ISMG Editors: Plot Thickens for Crypto Mixer Tornado CashAlso: Rising Business ID Theft and Finding the Appropriate Level of Security
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including how security leaders determine the right level of security for the business, the growing risk of business ID theft to enterprises, and the arrest of a developer suspected of working for popular cryptocurrency mixing service Tornado Cash, for "facilitating money laundering."
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday & Europe; Tom Field, senior vice president, editorial; and Suparna Goswami, associate editor, ISMG Asia - discuss:
- Highlights from an interview with CISO Bruce Philips on how to find the level of security that is appropriate for the business;
- Key takeaways from a conversation between fraud experts Andrew La Marca and Ralph Gagliardi on the growing risk of business ID theft to enterprises and what tools can mitigate such risk;
- The arrest by Dutch police of a man suspected of working as a developer for Tornado Cash, a popular cryptocurrency mixing service sanctioned by the U.S. government on Aug. 8.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Aug. 5 edition discussing how ransomware groups are aiming for smaller targets and the Aug. 12 edition analyzing the Twilio breach.
Anna Delaney: Hello, welcome to the ISMG Editors' Panel. I'm Anna Delaney. And here's our weekly roundup of the top news stories and cybercrime trends. And joining me this week, Tom Field, senior vice president of editorial, Suparna Goswami, associate editor for ISMG Asia, and executive editor of DataBreachToday & Europe, Matthew Schwartz. Great to see you all.
Tom Field: Nice to be seen.
Mathew Schwartz: Thanks for having us.
Delaney: Suparna, you've got to start us off, because you've got the most interesting background this week.
Suparna Goswami: Well, yes, we had assumed the Independence Day earlier this week. So this year what was special was that the Prime Minister launched a campaign where citizens can now hoist or display a flag all days of the year. Earlier, we were allowed to hoist the tricolour only on certain occasions and not in residential complexes, but now it is allowed. So, that was a campaign that was launched this year during the Independence Day and you could take selfie with the flag and all that garnered a lot of popularity.
Delaney: Okay. Did you take a selfie?
Goswami: I did not, but my kid did.
Field: Can do in this background now is revolutionary. So congratulations.
Goswami: Thank you.
Delaney: And Matt, more flags or bunting?
Schwartz: Bunting, yeah, I'm in Pittenweem in the East Neuk of Fife for the annual Arts Festival, well, annual before the pandemic. So, it was nice to have it back. All bunch of artists, illustrators, painters, photographers, you name it, take over the town for about 10 days, garages are filled with art, houses, all sorts of stuff, beautiful seaside location, beautiful week that we've been having, before some crazy thunderstorms. So it was wonderful just to be outdoors and soaking up some arts as well.
Delaney: Very nice. Art and community. Love it. Tom, what time of day is this?
Field: Sunset on the lake.
Field: And the reason is because in the month of July, as I traveled around the United States, I got to see everybody's heatwave. I was in Chicago, I was in Charlotte, I was in New York, I was in Washington, DC, hottest week of the year every time I was there. It was nice to come home and spend a hot night on the lake. And that's exactly where I took this photo.
Delaney: Very good, well deserved. And I thought it'd be good to revisit Italy this week. So I'm in the historic city of Perugia. Back to the present. Tom, I believe you caught up with one of our CyberEd board CISOs recently.
Field: Absolutely. And that's the fun of our job as we get to interact with the CyberEd board community. I mean, we did this virtually for over a year. Now we get to do it often live at our events. When they come and they visit our summits, we're able to sit with them. And the conversations always revolve around challenges and threats and what their passions are in their careers. And it's a great opportunity to dive into the making of the CISO. So I had a conversation with Bruce Phillips, who was the CISO of an insurance company, WEST, a large organization. And he talked about the evolution of the CISO role, how he used to be just that IT guy that knew a little bit of something about security, and it sort of kept him at a distance in case he might be dangerous, and how that evolved to a role where now he's interacting with the board on a daily basis and advising the business on all matters of cybersecurity. And so, we got into the conversation of what is the right amount of security for an organization that isn't primarily focused on security. And so, I want to share with you a bit of what he told me about how to find that balance.
Bruce Phillips: That's the good question. And that's what I talk about most of the time is, what do we need versus what is the media telling you to do? All the time I hear from our founder, or president and CEO, they have some new thing that they've heard about, and which is cool. It's nice that they're reading. But then, we have the conversation. But do we need this? What is the risk that we're trying to avoid? And then, what is the impact of adding this yet another security control into our stock? And things that now we have to manage it, we have to take care of it. We have to teach people how to use it and is it really helping the business? And that's, I think, the most important thing is understand that there's a lot of cool tools out there. But do you really need them?
Field: So, it becomes an interesting conversation in so many ways. You've got organizations everywhere now trying to rationalize the security stack that they have, trying to make their legacy technology work as they further their cloud migration, trying to find ways to consolidate the number of vendors that they work with to mitigate supply chains, security risks. Bruce's comments don't come in a vacuum. They're very common among what I hear these days and just thought it was a nice slice to be able to share from the conversation that we have every day.
Delaney: Very interesting. In fact, I have this very conversation with the CISO of Canon last week. How do you know when you've done enough? And he likened it to the old days of advertising, when you know that 50% of your advertising spend is wasted, but you don't know which 50%? And we also talked about benchmarking, but he said, that's dangerous, too. Because how do your benchmarking peers, how do they know how much they have is enough? Or how much is too much? So he, bit like Bruce, he said, "Well, we'll start with education of stakeholders and ask them, what do they expect? And then say, “I can't stop everything. So let's focus on the essentials, not to be seduced by the shiny tools out there."
Field: There's a dangerous myth out there, Anna, which is, you hear this a lot, even in high-profile security events where people say, "You don't have to outrun the bear, you have to outrun the guy next to you." And that presumes that the bear is hungry for only one meal and in these days of automated attacks, that's a very hungry bear with, I think, an inexhaustible appetite. So you better be prepared not to be a meal.
Delaney: Good point. We encourage viewers to watch that interview in full. It's great. So, Suparna, you have been talking with fraud experts about tackling business ID theft. What do we need to know?
Goswami: So, yes, Anna, thank you so much for that. So, I had this panel discussion with Andrew La Marca, who is from Dun & Bradstreet and Ralph Gagliardi, who is from the Colorado Bureau of Investigation. So before I start, let me give a bit of background about business ID theft. So, we generally see an increase in business ID theft after there is a natural disaster or there's an economic crisis. As you know, bad actors, they usually tend to take advantage of business funding programs, or probably gain access to capital by probably falsely applying for a loan. So, this time, there has been a 254% increase in business ID theft last year. And this was a report that has been published by Dun & Bradstreet because they tackle, they track this field a lot. So the reason being, one, they said was squeezed in cash flows because of higher input prices, and low availability of capital because of which businesses have been applying for loan. And we all know there have been a major funding program throughout the past two years, and more of another factor which contributed to increasing business ID theft has been the increase in digitization. So now, we have a lot of information on the website about any business. This helps fraudsters create synthetic names and register businesses. So, Andrew from Dun & Bradstreet, evaluated one of the government relief programs that happened last year and identified that roughly 90 million of the 200 million requested were from bad actors using the stolen business identity names of officers or using their email IDs. So, it's very easy. So, essentially, they create a website and use other legitimate looking systems, they register it, and victim is drawn through emails. And moreover, the business name also gets registered with multiple banks. So that doubt, which I had was essentially that those banks, when they are giving out loans, don't they do their due diligence on businesses, but apparently, no. Few are registered with the state. That's all you need. And banks will give out loans. So, there's no control in place and essentially, see, the entire thing is to make it easy for the businesses. But there are technologies that can be leveraged, the panelists said that can go a long way in controlling this kind of fraud. And Ralph said that the Secretary of State wants to be business friendly and is trying its best from its end, like it's applying password protection or email notification. But, as a whole, we need to go a level up and understand who is this person who is applying for the loan or who has opened this new business. So here, technologies like device fingerprinting, to know which device is being used for registering a particular business, that will help, or a new request of loan is coming from which device? Is it the same device in which the business was registered? Then behavior analytics, that will also play a huge role that how you're interacting on your webpage, document authentication, so these are some of the tools that need to come in place. But yes, business ID theft has not been spoken about a lot but the past couple of years have seen a lot of increase in this kind of thing.
Delaney: So, are businesses aware of this threat?
Goswami: They are aware of this threat. But essentially, there's nothing because the fraudsters are using synthetic ID of the various businesses, synthetic ID names. And the states are also not doing much about it, because they are giving out loans or registering the businesses. So, there's nothing much you can do about these things. So, essentially, the control has to be more from the state side than from the businesses on their own.
Field: Suparna, related to this as well is the vast amount of impersonation that's happening because of fraudsters. Now, I've had this conversation at some of our roundtables, talking about to what extent are you monitoring to see that your business, your executives are being copied on social media or elsewhere. It comes down to an interesting conversation, heard this from Dave Estlick, he is the CISO of Chipotle, used to be with Starbucks. And he said, "Yes, we're out there monitoring for our brand. But where's the line between monitoring and policing the internet?" And that's something that CISOs are trying to find a balance for.
Goswami: Essentially, that's what they said. It is essential to find that balance, we're not creating too much friction for the businesses, but at the same time, that person who has applied for the loan or who's registering the business is right, so it's all about finding the right balance.
Delaney: Thank you very much, Suparna. And then, Matt, Tornado Cash has been in the news again this week. Why is that?
Schwartz: It has been in the news. Well, it's fascinating to see this ongoing crackdown on the cybercrime-as-a-service economy that helps facilitate so many different kinds of attacks and illicit activity. And money laundering is a popular feature of the cryptocurrency ecosystem. And some of the services that provide this are called mixers or tumblers. And these are services that will take your cryptocurrency and promise to give it back after having broken the chains between where it came from and where it's going. So, they take the cryptocurrency, throw it into a big pool, mix it about, and at a later time, you can get it back out again. Again, hopefully it's been cleaned coins, they sometimes call it, or white. Now, mixer proponents will say that there's nothing inherently wrong about using a mixer. Governments have increasingly, however, been disagreeing with your use of mixers being legal, if those mixing services don't enforce anti-money laundering and know your customer requirements. And they've been cracking down. We've seen two mixer services sanctioned so far now. The most recent was Tornado Cash earlier this month. And in the ongoing saga of Tornado Cash, one of the alleged developers got arrested in the Netherlands earlier this week. So this is fascinating because they're not just going after the services, but also the individuals, it seems, who are helping to power or provide these services. So, Dutch authorities said the gentleman, who's 29 years old and has not been named, is suspected of involvement in concealing criminal financial flows and facilitating money laundering through the mixing of cryptocurrencies via the decentralized Ethereum mixing service called Tornado Cash. Now, that's a mouthful. But the basics here is that Tornado Cash, which is still operating, although it's been sanctioned, so it's illegal for any American or anybody in the United States to use it. You face civil and some serious criminal penalties if you use it, even to get out cash you've already put in. So don't go there, basically. But it's the theory of service. So this is interesting, because it's not clear if authorities can shut it down. The mixing is accomplished using smart contracts. So, if you want to use the service, you essentially spool up a smart contract, put your money in. At some point, it gets crunched through this mixing service, and then made available to you. You don't need to pull it out right away. But unfortunately, this sort of thing looks like it's going to be very difficult for authorities to permanently shut down because it runs on its own. And certainly, one of the cofounders of the service has claimed that there's no way it can ever be taken down. Because it's been engineered to just do its thing without any human input. I guess we'll see if that's going to happen and other ways that authorities can track these cryptocurrency flows and oftentimes trace them back to individuals. So, also in terms of the flows, interestingly, blockchain analysis firm Chain Analysis said that from the time Tornado Cash became active in 2019, until it was sanctioned earlier this month, it said that it had handled more than $7.6 billion worth of Ethereum. And a sizable portion of that cryptocurrency had come from illicit or high-risk sources. North Korea, in particular, appeared to be an avid user of the service, maybe almost a fifth of the funds that went across it have so far been attributed to North Korea or other sanctions evaders. A tenth of the funds that it handled have also been tied to known cryptocurrency theft, stolen funds. So, mixer proponents might say, "Don't hate on the service, hate other people who are using it incorrectly." Governments had been saying, "That's nice in theory, but if you don't enforce some very basic controls, we're going to become an afterthought." They're just fascinating to see how these crackdowns on the illicit use of cryptocurrency services have been continuing.
Delaney: And we've got two cases here then. The employee suspect, allegedly involved in stealing criminal financial flows. And then of course, you got the sanctions on Tornado Cash by the OFAC, are they related? Do we know?
Schwartz: No, we don't know. In particular, if the developer is being accused of money laundering for facilitating money laundering, or if they might be tying it more directly to the developer using it for personal illicit enrichment, it's one of these press releases that's come out from the police. It doesn't say a whole lot, it suggests many things. But it's not extremely technically nuanced about exactly what's being alleged. This is common. If the FBI unveils charges against someone, they don't give the whole case away, they just give you enough of a flavor to understand what's going on. And the Dutch authorities have said their probes continuing, there could very well be more arrests. I'm surprised that this alleged developer associated with this alleged money laundering happened to be based in the Netherlands. I would think this wouldn't be a great move when you're doing something that's so obviously risky. Again, in theory, mixing services provide a service. And you don't control who uses it. But the writing's been on the wall here about people who aid and abet these services, which, if you're going to be nice, can be safe to operate in a gray territory. But there's a lot of illicit use as well here.
Goswami: Yeah, so Matt, you said that probably there are sanctions on companies who do not adhere to the basic rules, like if you don't know your customer KYC. So, is there a particular reason why they don't do or they do, and they don't follow up, like who is continuing to access their account?
Schwartz: I've reached out to Tornado Cash - at least one of the founders seems to be based in Russia - to ask about these allegations against it. And the OFAC sanctions saying is basically they're not doing what they should be doing with AML and KYC. They have not gotten back to me. So, I couldn't speak to the thinking about why they have or have not. Certainly, there's other services that we've seen. There was a case recently where a service was providing the ability to trade cryptocurrency and they didn't have AML and KYC in place, but then they did get it in place. And so, the Feds didn't try to shut them down. They did find them. But they also acknowledged the service had gotten compliance. So, it's not the government wanting to just erase the services from the map. It's wanting them to do some due diligence. So if they do the due diligence, it seems that they're allowed to operate. This is okay, you can provide the service, you've met our basic requirements. If you don't, they're going to come after you. They're going to sanction you.
Goswami: Fair enough.
Delaney: And Matt, what will you be watching closely as the illicit crypto mixer challenge evolves?
Schwartz: I'm waiting to see who they try to take down next. It's fascinating. And these cases, it's important to remember the cops are never going to identify all the criminals, they're never going to arrest all the bad guys and girls. But by arresting people such as this alleged developer associated with Tornado Cash, they're sending a message, and that can have a really good disruptive effect. It says, "Play by the rules or you could be next when it comes to the cops busted down your door."
Field: Did you know, Anna, crypto has been the story of the year. Matt's right. Could be another chapter next week.
Delaney: Okay. I think you're right. Well, thank you. Matt, final question for you. If you were to write the next cybersecurity themed musical, what would you call it?
Schwartz: Jazz hands. I'll jump in there. I would do an updating of Music Man, because you have a conman who comes to small town, convinces them that they should spend a lot of money on something that conman doesn't know anything about. Or a cybersecurity man maybe, I don't know. The snake oil salesman who, at the end, finds the light, helps everyone become secure. I think there's a cybersecurity wrinkle there or angle, I should say, on the whole conman theme. Yeah, call me cynical, but I think it could be a really rousing success on Broadway.
Field: Sounds little bit like John McAfee superstore.
Schwartz: Double Bill.
Goswami: Yeah, I thought Michael Jackson Smooth Criminal because Smooth being one of the jazz thing, a genre and songs. I thought that would be a very apt name.
Delaney: Thriller! Yeah. Choices. Good with Michael. Tom?
Field: Yeah, you know, for mine, it comes down from talking to all these incident responders in the past years about SolarWinds and about Log4J. And they all talk about the immediate aftermath. And everybody's hair on fire. So the name of my musical's Hair on Fire.
Delaney: Love it. I was going to go for Les Hacked. Les Mis' is but I would definitely get a fundraiser for the musical.
Field: First of mine, Tory Johnson, the old 1940s,1950s actor of bad movies. But it could, both could be interesting.
Delaney: Yeah. We'll talk about who's going to compose these musicals next week. For now, thank you very much for a great discussion. Tom, Suparna and Matt, as always, thank you. And thanks so much for watching, and until next time.