Financial Conduct Authority Warns Banking Industry of ICOs and Cryptocurrency

Writing a “Dear CEO” letter to banking executives, the Financial Conduct Authority (FCA) warned executives on June 11, 2018, to perform enhanced due diligence on clients who use or trade cryptocurrency for business transactions. The letter urges banks to check the use and value of cryptocurrencies in the same manner as banks check their clients’ other sources of wealth.

The tone of the letter was to warn banks that clients who use cryptocurrencies or invest in initial coin offerings may be doing so anonymously and therefore, such transactions are suspect. The FCA suggested that banks review their existing compliance frameworks to account for new transactions that are associated with abuse. It said “this class of product can also be abused because it offers potential anonymity and the ability to move money between countries.”

The FCA recommended that banks’ compliance programs keep up with fast technological advances, including cryptocurrencies and initial coin offerings.

MA Clean Energy Center Victim of Wire Fraud

A recent State audit has discovered that the Massachusetts Clean Energy Center wired $93,679 to a cyber-criminal in February 2017, and didn’t advise its board about the incident for 7 months.

Following the audit, the auditor recommended that the agency conduct a risk assessment, develop written policies and procedures to address the potential for cybercrime, and report incidents to the board and to law enforcement.

The Clean Energy Center has beefed up its security measures following the incident to better protect itself from similar incidents.

Wells Fargo Prohibits Customers from Using Credit Cards to Buy Cryptocurrency

This week, Wells Fargo & Co. announced that it will not allow customers to buy cryptocurrency with its credit cards. This follows other banks’ prohibitions on the use of credit cards for the purchase of cryptocurrency over the past several months.

Some surmise that the prohibition is due to the volatility in the price of cryptocurrencies, like bitcoin, which could leave customers unable to pay their credit card bill after a significant downswing in the price of the cryptocurrency.

Wells Fargo said that it will continue to monitor the issue “as the market evolves.” Its announcement came before the Financial Conduct Authority sent its “Dear CEO” letter [view related post] warning banks to increase their evaluation of customers who are buying and trading cryptocurrency, which will no doubt have an impact on Wells Fargo’s evaluation of the situation.

Bitfinex Stops Trading After Cyber-Attack

Bitfinex, a global digital currency exchange, paused trading last week when it experienced a distributed denial-of-service attack. During the pause in trading, it announced to users that “Bitfinex is currently under extreme load. We are investigating the issue and will keep you all up to date as we learn more.”

The company resumed trading after maintenance and was “monitoring the situation closely.” It stated that “[T]he attack only impacted trading operations, and user accounts and their associated funds/account balances were not at risk at any point during the attack.”

Bitfinex previously suspended trading in August of 2016 when an intruder stole 120,000 bitcoins.

Lawmakers Push for Legislation to Heed Threats Posed by Drones

Last week, federal officials testified at a Senate Homeland Security and Governmental Affairs hearing that the statutes constraining the government’s ability to counter reckless or malicious drone use, including the ability to test and research different methods of counter-UAS technology, are outdated. From the use of drones to deliver explosives by Islamic State and other international terrorist groups to their use by drug traffickers in the United States, U.S. law seems to be falling behind, federal officials said. Undersecretary of Intelligence and Analysis at the Department of Homeland Security (DHS), David Glawe, said “This threat is real. We are witnessing a constant evolution in the danger posed by drones as the technology advances and becomes more available and affordable worldwide.” In response to much of this testimony, Chairman Ron Johnson said that he hopes to attach legislation to this year’s defense authorization bill to provide law enforcement agencies with the authority to defend against malicious drones in U.S. skies.

Under the proposed legislation, DHS and the Department of Justice (DOJ) would gain enforcement authority against drone use that is deemed to be a threat to public safety or national security. Law enforcement agencies would be able to track or surveil drones in public areas, or even intercept, seize or destroy them if necessary.

The American Civil Liberties Union (ACLU) opposes the bill, citing its failure to protect “property, privacy and First Amendment rights.”

We will continue to monitor this legislation as it progresses.

Drone Helps to Discover $17 Billion in Sunken Treasure

In the early 18th century, on June 18, 1708, the San Jose, one of the largest treasure ships in the Spanish fleet, sank to the bottom of the ocean as a result of the battles of the War of Spanish Succession. The San Jose carried treasure valued at around $17 billion in today’s dollars. Since its demise, this shipwreck has been one of the most sought-after treasures. After years of searching for this valuable wreck, it was an autonomous underwater vehicle (an underwater drone) that finally discovered it.

While this wreck was actually discovered over two years ago, it was only just reported that it was Woods Hole Oceanographic Institute’s REMUS 6000, an underwater research drone, that actually made the discovery. This torpedo-shaped AUV is capable of operating at depths of 3.73 miles and weighs about 1,900 pounds. REMUS 6000 uses accelerometers and gyroscopes to measure movement in three directions, along with pulses of sound and separate sonar pulses, while operators above the ocean’s surface communicate mission commands and get updates on the AUV’s course via short pulses of sound (think of it as a data-driven Morse code).

REMUS 6000 discovered the wreck through a meticulous grid search of a large area where the ship had supposedly sunk. It was the AUV’s side sonar that picked up the ship. Specifically, the AUV had been programmed to locate the ship’s distinctive cannons, and it was that piece of data that was pinged back up to the operators above.

This mission is a prime example of one of the ways in which AUVs and drones are changing the way many industries do business. From land to air to sea, AUVs and drones can extend beyond the capabilities of humans and increase efficiency and successes, like this discovery of treasure.

For now, the precise coordinates of the treasure remain a closely guarded secret.

Privacy Tip #143 – North Korea/U.S. Summit Gift Bags Remind us of Dangers of USB Devices

The Singapore summit was the focus of news stories this week. The media descended on Singapore to capture all of the news. When journalists started posting pictures of the contents of the gift bags that they were given at the summit by a company associated with the local government, cybersecurity experts from around the world started tweeting and alerting them about one of the contents of the gift bag.

We have all been to conferences and events where we walk out with a gift bag. This particular gift bag, given specifically to the media, included: a guidebook, a trial subscription to the local paper, a water bottle, and a fan that could be plugged into a USB port.

The responses by security experts were actually frantic alarms to the media. They urged the media not to plug in the fans. Why? Because the fans could contain malware and could exfiltrate data.

One guy tweeted, “So, um, summit journalists. Do not plug this in. Do not keep it. Drop it in a public trash can or send it to your friendly neighborhood security researcher. Call any computer science department and donate it for a class exercise…” Another said “If you are a journalist at a summit with the North Koreans and someone gives you a USB fan, please do not plug it into your laptop. COME ON.”

It reminds me of the piece we posted on May 5, 2016 after The American Dental Association mailed 37,000 flash drives to its members that were supposed to include new billing codes, but in fact the USB drives also included malware. When the dentists put the flash drives into their systems, they were directed to a web page known to distribute malware, which allowed criminals full access to their systems. The flash drives were manufactured in China.

That was two years ago, and the same distribution methods are still being used to dupe people into plugging infected USB devices into their laptops.

Tip for the week: beware of all USB drives. Especially when you are in Singapore with North Koreans, who are notorious for hacking and cyber fraud.

Rumor Mill Suggests Fidelity Investments Might Open Cryptocurrency Exchange

While many traditional financial institutions hesitate to embrace cryptocurrencies such as bitcoin, a recent news report suggests that Fidelity Investments, the fourth largest U.S. asset manager, is looking to enter the fray. Business Insider reported last week that Fidelity has posted internal job listings for systems engineers “to help engineer, create, and deploy a digital asset exchange to both a public and private cloud.” Another job listing looked for experience related to “first-in-class custodian services for bitcoin and other digital currencies.”

Commentators note that it makes sense that Fidelity would want to make cryptocurrencies available to its sizeable customer base, many of whom might be hesitant to trust lesser-known exchanges such as Coinbase. Fidelity would not confirm that it is building its own cryptocurrency exchange, but the company’s spokesperson did state that Fidelity is hiring for projects related to “open and permissionless ledgers, with technologies like digital assets, currencies and blockchain.”

Blockchain security firm Hosho was quick to express concern that Fidelity’s unconfirmed plans could make it a prime target for cyber-attacks. Noting Fidelity’s $2.5 trillion in assets under management, the CEO of Hosho, Yo Kwon, stated that “While it’s great that a company like Fidelity is moving towards blockchain and digital asset adoption, the risk factors associated with the move are that much greater. Fidelity will potentially introduce a large number of users onto its exchange, which by extension, means a large amount of assets being moved around. Fidelity could expose themselves as hacker bait — the greater the bait, the more motivated hackers will be to get inside.”

VPNFilter Worse Than Previously Reported

We previously reported that the FBI has warned consumers about a nasty piece of malware, known as VPNFilter and believed to have been launched by a Russian government hacking group, that is infecting hundreds of thousands of small business and home routers [view related post here].

Apparently the malware is much worse than anyone thought: Cisco’s Talos security team says the malware is more powerful and is infecting a larger number of routers than originally reported.

The new research shows that the malware is capable of carrying out a man-in-the-middle attack (which we have seen an increase in over the past few weeks) on incoming web traffic, and is targeting not only home and small business routers, but the router owners themselves. Cisco reports that the attackers use the infected router to inject malicious payloads into traffic as it passes through the router. It can also steal sensitive data that is passed between internal endpoints and the internet.

According to the senior researcher at Cisco “[t]hey can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.”

A list of devices that are affected can be accessed here.

What is even more concerning is that the malware is particularly sneaky and works in stages. So if you heeded the FBI’s warning to reboot your router, the malware could still be persisting on your device. For those of us who are non-techies, this means that the attackers could have infected your device and put the malware in a listening mode that can then be activated at a later time. Security experts are recommending that if your router is more than a few years old, you should just buy a new one. Another security expert recommends “Run DD-WRT/OpenWRT/Tomato or similar, never use a stock vendor-created firmware if you can help it. The open-source stuff isn’t perfect but at least it represents pooled resources shared across many hardware platforms and with the broader OS community, rather than one vendor’s overtaxed engineering department that’s under-incentivized to worry about security.”

LabMD Wins Against FTC—11th Circuit Vacates Enforcement Order Against It

We have been watching the LabMD/FTC case for a long time. We have written about it [view related posts here], read the book about it that was hand delivered to our office by the CEO of LabMD, debated it in privacy law class and marveled at the energy and focus of Mike Daugherty over the years to fight what he believed to be an injustice against him and his company by the federal government.

The case has taken many turns and at times is very hard to follow. Suffice it to say that the FTC alleged that LabMD did not have sufficient security measures in place to protect the information of patients and started an enforcement action against it. The facts of the case are fit for a miniseries, with characters you can’t make up. To try to make a long story short, the FTC proceeded in an enforcement action, the administrative law judge found in favor of LabMD, the full Federal Trade Commission reversed the ALJ’s decision, and the FTC issued an order directing LabMD to create and implement a variety of security measures. LabMD appealed to the 11th Circuit Court of Appeals.

Yesterday (6/6/18), the 11th Circuit Court of Appeals issued its decision on the appeal and found in favor of LabMD. The 11th Circuit stated “LabMD petitions this Court to vacate the order, arguing that the order is unenforceable because it does not direct LabMD to cease committing an unfair act or practice within the meaning of Section 5(a). We agree and accordingly vacate the order.”

This case has great significance to the ability of the FTC to enforce data security against companies. The FTC alleges that Section 5 of the FTC Act gives it authority to enforce data security measures, and alleged that LabMD committed an unfair act or practice by engaging in practices that failed to reasonably secure the information of patients. The 11th Circuit found that the FTC failed to allege specific unfair acts or practices engaged in by LabMD. It further found that the FTC failed to “explicitly cite the source of the standard of unfairness it used in holding LabMD’s failure to implement and maintain a reasonably designed data-security program constituted an unfair act or practice.”

Finally, the Court held that the prohibitions set forth in the FTC’s cease and desist order were not specific, and therefore, unenforceable.

This long-awaited opinion has wide reaching implications for companies facing enforcement actions by the FTC now and no doubt long into the future.