain and Bitcoin. Trust the system and the math, but no individual or central source.
Joe Stanganelli,
User Rank: Ninja
11/28/2017 | 9:44:02 PM
Re: 2, 4, 6, 8, what else can we regulate?
@Dr. T: Moreover, many forget that the cost of regulation gets passed directly on to consumers.

Imagine having to pay a set of mandatory regulatory fees for every cryptocurrency transaction and/or being taxed on cryptocurrency holdings!
Dr.T,
User Rank: Ninja
11/28/2017 | 10:44:11 AM
Re: 2, 4, 6, 8, what else can we regulate?
"Messing with cryptocurrencies to defeat cybercriminals is like banning gasoline to defeat arsonists."

I would agree, digital currency is not the problem, it is how we use it.
Dr.T,
User Rank: Ninja
11/28/2017 | 10:42:59 AM
Re: 2, 4, 6, 8, what else can we regulate?
"The whole point is trustless decentralization"

It is actually implicit trust; a blockchain platform is designed with trust in mind.
Dr.T,
User Rank: Ninja
11/28/2017 | 10:41:01 AM
Re: 2, 4, 6, 8, what else can we regulate?
"what else can we regulate"

I agree, regulations tend to not deliver the intended results.
Dr.T,
User Rank: Ninja
11/28/2017 | 10:39:14 AM
Re: Great News
"This ecosystem really needs some regulation"

I would partially agree, however I would not think it would be effective.
Dr.T,
User Rank: Ninja
11/28/2017 | 10:38:29 AM
Digital Currencies
I think digital currencies are not the problem; people misusing them are the problem, so I am not sure if regulations would make any difference.
Joe Stanganelli,
User Rank: Ninja
11/27/2017 | 4:23:07 PM
2, 4, 6, 8, what else can we regulate?
Which, of course, defeats the whole legitimate purpose of cryptocurrencies to begin with. And then why even have them? The whole point is trustless decentralization to make them immune to central-authority interference.

Crime should be dealt with the way one deals with crime. Messing with cryptocurrencies to defeat cybercriminals is like banning gasoline to defeat arsonists.
AutoEcole18,
User Rank: Apprentice
11/21/2017 | 5:34:05 PM
Great News
Such great news. This ecosystem really needs some regulation.