That was then, this is now

by on May 14, 2017 at 2:58 am in Economics, Law, Web/Tech | Permalink

Several of London’s largest banks are looking to stockpile bitcoins in order to pay off cyber criminals who threaten to bring down their critical IT systems.

The virtual currency, which is highly prized by criminal networks because it is difficult to trace, is being acquired by blue chip companies in order to pay ransoms, according to a leading IT expert.

That is from October of last year, via Brian S.  I wonder how much such “precautionary demand” has pushed up the price of Bitcoin?

1 bdbd May 14, 2017 at 7:25 am

Makes Bitcoin something of a preserve currency, doesn’t it?

2 JWatts May 14, 2017 at 4:48 pm

Reserve currency ?

3 Bill May 14, 2017 at 7:41 am

What could possibly go wrong with currency that accumulates outside of a regulated or monitor able system–where banks do not have to report large cash transactions, money does not have to be carried in a suitcase to pay the cocaine factories, where you have to use physical currency in small denominations etc.

Perhaps we had fewer kidnappings, large drug transactions, bribes, or extortions because one link in the chain was monitorable or involved high transaction costs when it involved cash. In other words, the monetary system impeded illegal behavior by imposing costs or detection risks for illegal activity.

Bitcoin could become monitor able by requiring that transactions go through approved hubs or be stored in approved facilities, but then it wouldn’t be bitcoin.

That’s my two bitcoins worth of thought.

4 Paavo O May 14, 2017 at 8:20 am

I don’t see why governments tolerate bitcoin as much as they do. I think using it should be illegal, because it’s only uses are facilitating illegal transactions.

5 Ricardo May 14, 2017 at 11:32 am

Bitcoin is simply a publicly distributed ledger with some crypto-magic to make it almost impossible to introduce fraudulent transactions or alter the record after the fact — it is difficult to imagine narrowly tailored legislation that bans it without having lots of unintended consequences.

That aside, a lot of scammers rely on iTunes gift cards, prepaid debit cards or other similar things to receive the proceeds of crime so there is nothing particularly unique or sinister about bitcoin with respect to petty extortion and fraud.

6 Paavo O May 14, 2017 at 12:02 pm

You can make buying bitcoin illegal, so any service that exchanges dollars or euros to bitcoin would be illegal. That wouldn’t stop it, but make it more difficult and less widespread. Itunes gift cards, prepaid debit cards are a lot less useful in ransom and other crime and increase transaction costs significantly and are a lot easier to use to track down criminals.

Cash is already heavily regulated and increasingly so, with goal being to get rid of it. Large cash transactions are a sign of something illegal going on.

7 Ricardo May 14, 2017 at 12:28 pm

You can certainly regulate the activity of cashing in or cashing out bitcoin or regulate businesses that accept bitcoin as payment — and I suspect we will see some efforts in that direction if they aren’t in place already — but it is much harder to imagine stopping people from running bitcoin mining operations. This latest randomware case involves amounts of as little as $300 so each instance of extortion is comparable to the India-based IRS tax scam, which used iTunes gift cards. As far as I can tell, tracing the gift cards did not play a major role in identifying and arresting the responsible individuals.

8 Jayson May 14, 2017 at 2:52 pm

Exactly, this is why no illegal transactions happen in dollars. Because it is illegal.

9 Bill May 14, 2017 at 12:03 pm

Try taking $10,000 or more in cash to a bank sometime.

10 Ricardo May 14, 2017 at 12:41 pm

Absolutely, but we are not talking about amounts of $10,000 or more at a time. These hackers are apparently demanding $300 per infected user. There are many ways to receive and launder amounts of $300 even without bitcoin. For a shockingly underreported and egregious example, google Bangladesh Bank heist sometime where millions of fraudulent wire transfers were laundered through the Philippines and are apparently untraceable and unrecoverable.

11 Dan Lavatan-Jeltz May 14, 2017 at 7:54 pm

While it should be legal generally, these particular transactions would violate criminal law on money laundering and if banks are going to be regulated at all any bank that pays any ransom should have its banking license permanently revoked.

12 Troll Me May 14, 2017 at 9:52 am

There are other ways to promote a more rapid move to a Bitcoin alternative.

For whatever costs in terms of potential criminality there might be, the ability to transact anonymously should be upheld. Cash is one way to do this.

The limits of bitcoin expansion are more related to the need of central banks to be able to manage monetary supply for economic stability purposes.

13 Bill May 14, 2017 at 12:05 pm

Small cash is always anonymous, but try getting a $100 k in small bills sometime, or try moving between countries with that amount, or using a banking system to deposit the money.

14 Troll Me May 14, 2017 at 1:55 pm

Yes.

But no one who needs to do 100k transactions in cash is up to any good.

I prefer that my brand of coffee preference, time and date of all minor transactions, etc., should be easily anonymous if preferred.

When you cross borders, most countries set the limit at $10,000 US equivalent. If you cross the border with more than that much in cash, it may be confiscated (or worse).

15 Dan Lavatan-Jeltz May 14, 2017 at 7:53 pm

That is a lie, you can bring as much cash as you want you just have to declare it. But things like warehouse receipts are legal in any amount and need not be declared. Governments and crooks are both just stupid.

16 Boonton May 14, 2017 at 10:00 am

US currency accumulates outside of a regulated/monitorable system. Remember actual cash is just pieces of paper that can be shrink wrapped and passed from one entity to another with absolutely no record beyond which those entities opt to create. Bank deposits are regulated and able to be monitored but ultimately the cash isn’t. I see no reason why you couldn’t have a bank that would accept Bitcoin deposits and simply report them the way they report cash deposits from customers.

17 Dick the Butcher May 14, 2017 at 10:11 am

This reminds of the 18th and 19th century European powers paying tribute to the Barbary Pirates.

Two bitcoins is a fistful of Federal Reserve Notes.

Has anyone measured how much “impeded illegal behavior” there was or the costs? I see good intentions and Feelings . . . Nothing More Than Feelings. . . We Did Something!

“. . . the monetary system impeded illegal behavior by imposing costs . . . ” To be clear. It was not the monetary system. It was the Congress that imposed a form of conscription (involuntary servitude to fight the wars on drugs and tax evasion – The Bank Secrecy Act/anti-money laundering legislation) and another tax on financial intermediaries.

Possibly, the London banks’ purchases contributed to the rise of bitcoin to above $1,800, or approximately 150% of the MV of a troy ounce of gold. See May 15, 2017 Barron’s, Kopin Tan, “Fasten Your Seat Belts” penultimate paragraph.

18 chuck martel May 14, 2017 at 11:42 am

Criminals, ie. people that don’t follow government diktats, also steal cars and bicycles. Eliminating those things would prevent their theft. Driving with a blood alcohol level above a certain point is a crime. Maybe prohibition of its consumption would make sense. Texting on magic phones can cause serious accidents. Perhaps cell phones should be forbidden or, at the least, locked in the trunk of cars, like liquor. No statistics are kept for the problem but dogs running loose in the passenger compartment of autos inevitably cause accidents. For sure, dogs should be restrained in the back seat, like infants and toddlers. The logic behind getting rid of cash because it’s used in criminal activity can easily be extended to many other aspects of life. Fortunately, limitless human ingenuity would find ways around restrictions on personal exchange.

19 byomtov May 15, 2017 at 3:00 pm

While I take your point, I think you are overlooking something. Bicycles and dogs do not have, as their principal purpose, facilitating criminal activity. Bitcoin seems to, and even if that is not the main purpose it does seem to facilitate crime on a very large scale relative to other uses.

It is necessary to draw distinctions. Absolutes are only rarely helpful.

20 byomtov May 15, 2017 at 6:23 am

I admit I don’t really understand bitcoin, so my questions may be foolish, but here goes:

1. What can you actually buy with bitcoin, and from who?

2. Is it possible to require merchants to report sales paid for in bitcoin, including identifying the buyer?

3. If identifying the buyer is impossible or impractical, is it possible to institute a tax on bitcoin sales so big that merchants longer accept bitcoin?

21 Daniel Weber May 15, 2017 at 10:16 am

1. You can buy from any merchant who accepts bitcoin, the same way if you have dollars you can buy from any merchant who accepts dollars.

2. You can “require” anything. There might be constitutional problems with requiring merchants to report customer information to the government.

3. Same as #2.

22 Ricardo May 15, 2017 at 12:15 pm

On #2, we already have rules requiring businesses to confirm the identities of their customers. Banks, gun stores, sellers of prescription drugs and pseudoephedrine, car dealers, casinos when dealing with high rollers, etc. It is fair to allow people a certain degree of privacy for small transactions or purchases but to increase scrutiny the bigger the amounts of money are.

23 byomtov May 15, 2017 at 2:54 pm

Daniel,

Thank you.

24 jonathan May 15, 2017 at 2:59 pm

All US-based cryptocurrency exchanges (the places you can buy and sell between fiat currency and cryptocurrency) are now implementing KYC (know your customer) policies. In terms of turning cryptocurrency into money in the US, that is the only way I know, and a logical regulation point: to/from fiat requires some level of identification. I don’t know what the reporting requirements are for the exchanges though.

Selling cryptocurrency privately to someone else runs afoul of the law, at least in Missouri: http://www.coindesk.com/localbitcoins-user-pleads-guilty-undercover-sting/ and probably other places too.

25 Daniel Weber May 15, 2017 at 10:17 am

currency that accumulates outside of a regulated or monitor able system

You should learn the first thing about Bitcoin. There has never been a currency system more easily monitored. Every transaction is visible to everyone.

26 Brit Coyne May 14, 2017 at 8:09 am

Maybe increasing the penalties for bitcoin extortion would help. Have the culprits treated like terrorists at Gitmo, with no access to lawyers etc. They would still be just as hard to trace, but maybe the casual teen hackers would be deterred if they faced a potential life sentence in federal lockup.

27 Ricardo May 14, 2017 at 8:24 am

Some of these attacks are probably coming from Russia and Russia is notoriously unhelpful when it comes to prosecuting their own citizens for cybercrime or extraditing them to the U.S. On the rare occasions when Russian suspects who steal from and defraud Americans face justice, it is typically because they go on vacation to a country that is willing to extradite. Thailand is still deciding whether to extradite two Russian fraudsters to the U.S. or send them back to Russia where they will receive a slap on the wrist if that. In another recent case, a Russian suspect was essentially subject to rendition while on vacation in the Maldives and bundled onto an FBI-chartered jet bound for Guam before Russia had a chance to complain.

28 Mitch Berkson May 14, 2017 at 9:57 am

Aren’t the arguments against that the same as the ones used to explain why we don’t impose the death sentence for shoplifting?

29 Dangling Pointer May 14, 2017 at 10:13 am

But the hackers are going to be White/Asian, so it will be easier to hold them responsible for their actions.

30 Troll Me May 14, 2017 at 10:29 am

Should we find out if they are guilty or innocent before, or after, they are tortured for years on end?

The spectacle of punishment is not evidence of guilt.

31 rayward May 14, 2017 at 8:39 am

Is net neutrality partly responsible for this? If net neutrality were overturned by the new FCC chair would that make cybercrime more difficult and easier to detect? Do the opponents of net neutrality gain by cybercrime? I’m not so sure the medium of payment contributes to cybercrime, but maybe the enormous financial payoff to some companies if net neutrality were ended might.

32 Troll Me May 14, 2017 at 10:40 am

Yes, the ability to control or ban access, including speed of access, to any site, would enable other things too.

It could start with bandwidth limitations on those expressing insufficiently pro- or anti-Kremlin positions, with the possibility of physical and mental attacks in formal or informal prisons (the second of which including mental health facilities, under something known as “psychiatric reprisal”, which is reputed to have been used for hundreds of thousands at least under the Soviets) before simply blocking the site.

Maybe the IT backbone companies could squeeze out another 0.1% profit by abolishing net neutrality, until the costly process of breaking them up would have to be instituted. Among other things, it encourages vertical integration. In the days when just a handful of national newspapers had major influence nationwide, for delivery purposes at least the roads were equally accessible to all.

Setting lower speed limits for small players is not right. Consumers should be empowered to make these choices through the bandwidth speeds they pay for. (This is the status quo.) It should not be left to the ISPs to decide which websites will get slow or fast access. That would be wrong.

33 rayward May 14, 2017 at 11:36 am

So ISPs today might be less than vigilant in combating cybercrime in the hope that cybercrime will result in the end of net neutrality and allow the ISPs to substantially increase their revenues? Of course, that’s ridiculous, about as ridiculous as Trump collaborating with the Russians to get himself elected president and then using that status to benefit Trump Enterprises.

34 GoneWithTheWInd May 14, 2017 at 10:14 am

“Critical IT systems” should not be connected to the internet. You would think after 15-20 years of serious and expensive hack attacks that management would have figured this out. I blame the IT department. It is full of perennially over confident geeks who think they can keep the system safe from hackers. I also blame management who believes that anything that can be done with a computer should be done.

35 Ricardo May 14, 2017 at 11:09 am

I think real geeks would want nothing more than to force everyone else in their company to use a Linux-based system and restrict access to the internet as much as possible. Nobody else wants this, though, and so we have organizations where everyone is using Windows with full internet access. Windows is simply terrible for security and everyone has known this for at least the past 15 years but everyone outside of the geek set is simply too dependent on it and on software that only runs within Windows to change.

36 A Definite Beta Guy May 14, 2017 at 12:38 pm

A lot of hospital hardware uses legacy systems. A friend of mine works for an advanced university health system, and recently an old research unit was toasted. They are now looking for Windows 95, because the only usable software runs only on Windows 95. Otherwise the whole unit is a high-five-figure paperweight.

He’d love to get all these old items disconnected from the internet, but the business decision-makers will not let him. He had to push EXTREMELY hard to get permission to remote-brick employee cell phones if they are stolen. Employees and business leaders hate it.

Apparently, legacy software in hospital systems is common, because upgrading to new software requires upgrading to new hardware, and new hardware is expensive. You can’t really “disconnect” from the internet either, because service agreements ban it (apparently). Also, what’s the point of having a MRI that’s not connected to any other network?

Note: I am not an IT expert. But the IT people I know, and the IT people I follow on the web-er-netz, are well aware of these issues, have known them for years, and do not have the permission to implement the expensive fixes.

37 Cyrus May 14, 2017 at 1:53 pm

You can run unpatchable legacy software if you have to, but in a business environment there’s no excuse for not segmenting such workstations down to only a whitelist of necessary network connections.

38 AlanG May 14, 2017 at 2:51 pm

I read that England’s National Health Service was still running Windows XP which MSFT has not provided security patches for several years. Those who updated the MSFT March security patch could not be hacked with this latest worm and most of the commerical anti-virus programs were also prepared to prevent infection. It’s correct that a lot of places run legacy systems for a couple of reasons. they may have an old software solution that is adequate for the job and updating the OS would mean spending more money to purchase new applications. Secondly, the computer system may be part of a critical control manufacturing unit and has passed regulatory compliance in terms of validation (very ijmportant for systems in pharmaceutical manufacturing). Shifting OS will require new testing and validation which is not a trivial matter.

Shifting to Linux, while appealing, is not a good answer as the number of needed applications are limited. Companies are interested in off the shelf apps which is why Windows OS is so useful in the corporate world.

39 Dan Lavatan-Jeltz May 14, 2017 at 8:04 pm

Linux is no more secure than Windows, particular Linux distros 15 to 20 years out of date. Windows gets attacked more because it is in use more, if everyone ran Linux (or Apple’s FreeBSD) everyone would write Linux malware. If IT tries to restrict Internet access users will just use hotspots and such to bridge the network. The problem is they should have good backups, the ability to re-image any system in real time, and a strict policy never to pay ransoms. Of course the NHS is all a bunch of iatrogenic socialist waste, and the government is to blame by not responsibly disclosing the vulnerabilities when the systems were supported.

40 Matthew Young May 14, 2017 at 10:30 am

Card logic has a password card. Tap the password icon with it to access critical info and you are protected. . The reason we send our cyber money to hackers is so Google and Facebook have open access for ads. Security is simple, protecting the web is simple, just do it or send your money to cyber thieves, your choice.

41 Troll Me May 14, 2017 at 10:48 am

Most workplaces do not follow even the most basic of safe IT security practices.

Now that most people can play their addictive Facebook games on their phones, in between reading fake news and uploading massive amounts of psychometric data into the cloud for whoever might use it to model and then brainwash individuals or entire societies …

… well, since you can do all that on your phone, what reason could any workplace have to allow Facebook or other tracking-heavy sites with high likelihood to contain links to websites with hostile code?

42 Potato May 14, 2017 at 3:12 pm

Nathan,

Targeted ads for things you’ve googled is not brainwashing. Care to provide any evidence of successful brainwashing ? This is tin foil hat , rambling homeless man level stuff. Even for you.

Links or it didn’t happen. Psychology studies can’t even be replicated. They’re complete nonsense as it is. The diagnostic tests for psychiatric illnesses are basically “well, you know it when you see it”. And you think they’re about to brainwash society. Unless the replication crisis is part of the conspiracy??! Omegehrd the incompetence of psychology as a discipline is a ploy to lull us into a false sense of security!

43 The Original D May 14, 2017 at 10:56 am

This is essentially the reason I bought Bitcoin a couple years ago: its use for illicit trade.

44 The Original D May 14, 2017 at 10:57 am

To be clear, not for me to use it illicitly, but because I believe demand will grow for quite some time.

45 derek May 14, 2017 at 11:39 am

We have to get our best people on this. Maybe the NSA.

46 AlanG May 14, 2017 at 2:53 pm

What would be really funny is if hackers can disrupt a user’s bitcoin locker so that the money is not available.

47 Ricardo May 14, 2017 at 4:05 pm

Bitcoin “miners” (meaning, those who maintain the ledger) could theoretically collude and simply refuse to record any transaction involving a certain address. However, the sender in a transaction can include a transaction fee and so in an environment where miners are competing with each other to collect transaction fees and add more blocks to the blockchain, it is difficult to sustain such collusion. Governments may try to regulate miners and require them to blacklist certain addresses — it will be interesting to see if they try and if they succeed.

48 BC May 14, 2017 at 3:24 pm

How credible has the US Govt’s claim been that they don’t negotiate with terrorists, i.e., is there any evidence that it has resulted in fewer hostage takings, ransomware attacks, etc.? I wouldn’t count hostage takings of Americans where the ransom demands have been made to families or other non-governmental entities. Can banks or other private corporations make credible pre-emptive claims that they will not negotiate with terrorists?

49 BC May 14, 2017 at 3:28 pm

Obviously, stockpiling bitcoins sends the opposite message. Could corporations include in their corporate by-laws provisions that they can’t pay ransoms, for example, such that doing so would expose the management to shareholder lawsuits?

50 Dan Lavatan-Jeltz May 14, 2017 at 8:09 pm

Of course, shareholders can put whatever they want in the bylaws and the individual employees would be bound by them and would ignore management even if they tried to act illegally. However, in practice corporations all have useless bylaws that don’t do anything, and shareholders just sell rather than try and get management to act responsibly. Of course in the case of the NHS, there is zero accountability, unless the people are willing to not be communist anymore. Even in the US people elected in the primary to fight socialism seem not to want to, even with a majority in the legislature and fairly clear popular mandate.

51 JWatts May 14, 2017 at 4:52 pm

“Several of London’s largest banks are looking to stockpile bitcoins in order to pay off cyber criminals who threaten to bring down their critical IT systems.”

I’m not sure I understand this. All of the current hacking is merely a remote encryption scheme which can be trivially thwarted via regular backups. Instead of paying a ransom, you recover an image from before the virus and then recover a second image from just before the end of the ransom period. Then copy any new data from the latest image to the older safe image through a sanitary process.

This is all trivial. So, it leads me to believe that the stated reason they are acquiring BitCoins, but it may not be the real reason. Or perhaps they fear a far more sophisticated attack in the future?

52 TMC May 15, 2017 at 12:07 am

This is a C level decision. They don’t have the slightest clue what you are talking about. But it’s real cool to be stockpiling bitcoins.

53 jonathan May 15, 2017 at 4:05 pm

It’s “somethings-on-fire” psychology: Sure you have the backups and business continuity plan, but if the cost of restoring from backup is 2 hours and $x million in lost revenue while systems are down, but the attacker can get you back online immediately for $50k, you might pay the ransom, then rotate out the hacked systems later on in a managed maintenance event, when you’re out of panic mode.

Comments on this entry are closed.

Previous post:

Next post: