Cryptocurrencies & Sanctions


Bitcoin has seen its value skyrocket in the past few weeks, and some cyber analysts are beginning to worry that the digital cryptocurrency is primed for exploitation by countries looking to dodge sanctions.

Bitcoin is but one of many cryptocurrencies backed by encrypted blockchain technology that allows users to conceal their identities when buying or selling the currency. This offers a level of anonymity that has been perceived as hitherto limited to cash transactions. Consequently, cryptocurrencies may offer a means for criminals and sanctioned entities to conduct business beyond the global financial system.

Furthermore, the anonymity available in bitcoin transactions makes it challenging for international authorities to prove that money has been transferred by sanctioned entities.

Nonetheless, we have seen stories crop up surrounding North Korea’s use of the currency to dodge UN sanctions. According to FireEye, North Korean state-backed hackers have been increasing attacks on cryptocurrency exchanges in South Korea to steal Bitcoin and other cryptocurrencies. It’s expected that North Korea’s hold of the digital currency will continue to increase in the wake of tightening sanctions.

FireEye’s article, originally published in September, stated that the firm had observed North Korean actors target at least three South Korean cryptocurrency exchanges since May 2017. Taken together with the ties between North Korean operators and a compromised Bitcoin news site in 2016, as well as the use of a cryptocurrency miner, we begin to see the potential interest that the nation has in Bitcoin, among other cryptocurrencies.

Furthermore, Bloomberg recently published a report suggesting that Russia may utilize cryptocurrencies to work around increasing sanctions.

However, there are still quite a few obstacles in the way of using Bitcoin for large-scale transfers, as cashing out of the system is complicated. Regulators keep a close watch on the transfer of virtual currencies into cash, and anything that operates in dollars would be subject to US regulation.

Moreover, there’s simply the issue that there is a limited quantity of the cryptocurrency available. The total market capitalization of Bitcoin seems to be around $280 billion, which, while it is a lot of money, is but a drop in the bucket of true global wealth.

For more content like this, follow @CentryLTD and @CentryCyber on Twitter! 

When is ‘State-Owned’ a Red Flag?

One of the things that we screen for in our risk assessments is the connection of the subject to a politically exposed entity. This basically refers to any individual or company that has connections to the government of a country or other public office. If you are unfamiliar with screening processes and typical red flags, you might ask – when does political exposure or state ownership become a red flag?

The short answer is that state-owned corporate groups are linked to sensitive geopolitical spheres and carry with them the potential for many prominent international sanctions.

To get more in depth, the issue with state ownership can be a multi-faceted one. Usually, it’s not a problem. When it does present an issue, it’s because of the political exposure – where an individual or entity with prominent public function is at higher risk for bribery and corruption. In that case, determining the level of risk is up to the country in question.

Russia has had its state-owned companies sanctioned by the West. Whilst proper screening will yield entities that have been sanctioned, the connections between these and potential business partners may not always be so cut and dry. Say you are a tech company supplying technology that has been sanctioned from being imported to Russia. Over the course of business, you may find out that the new customer you were about to supply that tech to has a reliance on a separate customer that is state-owned. In that case, your company would need to evaluate the connections of your prospective customer to ensure that there are no liabilities present.

For a macro perspective, there is also the issue of planning global ventures to navigate geopolitics and risky relations. These situations must take into consideration regional tensions, such as that between the Middle East and Israel.

The issue of lobbying is one that should be considered as well, because a state-owned or backed company may attempt to influence your business to rise to the occasion. Whilst in some cases, state-backing can be a boon, danger could arise from discreet or unknown political exposure. If something is “off the radar”, it could mean that there is something to hide.

In many areas of the world, it’s impossible to do business with important state-owned entities without at least having gratitude payments involved. It’s also very common in some countries to have a former high ranking Politically Exposed Person (PEP) or government official connected to a state-owned company, where the PEP’s own companies on the side are taking advantage of the state-owned one. It’s even possible for these individuals to continue to benefit from this type of action even when they are no longer directly in the state-owned company.

Overall, there is no one-size-fits-all casting for state-owned or politically exposed entities as a whole, as it is all dependent on the laws and geopolitical context of each unique situation. That said, we hope this article has provided you with some perspective on how investigators may draw evidence-based conclusions regarding entities with political connections.

For more content like this, follow @CentryLTD on Twitter! This article was co-written by Oskar Savolainen and Kristina Weber of Centry Ltd.

 

Faults in Keyless Car Entry Systems


Keyless entry systems in cars may be a step forward in convenience, but that benefit comes at the steep price of compromised security.

Business Insider reported that two carjackers had been filmed using devices called relay boxes to pick up the signal from the set of keys inside the house and re-broadcast that signal in another location, thus opening up the car. The entire process was less than a minute long.

Another method reported by the Telegraph utilized a radio amplifier, which involves altering the radio frequency in the car to trick the keyless sensor technology into detecting a nearby “fob”. The affected European models include the Ford Galaxy, Audi A3, Toyota Rav4, Volkswagen Golf GTD, and Nissan Leaf. Researchers believe that dozens of other keyless models could be at risk.

The National Insurance Crime Bureau tested a similar relay device on used cars at dealerships and found that in 19 of its 35 tests, the device was able to unlock the vehicle. In 18 of those 19 entries, it was able to start the car. NICB said that these relay boxes are just one variety of a vast potential for wireless theft devices, which means that automakers are going to have to bolster vehicle security.

While it is ultimately up to the manufacturers to develop defenses for this, there are a few things you can do as a car-owner to protect your vehicle.

First, you should contact your dealer and ask about the digital features in your car, specifically whether or not there have been any software updates that can be implemented. Next, check if your keyless entry fob can be turned off – if it can, do so when you will be away from the vehicle.

Finally, for additional peace of mind you can use a steering lock or keep your fob in a Faraday bag, which is a pouch designed to block radio transmissions.

This article was written by Kristina Weber of Centry Ltd. For more information like this, follow @CentryLTD on Twitter!

5 Ways Businesses Blunder on Compliance

An effective compliance program is essential to ensuring business functionality across the globe. It is not enough to merely implement the program – it must also be fluid, in that it is properly and competently administered. The list below outlines some common mistakes that organizations make, which can lead to inefficient compliance strategies or breaching regulations.

Poor due diligence:

Failing to properly vet a third party entity before conducting business can drag a company’s reputation and standard down. Most companies spend time making sure that they are operating above board and in accordance with both domestic and international regulations. However, where the mistake comes in is assuming that the third party entity has a similar moral standard. The findings from due diligence can be priceless, whether it is detecting non-compliant actions in a potential third party and saving your company’s reputation and money, or investing in trust knowing that the third party has a clean slate.  

Using out of date technology for compliance programs:

Another common error that companies make is using legacy technologies that don’t work to manage their compliance programs. Oftentimes these go un-updated due to factors such as cost or technical constraints. These programs can become a headache for global compliance efforts because they can be fragmented according to activity-specific vendors, which makes reporting more difficult on a grand scale and increases the administrative cost. Companies that want to avoid issues arising from legacy tech might want to consider compliance platforms and secure cloud-based solutions.

Lack of effective communications between different teams:

Siloed security teams can lead to mixups or situations in which the relevant information is not available to an involved party. There is a lot of teamwork that goes into developing security policies – there are those who create and enforce the policies, those who ensure optimal system functionality, and those who tie those security policies to business applications. These teams don’t always interact with each other, but their responsibilities are collaborative.

Allowing undocumented changes on the fly:

An essential part of compliance and risk management is documenting everything. If businesses don’t encourage documentation, they run the risk of, at best, having policies for which there is no explanation and, at worst, breaching compliance regulations.

Failure to thoroughly train employees:

Once the compliance program has been implemented, it is of utmost importance to ensure that it gets clearly communicated to everyone in the business. Training should be frequent and thorough, making sure to cover all aspects of the program and how it translates into everyday work life for company personnel. So many data breaches in recent times have been due to human error. Whether these were instances caused by a lack of adherence to security policies or simply ignorance on part of the individual, your business has the ability to address both issues. Training is an easy win in the long run of compliance.

This article was written by Kristina Weber of Centry Ltd. For more content like this, follow @CentryLTD on Twitter!

Centry’s Online Guide


Security is more than the concept of a guard holding vigil over a point of access, or data breach of some far off corporation. Our readers may have noticed a common theme in our posts wherein we talk about security being only as strong as the weakest link. This is because the concept of protection is not an external force that works its way in, but rather it is highly personal, relying on a network of individuals to make conscientious choices.

Today, we are moving away from the grand scale of business security to focus on just one point: You.

Think about all of the ways that you almost automatically take precautions to protect yourself and your belongings in the physical space around you. You may lock the door when you leave your house, or ensure that your vehicle has an alarm to deter intruders. Maybe you choose to wear cross-body bags instead of ones that fit only over the shoulder. Perhaps your important documents are kept in a locked file cabinet.

All of these are precautions and measures taken to protect your belongings and livelihood.

But what about online?

Now consider all of the times you have entered your credit card information into a website as you were shopping. All of the emails you open and send. All of the apps on your smartphone. Perhaps, even, a VPN that you have chosen.

Are you protected?

Fortunately, we are here to help you! Over the past few months, we have written a variety of quick and easy guides to secure your online life. Here, we provide the breakdown for you. Empower yourself with knowledge, and feel free to share this master post!

Social Media

5 Tips for Smart Social Media

Hook, Line, and Sinker: Phishing on Social Media

Email

4 Ways to Secure Your Email

Smartphone

4 Tips to Secure Your Smartphone

VPN

VPNs: What Not to Choose

We hope that you find this list helpful, and feel free to contact us @CentryLTD on Twitter or here on our blog if you have any questions or comments!

The Paradise Papers

Over the past week, we have been confronted with a steady stream of revelations from the Paradise Papers, which refers to a trove of 13.4 million files taken mostly from the offshore law firm, Appleby. The documents were obtained by Süddeutsche Zeitung, a German newspaper.

Appleby is a market leader in the offshore legal service provider business, with locations in Bermuda, the British Virgin Islands, the Cayman Islands, Isle of Man, Jersey, Guernsey, Mauritius, and Seychelles as well as Hong Kong and Shanghai. It’s a member of the “Offshore Magic Circle,” which is a global network of lawyers, consultants and other execs that advise companies in tax havens.

Since the Paradise Papers have made their way around journalism venues, Appleby made a statement criticising the media outlets for using information that may have “…emanated from material obtained illegally and that this may result in exposing innocent parties to data protection breaches.”

However, as evidenced by the Paradise Papers, we have been able to see that Appleby has a history of dubious clients. Among them, many are corrupt politicians, internationally sanctioned businessmen, and convicted tax evaders. Some examples of these include a suspected member of the Chinese mafia, a man who was extradited to Mexico for fraud, and a client with ties to financial gains from criminal activity – who was later murdered.

Money typically moves through tax havens in various countries mainly for the purpose of hiding the true wealth of the assets, to launder it, or otherwise evade taxes. People who do this are typically involved in large businesses or are wealthy individuals.

The first day of the disclosures revealed some big names, and among them were some 120 US politicians including Mr. Trump’s Commerce Secretary Wilbur Ross.

Ross has a stake in a shipping firm that has millions of dollars in revenue from a company whose key owners include Putin’s son-in-law and a Russian oligarch that has been sanctioned by the US Treasury Department.

The firm is called Navigator Holdings, and it draws in millions of dollars transporting gas for one of its top clients – Sibur, which is a Russian energy giant. Although Ross sold off a number of other holdings, he retained an investment in Navigator, which continued to conduct business with Sibur even in the wake of the unrest in Ukraine.

Others reported in the papers include Stephen Bronfman – friend and advisor of Justin Trudeau, Queen Noor of Jordan, Uganda Foreign Minister Sam Kutesa, Brazil Foreign Minister Campos Meirelles and a Russian billionaire investor named Yuri Milner. The details on Milner additionally reveal large stakes in Facebook and Twitter, both of which have come under fire recently for airing US political ads created by Russians.

Another big firm to come under scrutiny is Apple. The Paradise Papers have shed light on the company’s search for a new place to bank after more than twenty years of benefiting from the artificially low taxes in Ireland. For years Apple funneled most of its overseas profits through Ireland, where arrangements with the Irish government permit the company to pay an artificially low rate of tax.

While in some cases, investing offshore is not expressly illegal, it is secretive in nature and can be twisted to suit nefarious purposes. It is difficult to obtain a clear picture of what someone is doing with their money when they are using five or six different offshore havens, especially because law enforcement does not have an easy time crossing borders.

For more content like this, follow us on Twitter @CentryLTD and check back for weekly updates on Centry Blog!

Unraveling the Equifax Data Breach

Equifax is one of the three largest consumer credit reporting agencies, collecting information on over 800 million individuals and 88 million businesses worldwide. In September 2017, it announced that it had experienced a cyber-security breach, wherein the personal details of more than 145 million Americans were leaked. The information included their full names, addresses, driver’s license numbers, birthdays, and most drastically – their social security numbers. With all of these personal details in hand, malicious entities could open credit cards in the victims’ names, purchase homes, open bank accounts, take car loans, etc.

Although the breach reportedly happened in July, it was not until September that the former CEO of Equifax, Richard Smith, released a public statement about the breach. In the interval between the breach and the announcement to the public, CBS News reported that Chief Financial Officer John Gamble and two other executives, Rodolfo Ploder and Joseph Loughran, sold a combined $1.8 million USD in company shares almost immediately after. Equifax made a statement on the subject that suggested the executives were not aware that the breach had occurred at the time they sold their shares, despite the fact that Equifax detected the breach on July 29th, and the shares were sold on Aug. 1st and 2nd respectively.

So how did the breach even happen? The New York Times reported that the former CEO of Equifax claimed it was a single employee’s error. On several occasions, Mr. Smith referred to an individual in Equifax’s technology department that failed to ensure the implementation of critical software fixes and did not heed security warnings. Furthermore, the Department of Homeland Security had sent Equifax an alert in March about a critical vulnerability in software. Equifax has endured a number of breaches over the years, including one incident where a woman named Katie Manning received ~300 credit reports of random individuals in the mail after she tried to check her own report. The information on the other reports had details similar to those in the 2017 leak – social security numbers, dates of birth, bank account numbers, etc.

Furthermore, in the wake of this year’s data breach, Equifax set up http://www.equifaxsecurity2017.com/, which is a site to help people determine whether or not the data breach affected them. In order to demonstrate the vulnerability of this website and its domain name, a software engineer set up a fake website, rearranging the words in the domain to securityequifax2017. It was an example of a fake phishing site, purportedly set up to educate people rather than actually steal their information – and it worked. People fell for it. Not just customers of Equifax, but Equifax itself. The company’s official Twitter account responded to customer inquiries by tweeting the link to the fake site instead of the real one. A banner at the top of the fake site read “Cybersecurity Incident & Important Consumer Information Which Is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?” What we have seen in the wake of this breach seems to be a series of human failures that, due to the magnitude of the company and the sensitivity of the information it handles, are having catastrophic reach.
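
The lookalike-domain problem described above, as an added example (not code from Equifax or from the original article): a pre-send check that screens the links in a draft customer reply against the official host and flags hosts built from the same words in another order, or within two edits of the official label. The function names, the two-edit threshold and the sample draft are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Allowlist and brand words come from the domain quoted in the article.
OFFICIAL_HOSTS = {"equifaxsecurity2017.com", "www.equifaxsecurity2017.com"}
OFFICIAL_LABEL = "equifaxsecurity2017"
BRAND_TOKENS = ("equifax", "security", "2017")
_TOKEN_RE = re.compile("|".join(sorted(map(re.escape, BRAND_TOKENS), key=len, reverse=True)))
# Loose URL matcher for free text (assumption: ASCII hostnames only).
_URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

# Constructed sample: a support reply drafted with the wrong link.
SAMPLE_DRAFT = ("To check whether you were affected, visit "
                "https://www.securityequifax2017.com/ today.")


def host_of(url):
    """Return the lower-cased hostname of a URL or bare host, '' if none."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat a bare host as the netloc
    return (urlsplit(url).hostname or "").rstrip(".")


def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[len(b)]


def classify(url):
    """Return 'official', 'lookalike-words', 'lookalike-typo' or 'unlisted'."""
    host = host_of(url)
    if host in OFFICIAL_HOSTS:
        return "official"
    verdict = "unlisted"
    # Check every label, so the brand placed in a subdomain is caught as well.
    for label in host.split("."):
        squashed = label.replace("-", "")
        tokens = _TOKEN_RE.findall(squashed)
        # Same brand words in any order (or the right label on the wrong host).
        if "".join(tokens) == squashed and sorted(tokens) == sorted(BRAND_TOKENS):
            return "lookalike-words"
        if edit_distance(squashed, OFFICIAL_LABEL) <= 2:  # assumed threshold
            verdict = "lookalike-typo"
    return verdict


def screen_reply(text):
    """List (url, verdict) for every link in a draft that is not official."""
    return [(u, v) for u in _URL_RE.findall(text) if (v := classify(u)) != "official"]


if __name__ == "__main__":
    for url, verdict in screen_reply(SAMPLE_DRAFT):
        print(f"BLOCK {url}: {verdict}")
```
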

Timing is key when notifying stakeholders of a breach. That Equifax took so long to make a statement about its July 29th discovery damaged consumer-business relations, particularly when combined with the knowledge that company executives were selling shares before information on the breach went public. By contrast, Article 33 of the General Data Protection Regulation (GDPR) states that organizations should notify stakeholders within 72 hours of discovering a breach. A lesson to be learned here will be to preserve stakeholder relationships by ensuring they are well informed of the goings on of their investment.

Individuals affected by the Equifax breach should additionally be mindful of scams cropping up to ‘assist’ them in the recovery, as there are many malicious entities that may see this as an opportunity to further take advantage of the leak.

For any further questions or comments, feel free to contact us at info@centry.global or @CentryCyber on Twitter!