Will the new EU crypto rules change the way ransomware is played?

Cryptocurrency has always been the payment method of choice for bad guys. Are you the victim of a business ransomware attack and planning to pay? You will need crypto. The main reason cyberthieves like cryptocurrencies so much is that it is much harder to trace payments.

That is why an initiative attempted by the European Union has so much potential. The EU, in a move likely to be emulated by many other regional regulatory forces, including the US, is implementing tracking requirements for all cryptocurrencies.

If this is successful, and the EU has a great track record on precisely these types of exchanges, cryptocurrency could quickly disappear as the payment method of choice for thieves.

What does this mean for IT and business security? It's entirely plausible that the ransomware fights you'll have in 2023 and 2024 won't necessarily require crypto. Criminals can find ways to use Visa, wire transfers, or ACH payments more securely. (Do you know how much easier it becomes to pay a ransom if you can load a PayPal account or use Zelle or Venmo?)

A big part of the nightmare of ransomware payments is the difficulty of quickly obtaining a large amount of cryptocurrency. A company cannot stockpile it for future use, given the extreme volatility of its value. You think you're holding $5 million worth of cryptocurrency, only to find out it's worth $42 when you try to use it.

So what exactly did the EU do? The Council of the European Union said the bloc had reached an "interim agreement" on a landmark new regulatory framework for cryptocurrencies. The text of the agreement is not final, so it is not clear what will ultimately be included. An EU official told me that "the text will be ready in time for the confirmation of the provisional agreement by the ambassadors of the EU member states during one of the Coreper meetings, not before September."

"Not before September"? As deadlines go, that does not make much sense. But since it has been announced, the change seems more likely than not.

Excerpt from the EU statement: "The purpose of this recast is to introduce an obligation for crypto asset service providers to collect and make accessible certain information about the originator and beneficiary of crypto asset transfers. This is what the providers of payment services are currently doing for electronic transfers, which will guarantee the traceability of crypto asset transfers so that they can better identify possible suspicious transactions and block them."

The statement also promised that “the new agreement requires that the full set of sender information travel with the crypto asset transfer, regardless of the number of crypto assets being transacted. There will be specific requirements for crypto asset transfers between crypto asset service providers and non-hosted wallets.”

By the way, the EU in this document has also listed "non-cooperative jurisdictions for fiscal purposes", which include American Samoa, Fiji, Guam, Palau, Panama, Samoa, Trinidad and Tobago, US Virgin Islands and Vanuatu.

Another interesting detail is what the EU has promised consumers, although it is less clear how well each can deliver on consumer protection promises. The new deal “will protect consumers against some of the risks associated with investing in crypto assets and help them avoid fraudulent schemes. Currently, consumers have very limited rights of protection or compensation, especially if the transactions take place outside the EU. Under the new rules, crypto asset service providers will have to meet strict requirements to protect consumers' wallets and be held liable if investors' crypto assets are lost. (The Agreement) will also cover any type of market abuse related to any type of transaction or service, including market manipulation and insider trading.”

These are good goals, but let's not forget that they impose rules on criminals who pretty much make a living ignoring laws and other restrictions. The penalties for these violations are unlikely to be a greater deterrent than being caught and charged with extortion, theft, fraud, and possibly espionage. In this context, some EU sanctions do not arouse much fear.

That said, cryptocurrency exchanges are, in a way, mostly legal operations. If the new rules can make these operations less welcoming to thieves, so much the better. Will it be enough to push them into the arms of PayPal and its counterparts? It will be very interesting to see.

Copyright © 2022 IDG Communications, Inc.