OFFICIAL SECURITY BLOG

Passing The BitCoin

August 24, 2012 | BY

BitCoin is a new-ish form of digital currency.  It allows people to perform financial transactions without the need for a bank or central authority and allows for a large amount of privacy.  Transactions are currently limited to ones performed online and only by individuals and organizations that accept BitCoin as payment. In the next few months, however, BitCoin will be usable in more places than just shops on the web with the release of the BitInstant BitCoin debit card, a new way to spend virtual money in the real world.  But is this new creation a step in the right direction or just another avenue for cyber-criminals to steal your money?

What exactly is going on?

A company called BitInstant, which specializes in converting real cash into BitCoins (and vice versa) by either transferring them from a BitCoin virtual wallet or a non-digital financial institution, is on its way to creating a BitCoin debit card.  With this debit card, users will be able to withdraw real cash from ATMs by converting their BitCoin balance into whatever currency the ATM supports. It also allows the user to conduct real-time BitCoin transactions in person using a special phone app and the QR code located on the debit card itself. It is a revolutionary idea that, combined with BitCoin itself, serves as a shining example of real-life science fiction.

How could it go wrong?

While BitCoin has been a great tool for getting around government and private industry control of our finances, cyber-criminals heavily abuse it, just like most things designed to help people keep their virtual independence.  BitCoin has notoriously been used by cyber-criminals on the black market to buy and sell things like credit card numbers and bot installs.  It is also used as a tool for money laundering and for keeping law enforcement guessing when it comes to funding hacktivism and “extra-legal” activity.

Contrary to how BitCoin has been abused before, the BitInstant debit card might actually be used for good.  BitInstant automatically has rules against any kind of money laundering activities. In addition, in order to comply with credit card application standards, people will probably be required to submit identification to apply for the card itself.  This means that cyber-criminals will be less likely to use it, although historically proof of identification does not stop the bad guys.  We have seen fake identification used to register domain names and purchase hosting servers in the past, and there is nothing stopping them from doing it here.  The benefit for the criminals is the ability to easily withdraw “dirty” money from ATMs or use the card to pay for things like black fedoras or vans with tinted windows.

Figure 1. What the BitInstant card might look like.
Image obtained from: http://arstechnica.com

In addition to fake identification, BitCoin account-stealing malware already exists and has existed for some time. Other related malware includes “BitCoin mining” malware, which uses the processing power of the infected system to involuntarily participate in “mining” operations, an action which helps BitCoin clear transactions in exchange for free BitCoins for the attackers.  Combine the end goal of the BitCoin malware with credit card scanning technology, and BitInstant debit cards may very well become targets for literal “walk-by” card scans to steal account information and virtual money.

Conclusion

BitCoin takes science fiction straight from the paper and puts it into reality, one where virtual money and real money are equal in value.  I do not expect BitCoin, or anything that might be similar to it, to be going away any time soon.  I also think that making purchases in the future will rely even more on an international tender that exists in the physical world as nothing more than binary code. However, it is important to realize that as we put more and more of our dependencies, our assets and ourselves in the digital hands of the internet, we are opening the door for cyber-criminals to walk in and take it all from under our noses.

For more information about BitCoin and BitInstant, check out:

 


  • cpcoder

    Why don’t they invent something called Shield Sleeves or Card Shield? Just like those sleeves the bank gives you to protect your ATM card, only something that blocks the card from being scanned!

    Or at least, clear “stickers” that block the scannable square, which you can remove only if you want to use it, then stick back on?

    After all, only people with smartphones and certain apps will want to use the scanner frequently…probably only those that are also of the Geeky type! Many people would have little to no need to scan their card (since I assume a traditional strip is needed at ATMs anyway), and could just pull the little square off to use it then re-stick it. I imagine using such a feature only once or twice a year.

    This should be used for all scannable credit cards.

  • Adam Kujawa

    They have certain types of wallets that you can purchase which will shield your card from any sort of RFID attacks. A card would be vulnerable to this type of attack if it had the ability to transmit the information via RFID, like swiping your card at the gas station without actually inserting it. Most other cards are protected from that kind of “walk-by” attack; however, you still need to watch out for devices inserted into the credit card reader that send the information to an attacker when you insert it into the device. As far as the BitCoin card goes, you make a good point about the sticker; it would be a good way to protect it. The only reason they have the QR code block would be so you could make BitCoin transactions via your phone by someone in person. Just another of numerous technological wonders that make simple things even more simple and at the same time give attackers new ways to steal your info. Thanks for the comment, Cpcoder!
