A brilliant future for the telephonic transfer
Criminal funds or terrorist funds …
A brilliant future for the telephonic transfer
It is the year 2008
You are a French Jihadist affiliated to the Maghreb branch of al-Qaeda, and you are preparing an attack against the Mufti of Marseille, a moderate Muslim. You need several thousand euros to purchase material and forged papers, which you will have to request urgently from the parent organisation. How can you do this? Do you send a brother from the organisation to find a suitcase full of bank notes? Do you make a transfer from bank to bank and then go to the bank teller to collect the funds? It’s simple: you take your mobile phone, the one that the police cannot intercept because you change the chip frequently; you tap on the keyboard. A few minutes later, your supplier looks at his mobile phone and nods his head: you can take delivery of the goods, it has been paid for. Change your chip do not throw your phone away. On the day of the attack, if you do not have the vocation to be a suicide bomber, your mobile phone will enable you to activate the bomb from a distance.
You are Yuri, an absolute whiz kid in computer technology. For several weeks now, you have been disseminating a Trojan horse via the Internet, which your naive victims have been downloading while seeking pornographic images on their mobile phones. Today, you can press a key and wait for a few minutes: your associate, behind you, gives you a bank account number and then smiles slyly: tens of thousands of telephones worldwide have, at that very same moment, unbeknown to their owners, just credited that bank account number with the amount of several euros. By the time the victims have realised what has happened, the funds have disappeared. Yuri too, has disappeared, of course.
Is this pure imagination?
Unfortunately, it is not. To be convinced, just look at some recent events.
In February this year, MasterCard and the GSM Association (GSMA) announced the creation of a system designed to issue and receive international transfers via mobile telephones. Nineteen operators representing approximately 600 million users in one hundred countries are associated with this project, for which a pilot project has already been launched. The goal, among other objectives, is to enable migrant workers who do not necessarily have a bank account to be able to send money easily to their families, starting from the principle that the mobile network gives better planet coverage than the banking network. The development potential is impressive: at the end of 2004, GSMA grouped together more than 660 operators, serving more than 1.3 billion clients in 210 countries. Such a system already exists in the early phases in the Philippines and in other countries.
A priori, it is a friendly initiative: why should the poor (or the rich for that matter) have to pay high transfer costs and have to wait several days for a transfer? Thousands circulate every day from stock exchange to stock exchange in the form of bits of data and digital wallet type projects are being developed; why should a transfer continue to be a badly printed piece of paper, full of mysterious boxes, requiring many rubber stamps and arriving when the postman next calls?
So, everything is fine unless
unless international criminal gangs take advantage of the flaws in this system
Thousands of dollars are circulating speedily from country to country, often in small amounts that barely attract attention, from or to areas where there is not necessarily a fiscal administration or police force that is zealous and incorruptible. The traceability of transactions will depend on the hard disks of the telephone or banking operators, dispersed and subject to very different legislation or legal standards and control techniques. The verification of the names and addresses of the players (indeed, of their very existence) will be complex. Everything will take place between virtual correspondents identified by a number and no one will see their correspondent.
Certain parties will belong to exiled communities and will be living in conditions that will make then easily subject to pressure. Do you really think that a poor Pakistani or Vietnamese worker, living thousands of miles from home, would be able to resist the friendly pressure of people asking him to render them a small service every month? Can you imagine that every technical device at the access provider or operator, the memory switches, hubs or routers could be visited by a cyber-policeman?
This complex system will represent incredible opportunities for all kinds of trafficking and laundering. By virtue of being an instantaneous planetary network, with multiple entries and anonymity, it is intrinsically vulnerable.
In addition, there is a second factor. A GSM is by its very nature a nomadic, almost intimate object, as the user always carries it with him. It is also a terminal linked to a digital flow of voices, texts, images and data, and now money circulating in digital form via a multitude of relays and vectors. It combines all the weaknesses of a computer in terms of security, in addition to others linked to its status as a hybrid object.
In recent years, events affecting the security of mobile phones have multiplied. Some very upmarket matters for example, were involved in the economic spying (obviously very costly) on the mobile telephones of financial or other executives. Whereas other occurrences have affected a vast mass of ordinary users making then spend a few cents, a tiny theft virtually invisible on an invoice, but which has proved very profitable for the party collecting the results of this large scale theft.
Everything that can be done on a computer (introduction of a virus, Trojan horse and other harmful software, consultation of confidential data, code theft, identity substitution, taking over control of a piece of equipment or a network of equipment, message interception, phishing which consists of attracting the victim to a false website or a false telephone exchange to swindle them) all this can also be done on a mobile telephone. Increasingly, mobile phones are acquiring the functions of a PC (including the ability of accessing the Internet); it is poorly protected by chips and codes and can be accessed by multiple vectors, including Bluetooth or WiFi waves, which have a bad reputation regarding security.
In other words, this presents a considerable number of opportunities for unauthorised substitution, removal of funds and transactions, in addition to predatory action and sabotage that can lead to blackmail and extortion. Ranging from small scale swindling to steal a few digital cents from a needy person to large scale coordinated transactions that simultaneously take control of thousands of accounts: a vast field of opportunities has opened up to the criminal mind. It also encompasses sophisticated actions based on cryptology as well as swindling based on human gullibility or fallibility.
This is most certainly a case where early detection should be applied.
We see here the conjunction of a technology that is not yet adequately protected, a multiplicity of weak links whether they be material or human international dispersion and the multiplication of badly protected targets, vast financial stakes, minimal risk and the possibilities of expansion and profits through the networks for organisations working in networks. Of course, organisations such as MasterCard who have paid enough to know are not going to neglect security. Yet the problems raised by the virtual international transfer cannot be solved by increasing the protection technology or by better algorithms: many of them would be simple or even very basic while being used on a planetary scale: yet another reason to watch developments very closely.
The full version of this document is available on the website of the research department for contemporary criminal threats: