Sunday, 18 December 2011

Is Anonymous Cyber Cash Good Or Bad?

Online currencies are not new.  Since the dotcom boom there have been those who have sought to provide a service that enables non-traditional means of payment online.  However, most of the mechanisms that survived have a formal linkage to some real-world form of payment.  For example, PayPal is linked to credit cards or bank accounts.  It provides a level of abstraction when you enter payment details online, thereby confining the risk of your bank details being captured to one place.

But, there has been a rise in another form of online payment which seeks to provide complete anonymity.  Whereas, if they wished, law enforcement agencies could trace back some transaction via, say, PayPal to a real person via their bank, the new forms of exchanging funds aim to isolate the user completely from any investigation.  There are a few of these new services:

  1. eCache: an anonymous bank operating over the Tor network.
  2. Bitcoin: a decentralised (peer-to-peer) digital currency.
  3. Pecunix: an anonymous digital gold currency.

Anyone who knows anything about the Tor network will be aware of how it is used to maintain anonymity in what a user does online.  However, the service that has been worrying people involved in cyber security for some time is Bitcoin.  Why?  Well, it appears to have become the currency of choice for cyber criminals.  There are sites, including some on Twitter, that advertise stolen (or at least valid) credit card details in exchange for a transfer via Bitcoin.

In a previous blog post I talked about how cyber criminals were selling information in a growing "market" that enabled other cyber criminals to mount very powerful attacks.  Whilst the obvious information, such as credit card and identity details, is "for sale", the really high stakes involve the selling of zero day exploits.  If one hacker finds a previously unknown vulnerability s/he can sell it online, sometimes for hundreds of thousands of dollars.

There is a proper exchange rate between real-world currencies and Bitcoin. Hence, we can tell by looking at some of the transactions online just how much these zero day exploits are worth to the cyber criminals.  And it's not necessarily just "criminals" that are operating in this new market.  The Stuxnet attack of 2010 used 20 zero day exploits.  If that attack was mounted by a nation state then you can't help but conclude that they must have bought the knowledge of at least some of the zero day exploits used.

The systems of anonymous banking rely upon public key encryption, but the key to their power is "blind signatures". It is worth noting that this is a peer-to-peer process, and that it relies upon a web of trust developing.  One of the simplest forms of blind signature is the RSA blind signature. But, as you might expect, this has already been attacked, and so more robust algorithms have been (and continue to be) developed.  But why?  Why develop algorithms that can so easily be used to enable anonymity in online transactions?  Well, not all online transactions requiring anonymity are criminal.  Take e-voting, for example.  In a secret online ballot I do not want the person running the systems to necessarily know who I voted for.


It's also worth noting that the physical banking system also has several methods for unregistered transfer of money, so this is not a unique feature of the online world.  Bearer bonds are perhaps the best known.  And, of course, cash is untraceable for most of the transactions in which it is involved.  Having said that, most jurisdictions have a variety of means to discourage mechanisms like bearer bonds or transportation of large amounts of cash.

Of course, the virtual currency has to be converted at some point into currencies that can be used in real-world transactions.  And there's the rub.  These new online currencies have an exchange rate just like any other and that rate is influenced very strongly by the faith that the markets have in it.  Whilst Bitcoin started strongly, there is evidence that it may be tailing off (see conversion rate below).



So, the big questions for debate are:
  1. Should such virtual, anonymous currencies exist at all?
  2. Will they ultimately be undermined by a lack of confidence?

I suspect that the increasing levels of cybercrime are going to raise these questions, and will probably change the answers you might give, over the coming year.