But there has been a rise in another form of online payment, one which seeks to provide complete anonymity. Whereas law enforcement agencies could, if they wished, trace a transaction made through, say, PayPal back to a real person via their bank, the new forms of exchanging funds aim to isolate the user completely from any investigation. There are a few of these new services:
- eCache: an anonymous bank operating over the Tor network.
- Bitcoin: a decentralised (peer-to-peer) digital currency.
- Pecunix: an anonymous digital gold currency.
In a previous blog I talked about how cyber criminals were selling information in a growing "market" that enabled other cyber criminals to mount very powerful attacks. Whilst the obvious information, such as credit card and identity details, is "for sale", the really high stakes involve the selling of zero day exploits. If one hacker finds a previously unknown vulnerability, s/he can sell it online, sometimes for hundreds of thousands of dollars.
There is a proper exchange rate between real-world currencies and Bitcoin. Hence, we can tell by looking at some of the transactions online just how much these zero day exploits are worth to the cyber criminals. And it's not necessarily just "criminals" that are operating in this new market. The Stuxnet attack of 2010 used 20 zero day exploits. If that attack was mounted by a nation state, then you can't help but conclude that they must have bought the knowledge of at least some of the zero day exploits used.
The systems of anonymous banking rely upon public key encryption, but the key to their power is "blind signatures". It is worth noting that this is a peer-to-peer process, and that it relies upon a web of trust developing. One of the simplest forms of blind signature is the RSA blind signature. But, as you might expect, this has already been attacked, and so further, more robust algorithms have been (and continue to be) developed. But why? Why develop algorithms that can so easily be used to enable anonymity in online transactions? Well, not all online transactions requiring anonymity are criminal. Take e-voting, for example: in a secret online ballot I do not want the person running the system to necessarily know who I voted for.
Of course, the virtual currency has to be converted at some point into currencies that can be used in real-world transactions. And there's the rub. These new online currencies have an exchange rate just like any other, and that rate is influenced very strongly by the faith that the markets have in them. Whilst Bitcoin started strongly, there is evidence that it may be tailing off (see conversion rate below).
So, the big questions for debate are:
- Should such virtual, anonymous currencies exist at all?
- Will they ultimately be undermined by a lack of confidence?