Home/ Fintech Daily Digest/ Group items tagged CyberSecurity

John Kiff

Namibia: Retail Central Bank Digital Currency Exploration and Roadmap - 0 views

  •  
    The IMF published a high-level report on central bank digital currency (CBDC) technical assistance (TA) provided to the Bank of Namibia (BoN) in early 2024. The mission assisted the authorities in establishing the groundwork for a feasibility study and drafting a roadmap for the BoN's CBDC exploration. The mission also reviewed requirements for retail CBDC issuance, including institutional capacity, technology, cybersecurity, and legal foundations. The mission recommended the BoN assess how retail CBDC can improve the payment systems and financial inclusion in Namibia compared to alternative solutions. The authorities are advised to establish a compelling rationale for retail CBDC before embarking on a more resource-intensive undertaking. The mission suggested that the BoN continue developing expertise and capacity in retail CBDC across policy, technology, and legal domains, including through continued engagement with stakeholders.
John Kiff

Study on the Israeli Public's Willingness to Adopt a Digital Shekel - 0 views

  •  
    The Bank of Israel (BOI) published the results of a survey of public willingness to adopt a digital shekel. 34% of respondents showed a very high interest in using a digital shekel, 52% showed a high level of interest, and 17% expressed medium-high interest. The survey also examined what features of the digital shekel may increase its use.  Prominent among them was ease of use, customer protection against fraud and system errors, the Bank of Israel's backing of the currency, and the innovation embedded in it.  In contrast, the main concerns raised by the survey participants were cybersecurity and information security risks, difficulty of use, and lack of accessibility for certain population groups.  Unlike findings in some other countries, privacy concerns did not emerge as a dominant issue. Men showed higher interest than women in the digital shekel, and interest was positively correlated with age and with income level. 
John Kiff

DTCC Calls on Banks and Regulators to Help Address Blockchain Security Issues - 0 views

  •  
    A DTCC white paper said participants in the financial sector should work to establish a set of "agreed-upon standards" that could address some of the security concerns surrounding the tech.
John Kiff

ECB and BoJ point to major problem in DLT-based payments - 0 views

  •  
    The ECB and BoJ suggest that a single trusted source, either an existing DLT component or a credible third party, could provide the necessary information to the auditor. But the introduction of such a model would also increase risks to the network. "While reliance on … [a single] source of information has obvious benefits for auditing from all three perspectives, it may become a single point of failure in the auditing arrangement," the authors say. If there was a single entity storing all transaction information, the central banks conclude, a potential security breach could result in a leak of the transactional details of all participants.
John Kiff

Please Stop Using Text Messaging to Receive Login Codes - 0 views

  •  
    "This week, a stunning story from Vice revealed how easy it is for an attacker to siphon away your text messages. They don't need access to your phone; they don't even need your SIM card. They just need to pay a trivial sum, convince a VoIP wholesaler that they're a reseller (also a trivial matter), and sign a form swearing that they're allowed to route messages to your number to another."
John Kiff

A Hacker Got All My Texts for $16 - 0 views

  •  
    "A gaping flaw in SMS lets hackers take over phone numbers in minutes by simply paying a company to reroute text messages."
John Kiff

Money's quantum time bomb - 0 views

  •  
    "Not all in the crypto security world are convinced by the urgency of the matter. In some quarters, an active debate is being had about whether quantum computing will ever be strong enough to break standard encryption protocols. The question is of particular relevance to those active in the cryptocurrency sphere, since so much of the sector depends on secure cryptography to retain its value. Opinions, however, remain hugely divided."
John Kiff

Trust Issues: Exploiting TrustZone TEEs - 0 views

  •  
    "While the motivation behind the inclusion of TEEs in mobile devices is positive, the current implementations are still lacking in many regards. The introduction of new features and the ever increasing number of trustlets result in a dangerous expansion of the TCB. This fact, coupled with the current lack of exploit mitigations in comparison to those offered by modern operating systems, makes TEEs a prime target for exploitation."
John Kiff

Central bank digital currency technical guideline - 0 views

  •  
    The German Federal Office for Information Security (BSI) published a technical guideline (TR) describing requirements that ensure a high level of IT security for the backend systems that support the operation of a central bank digital currency (CBDC) ecosystem. The CBDC ecosystem consists of the backend systems operated by the central bank, the frontend functionality made available to end users by wallet providers, exchange points, which may be operated by third parties other than the central bank, and, potentially, additional service providers. If implemented, the CBDC ecosystem constitutes a critical infrastructure, and the TR aims to ensure that it is made resilient to a wide range of attacks. In addition to implementing the goal of security-by-design, this TR also considers some privacy aspects.
John Kiff

Project Polaris: closing the CBDC cyber threat modelling gaps - 0 views

  •  
    The BIS Innovation Hub (BISIH) published a report on Part II of its Project Polaris which focused on the risk and resilience aspects of CBDCs built on distributed ledger technology (DLT) based platforms. It analyses several notable DLT attacks in the decentralized finance (DeFi) domain, revealing that there are gaps in existing threat modelling techniques that may not adequately address the threats and associated security controls to properly protect CBDCs that make use of novel technology (e.g., DLT, smart contracts) from the tactics, techniques and procedures (TTPs) used by threat actors in the DeFi space. Additionally, the "mean time to attack" (based on the DLT attacks studied in this analysis) is around 10 months between the launch of a DeFi implementation and the successful compromise. Hence, CBDC issuers must be positioned to monitor and repel both well understood and novel TTPs.
John Kiff

CBDC information security and operational risks to central banks - 0 views

  •  
    The Bank for International Settlements (BIS) published a report that analyses the operating, technology, third-party and business continuity risks for the central banks that issue central bank digital currency (CBDC). It proposes an integrated risk-management framework that can be applied to the entire life cycle of a CBDC. For CBDCs to be a reliable means of payments, central banks need to address, among others, the risks of interruptions or disruptions and ensure integrity and confidentiality. Key risks are the potential gaps in central banks' internal capabilities and skills. While many of the CBDC-related activities could in principle be outsourced, doing so requires adequate capacity to select and supervise vendors.
John Kiff

'Compromised' SEC Account Posted Fake Bitcoin ETF Tweet, Didn't Enable 2FA - 0 views

  •  
    In a case of "do as I say, not as I do" the U.S. Securities and Exchange Commission (SEC) is not employing two-factor authentication (TFA) on its X account, which was compromised to spread false bitcoin exchange-traded fund (ETF) news on January 9, 2023, according to X (formerly Twitter). Apparently, the SEC did not have TFA enabled at the time the account was compromised, only a few months after SEC Chair Gary Gensler reminded everyone to use "strong passphrases or passwords and set up multifactor authentication"! The fake tweets caused bitcoin prices to immediately spike to $47,680 from the $46,800 level, and then fall as low as $45,400 as the tweets were found to be fake. The fake tweet announced the approval of 13 spot bitcoin ETFs, which was quickly denied by Gensler.
John Kiff

BIS Innovation Hub Announces First Six Projects for 2024 - 0 views

  •  
    The Bank for International Settlements (BIS) announced the first batch of six new projects in its 2024 Innovation Hub work program including experimentations on digital payments cyber security and central bank digital currencies (CBDCs). Project Leap starts its phase II, aiming to "quantum-proof" payment systems, after successfully establishing a quantum-safe communication channel between the central banks of France and Germany in its first phase. Project Aurum enters a new phase in which it will study the privacy of payments in retail CBDCs. The recently started Project Promissa tests the feasibility of tokenizing promissory notes, financial instruments that help fund multilateral development banks and other international financial institutions. All these new initiatives will be added to existing projects that various Innovation Hub Centres will continue to develop this year:  FuSSE, Gaia, Mandala, mBridge phase III, Nexus phase III, Pyxtrial, Rio and Viridis. https://www.bis.org/about/bisih/about.htm
John Kiff

Chinese scientists hack military grade encryption on quantum computer - 0 views

  •  
    Chinese scientists have mounted what they say is the world's first effective attack on a widely used encryption method using a quantum computer. The breakthrough poses a "real and substantial threat" to the long-standing password-protection mechanism employed across critical sectors, including banking and the military, according to the researchers.
John Kiff

The Bybit Hack And Its Fallout. Cold wallets that are hot. - 0 views

  •  
    "I cannot figure out why the Safe cold wallet, even though it is a web-based application connecting to the internet, qualifies as a cold wallet. Bybit used a Safe wallet. Safe is an Orwellian term, like Liberty, Patriot, Truth. The wallet UI was hosted on an AWS S3 bucket, a database in the Amazon cloud. All the postmortems point to the hacking of this UI with stolen Safe S3 credentials, leaked many months ago. Cold wallets are not for timely transactions as it takes a while for such multisig wallets to bridge between a disconnected wallet and the internet. Cold wallets can be as simple as a piece of paper with your private key or hardware cold wallets. Of course the bridging point is where it is most vulnerable. Maybe Safe was used because for people on the move like the Bybit CEO and his two co-signers, a wallet such as Safe is convenient. Calling it cold is a stretch."