Bitcoin attackers present “a new frontier” for cybercrime, a gathering of top security specialists heard in Barcelona this week.
Government agencies, banks, universities, private companies and consulting firms attending the Anti-Phishing Working Group’s (APWG) eCrime 2015 event on Tuesday were warned by a panel of cryptocurrency experts that research in the sector is lagging behind criminal practice.
Speaking inside the CaixaForum, APWG chairman Dave Jevans, who has been following bitcoin since 2011, told the audience that this knowledge gap presented a challenge for everyone in the room, noting:
“[Cryptocurrencies] have their own world of crime and fraud that we need to explore and understand in the coming years. They also are deeply integrated in the fraud that we deal with today: phishing, ransomware and money laundering.”
Founded in 2003, the APWG is a 2,000-strong member organisation that aims to tackle security threats in the digital age by pooling resources and brainpower across the public and private sectors.
The four-day symposium, billed as the destination “where cybercrime fighters meet and collaborate”, included cryptocurrencies on the agenda for the first time in the group’s 12-year history.
Speaking to CoinDesk, APWG secretary general Peter Cassidy said it had taken a while for digital currencies to gain enough momentum to be taken seriously by the organisation.
Support from merchants like Dell and TigerDirect, he said, played a part in changing this, explaining:
“Like cheques, drafts and wires, [bitcoin] is now part of the panoply of payment mechanisms, part of normal commerce. We have a responsibility to follow normal commerce and its abuse. Our role as stakeholders is to manage that abuse – we owe it to that community.”
“We have to learn to understand how the bad guys are using it to instrument new forms of crime, or old forms of crime with a new [twist],” he added.
The topic of how to go about out-innovating criminal activity featured throughout the day’s cryptocurrency sessions.
The subject first appeared during a short primer on the history of bitcoin led by Jevans and later on a QA panel with four experts in the field: AIT data scientist Bernhard Haslhofer; Maurits Lucas, head of cyber intelligence at Fox inTELL; PayPal analyst Brad Wardman and Gem CEO Ken Miller.
Haslhofer, who presented findings from the Bitcrime project, suggested that there were several methods available to “deanonymise” users of bitcoin, a subject that has been hotly debated by the cryptocurrency’s community.
However, despite some successes in areas like transaction clustering, one privacy tool that has withstood researchers’ scrutiny has been the bitcoin ‘mixing’ model.
With no real way to trace relationships between the senders and receivers using these services, Haslhofer proposed that crimefighters could choose to ‘blacklist’ criminal transactions instead.
“If you taint the output of mixers and demotivate them to use them for a transaction they are of less value.”
Other panelists argued that coordinating and maintaining such lists across exchanges, wallets and law enforcement agencies could prove difficult. Miller went on to suggest that media and consumer awareness could be enough to pressure stakeholders into such an agreement.
Maurits Lucas, head of cyber intelligence at Fox inTELL, presented a skeptical counterpoint to others on the panel, terming the cryptocurrency sector a “Wild West”.
“A lot of the issues that we’re facing here with cryptocurrencies today are the exact reasons why we thought up the institution of a bank in the first place,” he said, adding that the technology is a solution in search of a problem.
Criminals, too, have found the currency problematic, he said. Its volatility means most are eager to cash out and run as soon as possible.
A DDoS researcher in the audience also regaled how bitcoin was a poor currency for other digital criminals, explaining:
“Having spoke to the people running DDoS sites, the fact that they can keep getting paid in bitcoin is of no interest to them because people who buy services off them want to pay in PayPal.”
Jevans was more enthusiastic about the potential benefits of a technology like bitcoin. The Marble Security CEO revealed he had got into the currency early, buying in at $6 a coin.
He later shared images of the goo-cooled custom mining rig he constructed with a friend.
Following Gem’s January announcement that it had implemented a custom Hardware Security Module (HSM) to protect its private keys, Miller stressed that bitcoin could learn a lot from the way the banking industry uses the technology, which “has been done for years.”
The CEO was less bullish on consumer hardware, USB wallets like Trezor and Ledger, which he said were not the answer to “mass scale adoption”.
“My personal opinion is that a software wallet will win the day because I think if you’re not a hardcore bitcoin enthusiast you don’t want to carry something like that around with you. It’s a small market,” he remarked.
Wardman, who talked about account validation at PayPal earlier in the day, agreed that overcomplicating tech could be a barrier for some users – despite the benefits, adding:
“I’m a big fan of two-factor authentication but I guess one concern I have is how the older generation who already struggle with current tech will cope.”
A show of hands in the room indicated that around 10% of attendees owned bitcoin. However, with one in every tenth coin stolen, audience members questioned how the cryptocurrency could cross into the rest of the room, let alone reach widespread mainstream use.
Consumer adoption aside, due to the sophistication and skill of bitcoin attacks, Cassidy warned that cryptocurrencies would be something the group could not afford to ignore. The topic would now be a fixture on future APWG events, he added.
“It’s a scary moment to imagine the level of skill and sophistication of an attacker who wants to game bitcoin. It’s a different kind of attacker. It’s a new frontier.”
Miller said it was obvious that bad actors would feature in some of bitcoin’s 20 million wallets, emphasising that criminals have historically been “the early adopters of things”.
However, he added, this shouldn’t deter those exploring bitcoin’s legitimate uses, concluding:
“In the early days of the Internet, it was only for gamblers, illicit activity and drug dealers and pornography, fortunately we didn’t all subscribe to that and it’s changed all our lives.”
Images via Grace Caffyn for CoinDesk