On Feb. 11, Future Tense—a partnership of Slate, the New America Foundation, and Arizona State University—will host an event on cryptocurrencies at the New America office in Washington, D.C. For more information and to watch the webcast, visit the New America website.
“Bitcoin Can Now Buy You Breakfast in Glasgow,” reads a typical recent headline about the increasingly popular cryptocurrency. As media attention has shifted from Bitcoin’s meteoric rise in value to the question of its long-term viability, headlines have cropped up touting how you can now use your Bitcoins to pay for everything from college degrees and space travel to Lamborghinis and houses.
Just as legitimate consumers and companies are exploring and adopting new uses for cryptocurrencies, so, too, are criminals. As awareness about the currency has spread and its popularity has increased, Bitcoins have played a prominent role in several cybercrime stories, including the high-profile shutdown of the drug marketplace Silk Road, on which all transactions were conducted using Bitcoins, as well as the spread of the ransomware CryptoLocker, which held victims’ hard drives hostage unless they made payments in Bitcoins. Then there was the phishing scheme aimed at stealing recipients’ Bitcoins. And the Bitcoin charity donation of 180 BTC (then worth about $2,600, now worth $150,000, according to Forbes) that coincided with raids of cryptocurrency exchanges.
These aren’t new problems, by any means. All of these crimes—extortion, theft, and selling illegal drugs—predate Bitcoins. For that matter, all of them predate the Internet. But just as the rise of the Internet changed the scale and nature of certain types of crime, the rise of cryptocurrencies like Bitcoin has the potential to alter the ways that some familiar crimes are conducted online and how they may or may not be stopped. Since we’re still struggling to get a handle on how to deal with online crimes that involve standard currencies, there’s a good chance that it will take some time still to figure out all the necessary tools and stakeholders for detecting, investigating, and preventing cryptocurrency-based crime.
Despite some claims to the contrary, cryptocurrencies are by no means just for criminals. You might choose to use Bitcoins because you don’t want some purchases linked to your main bank accounts (like, say, a breakfast in Glasgow with someone other than your spouse, or an embarrassing sex toy, or a lifetime subscription to the Justin Bieber fan club), or because you don’t trust some merchants to protect your credit card data. And those merchants might, in turn, choose to accept Bitcoin payments to avoid paying card processing fees and chargebacks.
Nor are Bitcoins the unmarked bills of the digital era. As many people have pointed out, Bitcoin itself does not necessarily protect users’ anonymity since the public records of all Bitcoin transactions can potentially be used to piece together spender’s identities. That’s why some are attempting to develop other, more anonymous cryptocurrencies.
Bitcoins can, however, help criminals circumvent some of the defensive measures that we currently rely on to protect against financial crime. An April 2012 report by the FBI titled “Bitcoin Virtual Currency: Unique Features Present Distinct Challenges for Deterring Illicit Activity” highlights some of the ways that Bitcoin, in particular, might upend existing cybercrime-fighting efforts.
“If Bitcoin stabilizes and grows in popularity, it will become an increasingly useful tool for various illegal activities beyond the cyber realm,” the report predicts, explaining:
“Since Bitcoin does not have a centralized authority, law enforcement faces difficulties detecting suspicious activity, identifying users, and obtaining transaction records—problems that might attract malicious actors to Bitcoin. Bitcoin might also logically attract money launderers and other criminals who avoid traditional financial systems by using the Internet to conduct global monetary transfers.”
At the heart of the FBI’s concerns is that Bitcoin has no “centralized authority,” a body equivalent to the banks and payment processors that play such a crucial role in monitoring for and protecting against online financial crime. It is the credit card companies that are often responsible for detecting major data breaches—like those reported in recent months to have targeted Target, Neiman Marcus, Michaels, and prominent hotel chains—and notifying the affected companies. By tracking patterns across fraud reports from customers, these payment processors can uncover breaches long before the victims themselves.
And these financial institutions do much more than just detect major breaches. In December, following the disclosure of the Target breach, JPMorgan Chase & Co. announced that it would limit customers who had used their debit cards at Target stores to $100 in cash withdrawals and $300 in purchases per day, essentially devaluing the stolen card information for the thieves. The Payment Card Industry Security Standards Council, formed in 2006 by a coalition of major credit card companies, even publishes a list of security requirements for businesses to help them protect sensitive credit card data. In some sense, these centralized financial authorities—companies like JPMorgan Chase, Bank of America, Visa, MasterCard, and others—are at the heart of security measures defending against every stage of online financial crime. They dictate the preventive measures businesses should take, detect the breaches that occur when those measures fail, and try to stem the cash flow to the successful criminals.
The rise of cryptocurrencies could dramatically change which actors have the power to stop cybercriminals, even as they commit the same age-old offenses. For instance, the FBI report identifies “third-party Bitcoin services,” or businesses that exchange Bitcoins for traditional currency, as important players in this new defensive landscape since they may “require customers to submit valid identification or bank information to complete transactions.” But it remains to be seen how effective these services will prove at providing the security services that, for better or for worse, we have come to rely so heavily on banks and credit card companies to provide. If cryptocurrencies like Bitcoin become increasingly mainstream, for instance, and criminals have correspondingly less need to exchange them for traditional currencies, then these exchange services will lose their power to interfere with criminal activity.
Credit card and payment processing companies have become an important force in controlling online crime precisely because for so long credit cards were the only way to spend or steal money on the Internet. If cryptocurrencies succeed at altering that—not just for a small group of niche users and services, but for a broader set of people and purchases—then we will have to seriously rethink how we defend against financial cybercrime. When the Bitcoin ransom note comes, who rides to the rescue, marks the bills in invisible ink, and keeps watch over the pick-up? The crimes may be the same, but the new forms of currency will require the development of new tools and the involvement of new actors to maintain even the baseline level of protection against cybercrime that we have today.
Something to ponder over breakfast in Glasgow.