I write this post with mixed feelings about the adoption and use of crypto and digital currencies. For those who might not know, cryptocurrencies like Bitcoin, Dogecoin and others offer digital online wallets of virtual money. Initially envisioned as irreversible ‘peer-to-peer’ trustless exchanges, these currencies claim to offer the possibility of anonymous transactions between strangers, without the need for a historically trusted intermediary such as a financial institution or payment processor to back them up (and charge a fee for the privilege). Instead, these decentralized currencies rely on complex computer algorithms and a public ledger of all transactions (without identifying information about the people performing them) to keep the system honest.
Today, you can buy or “mine” bitcoins and trade them for goods and services, or sell them for hard currency through an exchange. This open-border form of tender is advancing with little to no consideration about how to deal with the fraud that might be perpetrated against it, even as cybercriminals are already targeting virtual currencies.
As you may have guessed, this is fast becoming a fraudster’s paradise. The notorious “Pony” botnet, identified earlier this year, was specifically designed to steal bitcoins and other digital currencies. The lack of transparent information security practices and requirements on virtual currency websites make specific figures hard to come by, but it is already suspected that millions of dollars’ worth of bitcoins have been stolen. There is essentially no chance of the losses being recouped, especially since Bitcoin transactions are irreversible without the permission of the person receiving the funds. Adding insult to injury, the processors and holders of these digital wallets have no financial or legal obligations to make their customers whole again; there are no deposit insurance or regulatory protection requirements, so somebody robbed of virtual money is completely out of luck.
With so much risk, I have a hard time understanding why this type of currency is appealing to anyone. Don’t get me wrong, there are benefits to a low-cost, global currency that facilitates travel without the need to carry cash or go through currency exchanges. I travel a lot, but I can’t find any reason to accept this level of risk, just to avoid a paying some fees and standing in a few lines.
When I travel I look for solid protection, and my bank provides that to me. I can use my credit cards without the fear of loss due to someone else’s lack of security, because my bank will compensate me in the event of fraud. I don’t have to worry about storage of my virtual currency on a server or digital wallet that is open for attack. Yes, cards get compromised, but truthfully, as a customer, I don’t care. There is protection in place to keep me from losing money in the event of a predicament or payment processor malware event, and I think that most bank customers feel the same way. Sure, people get upset and call their banks, angrily asking how these things can possibly happen, but the key difference is that banks are prepared for those types of events. Bitcoin’s lack of a centralized authority means there is no one to get angry at in the event of a theft; you are on your own.
Then there’s the enterprise. Their middle-man role between consumers and banks is key in the adoption of virtual currencies. We have already started to see how this may play out as several household names have started to accept Bitcoin, including some of the country’s largest names in e-commerce - Overstock.com and TigerDirect. The million dollar question is: Why are they doing this? These businesses say they want to offer their customers more choices in payment methods, avoid so-called “politics” and human error, and show their ability to adapt quickly to changes in the market. While all of these are valid reasons, avoiding the minimal transactional costs seem to be the most logical explanation for their adoption. On the flipside, they are also opening the door to increased fraud incidents that could damage their reputation and balance sheet. Just ask Target how painful that can be.
As an industry, we know that there are things out of our control, but that there are also actions that banks and enterprises can take to prevent or resolve the problem. If virtual currencies continue to gain momentum, we - the people who dedicate our careers to fighting fraud - are in for a real treat. Fraud of virtual currencies can be highly dynamic and not precisely obvious, adding an unnecessary layer of complexity and vulnerability to an already challenging space. Adding virtual currencies to the threat landscape only ensures that fraud will have new places to dwell with even less possibilities to prevent it.