Bitcoin and Credit Cards: Scams and Money Laundering

Bitcoin has been facing trouble this week due to a series of crackdowns by the Chinese government. First, the People’s Bank of China stated that bitcoins did not qualify as currency and barred its banks and payment systems from being involved. Later, this ruling was extended to third party payment processors, meaning that bitcoin could only be exchanged in private transactions. The initial justification given was that people must be protected from speculation and wild changes in price – but the chilling effect has led to bitcoin losing half of its value. Presumably Chinese investors must now return to property speculation.

Negative reactions from government agencies, law enforcement, and established financial businesses are to be expected because they see digital currencies as a threat to their existing systems of checks and controls over financial transactions, their ability to regulate the market, to implement monetary policy, to protect consumers, and to oppose organized crime. Such fears have been fanned by a series of high profile scams and losses.

Some countries, such as Denmark, have taken a more level-headed approach, however, warning people of risks, but not rushing to implement draconian regulations.

In this article I explore the benefits and dangers of bitcoin, especially relative to the existing credit card payment system. I consider some ways that individuals can avoid financial loss and law enforcement can control money laundering. I argue that governments should not over-react, because there are reasonable regulatory approaches to tame, rather than ban this promising technology.

The bitcoin system is a peer-to-peer currency that is built on modern cryptographic innovations. In order to own bitcoins, a user must possess a wallet, which is simply a pair of cryptographic keys. Despite the fact that a wallet is often portrayed in the media as actually holding money, the information about who owns what in fact resides in a common database which is globally copied via non-stop chatter between computers. Wallet keys just provide the ability to unlock the creation of new transactions into or out of a particular account, with all transactions being public information. Bitcoins are not in any sense stored in the wallet that you keep on your computer.

The first of the two wallet keys is the public key. This references a particular record of value, and once you know someone’s public key, you know their wallet address, and you can send bitcoin into that wallet from anywhere in the world.

However, in order to actually spend the money by sending it to someone else, you need a second key: the private key. Any people who hold the private key for a wallet have control over the associated money and can spend it at will. Ownership of funds is entirely based on knowing a private key.

Since wallet keys are just small amounts of information, they can be stored using any method that we normally use to store data: in the cloud, on a local computer, on a USB drive, written down on paper, or committed to memory. Your money is only as safe as your control over this information. Bitcoin losses by scams or hacking, which have frequently been in the news, all come via obvious routes:

  • A person was psychologically manipulated into sending their money to a scammer.
  • A person used an on-line wallet where their private key was entrusted to the operator of a web site who chose to abscond with their money, or where hacking, technical issues, bankruptcy, legal actions against the operator, or law enforcement seizures rendered their money inaccessible.
  • A person created a wallet on their local machine which was then hacked to obtain the private key.
  • A person placed a wallet on a drive but then accidentally deleted it, or else the drive was lost, stolen, failed, or was destroyed.
  • A person printed the keys onto paper which was then lost, defaced or destroyed.

The lesson from these experiences is that users always need to understand and maintain the security of wallet keys, especially if large amounts of money are involved!

The reason why these loss scenarios are reported as problematic, and not merely resulting from lack of common sense, is that we are used to living in a society where the security of our funds is someone else’s problem, and where our government, banks or financial companies are legally bound to make us whole if something goes wrong. In its present state, bitcoin puts all this responsibility back on the user.

It may seem that using the bitcoin system for commerce is full of risks, but in order to get some perspective, I want to compare it to the use of credit cards.

If you want to spend money on a credit card you need to know the card number and the expiration date, and possibly also the security code and the account holder’s address. This combined information is equivalent to the bitcoin private key.

In the bitcoin system you never need to give anyone your private key – to buy goods, you use it to create a new transaction going from your wallet to an address that you obtain from the merchant. This is called a ‘push model’: you push money from your own account to a merchant account. The transaction only involves you and the merchant, and the merchant never obtains information that can be used to extract money from your account.

In the credit card world – an archaic system invented in the 1960s before the development of modern encryption – you must hand out your private information to every merchant that you want to buy from, no matter how shady. The system works by using a ‘pull model’ where your credit card information authorizes the merchant to pull money out of your account via three credit card transacting intermediaries who also take a cut. This creates the need for a whole lot of trusted parties and communication links and ends up with a situation where you are always handing out your private account key. You have no control of what each merchant does with credit card numbers and how securely they store them for future transactions. In addition, your personal financial transactions are logged by multiple agencies, who use them for targeted advertising or law enforcement activities.

Not surprisingly, the widespread dissemination of credit card information in this manner produces many opportunities for fraud. In fact credit card losses in the USA alone cost the industry $190 billion in 2009. This yearly loss to criminal activity is 20 times the current global market capitalization of bitcoin. Consumers simply would not use credit cards if they themselves were liable for fraudulent charges, and therefore since issuers are forced to absorb much of the loss, they have to work tirelessly to reduce these figures.

If the credit card payment system could be migrated to a push model by layering a user-friendly interface on top of bitcoin or by using some other future payment mechanism which does not involve disseminating private information to potential fraudsters, much of this loss would be prevented. In an ideal world, the industry should welcome such technological innovations.

Apart from the concern about fraud, much of the active opposition to bitcoin comes from government agencies fearful of money laundering or loss of monetary control in global finance.

Money laundering is the act of bringing proceeds obtained from illegal activity into the realm of legitimate operations so that the money can be spent freely. Dirty money is converted to clean money by making it seem like it came from a legal source.

Common money laundering operations involve setting up businesses which deal with consumers who frequently transact in cash, so that cash from illegal operations can be inserted as though it was legitimate income or given out in exchange for legitimate funds. Networks of local stores, casino operations, or private ATMs are easily co-opted for such purposes. Other methods include: splitting dirty money into small batches which are moved off shore and then combined as investments into supposedly legal businesses; gaining control over small banks; or alternatively, using private transactions to purchase anything of value, such as houses, cars, diamonds, or even perhaps British premiership soccer teams, all of which can be re-sold later to obtain clean funds.

Historically, criminals have made use of relatively anonymous cash instruments, such as money orders, to break the documentation trail of fund movements. However, with the digital age many more opportunities exist for laundering that don’t involve the movement of physical goods. Cryptocurrencies such as bitcoin, or currencies used within computer games such as Second Life, Entropia Universe, or other multiplayer games with virtual economies, facilitate money laundering because funds can be freely exchanged with dollars. Even games that only allow restricted conversion of dollars to digital goods can be used for laundering because secondary markets exist for virtual goods or for re-selling access to game accounts that have been fully loaded with credit.

The attraction of these newer routes is that they are unregulated, complex to track, and require no obvious physical goods or operations. The greater efficiency afforded by automated computer approaches to creating a clean money stream may be attractive to criminals since the cost of setting up and staffing a network of conventional business fronts for laundering may return only cents on the dollar.

The annual amount of money laundered by organized crime is largely unknown because a covert process cannot be realistically measured. Governments attempt to restrict this activity by imposing many kinds of reporting requirements on financial institutions as well as monitoring and controlling the flow of cash or wire transfers across borders. Anti-laundering practices have been criticized by financial service industries as costly and ineffective and largely driven by rhetoric.

In order to consider the extent to which bitcoin may be used for laundering, we need to understand whether bitcoin transactions are actually anonymous. There is a lot of confusion over the level of privacy in the bitcoin system because it has been variously reported in the media as being an anonymous or secretive system of payment, while at the same time it technically makes use of a completely public database which can be trivially inspected by anyone visiting the blockchain.info web site.

As an example, if one inspects the information about the wallet with an address starting with 1BeQ2fSB… which can be viewed here, it is possible to see that (at the time of writing) there were three incoming and outgoing transactions of 1.9, 7 and 4.5 bitcoins on November 3rd, November 8th, and December 17th 2013, involving other addresses which are given. It is possible to follow the chain of money transfers as far as one might desire as amounts split and merge between accounts. This information is public and is updated in real time. This means that if we know who possesses the secret key that allows control of a particular wallet, we would also have identified the owner and could follow every transaction they made. The pattern of bitcoin movements is therefore fully transparent.

However, since a new pair of wallet keys can be generated at any time, for example by going to bitaddress.org, it is easy to create an anonymous place to store funds. But merely storing funds is not of much use – we would want to buy or sell items or exchange them for dollars or other currencies.

In order to convert bitcoin to dollars, two main options exist: exchanging them for cash in a private deal with someone who wants to buy bitcoin, or else selling them on an exchange such as Mt Gox, or via a middle man operation like Coinbase. Both of these latter methods involve linking to a bank account and are potentially subject to regulatory money laundering scrutiny in every country. So while it is possible to move funds around the network with ownership deniability, it is relatively difficult to cash out of the system anonymously, especially when large quantities of money are involved.

Once a single wallet has been associated with a crime, all funds leading out of this wallet are completely traceable using elementary network analysis in real time using the publicly available transaction data, and attempts to exchange money into a bank account from any addresses that received from this source could easily be flagged.

It is not hard to envisage a public service database which is set up by law enforcement or other interested parties to track and mark suspicious bitcoin activities. Such a database would record transactions as they come in and associate metadata with all wallets to indicate if they received funds directly or indirectly from any wallets known to be associated with illegal operations. Regulators might require that exchanges consult this database before allowing people to sell bitcoin in order to obtain dollars or other fiat currencies, restricting the ability for criminals to cash out their proceeds. People involved in private commercial transactions might also use such a database to check that the funds they are receiving for goods were not tainted.
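An added example, not code from the original article: a minimal sketch of the tracking database described above, which propagates a flag from a known-bad wallet through a chronological ledger and screens exchange deposits against it. The ledger, address labels and function names are constructed for illustration, and the sketch assumes a simplified account model rather than Bitcoin's actual transaction-output structure.

```python
# Constructed sample ledger in chronological order:
# (tx_id, sender, receiver, amount_btc). Labels are made up, not real addresses.
LEDGER = [
    ("t1",  "THEFT",  "A",     10.0),
    ("t2",  "C",      "H",      1.0),  # C pays H *before* C receives marked funds
    ("t3",  "A",      "B",      6.0),
    ("t4",  "A",      "C",      4.0),
    ("t5",  "B",      "MIX",    6.0),  # marked funds enter a tumbler
    ("t6",  "CLEAN1", "MIX",    6.0),  # an unrelated user enters the same tumbler
    ("t7",  "MIX",    "D",      6.0),
    ("t8",  "MIX",    "E",      6.0),
    ("t9",  "CLEAN2", "F",      3.0),
    ("t10", "D",      "EXCH1",  6.0),  # deposit address at an exchange
    ("t11", "F",      "EXCH2",  3.0),  # deposit address at an exchange
]

def trace_taint(ledger, flagged):
    """Walk the ledger once in time order and mark every address that received
    funds, directly or indirectly, from a flagged address.
    Returns (hops, parent): hops[addr] is the distance from a flagged source at
    first arrival, parent[addr] is the (sender, tx_id) that first marked it."""
    hops = {addr: 0 for addr in flagged}
    parent = {}
    for tx_id, sender, receiver, _amount in ledger:
        # Only a sender that is already marked at this point in time
        # can pass the mark on; earlier payments stay clean.
        if sender in hops and receiver not in hops:
            hops[receiver] = hops[sender] + 1
            parent[receiver] = (sender, tx_id)
    return hops, parent

def path_to(address, parent):
    """Reconstruct the chain of addresses from the flagged source to address."""
    chain = [address]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]][0])
    return list(reversed(chain))

def screen_deposit(address, hops):
    """Decision an exchange could take before converting a deposit to fiat."""
    return "hold" if address in hops else "allow"

if __name__ == "__main__":
    hops, parent = trace_taint(LEDGER, {"THEFT"})
    for deposit in ("EXCH1", "EXCH2"):
        print(deposit, screen_deposit(deposit, hops), path_to(deposit, parent))
    # E is marked as well, although its coins may be CLEAN1's tumbler output.
    print("E marked:", "E" in hops, "| H marked:", "H" in hops)
```

Address E ends up marked even though the unrelated user CLEAN1 fed the same tumbler, because a binary mark cannot tell the two outputs apart.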

This consumer-level black-listing scenario is not however a good solution in my opinion because all coins should be equal, otherwise people can be tricked into receiving bad coins which end up being worthless, leading to loss of confidence in the currency.

One common method to increase the anonymity of bitcoin transactions is the use of tumblers such as Bitcoin Fog. A user sends the tumbler some funds and the tumbler mixes these up with bitcoin arriving over a designated time window from other users, using many internal wallet transactions to create obfuscation. Eventually the tumbler trickles the funds out, over a few hours, into one or more wallets that the user specifies at the start. This mixing service is commonly used to hide a source of funds and might have legitimate uses in corporate accounting privacy.

However, there are currently two clear limitations of tumblers when applied to money laundering: Firstly, it is not made public how many people are actually using the tumbler at any particular time, and if the volume is low compared with the amount of money to be laundered, then the illicit funds will just be mixed with themselves giving no anonymity. And secondly, the receiver will most likely need to re-consolidate the funds at the end, and so will create an obvious convergence of transactions into a limited number of wallets. The only way around this is to maintain the separation of funds at all times across many thousands of wallets using custom software.

If illicit funds are tracked using a law enforcement database, then the progressive use of distributed wallets and repeated tumbling would diffuse the marked bitcoin throughout the whole system. This is reminiscent of the adage that chemical analysis of most bank notes shows traces of cocaine. It remains to be seen whether modern network analysis can keep up with criminal innovations.

As an example of attempting to track stolen money, consider the recent Sheep scam. This was an illegal operation where around $100 million of bitcoin were allegedly stolen from other conspirators by the operator of an illicit on-line drugs marketplace which was briefly active after the well-publicized fall of Silk Road. According to commentary on Reddit, a large fraction of the stolen funds passed through this wallet. It is possible to see that much of the money went through some kind of tumbling service, but ended up in many wallets that still hold bitcoin which has not yet been used. Numerous interested parties have been following the Sheep funds as they move around. Actually cashing out all this money seems like an extremely difficult task for the perpetrator, especially if he is forced to do it by personally exchanging bitcoin for cash in private street sales. In any case, the historical records of this operation will be available for analysis by researchers and law enforcement for years to come.
 
While the methods I have discussed may help to track the flow of illicit funds, establishing the actual ownership of a particular wallet is more difficult, but may not be impossible.

When a person has an account with an exchange or with Coinbase, or stores money in a web-based wallet, company records will presumably indicate which wallet addresses are associated with which customer, and so are available for subpoena. This would allow law enforcement to establish the identity of certain nodes on the network and trace the flow of funds into and out of these places. Additionally, certain wallets have been publicly associated with particular operators, such as the Satoshi Dice gambling site, and various other enterprises, and ownership of these is often notated at blockchain.info.

When a transaction is initialized from a user’s machine on the bitcoin network, it is necessary for that machine to contact other peers to broadcast this information. Collaboration between law enforcement and ISPs can be used along with deep packet analysis to identify the computer associated with the sending or receiving wallet address. Also by maintaining a strategic network of machines around the globe that process bitcoin operations, governments could constantly gather and record likely originators of specific financial transactions.

Based on these discussions, it is best to think of the privacy of bitcoin as lying somewhere between cash and regular bank accounts. It is as though cash were constantly monitored so that anyone can see how it was changing hands, while only occasionally knowing who spent it. As such it is open to data mining and deep computer analysis.
 
If certain governments try to crack down on bitcoin by making exchanges illegal, then it will not stop criminal use of the system because private buying and selling is always possible; there is always going to be an advantage to bitcoin’s rapid and secure ability to enable international payment which sustains a certain minimum exchange rate. Heavy-handed local government legislation would just provide opportunities for less principled nations around the world to make a lot of money providing bitcoin services.

I think that if governments enforce the same regulations at exchanges as they do at national borders then money laundering will be similarly limited. Governments also have the resources to set up databases and servers for detailed transaction analysis around the globe to catch illegal operations without introducing draconian regulation or suppression of bitcoin commerce. If anything is to be learned from China’s actions and the bitcoin price fall, it is that suppression of exchange is going to be effective for sidelining bitcoin in that nation, but could more productively be replaced with regulatory law by less hard-line authorities.

If consumer protection is a concern, this should grow organically as businesses build user-friendly payment processing products on top of the bitcoin system, creating a layer of accountability with products that are easy to regulate through traditional laws – and the public will naturally choose to use these rather than the underlying technology.

My belief is that we are starting on a revolutionary period of change here. I recommend keeping a level head and not throwing out the potential benefits of a new technology because of panic about criminal misuse when reasonable technological, commercial, and regulatory solutions seem quite feasible.

Accepting whiskey fund donations at 1MEeRmWAViTKsU3ty8dxCrY36Bi635j5k9.