The Security and Utility of Blockchain Technology

FROM THE ARCHIVES

Zach Capers, CFE
Contributing Author, Association of Certified Fraud Examiners

The technology underlying the virtual currency bitcoin has the potential to disrupt several industries while significantly reducing fraud. Known as blockchain, the technology was created to ensure the legitimacy of every bitcoin transaction by recording each one in a distributed public ledger. Bitcoin has endured a divisive reputation due to its volatile value and its use in illicit transactions on the Deep Web; however, the security and utility offered by its blockchain is anything but controversial.

Any addition to bitcoin’s chain of information represents a new block that must be validated by every copy of the ledger spread across a worldwide computer network. Because the ledger is permanent, public and decentralized, it is incredibly difficult to defraud. These characteristics have resulted in an influx of investment and research aimed at adapting the blockchain concept to a diverse array of new applications.

Illuminating Supply Chains
The information in a blockchain can consist of anything that can be represented digitally. As such, blockchain technology can be used to ensure the authenticity and source of any number of products from organic produce to jewelry. For example, a start-up named Everledger is betting that a diamond’s myriad attributes can be recorded and tracked using an inscribed serial number and a digital blockchain to ensure that the stone being purchased is authentic.

This idea can be applied to a host of high-end goods that have typically relied on paperwork and certificates of authenticity that can be faked far more easily than a blockchain can be manipulated. Furthermore, stolen goods that are recovered can be re-authenticated to regain their value, which is important to former owners and insurance companies that have paid claims on stolen goods. 
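An added example (not from the original article): a simplified hash-linked ledger in Python, showing why the replicated record described above is harder to falsify than a paper certificate. The serial number, record fields and function names are constructed for illustration, and proof-of-work, signatures and networking are left out.

```python
import copy, hashlib, json
from collections import Counter
GENESIS = "0" * 64  # previous-hash value used by the first block

def block_hash(index, prev, record):
    body = json.dumps({"index": index, "prev": prev, "record": record}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append(chain, record):
    prev = chain[-1]["hash"] if chain else GENESIS
    i = len(chain)
    chain.append({"index": i, "prev": prev, "record": record,
                  "hash": block_hash(i, prev, record)})

def first_invalid(chain):
    """Index of the first block whose hash or back-link fails, else None."""
    prev = GENESIS
    for i, b in enumerate(chain):
        if b["index"] != i or b["prev"] != prev or b["hash"] != block_hash(i, prev, b["record"]):
            return i
        prev = b["hash"]
    return None

def majority_tip(replicas):
    """Latest hash shared by a strict majority of internally valid copies."""
    tips = Counter(r[-1]["hash"] for r in replicas if r and first_invalid(r) is None)
    tip, votes = tips.most_common(1)[0] if tips else (None, 0)
    return tip if 2 * votes > len(replicas) else None

def demo():
    ledger = []
    # Constructed sample records for a stone with a made-up serial number.
    for rec in [{"serial": "EX-0001", "event": "registered", "carat": 1.02, "cut": "round"},
                {"serial": "EX-0001", "event": "sold", "owner": "owner-A"},
                {"serial": "EX-0001", "event": "reported_stolen"},
                {"serial": "EX-0001", "event": "recovered", "owner": "insurer-B"}]:
        append(ledger, rec)
    honest = [copy.deepcopy(ledger) for _ in range(3)]
    # Case 1: a record is edited in place, so its stored hash no longer matches.
    edited = copy.deepcopy(ledger)
    edited[0]["record"]["carat"] = 2.50
    # Case 2: a copy rebuilt without the theft report is self-consistent but disagrees with the rest.
    rebuilt = []
    for b in ledger:
        if b["record"]["event"] != "reported_stolen":
            append(rebuilt, b["record"])
    tip = majority_tip(honest + [edited, rebuilt])
    return first_invalid(edited), first_invalid(rebuilt), rebuilt[-1]["hash"] == tip, tip == ledger[-1]["hash"]

print(demo())
```

The edited copy fails its own integrity check at block 0, while the rebuilt copy passes that check and is caught only because its latest hash differs from the one the majority of copies hold.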

The Rise of Smart Contracts
One of the most heralded potential uses of blockchain technology is its ability to facilitate smart contracts. Rather than a standard legal contract that must be litigated or otherwise disputed if breached, a smart contract can enforce itself through digital means when preset terms are met, and revoke the contract automatically if the terms are breached.

Ethereum, a crowd-funded smart contract platform, might foretell the future of smart contracts. The network allows users to input virtually any stipulations (e.g., if this, then that) into the smart contract's blockchain and exchange value using virtual currency. For example, if one were to purchase an item from an online seller, a smart contract could be employed to hold the payment in escrow until a tracking system confirms that the item has been delivered.

Another example of a smart contract platform applies to the streaming music industry. Renowned English singer-songwriter Imogen Heap recently released a new single on Ujo Music, a company that allows artists to register and track their creations on a blockchain using associated smart contracts that allow the listener to stream the song only after specified conditions (e.g., payment, terms of use) have been satisfied. The idea is to foster an equitable method of music distribution that provides artists with more control over how their music is shared and for how much it is sold.

Impact on Financial Institutions
A key advantage of blockchain is that it allows two entities that do not necessarily trust one another to trust the transaction between them. Because a blockchain can only be updated when there is consensus among the participants, the need for a third party to mediate a transaction is lessened or removed. This can alleviate many factors that complicate financial transactions (e.g., need for collateral, time required for settlements) and automate many banking processes currently requiring human interactions that add time, costs, and opportunities to commit fraud.

Stock exchanges around the world have begun to experiment with blockchains. The Japan Exchange Group announced a collaboration with IBM to test securities trading in a blockchain environment. The Australian Stock Exchange has partnered with Digital Asset Holdings, a blockchain start-up founded by well-known former JP Morgan executive Blythe Masters, to increase efficiencies related to post-trade settlements. To keep pace, the Toronto Stock Exchange hired the co-founder of aforementioned smart contract platform Ethereum to serve as the organization's first chief digital officer.

Conclusion
While blockchain technology is still in its infancy, it is not too early to see bitcoin as the first use case of a versatile and potentially revolutionary concept. From proving an asset’s origin to the streamlining of high finance, various new uses for blockchain continue to emerge. And while applications might vary greatly, what they all have in common are enhanced audit trails, increased efficiency and improved transparency — each of which is a known foe of fraud.

*For background on bitcoin, I recommend listening to this Fraud Talk podcast by Jacob Parks, J.D., CFE.

**This article was originally published in the ACFE's members-only monthly newsletter, The Fraud Examiner in April of 2016.

Bitcoin and the Future of Bribery

GUEST BLOGGER

Dennis Lawrence, CFE, CAMS

Lawrence is a Denver-based risk consultant.

Bitcoin’s value in the criminal underworld continues to rise. Although well known as the preferred payment method on the Deep Web for illegal goods and services, the digital currency has attracted the attention of increasingly shadowy figures seeking to anonymously transfer funds. ISIS advocates its use for terrorist financing, and kidnappers seeking ransom payments have even begun demanding bitcoins instead of cash. Given its popularity amongst wrongdoers, discussions surrounding the role of digital currency in the multi-billion dollar business of bribery are curiously absent. Silence on the issue is perhaps all too ironic since the threat has never been greater for bribes to be both covertly delivered and hidden indefinitely from the eyes of investigators, forensic accountants and financial institutions.

In principle, Bitcoin transactions are far from untraceable. All transfers of currency are recorded in a public ledger called a blockchain, but only randomly generated Bitcoin addresses comprised of numbers and letters are logged… not names or identities. Many wallets containing Bitcoin addresses which are used for receiving, storing, and sending bitcoins also record IP addresses and require the uploading of personal identification documents. However, these security measures can be easily sidestepped by any determined individual with enough imagination. A few wallets purposely refrain from collecting any identifying information at all in order to appeal to specific audiences.

In order for a transaction to be traced to a person, investigators must figure out a way to tie an individual to a Bitcoin address. At present, users are able to transfer money without revealing their identities so long as they understand how to effectively operate the anonymous web browser Tor, certain wallets and exchanges, Bitcoin ATMs, and web applications such as Bitcoin Fog or Dark Wallet. These tools collectively subvert the digital currency’s traceability by disguising the true origin and destination of Bitcoin transactions. Paranoid users can even resort to private in-person meetings with local traders who exchange cash for bitcoins at a small fee with no questions asked.

So how can Bitcoin be leveraged in the payment of a bribe? Read the scenario below.

A construction company agrees to bribe a city official in exchange for facilitating the award of a lucrative public works contract. Given the high stakes involved, the bureaucrat wants no incriminating evidence that could potentially be uncovered in an investigation. After careful discussion, the parties arrive at a mutually agreeable solution.

In light of the construction industry’s common practice of paying certain workers in cash, a weekly purchase order request begins to be submitted at the company which describes compensation for day laborers. At the direction of executives, a trusted manager pays cash for a used laptop that he connects to a downtown coffee shop’s public Wi-Fi network during his lunch break in order to set up several Bitcoin wallets. He decides on an anonymous wallet or perhaps a Chinese wallet since they are the most unlikely to cooperate with Western authorities in the event of a subpoena. Shortly thereafter, the manager starts making weekly deposits of $5,000 into his wallet via anonymous Bitcoin ATMs. Using Bitcoin Fog on the Deep Web, the manager transfers $20,000 in cash per month to the city official who keeps the money hidden online in his wallet. Once a quarter, the bureaucrat travels abroad to cash out his small fortune using local Bitcoin traders and Bitcoin ATMs, partaking in luxury vacations and spending sprees. After the entirety of the $250,000 bribe has been paid to the city official, the construction manager physically destroys the laptop and never accesses the Bitcoin wallets again.

As illustrated, bribery using Bitcoin offers numerous advantages and few methods of detection. Even if a whistleblower were to come forward to disclose general details of the scandal, investigators would almost certainly hit a dead end. And in the unlikely event that authorities knew Bitcoin was somehow involved, where would they even start? It would be nearly impossible to establish a trail of evidence that could adequately serve as a basis for criminal prosecution or civil action. At worst, the construction company would receive a slap on the wrist for paying day laborers in cash.

The reason why we haven’t heard more about the involvement of Bitcoin in bribery schemes might be due to fraudsters not yet realizing the full potential of digital currency. Or perhaps, it’s because many investigators remain unaware of the extent to which it has already been used as a tool for bribery worldwide.

Untraceable Links: Technology Tricks Used by Crooks to Cover Their Tracks

FROM THE ACFE GLOBAL FRAUD CONFERENCE

Emily Primeaux
Asst. Editor, Fraud Magazine

"I think we need a change in investigations. We need to evolve because of technology," said Walt Manning, CFE, president of Investigations MD, in his session, "Untraceable Links: Technology Tricks Used by Crooks to Cover Their Tracks," at the 26th Annual ACFE Global Fraud Conference last week. "We have to change the way we think about technology because [our methods] are not working anymore," he continued.

Manning began his session with these thoughts and by explaining that this change is based on more sophisticated technologies such as mesh networks and anonymous and encrypted email services that are under development (or have been created) to evade government surveillance. And awareness is key: fraud examiners who are aware of these tools stand a better chance of learning and understanding how they could be used to hide possible evidence of fraud.

From the Tor network to the Invisible Internet Project (I2P), Blackphone to Tox, cybercriminals are finding new ways to get into victims' data. According to Manning, the visible web is only 1 percent of the entire content on the Internet. Criminals lurk on the Dark Web and even though illegal service providers, like Silk Road, are being caught and prosecuted, a new operation will pop up shortly after. For example, as the Tor network receives more attention from law enforcement, a growing number of networks are moving to I2P. Yet another thing to monitor.

Manning also emphasized the importance of not connecting to insecure, public Wi-Fi without VPN. Crooks are using services like Blackphone to keep their anonymity. "Silent Phone allows criminals to make encrypted texts, calls, video messages to anywhere in the world," said Manning.

Manning finished the session with an overview of mesh networks. Mesh networking makes use of special hardware or software to allow devices to directly connect to each other without the use of the cellular network or the Internet. According to Manning, from an investigative perspective, mesh networks make it more difficult to track investigative targets and to trace their communications. Users of a mesh network may never “touch” their cell network or the Internet, and there are no logs to trace messages through this decentralized network.

These developments seem especially threatening, but Manning called fraud examiners to act to thwart the nefarious schemes. "I need your help. Our profession needs your help. It’s only going to get worse," said Manning. "We have to take action, and we can only do it if you’re willing to get involved in the effort."


Global Security Advisor Proposes ‘Moon-shot’ Fight Against Cybercrime

LIVE FROM THE ACFE GLOBAL FRAUD CONFERENCE

Dick Carozza, CFE
Editor, Fraud Magazine

Marc Goodman, a global security advisor, believes the anti-cyber crime community should mount a campaign against online criminals similar to President John F. Kennedy’s challenge to land a man on the moon.

“He made a bold declaration. … We don’t have anything like that for cyber security; yet we’re handing over every aspect of our lives over to these machines with no concept of protection. … We’re all going to have to do that,” he said. “And you folks from the ACFE have the right skill sets, the right knowledge, the right network to make that happen. I invite you to join me in that fight.”

Over the last 20 years, Goodman built his expertise in cyber crime, cyber terrorism and information warfare. He’s worked with Interpol, the United Nations, NATO, the Los Angeles Police Department and the U.S. federal government.

He founded the Future Crimes Institute to inspire and educate on the security and risk implications of newly emerging technologies. He also serves as the global security advisor and chair for policy and law at Silicon Valley’s Singularity University — a NASA- and Google-sponsored educational venture dedicated to using advanced science and technology to address humanity’s grand challenges.

“Technology can be awesome,” Goodman said. “It’s had a tremendous impact on the world. … But there’s a significant downside to technology and the ways bad guys use it. …

“All the technology change is leading to a paradigm shift in crime and in fraud. Crime used to be an easy affair; it was a good start-up business. You could go out and get a knife or a gun, hide in a dark alley and say ‘stick ‘em up.’ … But eventually criminals could only rob so many people in a day. New technology helps criminals rob more people,” Goodman said.

In the Target breach last December more than “one-third of America had its information compromised. … Now one person can rob 100 million people.” Also, Target had to spend $214 for each one of the accounts hacked. He said a recent Center for Strategic and International Affairs study said that the annual global cost for cyber crime is $400 billion — about 1 percent of the U.S. GDP. 

He then shared some cyber crime developments. Here are just a few:

  • Innovative Marketing Solutions, a company in Kiev, set loose a popup box that told computer users that they had a virus, and for $49 they could download malware protector software that would solve their problems. However, users actually never had infected computers until they paid their money and downloaded the software. Before the FBI and Interpol shut them down, the business ripped off $500 million.
  • When we’re browsing on the Internet, we only see the “surface web” — underneath is the “Web Profunda” or “Deep Web,” which is 500 times larger than the web we know. “About 50 percent is involved with crime and fraud,” Goodman said. The Deep Web site, “Silk Road,” sold drugs, guns, fake IDs and hits for hire, among other nefarious goods and services. Before the site was taken down, 20 percent of all American drug users had purchased their drugs on the site, he said.
  • Most flashlight apps on phones steal contact information.
  • Those who think they’re calling their banks often are shunted via malware to criminal call centers that request, and often receive, personally identifiable information.
  • Fraudsters are hacking pacemakers, insulin pumps and vehicle computer systems.

Goodman said that personally we should:

  • Use different passwords for every system.
  • Always use a VPN when connected to public networks.
  • Always encrypt our data.

Corporations should:

  • Implement open-source intelligence programs. Go into the Dark Web.
  • Place adults in charge of risk, fraud and security.
  • If something is really important, don’t put it in a computer.
  • “Red team” and test your assumptions; find problems before hackers do.
  • Hackers are already in the system; hunt them out.

“Technology runs the world,” Goodman said. “ … When it fails, what’s our backup plan? We don’t have one.” He said we owe it to our children’s children to not leave them a scary cyber world.
