Month: February 2020

On February 20, South Sudanese President Salva Kiir and opposition leader Riek Machar agreed to form a new coalition government.  The new coalition government’s formation reportedly includes Kiir’s remaining as President, Machar’s serving as Kiir’s deputy, and the swearing-in of four more vice presidents (two from the government and two from opposition groups).

Although they missed two previous deadlines to form the coalition government, Kiir and Machar made two key concessions that evidently made the February 20 announcement possible.  In Kiir’s case, it was his decision to reduce the number of South Sudanese states from 32 to 10, which Africa News termed “the main stumbling block” in the negotiations to form the coalition government.  In Machar’s case, it was his willingness to have Kiir assume responsibility for his security.  The transition coalition government is now intended “to lead to elections in three years’ time — the first vote since independence.”

Note: Ordinarily, compliance professionals pay little attention to countries such as South Sudan that rank among the most corrupt countries in the world.  But for some time, South Sudan has had the unhappy distinction not only of being suffused with corruption, but of becoming the locus of terrible violence in its civil war.  Since it wrested its independence from Sudan in 2011, that civil war between the country’s Dinka and Nuer ethnic factions (which Kiir and Machar, respectively, represent) has cost the lives of an estimated 400,000 people and displaced millions more.

Last week’s joint announcement by Kiir and Machar provides some basis for hope, however tentative, that the country can step away from the abyss of violence and move toward fragile but genuine stability.  Whether they conclude that maintaining existing corruption structures is a necessary cost of maintaining that stability remains to be seen.

On February 19, Dubai Economy announced that it and six leading banks in the United Arab Emirates (UAE) — Emirates NBD, Emirates Islamic, HSBC, RAKBANK, Abu Dhabi Commercial Bank (ADCB), and Commercial Bank of Dubai (CBD) – have formed “a consortium for sharing of verified KYC (Know Your Customer) data between banks and licensing authorities in the UAE.” Dubai Economy stated that the consortium, known as the “KYC Blockchain Consortium” (Consortium) is part of its strategic focus “on enhancing ease of business in Dubai and supporting the smart transformation of the emirate’s economy.”  It also characterized the Consortium as facilitating “a faster, more secure onboarding and exchange of digital customer data and documents through advanced blockchain-powered distributed technologies, a first of its kind in the region.”

The Consortium, as Dubai Economy described it, “will drive the mutualisation of KYC efforts among existing and future ecosystem participants” on a common KYC platform. After launching in the first quarter of 2020, that platform will be open for additional qualified financial institutions and licensing authorities to join.

In the future, Dubai Economy expects that the blockchain will improve ease of doing business and overall regulatory compliance in the UAE.  The Smart Dubai Department, which is responsible for facilitating Dubai’s “smart” transformation, is slated to play, in collaboration with the UAE Central Bank, “a pivotal role” in overseeing and regulating the Consortium’s operations.

Note: The Dubai Consortium is the latest in a series of financial-sector efforts over the past year to establish KYC data-sharing platforms at the national level (such as the Netherlands) and regional level (such as the Nordic banks).   As international money laundering operations have become increasingly complex and sophisticated, it is increasingly unrealistic to expect that financial institutions can effectively conduct their regulatory anti-money laundering and counter-terrorist financing programs by referring only to their own internal KYC data.  Other nations and regions, including the United States, need to move more expeditiously in identifying the legal, technological, and policy challenges associated with multiple-bank KYC data-sharing platforms, and then working to bring such platforms to fruition.

On February 14, Japanese conglomerate Toshiba announced that one of its subsidiaries, Toshiba IT-Services Corporation, was found to have booked ¥43.5 billion ($391.6 million) in fictitious sales.  Those fictitious sales pertained to 26 transactions recorded only on paper.

The Japan Times reported that “according to information mainly from a report about an in-house survey involving lawyers and certified accountants,” nine companies, including Toshiba IT-Services, “were found to have been involved in ‘round-tripping transactions’ that did not involve any commercial goods or end users.”  The report, according to the Japan Times article, also stated that the fictitious transactions “related to sales of information technology equipment, such as personal computers, [that] were booked between November 2015 and July 2019.”

Those transactions “are believed to have been masterminded by a former sales manager” at Japanese company Net One Systems Co. “who received help with the paperwork from Toshiba IT-Services officials.”  Toshiba, however, said that it “’confirmed there was no evidence’ that any employees of Toshiba IT-Services or a manager of the subsidiary directly in charge of the transactions initiated the fictitious deals.”  Toshiba also reported that the subsidiary “was involved ‘without realizing that the transactions were illusory or circular’.”

A Toshiba executive vice president admitted that the company failed to recognize the problem until it received information from “an outside party,” but stated that it would “introduce a system to analyze transactions to detect any irregularities speedily.”

Note: It almost defies belief that a company of Toshiba’s statute and reputation – particularly after it had been caught up in a 2015 accounting scandal involving its overstating its revenues by $1.2 billion over a seven-year period – would need to admit such fundamental defects in its recordkeeping and internal controls.  This latest development involves a substantial expansion on Toshiba’s admission last month that Toshiba IT-Services had booked ¥20 billion in fictitious sales in April-September 2019.

The full details of this fictitious-sales scandal will likely be emerging for some time.  Even so, corporate compliance officers should promptly report on the Toshiba situation to C-level executives, and use it as an opportunity to review the accuracy and reliability of their own recordkeeping and internal controls.

On February 13, the U.S. Department of Justice announced that Larry Harmon, the operator of a Darknet-based cryptocurrency laundering service that “mixed” Bitcoin, had been arrested based on a federal indictment that charged him with money laundering conspiracy, operating an unlicensed money transmitting business and conducting money transmission without a District of Columbia license.

Bitcoin “mixers,” as a Bitcoin Magazine post defined them, are “solutions (software or services) that let users mix their coins with other users, in order to preserve their privacy.”  While Bitcoin addresses themselves are pseudonymous, the post explained, “they can often still be linked to real-world identities” through Bitcoin exchange data or blockchain analysis.  By mixing their coins, however, “users can obscure the ties between their Bitcoin addresses and real-world identities.”

Bitcoin mixers use a variety of techniques.  Some use “centralized” mixing, in which a mixer simply takes a batch of Bitcoins that a person owns and sends that person someone else’s Bitcoins.  Others enable a large group of users to collaborate in making a single large payment to themselves, or merge smaller transactions into larger transactions.

The indictment against Harmon alleges that he operated his Bitcoin “mixer” or “tumbler” service, named Helix, from 2014 to 2017.  Helix allegedly allowed customers, for a fee, to send Bitcoin “to designated recipients in a manner that was designed to conceal the source or owner of the bitcoin.”  Harmon advertised Helix to customers on the Darknet as a means of concealing transactions from law enforcement.  Helix was also allegedly linked to and associated with “Grams,” a Darknet search engine that Harmon ran.

The indictment further alleges that Helix moved more than 350,000 Bitcoin (valued at more than $300 million at the time of the transactions) on behalf of customers, with the largest volume of Bitcoin coming from Darknet markets.  Helix partnered with the Darknet market AlphaBay – reputed to be the largest Darknet marketplace in operation when law enforcement seized it in 2017 — to provide Bitcoin laundering services for AlphaBay customers.

Note:  This indictment is reportedly the first that the Justice Department has brought against a Bitcoin mixer.  Observers of the cryptocurrency industry can safely assume that it will not be the last.  Especially after this indictment and last year’s shutdown of Bitcoin mixer Bestmixer by the Dutch Fiscal Information and Investigation Service, law enforcement and anti-money laundering regulators in multiple countries are likely to increase their investigation and pursuit of cryptocurrency mixers and tumblers.  The volume of transactions that mixers have handled – reportedly $200 million by Bestmixer and $300 million by Helix – are substantial enough to cause concern about their continuing utility in concealing and laundering criminal proceeds.

On February 13, cybersecurity expert Pierluigi Paganini reported on Security Affairs that the Italian hacktivist collective LulzSec ITA claimed to have hacked three Italian universities: University of Basilicata, University of Naples Parthenope (Uniparthenope), and University of Rome 3.  In all three cases, according to Paganini, LulzSec ITA used a longstanding and well-recognized technique known as a SQL injection attack.

A SQL injection attack can be simply defined as “a computer attack in which malicious code is embedded in a poorly-designed application and then passed to the backend database,” allowing the malicious data “then [to] produc[e] database query results or actions that should never have been executed.”  First discovered in 1998, SQL injection attacks remain a simply but highly effective and popular form of web application malware.

Paganini termed it “embarrassing that universities could be hacked with a so simple technique.”  He wrote that the LulzSec ITA hacktivists told him “that in some cases, they were able to bypass login pages without knowing the username and password, just using simply using SQL Injection strings.”

The LulzSec ITA hackers also asserted that initially, all three universities had failed to disclose the data breach and attempted to hide the incident in violation of the European Union General Data Protection Directive.  Subsequently, according to Paganini, Uniparthenope emailed a data breach notification to affected students and teachers. LulzSec ITA told Paganini that the notification attempted to downplay the incident, even though they claimed “to have accessed data contained in 27 databases and compromised some portals used by the university.”

Note: This latest incident is, regrettably, just one of many examples of colleges and universities’ vulnerability to cyberattacks from many sources.  A variety of reports in just the last year indicate the high degree and prevalence of that vulnerability around the world:

• Australia: In March 2019, media reported that Chinese authorities stole “huge volumes of highly sensitive personal data from the Australian National University” (ANU) in a sophisticated cyberattack,” even after ANU had received assistance from the Australian intelligence community in bolstering its cyberdefenses.
• United Kingdom: In an authorized penetration-testing attack by ethical hackers on more than 50 United Kingdom universities, “in every case hackers were able to obtain ‘high-value’ data within two hours.”
• United States: In March 2019, hackers breached applicant data for Oberlin College in Ohio, Grinnell College in Iowa, and Hamilton College in New York, then emailed applicants and offering them the opportunity to buy and view their admissions files. In April 2019, Georgia Tech University admitted that it had suffered a data breach – its second in less than a year — potentially affecting more than 1.3 million current and former students, faculty, and staff members.  In July 2019, hackers exploited a vulnerability in a popular admissions and enrollment banner software to steal data from at least 62 U.S. universities and create bogus student accounts.
• Global: In March 2019, the Wall Street Journal reported that “Chinese hackers have targeted more than two dozen universities in the U.S. and around the globe as part of an elaborate scheme to steal research about maritime technology being developed for military use.”

While even well-funded cyberdefenses can be breached by sophisticated cyberattacks, there is little excuse for universities failing to defend against SQL injection attacks.  As one writer put it, “SQL injection is the lowest of the low-hanging fruit for both attackers and defenders. SQLi isn’t some cutting edge NSA Shadow Brokers kit, it’s so simple a three-year old can do it.”  For that reason, the Italian university hacks should prompt university information security teams, at a minimum, to identify all of the web applications on which their universities depend and apply well-recognized techniques for preventing SQL injection attacks.