On Friday 12th May the world paused and drew breath
as cybercriminals launched WannaCryptor (popularly known as WannaCry), a
ransomware attack that dominated news and conversations around the
globe. Companies shut down technology that they rely on to trade, to treat
patients and to communicate with customers. The results for many of the
affected companies and their customers were devastating.
Security experts everywhere were called into action
to combat the ransomware that was unleashed as companies and organizations
attempted to return to normal trading and practice. The vulnerability used as
an entry point to infect machines was in Microsoft Windows. The National
Security Agency apparently knew about it; then someone leaked the details and
the cybercriminal took advantage of the situation.
We may never know what motivated the cybercriminal
to unleash WannaCryptor, but we do know that there was financial gain. The
ransomware encrypted files and offered to decrypt them for $300, payable in
bitcoin.
I am sure many of you, like me, have watched crime
dramas where the law enforcement dudes say ‘follow the money’ as the method to
find the real criminal behind a crime. Can you follow the money flow for
WannaCryptor? Apparently not.
If you’ve attempted to open a bank account or
applied for a credit card then you know the financial services industry has
strict regulations requiring the identification of the person opening the
account. The regulations extend to businesses and staff opening accounts or
applying for a credit card terminal; the people responsible go through a
process of being identified so they can be held responsible. The regulations
are there to combat fraud and money laundering — in other words, to stop crime
in the financial system.
Why does the criminal behind WannaCryptor
only accept payment with bitcoin?
The Bitcoin website states that
“bitcoin is open-source; its design is public, nobody owns or controls bitcoin
and everyone can take part” and goes on to state: “Bitcoin allows exciting
uses that could not be covered by any previous payment system.”
The concept of a virtual currency is potentially a
good one: exchange-rate free and accepted globally, so there would seem to be
benefits for businesses and consumers. How do I join the bitcoin community and
reap the benefits of this virtual currency? To start with, I need a wallet to
hold my virtual cash.
There are several wallet vendors, just as in the
physical world, with some offering additional privacy by rotating addresses and
others offering services that remove the need to validate payments.
Once I’ve selected my wallet I can generate an
address, a virtual location to receive funds; the recommendation is a different
address for every transaction to enhance my privacy. The messages of rotating
addresses and using a new address for every transaction start to give me the
confidence that I am going to be able to remain hidden, private and anonymous.
Ok, my wallet is full, how do I get the
money?
My wallet, which is an account, is bursting at the
seams and I want to withdraw my funds. There are two methods: register with an
exchange, or trade in person. Registering with an exchange will require positive
identification, uploading utility bills and stuff that we are used to doing at
normal banks. Alternatively, you can trade directly with another person, meet
them, exchange a QR code for cash and walk away.
The ‘in person’ method of cashing out means another
unidentified person now holds the virtual money in his wallet and I remain
completely anonymous. Needing to move the funds on may not be essential though
— holding on to them as an investment or anonymously trading for services could
be alternatives.
Bitcoin is often regarded as an anonymous currency
because it is possible to send and receive bitcoins without giving any personal
identifying information. True anonymity may be impossible, as the cashing out
process could require a physical meeting, but it is probably reasonable to say
it’s pseudonymous.
Financial institutions around the world have
sophisticated systems to detect money laundering, such as large sums moving
from account to account. If you have ever sold a property and had the funds
deposited in an account, you may have had to go through the experience of
explaining where the funds came from.
In the virtual currency world there seem to be no –
or very limited – requirements to track the flow of money, making it an ideal
solution for criminals, fraudsters and terrorists to use for storing and moving
their funds. A secret currency.
As with all new innovative technology, it takes
time for regulators and governments to catch up. Now would seem an opportune
moment, though, for the same requirements imposed on financial organizations to
be migrated to the new world of virtual currency, making “follow the money” a
reality again. Taking action now by cutting off the ability to have an
anonymously traded currency could stop the next major cyberattack.