Crime and Currency

The Stuxnet worm is in the news. Was it the Israelis? The CIA? The Chinese? No one knows, or even what the aim was (hindering Iran's nuclear infrastructure, industrial sabotage against Siemens by the Chinese, or simple extortion on a wide scale) but the event was significant in the risk it poses to infrastructure, and more widely to the West's, and America's, commercial payment system. Growing cyber-crime might be the one thing to restore cash to its former glory. As the world discovers the downsides of a cash-less, sci-fi world of debit and credit cards: they are easily hacked.


Hacking or skimming credit and debit cards is nothing new. episodes in Florida, and Utah involving gas stations with skimmers installed, the twist being that they had Bluetooth transmitters, more high powered than consumer devices, allowing criminals parked blocks away to collect the data on credit and debit cards, and use the data to fraudulently skim accounts. The scam was perpetrated, because there are only two major manufacturers of gas pumps in the US, and both have standard master keys that open all pumps built by that manufacturer.

Stuxnet is a problem for US infrastructure, obviously the same weapon used against (perhaps) the Iranians can be used against us. Stuxnet spread by infected USB drives, exploiting previously unknown Windows vulnerabilities, and spread throughout the local networks, looking for Siemens industrial controllers and issuing sabotaging commands. Stuxnet was found in Iran, Indonesia, and India, the source infection being shipments of Chinese manufactured USB flash drives, and using forged digital security certificates from Taiwanese manufacturers. The same attack could be used, of course, against US utilities, nuclear power plants, and the like. But more significantly, against the US electronic payment system.

Most people today rarely use cash in purchases. Shopping at the grocery store, paying for gas, and all sorts of daily life activities generally involve credit or debit cards. Cash is harder to carry around, more vulnerable to street robberies, and by its nature imposes stricter spending limits (if you pay by cash only, you cannot buy more than what cash you carry). Checks are becoming a rarity, something written out to pay bills sent in the mail (and even that is declining as online payments proliferate), and not much else.

But the system is vulnerable. External facing security is fairly robust, since ATMs were introduced, banks have done a reasonably good job at limiting the damage criminals can do on their network, by using dedicated network connections, massive amounts of encryption, and imposing limits on withdrawals. Bank payment systems are also robust, sharing the same, dedicated networks, encryption, automated verification, and auditing and analysis to spot intrusions and fraud. Far less robust, is the internal systems. Or more succinctly, once you are inside various bank internal systems, there is far less security. Most of it is oriented towards preventing employee fraud and theft. Not outside intruders.

Stuxnet was thought to have required about six months full-time, dedicated work by a team of six top-notch programmers. At a nominal wage of $150,000 a year per programmer, that works out to about $450,000 to create Stuxnet, outside of other costs. Such costs are well within organized crime rings, particularly those operating in Russia and Asia. The US financial payment systems must look like a very tempting target. Obviously, help from a former or current employee at one of the major electronic clearing/payment systems banks would be needed, but that is relatively straightforward. Organized crime is good at finding people like that. Current internal systems would need to be carefully studied for weaknesses inherent in system designs and trade-offs in the engineering (security vs. usability). No doubt banks are yanking out USB ports even now from internal systems, but a network is as vulnerable as its most vulnerable connection. Other equipment required for the network is vulnerable in the manner that Iranian, Indonesian,and Indian power plants were vulnerable, to equipment from reputable manufacturers that would not at first blush contain malware or viruses. Cisco routers, or firewall, or other network equipment, would come to mind.

It is shocking, however, to see how widespread the use of Microsoft Windows, really has become in the banking industry. Just see how your local bank uses them. You'd expect with Stuxnet, banks would see the danger, and rip out Windows in favor of something else, with a more robust security model. But human nature is what it is, security is not a profit center, and so little money is spent on it. Overestimation of the efficacy of external security makes institutions complacent, as they've spent considerable sums on it. All of which is useless when it is bypassed by malware hidden in something from a legitimate manufacturer.

Nobody thought to check the USB drives because the idea that they would be infected with malware from the factory, even though that was the case. Network equipment from global manufacturers, and the like would be targets as well. Since most of them use common components sourced and assembled in China, it is a matter of mass-infection, and stealth operation, until some trigger is reached. Once inside, the Stuxnet modeled malware can be used to skim accounts and so on. The amounts could be staggering, and so large that banks would be tempted to pass on the cost in one way or another to retail customers. Even if the cost is simply a government bail-out, that itself will be passed onto customers. Swipe card network components, are another target of course. While security is tight, Organized Crime networks specializing in cyber crime and flush with cash are undoubtedly targeting the whole swipe card network system now, at the time of this writing.

Which brings us to the next issue. Will the cost of Organized Crime networks so compromise the safety and cost of the current electronic banking system that it can no longer function in the way that it does today? And if so, how will people operate? ATMs, and the networks they depend on, including the whole swipe cards, depend on both security and low costs. If the networks are compromised, both security and low costs will be gone. The advantage banks have had is that there were relatively few gifted electronics and computer science people, and those that existed were well compensated and solidly middle class. Since the early 1960's, the advantage of banks and payment companies has been that they had most of the truly gifted people, and criminal organizations did not.

The explosion of learning, and technical knowledge, particularly in a globalized workforce, means there are literally millions of people, often with profoundly non-middle class ideas, beliefs, and backgrounds, who are also technically astute or even gifted, in electronics and computer science. There now exists, globally, available to global Organized Crime networks, people who are at least the equal, of the men who create security networks for banks and electronic payment companies. Not the least of which are the layoffs prevalent in much of the electronics and computer science industry, and the ethos of youth over experience. This resource has already been utilized.

Zeus malware is continually updated and auctioned to lower-tier crime rings at $1,500 a transaction. Of course, for criminal rings operating outside the US or US-friendly jurisdictions (principally Russia and China), the risk of e-mail phishing scams and the like is relatively low, and the payoff fairly unattractive if not lucrative. But the big target is of course, the entire retail payment system itself. A ring that could penetrate and exploit, comprehensively, that system, would not reap millions. At the minimum, such an exploit would net billions, if not trillions, of dollars to any ring audacious and determined enough to get such an advantage. Particularly if measures were taken along the lines of Stuxnet, to cover the tracks of the creators and the recipients of the transfers. Such as massive chaos, erasing transaction records, and the like. Presumably, after the money has been sent abroad. A key component would of course be sending the money out of the country to places where the Organized Crime ring can use it. The money is no good unless they can get at it. Formidable problems to be sure, but not insurmountable given the extraordinary rewards. Indeed, the nexus of political objectives by hostile regimes and Organized Crime speak for themselves. Considerable resources are available to crack this problem, and eventually it will be cracked.

But what then? How will people react? If their payment network is compromised? Indeed if online transactions and swipe-card systems alike are unreliable, insecure, and high cost (because merchants run the substantial risk of non-payment and fraud), people will stop using them. It has happened before. Confederate bank-notes had little value as the war progressed, as prospects for victory grew remote and Union counterfeiting increased. In Britain, during the Dark Ages, usage of coins essentially ceased from the early 400's until the reign of Alfred the Great. Indeed, gold and silver coins, passed from common usage into oblivion, fairly rapidly, in the Twentieth century, except for collecting. Dollar coins themselves, common in the 19th Century, are now considered a bother by many. So too, usage of cash has declined significantly for common payment except for small items. When you are in line at the grocery store checkout, or at the gas station, you will rarely see people paying cash.

Yet before the ATM was introduced widely in the 1970's, and the widespread use of Credit Cards in the mid 1960's, cash was king. As it had been since 700 BC in Lydia, when the first coins came into use. Coins, either precious or made of ordinary base metals (copper, zinc, etc.), have a long history of being used globally as a means of trade. More recently, a few trusted paper currencies have been used, despite frequent counterfeiting, because of the massive amount of money in circulation and the general soundness of the currency. The US paper denominations being the best known but not the only currency in that category.

If electronic payment networks become so compromised that it is far too costly to use them, consumers will simply default to cash. Almost everything that can be done with electronic payment systems, either swipe cards or chips with various encryption (and Blu-Tooth) can be done with cash. Except of course, online payments in particular, Amazon and Itunes. Since a substantial amount of commerce depends on this electronic payment system, work-arounds will have to be rapidly constructed. One such would be partnerships with retail establishments for payment. An order "pending" until payment is made, in cash, at a fulfillment station. At grocery stores, or other places eager to partner with folks like Apple or Amazon.

Electronic payment systems have had a remarkably long run without serious interference from Organized Crime rings intent on extracting their own percentage. Inevitably, as skills spread out around the world, and the small cadre of solid middle class professionals that defends the system faces a massive army of people with matching skills and unbounded ambitions, that is likely to change. Particularly since those who have been most inspired by Stuxnet are not likely to be security professionals but those in the intersection of rogue states, terrorism, and crime. All that money to be stolen just begs for someone to try and steal it. Particularly since the world is now awash in the equivalent of electronic safe-crackers, and much of the safe components (electronic hardware) are manufactured in a few, fairly corruptable, Chinese factories.

So it is probably a matter of when, not if, all things considering. And not one event, but a series of events, propelled by the need to steal a lot of money. When that happens, cash will once again be king.