
Facebook's New Cryptocurrency Is Big News, But Is It Secure?


Unless you’ve been living under a rock, you’ll know that earlier this week Facebook announced plans for a new global cryptocurrency for absolutely everyone called Libra.

Slated to launch in 2020, Libra’s success will be decided by the interaction of three things – its financial architecture (which is complex and novel), how this affects its popularity and take-up, and the consequences of how it might be used and misused.

Financial design

Regardless of what you think of the idea of a cryptocurrency invented (but not controlled) by Facebook, Libra’s coming feels like a big moment for an idea that’s been around for a decade but is still struggling to become mainstream.

Bitcoin, for instance, is a world-famous cryptocurrency almost nobody uses to do real economic work beyond consuming lots of electricity mining tokens and then speculating emptily on their value.

Libra thinks it can solve this by being more like a real fiat currency, managed by big brands (Visa, Mastercard, Spotify, PayPal, Uber, Lyft, Vodafone, and Facebook itself), backed by real assets, and regulated to avoid both volatility and the possibility of money laundering. As Libra’s 29-page white paper states:

The Libra Blockchain is a decentralized, programmable database designed to support a low-volatility cryptocurrency that will have the ability to serve as an efficient medium of exchange for billions of people around the world.

Far from trying to disrupt central control, Libra will embrace it whilst fulfilling the big economic promise of cryptocurrencies to abolish the archaically high charges levied to move currencies around or translate them from one (the dollar, say) to another (the euro or Renminbi).

Libra does employ one innovation for a cryptocurrency on this scale by splitting itself into two parts, the fiat-backed currency and a second investment token that will be offered to accredited investors and members of the Libra Association.

Instead of pegging its value to scarcity à la Bitcoin, Libra’s value and liquidity will be decided by a distributed bank of big investors (including central banks) who, we must assume, know what they’re doing.

In other words, it will behave like a usable, reliable form of digital money that just happens to function via a pseudonymous blockchain somewhere out there.

Why are big companies such as PayPal, Mastercard and Visa so keen? Because they will take a chunk out of the vast and profitable foreign exchange market they currently see very little of.

What about security?

If there’s a nervousness surrounding Libra’s effect on the real world, it’s connected to its biggest feature – Facebook also wants it to be used by billions of people to buy and sell things, and move money around at low cost, in effect creating the world’s first unofficial global currency.

You don’t have to be a pessimist to predict that this sort of prominence will attract a lot of unwanted attention; indeed, within hours of Facebook’s announcement there were already reports of sites peddling scams.

And that’s before Libra even exists. Scams promoting imaginary currency, fake exchanges, services and wallets – including phishing targeting currency accounts – could well proliferate after launch.

The bullseye for cybercriminals would be to break into Libra’s Calibra wallets held on smartphones, which is why the consortium behind Facebook’s currency claims it will refund lost coins, including ones stolen fraudulently.

That implies advanced authentication, which the official Calibra wallet app says it will manage for users so they won’t have to remember long passwords or manage private crypto keys.

But cybercriminals won’t give up on breaking wallets and are bound to look for vulnerabilities in the software (or in rival wallets offering the same service), or to develop mobile malware capable of siphoning off data.

Another way might be to attempt to take over accounts by exploiting reset procedures. Or perhaps they’ll focus more on trying to trick people into sending money to scam accounts masquerading as genuine contacts – a version of wire fraud.

Because third-party wallets are allowed, there is inevitably a risk that their developers could become a soft underbelly in security terms.

Can fraud be beaten?

In theory, because Libra runs on a centralised blockchain using the Byzantine fault-tolerant LibraBFT consensus protocol, fraudulent trades or losses could be reversed, although it’s not clear how that would work if the recipient has already cashed out. That suggests a comprehensive scheme for controlling accounts and identifying account holders that goes beyond anything in existence today.

This raises an intriguing possibility – perhaps what Libra heralds isn’t simply a global currency but one that might be the beginnings of a basic system of secure identity, not from the blockchain itself (which is just a public-private key pair) but the authentication architecture surrounding it.

Many cybercrime problems are tied to the lack of a mechanism for knowing that someone is who they say they are. The evolution of authentication has been knocking on the door of this problem for some time and it could be that the real significance of Libra is that the systems built to ensure its integrity are about to shift identity to the next level.

Source: Sophos.