How the war on drugs has become the war on you is an ongoing topic. However, ordinary people would generally dismiss this as more ranting blogs and kooksterising. Until it happens, in which case we simply present the evidence and hope we don't get caught in the cross-fire. From Britain, spotted by Charon QC and noosphere:
Councils get ‘Al Capone’ power to seize assets over minor offences
Draconian police powers designed to deprive crime barons of luxury lifestyles are being extended to councils, quangos and agencies to use against the public, The Times has learnt. The right to search homes, seize cash, freeze bank accounts and confiscate property will be given to town hall officials and civilian investigators employed by organisations as diverse as Royal Mail, the Rural Payments Agency and Transport for London.
The measure, being pushed through by Alan Johnson, the Home Secretary, comes into force next week and will deploy some of the most powerful tools available to detectives against fare dodgers, families in arrears with council tax and other minor offenders. The radical extension of the Proceeds of Crime Act, through a Statutory Instrument which is not debated by parliament, has been condemned by the chairman of the Police Federation. ...
My reading of the article is that this is a done deal. In a new rendition of that old Chinese curse, be careful what you wish for, it seems that the police (Federation) are now opposed to the ill-thought-out extensions of seizure powers.
Paul McKeever said that he was shocked to learn that the decision to hand over “intrusive powers” to people who were not police was made without consultation or debate. “The Proceeds of Crime Act is a very powerful tool in the hands of police and police-related agencies and it shouldn’t be treated lightly,” Mr McKeever said. “There is a behind the scenes creep of powers occurring here and I think the public will be very surprised. They would want such very intrusive powers to be kept in the hands of warranted officers and other law enforcement bodies which are vetted to a very high standard rather than given to local councils.”
His concerns are shared by leading legal figures, who believe that there is a risk of local authorities abusing the powers to search people’s homes, seize their money, freeze their accounts and confiscate their property. They also see parallels with the spread of counter-terrorist surveillance powers to monitor refuse collections and school catchment areas.
They're shocked now, but wait until the councils ask them for advice on how to meet new and rising Home Office profitability targets. Wait, I know! A new role for the FATF: business development for County Police, Local Councils and other stationary Princes.
Wide-ranging confiscation powers were given to police and law enforcement bodies in 2003 to seize the cash and property from drug dealers, people-traffickers and money launderers. They were viewed as “Al Capone powers” — a means of getting at the Mr Bigs of organised crime by seizing wealth accrued from criminality. David Blunkett, then Home Secretary, said law enforcement was targeting “the homes, yachts, mansions and luxury cars of the crime barons”. The expansion of seizure powers is part of a Home Office plan to “embed” financial seizure across the criminal justice system. Ministers set a target to recover £250 million in criminal assets by 2010, rising to £1 billion per year soon after.
Three weeks ago I wrote where this was heading: Mexico. I gave it 20 years, and now it's 20 days later.
Put yourself in the shoes of the Mr Bigs that this targets; do you think they are trembling in their evil boots at the thought of the rubbish police coming after them? Or are they seeing new opportunities for corporate expansion? Or are they worried that they need to move fast to stake out the territory before the Mr Not-So-Big from across town gets a jump on them?
We've established that Audit isn't doing it for us (I, II, III). And that it had its material part to play in the financial crisis (IV). Or its material non-part (II). I think I've also had a fair shot at explaining why this happened (V).
I left off last time asking why the audit industry didn't move to correct these things, and especially why it didn't fight Sarbanes-Oxley as being more work for little reward? In posts that came afterwards, thanks to Todd Boyle, it is now clear that the audit industry will not stand in front of anything that allows its own house to grow. The Audit Industry is an insatiable growth machine, and this is its priority. No bad thing if you are an Auditor.
Which leaves us with a curious question: what then stops Audit from growing without bound? What force exists to counterbalance the natural tendency of the auditor to increase the complexity, and increase the bills? Can we do SOX-1, SOX-2, SOX-3 and each time increase the cost?
Those engineers and others familiar with "systems theory" among us will be thinking in terms of feedback: all sustainable systems have positive feedback loops which encourage their growth, and negative feedback loops which stop their growth exploding out of control. In earlier posts, we identify the positive feedback loop of the insider interest. The question would then be (for the engineers) what is the negative feedback control?
Wikipedia helpfully suggests that Audit is a feedback control over organisations, but where is the feedback control over Audit? Even accepting the controversial claim that Sarbanes-Oxley delivered better reliability and quality in audits, we do know there must be a point where that quality is too expensive to pay for. So there must be a limit, and we must know when to stop paying.
And now the audit penny drops: There is no counterbalancing force!
We already established that the outside world has no view into the audit. Our chartered outsider has taken the keys to the citadel and now owns the most inner sanctums. The insider operates to the standard incentive, which is to improve its own position at the expense of the outsider; the Auditor is now the insider. Which leads to a compelling desire to increase the size, complexity and fees of Audit.
Yet the machine of audit growth has no brake. So it has no way to stop it moving from a useful position of valuable service to society to an excessive position of unsustainable drain on the public welfare. There is nothing to stop audit consuming the host it parasites off, nor is there anything that keeps even the old part of the Audit on the straight and narrow.
And this is more or less what has happened. That which was useful 30 years ago -- the opinion of financial statements, useful to educated investors -- has migrated well beyond that position into consuming the very core of the body corporate. IT security audits, industry compliance audits, quality audits, consulting engagements, market projects, manufacturing advice, and the rest of it now consume far more of their proper share.
Many others will point at other effects. But I believe this is at the core of it: the auditor promises a result for outsiders, has taken the insiders' keys and crafted a role of great personal benefit, without any external control. So it follows that it must grow, and it must drift off any useful agenda. And so it has, as we see from the financial crisis.
Which leads to a rather depressing conclusion: Audit cannot regulate itself. And we can't look to the government to deal with it, because that was part & parcel of our famous financial crisis. Indeed, the agencies have their hands full right now making the financial crisis worse, we hardly want to ask them to fix this mess. Today's evidence of agency complicity is only just more added to a mountain of depression.
Microsoft has peaked and is on the way down. For those who watched the rise in the 1980s, and the domination in the 1990s, this is good news. It was a long wait.
In the aftermath of the failure of Vista, there is of course a lot of hand-wringing. Some talk about security, notably following CEO Steve Ballmer's admission:
Mr Ballmer said: "We got some uneven reception when [Vista] first launched in large part because we made some design decisions to improve security at the expense of compatibility. I don't think from a word-of-mouth perspective we ever recovered from that."
Let's go back to the basics. As I described in previous posts, the problem is that Microsoft is sitting on a 20 year legacy of insecurity (e.g., 1). Bill Gates recognised that the pre-Internet design assumption was heading into stormy weather, and to his credit tried to turn it around.
But, it turns out that it is easier to turn around a Blackbird than a supertanker, and even Ballmer's legendary energy didn't substantially challenge the Newtonian physics. I have to hand it to them, at least they tried!
The point isn't whether Vista was sunk by security issues (Schneier), or whether it was sunk by marketing & direction failures (as suggested by Mordaxus). This is backwards thinking. The strategic picture is that security issues had to succeed in order to save Microsoft's dominant position.
The fact now clear is that Vista failed, and this has consequences for Microsoft. Firstly, the security problem is still there, so they will still have to figure that one out. Secondly, it means that anyone concerned with security over the last decade has now had a long time to discover the solution. For the most part it is a mixture of (a) stick with old/simpler Microsoft systems, (b) switch to Mac as highlighted on this blog, or (c) switch to other more reliable (==secure) technologies like web-based, cloud, smart-phone etc. Thirdly, while Microsoft was grappling with the problem, the PC-to-Internet equation of the 1990s has shifted. It is now a much different place.
Ultimately, it means the end of dominance for Microsoft. Like the year 1989 for IBM, the emergence of the credible alternates is no longer just hopeful talk, it is concrete. And a big correction is needed, and as seen in the chart on market caps, the market has done that over the last decade.
But unlike IBM in 1989, Microsoft does seem to know its fate. Bill Gates is the King, and he sealed his legacy by signalling this pain in a really big way back in 2002. So instead of a mass riot, a run for the bank, a complete collapse of confidence as we saw in 1989, it looks like we are now heading to a more regularised market in IT. The big players are now all within striking distance of each other. They all have some particularly strong territory, they all can defend their territory, and they can all look at the new stuff and wonder if they can get in for some of it. The IT market is now interesting again.
Welcome to the next decade!
I just had to write about this one:
The greenback is heading for the trough of a super-cycle that started in August 1971, Uno said, referring to the Elliot Wave theory, which holds that market swings follow a predictable five-stage pattern of three steps forward, two steps back. The dollar is now at wave five of the 40-year cycle, Uno said. It dropped to 92 yen during wave one that ended in March 1973. The dollar will target 50 yen during the current wave, based on multiplying 92 with 0.764, a number in the Fibonacci sequence, and subtracting from the 123.17 yen level seen in the second quarter of 2007, according to Uno.
The Elliot Wave was developed by accountant Ralph Nelson Elliott during the Great Depression. Wave sizes are often related by a series of numbers known as the Fibonacci sequence, pioneered by 13th century mathematician Leonardo Pisano, who discerned them from proportions found in nature.
! Well, I'll bet all the technical traders are packing up their books and retiring, now that they've heard this news.
More seriously, the problem with fundamental analysis (like the above) is that although it can be very right, it can also be very hard to time. Case in point: I predicted the shift in the dollar (and so did a lot of others). But I predicted it around 2001, and it just didn't happen according to any schedule I could see. So this information is interesting but relatively worthless on a daily basis.
On the other hand, the technical trader works to patterns. To scientists this seems more like voodoo or interpreting the future from chicken entrails, and to all objective metrics it is like that. But the technical traders swear by it, and they promise it makes them money.
What's the truth? I think it is clear that complexity is such that fundamentals can't be time-predicted so easily. Which means that day-to-day is unpredictable, being the random walk. But something has to happen (never forget the Stiglitz observation), and it happens in the minds of the traders. Ideas for patterns emerge: cat droppings & bouncings, peaks & troughs, decision points. The ideas that are consistent over time are probably decided by the efficiency of meme-spreading more than anything else, which then leads to the patterns becoming self-confirming.
So where are we heading? Well, the dollar is no longer the undisputed champion. But it will still retain leadership for some time, a steady decline into a more dispersed market. People talk about alternates:
Uno said after the dollar loses its reserve currency status, the U.S., Europe and Asia will form separate economic blocs. The International Monetary Fund’s special drawing rights may be used as a temporary measure, and global currency trading will shrink in the long run, he said.
But that doesn't make sense; as Chris says:
As a bear of little economic brain but with market experience approaching 25 years, I prefer to deal with the practical, rather than the theoretical. I observe that the transaction currency is relatively unimportant, because the foreign exchange market allows an alternative currency to be used in a microsecond. What matters is, for a consumer, the capability to make future payments in the transaction currency; and for a producer, where and in what currency and asset class the proceeds of sale may be invested.
Right.
I propose an entirely different approach, and that is to distinguish between the value standard we use, and the currencies we exchange by reference to the standard. Firstly, a fixed amount of energy - for instance the energy value of a liter of gasoline, or its equivalent in kilowatt hours - would be intuitively obvious as a pricing reference. Most people could relate to that, and whether the unit is called a petro, electro, or an energy dollar is irrelevant.
Secondly, there is the need for nationally and globally acceptable units of currency as a store of value. A unit redeemable in land rental value could perhaps be a nationally acceptable currency, but for international acceptance or "fungibility" the obvious candidates are electricity, which is pure energy, and carbon-based fuels, such as natural gas, gasoline, kerosene, heating oil and fuel oil.
If a new force is to emerge, it won't be a political unit like the IMF's accounting thing, nor will it be a historical thing like gold, but will be backed by something substantial. Energy is one universal, and if anything it is going up in value and demand, not down (so it doesn't equate to Moore's law or technology reductions, nor to natural commodity pricing).
But also, we should be very careful not to attach the dollar's pain to the American economy. Although it will suffer one hell of a hangover, bear in mind this observation from the Economist:
Only one thing seems sure about the future of the digital skies: the company or companies that dominate it will be American. European or Asian firms have yet to make much of an appearance in cloud computing. Nokia, the world’s biggest handset-maker, is trying to form a cloud with its set of online services called Ovi, but its efforts are still in their infancy. Governments outside America may harbour ambitious plans for state-funded clouds. They would do better simply to let their citizens make the most of the competition among the American colossi.
Practically all new value is created in North America. They may have sacrificed their dollar over the irrational exuberance, but the attitudes in creating new value run deep; Europe can't do it, and most all other new countries copy the essential model of post WWII Japan: copy and out-perform.
(So much for a quick post!)
Nobody likes criminals. Even criminals don't like criminals; they are unfair competition.
So it is with some satisfaction that our civilisation has worked for a thousand years to suppress the criminal within; going back to the Magna Carta, where the institution of the monarch was first separated from the money-making classes and the criminal classes, both. Over time, this genesis was developed to create the rights of the people to hold assets, and the government was firmly oriented to defending those rights.
One of those hallowed principles was that of consolidated revenue. This boring, dusty old thing was a foundation for honest government because it stopped any particular agency from becoming a profitable affair. That is, no longer government for the people, but one of the money making or money stealing classes mentioned above.
Consolidated Revenue is really simple: all monies collected go to the Treasury and are from there distributed according to the budget process. Hence, all monies collected, for whatever purpose, are collected on a policy basis, and are checked by the entire organisation. If you have Budget Day in your country, that means the entire electorate. That electorate, if unhappy, throws the whole sorry group out on the streets every electoral cycle, and puts an entirely new group in to manage the people's money.
This simple rule separates the government from the profit-making classes and the criminal classes. Break it at your peril.
Which brings us to the FATF, the rot within modern civilisation. This Paris-based body with the soft and safe title of "Financial Action Task Force" deals with something called money laundering. Technically, money laundering exists and there is little dispute about this; criminals need a way to turn their ill-gotten gains into profit. When criminals get big, they need to turn a lot of bad money into good money. So part of the game for the big boys was to set up large businesses that could wash a lot of money. It is called laundering, and washing, because the first large-scale money-cleansing businesses were laundries or launderettes: shops with coin-operated washing machines, which took lots and lots of cash, in a more or less invisible fashion. Etc etc, this is all well known, undisputed, a history full of colour.
What is much more disputable is how to deal with it. And this is where the FATF took us on the rather short path to a long stay in hell. Their prescription was simple: seize the money, and keep it. It is indeed as simple as the law of Consolidated Revenue. Which they then proceeded to break, as well, in their innocence and goodliness.
The Economist reports on how far Britain, a leader in this race to disaster, has come in 30 short years it has taken to unravel centuries of governance:
The public sale of criminals' property, usually through auction houses or salvage merchants, has been big business for a long time. The goods are those that crooks have acquired legitimately but with dirty money, as opposed to actual stolen property, which the police must try to reunite with its rightful owners. Half the proceeds go to the Home Office, and the rest to the police, prosecutors and courts. The bigger police forces cream off millions of pounds a year in this way (see chart).
So if a crook steals goods, the police work for the victim. But if a crook makes money by any other means, the police no longer work for the victim, but for themselves. We now have the Home Office, the prosecutors, the courts, and the humble British Bobby well incentivised to promote money laundering in all its guises. Note that the profit margin in this business is *well in excess of standard business rates of return* and we will then have no surprise at all that the business of legal money laundering is booming:
Powers to confiscate criminals' ill-gotten gains have grown steadily. A drugs case in 1978, in which the courts were unable to strip the traffickers of £750,000 of profits, caused Parliament to pass asset-seizure laws that applied first to drug dealers, and then more widely. The 2002 Proceeds of Crime Act expanded these powers greatly, allowing courts to seize more or less anything owned by a convict deemed to have a "criminal lifestyle", and introducing a power of civil recovery, whereby assets may be confiscated through the civil courts even if their owner has not been convicted of a crime.
Everyone's happy with that of course! (Read the last two paragraphs for a good, honest middle-class belly laugh.) Of course, the normal argument is that the police are the good guys, and they do the right thing. And if you oppose them, you must be a criminal! Or, you like criminals or benefit from criminals or in some way, you are dirty like a criminal.
And such it is. This is the sort of thought level that characterizes the discussion, and is frequently brought up by supporters of the money laundering programmes. It's also remarkably similar to the rhetoric leading up to most bad wars (who said "you're either with us or against us?"), pogroms and other crimes against civilisation.
Serious students of economics and society can do better. Let's follow the money:
Since then, police cupboards have filled up fast. Confiscations of criminal proceeds in 2001-02 amounted to just £25m; in 2007-08 they were £136m, and the Home Office has set a goal of £250m for the current financial year. To meet this, new powers are planned: a bill before parliament would allow property to be seized from people who have been arrested but not yet charged, though it would still not be sold until conviction. This, police hope, will prevent criminals from disposing of their assets during the trial.
This is the standard evolution of a new product cycle in profitable business. First, mine the easy gold that is right there in front of you. Next, develop variations to increase revenues. Third, institute good management techniques to reduce wastage. The Home Office is setting planning targets for profit raising, and searching for more revenue. The government has burst its chains of public service and is now muckraking with the rest of the dirty money-grubbing corporates, and is now in a deadly embrace of profitability with the dirty criminal classes.
All because the legislature forgot the fundamental laws of governance!
Can the British electorate possibly rein in this insatiable tiger, now they've incentivised it to chase and seize profit? Probably not. But, "surely that doesn't matter," cry the middle-class masses, safe in their suburban homes? Surely the police would never cross the NEXT line and become the criminals, seizing money and assets that were not ill-gotten?
Don't be so sure. There is enough anecdotal evidence in the USA (1) that this is routine and regular. And unchallenged. It will happen in Britain, and if it goes unchallenged, the next step will become institutionalised: deliberate targeting of quasi-criminal behaviour for revenue raising purposes. Perhaps you've already seen it: are speeding fines collected on wide open motorways, or in danger spots?
The FATF have broken the laws of civilisation, and now we are at the point where the evidence of the profit-making police-not-yet-gang is before us. The Economist's article is nearly sarcastic ... uncomfortable with this immoral behaviour, but not yet daring to name the wash within Whitehall. Reading between the lines of that article, it is both admiring of the management potential of the Home Office (should we advise them to get an MBA?), and deeply disgusted. As only an economist can be, when it sees the road to hell.
Britain stands at the cusp. What do we see when we look down?
We see Mexico, the country that Ronald Reagan hollowed out. That late great President of the USA had one massive black mark on his career, which is a cross for us all to bear, now that he's skipped off to heaven.
Ronald Reagan created the War on Drugs, which was America's part in the FATF alliance. It was called "War" for marketing reasons: nobody criticises the patriotic warriors, nobody dares challenge their excesses. This was another stupidity, another breach of the natural laws of civilisation (separation of powers, or in the USA, this might be better known as the destruction of the Posse Comitatus Act). This process took the "War" down south of the border, and turned the Mexican political parties, judiciary, police force and other powerful institutions into victims of Ronald Reagan's "War". From a police perspective, Mexico was already hollowed out last decade; what we are seeing in the current decade is the hollowing out of the Army. The carving up of battalions and divisions into the various gangs that control the flow of hot-demand items from the poor south to the rich north of the Americas.
When considering these issues, and our Future in Mexico, there are several choices.
The really sensible one would be to shut down the FATF and its entire disastrous experiment. Tar and feather anyone involved with them, run them out of town backwards on a donkey, preferably to a remote spot in the Pacific, with or without a speck of land. The FATF are irreparable, convinced that they are the good guys, and can do no wrong. But politically, this is unlikely, because it would damn the politicians of a generation for adopting childish logic while on duty before the public. And the FATF's influence is deep within the regulatory and financial structure; everyone will be reminded that "you backed us then, you don't want people to think you're wrong..." Nobody will admit the failure, nobody will say «¡Discúlpanos!» to the Mexican pueblo for depriving them of honest policing and a civilised life.
The simple choice is to go back to our civilised roots and impose the principle of Consolidated Revenue back into law. In this model, the Home Office should have its business permit taken away from it, and budget control be restored. The Leicestershire Constabulary should be raided by Treasury and have its eBay and Paypal accounts seized, like any other financial misfits. This is the Al Capone solution, which nobody is comfortable with, because it admits we can't deal with the problem properly. But it does seem to be the only practical solution of a very bad lot.
Or we choose to go to Mexico. Step by step, slowly but in our lifetimes. It took 20 years to hollow out Mexico, we have a bit longer in other countries, because the institutions are staffed by stiffer, better educated people.
But not that long. That is the thing about the natural laws: breach them, and the policing power of the economy will come down on you eventually. The margins on the business of sharing out ill-gotten gains are way stronger than any principled approach to policing or governance can deal with. I'd give it another 20 years for Britain to get to where Mexico is now.
Compelling evidence that FinancialCryptography.com is not deeply read in Washington DC arrived with this fascinating article:
It’s the biggest mystery in global finance right now: Who conducted a sneak attack on the U.S. dollar this week? It began with a thinly sourced but highly explosive report Monday in a British newspaper: Arab oil sheiks are conspiring with the Russians and Chinese to quit using the dollar to set the value of oil trades — a direct threat to the global supremacy of the greenback.
Is it true? Everyone from the head of the Saudi central bank to U.S. officials scrambled to undercut the story, but no matter.
Wakeup America? The collapse of the dollar was first heralded around 2001. The clue was the weaker-than-deserved crash after the dotcom era. Then, as evidence continued to pile in that the Fed was managing the US crises and economy too nicely, and the President was spending too many of the toys chasing towelheads and oil in Asia, the idea of a shift from dollar hegemony to multiple leading units went from theory to inevitability.
War Against the Dollar, the Pillar of United States Power
Whatever happens, Washington can no longer backtrack. In fact, the survival of the U.S. is menaced - not by an external enemy, but by internal economic weakness and tensions running between its communities. Many are becoming conscious of the fact that U.S. power is based upon a mirage, the dollar. These are only pieces of paper, printed when more are needed, while the rest of the world feels obliged to use them.
For the past three years, Jacques Chirac and Gerhard Schroder have engaged France and Germany in a pitiless war against the United States. They have sent emissaries world wide to convince other States to convert their monetary reserves to euros. The first to accept were Iran, Iraq and North Korea. Precisely the countries described by George W. Bush as those of the "axis of evil".
Meanwhile, Vladimir Putin has begun restoring the economic independence of the Russian Federation. He has reimbursed - ahead of time - the debts that Yeltsin had contracted with the International Monetary Fund and will also make an early repayment, before the end of the year, of the remaining debts to the Club of Paris.
That was 2003. It was reported here, not because we like poking fun at the Yanks, but because a monetary shift of this proportion is HUGE. Such a shift passes as news, except in Washington DC of course, where it's a sneak attack! The evidence in monetary terms was compelling enough to make it not only hypothesis but a clear progression; this blog reported it at least a dozen times back to 2003 (when the blog started). E.g.: 2008, x, x, x, x, The Coming Collapse of the Dollar, x, x, x, x, x, 2004.
Meanwhile, back in Washington DC, where the brightest and best are analysing this surprising development:
For American officials, the possibility of the dollar losing its long-term dominance in global commerce is a nightmare scenario because it would likely mean sharply higher interest rates at home and a declining ability to finance the U.S. debt. No one believes it could really happen right now, but stories like the British report this week make it seem incrementally more likely.
Reading the article, I get the feeling that because the report is British, it isn't credible. And Fisk, the author, is apparently a radical who consorts with Osama bin Laden. That's good news for us here in financialcryptography. That means it is not personal, the people in Washington DC don't read anything from outside their borders....
And so the USA seals its fate. With analysis like that, American policy is apparently immune from forces beyond the board, even when triggered from within.
In other news, President Obama was awarded the Nobel Peace Prize, which comes with a gold medal. Going up in value every day...
If he can save the dollar, he could be in line for another gold coin. He's probably too late this year, as the Prize in Economics, in memoriam of Alfred Nobel, will be awarded this Monday. But there's always next year.
Stephen Mason reports that MITB is in court:
A gang of internet fraudsters used a sophisticated virus to con members of the public into parting with their banking details and stealing £600,000, a court heard today. Once the 'malicious software' had infected their computers, it waited until users logged on to their accounts, checked there was enough money in them and then insinuated itself into cash transfer procedures.
(also on El Reg.) This breaches the 2-factor authentication system commonly in use because it (a) controls the user's PC, and (b) the authentication scheme that was commonly pushed out over the last decade or so only authenticates the user, not the transaction. So as the trojan now controls the PC, it is the user. And the real user happily authenticates itself, and the trojan, and the trojan's transactions, and even lies about it!
Numbers, more than ordinarily reliable because they have been heard in court:
'In fact as a result of this Trojan virus fraud very many people - 138 customers - were affected in this way with some £600,000 being fraudulently transferred.'
'Some of that money, £140,000, was recouped by NatWest after they became aware of this scam.'
This is called Man-in-the-browser, which is a subtle reference to SSL's vaunted protection against Man-in-the-middle. Unfortunately several things went wrong in this area of security: Adi's 3rd law of security says the attacker always bypasses; one of my unnumbered aphorisms has it that the node is always the threat, never the wire; and finally, the extraordinary success of SSL in the mindspace war blocked any attempts to fix the essential problems. SSL is so secure that nobody dares challenge browser security.
The MITB was first reported in March 2006 and sent a wave of fear through the leading European banks. If customers lost trust in the online banking, this would turn their support / branch employment numbers on their heads. So they rapidly (for banks) developed a counter-attack by moving their confirmation process over to the SMS channel of users' phones. The Man-in-the-browser cannot leap across that air-gap, and the MITB is more or less defeated.
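The two schemes contrasted above, a one-time code that only authenticates the user versus a confirmation code bound to the transaction and shown on the phone, can be modelled in a few dozen lines. The following is an added example, not code from this post or from any bank: the account numbers, the mule account, the amounts and the "phone display" returned by the bank object are all constructed for the illustration, and the HMAC-over-details construction is one reasonable way to bind a code to a transfer, not a description of what any particular bank deployed.

```python
"""Added example (not from the post or any bank's code): why a one-time code
that only authenticates the *user* is defeated by a man-in-the-browser (MITB),
while a confirmation code bound to the transaction details and delivered over
an out-of-band channel (the SMS channel described above) holds up.
Account numbers, amounts and the mule account are constructed placeholders."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    src: str           # debtor account (constructed placeholder)
    dst: str           # beneficiary account (constructed placeholder)
    amount_pence: int  # integer pence, so comparisons are exact


def mitb_rewrite(intended: Transfer, mule: str) -> Transfer:
    """The trojan's move: swap the beneficiary on the request leaving the PC
    while the browser screen keeps showing the transfer the user typed."""
    return Transfer(intended.src, mule, intended.amount_pence)


class UserOnly2FABank:
    """Authenticates the user with a one-time code, then executes whatever the
    authenticated session submits (the scheme the post says was common)."""

    def __init__(self) -> None:
        self.ledger: List[Transfer] = []
        self._session_otp: Optional[str] = None

    def login_challenge(self) -> str:
        # Sent to the user's phone; it proves who is logged in, nothing more.
        self._session_otp = f"{secrets.randbelow(10**6):06d}"
        return self._session_otp

    def submit(self, otp: str, tx: Transfer) -> bool:
        if self._session_otp is None or not hmac.compare_digest(otp, self._session_otp):
            return False
        self.ledger.append(tx)  # the bank never learns what the user intended
        return True


class TransactionBoundBank:
    """Shows the transfer it actually received on the out-of-band channel and
    accepts only a code bound (by HMAC) to exactly those details."""

    def __init__(self) -> None:
        self.ledger: List[Transfer] = []
        self._key = secrets.token_bytes(32)
        self._pending: Dict[str, Tuple[Transfer, str]] = {}

    def submit(self, tx: Transfer) -> Tuple[str, Transfer, str]:
        """Returns what the phone displays: a reference, the transfer as the
        bank received it, and the confirmation code for that transfer."""
        ref = secrets.token_hex(8)
        msg = f"{tx.src}|{tx.dst}|{tx.amount_pence}|{ref}".encode()
        code = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:8]
        self._pending[ref] = (tx, code)
        return ref, tx, code

    def confirm(self, ref: str, code: str) -> bool:
        # One attempt per reference: a wrong code discards the pending transfer.
        entry = self._pending.pop(ref, None)
        if entry is None:
            return False
        tx, expected = entry
        if not hmac.compare_digest(code, expected):
            return False
        self.ledger.append(tx)
        return True


INTENDED = Transfer("12345678", "87654321", 50_000)  # £500.00, constructed
MULE = "99990001"                                    # constructed mule account


def run_user_only(mitb: bool = True) -> List[Transfer]:
    """User-only 2FA: the trojan rides the authenticated session."""
    bank = UserOnly2FABank()
    otp = bank.login_challenge()                       # user reads it from the phone...
    sent = mitb_rewrite(INTENDED, MULE) if mitb else INTENDED
    bank.submit(otp, sent)                             # ...and the PC submits the swapped transfer with it
    return bank.ledger


def run_transaction_bound(mitb: bool = True) -> List[Transfer]:
    """Transaction-bound confirmation: the phone shows the real beneficiary."""
    bank = TransactionBoundBank()
    sent = mitb_rewrite(INTENDED, MULE) if mitb else INTENDED
    ref, shown_on_phone, code = bank.submit(sent)
    # The user compares the phone's text with what they meant to send and types
    # the code only if it matches; the trojan cannot alter what the phone shows.
    if shown_on_phone == INTENDED:
        bank.confirm(ref, code)
    return bank.ledger


if __name__ == "__main__":
    print("user-only 2FA, with MITB:      ", run_user_only())
    print("transaction-bound, with MITB:  ", run_transaction_bound())
    print("transaction-bound, honest user:", run_transaction_bound(mitb=False))
```

Run as a script, the first scenario ends with the mule account on the ledger, the second with an empty ledger, and the third (no trojan) with the intended transfer executed. The point the model makes is the one in the paragraph: the code itself is not what defeats the trojan, it is that the details the user is asked to confirm arrive over a channel the PC does not control and the code is useless for any other transfer.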
European banks tend to be proactive when it comes to security, and hence their losses are minuscule. Reported recently was something like €400k for a smaller country (7 million?) for an entire year for all banks. This one case in the UK is double that, reflecting that British banks and USA banks are reactive to security. Although they knew about it, they ignored it.
This could be called the "prove-it" school of security, and it has merit. As we saw with SSL, there never really was much of a threat on the wire; and when it came to the node, we were pretty much defenceless (although a lot of that comes down to one factor: Microsoft Windows). So when faced with FUD from the crypto / security industry, it is very very hard to separate real dangers from made up ones. I felt it was serious; others thought I was spreading FUD! Hence Philipp Gühring's paper Concepts against Man-in-the-Browser Attacks, and the episode formed fascinating evidence for the market for silver bullets. The concept is now proven right in practice, but it didn't turn out how we predicted.
What is also interesting is that we now have a good cycle timeline: March 2006 is when the threat first crossed our radars. September 2009 it is in the British courts.
Postscript. More numbers from today's MITB:
A next-generation Trojan recently discovered pilfering online bank accounts around the world kicks it up a notch by avoiding any behavior that would trigger a fraud alert and forging the victim's bank statement to cover its tracks.
The so-called URLZone Trojan doesn't just dupe users into giving up their online banking credentials like most banking Trojans do: Instead, it calls back to its command and control server for specific instructions on exactly how much to steal from the victim's bank account without raising any suspicion, and to which money mule account to send the money. Then it forges the victim's on-screen bank statements so the person and bank don't see the unauthorized transaction.
Researchers from Finjan found the sophisticated attack, in which the cybercriminals stole around 200,000 euro per day during a period of 22 days in August from several online European bank customers, many of whom were based in Germany....
"The Trojan was smart enough to be able to look at the [victim's] bank balance," says Yuval Ben-Itzhak, CTO of Finjan... Finjan found the attackers had lured about 90,000 potential victims to their sites, and successfully infected about 6,400 of them. ...URLZone ensures the transactions are subtle: "The balance must be positive, and they set a minimum and maximum amount" based on the victim's balance, Ben-Itzhak says. That ensures the bank's anti-fraud system doesn't trigger an alert, he says.
And the malware is making the decisions -- and alterations to the bank statement -- in real time, he says. In one case, the attackers stole 8,576 euro, but the Trojan forged a screen that showed the transferred amount as 53.94 euro. The only way the victim would discover the discrepancy is if he logged into his account from an uninfected machine.