Digital currency : breakthroughs in research and practice 9781522562016, 152256201X, 9781522562023, 1522562028


English Pages [353] Year 2019


Table of contents :
Title Page
Copyright Page
Editorial Advisory Board
List of Contributors
Table of Contents
Preface
Section 1: Bitcoin and Virtual Currency
Chapter 1: Bitcoin
Chapter 2: Benefits From Using Bitcoin
Chapter 3: Bitcoin for E-Commerce
Chapter 4: Web-Based Electronic Money for Online Banking
Chapter 5: Mobile Banking and Payment System
Chapter 6: A Survey of Research in Real-Money Trading (RMT) in Virtual World
Chapter 7: Cybercrimes via Virtual Currencies in International Business
Chapter 8: Three New Directions for Time Banking Research
Section 2: Blockchain Technology
Chapter 9: A Novel Security Framework for Managing Android Permissions Using Blockchain Technology
Chapter 10: Evaluation of Blockchain in Capital Market Use-Cases
Section 3: Crowdfunding and Crowdsourcing
Chapter 11: Making Citizens' Activities Flourish Through a Crowdsourcing-Based Social Infrastructure
Chapter 12: Social Media and Online Gaming
Chapter 13: #TerroristFinancing
Section 4: Security and Privacy
Chapter 14: The State-of-the-Art Technology of Currency Identification
Chapter 15: Electronic Payment Systems and Their Security
Chapter 16: Data Mining for Secure Online Payment Transaction
Chapter 17: Ransomware
Index


Digital Currency: Breakthroughs in Research and Practice Information Resources Management Association USA

Published in the United States of America by
IGI Global
Business Science Reference (an imprint of IGI Global)
701 E. Chocolate Avenue
Hershey PA, USA 17033
Tel: 717-533-8845
Fax: 717-533-8661
E-mail: [email protected]
Web site: http://www.igi-global.com

Copyright © 2019 by IGI Global. All rights reserved. No part of this publication may be reproduced, stored or distributed in any form or by any means, electronic or mechanical, including photocopying, without written permission from the publisher. Product or company names used in this set are for identification purposes only. Inclusion of the names of the products or companies does not indicate a claim of ownership by IGI Global of the trademark or registered trademark.

Library of Congress Cataloging-in-Publication Data
Names: Information Resources Management Association, editor.
Title: Digital currency : breakthroughs in research and practice / Information Resources Management Association, editor.
Description: Hershey : Business Science Reference, [2018]
Identifiers: LCCN 2018004010 | ISBN 9781522562016 (hardcover) | ISBN 9781522562023 (ebook)
Subjects: LCSH: Electronic commerce. | Electronic funds transfers.
Classification: LCC HF5548.32 .D5383 2018 | DDC 332.1/78--dc23
LC record available at https://lccn.loc.gov/2018004010

British Cataloguing in Publication Data
A Cataloguing in Publication record for this book is available from the British Library.

The views expressed in this book are those of the authors, but not necessarily of the publisher.

For electronic access to this publication, please contact: [email protected].

Editor-in-Chief
Mehdi Khosrow-Pour, DBA
Information Resources Management Association, USA

Associate Editors
Steve Clarke, University of Hull, UK
Murray E. Jennex, San Diego State University, USA
Annie Becker, Florida Institute of Technology, USA
Ari-Veikko Anttiroiko, University of Tampere, Finland

Editorial Advisory Board
Sherif Kamel, American University in Cairo, Egypt
In Lee, Western Illinois University, USA
Jerzy Kisielnicki, Warsaw University, Poland
Amar Gupta, Arizona University, USA
Craig van Slyke, University of Central Florida, USA
John Wang, Montclair State University, USA
Vishanth Weerakkody, Brunel University, UK



List of Contributors

Abghour, Noreddine / Hassan II University, Morocco
Alam, M. Afshar / Jamia Hamdard University, India
Atli, Dincer / Uskudar University, Turkey
Balasubramanian, Kannan / Mepco Schlenk Engineering College, India
Bhardwaj, Akashdeep / UPES Dehradun, India
Devi, Aruna / Surabhi Software, India
Funderburk, Pierre / Florida International University, USA
Gebelein, Jennifer / Florida International University, USA
Glück, Daniel / Aalen University of Applied Sciences, Germany
Haerting, Ralf / Aalen University of Applied Sciences, Germany
Hanafizadeh, Payam / Allameh Tabataba’i University, Iran
Heydari, M. Hossain / James Madison University, USA
Karjaluoto, Heikki / University of Jyväskylä, Finland
Keller, Barbara / Aalen University of Applied Sciences, Germany
Kumar, Raghvendra / LNCT Group of Colleges, India
Man Lui, Carrie Siu / James Cook University, Australia
Mathew, Sinsu Anna / VIT University Chennai, India
Möhring, Michael / Munich University of Applied Sciences, Germany
Nakajima, Tatsuo / Waseda University, Japan
Nazir, Mohamed / James Cook University, Australia
Ouaguid, Abdellah / Hassan II University, Morocco
Ouzzif, Mohammed / Hassan II University, Morocco
Quadir Md, Abdul / VIT University Chennai, India
Rajakani, M. / Mepco Schlenk Engineering College, India
Ramos, Pedro / Florida International University, USA
Reichstein, Christopher / Aalen University of Applied Sciences, Germany
Saito, Tetsuya / Nihon University, Tokyo, Japan
Sakamoto, Mizuki / Waseda University, Japan
Schmidt, Rainer / Munich University of Applied Sciences, Germany
Shaikh, Aijaz A. / University of Jyväskylä, Finland
Shamsolmoali, Pourya / CMCC, Italy
Sharan, Preeta / The Oxford College of Engineering, India
Tierney, Michael / University of Waterloo, Canada
Tjaden, Brett / James Madison University, USA
Valek, Lukas / University of Hradec Kralove, Czech Republic
Wang, Guangyu / Auckland University of Technology, New Zealand
Wang, Xunhua / James Madison University, USA
Wu, Xiaotian / Jinan University, China & Chinese Academy of Sciences, China
Yan, WeiQi / Auckland University of Technology, New Zealand
Zareapoor, Masoumeh / Shanghai Jiao Tong University, China

Table of Contents

Preface

Section 1: Bitcoin and Virtual Currency

Chapter 1: Bitcoin: A Search-Theoretic Approach
    Tetsuya Saito, Nihon University, Tokyo, Japan

Chapter 2: Benefits From Using Bitcoin: Empirical Evidence From a European Country
    Rainer Schmidt, Munich University of Applied Sciences, Germany
    Michael Möhring, Munich University of Applied Sciences, Germany
    Daniel Glück, Aalen University of Applied Sciences, Germany
    Ralf Haerting, Aalen University of Applied Sciences, Germany
    Barbara Keller, Aalen University of Applied Sciences, Germany
    Christopher Reichstein, Aalen University of Applied Sciences, Germany

Chapter 3: Bitcoin for E-Commerce: Principles and Applications
    Xunhua Wang, James Madison University, USA
    Brett Tjaden, James Madison University, USA
    M. Hossain Heydari, James Madison University, USA

Chapter 4: Web-Based Electronic Money for Online Banking
    Raghvendra Kumar, LNCT Group of Colleges, India
    Preeta Sharan, The Oxford College of Engineering, India
    Aruna Devi, Surabhi Software, India

Chapter 5: Mobile Banking and Payment System: A Conceptual Standpoint
    Aijaz A. Shaikh, University of Jyväskylä, Finland
    Payam Hanafizadeh, Allameh Tabataba’i University, Iran
    Heikki Karjaluoto, University of Jyväskylä, Finland

Chapter 6: A Survey of Research in Real-Money Trading (RMT) in Virtual World
    Mohamed Nazir, James Cook University, Australia
    Carrie Siu Man Lui, James Cook University, Australia

Chapter 7: Cybercrimes via Virtual Currencies in International Business
    Dincer Atli, Uskudar University, Turkey

Chapter 8: Three New Directions for Time Banking Research: Information Management, Knowledge Management, and the Open Source Model
    Lukas Valek, University of Hradec Kralove, Czech Republic

Section 2: Blockchain Technology

Chapter 9: A Novel Security Framework for Managing Android Permissions Using Blockchain Technology
    Abdellah Ouaguid, Hassan II University, Morocco
    Noreddine Abghour, Hassan II University, Morocco
    Mohammed Ouzzif, Hassan II University, Morocco

Chapter 10: Evaluation of Blockchain in Capital Market Use-Cases
    Sinsu Anna Mathew, VIT University Chennai, India
    Abdul Quadir Md, VIT University Chennai, India

Section 3: Crowdfunding and Crowdsourcing

Chapter 11: Making Citizens’ Activities Flourish Through a Crowdsourcing-Based Social Infrastructure
    Mizuki Sakamoto, Waseda University, Japan
    Tatsuo Nakajima, Waseda University, Japan

Chapter 12: Social Media and Online Gaming: A Masquerading Funding Source
    Pedro Ramos, Florida International University, USA
    Pierre Funderburk, Florida International University, USA
    Jennifer Gebelein, Florida International University, USA

Chapter 13: #TerroristFinancing: An Examination of Terrorism Financing via the Internet
    Michael Tierney, University of Waterloo, Canada

Section 4: Security and Privacy

Chapter 14: The State-of-the-Art Technology of Currency Identification: A Comparative Study
    Guangyu Wang, Auckland University of Technology, New Zealand
    Xiaotian Wu, Jinan University, China & Chinese Academy of Sciences, China
    WeiQi Yan, Auckland University of Technology, New Zealand

Chapter 15: Electronic Payment Systems and Their Security
    Kannan Balasubramanian, Mepco Schlenk Engineering College, India
    M. Rajakani, Mepco Schlenk Engineering College, India

Chapter 16: Data Mining for Secure Online Payment Transaction
    Masoumeh Zareapoor, Shanghai Jiao Tong University, China
    Pourya Shamsolmoali, CMCC, Italy
    M. Afshar Alam, Jamia Hamdard University, India

Chapter 17: Ransomware: A Rising Threat of New Age Digital Extortion
    Akashdeep Bhardwaj, UPES Dehradun, India

Index


Preface

The everchanging landscape surrounding the diverse applications of different technology breakthroughs can make it very challenging to stay on the forefront of innovative research trends. That is why IGI Global is pleased to offer this one-volume comprehensive reference that will empower students, researchers, practitioners, and academicians with a stronger understanding of digital currency. This compilation is designed to act as a single reference source on conceptual, methodological, and technical aspects, and will provide insight into emerging topics including but not limited to e-commerce, asset management, online financial systems, data collection, and micro-laundering. The chapters within this publication are sure to provide readers the tools necessary for further research and discovery in their respective industries and/or fields.

Digital Currency: Breakthroughs in Research and Practice is organized into four sections that provide comprehensive coverage of important topics. The sections are:

1. Bitcoin and Virtual Currency;
2. Blockchain Technology;
3. Crowdfunding and Crowdsourcing; and
4. Security and Privacy.

The following paragraphs provide a summary of what to expect from this invaluable reference source:

Section 1, “Bitcoin and Virtual Currency,” opens this extensive reference source by highlighting the latest trends in web-based electronic money and cryptocurrency. Through perspectives on dual currency, mobile banking, and bitcoin mining, this section demonstrates the risks and challenges involved in using bitcoin and other digital currencies. The presented research facilitates a better understanding of how different cybercrimes are affecting virtual economics.

Section 2, “Blockchain Technology,” includes chapters on emerging innovations surrounding the use of blockchains in financial systems. Including discussions on encryption, decentralized systems, and economic transactions, this section presents research on the impact of blockchain technology on the global market and the advancement of digital transactions. This inclusive information assists in advancing current practices in conducting and organizing financial transactions.

Section 3, “Crowdfunding and Crowdsourcing,” presents coverage on the use of bitcoin and e-banking and other online transactions in various activities and settings. Through innovative discussions on virtual platforms, cyberterrorism, and online video games, this section highlights how virtual platforms are being used to exchange funds. Discussions include the ways that these funds are helping societies to flourish, while also covering the alarming rate at which they are being used to support terrorism and criminal activities. These inclusive perspectives contribute to the available knowledge on cryptocurrency exchanges using social media and other sites.

Section 4, “Security and Privacy,” discusses coverage and research perspectives on features and methods for secure electronic transactions and preventing identity theft and other forms of digital extortion. Through analyses on anti-counterfeit methods, fraud detection, and ransomware, this section contains pivotal information on the latest developments in electronic payments systems and their security. The presented research facilitates a comprehensive understanding of the use of data mining for secure online payment transactions and the technology of currency identification.

Although the primary organization of the contents in this work is based on its four sections, offering a progression of coverage of the important concepts, methodologies, technologies, applications, social issues, and emerging trends, the reader can also identify specific contents by utilizing the extensive indexing system listed at the end.

Section 1

Bitcoin and Virtual Currency

Chapter 1

Bitcoin: A Search-Theoretic Approach

Tetsuya Saito
Nihon University, Tokyo, Japan

ABSTRACT

This paper considers the stability of Bitcoin in the market as a method of payment using a dual currency money-search model. In the model, there is traditional money and Bitcoin. The two currencies are classified by the storage cost and the probability that sellers accept particular money for payments. Agents are randomly matched for transactions. To consider substitution effect between monies, we allow new entries every period. In the beginning of each period, new entrants come into the matching process with a unit of money of their choice. A certain number of sellers also come into the same process to maintain the population share of sellers at a constant level. With appropriately chosen parameters, the author finds that there can be stable and unstable equilibria of the share of bitcoiners. In this case, a stable equilibrium is a success (bitcoiners take a large share) while the other (unstable) is a failure (bitcoiners take a marginal share or vanish). However, if the inflation rate of traditional money decreases, the successful equilibrium disappears to start approaching the failure even if Bitcoin is currently widely accepted. Furthermore, welfare comparisons suggest that an increase in the share of bitcoiners has a negative effect; hence, the benefit from reductions in the transaction costs must compensate for the welfare erosion if Bitcoin is accepted as a new kind of payment system. If the author is to succeed, the Bitcoin community or the public authorities need to be prepared for protecting the system from several illicit activities.

DOI: 10.4018/978-1-5225-6201-6.ch001

Copyright © 2019, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

1. INTRODUCTION

Bitcoin, which was launched in 2009, is a math-based digital currency project operated by nongovernmental entities.1 Anyone can obtain bitcoins if he/she can solve a math problem (mining). The math problem gets harder as more coins are mined. The math problem is so hard that miners use computers for mining; hence, the money supply is constrained by the progress of computing technologies. Once a coin is mined, it can circulate as an ordinary coin within the internet. Bitcoins can also be exchanged with other currencies, such as Euro and US dollar (USD). For example, Figure 1 shows the exchange rate with USD at Mt. Gox, which shows a steady increase in its value: from almost zero to $100 in May 2013. Mt. Gox is a Tokyo-based Bitcoin exchange that deals with most of the Bitcoin exchange trades. According to this chart, it seemed that Bitcoin was heading toward the successful establishment of a new payment method beyond the control of any authority, until the crash of Mt. Gox in 2014 (some signals might have already been observed in 2013).

There are several digital currencies other than Bitcoin, such as eBay, Anything Point, and Facebook Credits. Several new projects are also being launched, such as Amazon Coin and Ripple. In addition, mileage points of commercial airlines and shopping points of credit card vendors, for example, are similar to these digital currencies. Why was the focus on Bitcoin? Before the crash of 2014, some major financial companies, such as Western Union and MoneyGram, were approaching Bitcoin vendors.2 In addition, public authorities, such as the Fed and the FBI, are also interested in the activities using Bitcoin, as it may help criminal activities such as money laundering as well as tax evasions, and may be targeted by various cyber crimes.3

This paper studies Bitcoin (a legendary digital currency) using a search-theoretic model of money. There are three major versions of money-search model: the first generation model that uses indivisible money and goods (Kiyotaki & Wright, 1989); the second generation model that uses indivisible money and completely divisible goods (Trejos & Wright, 1995); and the third generation model that uses completely divisible money and goods (Lagos & Wright, 2005).4 This discussion is based on the second-generation money-search model. We extend the basic model by Trejos & Wright (1995) to a dual-currency model as in Craig & Waller (2000). The reason to use the second generation model is its simplicity for extension and its capability of dealing with price differences in methods of payments. In the dual-currency system, there are two currencies coexisting in a unified market as methods of payments. For keeping the seller to buyer ratio constant, this paper allows new entries of sellers and buyers. Accepting new entrants, who observe the previous period’s market performance of each currency, allows correlations among parameters within each currency, and eventually an interdependence of shares of traditional money and Bitcoin users.

Figure 1. Bitcoin-USD exchange rate at Mt. Gox (Source: bitcoinchart.com)

With such a framework, we examine if Bitcoin can stay in the market as a method of payment. In addition, we consider dynamic stabilities of bargaining outcomes and population shares of respective agent types. It is then clarified that Bitcoin may fail to exist if the inflation rate is sufficiently low relative to the storage cost (or gain) of Bitcoin. Actually, the financial crisis in Europe has brought the focus on Bitcoin. To overcome such a time on the cross, bitcoiners may have to accept major financial institutions to get involved in the community.

The analysis proceeds as follows. Section 2 defines the dual-currency framework and provides some basic results. The dual-currency framework is extended to examine the dynamics of population share of bitcoiners in Section 3. In Sections 2 and 3, the key results are also examined by numerical examples. Section 4 argues social welfare with and without Bitcoin. We then conclude the discussion in Section 5. In the conclusion, we summarize the key results and provide scopes for further studies. For reference, the Appendix considers an explicit inclusion of the Bitcoin exchange market to apply the analysis of this paper without modifications. Bitcoin is currently in a drastic situation and it may disappear. Yet, the analysis of this paper can still be applied to a new digital currency after Bitcoin.5

2. BASIC FRAMEWORK

2.1. The Dual-Currency Model

We consider an extension of the second-generation money-search model (Trejos & Wright, 1995) similar to Craig & Waller (2000). In this model, there is a traditional money as well as a math-based virtual money (Bitcoin hereafter). Each money is used as a medium of exchange. The two monies are indivisible and agents in this model are not allowed to hold more than one unit of them at one time. If an agent holds money, one is called a buyer. If an agent does not hold money, one is called a seller. By storing money beyond a period, in the beginning of the new period, the money holder accepts transferable utility $\gamma_m$, where $m$ is an index to identify monies: $m = 1$ indicates the variable is for traditional money and $m = 2$ for Bitcoin. For convenience, we may write $m$-money to refer to traditional money and Bitcoin for $m = 1$ and $m = 2$, respectively. If $\gamma_m < 0$, $m$-money is costly to store, as ordinary fiat money. If $\gamma_m \geq 0$, the $m$-money is not costly to store as commodity money.

Agents live infinitely long and discount the future by a common moment discount rate $r$. The length of each period is $\tau > 0$; for example, the periodical discount rate is then approximately $\tau r$. Within each period, each agent is randomly matched with another agent. The frequency of matching is represented by Poisson arrival rate $\lambda$ for each moment; hence, $\tau\lambda$ is the periodical arrival rate. Without loss of generality, we can set $\tau$ as small as possible to keep $\lambda < 1$ for $\lambda$ to be the probability of meeting another person.

Agents are capable of producing a differentiated good and enjoying products of others. If an agent consumes $q$ units of merchandise that one likes, there is a utility represented by $u(q)$, such that $u(0) = 0$, $u'(q) > 0$, and $u''(q) < 0$. If an agent produces $q$ units of merchandise, as ordered by one’s paired partner, there is a cost represented by $c(q)$, such that $c(0) = c_0 \geq 0$, $c'(q) > 0$, and $c''(q) \geq 0$. It is popular to introduce an increasing-return technology in a digital economy. Technically, in the second-generation money-search model, an increasing-return technology $c_0 > 0$ allows the possibility of a deflationary economy to have a stable monetary trade equilibrium.

For simplicity, we assume that whether one likes the paired partner’s product is entirely random, with probability $s \in (0, 1]$; hence, $s^2$ provides the probability of double coincidence of wants. If there is a single coincidence, where the buyer likes the product of the seller, there is a monetary trade. We define $\sigma_m$ to be the trade success rate when there is a single coincidence that is decomposed as:

$$\sigma_m \equiv s\,\alpha_m \tag{1}$$

where $\alpha_m$ is the probability that the $m$-money is accepted by the seller. In this sense, a buyer’s preference about a seller’s product and a seller’s preference about the payment method are also considered as ad hoc. For now, we assume that there is no correlation between the share of bitcoiners in the population $\mu_m$ and the trade-success rate $\sigma_m$. The independence between $\mu_m$ and $\sigma_m$ is considered in Section 3.

If a buyer and a seller are paired and the buyer likes the seller’s product, they bargain over the quantity of trade for a unit of money. In the model, for simplicity, we assume that the quantity is determined by a take-it-or-leave-it offer by the buyer. This simplification is popular in the money-search literature. It is known that social welfare reaches efficient level when buyers make take-it-or-leave-it offers. In addition, the basic behavior of the model is maintained so long as the bargaining power of compared models is on the buyer’s side; for example, Saito (2012) also shows that models assigning relatively larger bargaining power to sellers violate participation constraint. However, in the dual-currency framework, this simplification deletes impacts of the other currency in seller’s value function.

If there is a double coincidence, the pair can choose either barter or monetary trade. In this analysis, we assume that pairs with double coincidence always choose barter transactions, as it is known that they obtain an instantaneous net utility that maximizes the social welfare in the barter trade: $v^* \equiv \max_q \{u(q) - c(q)\}$. In particular, when an agent processes a barter transaction, one’s continuation value is:

$$u(x) - c(y) + V_m - V_m = u(x) - c(y)$$

In barter trade, we assume agents have even bargaining powers. In this case, by symmetry of agents’ problem, we have $x = y = q$, and then the bargaining solution coincides with the social optimum.

We let $V_0(t)$ be the value function of a seller from period $t$ onward. Similarly, we let $V_m(t)$ be the value function of an $m$-money holder. The Bellman equation of a seller is then given by:

$$
\begin{aligned}
(1 + \tau r)V_0(t) ={}& \tau\lambda\sigma_1\mu_1\{V_1(t+\tau) - c(y_1)\} + \tau\lambda\sigma_2\mu_2\{V_2(t+\tau) - c(y_2)\} \\
&+ \tau\lambda s^2\{v^* + V_0(t+\tau)\} + (1 - \tau\lambda\chi)V_0(t+\tau) + o(\tau)
\end{aligned}
\tag{2}
$$

where $o(\tau)$ is the counting loss function, such that $\lim_{\tau \to 0} o(\tau)/\tau = 0$ and $\chi$ is the probability of trade of any kinds:

$$\chi = \sigma_1\mu_1 + \sigma_2\mu_2 + s^2 \tag{3}$$

The Bellman Equation (2) is arranged to get:

$$
\begin{aligned}
rV_0(t) ={}& \lambda\sigma_1\mu_1\{V_1(t+\tau) - c(y_1)\} + \lambda\sigma_2\mu_2\{V_2(t+\tau) - c(y_2)\} \\
&+ \lambda s^2 v^* - \lambda(\sigma_1\mu_1 + \sigma_2\mu_2)V_0(t+\tau) + \frac{V_0(t+\tau) - V_0(t)}{\tau} + \frac{o(\tau)}{\tau}
\end{aligned}
\tag{4}
$$

For $\tau \to 0$, the Bellman Equation (4) reaches:

$$rV_0 = \lambda\sigma_1\mu_1\{V_1 - c(y_1) - V_0\} + \lambda\sigma_2\mu_2\{V_2 - c(y_2) - V_0\} + \lambda s^2 v^* + \dot{V}_0 \tag{5}$$

The Bellman equation of a buyer that holds $m$-money is given by:

$$
\begin{aligned}
(1 + \tau r)V_m(t) ={}& \tau\lambda\theta\sigma_m\{u(x_m) + V_0(t+\tau)\} + \tau\lambda s^2\{v^* + V_m(t+\tau)\} \\
&+ \{1 - \tau\lambda(\theta\sigma_m + s^2)\}V_m(t+\tau) + \tau\gamma_m + o(\tau)
\end{aligned}
\tag{6}
$$

where $\theta$ is the share of sellers in the population:

$$\theta \equiv 1 - (\mu_1 + \mu_2) \tag{7}$$

Similarly to the Bellman equation of the seller (4), for $\tau \to 0$, the Bellman equation of the buyer that holds $m$-money reaches:

$$rV_m = \lambda\theta\sigma_m\{u(x_m) + V_0 - V_m\} + \lambda s^2 v^* + \gamma_m + \dot{V}_m \tag{8}$$

Since the buyer makes a take-it-or-leave-it offer, the bargaining solution $q_m = x_m = y_m$ is given by equating the incentive compatibility condition of the seller $V_m - c(q_m) \geq V_0$ as:

$$V_m - c(q_m) = V_0 \tag{9}$$

In this case, the value function of the seller is computed as:

$$rV_0 = \dot{V}_0 + \lambda s^2 v^* \tag{10}$$

In addition, differentiating both sides of the bargaining rule (9) with respect to time provides the motion function of $q_m$ as:

$$\dot{q}_m = \frac{\dot{V}_m - \dot{V}_0}{c'(q_m)} \tag{11}$$

where $\dot{q}_m \equiv dq_m/dt$. We substitute value functions of (8) and (10) into (11) to get:

$$\dot{q}_m = \frac{(r + \lambda\theta\sigma_m)c(q_m) - \lambda\theta\sigma_m u(q_m) - \gamma_m}{c'(q_m)} \tag{12}$$

We search equilibrium that satisfies $\dot{q}_m = 0$. Since $c'(q_m) > 0$, we now find the equation that provides law of motions of $q_m$ as:

>


0 is a preference parameter. Agent i then brings traditional money into the matching process if:

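$$V_1 - \xi L_{i1} > V_2 - \xi L_{i2} \;\Rightarrow\; V_1 - V_2 > \xi(L_{i1} - L_{i2}) \tag{14}$$

where $\delta_i \equiv \xi(L_{i1} - L_{i2})$ is distributed as cumulative distribution $F(\delta_i)$ with probability distribution $F'(\delta_i) \equiv f(\delta_i)$. Similarly, agent $i$ brings Bitcoin if:

$$V_1 - \xi L_{i1} \leq V_2 - \xi L_{i2} \;\Rightarrow\; V_1 - V_2 \leq \xi(L_{i1} - L_{i2}) \tag{15}$$

To compute the left-hand side of conditions (14) and (15), $V_1 - V_2$, we consider:

$$\dot{V}_m - \dot{V}_0 = (r + \lambda\theta\sigma_m)(V_m - V_0) - \lambda\theta\sigma_m u(q_m^*) - \gamma_m = 0 \tag{16}$$

which provides:

$$V_m - V_0 = \frac{\lambda\theta\sigma_m u(q_m^*) + \gamma_m}{r + \lambda\theta\sigma_m} \tag{17}$$

Thus, $V_1 - V_2$ is computed as:

$$V_1 - V_2 \equiv D(\cdot) = \frac{\lambda\theta\sigma_1 u(q_1^*) + \gamma_1}{r + \lambda\theta\sigma_1} - \frac{\lambda\theta\sigma_2 u(q_2^*) + \gamma_2}{r + \lambda\theta\sigma_2} \tag{18}$$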

Axiom 1: If Bitcoin is normal, an increase in $\sigma_2$ increases the share of bitcoiners; hence, $dD/d\sigma_2 > 0$. Similarly, in this case, an increase in $\gamma_2$ increases the share of bitcoiners; hence, $dD/d\gamma_2 > 0$.

Based on conditions (14) and (15) and Axiom 3, we find the distribution of shares of respective money types, as depicted in Figure 3. This figure plots $D(\sigma_2; \ldots) = V_1 - V_2$ in the right-half space to take $\delta_i$ for the vertical axis. In the left-half space, the density function $f(\delta)$ is placed to obtain the shares of respective money types in the population of new entrants: the darker area corresponds to the share of bitcoiners, $F(\delta)$, and the brighter area the share of traditional money holders, $1 - F(\delta)$.

Proposition 1: If Bitcoin is normal as in Axiom 3, for a given $\sigma_2$, the share of bitcoiners in the population of entrants increases when $\gamma_1$ decreases (e.g., further inflation of traditional money) or $\gamma_2$ increases (e.g., further deflation of Bitcoin).

Proof: By symmetry of the problem described in (18), the sign of derivative of $D$-function with respect to $\gamma_1$ is opposite to the sign of $dD/d\gamma_2$; hence, Axiom 3 implies $dD/d\gamma_1 < 0$ by $dD/d\gamma_2 > 0$. Therefore, a decrease in $\gamma_1$ and an increase in $\gamma_2$ make upward shifts of $D$-function in Figure 3. This implies an increase in the share of bitcoiners for a given $\sigma_2$, as stated in this proposition.

2.3. A Numerical Example

For numerical analysis, we provide utility and cost functions as:

$$u(x) = \log(x + 1), \qquad c(y) = 0.1y + 0.5 \tag{19}$$

We assume that a traditional-money holder always likes the seller's product and the seller always accepts traditional money for payment; hence, $\sigma_1 \equiv 1$. Bitcoin holders also like the respective seller's product. However, some sellers do not accept bitcoins for payment. In this case, we have $\sigma_2 < 0$. The share of sellers in the population and the arrival rate are half ($\theta = 0.5$ and $\lambda = 0.5$). The traditional money is costly to store and its inflation rate is given by either 3% or 5% ($\gamma_1 = -0.03$ or $-0.05$, respectively). The discount rate is assumed to be 5% ($r = 0.05$). Using these parameters, Figure 4 shows the result for $\sigma_2 \in [0, 1]$ and $\gamma_2 = \{-1\%, 1\%, 2\%\}$ that are consistent with Axiom 3 and Proposition 1.

Figure 3. Determining shares of money holders


Figure 4. Determining shares of money holders (numerical example)

3. DYNAMICS OF THE SHARE OF BITCOINERS

3.1. An Extension

We allow a correlation between $\mu_m$ and $\sigma_m$ that implicitly allows a correlation between traditional money and Bitcoin. In this case, Remark 1 does not hold true as it is, due to feedback effects, but the independence between the two currencies still holds. The revision of the remark is formally provided as follows.

Remark 2: If there is a correlation between $\mu_m$ and $\sigma_m$, Remark 1 holds as partial effects instead of total effect; hence, $\partial q_m^*/\partial\sigma_m < 0$ and $\partial q_m^*/\partial\gamma_m < 0$, but the independence between the currencies still holds: $dq_m^*/d\sigma_k = dq_m^*/d\gamma_k = 0$ for $k \ne m$.

For more details, we extend our model by setting up the rule of correlation of the two parameters. We suppose s is constant over time. In this case, the dynamic version of $\sigma_m$ is given by:

$$\sigma_m(t) \equiv s\,\alpha_m(t) \tag{20}$$

We assume that sellers always accept traditional money and they may not accept bitcoins:

$$\alpha_1(t) \equiv 1 \quad \text{and} \quad \alpha_2(t) \in (0, 1) \tag{21}$$

The correlation between $\mu_m$ and $\sigma_m$ is actually a correlation between $\mu_m$ and $\alpha_m$, as s is stationary and preferred by the buyer; hence, the relationship between $\mu_m$ and $\sigma_m$ is obtained as:

$$\alpha_2(t + \tau) = \phi[\mu_2(t)] \;\Rightarrow\; \mu_2(t) = \phi^{-1}\!\left[\frac{\sigma_2(t + \tau)}{s}\right] \equiv g[\sigma_2(t + \tau)] \tag{22}$$

where $\phi^{-1}$ represents the inverse function of the $\phi$-function. To make bitcoins attractive, we assume that there is a positive acceptance rate even if nobody is a bitcoiner (or to say before launching Bitcoin). In addition, all sellers need to accept bitcoins if all buyers are bitcoiners. In the following equation, the two conditions are written as:

$$\phi(0) > 0 \quad \text{and} \quad \phi(1) = 1 \tag{23}$$

Letting $N_2(t)$ be the population of bitcoiners in period t, the share of bitcoiners in period t is arranged to get:

$$\mu_2(t) = \frac{N_2(t - \tau) + \Delta N_2(t)}{N(t - \tau) + \Delta N(t)} = \frac{\mu_2(t - \tau) + \Delta N_2(t)/N(t - \tau)}{1 + n(t)} \tag{24}$$

where N(t) represents the total population and n(t) the population growth rate given by:

$$n(t) \equiv \frac{\Delta N(t)}{N(t - \tau)} \tag{25}$$

By definition, the population of bitcoiners increases in period t by:

$$\Delta N_2(t) = F[\delta^*(t)]\,\Delta M(t) \tag{26}$$

where $\delta^*(t)$ is a cut-off level for $\xi(L_{i1} - L_{i2})$ determined by $\sigma_2(t)$ as shown in Figure 3; M(t) represents the population of buyers (sum of traditional-money holders and bitcoiners); and $\Delta M(t)$ the increase in the population of buyers. By assumption, the share of sellers in the population is fixed at $\theta$; hence, the population of buyers satisfies:

$$M(t) \equiv (1 - \theta)N(t) \;\Rightarrow\; \Delta M(t) \equiv (1 - \theta)\Delta N(t) \tag{27}$$

To compute (24), using (26) and (27), we arrange $\Delta N_2(t)/N(t - \tau)$ as:

$$\frac{\Delta N_2(t)}{N(t - \tau)} = F[\delta^*(t)]\,\frac{\Delta M(t)}{\Delta N(t)}\,\frac{\Delta N(t)}{N(t - \tau)} = (1 - \theta)\,n(t)\,F[\delta^*(t)] \tag{28}$$

We then substitute (28) into (24) to get:

$$\mu_2(t) = \frac{\mu_2(t - 1) + (1 - \theta)\,n(t)\,F[\delta^*(t)]}{1 + n(t)} \tag{29}$$

Let $\dot{\mu}_2 \equiv \mu_2(t) - \mu_2(t - \tau)$ be a periodical change in the share of bitcoiners to arrange (29) to get:

$$\dot{\mu}_2 = (1 - \theta)\,n(t)\,F[\delta^*(t)] - n(t)\,\mu_2(t) \tag{30}$$

We search for an equilibrium that satisfies $\dot{\mu}_2 = 0$ by taking $\tau \to 0$ in (30) and substituting $\mu_2 = g(\sigma_2)$ into it. To verify the dynamic stability of equilibria, we evaluate:

$$\dot{\mu}_2 \ge 0 \;\Leftrightarrow\; (1 - \theta)F(\delta^*) \ge g(\sigma_2) \quad (\tau \to 0) \tag{31}$$

Since $\delta^*$ is determined by $\sigma_2$ via $D(\sigma_2; \ldots)$, (32) is eventually written as: >

>


0 and $\delta^* f(\delta^*) < 0$. Therefore, W is an increasing or a hump-shaped function for $\delta^* < 0$ while it is a decreasing function for $\delta^* \ge 0$. Next, the $\phi$-function provides a positive correlation between $\sigma_2$ and $\mu_2$. As $\delta^* \equiv \xi(L_{i1} - L_{i2})$ determines the cutoff level for conditions (14) and (15) for each $\sigma_2$, $\delta^* \ge 0$ indicates that generating bitcoins is easier than obtaining traditional money. Therefore, an increase in the share of bitcoiners reduces the social welfare for $\delta^* \le 0$.

Numerical examples to confirm Proposition 2 are shown in Figure 7. In this figure, the values of $\sigma_2$ that assign $\delta^* = 0$ for $\gamma_2 = 1\%$ and $\gamma_1 = -3\%$ for Figure 7 (Left), and $\gamma_2 = -5\%$ for Figure 7 (Right), are $\sigma_2 \approx 0.36$ ($\mu_2 \approx 0.33$) and $\sigma_2 \approx 0.29$ ($\mu_2 \approx 0.25$), as indicated by solid grid lines. In the figures, the flat segment indicates that Bitcoin vanishes and $W \equiv (1 - \theta)V_1$ holds. The examples also confirm that W is decreasing in $\sigma_2$ for $\delta^* \ge 0$ and it is hump-shaped for $\delta^* < 0$, as stated in the proof of the proposition.

In accordance with our result, the single-currency system is more preferable. If Bitcoin is not so beneficial in the end, we should abandon bitcoins. Bitcoin is a kind of international currency. As proposed by Matsuyama et al. (1993), a unified currency may reduce the welfare level, as merchants specialize in productions of general goods instead of locally tailor-made ones, which could be traded only between locals, as sellers choose larger opportunities to trade general goods. In this study, in contrast, a lower acceptability as a payment method generated a welfare-decreasing result, as the buyer's preference is completely ad hoc.

Figure 7. Social welfare and share of bitcoiners

Our Proposition 2 and Matsuyama et al. (1993) propose negative results for Bitcoin to improve social welfare. When we consider welfare gains from Bitcoin, however, we also need to consider the vehicle currency issue. If Bitcoin takes a role as a vehicle currency, it provides further benefits by eliminating fees for one-to-one exchanges. That is, a vehicle currency is introduced to minimize such costs from one-to-one exchanges (for example, Jones 1976, Chrystal 1977, Krugman 1980). In this case, the welfare erosion by an increase in the share of bitcoiners must be compensated by the reduction of foreign exchange cost, which is Bitcoin's actual aim. In addition, Devereux & Shi (2013), for example, claim that the welfare of countries within the vehicle currency system is eroded by a higher inflation rate of the center country. In this sense, such an erosion of welfare is reduced by making Bitcoin a vehicle, as its inflation rate is subject to the math problem that eventually becomes unsolvable within a reasonable time (no money-supply growth then). According to Devereux and Shi's study, there is also a possibility of the coexistence of multiple vehicle currencies depending on respective storage cost (inflation rate). Therefore, there is a possibility that USD, Euro, and Bitcoin can coexist and that there is still room for improving social welfare. Once we decide to accept Bitcoin as a new method of payment, we need to revert to the argument of how to maintain a healthy Bitcoin system, inclusive of discussions of whether to accept the involvement of public authorities, as discussed in the previous section.

5. CONCLUDING REMARKS

To examine the potential sustainability of Bitcoin, this paper analyzed a dual-currency money-search model with new entries keeping the buyer-seller ratio constant. We then have found that sustainability of Bitcoin may be vulnerable to a decrease in the inflation rate of a major currency and a decrease in the credibility of Bitcoin. Such criteria for sustainability are analogous to those of ordinary money except for the fact that Bitcoin is not based on the traditional banking system. Bitcoin is based only on the market. The theory predicts that Bitcoin can coexist with traditional money as long as the inflation rate and credibility issues are cleared. In such a case, however, an increase in the share of bitcoiners reduces social welfare, as sellers may reject Bitcoin for payments. We then need to consider whether we accept Bitcoin as a new method of payment. If Bitcoin cannot reduce transaction costs sufficiently, it is better to abandon Bitcoin.

If we accept Bitcoin, we still need to control the system appropriately against several criminal activities, such as money laundering, tax evasion, counterfeiting (double-spending), and cracking. Tracking bitcoin transactions seems much easier than tracking traditional currencies, but there are huge monitoring costs due to the size of the data. Bitcoin is hard to copy and based on a secure system, but the existence of threats of counterfeiting affects the value of Bitcoin. In addition, without public entities, the Bitcoin community may have to provide resources against illicit activities inclusive of the ones caused by external effects. The decision to accept or reject the involvement of public entities should be made with rational thought, such as comparisons of cost and benefit in conjunction with demand and supply of offenses.

Let us assume that Bitcoin is accepted as a part of the current payment system and is approaching the successful equilibrium. Its public responsibility then becomes further significant. This implies that the Bitcoin community is prepared for protecting the system from several illicit activities and market turmoils. For the protection, large financial and human resources are needed. For the community, it is the time on the cross, as they need to decide whether to involve public authorities in Bitcoin. Moreover, if they reject public authorities, they need sufficient resources (funds) or public authorities may need to compulsorily intervene in the Bitcoin system. To what extent the authorities are involved in Bitcoin is then determined, for example, by comparisons between costs and benefits for market offenses. If the involvement of public authorities in the Bitcoin community has a positive side effect, the acceptance rate may help to improve the social welfare level in the equilibrium. If Bitcoin fails to exist in the near future, for example, by a decrease in inflation rates of major traditional currencies or a weak Bitcoin-market trend, public authorities do not need to be much involved in Bitcoin.

REFERENCES

Becker, G. S. (1968). Crime and punishment: An economic approach. Journal of Political Economy, 76(2), 169–217. doi:10.1086/259394

Berentsen, A., & Rocheteau, G. (2004). Money and information. The Review of Economic Studies, 71(4), 915–944. doi:10.1111/0034-6527.00309

Camera, G. (2001). Dirty money. Journal of Monetary Economics, 47(2), 377–415. doi:10.1016/S0304-3932(01)00043-5

Camera, G., Craig, B., & Waller, C. (2004). Dollarization and currency exchange. Journal of Monetary Economics, 51(4), 671–689. doi:10.1016/j.jmoneco.2003.10.002

Cavalcanti, R., Erosa, A., & Temzelides, T. (1999). Private money and reserve management in a random-matching model. Journal of Political Economy, 107(5), 929–945. doi:10.1086/250085

Cavalcanti, R., & Nosal, E. (2011). Counterfeiting as private money in mechanism design. Journal of Money, Credit and Banking, 43(S2), 625–636. doi:10.1111/j.1538-4616.2011.00456.x

Chang, W. W., Kemp, M. C., & Van Long, N. (1983). Money, inflation, and maximizing behavior: The case of many countries. Journal of Macroeconomics, 5(3), 251–263. doi:10.1016/0164-0704(83)90060-5

Cho, I.-K., & Kreps, D. (1987). Signaling games and stable equilibria. The Quarterly Journal of Economics, 102(2), 179–221. doi:10.2307/1885060

Chrystal, K. A. (1977). Demand for international media of exchange. The American Economic Review, 67(5), 840–850.

Craig, B. R., & Waller, C. J. (2000). Dual-currency economies as multiple-payment systems. Federal Reserve Bank of Cleveland Economic Review, Q1, 2–13.

Devereux, M. B., & Shi, S. (2013). Vehicle currency. International Economic Review, 54(1), 97–133. doi:10.1111/j.1468-2354.2012.00727.x

Dutu, R. (2008). Currency interdependence and dollarization. Journal of Macroeconomics, 30(4), 1673–1687. doi:10.1016/j.jmacro.2008.03.002

Ehrlich, I. (1974). Participation in illegitimate activities: An economic analysis. In G. S. Becker & W. M. Landes (Eds.), Essays in the economics of crime and punishment (pp. 68–134). New York, NY: Columbia University Press.

Ehrlich, I. (1981). On the usefulness of controlling individuals: An economic analysis of rehabilitation, incapacitation and deterrence. The American Economic Review, 71(3), 307–322.

Ehrlich, I. (1982). The optimum enforcement of laws and the concept of justice: A positive analysis. International Review of Law and Economics, 2(1), 3–27. doi:10.1016/0144-8188(82)90011-4

Ehrlich, I. (1996). Crime, punishment, and the market for offenses. The Journal of Economic Perspectives, 10(1), 43–67. doi:10.1257/jep.10.1.43

Ehrlich, I., & Saito, T. (2010). Taxing guns vs. taxing crime: An application of the market for offenses model. Journal of Policy Modeling, 32(5), 670–689. doi:10.1016/j.jpolmod.2010.07.008

Green, E. J., & Weber, W. E. (1996). Will the new $100 bill decrease counterfeiting? Federal Reserve Bank of Minneapolis Quarterly Review, (Summer): 3–10.

Jones, R. A. (1976). The origin and development of media of exchange. Journal of Political Economy, 84(4), 757–775. doi:10.1086/260475

Kiyotaki, N., & Moore, J. (1997). Credit cycles. Journal of Political Economy, 105(2), 211–248. doi:10.1086/262072

Kiyotaki, N., & Wright, R. (1989). On money as a medium of exchange. Journal of Political Economy, 97(4), 927–954. doi:10.1086/261634

Krugman, P. (1980). Vehicle currencies and the structure of international exchange. Journal of Money, Credit and Banking, 12(3), 513–526. doi:10.2307/1991725

Kultti, K. (1996). A monetary economy with counterfeiting. Journal of Economics, 63(2), 175–186. doi:10.1007/BF01258671

Lagos, R., & Wright, R. (2005). A unified framework for monetary theory and policy analysis. Journal of Political Economy, 113(3), 463–484. doi:10.1086/429804

Li, Y., & Rocheteau, G. (2011). On the threat of counterfeiting. Macroeconomic Dynamics, 15(S1), 10–41. doi:10.1017/S1365100510000544

Martin, A. (2006). Endogenous multiple currencies. Journal of Money, Credit and Banking, 38(1), 245–262. doi:10.1353/mcb.2006.0019

Matsuyama, K., Kiyotaki, N., & Matsui, A. (1993). Toward a theory of international currency. The Review of Economic Studies, 60(2), 283–307. doi:10.2307/2298058

Nosal, E., & Wallace, N. (2007). A model of (the threat of) counterfeiting. Journal of Monetary Economics, 54(4), 994–1001. doi:10.1016/j.jmoneco.2006.02.006

Ostroy, J. M. (1973). The informational efficiency of monetary exchange. The American Economic Review, 63(4), 597–610.

Rocheteau, G. (2008). Money and competing assets under private information. Federal Reserve Bank of Cleveland Working Papers, No. 0802.

Rupert, P., Schindler, M., Shevchenko, A., & Wright, R. (2000). The search-theoretic approach to monetary economics: A primer. Federal Reserve Bank of Cleveland Economic Review, Q4, 10–28.

Saito, T. (2012). Rationality and stability of equilibrium in a search-theoretic model of money. Theoretical Economics Letters, 3(2), 283–286. doi:10.4236/tel.2012.23052

Saito, T. (2013). Bitcoin: a search-theoretic approach. Working Paper Series, Research Institute of Economic Science, College of Economics, Nihon University, No.13-01.

Soller-Curtis, E., & Waller, C. J. (2000). A search-theoretic model of legal and illegal currency. Journal of Monetary Economics, 45(1), 155–184. doi:10.1016/S0304-3932(99)00042-2

Trejos, A. (1996). Search theoretic models of international currency. Federal Reserve Bank of St. Louis Review, 78(3), 117–132.

Trejos, A., & Wright, R. (1995). Search, bargaining, money, and prices. Journal of Political Economy, 103(1), 118–141. doi:10.1086/261978

Williamson, S., & Wright, R. (2010). New monetarist economics: Methods. Federal Reserve Bank of St. Louis Review, 92(4), 265–302.

Williamson, S. D. (1999). Private money. Journal of Money, Credit and Banking, 31(3), 469–491. doi:10.2307/2601065

Williamson, S. D. (2002). Private money and counterfeiting. Federal Reserve Bank of Richmond Economic Quarterly, 37-57.

ENDNOTES

1. Bitcoin is proposed by Satoshi Nakamoto, Bitcoin: A peer-to-peer electronic cash system, 2009. This article is freely available online at http://bitcoin.org/bitcoin.pdf. Yet it has not been identified who Satoshi Nakamoto is.

2. Robin Sidel (2013, April 13). Bitcoin Investors Hang On for the Ride. The Wall Street Journal. Retrieved April 13, 2013, from http://online.wsj.com.

3. Jeffrey Sparshott (2013, March 21). Web Money Gets Laundering Rule. The Wall Street Journal. Retrieved March 21, 2013, from http://online.wsj.com.

4. Rupert et al. (2000) provide a detailed survey for the first and second generation models, and Williamson & Wright (2010) summarize the recent developments in this field including the third generation model.

5. The first draft of this paper is written in May 2013 (Saito, 2013).

6. The detail is given by the official press release at https://mtgox.com/press_release_20130404.html.

This research was previously published in the International Journal of Innovation in the Digital Economy (IJIDE), 6(2); edited by Ionica Oncioiu, pages 52-71, copyright year 2015 by IGI Publishing (an imprint of IGI Global).


APPENDIX

Inclusion of the Exchange Market

When we include an exchange market, we need to consider the demand and supply of bitcoins. The demand for bitcoins is derived from the population of new entrants that purchase bitcoins. We then assume that a portion of bitcoiners goes out of the market at the end of every period. To keep $\theta$, the corresponding traditional-money holders and sellers also go out of the market then. This is analogous to the thinking used in marriage market and random matching models. If we accept such a framework, the analysis is processed without any modification.

Another modeling strategy is to include outside options of agents, as discussed by Dutu (2008) in his study of dollarization. However, it does not change the course of discussions as long as outside options are given exogenously.

A possible change in the result is the shift of cumulative distribution function F. An increase in the population of entering bitcoiners relative to out-going bitcoiners $\beta$ increases the average market value of Bitcoin and that affects $\delta_i = (1 - \pi_i)L_{i1}$ for $L_{i2} = \pi_i L_{i1}$. Thus, a stronger Bitcoin market increases the transformation rate $\pi_i$ to reduce $\delta_i$. As a result, it makes a rightward shift of F, which results in a decrease in the inflation rate of traditional money in Figure 3. As a result, a stronger market reduces the share of bitcoiners in the stable equilibrium in Figure 5. A too strong Bitcoin trend with a successful equilibrium disappears to reach the failure one. However, it improves social welfare as indicated by Figure 7. A weaker Bitcoin trend produces a result analogous to an increase in the inflation rate of traditional money. If it has little effect on sellers' preference about payment methods, the weaker trend increases the share of bitcoiners. However, a too weak trend may result in a crash of Bitcoin, as sellers may hesitate to accept bitcoins then (a further leftward shift of function g in Figure 5).


Chapter 2

Benefits From Using Bitcoin: Empirical Evidence From a European Country

Rainer Schmidt, Munich University of Applied Sciences, Germany
Michael Möhring, Munich University of Applied Sciences, Germany
Daniel Glück, Aalen University of Applied Sciences, Germany
Ralf Haerting, Aalen University of Applied Sciences, Germany
Barbara Keller, Aalen University of Applied Sciences, Germany
Christopher Reichstein, Aalen University of Applied Sciences, Germany

ABSTRACT

Bitcoin is the most successful approach for establishing a currency outside of state supervision and government institutions. Bitcoin is also discussed very controversially. Therefore, a further investigation of different aspects of the benefit of using Bitcoin should be realized in order to identify some core aspects of the digital currency Bitcoin. In this context, the study described in the following was carried out. It shows that there exist key aspects, like dissemination as well as safety, which are important impact factors on users' benefit of using a digital currency like Bitcoin. In addition, it also gives implications for a further development of the topic and aspects for future research.

DOI: 10.4018/978-1-5225-6201-6.ch002

Copyright © 2019, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.


1. INTRODUCTION

For centuries, the privilege of issuing banknotes and coins had been exclusively assigned to states and government institutions. Only they were able to suppress forgery by criminal prosecution. At the same time, the monopoly on the creation of money was also an expression of power. Therefore, it is not surprising that the rise of Bitcoin (Nakamoto, 2008) is also regarded as a “democratic disruption of finance” (El-Erian, 2014). Both positive and negative aspects of Bitcoin can be found in the public discussion. Some regard it as a means to drive financial sector innovation (Hileman, 2014) or even as a weapon to break U.S. dominance in financial markets (Sheng, 2014). Critical voices consider Bitcoin as evil (Krugman, 2013), a kind of ultra-liberal putsch in order to destroy governmental structures (Krugman, 2013).

A central trait of bitcoin is anonymity (Reid & Harrigan, 2013), although first concepts are being developed in order to de-anonymize bitcoin users (Dupont & Squicciarini, 2015). Nevertheless, there is research striving to identify the most important user groups of bitcoin (Bohr & Bashir, 2014). This research found that the average bitcoin user is rather young, 33 years old. Most bitcoin users are living in the U.S. and selected libertarian as their preferred political ideology. In consequence, freedom from government regulations is an important motivation to use bitcoins.

Over recent years, the interest in Bitcoin has increased, while more and more companies are starting to accept Bitcoin as a digital currency. Companies can simply establish Bitcoin in their web pages due to payment service providers (Barber, Boyen, Shi, & Uzun, 2012). They supply Bitcoin as a payment information system to thousands of companies. For instance, the biggest payment systems are ‘Bitpay’ with over 50,000 and ‘Coinbase’ with more than 39,000 businesses and organizations. They include major companies like Dell, Microsoft, Expedia, Overstock.com and Wordpress (“BitPay,” 2015, “Coinbase,” 2015). The widespread practical use and the influence on Information Systems make Bitcoin of high relevance for information systems research (Giaglis & Kypriotaki, 2014; Glaser, Zimmermann, Haferkorn, Weber, & Siering, 2014). As a virtual currency, Bitcoin can be used as a payment for services (Karame, Androulaki, & Capkun, 2012; Meiklejohn et al., 2013). However, Bitcoin can also be considered as a service (Sasson et al., 2014) or part of service-systems (Jim Spohrer, 2007).

The obvious fierceness of the discussions about Bitcoin makes it necessary to carve out the facts in a more clear and precise manner. Therefore, it is important to clarify what influences the benefits of using Bitcoin by using empirical research. This paper addresses the following research question: What influences the benefit of using Bitcoin? Thereby, the benefit of using Bitcoin can be defined as the advantages of the utilization of a digital currency (Bitcoin) from a user's point of view. Thus, this paper addresses two communities, the academic community and practical users of bitcoin such as enterprises. Academics will profit from the empirical insights as a foundation for theoretical analysis. Potential users of bitcoin receive a framework allowing them to evaluate the benefits of bitcoin.

The contribution of the paper is to provide empirical insights into the benefits of using bitcoin. Existing research either tried to develop an economic model of bitcoin or analyzed the technological aspects such as anonymity. This research will address the research gap of the missing investigation of the benefits of using Bitcoin from a European view. The paper is structured as follows: First, we give a short introduction to the topic of Bitcoin and develop a literature review (Cooper, 1998). In the next section, we define and explain the empirical research design and the method of structural equation modeling (Wong, 2013). Afterward, we discuss the findings of the research. Finally, the paper finishes with a conclusion.

2. DIGITAL CURRENCY AND BITCOIN

Digital currency is growing rapidly based on the increasing use of internet services. According to ITU (“Country classifications,” 2015), the volume of worldwide internet users surpassed 2.9 billion in 2014 – this is consistent with growth by a factor of 8 over 14 years, and it is expected that the rise will continue in the future. In the context of these technological developments, a widespread use of new internet services, especially virtual communities like Facebook or Twitter, has to be stated. In connection with some of these services, new types of digital currencies and methods of payment appeared.

In economic literature, we find different approaches to categorize digital money. We find a helpful approach given by the European Central Bank (Virtual Currency Schemes, 2012, p. 12). The ECB distinguishes between regulated and unregulated digital currencies and the money format (see Table 1). The physical appearance of money differs between digital and physical. Regulated and physical money (e.g. traditional currencies) has a fixed supply of money, which is issued by a legally established money institution. Unregulated digital money has no statutory regulations. It is not fixed and often issued by a private institution. Within the frame of Table 1 and according to the definition of the virtual (digital) currency from the ECB, the following understanding for Bitcoin could be given: Bitcoin “is a type of unregulated, digital money, which is issued and usually controlled by its developers, and used and accepted among the members of a specific virtual community” (Virtual Currency Schemes, 2012, p. 13).

Bitcoin is based on digital signatures saved in a protocol file. The protocol enables a decentralized virtual network to transfer digital money, like TCP/IP (Fall & Stevens, 2011). This open source protocol is available to all peers of the internet without limitation. In that community, all transactions are packed into blocks, which are connected by a reference. The result is an ordered transaction in time, which is called block-chain (Nakamoto, 2008).

There are two mechanisms to receive Bitcoin (Nakamoto, 2008). First, Bitcoin can be generated by transferring goods against the digital currency. The second mechanism is a mining process. Creating a new valid block will be rewarded by the system. In other words, miners are credited with Bitcoin. The on-going mining process becomes more and more complex. This calls for more computing power, with the result that the creation of Bitcoin decreases geometrically. Every four years the reward is halved (Nakamoto, 2008). The supply of Bitcoin will be finally limited by approaching 21 million bitcoins (Virtual Currency Schemes, 2012, p. 24). Due to this limit, it is expected for the future that fees play a more important role if miners create new blocks. According to different determinants of a digital currency like Bitcoin, we developed a literature review in the next section.

Table 1. Legal status of digital money, according to (Virtual Currency Schemes, 2012, p. 12)

| Money format | Legal status: Regulated | Legal status: Unregulated |
|---|---|---|
| Digital | E-Money; Commercial bank money (deposits) | Bitcoin |
| Physical | Banknotes and coins | Certain types of local currencies |
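The block-chain structure described in this section (transactions packed into blocks that are connected by a reference) can be illustrated with a small hash-linked ledger and a verifier that reports where an alteration first becomes visible. This is an added example, not code from the chapter or from Bitcoin itself: the block layout, field names and sample transactions are constructed for illustration, and proof-of-work and digital signatures are left out.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed marker: the first block has no predecessor


def block_hash(block):
    """SHA-256 over the block's contents, excluding the stored hash itself."""
    body = {key: block[key] for key in ("index", "prev_hash", "transactions")}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def append_block(chain, transactions):
    """Pack transactions into a new block that references the previous one."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"index": len(chain), "prev_hash": prev_hash,
             "transactions": list(transactions)}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def first_invalid(chain):
    """Return the index of the first inconsistent block, or None if all verify."""
    expected_prev = GENESIS_PREV
    for position, block in enumerate(chain):
        if (block["index"] != position
                or block["prev_hash"] != expected_prev
                or block["hash"] != block_hash(block)):
            return position
        expected_prev = block["hash"]
    return None


def build_sample_chain():
    """Four blocks of constructed sample transactions (names are hypothetical)."""
    chain = []
    append_block(chain, [{"from": "mint", "to": "alice", "amount": 50}])
    append_block(chain, [{"from": "alice", "to": "bob", "amount": 5}])
    append_block(chain, [{"from": "bob", "to": "carol", "amount": 2}])
    append_block(chain, [{"from": "alice", "to": "carol", "amount": 1}])
    return chain


def audit_demo():
    """Show what a verifier sees after a stored transaction is altered."""
    chain = build_sample_chain()
    trusted_tip = chain[-1]["hash"]  # tip hash an honest peer already holds
    report = {"intact": first_invalid(chain)}

    edited = copy.deepcopy(chain)
    edited[1]["transactions"][0]["amount"] = 500
    # The stored hash of block 1 no longer matches its contents.
    report["after_edit"] = first_invalid(edited)

    edited[1]["hash"] = block_hash(edited[1])
    # Block 1 is self-consistent again, but block 2 still references the old hash.
    report["after_rehash_of_block_1"] = first_invalid(edited)

    for i in range(2, len(edited)):
        edited[i]["prev_hash"] = edited[i - 1]["hash"]
        edited[i]["hash"] = block_hash(edited[i])
    # Internally consistent again, yet the tip differs from the trusted one.
    report["after_rehash_of_all"] = first_invalid(edited)
    report["tip_matches_trusted"] = edited[-1]["hash"] == trusted_tip
    return report


if __name__ == "__main__":
    for step, result in audit_demo().items():
        print(f"{step}: {result}")
```

Because every later block commits to the hash of its predecessor, a change to an old transaction is detectable either as a broken link or as a tip hash that no longer matches the one other peers hold.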


3. DETERMINANTS OF THE DIGITAL CURRENCY BITCOIN

In order to gain a deeper knowledge in the field of the digital currency Bitcoin, a literature review according to Cooper (Cooper, 1998) was carried out. We systematically looked for papers in established journals and conferences to ensure a high-quality standard. Therefore, we used databases such as Springer Link, AISel, IEEEXplore and ACM Digital Library. In association with the keyword “Bitcoin”, we found several articles in English. The range of the field was wide and spread. It began with the first publication about Bitcoin by Satoshi Nakamoto in the year 2008 (Nakamoto, 2008) and also involved the fields of Computer Science, Theoretical and Applied Economics, Public Policy as well as Finance. All relevant publications about Bitcoin (with respect to the keyword “Bitcoin”) were taken into consideration. All keywords with respect to other digital currencies (e.g. “digital currency”) with different schemes were excluded. In summary, there was no broad view about the benefit of using Bitcoin. But we collected interesting determinants of the digital currency Bitcoin. Therefore, we design a research model as well as an empirical study according to the results of the literature review. Based on the literature review and the categorization of the results, we found the six determinants (summarized results) in relation to the determinants of using Bitcoin (Table 2).

Table 2. Determinants

| Determinant | Short Description | References |
|---|---|---|
| Transaction velocity | transactions are near real-time | (Bamert, Decker, Elsen, Wattenhofer, & Welten, 2013; Barber et al., 2012; Singh, Chandavarkar, Arora, & Agrawal, 2013) |
| Acceptance | rising dissemination | (Decker & Wattenhofer, 2013; Glaser et al., 2014; Rogojanu & Badea, 2014) |
| | more than 22,000 merchants accept Bitcoin | (Van Alstyne, 2014) |
| | no (physical) trader presence needed | (Brito & Castillo, 2013; Rogojanu & Badea, 2014) |
| | products are cheaper if paid with bitcoins | (Brito & Castillo, 2013; Hurlburt & Bojanova, 2014; Rogojanu & Badea, 2014) |
| Decentrality | independent of central institutions and banks | (Bohr & Bashir, 2014; Glaser et al., 2014; Van Alstyne, 2014) |
| | no control by the government | (Bohr & Bashir, 2014; Rogojanu & Badea, 2014; Van Alstyne, 2014) |
| Usability | handling transactions (e.g. easy transfers, division of bitcoins) | (Bamert et al., 2013; Barber et al., 2012; Dev, 2014; Evans-Pughe, Novikov, & Vitaliev, 2014) |
| | immediately available for implementations (e.g. smartphones) | (Barber et al., 2012; Hurlburt & Bojanova, 2014) |
| | no third parties (e.g. intermediate agents) | (Alt & Puschmann, 2012; Reid & Harrigan, 2013) |
| Community | Bitcoin users are part of a community | (Glaser et al., 2014) |
| | only a designated group (e.g. internet users) is able to use Bitcoins | (Glaser et al., 2014; Rogojanu & Badea, 2014) |
| Safety | users have virtual pseudonyms (Bitcoin addresses) | (Androulaki, Karame, Roeschlin, Scherer, & Capkun, 2013; Jayasinghe, Markantonakis, & Mayes, 2014; Miers, Garman, Green, & Rubin, 2013; Reid & Harrigan, 2013; Sasson et al., 2014) |


Based on the literature, we found specific determinants that summarize the main characteristics of Bitcoin. The determinant “Transaction velocity” (Bamert et al., 2013; Barber et al., 2012; Singh et al., 2013) explains the fact that transactions are near real-time. Compared to traditional currencies, it is possible to transfer money in a digital world at a faster pace and with marginal transaction costs.

The term “Dissemination” (Brito & Castillo, 2013; Rogojanu & Badea, 2014; Van Alstyne, 2014) describes the rising spread of the digital currency Bitcoin, with more than 22,000 merchants accepting Bitcoin. Therefore, more and more users gain from the opportunity to pay with Bitcoin in thousands of shops worldwide. One of the main reasons for this phenomenon might be that products bought with Bitcoin can be offered for a much lower price. This stands in contrast to the traditional currencies and could be explained, for example, through savings in time, because the physical presence of a trader is not needed (Decker & Wattenhofer, 2013; Hurlburt & Bojanova, 2014).

Considering the determinant “Decentrality” (Glaser et al., 2014; Rogojanu & Badea, 2014; Van Alstyne, 2014), the digital currency Bitcoin is neither dependent on central or even financial institutions nor is it controlled by the government. Hence, the digital currency Bitcoin is not at risk of manipulation by institutions, governments and politicians (Gervais, Karame, Capkun, & Capkun, 2013; Sasson et al., 2014).

The determinant “Usability” (Barber et al., 2012; Reid & Harrigan, 2013) stands for at least three elementary factors. First, there is the handling of transactions. Bitcoin is relatively uncomplicated here because of its divisibility: Bitcoins can be divided into minimum units smaller than 1 Eurocent (Dev, 2014; Evans-Pughe et al., 2014). Second, digital money transfers are quite flexible. They are independent of the terminal device and can be done by e.g. smartphones, tablets, etc. everywhere and at any time (“BitPay,” 2015; Barber et al., 2012). Third, there are no intermediate agents like financiers when using Bitcoin as a digital currency (Alt & Puschmann, 2012; Reid & Harrigan, 2013).

For the explanation of the determinant “Community” (Glaser et al., 2014; Rogojanu & Badea, 2014), the psychology of group dynamics has to be understood (Alt & Puschmann, 2012). On the one hand, it is crucial for group members to be an equivalent part of a certain group. On the other hand, groups aim to be more powerful in a special area compared with others. In this context, it is, therefore, important for Bitcoin users to be part of a designated group of internet users, which is exclusively able to deal with digital currencies (Bohr & Bashir, 2014; Evans-Pughe et al., 2014; Glaser et al., 2014).

Finally, the determinant called “Safety” (Androulaki et al., 2013; Miers et al., 2013; Sasson et al., 2014) describes the circumstance that users of digital currencies like Bitcoin have virtual pseudonyms, meaning “Bitcoin addresses”. Consequently, the use of the digital currency Bitcoin is not anonymous, but pseudonymous. Third parties do not know about the user’s identity, but information about the usage is recorded and thus possible to backtrack (Jayasinghe et al., 2014; Reid & Harrigan, 2013).

We referred to the results and recommendations of prior research in our conducted empirical research. We investigated the impact of all the mentioned aspects on the benefits of using Bitcoin. In contrast to studies in the past, we include all of them in our research model in order to create a framework as effectively as possible. This approach seems beneficial for theory as well as practice because it shows the evidence of each single aspect and develops the unique influence. Therefore, the model shows not only implications as a starting point for future research but also recommendations for practical implementation and use.


4. RESEARCH DESIGN AND METHODS

The following section defines our research design and methods to explore the benefit of using Bitcoin. It depicts the design of the study, research methods, and data collection.

4.1. Design of the Study

In order to explore the benefit of using Bitcoin, a quantitative research study was realized. The design of the study is shown in Figure 1 and is developed in the following section. It is based on the literature review mentioned before (section 3). The authors identified six determinants that might influence the benefit of using Bitcoin (according to section 3).

Figure 1. Research model

First, we assume that users benefit from a fast transaction regarding the time needed to transfer money. With an electronic (financial) mechanism, the infrastructure of Bitcoin allows nearly real-time transactions, which might positively influence the benefit of using Bitcoin because of high time savings and low transaction costs (Bamert et al., 2013). Therefore, we postulated Hypothesis 1:

H1: A fast transaction positively influences the benefit of using Bitcoin.

There are crucial factors describing the high acceptance of Bitcoin. With an increasing number of merchants accepting Bitcoin and a widely distributed network of Bitcoin users, the dissemination of this digital money is rising (Brito & Castillo, 2013; Rogojanu & Badea, 2014). Furthermore, there is no need for a (physical) trader presence. Additionally, products can be bought at a lower price if they are paid with Bitcoin. This results in a higher user dissemination (Van Alstyne, 2014). Hence, we assume the following Hypothesis 2:

H2: A higher dissemination positively influences the benefit of using Bitcoin.

Third, studies showed admittedly that people value the possibility of central institutions and banks to intervene in recession or depression periods in order to harmonize fluctuations and to react against manipulations like counterfeit money (Benston & Kaufman, 1996; Richardson & Troost, 2006). In contradistinction to traditional currencies, the unregulated currency Bitcoin is neither dependent on central institutions and banks nor is it under government control, which “... greatly appeals to individuals who wish for a freely-traded currency not in control by any governments, banks, or authorities…” (Giaglis & Kypriotaki, 2014, p. 4; Virtual Currency Schemes, 2012). These circumstances lead to Hypothesis 3:

H3: A decentralized digital currency positively influences the benefit of using Bitcoin.

It can be assumed that users exploit the usability of Bitcoin regarding the opportunity to transfer money easily by smartphones, etc. without involving third parties like intermediate agents (Barber et al., 2012; Reid & Harrigan, 2013). This assumption results in Hypothesis 4:

H4: The usability positively influences the benefit of using Bitcoin.

Studies have shown that the bigger a community is, the higher is its influence on others (Glaser et al., 2014; Rogojanu & Badea, 2014). Thus, being part of a community, more specifically being part of a designated group, strongly influences the benefit of using Bitcoin. Therefore, Hypothesis 5 is formulated:

H5: A community-based currency positively influences the benefit of using Bitcoin.

In terms of security aspects, we expect that the possibility to use pseudonyms while trading with Bitcoins positively influences the benefit of using Bitcoin because of more privacy compared to real world trading transactions (Androulaki et al., 2013). This aspect results in Hypothesis 6:

H6: Safety positively influences the benefit of using Bitcoin.

For the investigation of the impact of the determinants specified above, the online-based responses of the participants ranged on a scale of one to five (1: very unimportant; 2: unimportant; 3: either... nor; 4: important; 5: very important) regarding specific items according to Table 4. All questions were designed according to general empirical study guidelines (Hewson, 2003) and are described in Table 4 as well as Table 5 in the appendix.

4.2. Research Methods and Data Collection

We conducted our quantitative research study via a web-based online survey in Germany. We followed general empirical research guidelines (Creswell, 2012; Greenlaw & Brown-Welty, 2009).


First of all, we tested our web questionnaire via a pre-test to ensure a good quality of the study. After improving the questionnaire based on the pre-test data and decisions, the study started in July 2014 and was finished in September 2014. Our questionnaire was implemented in the open source web platform LimeSurvey (“LimeSurvey,” 2011), and the pre-tested questions were implemented to ensure the quality of the survey. During three months a sample of about n=660 participants was collected. After cleaning the data, we obtained a sample of about n=534.

The respondents include a wide range of personal attributes. The age of the respondents ranges from 16 to 82 (mean age: 31). 34% female and 66% male persons answered our questionnaire. More than 90% of the persons use online financial systems (e.g. online banking) regularly and have been in contact with the Bitcoin topic (see Figure 2). Moreover, we asked our participants how they would use Bitcoin, with the 4 given answer options shown in Figure 3. As a result, 283 persons out of 534 (53%) stated that they would use the digital currency Bitcoin mainly privately rather than predominantly on business (4%), while almost one-third (33%) would never use Bitcoin. At least 55 people (9.7%) stated that they would use Bitcoin both privately and on business.

In the next step, structural equation modeling (SEM) (Chin, 1998; Hooper, Coughlan, & Mullen, 2008; Wong, 2013) was used to analyze our causal model (hypotheses). SEM (Hooper et al., 2008) can be defined as a method to analyze and evaluate the fit of a multivariate theoretical causal model with empirical data (Chin, 1998; Wong, 2013).

Figure 2. Usage of online financial systems


Figure 3. Bitcoin usage

We used a Partial Least Squares (PLS) (Wong, 2013) SEM approach because it is not as restrictive as other SEM approaches (e.g. AMOS) and focuses on analyzing the partial least squares. Therefore, we tested our PLS-SEM by using the software SmartPLS 3.1 (Ringle, Wende, & Will, 2005). Single item sets are allowed and often used in information systems research (Ringle, Sarstedt, & Straub, 2012). There is no need to calculate metrics like Cronbach’s Alpha for single item sets. For other item sets with more than one item, we calculated Cronbach’s Alpha for validating the scales (Ringle et al., 2012). Item sets with two items can also be validated with Cronbach’s Alpha (Bland, Altman, & others, 1997). Furthermore, significances are calculated via bootstrapping (Ringle et al., 2005).

5. RESULTS

After analyzing our data with structural equation modeling (SEM) to test the hypotheses by using SmartPLS 3.1 (Ringle et al., 2005), we got the following results (visualized in Figure 4).

According to Hypothesis 1 (A fast transaction positively influences the benefit of using Bitcoin.), the transaction velocity has a positive impact (+ 0.124) on the benefit of using Bitcoin. Therefore, the hypothesis can be confirmed. Based on this hypothesis, Bitcoin must process a transaction very quickly to be successful as well as beneficial for users.

Hypothesis 2 analyzes the influence of the dissemination of Bitcoin. After analyzing the data with structural equation modeling, Hypothesis 2 (A higher dissemination positively influences the benefit of using Bitcoin.) can be confirmed. According to our structural equation model (Figures 1 and 4), the dissemination even has the highest influence (+ 0.246) on the benefit of using Bitcoin. For users of this digital currency, the results show that paying at different places (e.g. bars, web shops) with Bitcoin is very important.


Regarding the fact that the digital currency Bitcoin is decentralized, our Hypothesis 3 (A decentralized digital currency positively influences the benefit of using Bitcoin.) tests this relation. Based on the sample data combined with our structural equation model, Hypothesis 3 can be confirmed because of a positive effect (+ 0.147). As a consequence, Bitcoin users greatly honor a freely-traded currency, which is not in control by any government, bank or authority.

The usability of Bitcoin can be seen as another very important aspect according to the reviewed literature. Unfortunately, our analysis of the influence of the usability on the benefit of using Bitcoin is not significant (see Table 3). Furthermore, the value of Cronbach’s Alpha is not as high as mentioned in the literature (0.4 < 0.7) (Santos, 1999). Therefore, Hypothesis 4 (The usability positively influences the benefit of using Bitcoin.) cannot be confirmed. Reasons for not confirming Hypothesis 4 might be difficulties in understanding the Bitcoin mining process (Dwyer, Hiltz, & Widmeyer, 2008). In addition to a less convenient handling, the Bitcoin mining process is said to be vulnerable, too (Karanasios, Cooper, Deng, Molla, & Pittayachawan, 2010).

If someone wants to be a user of Bitcoin, he or she must be a member of the community. Our Hypothesis 5 tried to explain the effect of the community aspects on the benefit of using Bitcoin. According to our data, communities are relevant aspects of Bitcoin (+ 0.093). Based on this, Hypothesis 5 (A community-based currency positively influences the benefit of using Bitcoin.) can be confirmed. Hence, users benefit from Bitcoin by being part of a designated group of internet users who are solely able to deal with digital currencies (Glaser et al., 2014; Rogojanu & Badea, 2014). As a result, the bigger (i.e. stronger) the Bitcoin community is, the higher its influence on others and the higher the benefit of using Bitcoin.

Figure 4. Structural equation model with coefficients


Hypothesis 6 (Safety positively influences the benefit of using Bitcoin.) can be confirmed based on our structural equation model, too. Pseudonymity in terms of security aspects is consequently very important for users trading with Bitcoin in the digital world (+ 0.164) because of more trading privacy compared to real world transactions (Androulaki et al., 2013).

The important values of the SEM (Figure 4) are all summarized in Table 3 and Table 4. The coefficient of determination (R²) is also in a satisfying range (0.242 > 0.19) according to the literature (Chin, 1998), as is the composite reliability (>0.70). For single item sets (in this paper: transaction velocity and safety) there is no need to calculate metrics like Cronbach’s Alpha (Ringle et al., 2012). Additional material (e.g. questions) of the study can be found in the appendix of the paper.

Table 3. SEM coefficient

| Path | Path Coefficient | Significance (P Values) |
|---|---|---|
| Transaction velocity → Benefit of using Bitcoin | 0.124 | 0.007 |
| Dissemination → Benefit of using Bitcoin | 0.246 | 0.000 |
| Decentrality → Benefit of using Bitcoin | 0.147 | 0.002 |
| Usability → Benefit of using Bitcoin | 0.058 | 0.193 |
| Community → Benefit of using Bitcoin | 0.093 | 0.042 |
| Safety → Benefit of using Bitcoin | 0.164 | 0.000 |

Table 4. Cronbach’s-Alpha and items; *rounded

| Item set (question) | Cronbach’s Alpha* |
|---|---|
| Transaction velocity (How important is velocity regarding transactions with a digital currency?) | (1 item) |
| Dissemination (How important are the following criteria regarding Bitcoin: number of users, number of merchants, no needed (physical) trader presence, buying power?) | 0.7 (4 items) |
| Decentrality (How important are the following criteria regarding Bitcoin: independency of central institutions, state control?) | 0.8 (2 items) |
| Usability (How important are the following criteria regarding Bitcoin: ease of handling, mobility, service?) | 0.4 (3 items) |
| Community (How important are the following criteria regarding Bitcoin: being part of a community, group behavior?) | 0.8 (2 items) |
| Safety (How important is it to be pseudonym when trading with a digital currency?) | (1 item) |
| Use of Bitcoin (For how important do you value the use of Bitcoin and the use of digital currencies in general?) | 0.8 (2 items) |


6. CONCLUSION

Our paper explores different aspects of the benefit of using Bitcoin. Dissemination as well as safety are important impact factors for users regarding the benefit of using Bitcoin. Increasing daily transactions are important for a growing (shop) acceptance. Also important is a network for Bitcoin and its increasing standing (Van Alstyne, 2014). Furthermore, decentralization and the velocity of a transaction are important for the user of a digital currency (Bitcoin).

Our study can help academics to understand some core aspects of the use and benefits of Bitcoin. Further, it can be helpful with regard to a development and combination with other economics as well as information system concepts. We contribute to the literature by showing how the benefit of using Bitcoin is influenced. Researchers can profit from the identified influence factors in different ways. For instance, they can validate them. An investigation of other digital currencies like AuroraCoin, Litecoin, etc. could also be interesting. The aspects which have a significant influence on Bitcoin could be transferred to these different but similar currencies. Maybe there are differences between them which are not immediately recognizable. Therefore, future research should provide some further insights and put the results of the conducted study in a more common context. Furthermore, the influence factors can be used to examine user behavior in the context of digital currencies.

Practical users can benefit from this study for developing or improving current or new digital currencies. The mentioned aspects, which are all significant, can help to fulfill the requirements users impose on a digital currency. This could be a beneficial approach not only to enhance the benefit of using digital currencies (e.g. Bitcoin), but also to improve the benefit and consequently hold a competitive market position. Furthermore, the users (e.g. online stores, retailers, or personal users) can evaluate Bitcoin for their individual use and compare the important influence factors with their own preferences. According to aspects of distributed organization, not all argumentations of the literature can be confirmed in an empirical case.

However, there are some limitations to discuss. First, our study was based only on a German-speaking sample. The aspects may differ in other countries (e.g. US and BRIC states). Furthermore, Bitcoin is not used by all of the people we asked. Therefore, the answers might be different after the respondent has used some of the digital currency. Hence, most factors are not as strong as expected in the literature. A deeper insight into the personal preferences of Bitcoin users cannot be reached via a quantitative study (cf. qualitative research methods).

Therefore, future research should investigate cultural differences as well as differences to other digital currencies in order to enlarge our study. Furthermore, qualitative insights into the use of Bitcoin would also be a good opportunity for future research. Therefore, future research should investigate deeper insights into personal preferences of the use of Bitcoin by using a qualitative research approach (e.g. interviews). Future research can further enlarge the sample of different countries and can explore cross-cultural aspects as well as differences in this study (e.g. in the next decade). Furthermore, analysis of current Bitcoin transactions with methods of Big Data can be applied (Zikopoulos & Eaton, 2011; Schmidt et al., 2014). Other qualitative research methods to investigate user behavior of Bitcoins can also be a good opportunity for future research.


REFERENCES

Alt, R., & Puschmann, T. (2012). The rise of customer-oriented banking-electronic markets are paving the way for change in the financial industry. Electronic Markets, 22(4), 203–215. doi:10.1007/s12525-012-0106-2

Androulaki, E., Karame, G. O., Roeschlin, M., Scherer, T., & Capkun, S. (2013). Evaluating user privacy in bitcoin. In Financial Cryptography and Data Security (pp. 34–51). Springer. doi:10.1007/978-3-642-39884-1_4

Bamert, T., Decker, C., Elsen, L., Wattenhofer, R., & Welten, S. (2013). Have a snack, pay with bitcoins. Proceedings of the 2013 IEEE Thirteenth International Conference on Peer-to-Peer Computing (P2P) (pp. 1–5). IEEE. doi:10.1109/P2P.2013.6688717

Barber, S., Boyen, X., Shi, E., & Uzun, E. (2012). Bitter to better—how to make bitcoin a better currency. In Financial Cryptography and Data Security (pp. 399–414). Springer. doi:10.1007/978-3-642-32946-3_29

Benston, G. J., & Kaufman, G. G. (1996). The appropriate role of bank regulation. The Economic Journal, 106(436), 688–697. doi:10.2307/2235577

BitPay. (2015). Accept Bitcoin. Retrieved from https://bitpay.com/

Bland, J. M., Altman, D. G., & ... (1997). Statistics notes: Cronbach’s alpha. BMJ (Clinical Research Ed.), 314(7080), 572. doi:10.1136/bmj.314.7080.572 PMID:9055718

Bohr, J., & Bashir, M. (2014). Who Uses Bitcoin? An exploration of the Bitcoin community. Proceedings of the 2014 Twelfth Annual International Conference on Privacy, Security and Trust (PST) (pp. 94–101). IEEE. doi:10.1109/PST.2014.6890928

Brito, J., & Castillo, A. (2013). Bitcoin: A primer for policymakers. Mercatus Center at George Mason University.

Chin, W. W. (1998). The partial least squares approach to structural equation modeling. Modern Methods for Business Research, 295(2), 295–336.

Coinbase. (2015). Accept Bitcoin Payments. Retrieved from https://www.coinbase.com/merchants?locale=en

Computing Research & Education. (2015). Conference Rankings. Retrieved from http://www.core.edu.au/index.php/conference-rankings

Cooper, H. M. (1998). Synthesizing research: A guide for literature reviews (Vol. 2). Sage.

Creswell, J. W. (2012). Qualitative inquiry and research design: Choosing among five approaches. Sage (Atlanta, Ga.).

Decker, C., & Wattenhofer, R. (2013). Information propagation in the Bitcoin network. Proceedings of the 2013 IEEE Thirteenth International Conference on Peer-to-Peer Computing (P2P) (pp. 1–10). IEEE. doi:10.1109/P2P.2013.6688704

Dev, J. A. (2014). Bitcoin mining acceleration and performance quantification. Proceedings of the 2014 IEEE 27th Canadian Conference on Electrical and Computer Engineering (CCECE) (pp. 1–6). IEEE. doi:10.1109/CCECE.2014.6900989

Dupont, J., & Squicciarini, A. C. (2015). Toward De-Anonymizing Bitcoin by Mapping Users Location. Proceedings of the 5th ACM Conference on Data and Application Security and Privacy (pp. 139–141). ACM. Retrieved from http://dl.acm.org/citation.cfm?id=2699128 doi:10.1145/2699026.2699128

Dwyer, C., Hiltz, S. R., & Widmeyer, G. (2008). Understanding Development and Usage of Social Networking Sites: The Social Software Performance Model. Proceedings of the 41st Annual Hawaii International Conference on System Sciences (p. 292). http://doi.org/10.1109/HICSS.2008.476

El-Erian, M. A. (2014, April 22). The Democratic Disruption of Finance. Retrieved from http://www.project-syndicate.org/commentary/mohamed-a--el-erian-compares-nascent-innovations-in-the-financial-sector-to-those-that-have-transformed-media

European Central Bank. (2012). Virtual Currency Schemes. Retrieved from http://www.ecb.europa.eu/pub/pdf/other/virtualcurrencyschemes201210en.pdf

Evans-Pughe, C., Novikov, A., & Vitaliev, V. (2014). To bit or not to bit? [Bitcoin cryptocurrency]. Engineering & Technology, 9(4), 82–85. doi:10.1049/et.2014.0411

Fall, K. R., & Stevens, W. R. (2011). TCP/IP illustrated, volume 1: The protocols. Addison-Wesley.

Gervais, A., Karame, G., Capkun, S., & Capkun, V. (2013). Is Bitcoin a decentralized currency? IACR Cryptology ePrint Archive.

Giaglis, G. M., & Kypriotaki, K. N. (2014). Towards an Agenda for Information Systems Research on Digital Currencies and Bitcoin. Proceedings of the Business Information Systems Workshops (pp. 3–13). Springer. doi:10.1007/978-3-319-11460-6_1

Glaser, F., Zimmermann, K., Haferkorn, M., Weber, M. C., & Siering, M. (2014). Bitcoin-Asset or Currency? Revealing Users’ Hidden Intentions. ECIS.

Greenlaw, C., & Brown-Welty, S. (2009). A comparison of web-based and paper-based survey methods testing assumptions of survey mode and response cost. Evaluation Review, 33(5), 464–480. doi:10.1177/0193841X09340214 PMID:19605623

Hewson, C. (2003). Internet research methods: A practical guide for the social and behavioural sciences. Sage (Atlanta, Ga.).

Hileman, G. (2014, February 12). Buying into Bitcoin. Retrieved from http://www.project-syndicate.org/commentary/garrick-hileman-highlights-bitcoin-s-potential-to-drive-financial-sector-innovation-and-reform

Hooper, D., Coughlan, J., & Mullen, M. (2008). Structural equation modelling: guidelines for determining model fit. Articles, 2.

Hurlburt, G. F., & Bojanova, I. (2014). Bitcoin: Benefit or Curse? IT Professional, 16(3), 10–15. doi:10.1109/MITP.2014.28

ITU. (2015). Country classifications. Retrieved from http://www.itu.int/en/ITU-D/Statistics/Pages/definitions/regions.aspx

Jayasinghe, D., Markantonakis, K., & Mayes, K. (2014). Optimistic Fair-Exchange with Anonymity for Bitcoin Users. Proceedings of the 2014 IEEE 11th International Conference on e-Business Engineering (ICEBE) (pp. 44–51). IEEE. doi:10.1109/ICEBE.2014.20

Karame, G. O., Androulaki, E., & Capkun, S. (2012). Double-spending fast payments in bitcoin. Proceedings of the 2012 ACM conference on Computer and communications security (pp. 906–917). ACM. Retrieved from http://dl.acm.org/citation.cfm?id=2382292

Karanasios, S., Cooper, V., Deng, H., Molla, A., & Pittayachawan, S. (2010). Antecedents to Greening Data Centres: A conceptual framework and exploratory case study.

Krugman, P. (2013). Bitcoin is evil. New York Times.

LimeSurvey. (2011, April 24). Survey Tool [Software]. Retrieved from http://www.limesurvey.org/de/start

Meiklejohn, S., Pomarole, M., Jordan, G., Levchenko, K., McCoy, D., Voelker, G. M., & Savage, S. (2013). A fistful of bitcoins: characterizing payments among men with no names. Proceedings of the 2013 conference on Internet measurement conference (pp. 127–140). ACM. Retrieved from http://dl.acm.org/citation.cfm?id=2504747 doi:10.1145/2504730.2504747

Miers, I., Garman, C., Green, M., & Rubin, A. D. (2013). Zerocoin: Anonymous distributed e-cash from bitcoin. Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP) (pp. 397–411). IEEE.

Nakamoto, S. (2008). Bitcoin: A peer-to-peer electronic cash system. Consulted, 1(2012), 28.

Reid, F., & Harrigan, M. (2013). An analysis of anonymity in the bitcoin system. Springer. doi:10.1007/978-1-4614-4139-7_10

Richardson, G., & Troost, W. (2006). Monetary intervention mitigated banking panics during the Great Depression: Quasi-experimental evidence from the Federal Reserve district border in Mississippi, 1929 to 1933. National Bureau of Economic Research. Retrieved from http://www.nber.org/papers/w12591

Ringle, C. M., Sarstedt, M., & Straub, D. (2012). A critical look at the use of PLS-SEM in MIS Quarterly. Management Information Systems Quarterly, 36(1).

Ringle, C. M., Wende, S., & Will, A. (2005). SmartPLS 2.0 (beta). Hamburg, Germany.

Rogojanu, A., & Badea, L. (2014). The issue of competing currencies. Case study–Bitcoin. Theoretical and Applied Economics, 21(1), 103–114.

Santos, J. R. A. (1999). Cronbach’s alpha: A tool for assessing the reliability of scales. Journal of Extension, 37(2), 1–5.

Sasson, E. B., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E., & Virza, M. (2014). Zerocash: Decentralized anonymous payments from Bitcoin. Proceedings of the 2014 IEEE Symposium on Security and Privacy (SP) (pp. 459–474). IEEE.

Schmidt, R., Möhring, M., Maier, S., Pietsch, J., & Härting, R. C. (2014, May). Big data as strategic enabler-insights from central european enterprises. In International Conference on Business Information Systems (pp. 50-60). Springer International Publishing. doi:10.1007/978-3-319-06695-0_5

Sheng, A. (2014, August 14). The Coming CLASS War. Retrieved from http://www.project-syndicate.org/commentary/andrew-sheng-argues-that-cyberspace--land--air--sea--and-space-now-define-the-basis-of-global-conflict

Singh, P., Chandavarkar, B. R., Arora, S., & Agrawal, N. (2013). Performance Comparison of Executing Fast Transactions in Bitcoin Network Using Verifiable Code Execution. Proceedings of the 2013 2nd International Conference on Advanced Computing, Networking and Security (ADCONS) (pp. 193–198). IEEE.

Spohrer, J. (2007, January). Steps Toward a Science of Service Systems. Retrieved from http://csdl2.computer.org/persagen/DLAbsToc.jsp?resourcePath=/dl/mags/co/&toc=comp/mags/co/2007/01/r1toc.xml&DOI=10.1109/MC.2007.33

Van Alstyne, M. (2014). Why Bitcoin has value. Communications of the ACM, 57(5), 30–32. doi:10.1145/2594288

Wong, K. K.-K. (2013). Partial Least Squares Structural Equation Modeling (PLS-SEM) Techniques Using SmartPLS. Marketing Bulletin, 24, 1–32.

Zikopoulos, P., & Eaton, C. (2011). Understanding big data: Analytics for enterprise class hadoop and streaming data. McGraw-Hill Osborne Media.

This research was previously published in the International Journal of Service Science, Management, Engineering, and Technology (IJSSMET), 7(4); edited by Ahmad Taher Azar and Ghazy Assassa, pages 48-62, copyright year 2016 by IGI Publishing (an imprint of IGI Global).


APPENDIX

The following section contains additional materials (e.g. quality metrics) of the data analysis performed.

Table 5. Questions of the study

| Item set | Question |
|---|---|
| Transaction velocity | How important are fast transactions regarding the use of Bitcoin? |
| Dissemination | How important is the increasing number of merchants accepting Bitcoin regarding the use of Bitcoin? |
| | How important is a high number of users regarding the use of Bitcoin? |
| | How important are cheaper prices due to lower transaction fees regarding the use of Bitcoin? |
| | How important is the benefit compared to other currencies regarding the use of Bitcoin? |
| Decentrality | How important is the independency of Bitcoin to central institutions regarding the use of Bitcoin? |
| | How important is the independency of Bitcoin to state controls regarding the use of Bitcoin? |
| Usability | How important is it to pay almost everywhere regarding the use of Bitcoin? |
| | How important is mobility regarding the use of Bitcoin? |
| | How important is internet access regarding the use of Bitcoin? |
| Community | How important is being part of a community regarding the use of Bitcoin? |
| | How important is it that only group members can use Bitcoin regarding the use of Bitcoin? |
| Safety | How important is it to be pseudonym when trading Bitcoins regarding the use of Bitcoin? |
| Use of Bitcoin | For how important do you value the use of Bitcoin? |
| | For how important do you value the use of digital currencies? |
| General information | How old are you? |
| | What is your gender? |
| | How often do you use online financial systems? |
| | How would you use Bitcoin? |


Chapter 3

Bitcoin for E-Commerce: Principles and Applications

Xunhua Wang
James Madison University, USA

Brett Tjaden
James Madison University, USA

M. Hossain Heydari
James Madison University, USA

INTRODUCTION

Amateurs study cryptography; professionals study economics
− Allan Schiffman, 2 July 2004

Few people took note on January 8th, 2009, when an email (see Figure 1) was sent to the cryptography mailing list to announce the first release of a new electronic cash system, called Bitcoin (Nakamoto, 2008). About four and a half years later, when Ross William Ulbricht was arrested in October 2013 for allegedly running the online black market Silk Road, where Bitcoin was adopted as the payment system (Grossman & Newton-Small, 2013), Bitcoin was already well known, if not widely used. Today Bitcoin is traded on exchange markets for several hundred dollars per coin unit, and merchants such as Amazon, eBay, and Target now accept bitcoin payments.

So, what is Bitcoin? How does it work? Why do people accept it? What is its future? How will it affect electronic commerce? Despite significant media coverage of Bitcoin (Goodman, 2014; Andreessen, 2014; Grossman & Newton-Small, 2013) and quick adoption of Bitcoin by an increasing number of merchants, the complex technical details of Bitcoin remain elusive to both the general public and many professionals. This chapter aims to answer all these questions in a straightforward manner.

DOI: 10.4018/978-1-5225-6201-6.ch003

Copyright © 2019, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

 Bitcoin for E-Commerce

Figure 1. The 2009 email announcing Bitcoin v0.1

Commodity Cash and Fiat Cash: Double Spending and Anonymity

The history of cash can be dated back to the 7th century BC, if not earlier, when Lydia used the first standardized metal coins (Surowiecki, 2012; Davies, 2002). Before that, two persons conducted trades through bartering, when each side had what the other wanted and the values of the goods were considered equivalent (Acton & O’Grady, 2007). Cash was invented to make trading easier by allowing merchants to defer consumption (i.e., one’s selling and buying do not have to happen simultaneously) and measure the values of different goods (Surowiecki, 2012). Essentially, cash serves as a medium of exchange. In addition to coins, other scarce items such as silver jewelry were also used as cash. These kinds of physical goods-based cash are commodity money.

Later, paper bills were introduced by Venetian merchants around the 12th century in the west and by Kublai Khan throughout China in around the 13th century (Surowiecki, 2012). Unlike commodity money based on scarce goods, paper bills can be created cheaply and in abundance, but this runs the risk of overprinting, which causes inflation and devalues the currency. As a result, to get widely accepted, paper bills are often supported by governments. At one time, paper bills were backed by gold held by central banks, and could be exchanged for a specific amount of gold. This is no longer the case with most national currencies, which are called fiat money since they have value only because a certain government decrees that they do.

Two points deserve more attention. First, commodity money is inherently hard to forge, due to the inherent value of the goods used for money (such as silver), and easy-to-forge goods do not make for good commodity money. As a result, commodity money is naturally immune to double spending: after Alice has spent her commodity money, she does not have it anymore and cannot double spend it. In contrast, paper bills do not have this inherent characteristic and could be forged if not properly designed. To make it hard to clone/forge paper bills, many security features have been used in their printing, such as special paper, an enlarged off-center portrait, watermark, fine-line printing patterns, color-shifting ink, security thread, and micro-printing. These security features can be easily verified, either with the naked eye, a magnifier, or a special pen. It is worth noting that these existing security features on paper bills are not foolproof and government mints keep introducing new designs and features (such as those in the new $20 bill) against more advanced counterfeiting technologies.

An even less noticeable property of commodity money and fiat money is that they are hard to trace. Commodity money is naturally hard to trace because there is no trusted third party for tracking. Fiat cash does have a trusted third party, namely the issuer, but since cash does not directly flow back to the bank after it is spent, tracking is hard too. For example, Alice may withdraw a dollar bill, with a unique serial number on it, from her bank account and then give it to Bob for a can of soda. Later, Bob may spend this bill at another vendor. As long as the bill does not go back to the bank immediately, it will be hard for the bank to trace how Alice has spent the money and trace where Alice has been. In other words, paper bills have the property of anonymity, which is an essential building block for privacy and democracy. (Admittedly, anonymity has a dark side, as it makes money-laundering possible for criminals.)

Carrying a lot of paper bills runs the risk of robbery, and paper bills also have the drawback of requiring exact change in a transaction. The advent of personal and business cheques can alleviate the latter, as any exact dollar amount can be put on a cheque, but this convenience comes at the expense of anonymity, as cheques are linked to a bank account and can be easily traced. Another way to avoid paper bills is to use credit cards and debit cards, which first appeared in the 1950s (Surowiecki, 2012) and are now very popular. Plastic credit/debit cards store information about a user’s account at the issuing financial institution and this information can be verified, often in real time through communication with the issuing bank, by merchants when a purchase is made. However, like checks, credit/debit card transactions can be easily traced through the issuing financial institution and thus, compared to paper bills, anonymity is lost.

Electronic Cash: Trusted Third Party, Anonymity, and Failed Efforts

Our society has grown increasingly digitalized (Isaacson, 2014) and the fast and automatic generation, processing, and distribution of digital photos, text, financial and personal documents have brought us great convenience and significantly enriched our lives. To catch up with this trend, various kinds of electronic cash schemes, also called digital cash and electronic money, have been developed (Chaum, 1982, 1985, 1988). As shown in Table 1, these electronic cash schemes can be categorized in terms of whether a trusted third party (TTP) is used and whether anonymity is a design goal.

It is a challenging task to design an anonymous electronic cash scheme for two reasons. First, unlike physical objects (such as paper bills with security features) that are hard to forge, digital data can be easily copied in a perfect manner and there is no difference between the original and a copy. This makes electronic cash intrinsically vulnerable to double spending. Second, unlike our physical society that is mechanical and often requires human intervention, the digital world can be made fully automated and so is digital tracking (Orwell, 2001). Anonymity for an electronic cash system is therefore challenging, but important.

Table 1. Electronic cash: A summary

               | With TTP                           | Without TTP
No anonymity   | Digital credit/debit cards, PayPal |
With anonymity | Chaum’s scheme (online, offline)   | BitCoin


The study of TTP-based anonymous electronic cash actually predated the advent of the world-wide web, and, as early as 1982 (Chaum, 1982), David Chaum developed the concept of electronic cash that is both anonymous and free from double spending. In this design, user Alice’s electronic cash is a digital money order digitally signed by a bank (i.e., the trusted third party). For example, one money order might contain “This is $1000. In God We Trust; ce1c3c356ca48d164ce68f01c44328de.” Another might contain “This is $1000. In God We Trust; b899ee492932b472531bf9991b934cac.” The random-looking parts are 16 random bytes serving as unique serial numbers. A digital money order is not authentic if not digitally signed by the bank. (If the reader is not familiar with digital signature, we will cover the concept in Section 1.2.2 shortly.)

This digital signing process is blinded in that the bank does not know the serial number of the money order it is digitally signing, but the bank checks to make sure that this is a $1000 note. (This may sound self-contradictory but can actually be done. In the signing process, Alice prepares 5000 such digital money orders, all in $1000 but each with a 16-byte random string, seals them, and presents them to the bank. The bank randomly picks 4999 of them and asks Alice to open these. The bank checks to make sure all of these opened bank notes indeed have a value of $1000. If not, the bank quits. Otherwise, the bank has reason to believe that the last unopened note has $1000 value too and will digitally sign it. Thus the bank does not know the serial number of the money order it is signing but it is confident about its value. In the above description, 5000 is not a particular value and can be adjusted for different security levels.) This blinding factor allows Alice to spend the electronic money later in an anonymous manner and nobody can trace the money order back to her.

When Alice spends this electronic cash at a merchant for some goods, the merchant can verify its legitimacy by checking the bank’s digital signature and will present the money order to the bank for deposit. The bank maintains a database of serial numbers of spent cash and any double spending can be detected. This basic scheme can be further refined with more desirable properties (Chaum, Fiat, & Naor, 1988; Chaum, 1989; Chaum, den Boer, van Heyst, Mjølsnes, & Steenbeek, 1989; van Antwerpen, 1990; Hayes, 1990; Chaum & Pedersen, 1992; Hirschfeld, 1993; Youm, Lee, & Rhee, 1993; Lim & Lee, 1993), such as when Alice tries to double-spend her electronic cash, her identity will be revealed to law enforcement. In this scheme, the bank is essential in creating electronic cash and in checking double spending.

As shown in Table 1, another form of digital payment is digital credit and debit card-based transactions, in which credit/debit card numbers, instead of the physical cards, are used. A similar electronic payment system is PayPal, in which PayPal acts as a trusted third party and mediates the payment. As described earlier, neither electronic credit/debit card-based transactions nor PayPal achieves anonymity, as the third party can identify the principals involved in every transaction.

Both credit/debit cards and PayPal have become very successful electronic payment systems. Unfortunately, the anonymous electronic cash system DigiCash (web.archive.org, 2015), based on Chaum’s invention of blind digital signature (Chaum, 1982, 1985, 1988), never took off. Almost all other types of Internet-based payment systems such as Flooz, Beenz, CyberCash, BitPass (Wikipedia, 2015), B-money, and Peppercoin (R. L. Rivest & Micali, 2002) suffered the same fate. That is, before Bitcoin, no anonymous electronic payment systems really gained momentum (Barber, Boyen, Shi, & Uzun, 2012). Thus, Bitcoin is a unique electronic payment system that achieves anonymity, prevents double-spending, and is increasingly accepted by the public.

The remainder of this chapter is organized as follows. We will first review the technical building blocks of Bitcoin, including the cryptographic hash functions SHA-256 and RIPEMD-160 and the digital signature scheme ECDSA. Next, we shall discuss Bitcoin’s no-TTP design principle and focus on its technical details, including how Bitcoins are created (which is called Bitcoin mining in the community) and spent (that is, transferred from one party to another), how anonymity is achieved, and how double-spending is prevented. In this chapter, the operational details of Bitcoin from a user’s perspective will also be discussed, including how to purchase Bitcoin with fiat currency and how to manage Bitcoin wallets. The future of Bitcoin and its potential nefarious applications (including several highly publicized real-world examples) will also be discussed. This chapter will conclude with a summary and some further reading items.
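The withdrawal and deposit steps of Chaum's scheme described earlier in this section, as an added Python sketch that is not code from the chapter. The chapter does not say how money orders are sealed, so textbook RSA blinding with a constructed toy bank key is assumed here, and all function and class names are hypothetical.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the bank (two Mersenne primes): illustration only.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # bank's private exponent


def digest(order: str) -> int:
    """Map a money order to an integer below N (assumed encoding)."""
    return int.from_bytes(hashlib.sha256(order.encode()).digest(), "big") % N


def make_order(amount: int) -> str:
    serial = secrets.token_bytes(16).hex()          # 16 random bytes, as in the text
    return f"This is ${amount}. In God We Trust; {serial}"


def seal(order: str):
    """Alice blinds an order; returns (sealed value, blinding factor r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return digest(order) * pow(r, E, N) % N, r


class Bank:
    def __init__(self):
        self.spent = set()                          # serial numbers already deposited

    def blind_sign(self, sealed, opener, amount, keep=None):
        """Cut-and-choose: open every sealed order except one, then sign that one."""
        keep = secrets.randbelow(len(sealed)) if keep is None else keep
        for i, value in enumerate(sealed):
            if i == keep:
                continue
            order, r = opener(i)                    # Alice reveals order i and its r
            if value != digest(order) * pow(r, E, N) % N:
                return None                         # opening does not match the seal
            if not order.startswith(f"This is ${amount}. "):
                return None                         # wrong amount: the bank quits
        return keep, pow(sealed[keep], D, N)        # signature on the unopened order

    def deposit(self, order, signature):
        """Merchant deposit: check the bank's signature, then the spent-serial database."""
        if pow(signature, E, N) != digest(order):
            return "invalid signature"
        serial = order.rsplit("; ", 1)[1]
        if serial in self.spent:
            return "double spend"
        self.spent.add(serial)
        return "accepted"


def withdraw(bank, amount, orders, keep=None):
    """Alice's side: seal all orders, answer the bank's openings, unblind the result."""
    sealed_with_r = [seal(o) for o in orders]
    sealed = [s for s, _ in sealed_with_r]
    result = bank.blind_sign(
        sealed, lambda i: (orders[i], sealed_with_r[i][1]), amount, keep)
    if result is None:
        return None
    k, blind_sig = result
    signature = blind_sig * pow(sealed_with_r[k][1], -1, N) % N   # divide out r
    return orders[k], signature, sealed[k]


if __name__ == "__main__":
    bank = Bank()
    order, sig, _ = withdraw(bank, 1000, [make_order(1000) for _ in range(8)])
    print(bank.deposit(order, sig), "/", bank.deposit(order, sig))
```

The bank only ever sees the sealed value of the order it signs, yet the unblinded signature verifies against the plain order at deposit time, which is what lets the spent-serial database catch a second deposit without linking it to the withdrawal.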

BITCOIN BUILDING BLOCKS

Bitcoin has two technical building blocks, namely cryptographic hash functions and digital signatures. In this section, we will cover these concepts without assuming any prior knowledge of these topics on the part of the reader.

Cryptographic Hash Function

A hash function is a compression function that maps an arbitrarily long (for example 4096 bits) input string to a shorter, often fixed-sized, output (for example, a 256-bit string), which is called the hash value. An example hash function is the modulo 100 operation; given an integer of any size, applying the modulo 100 function always results in an integer between 0 and 99, inclusive. Since a hash function maps a big space to a smaller one, it is inevitable that there are some distinct inputs being mapped to the same hash value; such an input pair is called a collision. In the example of modulo 100, 101 and 201 have the same hash value 1 and thus cause a collision.

A cryptographic hash function h is a hash function with two additional properties. First, h must be one way, in the sense that given a hash value y, it is hard to find an input x which is mapped to y. When y is a valid hash value, there must be at least one input mapped to y. Thus one-wayness is a computational concept and the hardness depends on an adversary’s computation power. Second, h must be collision-resistant, in the sense that it is very hard to find any two distinct inputs mapped to the same hash value. Since collisions are inevitable for cryptographic hash functions, the concept of collision resistance is also computational and its hardness depends on the computational power of an attacker.

Over the years, several cryptographic hash functions have been developed, including SHA-256 (National Institute of Standards and Technology, 2012) and RIPEMD-160 (Dobbertin, Bosselaers, & Preneel, 1996; Mendel, Pramstaller, Rechberger, & Rijmen, 2006). SHA-256 takes a variable-sized input and generates an output of 256 bits. RIPEMD-160 takes a variable-sized input and generates an output of 160 bits. Both are currently considered secure.

For both SHA-256 and RIPEMD-160, it is considered hard to determine the exact impact of a few specific bits of the input on a specific bit of the hash value. In other words, bits of the hash value can be considered random, even though they are deterministically generated. As a result, one may not be able to do better than selecting inputs purely at random when trying to generate hash values with some specific properties (such as the first 70 bits of the hash value being all zeros).


As an example, on an Ubuntu Linux box, type in

    echo -n mystring | sha256sum | awk '{print $1}'

and it will return the SHA-256 hash value of “mystring”, which is bd3ff47540b31e62d4ca6b07794e5a886b0f655fc322730f26ecd65cc7dd5c90. Change “mystring” to “mystring2” and you should get a very different 256-bit hash, d5e43c11f3ee1d44aab5469c5816bc81c7a1e557bf606f8352054102a70017ad.

Digital Signature and ECDSA

In our physical society, when Alice needs to commit to a serious commercial transaction such as a rental agreement or a contract, she needs to manually sign the document. If a dispute takes place in the future, Bob can bring Alice’s signed document to a judge (for example, Dave), a third party who can verify Alice’s signature. The concept of signature in the digital world, called digital signature, was first developed in the public domain in 1976 (Diffie & Hellman, 1976) and is depicted in Figure 2. Digital signature is implemented with public key cryptography (Diffie & Hellman, 1976; R. Rivest, Shamir, & Adleman, 1978).

Figure 2. Digital signature

In Figure 2, Alice needs to digitally sign a document. She first generates a public and private key pair, each of which is a bit string. Alice needs to keep her private key (the one in a rectangle and with cuts facing upward in Figure 2) confidential while publishing her public key (the one with cuts facing downward in Figure 2). Bob and other people like Dave can get an authentic copy of Alice’s public key. To digitally sign a document m (in Figure 2, m is “Dear Bob Sell 20 shares of my IBM stock”), Alice will apply her private key to m with a digital signature algorithm and the output is a digitally signed document. This signed document is then sent to Bob over a public channel, which an attacker Eve has access to; Eve may modify the document, its signature, or both. After receiving the signed document, Bob will apply to it Alice’s public key, with a signature verification algorithm, and the output is a simple “yes” or “no.” “Yes” means that the document is indeed digitally signed by Alice and has not been modified since. “No” means that either the document, the signature, or both have been modified, the signature is not valid, and Bob will reject it. As shown in Figure 2, any third party (for example, a judge who is arbitrating a dispute between Alice and Bob) who has a copy of Alice’s public key can verify Alice’s digital signature as well.

In Figure 2, only Alice knows her private key and only she can generate a valid digital signature in her name. No other people, including Bob, Eve, or Dave, can forge a signed document in Alice’s name. Since Alice’s digital signature is universally verifiable, once she digitally signs m, Alice cannot deny that she has digitally signed it. Also, Alice’s digital signature is calculated on message m and is message-dependent. This signature value will not be valid with a different message m’ (for example, m’ is just one bit different from m). All these properties show that digital signature can potentially be used for non-repudiation.

Over the years, several digital signature schemes have been developed, including the RSA digital signature (R. Rivest et al., 1978; RSA Laboratories, 1999), the digital signature algorithm (DSA) (National Institute of Standards and Technology, 2013), and the elliptic-curve DSA (ECDSA) (National Institute of Standards and Technology, 2013). Some of these algorithms, such as DSA and ECDSA, need some system-wide parameters and there are many such recommendations, including those in National Institute of Standards and Technology (2013) and Certicom Research (2010). The latter has a parameter recommendation called the secp256k1 curve. With these general concepts, and with no specific details of ECDSA, we are now ready to understand the working of the Bitcoin electronic cash system.

BITCOIN: TECHNICAL DETAILS

Instead of relying on a trusted third party to create electronic money and check double spending, Bitcoin is based on distributed trust over a peer-to-peer network consisting of many network nodes. There is no centralized trusted third party (TTP) in Bitcoin. Naturally, in the absence of a TTP, it might be easier to achieve anonymity. However, without a TTP, we need to answer several questions: (1) What is Bitcoin and who is going to create electronic money (i.e. Bitcoin) in a verifiable manner? (2) How to check the ownership/authenticity of Bitcoin? (3) How to irreversibly transfer a Bitcoin from one user to another? (4) How to prevent double spending? (5) How exactly is anonymity achieved? We will answer all these five questions in this section.

Bitcoin Philosophy and Double Spending

In Figure 2, Alice digitally signs m and she is committed to it and everybody who has an authentic copy of Alice’s public key can verify this commitment. If m happens to be Bob’s public key along with a message m’, Alice’s digital signature on it tells other people that Alice is committed to Bob’s public key with message m’. In the context of electronic money, if Alice indeed has a coin, this commitment may well mean that Alice agrees to transfer the coin to Bob. Bitcoin transfer is based exactly on this idea and such a transfer (from Alice to Bob) is called a Bitcoin transaction. In other words, the transaction to transfer a Bitcoin from Alice to Bob includes both Bob’s public key and Alice’s digital signature on it. This gives the basic idea of how Bitcoin can be irreversibly transferred (for question (3)).

How can other people verify that Alice actually owns a Bitcoin before she can transfer it to Bob? Bitcoin is a peer-to-peer system and all Bitcoin network nodes maintain the same dynamic global data structure called block chain (see Figure 5), which is a linked chain of basic units called blocks (see Figure 3) and keeps growing. Each block consists of one or more transactions, which are abbreviated as TXi, where i is an integer, in Figures 3, 4, and 5.

• If Alice’s public key is among one of the transactions in one block (say block x) of the current global block chain, then everyone in the Bitcoin system will accept that Alice (more specifically, Alice’s public key) owns a Bitcoin and whoever owns the corresponding private key (in this example, Alice) can spend it in the future. This is how users verify the ownership and authenticity of any Bitcoin (for question (2)).
• To spend her Bitcoin and transfer it to Bob, as described earlier, Alice will digitally sign Bob’s public key and create a new transfer transaction. This transaction will be broadcast to all Bitcoin network nodes who will work to include this transaction in a new block to extend the block chain. (All Bitcoin nodes have financial motivation to participate in creating new blocks, which will be elaborated shortly.) Once the transfer transaction is included in the global block chain with certain depth (i.e., the distance to the last block), it is not reversible.

After Bob’s public key is included in a block of the global block chain, he can spend the Bitcoin from Alice and transfer it to Charlie by digitally signing Charlie’s public key, forming a new transaction, and using the Bitcoin network to include this transaction in a new block to extend the global block chain. In this sense, a Bitcoin is a chain of digital signatures (Nakamoto, 2008), first by Alice and then by Bob.

Figure 3. Bitcoin block with transactions


Figure 4. Bitcoin creation

Figure 5. Bitcoin block chain

So, how does this distributed design prevent double spending (i.e., question (4))? In the Bitcoin system, every network node has a copy of the global block chain and if Alice tries to spend her coin for a second time, everyone in the system will notice that this coin has already been transferred to another user and cannot be spent again.

Does Bitcoin achieve anonymity (i.e., question (5))? In the Bitcoin system, the owner of a Bitcoin is not identified by a user name but through a public key, which is a random string. This random-looking public key does not have any essential links to a specific person in the real world such as Alice. Indeed, a Bitcoin user may choose to generate multiple public/private key pairs and use them simultaneously. In the above example, we used the names of Alice and Bob for the sake of convenience. They are whoever has the corresponding private keys.

So far, we have not answered the questions of how a block is created in the first place (i.e., question (1)) and why blocks need to be chained in the global block chain. Neither have we explained some fields in Figure 3 and Figure 4, such as nonce, and what the genesis block is in Figure 5.


Block Creation: Proof of Work

In its flat form, a Bitcoin block is simply a binary string. Structure-wise, as depicted in Figures 3 and 4, a new Bitcoin block consists of all transactions to be integrated into the block chain, a nonce field, and a field containing the cryptographic hash value of the previous block in the block chain. In Bitcoin, the process to create new blocks is called mining and a mining node is called a miner. In terms of functionality, there are two basic types of Bitcoin blocks: one is used to blend, as shown in Figure 1, verified regular transactions (such as Alice transfers her Bitcoin to Bob and Charlie transfers his Bitcoin to Dave, not necessarily the miner’s own transactions) into the global block chain; the other is used to create new Bitcoins and introduce them into the system, which is through a special type of transaction, called coinbase transaction, shown as TX1 in Figure 4; a coinbase transaction contains the miner’s public key.

Since Bitcoin does not depend on any trusted third party for creating new money, who can create a Bitcoin then? The short answer is every node in the Bitcoin network. Of course, if anybody could create Bitcoin easily, there would be a huge oversupply of Bitcoin, making Bitcoin worthless. To slow down the mining speed, Bitcoin adopts the concept of proof of work from (Back, 2002). A Bitcoin miner has to perform some intensive computing to create a new Bitcoin block, which has to meet certain conditions to be valid. Bitcoin introduces the concept of target to define the validity of a Bitcoin block. A block is valid only when its cryptographic hash value (see the Building Blocks Section), treated as an integer, is smaller than a target value, which is collectively adjustable by all Bitcoin nodes to meet the goal of one block created in around 10 minutes.
As shown in Figure 6, to mine a new block, a miner first collects all transactions to be blended (including regular transactions and one coinbase transaction that has the miner’s public key, if allowed); next, the miner generates a random value for the nonce field, concatenates (the hash value of the last block of the current block chain, all transactions, and the nonce value) into a single string, calculates the cryptographic hash value of this string, and compares it against the current target value. If the computed hash value is not smaller than the target value, the miner needs to select another nonce value and repeat these steps. When the hash value is smaller than target, a new valid Bitcoin block is found and the miner will broadcast this new block to the whole Bitcoin network. Every node in the network can check the validity of this new block (by recalculating the hash value of the new block and checking whether it is smaller than the current target value) and if the block is verified successfully, all honest members will accept this block and extend the block chain with this new block as the last block of the chain.

Figure 6. Bitcoin mining

How did the block chain start in the first place? The Bitcoin project started with a fixed block called the genesis block (see Figure 5), which is the head of the block chain and is hard-coded in the Bitcoin software.

The pace at which new blocks are added to Bitcoin’s global block chain depends on the overall computing power of the Bitcoin network. For a fixed target value, the more computers that are in the network, the faster a new block will appear. In Bitcoin, it has been designed that there should be roughly one newly mined block in every 10 minutes. To meet this goal, the target number is adjusted after every 2016 blocks to make sure that Bitcoin blocks are not generated too fast or too slowly. For example, on Nov. 18th, 2013, at 14:26:03, the target value, in hex, is 00000000000000070BFB00000000000000000000000000000000000000000000, whose first 61 bits are all zeros. For SHA-256 whose hash values have 256 bits, there are $2^{256}$ possible hash values. Roughly speaking, only $1/2^{61}$ of those $2^{256}$ hash values are smaller than this target value. That is, a single SHA-256 hashing has a probability of $1/2^{61}$ to lead to a valid block. On a general PC that can perform 1 million SHA-256 hashes in one second, the chance that this computer can get a valid block in one second is $1/2^{41}$ and the chance in ten minutes is about $1/2^{32}$, which is pretty slim. Therefore, mining in 2013 was already pretty hard and many miners choose to work in a group, which splits the mining tasks and shares the mined blocks.

How many Bitcoins can be mined? The basic unit of account in Bitcoin is BTC. Each of the first 210,000 blocks after the genesis block is worth 50 BTC units and subsequent blocks are worth less, decreasing in a four-year cycle until 2040, when new blocks will have no new Bitcoin values (miners of these future blocks will be paid by transaction fees instead); for example, blocks with numbers between 210,001 and 367,500 are worth 25 BTCs only. In total there will be 21 million Bitcoins in the system.

It should be noted that the above block generation process is completely random and due to the nature of cryptographic hash function, a miner who uses a monotonically increasing nonce value (or any other non-random ways to generate nonce values) has no advantages over another miner who generates nonce values randomly. However, a miner with a faster computer does have advantages, as he/she can compute cryptographic hashes faster and may be able to test more nonce values in the same amount of time.

Block Chaining

All Bitcoin blocks, in their chronological order, form a global ledger and their order matters, as the order decides who has what at any moment and it is used to guard against double spending. These blocks would not need to be chained if all Bitcoin network nodes agree on the order. However, Bitcoin is based on a peer-to-peer network and there is no centralized trusted third party. So, when a new node joins the Bitcoin network and downloads the blocks from other Bitcoin nodes that it does not trust, how does it know that the order of the blocks downloaded is correct?

One way to solve this problem is to link all Bitcoin blocks as they are created. This is the whole purpose of the previous hash field in a Bitcoin block, as shown in Figure 3 and Figure 4. When a new block is being mined, the miner has to find the last block of the block chain, calculate its cryptographic hash value, and set the previous hash field to this value. This essentially links all blocks into a one-way chain. At any moment, a Bitcoin node A can download a copy of the block chain from another Bitcoin node B which A does not necessarily trust. Node A can verify the integrity of the block chain by checking the cryptographic hash values. An attacker who wants to modify a specific block of the block chain would have to change that block and all subsequent blocks, which becomes increasingly hard when the block chain grows longer and longer.
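The mining loop from the proof-of-work subsection and the previous-hash check a downloading node performs, as an added Python example that is not code from the chapter or from the Bitcoin software. It follows the chapter's simplified block layout (previous hash, transactions, nonce) with a single SHA-256; the toy target, genesis block, transaction strings and function names are constructed for illustration.

```python
import copy
import hashlib
import json

TOY_TARGET = 1 << 240    # constructed easy target: about 2**16 hashes expected per block
PAGE_TARGET = int("00000000000000070BFB" + "0" * 44, 16)   # target value quoted in the chapter
GENESIS = {"prev": "0" * 64, "txs": ["genesis"], "nonce": 0}   # constructed; fixed, never mined


def leading_zero_bits(target: int) -> int:
    """Number of leading zero bits in a target written as a 256-bit integer."""
    return 256 - target.bit_length()


def block_hash(block: dict) -> str:
    """SHA-256 over (previous hash, transactions, nonce) joined into one string."""
    data = json.dumps([block["prev"], block["txs"], block["nonce"]])
    return hashlib.sha256(data.encode()).hexdigest()


def is_valid(block: dict, target: int) -> bool:
    """A block is valid only if its hash, read as an integer, is below the target."""
    return int(block_hash(block), 16) < target


def mine(prev: str, txs: list, target: int) -> dict:
    """Try nonce values until the block hash falls below the target."""
    block = {"prev": prev, "txs": txs, "nonce": 0}
    while not is_valid(block, target):
        block["nonce"] += 1      # counting up is as good as random, as the chapter notes
    return block


def build_chain(tx_batches, target):
    chain = [copy.deepcopy(GENESIS)]
    for txs in tx_batches:
        chain.append(mine(block_hash(chain[-1]), txs, target))
    return chain


def first_bad_block(chain, target):
    """What node A runs on a chain from untrusted node B: index of the first
    block that fails the linkage or proof-of-work check, or None if intact."""
    if not chain or chain[0] != GENESIS:
        return 0                                   # must start at the hard-coded genesis
    for i in range(1, len(chain)):
        if chain[i]["prev"] != block_hash(chain[i - 1]):
            return i                               # broken link to the previous block
        if not is_valid(chain[i], target):
            return i                               # proof of work missing
    return None


def tamper_demo(target=TOY_TARGET):
    batches = [["coinbase->miner", "alice->bob"], ["bob->charlie"], ["charlie->dave"]]
    chain = build_chain(batches, target)
    edited = copy.deepcopy(chain)
    edited[1]["txs"][1] = "alice->eve"             # history changed, work not redone
    remined = copy.deepcopy(edited)
    remined[1] = mine(remined[1]["prev"], remined[1]["txs"], target)   # redo block 1 only
    return {
        "intact": first_bad_block(chain, target),
        "edited": first_bad_block(edited, target),
        "remined": first_bad_block(remined, target),
    }


if __name__ == "__main__":
    print("leading zero bits of the quoted target:", leading_zero_bits(PAGE_TARGET))
    print(tamper_demo())
```

Redoing the work for the edited block alone only moves the failure to the next block, whose previous-hash field no longer matches, so every later block would have to be mined again as well.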

Other Issues: Block Collision

The early parts of this section explain how Bitcoin works in principle. More problems need to be solved at the system level. For example, in theory, it is possible that Bitcoin node A and Bitcoin node B find two new valid blocks simultaneously, which have nonce values. Both node A and node B will do their best to broadcast their own blocks, hoping that the block chain will extend from their own new block. This will cause a collision for the block chain and eventually one of the two new blocks will be dropped and the unlucky node will have to start over.

BITCOIN: APPLICATIONS FOR E-COMMERCE

As described earlier, Bitcoin is an anonymous electronic payment system that does not depend on any trusted third parties. Since there will be no new Bitcoins after 2040, eventually, there will be a fixed number of Bitcoin in the system and as a result, Bitcoin is almost inflation free. This is very desirable, compared to the inflation in all fiat currencies. Also, since Bitcoin is not managed by any governments or capital systems, it is free from capital control and is very appropriate for international trades with low transaction fees. As a result, Bitcoin has the potential to be a disruptive payment system for electronic commerce across the globe and has seen increasing acceptance by merchants such as OkCupid, Reddit, Baidu, Humble Bundle, and Foodler. In this section, we shall explain the operational details of Bitcoin from an end user’s perspective.

Get Into the System: Bitcoin Nodes and Users

There are a couple of ways to get into the Bitcoin system. First, tech-savvy users who want to start with almost nothing can download the Bitcoin core software (Bitcoin Foundation, 2014), set it up, and run a Bitcoin node to join the Bitcoin network and mine new Bitcoins. The software will first create a digital wallet, which is essentially a public/private key pair, and the wallet’s Bitcoin address is the cryptographic hash of the public key. Any mined Bitcoins will be saved to this digital wallet and this Bitcoin address can be used to receive Bitcoin funds, which will be described shortly. However, as described earlier, currently it is hard to mine new Bitcoins alone. A tech-savvy user can also download and run third-party mining software to join a mining pool.

A second way that requires no Bitcoin technical background is through a Bitcoin currency exchange market, where one can purchase Bitcoins with fiat money. A Google search will lead to many such exchange markets. Some of these exchange markets also provide digital wallet software for users to manage their Bitcoins. Due to the fragility of digital data and possible compromise of computers, it is often recommended that an end user prints her/his Bitcoin private key on a piece of paper.

To spend Bitcoins in person, one simply visits a merchant that accepts Bitcoin. A BTC can be broken up into small fragments of 0.00000001 BTC, which is the smallest amount that can be spent and transferred and is often called satoshi. To transfer Bitcoins to a remote party, the payer first receives from the fund receiver (i.e., the payee) a Bitcoin address. The payer then digitally signs this Bitcoin address and creates a new transaction for it. Next, the payer either runs his/her own Bitcoin node to broadcast this new transaction to the Bitcoin network for blending or gives this transaction to a third party who will broadcast this transaction, for a fee, to the Bitcoin network. After a short delay, the payee will be able to verify this transfer through checking the global block chain in the Bitcoin network.

The Dark Side of Bitcoin: Real-World Examples

Prior to the advent of Bitcoin, a common concern regarding anonymous electronic payment systems was that they may be abused for illegitimate purposes (von Solms & Naccache, 1992). Bitcoin is no exception. The most sensational story of this type might be the online black market Silk Road, which was used as a platform for selling illegal drugs, pirated software, and other illegal goods and services. Silk Road ran as a hidden Tor service to avoid geolocation (Dingledine, Mathewson, & Syverson, 2004) (that is, one can use Tor to visit the market's web pages but cannot find where the server is) and it used Bitcoin for payment to avoid tracing (Grossman & Newton-Small, 2013). This perfect marriage of Tor and Bitcoin caused some difficulties for law enforcement authorities. Silk Road was shut down in 2003 and its successor, Silk Road 2.0, was shut down in November, 2014.

Another dark use of Bitcoin happened in November, 2013. A computer in the Swansea, MA police department was infected with the CryptoLocker virus and several important image and MS Word documents were encrypted by the virus, whose key was not known to the police (Fraga, 2013). The infected computer showed a countdown clock displaying how much time the department had to buy the decryption key, with a Bitcoin address, before all the files were deleted. The police department ended up paying $750 for two Bitcoins. Due to the anonymous nature of Bitcoin, this ransom is very hard to trace.

The Status Quo: Who Has What For Now?

To a newcomer, Bitcoin looks like a Ponzi scheme: it creates money out of thin air, and early participants reaped the benefits. Early on, Bitcoin mining was much easier because there were fewer miners and the target value was much larger. According to one study (Ron & Shamir, 2012), in October, 2012, in the global block chain, 36% of the entities received fewer than one BTC, 52% of the entities received fewer than ten BTCs, and 88% of the entities received fewer than one hundred BTCs. There are four entities who received over 800,000 BTCs. On the other hand, some people argue in favor of Bitcoin on two grounds: the similarity between Bitcoin mining and gold mining, which was also easy in the beginning but became harder and harder over time, and the prospect of Bitcoin as a cheap, inflation-free online payment tool (Andreessen, 2014).

The Future of Bitcoin

Bitcoin is just less than five years old. It had a down year in 2014, in which a big Bitcoin exchange, MtGox, was shut down and a Bitcoin Foundation board member was arrested for alleged money laundering. Its value fluctuated widely, from its peak of $900 per Bitcoin to a little bit more than $300. Still, it is a little bit premature to dismiss its future. As described in Section 1.3, the technical foundation of Bitcoin is sound and, unlike its predecessors such as DigiCash, it gained momentum surprisingly quickly.

The Risks of Bitcoin

The risks of Bitcoin can be categorized as short-term risk, medium-term risk, and long-term risk.

The short-term risk of Bitcoin is the big fluctuation in its value. In October 2012, the price of each Bitcoin was $12. In January 2014, the price went up to almost $1000. In December 2014, it went back to a little bit more than $300. For a new currency, this fluctuation may be natural, and hopefully Bitcoin's price will become more stable over time.

The medium-term risk of Bitcoin is that its security depends on the assumption that a majority of the computational power in the Bitcoin network is honest and is distributed among multiple parties. However, this may not be true. These days, to increase the chance of mining new Bitcoins, people tend to join a mining pool, and these mining pools have huge computing power. In January 2014, the mining pool GHash.io was estimated to have 45% of the Bitcoin network's computing power and might have reached 51% (Bershidsky, 2014), at which point it would be able to dominate the creation of new Bitcoins and may be able to reverse some transactions in the block chain. Eventually GHash.io voluntarily backed off from this high percentage to 34% by rejecting new independent miners from joining, but the risk of a dominant Bitcoin network node remains.

The long-term risks of Bitcoin are twofold. First, there have been some copycats such as Bytecoin, Peercoin, and Dogecoin. These Bitcoin alternatives use the same or similar techniques and face an uphill battle against Bitcoin, but still, they may well replace Bitcoin. Second, as described in the Technical Details section, Bitcoin is based on computational security, and its building blocks, including SHA-256, RIPEMD-160, and ECDSA-256, are currently thought to be secure. If fast quantum computers are built successfully in the future, Bitcoin's foundation will be shaken. For example, there are quantum algorithms that break elliptic-curve cryptography (Proos & Zalka, 2003; Shor, 1997).

SUMMARY AND FURTHER READING

Summary

Bitcoin is the only anonymous electronic payment system that has gained wide deployment. In this chapter, we have described how Bitcoin works and discussed its potential impact on electronic commerce. By giving all the building blocks of Bitcoin, our introduction does not assume any prerequisites and aims for non-experts. Both the technical and operational details of Bitcoin have been provided.

Further Reading

Inevitably, this chapter does not cover every detail of Bitcoin and, for simplicity of explanation, some technical details have been deliberately skipped. For example, in Bitcoin, when a cryptographic hash function h is used on a message m, instead of hashing m just once, Bitcoin uses double hashing h(h(m)). For advanced Bitcoin details, the following articles and documents are recommended.

In-depth technical details: check (Bitcoin, 2014).

Bitcoin only provides anonymity for its transactions. If a user chooses to purchase Bitcoins in an exchange market with fiat money, the authority can still obtain the user's public key through the exchange market and trace it by checking the global block chain. A tool to add a further layer of anonymity to Bitcoin transactions is the Dark Wallet (Taaki & Wilson, 2014).

There has been some research on analyzing Bitcoin and improving its design: check (Ron & Shamir, 2012; Barber et al., 2012; Karame, Androulaki, & Capkun, 2012; Eyal & Sirer, 2013; Miers, Garman, Green, & Rubin, 2013).
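The double hashing h(h(m)) mentioned above, and the target value that a mined block must stay under, can both be checked on a real block header. The following is an added example, not code from this chapter or from the Bitcoin core software; the header fields are those of the publicly known Bitcoin genesis block (public chain data, not values taken from this chapter), and the function names are chosen here for illustration.

```python
import hashlib
import struct


def double_sha256(data: bytes) -> bytes:
    """h(h(m)) with h = SHA-256, the double hashing used for block hashes."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def serialize_header(version, prev_hash_hex, merkle_root_hex, timestamp, bits, nonce):
    """Build the 80-byte block header that miners hash.

    Integers are little-endian; the two 32-byte hashes are stored
    byte-reversed relative to the hex strings block explorers display.
    """
    return (
        struct.pack("<I", version)
        + bytes.fromhex(prev_hash_hex)[::-1]
        + bytes.fromhex(merkle_root_hex)[::-1]
        + struct.pack("<III", timestamp, bits, nonce)
    )


def bits_to_target(bits: int) -> int:
    """Expand the compact 'bits' field into the full 256-bit target."""
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def block_hash_hex(header: bytes) -> str:
    """Block hash in the byte order in which it is usually displayed."""
    return double_sha256(header)[::-1].hex()


def meets_target(header: bytes, bits: int) -> bool:
    """Proof-of-work check: the double hash, read as a little-endian
    integer, must not exceed the target."""
    return int.from_bytes(double_sha256(header), "little") <= bits_to_target(bits)


# Header fields of the Bitcoin genesis block (block 0), public chain data.
GENESIS = {
    "version": 1,
    "prev_hash_hex": "00" * 32,
    "merkle_root_hex": "4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b",
    "timestamp": 1231006505,
    "bits": 0x1D00FFFF,
    "nonce": 2083236893,
}


def genesis_header(nonce=None) -> bytes:
    """Serialize the genesis header, optionally with a different nonce."""
    fields = dict(GENESIS)
    if nonce is not None:
        fields["nonce"] = nonce
    return serialize_header(**fields)


if __name__ == "__main__":
    header = genesis_header()
    print("header length :", len(header))
    print("block hash    :", block_hash_hex(header))
    print("target        :", hex(bits_to_target(GENESIS["bits"])))
    print("valid PoW     :", meets_target(header, GENESIS["bits"]))
    # Changing a single field (here the nonce) gives an unrelated hash,
    # which no longer falls under the target.
    tampered = genesis_header(GENESIS["nonce"] + 1)
    print("tampered hash :", block_hash_hex(tampered))
    print("tampered PoW  :", meets_target(tampered, GENESIS["bits"]))
```

The leading zeros of the displayed block hash are the visible sign that the double hash, read as a number, is below the target.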

REFERENCES

Acton, J., & O'Grady, S. (2007, 16 October). Money, money, money: The history of cash. The Independent. Retrieved from http://www.independent.co.uk/money/spend-save/money-money-money-thehistory-of-cash-397015.html
Andreessen, M. (2014, January 21). Why Bitcoin matters. New York Times. Retrieved from http://dealbook.nytimes.com/2014/01/21/why-bitcoin-matters/? r=0
Back, A. (2002). Hashcash - a denial of service counter-measure. Retrieved from http://www.hashcash.org/papers/hashcash.pdf
Barber, S., Boyen, X., Shi, E., & Uzun, E. (2012). Bitter to better: How to make Bitcoin a better currency. In Financial Cryptography FC 2012 (Vol. 7397, pp. 399–414). Berlin: Springer-Verlag. doi:10.1007/978-3-642-32946-3_29
Bershidsky, L. (2014, Jan 14). Did Ukrainians almost take over bitcoin? Bloomberg View. Retrieved from http://www.bloombergview.com/articles/2014-01-14/did-ukrainians-almost-take-over-bitcoin
Bitcoin. (2014). Bitcoin protocol specification. Retrieved from https://en.bitcoin.it/wiki/Protocolspecification
Bitcoin Foundation. (2014, September 27). Bitcoin core. version 0.9.3. Retrieved from https://bitcoin.org/en/download
Certicom Research. (2010, January 27). Sec 2: Recommended elliptic curve domain parameters version 2.0. Standards for Efficient Cryptography. Retrieved from http://www.secg.org/sec2-v2.pdf
Chaum, D. (1982). Blind signatures for untraceable payments. In Crypto82 (pp. 199–204). Berlin: Springer-Verlag.
Chaum, D. (1985). Security without identification: Transaction systems to make big brother obsolete. Communications of the ACM, 28(10), 1030–1044. doi:10.1145/4372.4373
Chaum, D. (1988). Blind signature systems. Retrieved from http://www.google.com/patents/US4759063
Chaum, D. (1989). Online cash checks. In Advances in Cryptology - Eurocrypt '89 (pp. 288–293). Berlin: Springer-Verlag.
Chaum, D., den Boer, B., van Heyst, E., Mjølsnes, S., & Steenbeek, A. (1989). Efficient offline electronic checks. In Advances in Cryptology Eurocrypt '89 (pp. 294–301). Berlin: Springer-Verlag.
Chaum, D., Fiat, A., & Naor, M. (1988). Untraceable electronic cash (extended abstract). In Crypto88 (pp. 319–327). Berlin: Springer-Verlag.
Chaum, D., & Pedersen, T. (1992). Transferred cash grows in size. In Advances in Cryptology Eurocrypt 92 (pp. 391–407).
Davies, G. (2002). A history of money: From ancient times to the present day (2nd ed.). University of Wales Press.
Diffie, W., & Hellman, M. E. (1976, November). New directions in cryptography. IEEE Transactions on Information Theory, 22(6), 644–654. doi:10.1109/TIT.1976.1055638
Dingledine, R., Mathewson, N., & Syverson, P. (2004, August). Tor: The second-generation onion router. In Proceedings of the 13th USENIX Security Symposium. Retrieved from http://www.onion-router.net/Publications.html
Dobbertin, H., Bosselaers, A., & Preneel, B. (1996). RIPEMD-160, a strengthened version of RIPEMD. In D. Gollmann (Ed.), Fast Software Encryption (Vol. 1039, pp. 71–82). doi:10.1007/3-540-60865-6_44
Eyal, I., & Sirer, E. G. (2013). Majority is not enough: Bitcoin mining is vulnerable. Retrieved from http://arxiv.org/abs/1311.0243 (Version v5)
Fraga, B. (2013, Nov. 15). Swansea police pay $750 ransom after computer virus strikes. The Herald News. Retrieved from http://www.heraldnews.com/x2132756948/Swansea-police-pay-750-ransom-aftercomputer-virus-strikes
Goodman, L. (2014, March 6). The face behind Bitcoin. Newsweek. Retrieved from http://www.newsweek.com/2014/03/14/face-behind-bitcoin-247957.html
Grossman, L., & Newton-Small, J. (2013, Nov. 11). The secret web: Where drugs, porn and murder live online. Time Magazine. Retrieved from http://time.com/630/the-secret-web-where-drugs-porn-andmurder-live-online/
Hayes, B. (1990). Anonymous one-time signatures and flexible untraceable electronic cash. In Advances in Cryptology-Auscrypt 90 (pp. 294–305). doi:10.1007/BFb0030369
Hirschfeld, R. (1993). Making electronic refunds safer. In Advances in Cryptology-Crypto 92 (pp. 106–112). Springer-Verlag. doi:10.1007/3-540-48071-4_8
Isaacson, W. (2014). The innovators: How a group of hackers, geniuses, and geeks created the digital revolution. Simon & Schuster.
Karame, G. O., Androulaki, E., & Capkun, S. (2012). Double-spending fast payments in Bitcoin. In Proceedings of the 2012 ACM conference on Computer and Communications Security (CCS'12). doi:10.1145/2382196.2382292
Lim, C., & Lee, P. (1993). A practical electronic cash system for smart cards. In Proceedings of the 1993 Korea-Japan Workshop on Information Security and Cryptography (pp. 34–47). Seoul, Korea.
Mendel, F., Pramstaller, N., Rechberger, C., & Rijmen, V. (2006). On the collision resistance of RIPEMD-160. In S. K. Katsikas, J. Lopez, M. Backes, S. Gritzalis, & B. Preneel (Eds.), ISC (Vol. 4176, pp. 101–116). Springer.
Miers, I., Garman, C., Green, M., & Rubin, A. (2013). Zerocoin: Anonymous distributed e-cash from Bitcoin. In Proceedings of the 2013 IEEE symposium on Security and Privacy (SP) (pp. 397–411). doi:10.1109/SP.2013.34
Nakamoto, S. (2008). Bitcoin: A peer-to-peer electronic cash system. Retrieved from http://bitcoin.org/bitcoin.pdf
National Institute of Standards and Technology. (2012, March). Secure hash standard (SHS). FIPS PUB 180-4. Retrieved from http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
National Institute of Standards and Technology. (2013, July). Digital signature standard (DSS). FIPS PUB 186-4. Retrieved from http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
Orwell, G. (2001). Nineteen eighty-four. In The complete novels of George Orwell. Penguin Classics.
Proos, J., & Zalka, C. (2003). Shor's discrete logarithm quantum algorithm for elliptic curves. QIC, 3(4), 317–344. http://arxiv.org/abs/quant-ph/0301141
Rivest, R., Shamir, A., & Adleman, L. (1978, February). A method for obtaining digital signature and public key cryptosystems. Communications of the ACM, 21(2), 120–126. doi:10.1145/359340.359342
Rivest, R. L., & Micali, S. (2002). Peppercorn micropayments via better lottery tickets. Talk given at the rump session of Financial Cryptography 2002. Retrieved from http://people.csail.mit.edu/rivest/pubs/RM02.slides.pdf
Ron, D., & Shamir, A. (2012, October). Quantitative analysis of the full Bitcoin transaction graph. Cryptology ePrint Archive, Report 2012/584. Retrieved from http://eprint.iacr.org/2012/584
RSA Laboratories. (1999, September). PKCS#1 v2.1: RSA Cryptography Standard. Author.
Shor, P. W. (1997). Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing, 26(5), 1484–1509. doi:10.1137/S0097539795293172
Surowiecki, J. (2012, June). A brief history of money or, how we learned to stop worrying and embrace the abstraction. IEEE Spectrum, 49(6), 44–79. doi:10.1109/MSPEC.2012.6203967
Taaki, A., & Wilson, C. (2014, November). Dark wallet. Darkwallet Alpha7 (version 0.7.0). Retrieved from https://www.darkwallet.is/
van Antwerpen, H. (1990). Electronic cash. (Master's thesis). CWI, Netherlands.
von Solms, S., & Naccache, D. (1992). On blind signatures and perfect crimes. Computers & Security, 11(6), 581–583. doi:10.1016/0167-4048(92)90193-U
web.archive.org. (2015). Archive of web sites. Retrieved on Feb. 10 from http://web.archive.org/web/19970103082045/http://digicash.com/
Wikipedia. (2015). Various busted internet payment efforts. Retrieved on Feb. 10 from http://en.wikipedia.org/wiki/Flooz.com, http://en.wikipedia.org/wiki/Beenz.com
Youm, H., Lee, S., & Rhee, M. (1993). Practical protocols for electronic cash. In Proceedings of the 1993 Korea-Japan Workshop on Information Security and Cryptography (pp. 10–22). Seoul, Korea.

KEY TERMS AND DEFINITIONS

Bitcoin: A peer-to-peer-based, anonymous electronic payment system.
Bitcoin Block: The basic data structure of Bitcoin's global ledger.
Bitcoin Block Chain: Bitcoin's global ledger, which is linked and universally verifiable.
Bitcoin Mining: The process to create a new Bitcoin block for the block chain.
Bitcoin Proof of Work: A computation-intensive operation in creating Bitcoin blocks.
Cryptographic Hash Function: A hash function that is both one-way and collision-resistant.
Digital Signature: A digital string calculated from a digital document and a cryptographic private key. A digital signature is bound to both the document signed (hence document-dependent) and the signing key and is universally verifiable.

This research was previously published in Encyclopedia of E-Commerce Development, Implementation, and Management edited by In Lee, pages 1013-1030, copyright year 2016 by Business Science Reference (an imprint of IGI Global).


Chapter 4

Web-Based Electronic Money for Online Banking

Raghvendra Kumar, LNCT Group of Colleges, India
Preeta Sharan, The Oxford College of Engineering, India
Aruna Devi, Surabhi Software, India

ABSTRACT

This chapter introduces web-based electronic money as an alternative means of online transaction payment. The main areas covered include research on current payment systems, the limitations of current payment methods, what e-money is, and the current state of electronic money. The chapter discusses the proposed web-based electronic money as an alternative for online payment and the benefits of web-based e-money. An online payment transaction is a form of financial exchange between buyer and seller, facilitated by means of electronic communications, for conducting e-commerce and online purchasing.

DOI: 10.4018/978-1-5225-6201-6.ch004

Copyright © 2019, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

INTRODUCTION

Mobile banking services are, on the whole, iterations of existing services that use the banks' present-day systems and infrastructure. Given that online banking infrastructure is already in place and that reusing existing components is a cost-effective way to build new systems, mobile banking and location-based banking are the next iteration of net banking. For mobile banking we adopt the following definition: "that kind of execution of financial services in the course of which the customer makes use of mobile communication techniques in conjunction with mobile devices." In the context of net banking, mobile website banking falls within that definition: the net banking website is accessed through a mobile device. A mobile website is a website optimized for viewing on a mobile device that requires authentication in the form of a different device. For the financial institution, the Random Reader is used only when registering for the first time and, depending on the transaction, during transfers; for SMS Banking, the Digipas is always used for logging in and for transfers. The Random Reader and Digipas are devices that generate responses to data obtained from the bank in order to authenticate the customer.

INFORMATION TECHNOLOGY IN BANKING SECTOR

The banking system has come a long way since independence, from nationalization to liberalization. It has witnessed a transition from a slow business organization to a highly proactive and dynamic entity. This transformation has been brought about largely by liberalization and economic reforms that allowed banks to explore new business opportunities rather than generating revenues only from the traditional streams of borrowing and lending. These economic reforms, which were initiated in the early Seventies, brought in a completely new environment for the banks. The banks now offer innovative and attractive technology-based multi-channels for their products and services.

The process began in the Seventies, when computers were introduced as ledger posting machines. Technology has since been deployed in a variety of back-office and customer-interface functions of banking. In the early Eighties the Reserve Bank of India used a mechanism to speed up the temporary operation in the banking sector. A high-level mechanism was formed to draw up a phased plan for computerization and mechanization in the banking sector. The focus was on customer service. For this purpose, two models of department were developed and implemented. The second committee, constituted in 1988, drew up a plan for computerization and automation of other areas such as budget control, e-mail, BANKNET, SWIFT, ATMs, I-banking and so forth.

In the last decade, information technology has brought extensive changes to the banking sector. It has given banks an opportunity to offer different products and services to their customers using today's systems. Apart from operations, the development of technology has played a vital role in the distribution strategy of commercial banks. Banks, which have traditionally relied on one main channel to deliver services, have now started offering their products and services through a variety of modern, technology-based channels, including Internet Banking, Automated Teller Machines (ATMs), Mobile Banking, Phone Banking, TV Banking and so on. All these new channels of distribution fall in the area of e-banking or I-banking. Electronic banking has been around for quite a while in the form of automatic teller machines (ATMs) and cell phone transactions. In recent times, it has been transformed by the internet, a new channel that has facilitated banking transactions for both customers and banks.

As part of their strategic choices, banks in India have been investing, and continue to invest, large amounts of funds in computer and related technologies, expecting a sizeable payoff. According to the Boston Consulting Group (2011), the expenditure on information technology (IT) for banks as a whole is Rs 6,500 Cr. per year, approximately 2.7 per cent of their revenue, and is likely to increase further to Rs 10,000 Cr. annually in the coming years. Further, the Reserve Bank places special emphasis on technology infusion in the day-to-day operations of banks. The IT Vision Document, 2011-17 of the Reserve Bank lays out the roadmap for implementation of key IT applications in banking, with special emphasis on seamless delivery of banking services through effective implementation of Business Continuity Management (BCM), Information Security Policy, and Business Process Re-engineering.


DEVELOPMENT OF WEB-BASED ELECTRONIC MONEY FOR ONLINE PAYMENT TRANSACTION

Electronic money or "e-money" (Bakre and Badrinath 1995) is often referred to as a monetary value instrument which is stored electronically on an electronic device such as a chip card or a computer memory. In other words, e-money represents digital money or digital currency. Electronic money is a payment instrument that contains monetary value that has been paid in advance by the user (Baratloo, Chung, Huang, Rangarajan, and Yajnik 1998). Users can purchase goods and services from merchants and pay for them with electronic money. When they do, the amount is automatically deducted from their electronic money balance (Badrinath and Gathercast 1998). An online payment transaction is a form of financial exchange that takes place between the buyer and seller, facilitated by means of electronic communications, for conducting e-commerce and online purchasing (Michael Bender, Davidson, Dong, Drach, Glenning, Jacob, Jia, Kempf, Periakaruppan, Snow, and Wong 1993).

PAYMENT SYSTEM

A payment system is a funds transfer system that facilitates the circulation of money, and includes any instruments and procedures that relate to the system. The payment system is one of the fundamentals of modern economies. Some of the most widely used payment systems are cash, credit card, debit card, cheque (Birman and Joseph 1987) and electronic money. For the purpose of this research study, we divide payment systems into conventional payment systems, i.e. credit card and debit card, and alternative payment systems, i.e. electronic money.

Conventional Payment System

A conventional payment system involves two parties, buyer and seller, in which the buyer transfers cash or payment information to the seller. The payment is settled in the financial institution. For a cash payment, the buyer withdraws money from his/her bank account and transfers the money to the seller, and the seller deposits the payment in his/her bank account (Birman and Joseph 1987). For a non-cash payment, the buyer credits or debits money from his/her account to the seller through credit cards, debit cards or cheques.

Conventional Payment Instruments Adapted to Internet

This section gives an overview of the existing payment methods and techniques that have been developed to adapt the conventional payment instruments for use over the Internet. This research study focuses on two conventional payment instruments: credit card and debit card (Birrell and Nelson 1984).

Credit Cards

A credit card is a conventional payment system that entitles its holder to buy goods and services based on the holder's promise to pay for these goods and services. The issuer of the card grants a line of credit to the consumer, from which the consumer can borrow money for payment to a merchant or as a cash advance to the user. Each month, a statement is sent to the cardholder indicating the purchases undertaken with the card, outstanding fees and the total amount owed. After receiving the statement, the cardholder may dispute any charges that he or she thinks are incorrect. Otherwise, the cardholder must pay a defined minimum proportion of the bill by a due date, or may choose to pay a higher amount up to the entire amount owed. The credit issuer charges interest on the amount owed if the balance is not paid in full. Credit cards are widely used for making payments over the internet as they are internationally known to consumers and accepted by merchants (Birrell, Nelson, Owicki, and Wobber 1993).

Debit Card

Debit cards provide a convenient way to present the cardholder information needed to debit the cardholder's bank account. This information is embedded in the magnetic stripe (or chip) on the back of the card. In some countries, debit cards can be used in internet shops. Internet usage operates similarly to the direct debit system, but offers additional security features for payment owing to the presence of the card. The card readers are in many cases provided by the card-issuing bank. The use of debit cards for purchases on the internet is still relatively limited.

Limitation of Conventional Payment Instruments

Existing payment systems, such as credit cards and debit cards, are inadequate for retail customer digital business from the following general viewpoints (Boyland and Castagna 1997):

Lack of Usability

Existing conventional payment methods, i.e. credit cards and debit cards, require consumers to provide a lot of information on web site interfaces before making an online payment. For example, credit card and debit card payments via a web site are not the easiest way to pay, as they require entering extensive amounts of personal data and contact details in a web form.

Lack of Security

Existing conventional payment methods, i.e. credit cards and debit cards, have been a target of risk and theft abuse. Consumers have to provide personal and account information before making an online payment. Even encrypted Internet credit card transactions do not include the owner's signature, and anyone with knowledge of the customer's credit card number, expiration date and 3-digit code can create a payment order. Visa debit cards and credit cards are an example of an insecure payment system since authentication is based only on "something you know". In order to gain access to their bank account:

1. We need to find out the credit card or debit card number, expiry date, and full name.
2. Set up a Visa-enabled merchant.
3. Debit the account.

If the victim notices that his account has been debited without his permission, Visa will force the merchant to refund the user. However, if the merchant has disappeared, Visa will refund the user. This is a cumbersome and expensive process, as merchants do not have a reliable way to verify that a credit card or debit card is being used by its registered owner.
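The weakness described in this section, authorization that rests only on static card data, can be set beside a challenge-response check of the kind the Random Reader and Digipas devices mentioned in the Introduction are said to perform. This is an added example, not code from the chapter or from any bank or device vendor; the HMAC construction, the field names and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; none of them belongs to a real card or device.
CARD_ON_FILE = {"number": "4000000000000002", "expiry": "12/30", "code": "123"}
DEVICE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def authorize_static(order: dict, card_on_file: dict) -> bool:
    """Knowledge-only check: any order repeating the static card data passes.
    Nothing ties the order to the card's registered owner."""
    return all(
        hmac.compare_digest(order.get(field, ""), card_on_file[field])
        for field in ("number", "expiry", "code")
    )


def device_response(key: bytes, challenge: str, payee: str, amount_cents: int) -> str:
    """Short code a hand-held device would display (assumed design): an HMAC
    over the bank's challenge and the payee and amount the customer keyed in."""
    message = f"{challenge}|{payee}|{amount_cents}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:8]


class Bank:
    """Bank side of the assumed challenge-response exchange."""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self._pending = {}  # challenge -> (payee, amount) as the bank received it

    def issue_challenge(self, payee: str, amount_cents: int) -> str:
        challenge = secrets.token_hex(8)
        self._pending[challenge] = (payee, amount_cents)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        order = self._pending.pop(challenge, None)  # each challenge is single-use
        if order is None:
            return False
        expected = device_response(self._key, challenge, *order)
        return hmac.compare_digest(expected, response)


def run_demo() -> dict:
    results = {}

    # Static data: a copy of the card fields is indistinguishable from the owner.
    results["static_copy_accepted"] = authorize_static(dict(CARD_ON_FILE), CARD_ON_FILE)

    bank = Bank(DEVICE_KEY)

    # Genuine payment: the customer keys the order into the device.
    c1 = bank.issue_challenge("bookshop", 1999)
    r1 = device_response(DEVICE_KEY, c1, "bookshop", 1999)
    results["genuine_accepted"] = bank.verify(c1, r1)

    # The same challenge and response presented a second time.
    results["replay_accepted"] = bank.verify(c1, r1)

    # An old response presented against a fresh challenge.
    c2 = bank.issue_challenge("bookshop", 1999)
    results["stale_response_accepted"] = bank.verify(c2, r1)

    # The order reaching the bank differs from what the customer confirmed.
    c3 = bank.issue_challenge("other-payee", 99900)
    r3 = device_response(DEVICE_KEY, c3, "bookshop", 1999)
    results["altered_order_accepted"] = bank.verify(c3, r3)

    return results


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:26s} {accepted}")
```

Only the first two results are accepted: the static check cannot tell a copy from the owner, while the device response is tied to one challenge and one order.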

Lack of Trust

Consumers will not trust existing payment methods that have a long history of fraud, misuse or low reliability. In recent years, there have been many reported cases of fraud and theft on conventional payment systems used as online payment methods. Potential customers often mention this risk as the key reason why they do not trust a payment service and therefore do not make Internet purchases.

Lack of Eligibility

Not everyone with money and the intention to pay can make use of certain payment methods to make an online payment. At present, the majority of e-commerce merchants adopt credit cards and debit cards as their online payment method. In reality, not all potential buyers can obtain credit cards and debit cards, due to credit history limitations, low income or other reasons. This hinders the development of e-commerce.

Lack of Efficiency

Some electronic commerce payments can be too small to be handled by existing payment systems because of the high administrative costs involved in processing payments and transactions. Credit cards and debit cards are too expensive for small payments and unsuitable for small transactions. The minimum fixed fee charged to the retailer for processing a transaction could even surpass the value of the goods sold.

High Usage Costs for Customers and Merchants

Credit cards and debit cards are very expensive for consumers as they use expensive infrastructure to assist in the payment process. The growing size of fraud, which amounts to billions of dollars per year, is intangibly refinanced by users through the higher costs of credit card and debit card services. For online transactions, credit cards and debit cards are not physically available for inspection; therefore the chance of fraud is higher and the charges to the merchant are higher too. Transaction fees are notably higher for the internet, between 2.5% and 6% of total sales, depending on the chargeback history of the merchant. For internet transactions, payments must be approved in real time by the card-issuing bank. Online authorization helps to prevent fraud but increases handling costs for all parties involved. On average, the online authorization process takes about 6 to 90 seconds. There is a risk that consumers will abandon the transaction before completion because of unacceptable queuing for online authorization. If the payment fails, the merchant must either reject the payment or accept a much higher chargeback risk. In addition, credit card and debit card bills are sent in paper form to customers by post, and the bills are mostly settled by posting paper documents, which makes the whole cycle rather expensive.


ELECTRONIC MONEY Electronic money is a payment instrument (Carter and Crovella 1997) that contains monetary value that has been paid in advance by the user. Goods and services can be purchased by users from merchants and the payment can be done through electronic money. The amount will be automatically deducted from their electronic money balance when they are paying through electronic money. Online payment transaction is a form of a financial exchange that takes place between the buyer and seller facilitated by means of electronic communications for conducting e-commerce and online purchasing. In general, electronic money products are “stored-value” or “prepaid” products in which a record of the funds or “value” available to a consumer is stored on an electronic device in the consumer’s possession. The electronic value is reduced whenever the consumer uses the device to make purchases and intended to be used as a multipurpose means of payment. Electronic money allows consumers to use electronic means of communication to make payment. Banks may participate in electronic money schemes as issuers or distribute electronic money issued by other entities; redeeming and maintaining electronic money transactions for merchants; handling the processing, clearing, and settlement of electronic money transactions.

CURRENT STATE OF ELECTRONIC MONEY The continuous change from paper-based payments to electronic form is obvious from the rising trend in the number of electronic payment transactions recorded in 2008. The motivating force for this upward trend is the consumer demand for fast, convenient and secure transactions, as well as the merchants‟ efforts in improving business processes and lowering costs. Payment cards are still the most popular epayment mode used with electronic money (e-money) recording the highest number of transactions and credit cards leading the way in terms of amount spent. At the same time, the e-money industry continued to gain reputation as an alternative payment instrument for micro payments, representing more than half of non-cash transactions performed in the economy.

CONCLUSION

This chapter covers the current payment system, its limitations, what e-money is, and the current state of electronic money. It discusses web-based electronic money as an alternative for online payment and the benefits of web-based e-money. The next chapter discusses mobile transaction processing systems in the real world.

REFERENCES

Badrinath & Sudame. (1998). An efficient mechanism for multi-point to point aggregation in IP networks. Technical Report DCS-TR-362. Rutgers University.

Bakre & Badrinath. (1995). I-TCP: Indirect TCP for mobile hosts. Proceedings of the 15th International Conference on Distributed Computing Systems.

Baratloo, C., & Huang, R., & Yajnik. (1998). Filterfresh: Transparent hot replication of Java RMI servers. Proceedings of the USENIX Conference on Object-Oriented Technologies (COOTS).

Bender, D., Dong, D., & Glenning, J., … Wong. (1993). Unix for nomads: Making Unix support mobile computing. Proceedings of the USENIX Symposium on Mobile & Location-Independent Computing.

Birman & Joseph. (1987a). Exploiting virtual synchrony in distributed systems. Proceedings of the 11th ACM Symposium on Operating Systems Principles.

Birman & Joseph. (1987b). Reliable communication in the presence of failures. ACM Transactions on Computer Systems, 5(1), 47–76.

Birrell & Nelson. (1984). Implementing remote procedure calls. ACM Transactions on Computer Systems, 2, 39–59.

Birrell, N., Owicki, & Wobber. (1993). Network objects. Proceedings of the 14th ACM Symposium on Operating Systems Principles.

Boyland & Castagna. (1997). Parasitic methods: An implementation of multi-methods for Java. Proceedings of OOPSLA ’97: Object-Oriented Programming Systems, Languages and Applications, 66–76.

Carter & Crovella. (1997). Server selection using dynamic path characterization in wide-area networks. Proceedings of the IEEE Conference on Computer Communications (INFOCOM 97).

This research was previously published in Advanced Mobile Technologies for Secure Transaction Processing by Raghvendra Kumar, Preeta Sharan, and Aruna Devi, pages 55-63, copyright year 2018 by Information Science Reference (an imprint of IGI Global).

Chapter 5

Mobile Banking and Payment System: A Conceptual Standpoint

Aijaz A. Shaikh
University of Jyväskylä, Finland

Payam Hanafizadeh
Allameh Tabataba’i University, Iran

Heikki Karjaluoto
University of Jyväskylä, Finland

ABSTRACT

This study conceptualizes and proposes a well-regulated and designated mobile banking and payment system (MBPS) with the potential to strengthen the banking system, foster the regulatory framework, and to be integrated across various platforms and mobile devices. Unlike other mobile payment systems that lack convenience, scalability, and usability, the proposed MBPS contains several important functionalities and it has the potential to bring together hitherto unconnected industries—banking, Fintech and telecoms—to offer value-added services to their existing and potential customers. The ownership of the MBPS shall remain with the financial services sector including the banking and microfinance institutions. The paper concludes with a discussion on the implications and limitations of the study and proposes future research directions.

DOI: 10.4018/978-1-5225-6201-6.ch005

INTRODUCTION

One of the profoundly interesting developments of the past three decades is the electrification, automation, and digitization of business and financial services and the arrival of mobile telephony in emerging and developed economies. Each of these developments appeared when a variety of electronic payment (e-payment) systems and banking channels commonly known as alternative delivery channels or ADCs (Shaikh & Karjaluoto, 2015; 2016) were developed and deployed by banks and microfinance institutions from the early 1990s onwards. According to Abrazhevich (2001), e-payment systems were primarily meant to bring the infrastructure necessary to facilitate payment over the internet using different devices and they are widely considered necessary for further developing e-commerce and e-business. In addition, by eliminating location and time barriers, e-payment systems and ADCs facilitate consumers accessing their banking information remotely, quickly, and conveniently without the need for visiting the bank branch. Mobile and branchless banking services, added latterly in the mobile payment and digital banking portfolio, have revolutionized the banking services landscape (Mortimer et al., 2015) and increased the outreach of retail banking to remote areas. Considering their success and growing consumer interest in the adoption and usage of these e-payment systems and ADCs, non-financial actors (NFAs) including telecoms, mobile network operators, financial technology (Fintech) firms, start-ups and other market participants such as PayPal, Amazon, and Google are developing and offering a range of payment services, thereby creating increased competition for diligently regulated banks. According to Denecker et al. (2014), payments represent a beachhead for changes to the entire banking relationship, and this beachhead is under attack from NFAs. Given the growing influence of these diverse NFAs or non-bank entrants on the payments landscape, three reasons underline the foundation as well as the purpose and objective of this article as explained below:

First, in the presence of a huge (but diversified and heterogeneous) range of digital banking channels, the banks and regulators are facing several security, privacy, strategic, operational, and oversight challenges (Denecker et al., 2014).
The basic premise is that these digital banking channels both motivate the customers to become self-directed and adapt to the online world and demand new controls and risk monitoring systems, especially given their dependence on rapidly changing technology and their ubiquitous nature (International Finance Corporation, 2014). Accordingly, a large and diversified banking portfolio including services and products is likely to have a wider range of harmful effects (Allen et al., 2012) on the performance of the banks and will create unnecessary security risks for them.

The second concern is the existence of a consumer base who are not bank account holders and do not have any kind of formal relationship with a banking institution. Such consumers are located mainly in developing and emerging markets, and access banking and payment information on portable devices such as cell phones to conduct several different financial transactions. Unfortunately for banks, many of these consumers conduct transactions through mobile payment apps that are developed, managed, and controlled by NFAs. As a result, banking companies, long tightly regulated, are fast losing this consumer base as well as core business segments (i.e., accounts and payments) to NFAs. These developments present several challenges for banks, regulators, and policymakers, especially when NFAs and third-party app developers require banks to allow access to confidential consumer data.

The third concern is that these NFAs are operating with fewer regulatory constraints, and most of them lack any significant prior experience in the banking industry (Henniaux, 2014). What is more worrying is that a few of these NFAs are providing mobile financial services in a largely isolated way involving a high risk element. Similarly, there is wide agreement that mobile apps are miniature apps and many of these have not had their codes effectively audited for security flaws prior to their release and use.
Consequently, the purpose is to assess and evaluate the potential of mobile payment services and investigate how these services will be affected if unregulated actors provide critical services in the payment system. Building on these arguments and in order to reconcile these issues, the authors have identified the need to conceptualize a versatile, integrated, and designated new channel of distribution called ‘mobile banking and payment system (MBPS)’ primarily meant for regular bank customers or account holders. In particular, this innovative model will strengthen the banking institutions and banking system in general, foster the regulatory framework, and allow integration across various platforms and mobile devices (see Figure 1). Here, the term payment system equates to e-payment system. Among the frequently used delivery channels, choosing the mobile option is largely based on the fact that m-banking is considered to be among the latest in a series of recent mobile technological wonders (Shaikh et al., 2015a); it appears to be the fastest-growing digital banking channel worldwide (Wonglimpiyarat, 2014); and the commercial value of this new revenue stream is predicted to be very significant (Barnes & Corbitt, 2003).

As to the scope of this conceptual paper, the aim is to provide a high-level overview of different aspects of the conceptualized MBPS. This article will use the new term MBPS throughout the paper. Practitioners can use it in promotions and advertisements, describing it as a new mode of banking and payment. Consequently, the authors assume that this flagship term can easily be used in bank marketing terminology as a single comprehensive digital banking and payment term.

The section that follows offers a detailed overview of the innovative financial services in an international context (Section 2). Next, the research methodology is outlined (Section 3) followed by the detailed presentation of the conceptual model, the MBPS (Section 4). The last section (Section 5) concludes the discussion and suggests valuable implications, limitations, and future research directions.

A DETAILED OVERVIEW OF ALTERNATIVE DELIVERY CHANNELS AND INNOVATIVE FINANCIAL SERVICES

Over the past two decades, banking and payment functions have been virtualized on a massive scale globally (Bons et al., 2012). The shift saw the traditional banking and payment services evolve from branch-oriented to branchless and more recently to become mobile and social media oriented. There have also been advances in delivery channels and the development of new business models. For instance, the development of automated teller machines (ATMs) and recently introduced retail teller machines (RTMs) deployed at various merchant locations has provided greater convenience to consumers accessing financial (e.g., fund transfers) and non-financial (e.g., account balance requests) services and transferring payments. However, the use of ATMs is declining considerably for two major reasons: the proliferation and the increasing usage of mobile devices (Gao et al., 2014) and a growth in the theft of payment card data (Shaikh & Shah, 2012).

Another popular ADC is called internet banking. Internet (or net) banking provides bank customers access to banking information that helps to facilitate various transactions using either a personal computer or laptop anytime and anywhere (Shaikh and Karjaluoto, 2016). Broadly speaking, internet banking allows bank customers to engage in a vast array of innovative online services, such as paying utility bills, checking account information, using check services through bank websites, 24/7 customer support, and the possibility of easy access for disabled people (Hanafizadeh et al., 2014b; Jagannathan et al., 2016). Some benefits of internet banking to customers as identified by Angelakopoulos and Mihiotis (2011) are the absence of time constraints and geographical limits, cost cutting, the possibility of easy access for disabled people, and an integrated environment for internet banking transactions.
Despite these advantages and benefits, internet banking, which early on promised to be the most popular electronic delivery channel (Karjaluoto et al., 2002), ended up being a poorly adopted delivery channel (Kuisma et al., 2007).

Several reasons have been offered for the poor adoption of internet banking, also referred to as online banking or virtual banking. One such reason is that a decline in the use of internet banking services was largely due to changing consumer perceptions of value and growing consumer empowerment, which, according to Pires et al. (2006), allows consumers to choose what they want, when they want, where they want, at their own convenience, and on their own terms. In addition, after the introduction of smart phones by Apple corporation in 2007 (Hall and Anderson, 2009), many financial services firms including banks followed these trends in mobile communications by developing and offering wireless and mobile banking applications easily downloadable onto smartphones for conducting transactions and bank account management (Kurila et al., 2016), which further undermined the need for internet banking services, largely in developed markets. Internet security and users’ privacy concerns refuse to go away and further hinder the growth of internet banking. Especially in emerging and developing countries, poor internet connectivity and speed correlate with the low adoption of internet banking services. Similarly, early studies on internet banking suggest that the complexity of using the service deters some consumers from adopting and using it (Laukkanen, 2016; Kuisma et al., 2007).

Other digital banking channels that have transformed the banking culture in different developing and emerging countries are m-banking and social media. A significant body of literature (e.g., Shaikh et al., 2015b; Laukkanen, 2016) has shown that the adoption and the usage of mobile banking (basically meant for bank account holders to access banking services) and its variant branchless banking (allows both bank account holders and non-account holders to access banking services and it is largely meant for the unbanked segment of society) have recorded a massive growth globally.
On the other hand, social network banking, a term introduced by Bohlin et al. (in press), offers largely non-financial services to consumers on popular social media platforms such as Facebook, Twitter, YouTube and so forth. To summarize, the commercial potential and a profound growth and usage of mobile-based financial services has both opened new business opportunities for the banking companies and provided greater convenience of anytime, anywhere banking to a demographically dispersed population. Consequently, any future technology development that does not account for mobile technology is unlikely to be popular with the consumer.

RESEARCH METHODOLOGY

In consideration of the vastness of published literature on MBPS, it is important that the literature should be carefully scrutinized. Here, a watchful approach was adopted involving all the authors to identify, select, shortlist, and download the most relevant and appropriate literature. In addition, one of the authors has an enviable track record of working with the banking industry especially in designing policy documents concerning different aspects of digital banking and payment systems.

The research methodology used to gather and interpret the data, to support the arguments, and to reach a decisive conclusion, is largely based on secondary and non-numeric sources. According to Sørensen et al. (1996), secondary data in research are data that have not been collected with a specific research purpose. Prior research has discussed several benefits to using secondary data (Heaton, 2003) and the importance of using secondary data for analysis purposes has been established in the literature (e.g., Smith, 2008). For instance, Cowton (1998, p.432) concluded that “secondary data may have attributes which render them highly attractive when compared to interview and questionnaire results.” Nonetheless, the disadvantages of secondary data relate to the fact that their selection, quality, and the methods of their collection, are not under the control of the researcher, and that they are sometimes hard to validate (Sørensen et al., 1996).

The authors utilize a vast contemporary, historical, and original set of secondary data and information consisting of policy and regulatory documents, archives, and popular market surveys published by the banks, central banks, and advisory firms such as Forrester Research to propose the MBPS, draft the findings, and draw conclusions. In addition, a cursory review of the literature consisting of the scientific publication and conference proceedings was also conducted to understand the banking and payment models developed and proposed previously.

MOBILE BANKING AND PAYMENT SYSTEM (MBPS): CONCEPTUALIZATION AND DEFINITION

This section is divided into different sub-sections with an underlying objective of providing a detailed overview of the MBPS. A great deal of understanding about the e-payment system (and its variant mobile payment system) is required to understand the core concept of the MBPS. Prior research (e.g., Bezovski, 2016) has considered an e-payment system the backbone of e-commerce business, and defined it as an online or e-payment service that utilizes information and communication technologies. The Financial Services (Banking Reform) Act 2013 of the United Kingdom has defined the term payment system as “a system which is operated by one or more persons or entities in the course of business for the purpose of enabling consumers to make transfers of funds, and includes a system which is designed to facilitate the transfer of funds using another payment system.” Compared with traditional payment methods such as pay-by-check, pay-by-phone, or wire transfer, an online payment system is generally considered more convenient and flexible for customers and banks alike (He & Mykytyn, 2009). Moreover, for many companies including banks, e-payments have become one of the most critical issues in their successful business and financial services (Kim et al., 2010).

Prominent and frequently used e-payment systems include payment cards (such as debit, credit, and prepaid debit cards); e-wallets; mobile payments; loyalty and smart cards; and so forth. Considering their scope and usage, these payment systems have been divided into account-based and electronic currency systems. An account-based payment system allows consumers to make payments using their regular bank account, while an electronic currency payment system allows the consumers to make payments using electronic or virtual currency (Bezovski, 2016).
The proposed MBPS follows the account-based payment system mechanism because of the growing security issues largely seen in the electronic currency system. In light of the many past mobile payment system failures (Ondrus & Pigneur, 2009) as discussed in the following paragraphs, there is a real need to analyze and understand the requirements to succeed in this market ruled by uncertainty and lightly regulated NFAs. Here, considering the growing influence of NFAs, ranging from telecom companies to small and agile technology players, start-ups, and software houses that are defining the standards for digital banking (Denecker et al., 2014), a basic question arises of ‘who will then own the customer?’

During the last decade, prior research in the broader area of m-banking and payment systems has conceptualized and proposed some versatile mobile-based payment systems. Strikingly, some of these efforts failed to achieve the expected results and others proposed mobile payment systems with limited functionality; mobile payment systems that further strengthen the NFAs or service providers; mobile payment systems that pay little attention to the regulatory issues, and the prior research has also on occasion overlooked the role of the banking institutions in these conceptualized payment systems. More precisely, Saxena et al. (2005) proposed a mobile-to-mobile payment system supported by Europay, MasterCard, and VISA (EMV) with thin functionality (payments are linked to only debit/credit accounts in a bank to pay at a merchant that should have an online EMV capable terminal). The proposed system had limited scalability and diversity of the services (it was designed only to be used on cell phones), and did not consider regulatory requirements or incorporate a near field communication (NFC) capability. Considering its significance and its usage in the proposed MBPS model, a cursory overview of NFC technology is provided in the following section.

Similar issues afflict another conceptualized mobile payment system based on real-time quick response (or QR) bar codes (Ma et al., 2015) primarily meant to support buying and selling transactions on all goods and products with QR barcode identification. According to Liu et al. (2008), the QR code, an automated data collection method, was developed in Japan by Denso Corporation during the early 1990s and was later recognized as a standard. Conceptualizing a general packet radio service (GPRS) mobile payment system based on radio frequency identification (RFID) technology, Liu et al. (2006) argued that their cell-phone based proposed payment system could be developed and managed by a telecom service provider to provide diverse mobile payment services. Considering their nature, RFID tags are small, wireless devices that help identify objects and people (Juels, 2006).

Although there is no globally accepted mobile payment system, our premise is that without the ownership or co-operation of any banking institute, the development and deployment of any payment system should be considered unsafe, to have a high probability of failure, and to jeopardize the interest of the consumer.

MBPS and NFC Technology

NFC facilitates communication between various mobile devices, which could greatly contribute to the democratization of mobile computing (Ondrus & Pigneur, 2007) as well as increased scalability. In addition, different, innovative ways have been identified whereby contactless or NFC-equipped devices could connect financial institutions, merchants, and retailers with their customers (Tan et al., 2014). NFC-embedded ATMs allow cash withdrawal and fund transfer facilities using any portable device as a form of access code. Owing to its necessity and convenience, NFC-enabled mobile payments have reached the mass market in Japan (De Reuver et al., 2014), Korea (i.e., Hana SK Card), Hong Kong (i.e., Octopus Card) and Singapore (i.e., Smart Card and EZ-link). According to IDTechEx (2014), over 200 million NFC-enabled mobile phones were recently shipped worldwide. NFC technology is widely considered as a convenient, safe and fast payment system which allows low value transactions at Point-of-Sale terminals such as kiosks or fast-food restaurants. In addition, a related stream of research (e.g., Halaweh and Al Qaisi, 2016; Ondrus and Pigneur, 2009) has considered NFC as one of the emerging technologies that has a great potential, making it convenient to process payments through mobile phones. Ondrus and Pigneur (2007) conducted a detailed systematic analysis and present NFC technology as a trendy but fundamental technology to facilitate the uptake of mobile payment systems. Consequently, any new scheme that does not support NFC payments seems to be incomplete and inefficient.

Differences Between MBPS and M-Wallets

There is potential for considerable confusion around the terms MBPS and m-wallet, and it is therefore important to distinguish them to establish the need to conceptualize the MBPS. The m-wallet was recently added to the digital banking portfolio (Gruenberg and Thompson, 2012) and allows users to pre-load payment account information on their mobile devices, such as smartphones, and to choose payment options. Consequently, the underlying assumption of creating an m-wallet was to allow non-bank account holders to conduct m-payment transactions. Some scientific and anecdotal evidence suggests that although m-wallets provide greater convenience to the consumers, their development has been erratic (e.g., Sahut, 2006), with little usefulness or trust (e.g., Shaw, 2015). In contrast, the MBPS will be initiated under a set of pre-defined rules and regulations; it is meant for regular account holders; and its ownership lies within a banking institute. The banking institutions, therefore, will continue to play a decisive role in facilitating an MBPS in collaboration with NFAs.

The Conceptualization of MBPS

The objective to conceptualize and propose the MBPS follows consideration of the proliferation of digital banking channels and the entry of new aggressive players and social networks, along with growing safety, security and regulatory concerns. The MBPS, as explained in the succeeding paragraphs, can be integrated seamlessly into the digital banking portfolio controlled and managed by the banking companies. The remarkable penetration rates of portable devices, combined with the hedonic nature of mobile phones and tablets (Lai et al., 2012) are hard to ignore, and it is difficult to imagine today’s “always on” consumers adopting any future development in the broader field of electronic business that does not account for mobile devices. Consequently, leveraging portable devices as well as the contactless, proximity or NFC technology to access financial information, conduct various transactions and perform a variety of financial and non-financial transactions is at the core of the MBPS. Incorporating the NFC-inherent tap & pay payment mechanism, the MBPS will allow its users to access proximity and remote banking options using a banking and payment application downloadable onto an NFC-enabled mobile device such as a smartphone or tablet.

This conceptualized MBPS is primarily meant for regular bank customers. As reported by Accenture (2013) in one of its extensive surveys involving 30,900 mobile consumers in 26 countries, the banks are the most trusted partner in terms of protecting consumers’ personal information (57% of the survey’s participants trust banks), while social networks such as Facebook appear to be the least trusted organizations (4% of the survey’s participants trust social networks). These results clearly suggest that the respondents favor banks as one of their trusted banking services providers. The MBPS is multi-faceted, in that it has many different features that represent the coverage and scope of the MBPS.
Those features are presented in Figure 1 below, which also illustrates that the MBPS is a convergence service (Lee et al., 2015) that brings together hitherto unconnected industries—banking and telecoms—to offer value-added services to their respective customers. The mobile telecommunication industry has significantly extended its boundaries since the early 1990s (Mazzoni et al., 2007) and now plays a crucial role and provides the necessary mobile infrastructure; the ownership of the MBPS will, however, remain with banking or microfinance institutions holding a banking license and with the appropriate infrastructure.

Figure 1. Scope and coverage of MBPS

The basic premise is that bank companies ensure oversight and regulatory compliance with national financial regulations and policy (Nyaga, 2014) and bank companies facilitate foreign exchange, clearing and settlement services (Jenkings, 2008) in the most secure and efficient way. Nonetheless, the telecom sector will retain the role of facilitator or business partner, depending upon the nature of regulatory framework governing how cross-industry participants can take advantage of technological innovations.

In addition, a strong emphasis is placed on the development and deployment of an integrated digital platform for the MBPS that can serve as a master repository across different products and services. The obvious consideration for banks and marketers, argued by Forrester Research (2012), for the development and deployment of an integrated digital platform is extensive functionality, security and the convenience of different customer segments, and the capability for seamless use on various portable devices such as smartphones and tablets. This integrated platform will gradually reduce, and in a few cases may eliminate, the need for the use of multiple applications and procedures supporting various channels (such as ATMs, POS, the internet and so forth), devices (smart phones and tablets) and payment cards (such as ATM, debit, credit and so forth). The MBPS can easily be hosted on a smart phone or tablet using a dedicated, secure and downloadable user interface and provide a variety of traditional and innovative mobile banking, payment and transfer services to bank customers. These innovative MBPS features will increase customer outreach, providing customers with enhanced security and convenience.

Finally, the MBPS is NFC-enabled. Prior research (e.g., Leong et al., 2013) has recognized NFC payment technology as the future of mobile payments and its usage as critical (Tan et al., 2014).
NFC has been considered an emerging payment technology and its presence in the payment ecosystem cannot be avoided. Considering these arguments and predictions, developing any banking product in future without accommodating NFC technology would be unwise.

MBPS and the Regulatory Environment

In the case of the MBPS, the objective is to streamline the regulations that are scattered between different digital banking channels and products into a more coherent set of prudent regulations. Consequently, the purpose is to create a common regulatory framework for both established players, such as banks, and emerging institutions, such as telecoms, Fintech firms, and start-ups. The benefits will be immense for the industry, regulators, policy makers, and service providers since a comprehensive and consolidated policy framework on the MBPS will create a level playing field for all stakeholders, including banking and NFAs. It will also effectively increase the regulatory and oversight mechanism and reduce the multiple rounds of customer due diligence (CDD) and know-your-customer (KYC) exercises, until now conducted separately when the consumer signs in or applies for bank accounts, credit cards, prepaid debit cards, and so forth. Unlike CDD, KYC is one of the critical regulatory requirements and requires verifying the identity of both new and existing customers who banks deal with. Without these controls, banks can be exposed to reputational, operational, and legal risks, which can result in significant financial cost (Bank for International Settlement, 2001).

In summary, the integrated functionality of the MBPS (previously scattered across various domains, such as branchless (or mobile) banking, ATMs, POS, and payment cards) will help policy makers, regulators, practitioners, banks, and other industry stakeholders prepare future policies, procedures, and regulations. The MBPS will, therefore, streamline CDD and KYC controls.

MBPS as a Designated Payment or Technological System

The designation criteria for payment systems will have a fundamental impact on the structure and process of the MBPS and provide several benefits to the retail banking institutions, NFAs and others. These payment systems designation criteria have somewhat surprisingly been overlooked by the mainstream research. After the explosion of financial applications, products, and services, in addition to the establishment of several non-bank organizations providing settlement and electronic transaction routing services to banking companies and their consumers, the regulators have begun to understand the necessity of supervising and regulating payment systems. Consequently, a separate set of laws and regulations on designating a payment system as a designated payment system were enacted in many countries including the UK (Payment systems regulators, 2014); Europe (Systemically important payment systems, 2014); Singapore (Payment Systems Oversight Act, 2007); Pakistan (Payment systems and electronic fund transfer act, 2007); Australia (Payment systems regulation act, 1998); Malaysia (The Payment systems act, 2003) and so forth. In a few cases, prior research (e.g., M’Chirgui, 2005) used the term technological systems instead of the term payment systems.

In its current manifestation, the payment system laws entail the entities developing, distributing, and offering innovative banking, payments and even fund transfer services and products being required to be ‘designated’ under the payment systems regulations and their ‘designation’ as a designated payment system is obligatory. The need for a designated payment system and its significance in bringing stability to the financial markets have been established in prior research as well as in popular market and regulatory reports.
For instance, one of the major advantages associated with the designation criteria is that a designated payment system will bring the payment system players under the scope of regulation and thereby protect the interest of the consumers as well as all the parties in the system. In addition, Akhtar (2007) argues that a designated payment system provides standards for protection of the consumer and determines the respective rights and liabilities of the financial institutions and other service providers (commonly known as third parties), their customers, and other participants. Here Asokan et al. (1997) found that in addition to flexibility of use, a properly designed e-payment system can provide better security than traditional means of payment. At the very least, designation criteria require that each player in the value chain has a clear financial incentive as well as a responsibility to participate in and actively promote the service (Mas, 2009). Consequently, the banks, telecoms, and other industry stakeholders involved in designing,
implementing and maintaining MBPS services and applications should operate under a well-defined regulatory framework, supervised by the regulatory authorities—commonly, but not exclusively, the central banks and telecommunication authorities—to protect the interests of consumers, substantially reducing systemic and operational risks, promoting financial system stability and increasing consumer trust.

CONCLUSION

This paper examines the current state of innovative banking systems, products and services, and helps move the existing electronic banking environment toward a more coherent and sustainable mobile banking paradigm. The authors have analyzed the contemporary and historical literature, laws, regulations and policy documents on digital banking, popular market reports and the regulatory framework, highlighting significant gaps and discussing the operational and regulatory challenges faced by the retail banking institutions in managing a huge, diverse, and heterogeneous array of delivery channels consisting of different products and services. Prior to the financial crises of 2007–2010, NFAs were operating as niche providers concentrating on a select range of products, and operating through partnerships with existing banks (Worthington and Welch, 2011). However, learning from the financial crisis experience, NFAs started developing into full-service retail banking products and service providers but without any regulatory or oversight framework. The emergence of these new players in the mobile payment market makes it evident that banks and credit card companies need to take an active role in this revolution (Gupta, 2013). As clearly stipulated by Worthington and Welch (2011), if the financial crisis created new opportunities, it also introduced new threats. This paper has conceptualized and proposed a new mobile banking system it calls the MBPS. The MBPS is a multi-functional mobile system allowing various banking and payment transactions using a single downloadable fat application on any NFC-enabled mobile device such as a smartphone or tablet. Similarly, leveraging mobile and other portable devices for accessing financial information, conducting financial and non-financial transactions and performing a variety of payments is at the core of the MBPS.
Dahlberg et al. (2008) note how the m-payment products, services, and markets are currently in transition, and have a history of numerous failed innovations, and a future of promising but as yet uncertain possibilities. This new mobile banking system has been conceived and proposed considering the uncertainties predicted in the m-payment market, the emergence of new players and NFAs, as well as an inevitable growth seen in the adoption and usage of mobile devices such as smartphones and tablets globally. For example, Juniper Research (2013) finds that over 1.75 billion mobile phone users will have used their devices for banking purposes by the end of 2019, compared to 800 million this year. In light of the huge growth and potential that has been predicted in the adoption and usage of mobile devices for banking purposes in the not too distant future, mobile will outperform other digital banking channels and products.

IMPLICATIONS, LIMITATIONS AND FUTURE RESEARCH DIRECTIONS

Our arguments on the MBPS offer some contributions to theory and practice. This study advances the literature on m-banking by providing new insights and a comprehensive understanding of payment systems,
digital banking, and designation criteria. Although previous research has identified several antecedents and consequences of behavioral intention to adopt and use m-banking services (e.g., Hanafizadeh et al., 2014a) in developed and developing countries, our research extends these lines of study by presenting a new mobile payment system model; one capable of empowering financial institutions and the regulatory authorities to address growing privacy and security issues and protect the consumer interest, which should encourage its adoption and usage across several markets. In terms of practical implications, findings from this study show that commercial banks have not fully realized the implications of the payment systems criteria, despite the presence of a necessary regulatory framework on ‘designated payment systems’. The industry, that is, banks, telecoms and so forth, therefore, needs to consider the designation criteria as critical when offering mobile payment services to a widely dispersed population. After all, a safe and efficient payment system is critical to the effective functioning of the financial systems and to build consumer trust (European Central Bank, 2010). Similarly, the power of partnerships and outsourcing can make visible differences. The MBPS does not entail banks necessarily developing, deploying and managing the system by themselves; rather a broader understanding is required to fully understand its implications. The authors’ perception is that it is very unlikely that the development and deployment of the MBPS would be possible without collaboration with other market participants, especially given that banks usually struggle to develop and deploy innovative technological platforms to their customers at the pace at which customers adopt these new technologies. 
As a result, banks are at a remarkable disadvantage and risk losing their customers as more agile intermediaries and third parties capture the benefit of the innovation (King, 2013, p.29). In the same vein, a strong convergence mechanism (where the companies from different industries collaborate on the development and deployment of a product or service) will facilitate the development of an MBPS where retail banks, microfinance institutions, telecoms, and payment associations such as VISA, MasterCard, and Union Pay can collaborate and work under a well-defined and properly regulated mechanism to provide value-added services to new and existing consumers. It is, therefore, paramount that the laws, regulations, and market standards pertaining to mobile banking and payment services should be holistic and designed with a coordinated approach and an underlying assumption that they will strengthen the regulatory framework, allowing third parties to develop superior solutions, and facilitate new payment providers so as to encourage competition and create greater choice, options and convenience for consumers. Despite our careful study design, it is not without limitations. First and foremost is the validation of our conceptual model. As per an agreed protocol, after constructing and suggesting a conceptual model, such as MBPS, the research needs to validate the model with the users who have either used or intend to use a mobile and payment system. According to Shanks et al. (2003), failure to validate the model might lead to the failure of subsequent system design, implementation and usage activities. Moreover, if these defects are not discovered and corrected until late in the development process, they are often costly to correct. Validating a conceptual model is thus critical to successful system development and deployment (Shanks et al., 2003).
Future research validating the conceptualized and proposed MBPS with users, preferably in a developed country setting where the infrastructure supporting e-payment systems has been in place (Kim et al., 2010) for a few decades, and which features a large consumer base using different e-payment systems should be encouraged. Second, although the authors made considerable efforts to conceptualize a versatile and designated mobile banking model, our conceptualization is not perfect. In particular, the MBPS is meant to benefit regular account holders and endeavors to serve the community with banking facility in different countries.
A more holistic approach may require future research to cover all the segments of consumers, especially the unbanked and under-banked rural and urban groups. In addition, the banking companies and other stakeholders investigating the MBPS must understand that consumers usually value the reliability of such digital services and that trust in services is built and increased via learning and awareness processes (Arvidsson, 2014). It implies that consumers’ increasing awareness and their learning to use the service will probably increase the level of trust. Third, we have deliberately omitted the financial inclusion programs from the scope of the MBPS. Financial inclusion programs have been initiated in several emerging and developing countries following research findings indicating their importance to both government and society (e.g., Koku, 2015). Similarly, mobile payment systems have been identified as a significant driver contributing to the development and economic growth in developing and emerging countries when compared to other e-payment systems (Mwafise and Stapleton, 2012). Future research should examine these dimensions when putting forward any new MBPS. Fourth, this study has postulated that designation criteria provided several benefits to the banks, service providers and consumers, such as allowing better service development and better customer relationship management by way of increasing customer satisfaction and trust. However, given the structure of our conceptualization, we are unable to justify the designation criteria for the MBPS. That is largely due to the lack of research on designated payment systems and their benefits to the banking industry and other stakeholders. Prior research (e.g., Liébana-Cabanillas et al., 2014; Su et al., 2013) has, however, considered mobile payment systems and examined the antecedents of adoption, but the designation of such mobile payment systems as a designated payment system is missing.
We encourage future studies to unpack the true benefits of ‘designating’ and its benefit to different stakeholders, enhancing the supervisory portfolio and protecting the interests of the consumer. After all, banks may not be able to sustain another round of financial crises in the future.

REFERENCES

Abrazhevich, D. (2001, September). Classification and characteristics of electronic payment systems. Proceedings of the International Conference on Electronic Commerce and Web Technologies (pp. 81–90). Springer Berlin Heidelberg. doi:10.1007/3-540-44700-8_8
Accenture. (2013). Mobile Web Watch 2013: The new persuaders. Retrieved from http://www.accenture.com/SiteCollectionDocuments/PDF/Technology/accenture-mobile-web-watch-2013-survey-newpersuaders.pdf
Akhtar, S. (2007). Building inclusive financial system in Pakistan. Retrieved from www.sbp.org.pk/about/.../Draft-Agriculture-PRs-18-04-05.pdf
Allen, F., Demirguc-Kunt, A., Klapper, L., & Peria, M. S. M. (2012). The Foundations of Financial Inclusion. World Bank Policy Research Working Paper.
Angelakopoulos, G., & Mihiotis, A. (2011). E-banking: Challenges and opportunities in the Greek banking sector. Electronic Commerce Research, 11(3), 297–319. doi:10.100710660-011-9076-2

Arvidsson, N. (2014). Consumer attitudes on mobile payment services–results from a proof of concept test. International Journal of Bank Marketing, 32(2), 150–170. doi:10.1108/IJBM-05-2013-0048
Asokan, N., Janson, P. A., Steiner, M., & Waidner, M. (1997). The state of the art in electronic payment systems. Computer, 30(9), 28–35. doi:10.1109/2.612244
Bank for International Settlement. (2001). Retrieved from http://www.bis.org/publ/bcbs85.pdf
Barnes, S. J., & Corbitt, B. (2003). Mobile banking: Concept and potential. International Journal of Mobile Communications, 1(3), 273–288. doi:10.1504/IJMC.2003.003494
Bezovski, Z. (2016). The Future of the Mobile Payment as Electronic Payment System. European Journal of Business and Management, 8(8), 127–132.
Bohlin, E., Shaikh, A. A., & Hanafizadeh, P. (in press). Banking on social networking sites – A case study of 100 top-notch global banks (working paper).
Bons, R. W., Alt, R., Lee, H. G., & Weber, B. (2012). Banking in the Internet and mobile era. Electronic Markets, 22(4), 197–202. doi:10.100712525-012-0110-6
Cowton, C. J. (1998). The use of secondary data in business ethics research. Journal of Business Ethics, 17(4), 423–434. doi:10.1023/A:1005730825103
De Reuver, M., Verschuur, E., Nikayin, F., Cerpa, N., & Bouwman, H. (2014). Collective action for mobile payment platforms: A case study on collaboration issues between banks and telecom operators. Electronic Commerce Research and Applications, 14(5), 331–344. doi:10.1016/j.elerap.2014.08.004
Denecker, O., Gulati, S., & Niederkorn, M. (2014). The digital battle that banks must win. Retrieved from http://www.mckinsey.com/insights/financial_services/the_digital_battle_that_banks_must_win
Dahlberg, T., Mallat, N., Ondrus, J., & Zmijewska, A. (2008). Past, present and future of mobile payments research: A literature review. Electronic Commerce Research and Applications, 7(2), 165–181. doi:10.1016/j.elerap.2007.02.001
European Central Bank. (2010). The payment system. Retrieved from https://www.ecb.europa.eu/pub/pdf/other/paymentsystem201009en.pdf
Financial Services (Banking Reform) Act. (2013). Retrieved from http://www.legislation.gov.uk/ukpga/2013/33/pdfs/ukpga_20130033_en.pdf
Forrester Research. (2012). The state of mobile banking 2012. Retrieved from http://interact.f5.com/rs/f5/images/Forrester%20Report%20The%20State%20of%20Mobile%20Banking%202012.pdf
Gao, S., Krogstie, J., Chen, Z., & Zhou, W. (2014). Lifestyles and mobile services adoption in China. International Journal of E-Business Research, 10(3), 36–53. doi:10.4018/ijebr.2014070103
Gruenberg, M. J., & Thompson, S. L. (2012). Retrieved from https://www.fdic.gov/regulations/examinations/supervisory/insights/siwin12/SIwinter12.pdf
Gupta, S. (2013). The mobile banking and payment revolution. European Finance Review, 2, 3–6.

Halaweh, M., & Al Qaisi, H. (2016). Adoption of Near Field Communication (NFC) for Mobile Payments in the UAE: A Merchants Perspective. International Journal of E-Business Research, 12(4), 38–56. doi:10.4018/IJEBR.2016100103
Hall, S. P., & Anderson, E. (2009). Operating systems for mobile computing. Journal of Computing Sciences in Colleges, 25(2), 64–71.
Hanafizadeh, P., Behboudi, M., Koshksaray, A. A., & Tabar, M. J. S. (2014a). Mobile-banking adoption by Iranian bank clients. Telematics and Informatics, 31(1), 62–78. doi:10.1016/j.tele.2012.11.001
Hanafizadeh, P., Keating, B. W., & Khedmatgozar, H. R. (2014b). A systematic review of Internet banking adoption. Telematics and Informatics, 31(3), 492–510. doi:10.1016/j.tele.2013.04.003
He, F., & Mykytyn, P. P. (2007). Decision Factors for the Adoption of an Online Payment System by Customers. International Journal of E-Business Research, 3(4), 1–32. doi:10.4018/jebr.2007100101
Heaton, J. (2003). Secondary data analysis. The AZ of Social Research (pp. 285–288). London: Sage.
Henniaux, E. (2014). Mobile Banking Strategy-What are the key success factors? Retrieved from http://www.pwc.lu/en/press-articles/2014/mobile-banking-strategy-what-are-the-key-success-factors.jhtml
IDTechEx. (2014). Near Field Communication (NFC)-2014-2024 Mobile phone and other NFC: market forecasts, technology, players. Retrieved from http://www.idtechex.com/research/reports/near-fieldcommunication-nfc-2014-2024-000363.asp
International Finance Corporation. (2014). Alternative delivery channels and technology. Retrieved from http://www.ifc.org/wps/wcm/connect/5d99c500477262e89844fd299ede9589/ADC+Handbook+-+2014.pdf?MOD=AJPERES
Jagannathan, V., Balasubramanian, S., & Natarajan, T. (2016). A modified approach for information systems success in the context of internet banking using structural equation modelling with r: an empirical study from India. International Journal of E-Business Research, 12(3), 26–43. doi:10.4018/IJEBR.2016070103
Jenkings, B. (2008). Developing Mobile Money Ecosystems. Washington, DC: IFC and the Harvard Kennedy School.
Juels, A. (2006). RFID security and privacy: A research survey. IEEE Journal on Selected Areas in Communications, 24(2), 381–394. doi:10.1109/JSAC.2005.861395
Juniper Research. (2013). Mobile banking: handset & tablet market strategies 2013-2017. Retrieved from http://www.juniperresearch.com/viewpressrelease.php?pr=356
Karjaluoto, H., Mattila, M., & Pento, T. (2002). Factors underlying attitude formation towards online banking in Finland. International Journal of Bank Marketing, 20(6), 261–272. doi:10.1108/02652320210446724
Kim, C., Tao, W., Shin, N., & Kim, K. S. (2010). An empirical study of customers perceptions of security and trust in e-payment systems. Electronic Commerce Research and Applications, 9(1), 84–95. doi:10.1016/j.elerap.2009.04.014

King, B. (2013). BANK 3.0: Why banking is no longer somewhere you go, but something you do. Singapore: Marshall Cavendish.
Koku, P. S. (2015). Financial exclusion of the poor: A literature review. International Journal of Bank Marketing, 33(5), 1–26. doi:10.1108/IJBM-09-2014-0134
Kuisma, T., Laukkanen, T., & Hiltunen, M. (2007). Mapping the reasons for resistance to Internet banking: A means-end approach. International Journal of Information Management, 27(2), 75–85. doi:10.1016/j.ijinfomgt.2006.08.006
Kurila, J., Lazuras, L., & Ketikidis, P. H. (2016). Message framing and acceptance of branchless banking technology. Electronic Commerce Research and Applications, 17, 12–18. doi:10.1016/j.elerap.2016.02.001
Lai, J. Y., Debbarma, S., & Ulhas, K. R. (2012). An empirical study of consumer switching behaviour towards mobile shopping: A Push–Pull–Mooring model. International Journal of Mobile Communications, 10(4), 386–404. doi:10.1504/IJMC.2012.048137
Laukkanen, T. (2016). Consumer adoption versus rejection decisions in seemingly similar service innovations: The case of the Internet and mobile banking. Journal of Business Research, 69(7), 2432–2439. doi:10.1016/j.jbusres.2016.01.013
Lee, H., Harindranath, G., Oh, S., & Kim, D. J. (2015). Provision of mobile banking services from an actor–network perspective: Implications for convergence and standardization. Technological Forecasting and Social Change, 90, 551–561. doi:10.1016/j.techfore.2014.02.007
Leong, L. Y., Hew, T. S., Tan, G. W. H., & Ooi, K. B. (2013). Predicting the determinants of the NFC-enabled mobile credit card acceptance: A neural networks approach. Expert Systems with Applications, 40(14), 5604–5620. doi:10.1016/j.eswa.2013.04.018
Liébana-Cabanillas, F., Sánchez-Fernández, J., & Muñoz-Leiva, F. (2014). Antecedents of the adoption of the new mobile payment systems: The moderating effect of age. Computers in Human Behavior, 35, 464–478. doi:10.1016/j.chb.2014.03.022
Liu, W., Zhao, C., Zhong, W., Zhou, Z., Zhao, F., Li, X., . . . Kwak, K. (2006, November). The GPRS mobile payment system based on RFID. Proceedings of the International Conference on Communication Technology ICCT ‘06 (pp. 1-4). IEEE. doi:10.1109/ICCT.2006.342034
Liu, Y., Yang, J., & Liu, M. (2008, July). Recognition of QR code with mobile phones. Proceedings of the 2008 Chinese Control and Decision Conference (pp. 203-206). IEEE. doi:10.1109/CCDC.2008.4597299
Ma, T., Zhang, H., Qian, J., Hu, X., & Tian, Y. (2015, January). The Design and Implementation of an Innovative Mobile Payment System Based on QR Bar Code. Proceedings of the 2015 International Conference on Network and Information Systems for Computers (pp. 435-440). IEEE. doi:10.1109/ICNISC.2015.35
Mas, I. (2009). The economics of branchless banking. Innovations, 4(2), 57–75. doi:10.1162/itgg.2009.4.2.57
Mazzoni, C., Castaldi, L., & Addeo, F. (2007). Consumer behavior in the Italian mobile telecommunication market. Telecommunications Policy, 31(10), 632–647. doi:10.1016/j.telpol.2007.07.009

M’Chirgui, Z. (2005). Smart card industry: A technological system. Technovation, 25(8), 929–938. doi:10.1016/j.technovation.2004.02.004
Mortimer, G., Neale, L., Hasan, S. F. E., & Dunphy, B. (2015). Investigating the factors influencing the adoption of m-banking: A cross cultural study. International Journal of Bank Marketing, 33(4), 442–456. doi:10.1108/IJBM-07-2014-0100
Mwafise, A. M., & Stapleton, L. (2012). Determinants of User Adoption of Mobile Electronic Payment Systems for Microfinance Institutions in Developing Countries: Case Study Cameroon. IFAC Proceedings Volumes, 45(10), 38-43.
Nyaga, J. K. (2014). Mobile banking services in the East African community (EAC): Challenges to the existing legislative and regulatory frameworks. Journal of Information Policy, 4, 270–295. doi:10.5325/jinfopoli.4.2014.0270
Ondrus, J., & Pigneur, Y. (2007). An assessment of NFC for future mobile payment systems. Proceedings of the Sixth IEEE International Conference on Mobile Business (ICMB). doi:10.1109/ICMB.2007.9
Ondrus, J., & Pigneur, Y. (2009). Near field communication: an assessment for future payment systems. Information Systems and E-Business Management, 7(3), 347-361. doi:10.1109/ICMB.2007.9
Pires, G. D., Stanton, J., & Rita, P. (2006). The internet, consumer empowerment and marketing strategies. European Journal of Marketing, 40(9/10), 936–949. doi:10.1108/03090560610680943
Sahut, J. M. (2006). Electronic wallets in danger. Journal of Internet Banking and Commerce, 11(2), 2006–2008.
Saxena, A., Das, M. L., & Gupta, A. (2005, July). MMPS: a versatile mobile-to-mobile payment system. Proceedings of the International Conference on Mobile Business (pp. 400-405). IEEE. doi:10.1109/ICMB.2005.61
Shaikh, A. A., & Karjaluoto, H. (2015). Mobile banking adoption: A literature review. Telematics and Informatics, 32(1), 129–142. doi:10.1016/j.tele.2014.05.003
Shaikh, A. A., Karjaluoto, H., & Chinje, N. B. (2015a). Continuous mobile banking usage and relationship commitment–A multi-country assessment. Journal of Financial Services Marketing, 20(3), 208–219. doi:10.1057/fsm.2015.14
Shaikh, A. A., Karjaluoto, H., & Chinje, N. B. (2015b). Consumers’ perceptions of mobile banking continuous usage in Finland and South Africa. International Journal of Electronic Finance, 8(2/3/4), 149-168.
Shaikh, A. A., & Shah, S. M. M. (2012). Auto Teller Machine (ATM) Fraud-Case Study of a Commercial Bank in Pakistan. International Journal of Business and Management, 7(22), 100–109. doi:10.5539/ijbm.v7n22p100
Shaikh, A. A., & Karjaluoto, H. (2016). On Some Misconceptions Concerning Digital Banking And Alternative Delivery Channels. International Journal of E-Business Research, 12(3), 1–16. doi:10.4018/IJEBR.2016070101

Shanks, G., Tansley, E., & Weber, R. (2003). Using ontology to validate conceptual models. Communications of the ACM, 46(10), 85–89. doi:10.1145/944217.944244
Shaw, N. (2015). Younger Persons are More Likely to Adopt the Mobile Wallet than Older Persons, or are they? The Moderating Role of Age. Proceedings of the Twenty-first Americas Conference on Information Systems, Puerto Rico.
Smith, E. (2008). Pitfalls and promises: The use of secondary data analysis in educational research. British Journal of Educational Studies, 56(3), 323–339. doi:10.1111/j.1467-8527.2008.00405.x
Sørensen, H. T., Sabroe, S., & Olsen, J. (1996). A framework for evaluation of secondary data sources for epidemiological research. International Journal of Epidemiology, 25(2), 435–442. doi:10.1093/ije/25.2.435 PMID:9119571
Su, H., Wen, X., & Zou, D. (2013). A Secure Credit Recharge Scheme for Mobile Payment System in Public Transport. IERI Procedia, 4, 303–308. doi:10.1016/j.ieri.2013.11.043
Tan, G. W. H., Ooi, K. B., Chong, S. C., & Hew, T. S. (2014). NFC mobile credit card: The next frontier of mobile payment? Telematics and Informatics, 31(2), 292–307. doi:10.1016/j.tele.2013.06.002
Wonglimpiyarat, J. (2014). Competition and challenges of mobile banking: A systematic review of major bank models in the Thai banking industry. The Journal of High Technology Management Research, 25(2), 123–131. doi:10.1016/j.hitech.2014.07.009
Worthington, S., & Welch, P. (2011). Banking without the banks. International Journal of Bank Marketing, 29(2), 190–201. doi:10.1108/02652321111107657

This research was previously published in the International Journal of E-Business Research (IJEBR), 13(2); edited by Payam Hanafizadeh and Jeffrey Hsu, pages 14-27, copyright year 2017 by IGI Publishing (an imprint of IGI Global).

Chapter 6

A Survey of Research in Real-Money Trading (RMT) in Virtual World

Mohamed Nazir
James Cook University, Australia

Carrie Siu Man Lui
James Cook University, Australia

ABSTRACT

This paper presents a set of data relating to the investigation of RMT in the virtual world (VW) and social capital associated with RMT platforms. The investigation is carried out using five main research databases: Science Direct; Emerald Insight; Springer Link; Proquest Database; and IEEE Xplore; with a total of 161 research papers. The objective of this survey study is to highlight areas of strength and weakness in current RMT research in VW and its social capital. This study also presents the basic RMT classification based on these previous studies.

INTRODUCTION

Real-Money Trade (RMT) has multidimensional facets that represent a significant element in the developing Virtual World (VW) economies. This new phenomenon requires new ways of thinking, and explicit initiatives to explore RMT from a variety of different angles. In an era in which virtual communities and RMT are so prevalent in people’s daily online lives, research can make a valuable contribution to understanding and improving RMT, and to provide evidence to guide policies and practices. The challenge when undertaking studies in RMT is the complexity of the many elements affecting RMT in the VWs. Many distinct but related factors need to be taken into consideration when researching RMT, such as RMT users’ demographics, different users’ behaviour in the different VWs, purchasing intention, and purchasing behaviour. At the same time, a range of secondary elements also need to be considered, such as virtual communities and social capital, each of which has proven to play a critical and important role in RMT (Huvila, Holmberg, Huvilo, Ek, & Widden-Wolfe, 2010).

DOI: 10.4018/978-1-5225-6201-6.ch006

Copyright © 2019, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

This research is designed to explain the different facets affecting RMT, in order to present a basic RMT classification framework. In order to identify any areas that are not adequately discussed in previous academic studies, this study reviews and classifies the publications that have been carried out in the RMT and Virtual Economy (VE) area. The classification covers keywords such as: real-money trade; real-cash economy; virtual economy; virtual marketplace; social capital, etc. This research is organised in the following manner: background section provides a background about VWs, gaming VWs, social VWs, RMT, and social capital. Research methods section highlights the previous publications’ research methods, research classifications, research types, and research characteristics. Results section outlines the results, research types, while mapping previous studies and RMT classifications, and providing a list of all the publications reviewed in the search. Conclusion and discussion is the summary of the research paper and its finding.

BACKGROUND AND MOTIVATIONS

VWs are computer simulated virtual environments, represented in three-dimensions (3D), in which users have a specific goal to achieve (game oriented VW), or in which users have no specific goal (social oriented VW). According to VW research institute KZero (2012), the total number of registered users of VWs had reached 1700 million by the fourth quarter of 2011. In September 2016, more than 47 million users were registered in Second Life (SL) alone (Voyager, 2016), with 900,000 active users a month in 2015 who get payouts of US$60 million in real world money every year (Weinberger, 2015). Not only are there a great many users active and registered in VWs, but there are many hours spent in these simulated environments (in-game/in-world). Based on Linden Lab’s findings (2013), SL users have spent the equivalent of 217,266 years of time in-world during the last 10 years in 2013 (Linden Lab, 2013). VWs have created significant virtual economies which involve a significant amount of real money. The record for the highest real life price paid for a virtual asset was around US$300,000 (Scarle et al., 2012). It has been reported by Thomas (2010) that Buzz Erik Lightyear, an avatar who is owned by Erik Novak, bought Crystal Palace Space Station in the MMORPG Planet Calypso/Entropia Universe with US$330,000. The sale price includes the ownership of the station, surrounding land, as well as associated virtual hunting and mining rights (Thomas, 2010). Erik Novak commented on this purchase, saying “this is a stunning investment opportunity and I have complete faith I will recover what I spent relatively quickly” (Thomas, 2010). Moving to SL, it was reported in Business week by Hof (2006) that Anshe Chung is the first virtual millionaire in VW. Anshe Chung became the first real world millionaire to have generated her wealth entirely from investments in her VW business. She specializes in virtual assets, where she creates virtual real estate and crafts its landscape, selling or renting these to other users in SL (Hof, 2006). Below are samples of significant RMT related milestones in SL and EU.

Significant RMT Related Milestones in Second Life (SL)

• In 2006, it is reported that Anshe Chung (a SL resident whose real name is Ailin Graef, and who lives in Frankfurt) became the first SL millionaire. Anshe has accrued over one million US$ of net worth in RMT inside SL. She accumulated this wealth over a period of two and a half years, with an initial investment of only US$9.95 for opening a premium account in SL (Hof, 2006);
• Similar entrepreneurship from several SL residents has also resulted in substantial RMT. For instance, Kevin Alderman sold adult-oriented digital simulation of Amsterdam for US$50,000 (Chiang, 2010). The virtual art world called RMB city created by Cao Fei was sold for US$100,000 to collectors, providing 2 years’ access rights to the art world (Nino, 2008);
• In January 2008, several virtual banks were created in SL, which provide services similar to those of banks in the real world (Chambers, 2011). These banks provided attractive interest rates to SL residents who deposited their Linden Dollars there. One of the virtual banks, GinKo Financial, collapsed, and with it lost all of the investments of the avatars who had deposited there (Chambers, 2011; Scarle et al., 2012);
• SL banned all in-world gambling activities which affected all virtual banks in SL (Scarle et al., 2012). The SL terms of service prohibit any virtual entity from providing interests or any similar type of direct return on investment - unless the entity has an applicable government registration statement or financial institution charter (Scarle et al., 2012).

Significant RMT Related Milestones in Entropia Universe (EU)

• In 2004, the virtual Treasure Island was sold for US$26,500 to a 22-year-old player, David Storey (BBC News, 2005). Later in 2006, 3 virtual shopping malls also sold at record prices of US$179,688 (Irvine, 2007). Also of note is another transaction; Jon Jacobs, an English actor, mortgaged his house in the real world to buy a virtual asteroid for about US$100,000. Jon’s investment gave him a half-million return when he sold the asteroid for US$635,000;
• In 2011, citizenship and revenue sharing systems and Calypso Land Deeds were introduced in Planet Calypso within EU (MindArk, 2011). Calypso Land Deed holders receive a share of 50% of the planet’s gross revenue, payable monthly, and also have political voting rights on the planet. Similarly, the Arkadia Underground Deeds offered by Planet Arkadia allow holders to share in the revenues of Arkadia Underground and receive dividends on a daily basis. These deeds represent a collaborative investment and profit sharing scheme in RMT (MindArk, 2011);
• In 2013, a group of EU players jointly funded US$150,000 to obtain the development and management rights to operate their own moon in EU (Entropia Universe, 2013; McGlaun, 2013);
• In 2014, Planet Arkadia, a virtual planet in the EU, allowed players of the Arkadia Underground game to participate in up to 200,000 deeds for 50 PED each. The selling of 200,000 deeds at this initial price makes Planet Arkadia the world’s first million-dollar virtual property (PRNewswire, 2014);
• In June 2014, Stable Estates became available for auction in various planets in EU. The players who own the stable can generate revenue by charging other players in EU for services supplied by the stables (Entropia Universe, 2014; Virtual Sense, 2014). These services include hosting and training other players’ pets. Better services provided by the stables will help the players’ pets to progress faster, and to perform better in contests and competitions.

VW provides a unique communication and social platform for users to participate in different activities that may or may not involve RMT. VWs have been classified into two main types, a classification that is based on the motivation of the user: game oriented VW (GVW); and social oriented VW (SVW) (Bainbridge, 2007; Henttonen et al., 2009). Several previous studies have investigated users’ motivations for involvement in GVWs (Hunter, 2006; Yee, 2006), while some studies have also been conducted to examine users’ motivation for using SVW.

GVW users create their character (avatar), which enables them to interact within the virtual platform. They can interact, via their avatar, with virtual items, and with other users. Avatars are created using different sets of groups, classes, types, and races as a digital representation of the user. In general, users begin with a low-level avatar, and during the game a user’s primary goal is to develop their avatar’s skills and abilities, attempting to make them more powerful compared to other avatars. Taking World of Warcraft (WoW) as an example, users get involved in thousands of quests while exploring the game. By completing these quests, they will learn new skills and improve their abilities, in addition to acquiring weapons, tools, and a wide array of other digital items (Zhang & Kaufman, 2015). GVW platforms encourage team play and group formation, where groups have the ability to complete the same quest to get mutual benefits. This group work generates a high profile for social-capital-friendly environments within the VW. Social groups, also referred to as guilds in GVW, require engagement and commitment, in the same way that real life social groups do. Group players in GVWs need to fulfil the roles in the group, which are kill, irritate, and preserve. The success of any group is based on that group’s ability to balance the fulfilment of these three essential roles (F. Zhang & Kaufman, 2015). Strong relationships of trust and contacts are developed in such a competitive group-based environment as that offered in GVWs. These trust relationships and social capital are based on their characters’ actions, attributions, and the network of affiliations (Dickey, 2007).
SVWs, however, are designed to replicate a real-life experience, allowing different types of interaction between users with extended and unlimited experience (the sky is the limit). Users can craft, buy, and sell products and services, dance, drive, eat, marry, and so forth; that is, they can live an entire virtual life (Mäntymäki & Salo, 2013; Zhou, Jin, Vogel, Fang, & Chen, 2011). In the research model developed by Sharma, Qiang, Wenjun, and Qi (2013), the users’ motivations were classified into four factors: technology; social networking; entertainment; and making revenue. Similarly, a study conducted by Hassouneh and Brengman (2014) found that making friendships is the main reason or motivation to join SVWs. The other factors found in this research are: to escape reality; be a role player; achievement (make business and generate revenue); seeking relationship; and manipulation (Hassouneh & Brengman, 2014).

There are innovative and trusting social interactions taking place in both SVWs and GVWs. These kinds of interaction have attracted the interest of researchers attempting to understand the nature of social capital as it is organically developed in massively multiplayer online role-playing games (MMORPGs). Several empirical studies have attempted to explain the relationship between VWs and social capital. It is widely agreed that playing MMORPGs leads to a bridging of social capital (Huvila et al., 2010; F. Zhang & Kaufman, 2015; Zhong, 2011). Most of these studies are focused on a specific target country or platform, such as Zhong’s (2011) study, which has Chinese online games as the target group, and Huvila et al. (2010), whose study is restricted to SL only and does not consider other VWs. Several research papers available compare different VWs from different groups or categories (such as GVWs vs. SVWs). Over the past ten years, there has been an increased focus on economic, RMT, and social impact on VW communities. However, the absence of any clear understanding of the RMT platforms, alongside limited economic classification of the different business models in the different VWs, makes it more difficult to evaluate the business opportunities in such virtual environments.


By filtering the type of research that looks at RMT and RMT’s social impact in VWs, which contributes to a better understanding of the virtual platform from a business point of view, the result shows that this field of research - although attracting a lot of attention in the media - has been the subject of limited studies to date. By looking at the amount of research that has so far been conducted, it is possible to conclude whether the research area is progressing systematically from simply describing and theorising problems to evaluating strategies, while investigating those that are effective and efficient. For research to make a valuable contribution to the research field, it needs to involve a wide range of measurements, including quantitative, qualitative, mixed methodologies, etc. (Boaz, Ashby, & Young, 2002): research of this kind is, as yet, very limited in the existing studies.

Research quality is critical for researchers and academics. Research quality is measured by the quality of the methodological rigour used to conduct the research. Research which lacks methodological rigour can be criticized as invalid and unreliable (The Cochrane Collaboration, 2008). On the other hand, some researchers argue that the usefulness of research should be derived from its trustworthiness, and that this is sufficient to assure its validity, reliability and objectivity regardless of the methodological background (The Cochrane Collaboration, 2008). In this research, we will be considering the research quality while examining previous studies that cover the area of interest: RMT. This will ensure that the research results are valid, reliable, and trustworthy. However, no standard approach for assessing quality is suitable for all research.

RESEARCH METHOD

Research Output: Type and Focus

Our research uses a qualitative technique, which we applied through a number of phases based on:

• Total number of potential research studies;
• Classifying them based on whether they are RMT related or not;
• Classifying them based on the research type.

Data Sources

RMT is a broad research field, one that includes a range of different disciplines, as RMT research is integrated with other areas of research. We were expecting to collect relevant publications from a variety of different databases. In order to identify the suitable databases, we began by searching the university’s database sets to collect a list of those papers most relevant to RMT. We selected Science Direct, Emerald Insight, Springer Link, ProQuest and IEEE Xplore to locate RMT publications during the period 1 January 2005 to 16 November 2015. The database selection was based on discussion with the supervisor, as we have been advised that these five databases contain most of the research papers that are related to our research topic (VE and/or RMT). Research papers selected include the following terms in the title, abstract or keywords: real money trade, real cash economy, virtual economy, social capital, virtual products, and virtual goods. We have been looking only at research written in English. Papers relating to issues other than RMT and VE were excluded from our review.


Classification of Publications

In a first phase of Stage 1, we classified research papers (107 in total) according to: (a) research type; (b) research area or scope. In a second phase, we eliminated publication abstracts (21 in total). We then eliminated research and studies that are news or editorial (9 in total), then eliminated research and studies that are not directly related to RMT or VE (tourism, IT infrastructure, medical and health, etc.), then further eliminated the research and studies which have been published in conferences and not in journals (13 in total) (Figure 1). This left 15 measurement research papers, either quantitative or qualitative, and 16 descriptive research papers.

Figure 1. Search strategy and classification


Research Type

Research type involved classifying the publications according to the type of research that has been used in developing the research. According to a study by Bailey et al. (2010) which focused on medical research papers, there are 12 different research types: database research; reviews; programme description; measurement research; descriptive research; intervention research; biomedical interventions; psychosocial interventions; RCT; CCT; CBA; and ITS (Bailey et al., 2010). In this paper, we will be looking at classifying only the papers that are based on two research types, which are:

• Measurement Research: This research type evaluates the RMT and VE platform, testing some defined aspects using assessment and measurement tools or indicator systems;
• Descriptive Research: This type investigates the RMT and VE problems and issues, in addition to applying theories to frame these problems and issues.

Research Characteristics

The main process in identifying the research characteristics required classifying the publications based on the research method applied, which can be either qualitative, quantitative, or mixed method approaches.

Quantitative research describes research that applies statistical, mathematical, or numerical data. There are a few common tools used in quantitative research, such as surveys and predefined questionnaires. These tools have been used to collect data in order to classify, count, or evaluate the impact, effect, and/or implication of the RMT and VE platforms.

Qualitative research is the research that uses data collection and description of textual or pictorial data to provide a measure of the subjective elements of the research area. There are a few common tools used in qualitative research, such as interviews, open questionnaires, and observation. These tools are used to explain the impact, effect, and/or implication of the RMT and VE platforms as they are experienced by users.

Mixed methods research is research that uses a combination of quantitative and qualitative research tools to explain the impact, effect, and/or implication of the RMT and VE platforms.

RESULTS

Research Output: Type, Target, and Characteristics

Relevant to stage one of the research, Table 1 and Table 2 provide details of the overall number and type of publications, and the number and proportion of research publications by targeted VW.

Number and Type of Publications

A total of 43 VE/RMT publications in the English language were identified using this search strategy. For all time periods, there are 21 papers using descriptive research, and the same number for measurements research, comprising 99 per cent of total publications (Table 1). Mixed research comprised the remaining 1 per cent of studies.

Table 1. Number and proportion of research publications by type

Table 2. Number and proportion of research publications by targeted VW

Target VW

Table 2 shows the number and proportion of RMT/VE publications by targeted VW. Overall, the VW with the largest proportion of research publications was Mixed VWs (34.5%), followed by SL (32.5%) and other VWs (21%). Much of the research that targeted mixed VWs includes WoW and EU. However, there is only 1 research paper that focuses specifically on WoW (2.3%), while there are no research papers that focus only on EU in the RMT and VE area.

Research Characteristics

This paper summarises the characteristics of a total of 43 published papers in the area of VE and/or RMT. The summarisation process is based on: publication year; authors; title; data collection methods; targeted VW; sample size; study approach; outcomes or results; and the database source.

Targeted VW

The targeted VW in the publications varied, with 14 (32.5%) taking place in SL, 19 (44.2%) in mixed VWs, 9 (21%) in other VWs, 1 (2.3%) in WoW, and 0 in EU.

Study Approach, Design, and Data Collection

The targeted publications were classified into quantitative, qualitative, and mixed research methods. Of these, qualitative research made up 21 (49%) out of 43 publications. Quantitative research made up the same number as qualitative, comprising 21 (49%) publications, while there was only one (1%) mixed research method publication.

RMT Classifications

In this section (Figure 2), we have outlined a classification framework for RMT based on the characteristics of products and services, the transaction and marketplace, as well as the currency and exchange systems. We also mapped existing RMT studies identified in this study into the framework to highlight where existing research efforts are spent.

Products and Services

Types of products and services delivered to the customers form the value proposition of a business model (Osterwalder, Pigneur, & Tucci, 2005). Products and services in RMT can be classified in terms of: 1) different ways for delivering the products or services for customers; 2) possibility for users to create or design virtual products and services; 3) different cost models of the products or services; 4) different utility of the virtual products or services from VWs; and 5) different kind of ownership of the products created by users, as well as the ownership of these products.

Transactions and Marketplaces

Transaction and market environment can greatly affect the nature of an economy. The characteristics of the transaction nature of the marketplace are discussed in this section.


Figure 2. RMT classification framework

Currency and Exchange

Monetary systems for RMT are different in different VWs, with various types of virtual currency and currency exchange systems. For a transaction to take place in a VW, there is a need for a defined monetary system. There have been two common monetary systems used in VW: virtual currency (such as PED in EU or L$ in SL), and gold, which is used in WoW and EverQuest. Users have different ways to obtain virtual currency, and different virtual currencies could have an exchange rate that is determined by different mechanisms. This section offers a discussion of these unique characteristics of the monetary systems used in the RMT of different types of VW.

Sellers and Buyers

Sellers and buyers in real money trading are always well connected with social capital. That is to say that, in the virtual platform, relationships, communities, and connections are the main driving force for sales: users would prefer to buy virtual items from friends or users they already know and trust. See Figure 3. The sellers and buyers category in RMT includes the motivation to be involved in RMT, purchasing intention and behaviour, community building, and social capital.

Group A: Studies Focused on Overview of RMT

There are different studies that provide suggestions for a successful VW and RMT environment. The literature study conducted by Kaplan and Haenlein (2009) identifies the main points that companies should be focusing on in order to achieve success in the VWs. The study highlights the 5Cs needed for business success in VWs, which are: catch traffic; compensate presence; consider innovativeness; create a learning environment; and care about avatars. Kaplan and Haenlein also suggested that a movement toward standardization is important for the improvement of business in the VW platforms. In addition, this improvement can help in increasing the interconnection between reality and VWs. Toward more standardization and more understanding of the VE, Papagiannidis, Bourlakis, and Li’s (2008) positioning paper has highlighted some of the profound potential social, economic, ethical, and policy implications, which require further research in the future. Meanwhile, Harviainen and Hamari’s (2015) research paper explores the trade that emerges from the MMORPG system. Harviainen & Hamari indicate that, “Players pay for services and items, and demonstrate group commitment, through the practices of seeking, creating, sharing and withholding information”.

Figure 3. Mapping previous studies and RMT classifications

Bourlakis, Papagiannidis, and Li (2009) suggest in their research that retailers must employ a holistic and overarching approach when devising their promotional strategies. This claim is supported by Novak, Mladenow, and Strauss’s 2014 study. Their paper discovered that the Avatar-Based Innovation Process (ABIP) helps in allowing customer integration during the four phases: idea generation and screening, concepts design & development, testing/trial & error, and commercialization.

The previous studies (Figure 3) highlight the importance of standardization, which significantly foregrounds the importance of the RMT classification introduced by Nazir and Lui in 2015, which takes steps toward the standardization of RMT. The classification of the RMT elements in the different VWs also provides a clear mapping of the economic, social (motivation), and political (ownership and creation of virtual items) parts which have been suggested by Papagiannidis, Bourlakis, and Li (2008), while also considering the different payment methods explained in Harviainen and Hamari’s (2015) research paper.

Group B: Studies Focused on Users’ Motivation to Join VWs/RMT

Individual Motivations

Jung and Kang (2010) explore users’ motivation. Their study concludes that the main reason that users get motivated to be involved in the SVWs is to satisfy their social and hedonic needs. In addition, they also cite users’ desire and willingness to escape from the challenges and constraints that they face in their real lives. Also, creating unique activities (e.g. creating virtual items and selling them) seems to attract many SVW users to become engaged with the platform. In addition to Jung and Kang’s (2010) finding for the users’ motivation to join SVWs, Hassouneh and Brengman (2014) added to this list the following elements: seeking friendship; escapism; and role-playing as the main three motivational factors. These are closely followed by: achievement; relationship; and manipulation. Hassouneh and Brengman classified SVW users into types, based on their motivations to join the platform. Role-playing, relationship seekers, manipulators, achievement seekers, and escapism are the different user types that have been identified by Hassouneh and Brengman (2014).

The previous studies focus on consumer motivation and engagement to become involved in the VWs with different types of motivations, such as: role-playing, relationship seekers, manipulators, achievement seekers, and escapism. These consumer motivations and forms of engagement are mostly considered as personal motivations for the SVWs, and are not directly related to RMT.

Business Motivations

Scarle et al.’s study in 2012 describes virtual environments as another medium for business. This new environment can be used to attract the attention of a highly creative and technologically advanced set of potential customers. Virtual environments might be the bleeding edge of a new revolution in the way of conducting business online. Sharma et al.’s 2013 study found that communication is playing a very important role in VWs for managers, decision-makers, and policy makers. Also, Jung and Pawlowski’s study (2015) found that virtual entrepreneurship is understood as a self-supporting practice, which is dependent upon the social relationship that is considered to be acceptable behaviour within the SVWs. This fact highlights the encouraging nature of the environment for businesses to operate in the SVWs, without any difficulties or worries over SVW users’ acceptance of virtual entrepreneurship.

By looking more at consumer behaviour and customer preference, Jung and Pawlowski (2014) suggest that customer preference can be identified by marketers using SVWs. Marketers also can predict emerging trends by analysing the users’ interaction within the SVW platforms. Predicting future trends and customer preference has implications mainly for products with strong design elements (e.g. vehicles, home decorations, fashion, etc.). SVWs are also a suitable environment within which to conduct experiments and introduce new ideas. Messinger et al.’s (2009) research paper concludes that the real-life brands in VWs are easily remembered in the real world. The study also discovered that only a minority of people in SL are involved primarily for business reasons.

Group C: Studies Focused on Purchasing Motivation and Virtual Consumption

Purchasing behaviour and virtual consumption have received more attention from researchers in the last few years. For example, Jung and Pawlowski (2014b) investigate VW users’ motivation for virtual consumption and the relation among these motivations using a means-end chain approach. The study found that SVW users’ virtual consumption motivations overlap with VW users’ main motivations. These are: socializing; creating; and escape. Meanwhile, Mäntymäki and Salo’s (2013) study discovered that motivation, social influence, user interface, and facilitating conditions have a significant influence on the virtual purchasing behaviour of users. Mäntymäki and Salo’s (2015) study also found that bundling exclusive features with complimentary virtual items for monthly fees clearly encourages money to be spent within the service, and that users are considering the benefits of premium membership. The survey responses in Mäntymäki and Salo have highlighted the importance of virtual items and premium benefits in the SVWs, because most users made it clear that they would not be interested in being involved in SVW platforms if the virtual items did not exist.

As there are different user personalities and characters, there is a range of different purchasing behaviour. Shelton (2010) supports the claim that differently motivated SL users will purchase different types of virtual products in order to satisfy their personal needs and goals. This study also highlights the different motivated user types, as well as common consumer behaviours within the online community. Guo and Barnes (2009) divide virtual item purchasing behaviour into three sub-behaviours: creating motivation for pursuing virtual items; purchase behaviour intention; and actual purchase behaviour. Guo and Barnes illustrate a significant variability in the virtual item purchasing behaviour in VWs. This significant variability is influenced by two primary factors: “personal psychological” and “contextual factors”. Contextual factors refer to those which are closely related to the characteristics of VWs such as the quality of VWs, virtual item resources, and the requirements of the quest system (Y. Guo & Barnes, 2009).

Lehdonvirta (2009) examines users’ behaviour intentions toward RMT. Lehdonvirta has developed a new model for theoretical insights from behaviour economics, in order to investigate users’ intention to engage in RMT. “Behavioural determinants related to either instantaneous (i.e., doer aspect) or future utility (i.e., planner aspect) in the game were investigated”. On the other side, Castronova and Edward’s (2006) research study analysed RMT using traditional cost-benefit analysis, which found that gold farming has a negative effect on players who are not involved in gold buying or selling, while gold buyers and sellers benefit from RMT.


Cagnina and Poian (2009) discovered that there are many possible combinations which influence the value drivers. Even though Cagnina and Poian’s research finding indicates the influence of the possible combinations, the study was not able to measure the significance of each combination. This has been investigated in greater depth by Drachen, Riley, Baskin, and Klabjan (2014), who look at the connection between the players’ behaviours and its effect on the in-game economies in MMOGs. Wang, Mayer-Schönberger, and Yang’s (2013) study “suggested that more intensive social networking and flatter social hierarchical structures are associated with lower monetary value of virtual goods across various MMORPGs” (Q. Wang et al., 2013). While Constantiou, Legarth, and Olsen (2011) focus more on RMT, their research finds that players’ intentions for engaging in RMT are positively influenced by the players’ social status and the disinhibiting effects of online play. Players’ intentions for engaging in RMT are negatively influenced by perceived fairness, anticipated regret, and uncertainty about the seller’s behaviour. Interestingly, neither potential punishment nor perceived enjoyment influences the users’ intention.

The previous studies focusing on purchasing motivation and virtual consumption cover different areas, including generating revenue, creating items, and being part of the RMT economy. These different motivators come under “Motivation” in the RMT classification, which can be classified into three main types: appearance, functionality, and property.

Group D: Studies Focused on Digital Intellectual Property and Currency

As users in the VWs are able to create virtual items using the available designing tools (Messinger et al., 2009; Sharma et al., 2013), Chambers’ (2011) study looks into the legal part of the VW economy. Chambers discusses the debate between two schools: the first holding the idea that the virtual and real are distinct, while the second school supports the idea that both the virtual and real are merely a continuum of each other. Chambers’ study offers support to the latter school, by looking at the possibility of creating virtual items, owning the virtual items by users, selling this ownership to another, or transferring the ownership for a specific period. It also looks at the currency exchange market in some SVWs such as SL, where it is possible to transfer real money to virtual currency and vice versa. The exchange market includes the exchange rate, which is the rate used to exchange currency between the real world and the VW. The currency exchange rate represents a foundational connection between the real and the virtual. This has turned the VE into an open economy with a free exchange rate, where the exchange rate is determined based on the demand and supply of the currency (as is the case in SL). In other VWs, the exchange rate is fixed, such as Entropia Universe Dollars (PED), which has a fixed exchange rate of 10 PED for each US$1 (Alves & Roque, 2007; Heeks, 2009; G. Jung et al., 2011; Messinger et al., 2009).

By looking at the RMT classification, Chambers’ study highlights the ownership and currency issues in the RMT platforms, which are covered in the “ownership” section in the RMT classifications under “products & services”, where it takes into consideration the legal part of virtual item ownership. It looks at whether the virtual item creator/designer will own the virtual item or whether the game developer, regardless of who has created/designed the virtual item, will own it. The RMT classification also covers the currency and exchange rate by looking at: exchange direction (one-way or two-ways), exchange rate (free market, fixed rate, negotiable between users), and earning virtual currency (buying online, fight and/or mining, work).


Group E: Market Place and Virtual Transactions

Sousa and Munro (2012) suggest that VWs might be a suitable platform for conducting economic experiments and testing economic theories. Their only concern was with regard to the instability of the VWs: where some VWs become very popular, others lose their users to another VW, or another platform. But one of the economic limitations of Sousa and Munro’s study is that the target VW platform in this study was “RuneScape.” RuneScape is totally based on its in-game (internal) economy system, where users cannot exchange real money to virtual currency or vice versa. The monetary currency can be gained in-game, and spent in-game only.

There are different types of consumption mode available in VWs, and these are similar to the kinds of real life consumption, including - but not limited to - one-time consumption (like pizza or coke), assets and items that decay over time (such as weapons and mining tools), and assets such as land and houses (Heeks, 2009; Y. Jung & Pawlowski, 2014a; Shelton, 2010). Transaction types are different from one VW to another. In some VWs, especially SL and EU, transactions principally involve the exchange of real world money for virtual products (Scarle et al., 2012). SL provides its own external marketplace where users and buyers can meet together and exchange products and items. Other VWs - such as WoW - have an internal auction platform, called “auction house” (Ke et al., 2012; Q.-H. Wang & Mayer-Schonberger, 2010).

Sousa and Munro’s (2012) finding covers the “marketplace” section under “transaction and marketplace” in the RMT classification. Sousa and Munro’s study also highlights the “transaction type” in the RMT classifications; this research has discovered that many users are both consumer and producer at the same time, which means that a large percentage of the transaction type in “RuneScape” is customer-to-customer (C2C).

Group F: Studies Focused on Social Capital and Trust

Hau and Kim (2011) focus on the effect of social capital on innovation-conducive knowledge sharing. The study suggests that, in order to have a positive impact on innovation-conducive knowledge sharing, companies should conduct the course of knowledge sharing with fun, pride, and enjoyment. The study also illustrates that social trust and subjective norms are more achievable when the goals, missions, and vision of knowledge are shared with the community. This finding is supported by Dickey (2007), who suggests that MMORPG design may provide a flexible model for creating engaging interactive learning environments (gamification in education) which foster intrinsic motivation by providing collaboration, achievement, control, choice, and challenge. Hau and Kim’s (2011) study focuses on trust and knowledge sharing and their effect on the VW community, an area that the RMT classification does not cover.

CONCLUSION

The necessity to improve RMT platforms and the sustainability of virtual economies has been broadly discussed both academically (Y. Guo & Barnes, 2011; Scarle et al., 2012; D. Zhang & Shrestha, 2010) and industrially (Goel, Johnson, Junglas, & Ives, 2011; Holden, 2006; Tedeschi, 2007). Our findings, in terms of quality and the type of research, have revealed a similar quantity of both qualitative and quantitative research in the RMT area. Furthermore, there is a shortage of adequate research that addresses the different VW types (GVWs, SVWs, and MVWs) and that considers both RMT and non-RMT users. Classification of publications also revealed a scarcity of RMT studies that examine the different VWs, taking into consideration the differences between RMT and non-RMT users. Based on the existing research papers, this study has developed an RMT classification which lists and groups the research areas covered in previous academic studies. These classifications constitute six different groups: 1) standardisation and better understanding of RMT; 2) motivation to participate in VWs/RMT; 3) purchasing behaviour, motivation, and virtual consumption; 4) ownership, policy, and currency; 5) marketplace and virtual transaction; 6) social capital, sellers and buyers. This classification is interested in both direct and indirect factors which influence RMT (indirect elements such as virtual communities and social capital). This paper has also looked at the significant milestones within some of the most popular VWs, such as SL and EU. This study has suggested RMT classifications based on the studies that have been conducted in the last 10 years. The findings have allowed RMT to be classified into four main groups: products and services; transactions and marketplaces; currency and exchange rates; and sellers and buyers. Little research has yet been conducted on transaction types, marketplaces, exchange direction, virtual exchange rates and their economic impact, social capital and community building in RMT, and ownership. On the other hand, some research covers other RMT areas, such as motivation to participate in VWs and purchasing intention and behaviour.
Even though there is more research exploring some areas, it is still far below the academic satisfaction level: there are more elements and factors that need consideration than those presented in the previous studies. The findings of the previous studies that cover the topic of motivation to join VWs can be summarized in the following list: 1) satisfying social and hedonic needs; 2) escaping from real-life challenges and stress; 3) creating unique activities; 4) seeking friendships; 5) role playing; 6) seeking achievements; 7) manipulation (Cagnina & Poian, 2009; Hassouneh & Brengman, 2014; Y. Jung & Kang, 2010). The factors that influence purchasing behaviour in VWs can be summarized as: 1) consumer motivation to join a VW; 2) social influence; 3) user personality and character; 4) personal psychological factors; 5) contextual factors (Cagnina & Poian, 2009; Y. Guo & Barnes, 2009; Y. Jung & Pawlowski, 2014a; Lehdonvirta, Wilska, & Johnson, 2009; Lehdonvirta, 2009; Mäntymäki & Salo, 2011, 2013, 2015; Shelton, 2010). We suggest that a maturing of RMT requires standardisation of the RMT classification, whereby different research types and approaches are able to contribute to the RMT area through an overarching set of big-picture questions that will enable a holistic research agenda to evolve. A mature RMT classification, taking into account the different VW platforms and the differences between RMT and non-RMT users, would allow policy makers, practitioners and researchers to access a sufficient quality and volume of different types of evidence to make informed decisions about these developing economies. This finding suggests that the RMT field has real potential to contribute to the complex, different virtual platforms and their implications for RMT. Nonetheless, the low number of evaluation studies that focus on secondary factors that indirectly contribute to RMT, such as social capital, needs to be considered in any future research.


REFERENCES

Alves, T., & Roque, L. (2007). Because players pay: the business model influence on MMOG design. Situated Play: Proc. of the 2007 Digital Games (pp. 658–663). Retrieved from http://eden.dei.uc.pt/~lir/readings/DIGRA2007.pdf

Bailey, L. J., Sanson-Fisher, R., Aranda, S., D’Este, C., Sharkey, K., & Schofield, P. (2010). Quality of life research: Types of publication output over time for cancer patients, a systematic review. European Journal of Cancer Care, 19(5), 581–588. doi:10.1111/j.1365-2354.2009.01109.x PMID:19832895

Bainbridge, W. S. (2007). The scientific research potential of virtual worlds. Science, 317(5837), 472–476. doi:10.1126/science.1146930 PMID:17656715

Barnett, B. J. H., & Archambault, L. (2010). How Massive Multiplayer Online Games Incorporate Principles of Economics. TechTrends, 54(6), 29–35. doi:10.1007/s11528-010-0451-y

Boaz, A., Ashby, D., & Young, K. (2002). Systematic reviews: What have they got to offer evidence based policy and practice? For Evidence Based. Policy & Practice, 23(January). Retrieved from http://kcl.ac.uk/content/1/c6/03/45/85/wp2.pdf

Bonifield, C. M., & Tomas, A. M. (2009). Intellectual property issues for marketers in the virtual world. Journal of Brand Management, 16(8), 571–581. doi:10.1057/bm.2008.41

Bourlakis, M., Papagiannidis, S., & Li, F. (2009). Retail spatial evolution: Paving the way from traditional to metaverse retailing. Electronic Commerce Research, 9(1-2), 135–148. doi:10.1007/s10660-009-9030-8

Cagnina, M. R., & Poian, M. (2009). Beyond e-business models: The road to virtual worlds. Electronic Commerce Research, 9(1-2), 49–75. doi:10.1007/s10660-009-9027-3

Castronova, E. (2006). A cost-benefit analysis of real-money trade in the products of synthetic economies. Info, 8(6), 51–68. doi:10.1108/14636690610707482

Chambers, C. (2011). How virtual are virtual economies? An exploration into the legal, social and economic nature of virtual world economies. Computer Law & Security Report, 27(4), 377–384. doi:10.1016/j.clsr.2011.05.007

Cheon, E. (2013). Energizing business transactions in virtual worlds: An empirical study of consumers’ purchasing behaviors. Information Technology Management, 14(4), 315–330. doi:10.1007/s10799-013-0169-6

Chiang, O. (2010). Paying A Fortune For Virtual Property. Forbes. Retrieved from http://www.forbes.com/forbes/2010/1220/focus-virtual-property-panasjuk-neverdie-digital-dispatch.html

Constantiou, I., Legarth, M. F., & Olsen, K. B. (2011). What are users’ intentions towards real money trading in massively multiplayer online games? Electronic Markets, 22(2), 105–115. doi:10.1007/s12525-011-0076-9

De Sousa, Y. F., & Munro, A. (2012). Truck, barter and exchange versus the endowment effect: Virtual field experiments in an online game environment. Journal of Economic Psychology, 33(3), 482–493. doi:10.1016/j.joep.2011.12.011


Dickey, M. D. (2007). Game design and learning: A conjectural analysis of how massively multiple online role-playing games (MMORPGs) foster intrinsic motivation. Educational Technology Research and Development, 55(3), 253–273. doi:10.1007/s11423-006-9004-7

Drachen, A., Riley, J., Baskin, S., & Klabjan, D. (2014). Going out of business: Auction house behavior in the Massively Multi-player Online Game Glitch. Entertainment Computing, 5(4), 219–232. doi:10.1016/j.entcom.2014.09.001

Entropia Universe. (2013). Moon Sale Details. Retrieved from http://www.entropiauniverse.com/entropiauniverse/announcements/moon/

Entropia Universe. (2014). Introducing Stable Estates | Latest News. Retrieved from http://www.entropiauniverse.com/news/2014/06/30/Introducing-Stable-Estates.xml

Fuchs, B., & Thurner, S. (2014). Behavioral and network origins of wealth inequality: Insights from a virtual world. PLoS ONE, 9(8), e103503. doi:10.1371/journal.pone.0103503 PMID:25153072

Goel, L., Johnson, N., Junglas, I., & Ives, B. (2011). From space to place: Predicting users’ intentions to return to virtual worlds. Management Information Systems Quarterly, 35, 749–771. Retrieved from http://dl.acm.org/citation.cfm?id=2208937

Griffiths, M., & Light, B. (2008). Social networking and digital gaming media convergence: Classification and its consequences for appropriation. Information Systems Frontiers, 10(4), 447–459. doi:10.1007/s10796-008-9105-4

Guo, J., & Gong, Z. (2011). Measuring virtual wealth in virtual worlds. Information Technology Management, 12(2), 121–135. doi:10.1007/s10799-011-0082-9

Guo, Y., & Barnes, S. (2009). Virtual item purchase behavior in virtual worlds: An exploratory investigation. Electronic Commerce Research, 9(1-2), 77–96. doi:10.1007/s10660-009-9032-6

Guo, Y., & Barnes, S. (2011). Purchase behavior in virtual worlds: An empirical investigation in Second Life. Information & Management, 48, 303–312. doi:10.1016/j.im.2011.07.004

Harviainen, J. T., & Hamari, J. (2015). Seek, share, or withhold: Information trading in MMORPGs. The Journal of Documentation, 71(6), 1119–1134. doi:10.1108/JD-09-2014-0135

Hassouneh, D., & Brengman, M. (2014). A motivation-based typology of social virtual world users. Computers in Human Behavior, 33, 330–338. doi:10.1016/j.chb.2013.08.012

Hau, Y. S., & Kim, Y.-G. (2011). Why would online gamers share their innovation-conducive knowledge in the online game user community? Integrating individual motivations and social capital perspectives. Computers in Human Behavior, 27(2), 956–970. doi:10.1016/j.chb.2010.11.022

Heeks, R. (2009). Understanding “gold farming” and real-money trading as the intersection of real and virtual economies. Journal of Virtual Worlds Research, 2(4), 1–27. Retrieved from http://journals.tdl.org/jvwr/index.php/jvwr/article/viewArticle/868


Henttonen, T., Tikkanen, H., Hietanen, J., Rokka, J., Henttonen, T., & Rokka, J. (2009). Exploring virtual worlds: success factors in virtual world marketing. Management Decision. Retrieved from http://www.emeraldinsight.com/10.1108/00251740910984596

Ho, C.-H., & Wu, T.-Y. (2012). Factors affecting intent to purchase virtual goods in online games. International Journal of Electronic Business Management, 10(3), 204–212.

Hof, R. (2006). Second Life’s First Millionaire. Business Week. Retrieved from http://www.businessweek.com/the_thread/techbeat/archives/2006/11/second_lifes_fi.html

Holden, R. (2006). American Apparel Finds the Right Fit in Second Life. TheStreet.com. Retrieved from http://www.thestreet.com/_tscfoc/newsanalysis/techgames/10318273.html

Huang, E. (2012). Online experiences and virtual goods purchase intention. Internet Research, 22(3), 252–274. doi:10.1108/10662241211235644

Hunter, D. (2006). The early history of real money trades. Retrieved from http://terranova.blogs.com/terra_nova/2006/01/the_early_histo.html

Huvila, I., Holmberg, K., Huvilo, I., Ek, S., & Widden-Wolfe, G. (2010). Social capital in Second Life. Online Information Review, 34(2), 295–316. doi:10.1108/14684521011037007

Irvine, D. (2007). Virtual worlds, real money. Retrieved from http://edition.cnn.com/2007/TECH/science/03/12/fs.virtualmoney/index.html?iref

Jung, G., Lee, B., Yoo, B., & Brynjolfsson, E. (2011). Analysis of the Relationship between Virtual Goods Trading and Performance of Virtual Worlds. SSRN Electronic Journal. doi:10.2139/ssrn.1938313

Jung, Y., & Kang, H. (2010). User goals in social virtual worlds: A means-end chain approach. Computers in Human Behavior, 26(2), 218–225. doi:10.1016/j.chb.2009.10.002

Jung, Y., & Pawlowski, S. (2015). The meaning of virtual entrepreneurship in social virtual worlds. Telematics and Informatics, 32(1), 193–203. doi:10.1016/j.tele.2014.07.002

Jung, Y., & Pawlowski, S. D. (2014a). Understanding consumption in social virtual worlds: A sensemaking perspective on the consumption of virtual goods. Journal of Business Research, 67(10), 2231–2238. doi:10.1016/j.jbusres.2014.01.002

Jung, Y., & Pawlowski, S. D. (2014b). Virtual goods, real goals: Exploring means-end goal structures of consumers in social virtual worlds. Information & Management, 51(5), 520–531. doi:10.1016/j.im.2014.03.002

Kaburuan, E. R., Chen, C. H., & Jeng, T. S. (2009). Identifying users’ behavior purchasing virtual items. Proceedings of the International Conference on Electronic Business (ICEB) (pp. 250–256).

Kaplan, A. M., & Haenlein, M. (2009). The fairyland of Second Life: Virtual social worlds and how to use them. Business Horizons, 52(6), 563–572. doi:10.1016/j.bushor.2009.07.002

Ke, D., Ba, S., Stallaert, J., & Zhang, Z. (2012). An empirical analysis of virtual goods permission rights and pricing strategies. Decision Sciences, 43(6), 1039–1061. Retrieved from http://onlinelibrary.wiley.com/doi/10.1111/j.1540-5915.2012.00384.x/full doi:10.1111/j.1540-5915.2012.00384.x


Lehdonvirta, V. (2005a). Real-money trade of virtual assets: new strategies for virtual world operators. Proceedings of Future Play, Michigan State University. Retrieved from http://www.hiit.fi/u/vlehdonv/documents/Lehdonvirta-2008-RMT-Strategies.pdf

Lehdonvirta, V. (2005b). Real-Money Trade of Virtual Assets: Ten Different User Perceptions. Proceedings of Digital Art and Culture, 1–7. doi:10.2139/ssrn.1351772

Lehdonvirta, V. (2009). Virtual item sales as a revenue model: Identifying attributes that drive purchase decisions. Electronic Commerce Research, 9(1-2), 97–113. doi:10.1007/s10660-009-9028-2

Lehdonvirta, V., Wilska, T., & Johnson, M. (2009). Virtual consumerism: Case habbo hotel. Information Communication and Society, 12(7), 1059–1079. doi:10.1080/13691180802587813

Linden Lab. (2013). Infographic: 10 Years of Second Life. Retrieved from http://www.lindenlab.com/releases/infographic-10-years-of-second-life

Mäntymäki, M., & Salo, J. (2011). Teenagers in social virtual worlds: Continuous use and purchasing behavior in Habbo Hotel. Computers in Human Behavior, 27(6), 2088–2097. doi:10.1016/j.chb.2011.06.003

Mäntymäki, M., & Salo, J. (2013). Purchasing behavior in social virtual worlds: An examination of Habbo Hotel. International Journal of Information Management, 33(2), 282–290. doi:10.1016/j.ijinfomgt.2012.12.002

Mäntymäki, M., & Salo, J. (2015). Why do teens spend real money in virtual worlds? A consumption values and developmental psychology perspective on virtual consumption. International Journal of Information Management, 35(1), 124–134. Retrieved from http://www.sciencedirect.com/science/article/pii/S0268401214001030 doi:10.1016/j.ijinfomgt.2014.10.004

Margitay-Becht, A., & Herrera, D. R. (2006). Virtual colonization. Periodica Polytechnica. Social and Management Sciences, 14(2), 1–7. doi:10.1177/135918359900400103

McGlaun, S. (2013). Entropia Universe is auctioning off a virtual moon for US$150k. Retrieved from http://www.slashgear.com/entropia-universe-is-auctioning-off-a-virtual-moon-for-150k-04272342/

Messinger, P. R., Stroulia, E., Lyons, K., Bone, M., Niu, R. H., Smirnov, K., & Perelgut, S. (2009). Virtual worlds — past, present, and future: New directions in social computing. Decision Support Systems, 47(3), 204–228. doi:10.1016/j.dss.2009.02.014

MindArk. (2011). Entropia Universe takes Virtual World Citizenship to a whole new level! Retrieved from http://www.planetcalypso.com/news/pages/2011/11/08/2907/index.xml

Nagy, P. (2014). The digital transformation of human identity. Towards a conceptual model of virtual identity in virtual worlds. Convergence: The International Journal of Research into New Media Technologies, 20(3), 276–292. doi:10.1177/1354856514531532

Nazir, M., & Lui, C. (2015). Classifying real money trading in virtual world. Proceeding of the Fifteenth International Conference on Electronic Business (pp. 149–159). Hong Kong.

BBC News. (2005). Gamer buys virtual space station. Retrieved from http://news.bbc.co.uk/2/hi/technology/4374610.stm


Nino, T. (2008). SL art and architecture sells for US$100,000? Engadget.com. Retrieved from https://www.engadget.com/2008/03/14/sl-art-and-architecture-sells-for-us-100-000/

Novak, N. M., Mladenow, A., & Strauss, C. (2014). Virtual worlds as settings for avatar-based innovation processes. Journal of Service Science Research, 6(1), 71–98. doi:10.1007/s12927-014-0003-7

Osterwalder, A., Pigneur, Y., & Tucci, C. (2005). Clarifying business models: Origins, present, and future of the concept. Communications of the Association for Information Systems, 15(May), 1–43. doi:10.1.1.83.7452

Papagiannidis, S., Bourlakis, M., & Li, F. (2008). Making real money in virtual worlds: MMORPGs and emerging business opportunities, challenges and ethical implications in metaverses. Technological Forecasting and Social Change, 75(5), 610–622. doi:10.1016/j.techfore.2007.04.007

PRNewswire. (2014). The World’s First Million Dollar Virtual Property. Retrieved from http://www.prnewswire.com/news-releases/the-worlds-first-million-dollar-virtual-property-252439271.html

Scarle, S., Arnab, S., Dunwell, I., Petridis, P., Protopsaltis, A., & de Freitas, S. (2012). E-commerce transactions in a virtual environment: Virtual transactions. Electronic Commerce Research, 12(3), 379–407. doi:10.1007/s10660-012-9098-4

Sharma, G., Qiang, Y., Wenjun, S., & Qi, L. (2013). Communication in virtual world: Second life and business opportunities. Information Systems Frontiers, 15(4), 677–694. doi:10.1007/s10796-012-9347-z

Shelton, A. K. (2010). Defining the lines between virtual and real world purchases: Second Life sells, but who’s buying? Computers in Human Behavior, 26(6), 1223–1227. doi:10.1016/j.chb.2010.03.019

Suznjevic, M., & Matijasevic, M. (2013). Player behavior and traffic characterization for MMORPGs: A survey. Multimedia Systems, 19(3), 199–220. doi:10.1007/s00530-012-0270-4

Tedeschi, B. (2007). Awaiting Real Sales From Virtual Shoppers - New York Times. Retrieved from http://www.nytimes.com/2007/06/11/business/11ecom.html

The Cochrane Collaboration. (2008). Cochrane Handbook for Systematic Reviews of Interventions. The Cochrane Collaboration (Vol. Version 5.). doi:10.1002/9780470712184

Thomas, A. (2010). Buzz Lightyear pays US$330,000 for imaginary space station | TG Daily. Retrieved from http://www.tgdaily.com/games/45289-buzz-lightyear-pays-330000-for-imaginary-space-station

Virtual Sense. (2014). Entropia to release Stable Estates. Retrieved from http://www.virtualsense.eu/blog/article/entropia-to-release-stable-estates

Voulgari, I., Komis, V., & Sampson, D. G. (2014). Learning outcomes and processes in massively multiplayer online games: Exploring the perceptions of players. Educational Technology Research and Development, 62(2), 245–270. doi:10.1007/s11423-013-9312-7

Voyager, D. (2016). Second Life Statistics – September 2016 Update. Retrieved from https://danielvoyager.wordpress.com/2016/09/07/second-life-statistics-september-2016-update/


Wang, Q., Mayer-Schönberger, V., & Yang, X. (2013). The determinants of monetary value of virtual goods: An empirical study for a cross-section of MMORPGs. Information Systems Frontiers, 15(3), 481–495. doi:10.1007/s10796-011-9339-4

Wang, Q.-H., & Mayer-Schonberger, V. (2010). The Monetary Value of Virtual Goods: An Exploratory Study in MMORPGs. Proceedings of the 2010 43rd Hawaii International Conference on System Sciences. doi:10.1109/HICSS.2010.388

Wang, W. T., & Chang, W. H. (2014). A study of virtual product consumption from the expectancy disconfirmation and symbolic consumption perspectives. Information Systems Frontiers, 16(5), 887–908. doi:10.1007/s10796-012-9389-2

Weinberger, M. (2015). Second Life was 13 years early to virtual reality -- and it’s getting ready to try again. Retrieved from http://www.businessinsider.com.au/second-life-is-still-around-and-getting-ready-to-conquer-virtual-reality-2015-3

Yang, L., Dimitrov, S., & Mantin, B. (2014). Forecasting sales of new virtual goods with the Elo rating system. Journal of Revenue and Pricing Management. doi:10.1057/rpm.2014.26

Yee, N. (2006). Motivations for play in online games. Cyberpsychology & Behavior, 9(6), 772–775. doi:10.1089/cpb.2006.9.772 PMID:17201605

Zhang, D., & Shrestha, P. (2010). Doing business in Second Life: E-commerce in 3D online environment. International Journal of Electronic Business, 8(2), 148. doi:10.1504/IJEB.2010.032092

Zhang, F., & Kaufman, D. (2015). The impacts of social interactions in MMORPGs on older adults’ social capital. Computers in Human Behavior, 51, 495–503. doi:10.1016/j.chb.2015.05.034

Zhong, Z.-J. (2011). The effects of collective MMORPG (Massively Multiplayer Online Role-Playing Games) play on gamers’ online and offline social capital. Computers in Human Behavior, 27(6), 2352–2363. doi:10.1016/j.chb.2011.07.014

Zhou, Z., Jin, X. X. L., Vogel, D. R. D., Fang, Y., & Chen, X. (2011). Individual motivations and demographic differences in social virtual world uses: An exploratory investigation in Second Life. International Journal of Information Management, 31(3), 261–271. doi:10.1016/j.ijinfomgt.2010.07.007

This research was previously published in the International Journal of Virtual Communities and Social Networking (IJVCSN), 9(1); edited by Subhasish Dasgupta, pages 34-53, copyright year 2017 by IGI Publishing (an imprint of IGI Global).


Chapter 7

Cybercrimes via Virtual Currencies in International Business

Dincer Atli
Uskudar University, Turkey

ABSTRACT

This chapter aims to shed some light on virtual currencies (VCs) and cybercrimes in international business. In recent years, cybercrime has become a major concern for the global community. At the same time, virtual currency (VC) has had a transformational impact on purchasing habits on a global scale. The advantages VC provides and the difficulty of controlling it create the possibility of committing cybercrimes in the virtual environment. The freedom VCs provide and the difficulties in controlling them facilitate crimes such as money laundering and the financing of terrorism in the virtual environment. Our research demonstrates the structural and legal status of VCs, the different regulations in various countries and the cybercrimes committed via VCs.

DOI: 10.4018/978-1-5225-6201-6.ch007

Copyright © 2019, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

INTRODUCTION

The term “globalization” is full of meanings in economic literature and is essentially understood as a symbol of wealth: it is an important tool that shifts all productive sectors to a different level. The changes delivered by this phenomenon have been felt in economic, political, social and technological systems. Moreover, technology seems to be the most highlighted topic in scientific studies (Maftei, 2014). In recent years, the internet has brought a radical revolution in socio-economic and communication transactions. Due to the increasing importance of the internet, cyberspace is an integral dimension of the 21st century (Harknett & Stever, 2009; Kamal, Chowdhury, Haque, Chowdhury, & Islam, 2012). The internet has become a fruitful ground for criminals to gain funds to back their operations, by participating in activities ranging from credit card theft using key logging, phishing and hacking attacks to money laundering (Irwin, Slay, Choo, & Lui, 2014). As internet technologies advance, money launderers, terrorism financiers and criminals also advance in their use of the internet for illicit and illegal activity (Irwin et al., 2014). Furthermore, conventional organized crime groups have become increasingly involved in cybercrime (Broadhurst, Grabosky, Alazab, & Chon, 2014).

Alongside these developments, VCs or “cryptocurrencies” have evolved immensely and are quickly establishing themselves as a system of payment. Today, VCs, as a multibillion-dollar venture, have a dual potential as both an investment and an electronic medium of exchange (Lee, Long, McRae, Steiner, & Gosnell Handler, 2015). In the financial markets, Bitcoin is the most popular and fascinating virtual currency among cryptocurrencies. There is no central authority that issues this currency. Thus, Bitcoin has been controversial ever since it became popular, and its rise was accompanied by increased popular interest that reached high levels (Kristoufek, 2015). It is well known that global authorities including the Financial Action Task Force (FATF), Interpol, the Financial Crimes Enforcement Network (FinCEN), Europol and the G7 have long been concerned about the state of regulation of digital currencies. This is due to the potential for the new technology to be used by groups seeking to support various illicit activities (http://www.coindesk.com/bitcoin-paris-and-terrorism-what-the-media-got-wrong/). Cybercrimes via VCs are examined below.

BACKGROUND

The history of modern computing as a mainframe business dates back to the period after World War II. Given the enormous increase in the number of computers, it is not surprising that computer crime started to develop as a topic in the 1960s. Using computers to “harm” persons did not become a problematic concern until the 1980s, when the “personal computer” emerged (Brenner, 2010). In this regard, the term cybercrime was first coined by William Gibson (1982) and then popularized in his novel “Neuromancer” in 1984 (Giddens, 2006). The first remarkable cybercrime case can be attributed to a man named John Draper in 1971. He figured out that he could make long-distance phone calls for free by using a toy whistle to trick the phone system (Wozniak & Smith, 2006). Cybercrime is a reality of the world today. With the development of the internet, VCs and mobile payments have become important players in the way people use payment systems in modern-day society. In 1996, a physician, Douglas Johnson, created an online digital currency called e-gold that would be fully backed by actual gold stored in several locations around the world. In January 2009, a new cryptocurrency called Bitcoin was developed by a Japanese man named Satoshi Nakamoto. Bitcoin has seen exponential growth in the following years. Some criminal groups viewed this new technology as an opportunity to commit various offenses (Healy & Li, 2016). Since then, the concept has become a more sophisticated and important issue, and scholars have started to pay closer attention to the subject (Wall, 2007). The literature includes several studies examining the issues and challenges of cybercrimes via virtual currencies.

Issues, Controversies, Problems

Today, most developed countries are close to becoming almost cashless societies. This makes way for new technologies to be introduced into the payment sector (Healy & Li, 2016). New technologies give us anonymous transactions as payments for goods or services, and they can be used in various illegal activities. Cryptocurrency is therefore a new way of making payments, and each country deals with it differently. This chapter aims to answer the following research questions:

• Do virtual currencies facilitate illegal financial transactions?
• What is the structural and legal status of VCs in different countries?
• What kinds of activities do cybercriminals carry out via VCs in international business?
• How can authorities prevent cybercrime?

CYBERCRIME

With its worldwide popularity, the cyber world presents many opportunities for illegal groups to use its interconnectedness, accessibility and anonymity to carry out their illegal activities, and it becomes more difficult for law enforcement to reach them. Although praiseworthy attempts have been made by state authorities, these endeavors do not go to the root of the problem, which is the fundamental disharmony between the regionally oriented legal enforcement system and the multi-jurisdictional quality of such crimes (Menon & Siew, 2012). The term “cybercrime” refers to criminal conduct carried out by using digital communication and information networks and systems, or against such networks and systems (European Commission, 2007, p. 2; Shang, 2012; Kamal et al., 2012). Cybercrime is also known as electronic crime, computer crime, e-crime, digital crime, technology crime, high-tech crime, online crime, computer-related crime, Internet crime and computer misuse (Alkaabi, Mohay, McCullagh, & Chantler, 2011; Lone, 2013). In addition, all unlawful activities carried out by the use of computers and digital and electronic devices are referred to as cybercrimes. This includes disruption of network interchanges, denial of service attacks/e-mail bombing, cyber stalking, extortion, identity theft, cyber-squatting, creation and distribution of viruses, pornography, fraud and impersonation (Adomi & Igun, 2008).

Although it is not easy to provide a precise and comprehensive description of cybercrime, specific characteristics of such crimes bring forward certain challenges that we need to evaluate and address immediately. The first, and perhaps the most important, is the boundless nature of much modern economic crime and cybercrime; the second is the sophistication and increasing complexity of such crimes; the third is the rapidly evolving and ever-changing nature of those crimes; and the fourth is the fact that economic crimes and cybercrimes are usually profit-driven, with the criminals reaping big economic rewards from their criminal activities (Menon & Siew, 2012). While there are similarities between a physical crime scene and a cybercrime scene, there are also major differences that make cybercrime a critical field of research. A digital crime scene’s boundaries are not clearly outlined, and the crime scene may spread beyond any physical location. A person’s physical location, the remote server, and the network paths that the relevant network protocols use can all be the crime scene (Katos & Bednar, 2008). Cyberspace surveillance is considerably more important than real space (Etges & Sutcliffe, 2010). At the moment, the common concept theory of cybercrime has the following three topics:

1. Tool Theory: In cybercrimes, criminals use a computer and parallel network as the crime apparatus in parallel network space, an activity which in severe cases harms society.


2. Object Theory: In cybercrimes, the criminals’ behaviors destroy the credibility, applicability and integrity of computer information network systems. In other words, cybercrime is a behavior that harms network space.
3. Duplicity Theory of Tool and Object: In cybercrimes, criminals devastate and attack others’ computer systems or data banks, or use the network to commit criminal and economic crimes, etc.

Of the three approaches explained above, both the tool theory and the duplicity theory of tool and object note that the network is used as a crime tool to realize criminal conduct, such as theft and insult, cheating or instigation (Shang, 2012). From our point of view, cybercrime is criminal behavior that threatens and damages network information systems with the criminal aim of making them unusable. Thus, the network is the object of the crime when perpetrators carry out the criminal behavior.

To be able to investigate digital-related crimes, experts classify them into different types. The classification demonstrates that different parts of the public can be affected by cybercrimes. According to Shin (2011), cybercrimes are classified as violent and non-violent. Violent crimes include cyber terror, threats, stalking, child pornography, etc. Non-violent crimes include cyberattacks, theft, scams, internet gambling, etc. According to Pati (2007), cybercrimes are classified by target group. These are:

1. Harming Individuals: Attacking with e-mails; virtual stalking; distribution of obscene material; smearing; hacking/cracking; and indecent exposure.
2. Harming Individual Property: Computer vandalism; transmitting viruses; illegal entry; control over a computer system without permission; and cracking/hacking.
3. Harming Organizations: Hacking and cracking; possession of information without permission; cyber terror against state institutions; distribution of cracked software, etc.
4. Harming Society at Large: Pornography, especially child pornography; eroding young people through indecent exposure; and trafficking, combating (Adomi & Igun, 2008).

Furthermore, there are numerous international approaches and coalitions around the world, all attempting to build a stable online environment both domestically and internationally. Some of the efforts regarding cybercrimes are described below.

European Efforts

The Council of Europe has perhaps one of the most organized and coordinated efforts to fight phishing and other related cybercrimes. It is based in France and includes 47 member states, with the purpose of advancing common and democratic principles throughout Europe (Council of Europe, 2010; Nykodym, Kahle-Piasecki, Ariss, & Toussaint, 2010).

United States Efforts

The Federal Bureau of Investigation (FBI) is in a strong position and properly equipped to deal with cybercrimes. The FBI has the investigative skills, forensic knowledge and international relations that make it a perfect candidate to counter cybercrime (Nykodym & Ariss, 2006). Likewise, legislation at the state, national and international level will contribute to the efforts in fighting cybercrime (Nykodym & Taylor, 2004; Nykodym et al., 2010). Therefore, US police departments founded computer crimes units, and cybercrime makes up a large proportion of the offences investigated by these units. The National Cybercrime Training Partnership (NCTP) encompasses local, state, and federal law enforcement agencies in the US (Chawki, 2007).

Global Efforts

Law enforcement authorities worldwide are realizing the necessity to collaborate with each other in order to restrict perpetrators engaged in transnational conduct. In two phishing-related cases linked to global organized crime, the governments of the USA and Romania charged 38 people across both countries. The perpetrators were charged with defrauding thousands of individual victims and hundreds of organizations (Nykodym et al., 2010).

THE EFFECTS OF CYBERCRIME IN ECONOMIES

Recent developments in communication and the expansion of global trade have had the negative effect of promoting a matching increase in illegal economic activities that transcend borders. As legitimate businesses become more and more supranational, a similar tendency can also be seen in illicit commercial conduct. In particular, interconnected financial markets are used as a medium for supranational movements of the revenues of illicit activities (Menon & Siew, 2012).

Criminals in developing economies are playing significant roles in the cyber world’s crime scene. According to some reports, organized crime groups in developing economies have also been involved in cybercrime. Cartels and gangs from China, Colombia, Russia and Malaysia have reportedly recruited hackers, diverted their efforts from traditional activities to cybercrime and expanded their conduct globally (Kshetri, 2010).

According to the PWC Global Economic Crime Survey in 2016, more than one in three organizations (36%) reported being victims of economic crime; cybercrime rose to the 2nd most reported economic crime, harming 32% of organizations; and close to half of the organizations surveyed believe that local law enforcement authorities do not have sufficient resources to investigate economic crime, leaving the responsibility to prevent economic crime to organizations (PWC, 2016).

The United Nations Office on Drugs and Crime (UNODC) estimates that the most profitable form of cybercrime is identity theft, which generates nearly $1 billion in proceeds every year on a global scale. According to the same UNODC report’s estimate, the profit of identity theft using cyber techniques in the US was worth $780 million (no data for other countries was available). Data on the other cost, losses by banks, is not available, but in the US it may be between $300 million and $500 million per year (Lewis & Baker, 2013).

The Australian Institute of Criminology (AIC) 2014 report shows that 1 in 5 Australians have been victims of identity crime, with computer hacking, online banking and shopping mainly to blame, and that 10 per cent experienced it in the past year. According to experts, the risk of someone misusing their personal information would increase over the next years (Smith & Hutchings, 2014).

The US National Crime Victimization Survey (NCVS) found that 17.6 million Americans, about 7% of U.S. residents age 16 or older, were victims of identity theft in 2014. Most of the identity theft victims (86%) experienced the fraudulent usage of current account information, such as bank account and credit card information (Harrell & Langton, 2013). On the other hand, according to the Hewlett Packard report named 2014 Cost of Cybercrime Study, the average annualized cost incurred per attack was $12.7 million, with a range of $1.6 million to $61 million (HP Report, 2014).

Taking all of these into account, cybercrime is a growth industry and an important international business issue all over the world. Potential victims and cyber criminals in the developing world face different economic and institutional factors than those in the developed world. In economies with low Internet utilization rates and few resources devoted to countering cybercrimes, formal institutions related to such crimes tend to be weak and dysfunctional. In such economies a cybercriminal is less likely to be accused. Furthermore, organizations’ and individuals’ technological and behavioral defense mechanisms are likely to be weaker. Another reason many people in the developing world are attracted to cybercrimes is the high unemployment rates and low wages (Kshetri, 2010).

The inherent flexibility of law, with the cumulative advancement and fine-tuning of standards over time, is helpful when evaluated against the backdrop of the rapidly developing nature of modern cyber and economic crimes (Menon & Siew, 2012).

VIRTUAL CURRENCIES

VCs or ‘cryptocurrencies’ have evolved tremendously and have been quickly establishing themselves as a payment system over the past five years. With dual potential as both an investment and an electronic medium of exchange, today VCs are a multibillion-dollar venture (Lee et al., 2015). Furthermore, the number of articles has been continuously growing, which is a sign of the increased level of attention on VCs (Richter, Kraus, & Bouncken, 2015).

There are some factors that explain the popularity of VCs. The main factors were the distrust of market participants in the global financial system and the so-called fiat currency. Besides, the rapid development of an Internet-based economy generated an inevitable interest in electronic money and currencies as well as new payment technologies (Belomyttseva, 2015).

There is no consensus on the definition of VC, basically because different scientific areas have their own perceptions of the matter. Besides, the fields of innovation, IT, law and economy are all within the scope of the definition, which makes it even more difficult to define (Richter et al., 2015). According to the International Monetary Fund (IMF), VCs are “digital representations of value, issued by private developers and denominated in their own unit of account” (IMF, 2016). According to the Financial Crimes Enforcement Network (FinCEN), a VC is “a medium of exchange that is not legal tender in any jurisdiction” (Gordon, 2013). In its stance, the European Central Bank (ECB) defines VC as “a type of unregulated, digital money, which is issued and usually controlled by its developers, and used and accepted among the members of a specific virtual community” (European Central Bank, 2012, p. 14). As a common definition, VCs are decentralized peer-to-peer payment systems that are digital representations of value and can be transferred, stored and traded electronically (Lee et al., 2015).

VCs can also be considered as alternative currencies. An alternative currency is a medium of exchange other than the fiat currency. Historically, there are various types of alternative currencies, classified by Hileman (2014) broadly into two categories: tangible and digital. Tangible currencies, closely associated with “commodity money,” derive their value from relative scarcity and nonmonetary utility:

• Currencies with Intrinsic Utility: Contemporary examples are prepaid phone cards and, to some extent, smart cards with cash value.
• Token: Local or community currencies such as the Brixton Pound and Bristol Pound that are used in England, BerkShares that are circulated in the Berkshire region of Massachusetts, and the Salt Spring Dollar in Canada are contemporary examples.
• Centralized Digital Currency: Examples are loyalty points from financial, telecom, or retail companies; air miles from airlines; Second Life’s Linden Dollar and World of Warcraft Gold, etc.
• Distributed and/or Decentralized Digital Currency: This includes cryptocurrencies such as Bitcoin, Litecoin, and Dogecoin. There is no legal entity responsible for the activities, and therefore, they fall outside traditional regulations (Saito, 2015).

Another perspective on the taxonomy of VCs can be seen in Figure 1. As digital embodiments of value, VCs fall within the broader classification of digital currencies (Figure 1). Nevertheless, they are different from other digital currencies, such as e-money. E-money is a digital payment mechanism for (and denominated in) fiat currency. VCs, on the other hand, are not denominated in fiat currency and have their own unit of account. Cryptocurrency can simply be described as a peer-to-peer type of electronic cash. It enables online payments to be sent directly between different parties without going through a financial authority. The network timestamps transactions using cryptographic proof of work (Saito, 2015).

Figure 1. Taxonomy of virtual currencies

Table 1, on the categorization of virtual and non-VCs, is also highly informative. Although all VCs are digital currencies, not all digital currencies are VCs. VCs are a digital embodiment of value that may be exchanged through the Internet for goods and services. However, VCs have no physical counterpart with legal status and are to a large extent unregulated. “Real money” or “national currencies” (fiat currencies) are the coin and paper money that a state authorizes as legal tender (Virga, 2015).

Table 1. A money matrix

| Legal status | Money format: Physical | Money format: Digital |
|---|---|---|
| Unregulated | Certain types of local currencies | Virtual currency |
| Regulated | Banknotes and coins | E-money; Commercial bank money (deposits) |

(Europe Central Bank, 2012)

The most widely recognized example among such VCs is Bitcoin. The first version of “Bitcoin,” which was a computer program, was quietly released in January 2009 by Satoshi Nakamoto with the hope that it would one day be the modern world’s first thriving, non-national currency. The creation and growth of Bitcoin may finally be considered as one of the most interesting and significant developments of the early 21st century (Parthemer & Klein, 2014).

Bitcoin came up as an online communication protocol that enabled the use of a VC, including payments made online (Böhme, Christin, Edelman, & Moore, 2015). It has no backing from a state authority, a central bank, or a commodity like gold. Like any traditional currency, VCs such as Bitcoin can be used to purchase goods and services from anyone who agrees to take them as a form of payment. However, VCs are not legal tender; therefore, they can be distinguished from traditional forms of currency, such as the Euro or any other currency authorized by a state (Tu & Meredith, 2015).

Bitcoin’s high volatility is one of the reasons that investors are attracted to it. Although the original target audience of Bitcoin was young people drawn to computer technology, currently Bitcoin, along with securities and derivatives, is generating interest among speculative investors (Belomyttseva, 2015).

As a VC without any central authority, Bitcoin is usually described as having some advantages over traditional currency. The most commonly mentioned benefits of Bitcoin are:

1. Lower costs and fees.
2. Fewer risks for exchangers.
3. Higher rate of anonymity for users.
4. Increased speed and ease of transfer/payment.
5. Less proneness to government manipulation and inflationary pressures (Tu & Meredith, 2015).

For a balanced summary of the advantages and disadvantages of VCs, please see Table 2.

Table 2. Advantages and disadvantages of VC

| Advantages | Disadvantages |
|---|---|
| a. World-wide toll-free transfers and lower fees in general | a. Acceptance / faith |
| b. No possibility of censorship or blocking | b. Money laundering, tax evasion and online criminal |
| c. No inflation | c. The limited group of users |
| d. Faster transactions | d. Value fluctuation of virtual money |
| e. Transparency / tamper resistant | e. Impacts of real-world monetary systems |
| f. Sustainability | f. Danger of virtual money system collapse |

(Richter et al., 2015, p. 582)


Yet amid the drastic fall of the exchange rate, Bitcoin thefts, the collapse of the Mt. Gox exchange (Mt. Gox is a bitcoin exchange based in Tokyo) and regulators’ continuing concerns about the role of VCs in the illegal market, Bitcoin lost some of its popularity. However, Bitcoin has always been and still is newsworthy. For example, at the end of 2014, Bitcoin became the ninth most popular payment method during sales on Black Friday and Cyber Monday; and at the end of January, the first regulated Bitcoin exchange licensed to operate in 24 states of the United States was launched (Belomyttseva, 2015).

REGULATIONS OF VIRTUAL CURRENCIES WITHIN THE COUNTRIES

The United States

The U.S. does not officially accept Bitcoin as a currency, although a Federal District Court in Texas and the U.S. Department of Treasury do. In the United States, there is currently no consensus on what constitutes a decentralized virtual currency. 77% of all conversions of Bitcoin to a denominated currency are for the U.S. dollar (Ponsford, 2016).

In July 2014, the New York State Department of Financial Services came up with the most elaborate regulation of VCs to date, usually referred to as the BitLicense. This regulation was not created the way US federal regulators create theirs: input from Bitcoin communities and the financial industry was gathered through public hearings and a comment period until October 21, 2014 to customize the rules (Luther, 2015).

United States laws do not explicitly outline how VCs fit into US regulations. However, the judicial authorities in recent years have ruled out that VCs qualify as money for money laundering. They have also ruled out that VCs meet the definition of an investment contract (Virga, 2015).

Japan

The Minister of Japan recently made a statement that currency under Japan’s laws means only coins or notes issued by the Bank of Japan and that VCs do not qualify as legitimate currencies. Officials from Japan’s Financial Services Agency and Finance Ministry stated that VCs are not legitimate in Japan’s economic domain and that the Bank of Japan is currently examining the VC phenomenon. Japan also stated that it does not plan to take any steps towards regulating VCs. The Vice Finance Minister of Japan said that VC regulations must “involve international collaboration to avoid gaps” (Virga, 2015).

The United Kingdom

Recently, Bitcoins have been categorized as a single purchase voucher and are subject to value added tax of between ten and twenty percent. VCs are not regulated in the United Kingdom at the moment. However, in August the United Kingdom’s Chancellor of the Exchequer made a statement that the United Kingdom will look into how VCs can be regulated (Virga, 2015).

Russia

The Russian Federation’s constitution (1993) and the federal law “On the Central Bank” (2002) define the ruble as the currency of the Russian Federation, while the Civil Code of the Russian Federation (1994) identifies currency with money without giving a definition for either of them. Only the federal law “On Currency Regulation and Currency Control” (2003) specifically defines currency, acting as a basic legal act in the field of currency legislation. Due to this conflict of laws, defining VC within the existing currency legislation is not possible and requires specification of the concept of currency in the federal law “On Currency Regulation and Currency Control” (2003) (Belomyttseva, 2015).

China

In December 2013, the People’s Bank of China, in cooperation with the MIIT (Ministry of Industry and Information Technology), the Banking Regulatory Commission (CBRC), the Insurance Regulatory Commission (CIRC) and the Securities Regulatory Commission (CSRC), authorized the Notice on Preventing Risks of Bitcoin. According to this notice, institutions that run services including Bitcoin registration, Bitcoin wallets and Bitcoin exchange must implement AML/CFT requirements and apply measures to classify their customers and record identification information. Financial institutions and payment service providers were also required to take enhanced surveillance measures on Bitcoin service providers to stop related risks (FATF, 2015).

Canada

In June 2014, Canadian authorities amended the Anti-Money Laundering (AML) / Combating the Financing of Terrorism (CFT) law to treat persons and entities active in the enterprise of dealing in VCs as money services businesses (MSBs). Adjunct regulations are still being developed to determine the entities to be included and their obligations. On the other hand, it is expected that the obligations will be to a large extent similar to already existing MSB obligations, which include registration, CDD (including beneficial ownership information), record keeping and an internal monitoring regime, as well as reporting suspicious and certain predetermined transactions (FATF, 2015).

France

Since 2011, France has to a large extent enlarged its Financial Intelligence Unit (FIU), TracFin. TracFin is investigating new anonymous electronic payment instruments, gold, and employee meal tickets that are used as alternatives to cash. In France the use of virtual money is growing through online gaming and social networks. Sports teams are another significant source of money laundering. TracFin has been increasingly focusing on tax and social benefits fraud, in close collaboration with the Budget Ministry and social security organizations (state.gov, 2016).

In June 2014, the French FIU, TracFin, issued a report, “Regulating VCs: Recommendations to prevent VCs from being used for fraudulent purposes and money laundering,” with the objective of setting up a framework to prevent the utilization of VCs for money laundering and fraud (FATF, 2015).

Germany

The German Payment Services Supervision Act (ZAG) does not regard Bitcoin as e-money, because no Bitcoin is issued representing a receivable from an issuer. For VCs the situation is different because they are backed by a central issuer. The German Federal Supervisory Authority (BaFin) affirms Bitcoin as legally binding financial instruments in the form of units of account in accordance with the German Banking Act (KWG). These units are like currencies, but are not considered legal tender either, and therefore qualify as neither currency nor banknotes and coins (FATF, 2015).

United Kingdom

The perception of the risks regarding VCs in the United Kingdom has improved. The United Kingdom’s National Crime Agency (NCA) is heading a multi-institutional action to assess and respond to the risks posed by the criminal utilization of VCs. These institutions include the Crown Prosecution Service, HM Revenue & Customs, City of London Police, HM Treasury, Bank of England, Financial Conduct Authority, Home Office and the Metropolitan Police Service (FATF, 2015).

Italy

VCs are not legal in Italy. In January 2015, the Bank of Italy warned about the use of VCs. This warning and communication were included in the Supervisory Bulletin 2015, which approves the EBA “Opinion on ‘VCs’”. It discourages banks and other supervised financial intermediaries from buying, holding or trading VCs. On the same date, the Italian Financial Intelligence Unit made a statement on the abnormal use of VCs and the detection of suspicious money laundering or terrorist financing transactions by related entities (FATF, 2015).

In Table 3 below, we can see that jurisdictions have implemented different policies towards reducing the possible threats of VCs and regulating VC-related activities. The table shows responses by selected jurisdictions that demonstrate this difference in approaches.

CYBERCRIMES VIA VIRTUAL CURRENCIES

Novel technologies also make up novel tools for illicit conduct. VCs are an example of those novel technologies. Besides having numerous benefits, VCs also create numerous opportunities for illicit activities. To date no state entity is controlling VCs. VCs allow clients to send goods anonymously, and they pass borders with ease via the Internet. These features of VCs make it hard for individual governments to regulate them (Virga, 2015).

The more advanced Internet technologies become, the more ways money launderers, terrorism financers and criminals find to utilize them for illicit and illegal activity. The creation of new payment methods, virtual environments and the ease of being anonymous on the internet have helped criminals, providing new methods to transfer large sums of money without much difficulty (Irwin et al., 2014).

With the Internet becoming a global phenomenon, the capabilities for money laundering have changed and transformed significantly at each of the traditional stages of money laundering. For example, digital networks allow skipping the placement stage because the stolen money already exists online or, as in the case of the illicit trade in digital currencies, money has already been pre-laundered, because it is placed in legal financial institutions without a placement stage (Tropina, 2014).


Table 3. Policy responses to virtual currencies - selected countries

Jurisdictions

AML/CFT: Warning and Regulating (Existing and New)

Argentina

Warning on the ML/ TF risks

Tax Treatment

Consumer Warnings and Advisories

Licensing/ Registration of VC Intermediaries

Consumer Warning

Financial Sector Warnings, and Bans Warning on reporting entities

Bolivia

Yes Amending existing regulations

Clarified tax treatment

Consumer Advisory

France

Application of existing regulations

Clarified tax treatment

Consumer Warning

Germany

Application of existing regulations

Canada

Bans on the Issuance/ Use

China

Ban

Consumer Warning

Italy Japan

Plan to introduce new regulations

Consumer Warning

Russia

Application of existing regulations

Consumer Warning

Singapore

Plan to introduce new regulations

Clarified tax treatment

Warning Plan to introduce new regulations Yes-draft law

Consumer Warning Consumer Warning

South Africa U.K.

Application of existing regulations

Clarified tax treatment

U.S.

Application of existing regulations (Federal)

Clarified tax treatment (Federal)

Consumer Warning

State licensing regimes (for example, NY BitLicense)

(IMF, 2016, p.42)

As previously mentioned, the most widely recognized example among such VCs is Bitcoin. According to Böhme (2015), Bitcoin’s Unlawful Financial Transactions (UFT) are divided into three categories: specific Bitcoin crimes, money laundering and Bitcoin facilitated crime.

1. Specific Bitcoin Crimes: These kinds of crimes are a direct result of computer-based attacks by technologically superior minds whose purpose is to steal bitcoins and also to change the exchange rate of the virtual currency.
2. Money Laundering: Bitcoins can be used for explicit reasons such as money laundering. The movement of funds between accounts can be extremely challenging to trace because funds are routed through mixers, which hide them from the general public and also from law enforcement.
3. Bitcoin Facilitated Crime: Bitcoin facilitates the payment for illegal services and goods predominantly purchased on a marketplace called the ‘Silk Road’. Criminals who use this illegal platform for their individual gain are attracted to it as they perceive it as the perfect scenario. Besides that, the people who utilize VCs are mostly people that conduct illicit activities.


We can demonstrate the international nature of these schemes with the following examples:

Silk Road

Launched in 2011, it was the largest anonymous online black market, allowing online users to browse it anonymously and securely without potential traffic monitoring. On Silk Road, users could buy and sell illegal narcotics, stolen identity information, weapons, and all kinds of illegal commodities (Saito, 2015). From the original Silk Road, which was the forefather of the current online black market, to Silk Road 2, and now Silk Road 3.0 and Silk Road Reloaded, the term has become synonymous with purchasing drugs on the net (http://silkroaddrugs.org/, 2016).

Silk Road did not create a new VC like Liberty Reserve did. It accepted the cryptocurrency Bitcoin as the only recognized currency. It was established in January 2011 and allegedly generated around 1.2 billion US Dollars in sales and collected around 80 million US Dollars in commissions through illegal transactions. The founder and operator of the site, Ross William Ulbricht, was arrested in San Francisco in October 2013 and indicted in New York in February 2014. He faces charges of drug trafficking, computer hacking, money laundering and conspiracy (Virga, 2015).

Liberty Reserve

This was one of the biggest online money laundering cases so far. Liberty Reserve was established to evade regulatory inspection and assist perpetrators in distributing, storing and laundering revenues collected from fraud, identity theft, drug trafficking, child pornography and other illegal activities. According to the United States Department of Treasury, Liberty Reserve was a financial network that was basically concerned with money laundering. Liberty Reserve created VCs called the “Liberty Reserve Dollar” or “Liberty Reserve Euro”. Users of these currencies exchanged them for national currencies. Over 6 billion US Dollars was laundered amongst more than a million users (Virga, 2015).

Western Express International

This was an Internet-based supranational cybercrime group and corporation composed of buyers, vendors, money movers and cybercrime service providers located in many countries, ranging from Ukraine to Eastern Europe and the United States (Virga, 2015). Western Express International was one of the largest currency exchangers in the United States; it exchanged 15 million US Dollars and 20 million USD in e-Gold, and provided knowledge and support via its websites on strategies to move money anonymously and evade surveillance.

Illicit conduct is not limited to transactions in illegal items. A new problem specific to VCs is Bitcoin theft. Bitcoins are encrypted, but that does not mean that Bitcoins cannot be confiscated or stolen (Saito, 2015).

In this regard, revenues of a crime can be laundered by criminals via depositing or transferring VCs worldwide, rapidly, irrevocably and anonymously. VC payment systems and accounts are used by criminals for financing purposes. The origins of criminal proceeds are disguised by criminals, undermining the ability of law enforcement to collect evidence and recover criminal assets. VC exchanges are used to bypass the regulated financial sector and trade in illicit goods and services. VCs can also be used for anonymous extortion (EBA, 2014).


Financing terror and money laundering are financial crimes, and they have economic repercussions. Money laundering needs a principal, revenue-generating crime (such as market manipulation, fraud, tax evasion, drug trafficking, corruption) along with the intent to conceal the revenue of the crime or to promote the illicit business. These activities create financial income that involves the diversion of resources away from economically and socially constructive uses, and these diversions can have adverse effects on the financial sector and external stability of states (IMF, 2016).

SOLUTIONS AND RECOMMENDATIONS

Cybercrime is certainly a threat to the economy of a country and to businesses. Moreover, there is no single solution for responding to cybercrime-related issues. It needs effective coordination and collaborative endeavor on the part of a wide range of government and private sector bodies, which can occur at various levels. To prevent cybercrime entirely, the key emphasis should be on the perfection of laws. Awareness and training arrangements among PC users, cybercrime investigating officers, police, lawyers and judges are critical for the detection and prevention of cybercrimes.

In order to prevent the utilization of VCs in illegal activities, measures such as increasing public awareness, regulating VCs, building up virtual intelligence activities and accepting virtual accounts as bank accounts can be taken. Furthermore, the economic activities of virtual communities can be subject to bank standards regarding identification, tax auditing and reporting. Together with an international campaign for a war on cybercrimes, reorganization of state regulations with the intent of preventing money laundering and the financing of terror can be an important step, along with a rearrangement of national laws with technological crimes in consideration.

FUTURE RESEARCH DIRECTIONS

This study could be expanded to include specific alternative cryptocurrencies. Moreover, a further study could be done on the demographic and sociological characteristics of cyber criminals to find the reasons that affect their cybercrime behaviors.

CONCLUSION

Nowadays, cybercrime is an important international business concern all over the world. The influence of globalization together with the advancement in communication technologies has increased cybercrime committed via VCs and facilitated its expansion at a global level. It is generally accepted that the virtual domain and VCs pose a threat in relation to money laundering and terror finance. As the technology of the internet advances, so do the ways in which money launderers, terrorism financers and criminals utilize it for criminal conduct (Irwin et al., 2014). Besides that, virtual currencies, due to their anonymous nature, have been linked to various types of crimes, including attacks on businesses, corporate espionage, counterfeit currencies, cyber stalking, extortion, identity theft, cybersquatting, creation and distribution of viruses, sexual exploitation and pornography, fraud and impersonation, drugs and weapons.


Thus, vague subjects like the credibility of economic activities carried out within online virtual communities, the status of VCs as a legal currency, taxation procedures, the credibility of the records of transactions, fraud and illegal content of websites, and fighting fraud are important topics revolving around VCs today (Johnson, 2007). As a consequence, while scientific and technological expansions generate boundless opportunities to improve the wellbeing of mankind, new technologies also create great challenges for countries and businesses. Moreover, cybercrime is an international problem, and no country can be isolated from its effects.

REFERENCES

Adomi, E. E., & Igun, S. E. (2008). Combating Cyber Crime in Nigeria. The Electronic Library, 26(5), 716–725. doi:10.1108/02640470810910738

Alkaabi, A., Mohay, G., McCullagh, A., & Chantler, N. (2011). Dealing with the Problem of Cybercrime. In I. Baggili (Ed.), Digital Forensics and Cyber Crime (pp. 1–18). Abu Dhabi: Springer Abu Dhabi. doi:10.1007/978-3-642-19513-6_1

Belomyttseva, O. S. (2015). Conceptual Framework for the Definition and Regulation of Virtual Currencies: International and Russian practices. Nase Gospodarstvo, 61(5), 32–39. doi:10.1515/ngoe-2015-0020

Böhme, R., Christin, N., Edelman, B., & Moore, T. (2015). Bitcoin. Economics, Technology, and Governance, 29(2), 213–238. doi:10.1257/jep.29.2.213

Brenner, S. (2010). Cybercrime Criminal Threats from Cyberspace. Santa Barbara, CA: Praeger Publishers. Retrieved from http://books.google.com/books?id=gsWQ-xgbLbUC&pgis=1

Broadhurst, R., Grabosky, P., Alazab, M., & Chon, S. (2014). Organizations and Cyber crime: An Analysis of the Nature of Groups engaged in Cyber Crime. International Journal of Cyber Criminology, 8(1), 1–20. Retrieved from http://search.ebscohost.com/login.aspx?direct=true&db=i3h&AN=97333470&site=ehost-live

Brown, C. S. D. (2015). Investigating and Prosecuting Cyber Crime. Forensic Dependencies and Barriers to Justice, 9(1), 55–119. doi:10.5281/zenodo.22387

Chawki, M. (2007). A Critical Look at the Regulation of Cybercrime A Comparative Analysis with Suggestions for Legal Policy. Retrieved from http://www.crimeresearch.org/articles/Critical

EBA. (2014). EBA Opinion on virtual currencies. EBA Opinion.

Etges, R., & Sutcliffe, E. (2010). An Overview of Transnational Organized Cyber Crime. Journal of Digital Forensic Practice, 3(2–4), 106–114. doi:10.1080/15567281.2010.536731

Europe Central Bank. (2012). Virtual Currency Schemes. European Central Bank. Retrieved from http://www.ecb.europa.eu/pub/pdf/other/virtualcurrencyschemes201210en.pdf

FATF. (2015). Guidance for a Risk-Based Approach to Virtual Currencies. Paris Cedex 16. Retrieved from http://www.fatf-gafi.org/publications/fatfgeneral/documents/guidance-rba-virtual-currencies.html


Gordon, G. (2013). Virtual Currencies in the Crosshairs. Criminal Justice, 28(3), 1. Retrieved from http://aut.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwY2BQSDYxNze2TEs2SjM1NzBJTAPWAWnGicbJycbA5okheEMYYjwXqTR3E2JgSs0TZZBzcw1x9tCFFY3xKTk58cbAmgk0KWRsaCjGwALsGacCANomGHQ

Harknett, R. J., & Stever, J. A. (2009). The Cybersecurity Triad: Government, Private Sector Partners, and the Engaged Cybersecurity Citizen. Journal of Homeland Security and Emergency Management, 6(1), 1–14. doi:10.2202/1547-7355.1649

Harrell, E., & Langton, L. (2013). Victims of identity theft, 2012. U.S. Department of Justice. Retrieved from http://www.bjs.gov/content/pub/pdf/vit12.pdf

Healy, C., & Li, Z. H. E. (2016). The Role Decentralised Non-Regulated Virtual Currencies Play in Facilitating Unlawful Financial Transactions. Academic Press.

IMF. (2016). Virtual Currencies and Beyond: Initial Considerations. IMF.

Irwin, A. S. M., Slay, J., Choo, K.-K. R., & Lui, L. (2014). Money laundering and terrorism financing in virtual environments: A feasibility study. Journal of Money Laundering Control, 17(1), 50–75. doi:10.1108/JMLC-06-2013-0019

Johnson, M. (2007). Telekomünikasyon Suçlari Ve Organize Suçlar: 3g Servislerinin Etkileri. Retrieved from http://www.masak.gov.tr/media/portals/masak2/files/19-20.03.2007_taiex_toplantisi_bilgi_notu_TELEKOMUNIKASYON_SUCLARI_VE_ORGANIZE_SUCLAR_3G_SERVISLERININ_ETKILERI.doc

Kamal, M. M., Chowdhury, I. A., Haque, N., Chowdhury, M. I., & Islam, M. N. (2012). Nature of cyber crime and its impacts on young people: A case from Bangladesh. Asian Social Science, 8(15), 171–183. doi:10.5539/ass.v8n15p171

Katos, V., & Bednar, P. M. (2008). A cybercrime investigation framework. Computer Standards & Interfaces, 30(4), 223–228. doi:10.1016/j.csi.2007.10.003

Kristoufek, L. (2015). What Are the Main Drivers of the Bitcoin Price? Evidence from Wavelet Coherence Analysis. PLoS ONE, 10(4), e0123923. doi:10.1371/journal.pone.0123923 PMID:25874694

Kshetri, N. I. R. (2010). Diffusion and effects of cybercrime in developing economies. Third World Quarterly, 31(7), 1057–1079. doi:10.1080/01436597.2010.518752

Lee, J., Long, A., McRae, M., Steiner, J., & Gosnell Handler, S. (2015). Bitcoin Basics: A Primer on Virtual Currencies. Business Law International, 16(1), 21–46.

Lewis, J. A., & Baker, S. (2013). The Economic Impact of Cybercrime and Cyber Espionage. Academic Press.

Lone, M. I. (2013). Cybercrime in India: A study, 2007 TO 2011. Academic Press.


Luther, W. J. (2015). Regulating Bitcoin: On What Grounds? Retrieved from http://ssrn.com/abstract=2631307

Maftei, L. (2014). Bitcoin - Between Legal and Informal. CES Working Papers, 6(3), 53–59.

Menon, S., & Siew, T. G. (2012). Key challenges in tackling economic and cyber crimes: Creating a multilateral platform for international co-operation. Journal of Money Laundering Control, 15(3), 243–256. doi:10.1108/13685201211238016

Nykodym, N., Kahle-Piasecki, L., Ariss, S., & Toussaint, T. A. (2010). Cybercrime and Business: How to not Get Caught by the Online Phisherman. Journal of International Commercial Law and Technology, 5(4), 252–260.

Parthemer, M. R., & Klein, S. A. (2014). Bitcoin: Change for a Dollar? Journal of Financial Service Professionals, 68(6), 16–18. Retrieved from http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=99081262&lang=pt-br&site=ehost-live

PWC. (2016). Global Economic Crime Survey 2016. Retrieved from www.pwc.com/crimesurvey

Richter, C., Kraus, S., & Bouncken, R. (2015). Virtual Currencies Like Bitcoin As A Paradigm Shift In The Field Of Transactions. International Business & Economics Research Journal, 14(4), 575–587.

Saito, T. (2015). A Microeconomic Analysis of Bitcoin and Illegal Activities. In D. L. K. Chuen (Ed.), Handbook of Digital Currency: Bitcoin, Innovation, Financial Instruments, and Big Data (pp. 231–247). Elsevier Inc. doi:10.1016/B978-0-12-802117-0.00012-6

Shang, H. (2012). Analysis of Youngster Cyber Crime Based on Legislation. In 2012 International Conference on Future Information Technology and Management (Vol. 14, pp. 298–303).

Shin, Y.-D. (2011). New Model for Cyber Crime Investigation Procedure. Journal of Next Generation Information Technology, 2(2), 1–7. doi:10.4156/jnit.vol2.issue2.1

Smith, R. G., & Hutchings, A. (2014). Identity crime and misuse in Australia: Results of the 2013 online survey. Academic Press.

Tropina, T. (2014). Fighting money laundering in the age of online banking, virtual currencies and internet gambling. ERA Forum, 15(1), 69–84. http://doi.org/10.100712027-014-0335-2

Tu, K. V., & Meredith, M. W. (2015). Rethinking Virtual Currency Regulation in the Bitcoin Age. Washington Law Review (Seattle, Wash.), 90(271), 271–347.

Virga, M. (2015). International criminals and their virtual currencies: The need for an international effort in regulating virtual currencies and combating cyber crime. Brazilian Journal of International Law, 12(2), 511–526. doi:10.5102/rdi.v12i2.3557

Wall, D. S. (2007). Cybercrime: The Transformation of Crime in the Information Age (Vol. 95). Cambridge, UK: Polity Press.

Wozniak, S., & Smith, G. (2006). IWoz. New York: W.W. Norton & Co.


KEY TERMS AND DEFINITIONS

Black Market: An illegal free market, also known as the “underground market”.

Cryptocurrency: A medium of exchange using cryptography to secure the transactions and to control the making of new units.

Cybercrime: Refers to unlawful conduct carried out with the use of computers and electronic devices.

Europol: The European Union’s law enforcement agency whose main goal is to help achieve a safer Europe for the benefit of all EU citizens.

Money Laundering: The method of changing the proceeds of crime, corruption or kleptomania into ostensibly legitimate money or other assets.

The Financial Crimes Enforcement Network (FinCEN): A bureau of the United States Department of the Treasury that collects and analyzes information about financial transactions in order to combat domestic and international money laundering, terrorist financing, and other financial crimes.

Virtual Currencies (VCs): Digital symbols of value, issued by private developers and denominated in their unit of account.

This research was previously published in Cybersecurity Breaches and Issues Surrounding Online Threat Protection edited by Michelle Moore, pages 121-143, copyright year 2017 by Information Science Reference (an imprint of IGI Global).


Chapter 8

Three New Directions for Time Banking Research:

Information Management, Knowledge Management, and the Open Source Model

Lukas Valek
University of Hradec Kralove, Czech Republic

ABSTRACT

This chapter aims to highlight three viable fields of research within the domain of time banking (TB), a time-currency-based complementary economy system that has been implemented in various frameworks now for more than three decades. The areas of information management (IM), knowledge management (KM), and open source software (OSS) are almost totally unexplored within time banking. In information management, attention has mainly been devoted to IM frameworks. One link (among others) between knowledge management and open source software has been found in a core concept of the time bank called co-production. Finally, all three of these fields can be related directly to time banking and should have a place in further research, the results of which could also have applications in the field of complementary economic systems in general.

DOI: 10.4018/978-1-5225-6201-6.ch008

1. INTRODUCTION

Time Banking has been around for more than thirty years, during which time it has spread from its country of origin, the United States, to other countries around the world (hOurworld.org, 2017b; Timebanks_USA, 2017). In some resources (Miller, 2008), however, the world’s first time bank is said to have been founded in Japan in 1973 by Teruko Mizushima, with the idea beginning to spread globally approximately ten years later when E. S. Cahn invented his Time Dollar in the US (Cahn & Rowe, 1992). The TB concept has faced many challenges, and in terms of cultural environment it is often adapted to reflect a particular regional reality (Valek, 2013b), this adaptation including the management of information and knowledge contained within a time bank, but also various information technology solutions. Nowadays many Time Banking movements have emerged around the world, with the number ever-increasing, thus it is quite difficult to determine a precise count (Blanc, 2011). Nevertheless, their focus on social economy gives users a tool to help themselves rather than expect support from authorities. At the present time, more than 30 different web platforms and software (Boyle & Bird, 2014) support TB endeavors as well as efforts to unify time banks into stronger groups or alliances (Valek, 2016).

The goal of this chapter is to show a number of new directions for research in the field of Time Banking. Time Banking is a type of complementary economy, and as TB uses time as a form of currency, it is also considered a complementary currency system. The word “complementary” is important, as we can also find in the literature the term “alternative economy,” with the difference being in the fact that an alternative structure is intended as a replacement for current economic systems or for a particular currency, while a complement merely helps in places where a current economy or currency is failing (Lietaer, 2001). Complements are easier to integrate into an economy, and through their influence slowly shift the economic paradigm. As for complementary economic systems, literature is available, including works on TB, outlining advantages and risks related to various complementary currency systems (Kennedy, 2012). Justifications for the existence of complementary economies and their putative place in society are not part of this study, as this is a rather extensive topic which has already filled many books.

Thus far, in many places where people have been learning about concepts of Time Banking, they are in a very hard position to implement them (Valek, 2013a, 2013b, 2015a). Warnings to expect opposition (Cahn, 2004) have been given. It remains important to build a surrounding environment with people who think the same way, so that a community can be created to further develop the idea and to apply the positive effects of TB.
Unfortunately, however, mere enthusiasm is often not enough, since to keep a Time Bank running and sustainable several factors are necessary which are related to the language and other cultural conditions in a respective location, as well as to the number of users and services it offers, how funds are obtained, the readiness of the environment to accept ideas of Time Banking, policies and legal issues, as well as tactical and strategic planning. These points seem to be crucial throughout the lifetime of a Time Bank (Valek, 2013b). Aside from this, with the growing professionalization of TB a systemic approach towards managing information and knowledge is necessary. Time Banks are themselves a tool to directly target the origin of specific problems, and as tools they should be carefully managed and structured.

Research in the field of TB is very scarce. Naughton-Doe has found 80 documents related to Time Banking, out of which only 38 can be considered primary data and 29 qualitative data. Most of the topics relate to TB implementation, processes, outputs, associations and outcomes. Nevertheless, they often contain limited or unexplained samples, the methodology used was not found to be adequate, or the texts fail to explain the measurements used. In the end, only 11 papers were found usable for scientific research (Naughton-Doe, 2015). In the area of Information and Knowledge Management, TB remains unexplored, as no resources were found to be related to these domains.

Throughout this text, TB is used as an abbreviation both for Time Bank and Time Banking, with TBs used in the plural for Time Banks, except in situations when the use of the abbreviated form might hinder understanding.

The chapter has the following structure: after this introduction, a short background is described which focuses on the non-mainstream economic approaches of which TB is an integral part, as well as the details of TB. In the next section, the three fields of Information Management, Knowledge Management and Information Technology are outlined in the given context. In the discussion, all three are scrutinized in greater depth, from which conclusions are then drawn.


2. BACKGROUND

2.1. Non-Mainstream Economic Approaches in the Digital Age: Complementary Economies

The form of currency generally utilized today is referred to as fiat currency. Fiat money is in fact created “out of nothing” and the name itself refers to its enigmatic existence (from Latin Fiat lux in the Biblical book of Genesis, meaning “Let there be light,” which can be restated as “Let there be money”) (Lietaer, 2001). Critiques of the fiat currency issued by private institutions through the creation of debt have gone as far as to compare it to arsenic, which, although it is a deadly poison, was used to alleviate short-term symptoms in medicine when no better solution was available (Lietaer et al., 2012). Complementary economic systems are supportive means which provide contextual solutions to problems arising in the economy as a whole from the creation of fiat money.

An early critique of fiat currency was put forth in the 1930s by Irving Fisher, who proposed the so-called “Chicago Plan,” the aim of which was to gradually transfer the responsibility of issuing fiat currency to governments by forcing commercial banks to back deposits by credits from a government and later lowering the amount of money in circulation by lowering the banks’ capital deposits. In the working paper “The Chicago Plan Revisited,” authors Jaromir Benes and Michael Kumhof re-evaluate this idea, determining that it could bring many benefits (Benes and Kumhof, 2012), but in the end it would merely signify the transfer of the authority of the “creation” of money to only one institutional body instead of allowing multiple institutions to control it. Nevertheless, a higher order might be reached by establishing real control over the issuing of fiat money through the prevention of the violent reactions of commercial banks to market events, which is what the Chicago Plan, never instituted, would offer.

Related to the previous statements, the observation can be added that fiat money itself has also now become a commodity (Caroll and Belloti, 2015), although it is difficult to imagine trading in something which does not really exist in material form. Tied to concepts like these, the focus of market economies on economic growth has long been institutionalized, despite the fact that endless unlimited growth has been demonstrated not to be possible (Seyfang and Longhurst, 2012, Holmgren, 2011). These previous lines might tend toward the utopic or dystopic, but they are put forward here only as a concentrated description of the kind of rhetoric that many of the founders of complementary economic systems use, and from this somewhat moralistic critique the whole scope of what has been referred to as the non-mainstream economy emerges.

As noted earlier, history has proven that alternatives to monetary systems in use at a particular time usually do not work, whereas complements to this system actually possess the power and potential to utilize what is “left behind” by the market economy. Several examples have emerged, starting with complementary currencies, through exchange systems, unconditional minimal revenue, Time Banks, gift economies and other structures. Many of these options were first mentioned in the literature decades (or much longer) ago, but the fact that they not only persist but have been shown to thrive in many parts of the world shows their feasibility. All of these have been studied by the Complementary Currency Resource Center (CCRC, 2016).


2.1.1. Most Common Complementary Economies

• Local Currencies: These structures represent regionally developed and used currencies of which the main aim is to facilitate exchange within a certain geographically defined region. They have several objectives (Kennedy et al., 2012):

Creating Local Jobs

• Stem the drain of purchasing power from the region.
• To open up new avenues to enable local government to fulfill its designated tasks

Helping to Develop

• Economic stimulation instead of stagnation
• Stabilization or growth of the population
• Increase in regional purchasing power and, by this, improvement in municipal finances
• Positive identification with the region
• Improvements to the infrastructure and increased local autonomy
• A greater sense amongst the population, a sense of participation
• Preservation and development of employment opportunities and incentives for firms to remain in the region

Local currencies stand upon the trust of their users, which is a common feature of all complementary currencies. As mentioned above, the main focus is on bringing back activity, prosperity and jobs to a certain region. This could be either an urban or a rural region.

• LETS (Local Economy Trading System): LETS represents one of the first working concepts of a trading system, an economy which grows from the needs of a community. It resembles a local currency system, as it uses one as a medium, but it sprouts from a need to maintain trading within communities in times of crises (Lietaer, 2001). Standard money might also be used in these transactions, but most exchange is made for the LETS currency (usually a work/service). In this sense, citizens in a particular region can keep trading and working even when official currency is scarce. Scarcity does influence LETS money, as it is generated in the moment when a demand is created, more precisely when a trade is agreed upon. Moreover, currency in a closed system of LETS appears in a strictly reciprocal operation between two parties when at a given time a certain number of units is subtracted on one side and added to on the other side (Martignoni, 2015).

• Business Exchange: This regional community currency allows small businesses and individuals to continue to trade and produce even when they would not have enough financial power in the official currency. A business exchange provides credits, in turn allowing trades which would not normally take place. In addition, a safe environment is created which fosters commerce between and among proven business partners. In this sense, it plays a similar supportive role as a TB does in business. One good example is Swiss WIR, the oldest continuous complementary currency system in the Western world, in existence since 1934 (Lietaer, 2001). The WIR exchange includes both businesses and individuals in a system which in 2010 had an annual turnover rate of 1.6 billion WIR francs (1 WIR franc = 1 Swiss franc). Other examples of a business exchange have emerged in the RES in Belgium, with its yearly turnover of the equivalent of 35 million Euro, as well as the Business Exchange Scotland, along with others.

• Electronic Currencies: In the 21st century, many services which generally remain within the domain of huge corporations, e.g. amongst their subsidiary banking facilities, have come within the grasp of ordinary people. They can be “grown” from the grassroots instead of installed from the top. The emergence of open source systems has by co-production (introduced below) allowed small enterprises or even individuals to develop their own software, including operating systems, a fact which has also had a huge impact in the field of telecommunications. Individuals can even for the first time legally circumvent banks in domains which had previously remained untouchable. As one example for all, in the money transfer sector, the project Transferwise (Transferwise, 2016) allows the complete avoidance of banks and their fees by matching sending and receiving transactions in different countries and currencies, so that the actual payment never leaves the country of origin.

Perhaps the biggest impact in electronic currencies in the past few years has been made by Bitcoin. This public electronic currency, founded in 2009 (Bitcoin.cz, 2016), is based on the open source approach. The main critique of the founders of Bitcoin against ordinary electronic money transactions was focused on the necessity within large financial institutions of an intermediary or “middle man” in electronic transactions, with the accompanying cost increases, especially transaction fees, which limit and in fact often completely rule out small casual transactions. Also, the necessity of officially verifying the identities and financial status of the parties involved, and with this the requirements to submit personal information, slow down and complicate transactions. The proposed approach was an electronic payment system based on cryptographic proof instead of “trust” or identity verification, allowing any two willing parties to transact directly with each other without the need for a trusted third party (Nakamoto, 2009).

The verification factor and need for the tracking of exchanges is also inherent for TB, as verification requires memory, while paper money leaves no traceable trail. The Time Dollar, or time credit, is counted as an electronic currency, a fact which builds trust, as the present is shaped by the future (Cahn, 2000).

Another feature of Bitcoin is that the final resource of money is limited, but the currency can be divided into fractions. By this constraint, it comes much closer to a commodity-based currency. The payment cryptographic engine uses so-called “mining” to create new coins. However, the Bitcoin system is not without its critics. Firstly, it removes the power over money from banks and places it into the uncertain hands of volunteers who run the mining engine on their computers, the combined power of which exceeds the world’s 500 fastest supercomputers put together (Economist, 2013), thus the security of transactions may be called into question.

At any rate, the success of Bitcoin has paved the way for other similar currencies, which mimic it or have tried to change some features of it, e.g. Litecoin, which offers faster transactions but keeps the limited coin supply feature, and Peercoin, of which there is an unlimited supply but which comes with an implicit 1% inflation. Anoncoin and Zerocoin both aim for complete anonymity of the transactions. In conclusion, even though Bitcoin has its own disadvantages, it (and its popularity) has proven a point: that this might be the way of imagining and putting into use a new kind of money. The decentralization involved moves the power over currency from banks to individuals. In the same way as the online music project Napster (eventually determined to be illegal) paved the way for services like iTunes and Spotify (Economist, 2013), the road has been paved by Bitcoin for new currency independence.






• Sharing-Based Economies: Several systems of exchange deserve mention here. These sharing systems actually save users costs by virtue of the medium of exchange being shared, thus limiting consumption. Typical examples are car sharing, services like Airbnb and Couchsurfing (through which accommodation is shared), and tool sharing (along with various other items), through which people who use certain items only occasionally can borrow them from the community for a limited period of time.

• Gift Economy: This would seem to be the oldest kind of complementary economy. Gift giving also helps to strengthen social ties, especially in tough times, and it is particularly important in a demanding and unpredictable environment (Lietaer, 2001). In the Czech Republic, one gift economy-based platform has emerged called Hearth.net (Hearth.net), a web platform which creates a community of people who are willing to give. Those who have something to offer (which could be practically anything) give it unconditionally, and those in need ask the community that it be given to them.

2.2. Time Banks

This section is based on research on TB conducted by the University of Hradec Kralove, Faculty of Informatics and Management (UHK, FIM), Czech Republic. The long-term project consisted of many methods including questionnaires, semi-structured interviews, study visits, student specific research projects, in-depth analysis and literature reviews. Study visits uncovered particular differences in the understanding of the TB concept, semi-structured interviews with important stakeholders showed the management methods of TBs and, finally, a literature review put everything in scientific context. But as mentioned above, in the fields of Information Management, Knowledge Management and Information Technologies there is little relevant research. Although many initiatives have emerged attempting to develop ideal TB software for their own particular conditions, theoretical research for these groups is also not a priority. In general, the research into TB that does exist is disjointed and often based on anecdotal evidence with a lack of appropriate methodology (Naughton-Doe, 2015). As noted earlier, most of the research is related to the performance of existing TBs, e.g. their influence on healthcare, social services, community development, etc. (Boyle & Bird, 2014; Caroll & Belloti, 2015; Granger, 2013; Lasker et al., 2010; Osipov, Volinsky, & Prasikova, 2016; Ozzane, 2010; Ryan-Collins, Stephens, & Coote, 2008; Shih, Bellotti, Han, & Carroll, 2015; Timebanking_UK, 2005).

In addition, TB has no clear, agreed-upon definition. It is usually described by a mere description of the workings of the exchange of the time currency, often called Time Credits (TC), along with how it contributes to community. Sometimes a functioning TB is not even referred to using the words “Time Bank”; one example is the organization Partners in Care (Partners_in_Care, 2017), where it is described as Time Exchange.

While there are various types of TBs, to this date there has been no unified categorization or taxonomy of TBs, although in the past many attempts have been made to classify the category (Ryan-Collins et al., 2008, Naughton-Doe, 2015, Watershed, 2017, Blanc, 2011, Timebanking_UK, 2015, Boyle and Bird, 2014). These attempts have been mostly negatively influenced by a researcher. Still, the very use of a TB remains subjective, i.e. practiced according to the point of view of a particular person or a team. At the most elemental level, a division can be made into three usages according to the member base of a TB:


• Person to person TBs, in which only individuals participate in exchanges
• Person to organization TBs, in which individuals exchange with legal bodies
• Organization to organization TBs, in which organizations use their unused resources to exchange with each other

Even though there is no unified definition, a TB can be identified by its key features, defined in the literature according to function, core values and main principles. The core principle is called co-production, and a TB always employs five core values. If a system uses a time currency but does not involve co-production (Cahn, 2000) and these core values, it does not reflect what can be called a TB; one example is Ithaca Hours (IthacaHours, 2016), which uses a time currency but works on LETS principles. The core values can be listed as the following (Boyle & Bird, 2014; Cahn, 2000; Granger, 2013; Ozzane, 2010):

1. We Are All Assets: TB values people and recognizes that everyone has something special to offer others: knowledge, skills, resources, time. Every human being has the capacity to be a builder and contributor, as an individual or as part of an organization. Thus the service offered in a TB could be almost anything, opening up opportunities for exchange (making offers and requests) which are not “marketable,” but have value for other members of the TB (both people and organizations).
2. Redefining Work: Redefining work means that members are rewarded for any kind of work, whether it would be considered financially profitable or not by market economy standards, as touched upon above. Work in this sense does not necessarily mean a “job.”
3. Reciprocity: This exchange works as a two-way process. Members can both offer and request at the same time, and both the earning of TC and the spending of TC bring positive feedback.
4. Social Capital: The creation of social capital is very important for any community, whether it consists of individuals or a knowledge-based organization (Nonaka, 1991). Social capital, among other functions, solves problems with unemployment and learning for individuals, and facilitates innovation and further development of organizations.
5. Respect: Every human being matters. As a mutual understanding of what people and organizations do, this is a key element for the development of positive relationships between entities in a region. A higher level of trust leads to the possibility of further innovation by the facilitating of common projects (Lehaney, 2004).

The core principle of TB is so-called co-production (Cahn, 2000). Co-production means that people take responsibility for solving problems in their immediate environment and co-produce results. Thus, rather than waiting for help from outside, they take the initiative and find ways to resolve the problems that need to be solved. In this sense, TB is a tool which creates and nurtures a community that can co-produce results autonomously. Co-production can also be found in the business world and in the sphere of information technologies, even though it is generally not referred to in this way. This will be introduced below.

3. THE NEW DIRECTIONS

The main topics explored in this chapter are as follows:

• Information Management frameworks
• Knowledge Management in TBs
• Open source software and other tools

3.1. Information Management

Processing information in an IT system is an issue for most organizations, with the creation of a functional and efficient Information Management Framework (IMF) attempting to create an “ideal” situation (Maes, 1999), in order that involved stakeholders have access to information to make optimal decisions (Linderman et al., 2005). An IMF should cover and unify the main topics important for directing information in an organization from the point of view of management: strategy, structure and operations. Areas of concern include business/organizational, information and communication, and technology (both systems and infrastructure), and the design of an IMF should take all of these into account (Maes, Rijsenbrij, Truijens, & Goedvolk, 2000). An IMF should be considered when developing new software for a TB and should also take into account the overall layout of information distribution within a TB. To these ends, a generic Information Management framework will be proposed for a TB environment.

3.2. Knowledge Management

One of the main functions of a TB is knowledge and skill sharing, with this knowledge and these skills used to perform the service exchanged. Knowledge sharing is one of the most important features of a TB (Valek, Kolerova, & Otcenaskova, 2014), and it happens in several ways. First, a TB provides people/members with a safe environment in which to find other people with similar interests who will gather around certain issues (along with other people bound in standard organizations), much like communities of practice (CoPs) in a company form informally around problems. A CoP is by one definition a “group of professionals informally bound to one another through exposure to a common class of problems, common pursuit of solutions, and thereby themselves embodying a store of knowledge” (Manville & Foote, 1996). This could be within a firm or any other organization in which a TB is included. The forming of CoPs has the same basis as the idea of co-production, the main driving force of TB introduced above. Co-production is based on giving people the tools to be able to solve problems, so those with the appropriate skills, knowledge and interests can naturally join the effort. These individuals will gather around the problem without much facilitation and start solving it themselves; nevertheless, a framework would be handy in these conditions (Valek, 2015b). CoPs are in essence interest groups who gather informally around a problem to solve it, i.e. in the structured environment of an organization unsolved problems remain, thus people interested in solving those problems, and with the knowledge to do so, gather naturally and voluntarily around an issue and resolve it. The only difference between the interest groups of a TB and CoPs is that CoPs form within an existing company, whereas interest groups (the CoPs of a TB) form in an existing and working TB. Of course, in a TB both explicit and tacit knowledge are present. Explicit knowledge is easily learned and transferred, for example knowledge contained in books. Tacit knowledge comes only through experiential learning and is gained by an individual over time (Shreiber et al., 2002). “Getting out” the knowledge from the individual’s mind is very complicated, but it is a process that must be undertaken so that others can learn from these skills and experience.


Learning from each other’s knowledge within a TB is one of the motivations to join one. This raises the competences of all members, a possibility that many are attracted to, including organizations. This learning happens naturally just by the exchange of certain services, but also through other outputs and spin-off events and projects, i.e. by people offering services, including what they like and know how to do, and thus learning becomes a by-product of the exchange of knowledge contained therein. For this reason, educational processes are a fundamental part of the framework of a TB. This is in accordance with Nonaka’s Spiral of Knowledge (also known as SECI, after the first letters of its four steps: Socialization, Externalization, Combination and Internalization), whereby explicit knowledge can be extracted out of the tacit, as depicted in Figure 1 (Takeuchi & Nonaka, 2004). The steps of the spiral are:

• Socialization: Seeing how others do it and learning from their knowledge, which happens when people meet and have the opportunity to experience the knowledge of another person, and thus be shown how to do things. In TB there are services which are directly aimed at learning, but knowledge is transferred from one person to another even in those which are not.
• Externalization: Now it is possible to formulate and describe the knowledge in a way which is understandable for another person. Part of the knowledge of the other person has been “extracted,” after which the learner is ready to try new tasks and activities him/herself.
• Combination: To formulate how the newly gained knowledge could be used. In TB this means developing new competences.
• Internalization: Using what has been learned in application. In TB, typically new services can be offered, new interest groups formed, new projects started, etc.

Figure 1. Spiral of Knowledge (or SECI model) by Ikujiro Nonaka. Source: (Takeuchi & Nonaka, 2004).

3.3. Information Technologies

As mentioned above, the number of TBs currently in existence is difficult to calculate (Blanc, 2011). To obtain greater support, TBs tend to create networks, such as Timebanks USA in the United States of America, Timebanks UK in the United Kingdom and the newly born Timebanking Europe, which has sprouted out of TBUK as a TB support net for other European countries (Valek, 2015), although at the moment it lacks proper financial support. The more extensive software platforms, which allow more features, are Time and Talents (T&T) from hOurworld (http://hourworld.org/) and Community Weaver from TimeBanks USA (http://timebanks.org/community-weaver-upgrade-to-cw-3-0/). As Timebanks USA states on its website, the network includes more than 200 independent TBs in the USA and others in more than 32 other countries, and it has developed Community Weaver (CW) for the network (http://timebanks.org/about/), which TBs in the TBUSA network are encouraged to use. On the other hand, T&T is more widely spread, as 507 communities around the world use the software. This includes mostly the USA, the UK and a few countries worldwide. Based on discussions with users, several technical issues with CW have emerged, especially with version 2.0. Put simply, the problems were caused by its overcomplicated design, which is based on two platforms: WordPress and Drupal (www.larks.la/tags/community-weaver). Currently version 3.0 is available, and time will prove its relative stability and usefulness. On the other hand, T&T is known for its stability, although the design at first glance might seem overly simple. Due to this stability, simplicity and easy-to-use approach, T&T has spread widely in the United Kingdom, replacing the older software Time On Line. In addition, hOurworld has just launched its mobile application for Android and iOS, called hOurmobile, which greatly broadens the accessibility of the service. Another possibility for time bankers is the internet banking software Cyclos, which can be used as a platform for various kinds of Complementary Currencies, including TB. Cyclos is a paid service in its 4.0 version, but can be used free of charge by a social organization if it demonstrates social benefits and non-profit aims. Cyclos 3.0 is offered as open source (although support ended in 2013), so it can help enthusiasts to create their own Complementary Currency trade system (http://www.cyclos.org/products/). To sum up, most of the solutions described rely on a content management application, as this is easily accessible and not very complicated to manage even for less experienced users (Valek, 2016).

4. DISCUSSION

4.1. Information Management

As noted above, a solid Information Management framework is always necessary so that the involved entities and stakeholders have access to information to make optimal decisions (Linderman et al., 2005). As there is no available theory or research which takes the TB environment into consideration, it is necessary to use an approach from the business world. The structure we have chosen comes from the Generic Framework for Information Management proposed by Maes (1999). The structure of the proposed Generic Framework for Information Management (GIMF) also seems ideal for TB, as it considers all the important elements, with each cell of the framework being equally important (Maes, 1999). As noted above, the term business might be confusing, so it can be replaced with the word TB for these purposes. In the structure of the GIMF, the columns describe, from left to right, business expertise, interpretation of information, and providing technology. The horizontal lines represent, from the bottom, the operative, tactical and strategic levels of these groups (Maes et al., 2000). The adaptation of the GIMF to the TB environment is shown in Figure 3.

Figure 2. Generic framework for information management. Source: (Maes et al., 2000).

Figure 3. Generic Time Bank Information Management framework (GTBIMF)

4.1.1. Time Bank Column

Following the bottom up structure, the TB originates from a need of a target group, which turns to its member base, which in turn provides inputs, most importantly their skills, knowledge, assets, resources and time, so the starting cell is one within the Structure line and Time Bank column. In order to root their activity, potential they must adhere to local law and regulations which would lead to the foundation of a base organization (upper cell), the Time Bank. When a TB is in operation, members would start to exchange and they also can form interest groups (lower cell).

4.1.2. Information and Communications Column

The coordinator is the central junction of all information flows, i.e. an information bridge and a crossroads. Records about all activities and skills, knowledge, assets, resources and time pass through the coordinator so that he/she can facilitate the functioning of a TB. The information is also passed on to the base organization for strategic decision making.

4.1.3. Technology Column

Taking the bottom up approach, members require a simple, affordable, robust, accessible and easy to use technological solution. The final solution depends on availability, but in general it can be designed from scratch, or an existing solution can be used or adapted if available. The selected solution should not only consist of a desktop version, but also contain a mobile application option. From a certain point the system should ideally be autopoietic (Holmgren, 2011), in other words “self-sustainable”, using its own internal resources to run itself with very little outside input. The table introduced above can be called a Generic Time Bank Information Management framework and it is the first of its kind. It not only explains simplifications in the structure of the Time Credit entity, but also proposes a new way of looking at information flows in a TB.

4.2. Knowledge Management

Probably the strongest relation to Knowledge Management confirmed by our research is knowledge sharing. Introduced above as Communities of Practice (CoP) in (Valek, 2015b), KM is strongly related to the idea of co-production, with the only difference being that in the literature CoPs have in fact already been introduced in the business environment. As KM is mainly about managing how humans can share their knowledge effectively using technical tools where appropriate (Lehaney, 2004), this approach can be applied to any sphere of human activity. In addition, the above-proposed GTBIMF gives a clear framework not only to information but also to knowledge sharing. Both CoPs and interest groups, which are often naturally created by members in a TB, can exist and operate successfully only when members trust each other, with trust being the cornerstone of a TB. This dependability among members is secured by rules and the coordinator’s presence. Knowledge is a bond between the social and professional links among people sharing a common interest in a particular area, which enables them to share experiences and an understanding of potential issues and pitfalls. Membership and choice of community need to be voluntary, otherwise members may not participate in the knowledge sharing (Lehaney, 2004). If we consider the fact that all TBs are composed of people, whether individuals or groups bound to organizations, this description categorically describes how a TB operates in the sense of its knowledge sharing potential. The benefits of CoPs are based mostly on the creation of social capital, which allows the further development of an organization. By being part of a CoP, members obtain the benefits of connections and relationships framed within a common context. These ties in fact represent the social capital of the community, which then has the power to enhance the performance of an organization within which a CoP is operating (Lesser & Storck, 2001). In other words, by giving people within an organization the opportunity to participate in a TB we allow the creation of CoPs or interest groups in this context, thus enhancing the overall performance of the group. By exchanging services and knowledge in TBs, experiential learning occurs. Experiential learning relates to tacit knowledge. Managing this knowledge means surfacing it (making it in some way explicit) (Nonaka, 1991). Experiential knowledge can be converted into fluid knowledge so that others can share it (Lehaney, 2004). The knowledge intensity (Otcenaskova, Bures, & Mikulecka, 2012) of all the participants within a knowledge sharing system such as TB is one of the essential keystones supporting the variability of choice within the system. Put another way, the more the participants of the system know, the more they have to share, thus the more possibilities there are for sharing and, in the case of TB, the more opportunities they have to spend the earned TC (Valek, 2015b). This idea of knowledge intensity actually supports the assumption that the more skills, knowledge, assets, resources and time are inputted, the more possibilities TB offers and the more outputs it brings. Another similarity is that face-to-face meetings and communications are considered to be most important for developing relationships and learning within CoPs (Lesser & Storck, 2001). The same holds in TBs, where the personal contact between or among individuals is even more important than the exchange itself (Valek et al., 2014). This does not mean that virtualization is impossible, but, again, it brings both benefits and risks in both situations. Virtualization or non-personal communication raises questions about the legitimacy of exchanges and thus brings another obstacle to the participation of members (Hildreth, Kimble, & Wright, 2000), as shown in a previous analysis (Valek, 2015b). Based on the above, we can say that co-production is a phenomenon which is present both among individuals and in organizations of any kind. We can also say that co-production leads to the creation of CoPs/interest groups, and these can give organizations or a TB a much greater potential than operation based purely on the original “design” of an organization. To clarify this point, TB is not only a complementary economic system; it also has much other added value in knowledge sharing and co-production. A TB can create a situation which allows the multiplication of the activities of its members, thus strengthening existing positive feedbacks of the TB system regarding the outside wider system environment, thus creating completely new solutions and feedbacks, e.g. diverse kinds of knowledge at the various nodes of a TB.

4.3. Information Technologies

As mentioned earlier, contemporary IT solutions are generally limited to adaptations of content management applications, as these adaptations offer the required attributes of low to no cost and are generally accessible even to less skilled developers. Open source software domains, as they do not require high investments, seem a most promising, if not a proprietary solution in terms of TB software development (Sacks, 2015). And although an original solution needs to be adapted and “forged” into software platforms which would fit the needs of a particular TB, only a minimal investment of time and money might be required (Anthes, 2016). On the other hand, this adaptation could also be resolved by co-production. Open source attracts various problem-solving communities and thus forms CoPs on the basis of co-production. Regarding co-production in an open source environment, we can say that it has been present in the software development area for a long time; it has just not been referred to using this terminology. As open source software has opened completely new ways of innovation and new markets, the TB concept, working by the same principles of co-production, opens new opportunities on a societal level by offering so-called diffusion of innovation (Fitzgerald, 2011). This diffusion offers the possibility for innovation to be communicated among members of a social system, such as a TB or an open source community. With open source as the basis and simplicity as one of the primary attributes, more extensive potential solutions like ERP systems are already “out of the game.” Larger, more complex systems would be a burden to a TB system, as it needs only a simple virtual “marketplace” and two databases. Further, the software would ideally be maintenance free and very robust. A mobile application extension would also be welcomed. The hOurworld organization has already developed an app for its Time & Talents program called hOurmobile (hOurworld.org, 2017a). Regarding the development of mobile applications, it has been found advisable to implement a cloud solution in a TB software package to handle the synchronicity of data between units within the system (Widodo, Lim, & Atiquzzaman, 2017). Another possibility is the use of simulation software.
If used from the beginning in the implementation stage, it is not complicated to follow all the flows, gather all the data, and use this information for further simulations, or to take a system as it is and try to simulate it in various contexts without preceding data. An idea has already been proposed to try agent-based simulations to determine the viability of the implementation of TB under various conditions and in various geographical areas (Tucnik, Valek, Blecha, & Bures, 2016). Such simulations can be beneficial, not only to determine the feasibility of a TB set up, but also, if feasibility is proven, to convince stakeholders to support the idea. Simulations can be also done ex-post, to determine possible flaws in operation and avoid them in the future.

5. CONCLUSION

This chapter has attempted to demonstrate three new possible directions of TB development: Information Management, Knowledge Management and Information Technologies. In the field of Information Management, the Generic Time Bank Information Management framework was proposed, which can facilitate the implementation of new TBs and also the review of the status of an information system within existing structures. This is especially useful from a systemic point of view, based on our contention that a GTBIMF would contain all the essential elements which would have to be considered in building a TB information system. Nevertheless, the approach proposed remains untested, and obviously implementing our framework in real-life situations would be needed to prove its viability and ultimate worth. In Knowledge Management, more commonly known and employed fields emerge, e.g. so-called co-production, which plays an important role, as it essentially relates one of the main TB principles to the wider concept of communities of practice (CoPs), a concept already familiar to those involved in Knowledge Management. Co-production phenomena can further be related to open source software development, a movement in which taking initiative is one of the main driving forces in the first place. Another interesting notion proceeds from the so-called diffusion of innovation, the worth of which remains to be explored. Diffusion of innovation is a concept by which an existing community holds the tendency not only to solve problems, as in the traditional meaning of co-production, but also to co-produce innovations, whether innovations take the form of communal advances in the field of information technologies. In all three of the fields mentioned, further research into the relatively unexplored realm of TB seems quite promising, with a great potential for developing more economical and effective uses of resources within an organization.

REFERENCES

Anthes, G. (2016). Open Source Software No Longer Optional. Communications of the ACM, 59(8), 15–17. doi:10.1145/2949684
Boyle, D., & Bird, S. (2014). Give and Take: How timebanking is transforming healthcare. Stroud, UK: Timebanking UK.
Cahn, E. S. (2000). No more throw-away people: the co-production imperative. Washington, DC: Academic Press.
Caroll, J. M., & Belloti, V. (2015). Creating Value Together: The Emerging Design Space of Peer-to-Peer Currency and Exchange. Paper presented at the Collaborating through Social Media - CSCW 2015, Vancouver, Canada. doi:10.1145/2675133.2675270
Fitzgerald, B. (2011). Adopting Open Source Software: A Practical Guide. Cambridge, MA: The MIT Press. doi:10.7551/mitpress/9780262516358.001.0001
Granger, P. (2013). Valuing people and pooling resources to alleviate poverty through Time banking. London: Academic Press.
Hildreth, P., Kimble, C., & Wright, P. (2000). Communities of practice in the distributed international environment. Journal of Knowledge Management, 4(1), 27–38.
Holmgren, D. (2011). Permaculture: Principles & Pathways Beyond Sustainability. East Meon: Permanent Publications Hyden House Ltd.
hOurworld.org. (2017a). hOurmobile mobile application on Google Play. Retrieved from https://play.google.com/store/apps/details?id=edu.psu.ist.mtb_hourworld&hl=en
hOurworld.org. (2017b). Main Page. Retrieved from hourworld.org
IthacaHours. (2016). Main Page. Retrieved from http://www.ithacahours.com/
Lasker, J., Collom, E., Bealer, T., Niclaus, E., Keefe, J. Y., Kratzer, Z., ... Perlow, K. (2010). Time Banking and Health: The Role of a Community Currency Organization in Enhancing Well-Being. Health Promotion Practice. doi:10.1177/1524839909353022 PMID:20685912
Lehaney, B. (2004). Beyond Knowledge Management. Idea Group Publishing. doi:10.4018/978-1-59140180-3


Lesser, E. L., & Storck, J. (2001). Communities of practice and organizational performance. IBM Systems Journal, 40(4), 831–841. doi:10.1147j.404.0831
Linderman, M., Siegel, B., Ouellet, D., Brichacek, J., Haines, S., Chase, G., & O’May, J. (2005). A Reference Model for Information Management to Support Coalition Information Sharing Needs. Academic Press.
Maes, R. (1999). Reconsidering Information Management Through A Generic Framework. Academic Press.
Maes, R., Rijsenbrij, D., Truijens, O., & Goedvolk, H. (2000). Redefining business - IT alignment through a unified frameworks. Academic Press.
Manville, B., & Foote, N. (1996). Harvest your workers’ knowledge. Datamation, 7.
Naughton-Doe, R. (2015). An evaluation of timebanking in England: What can timebanks contribute to the co-production of preventive social care? (Dissertation), University of Bristol.
Nonaka, I. (1991). The Knowledge-Creating Company. Harvard Business Review.
Osipov, I. V., Volinsky, A. A., & Prasikova, A. Y. (2016). E-Learning Collaborative System for Practicing Foreign Languages with Native Speakers. International Journal of Advanced Computer Science and Applications, 7(3).
Otcenaskova, T., Bures, V., & Mikulecka, J. (2012). Theoretical Fundaments of Knowledge Intensity Modelling. Paper presented at the 18th International Business Information Management Association conference, Istanbul, Turkey.
Ozzane, L. K. (2010). Learning to exchange time: Benefits and obstacles to time banking. International Journal of Community Currency Research, 14, A1–A16.
Partners in Care. (2017). Retrieved from http://www.partnersincare.org/
Ryan-Collins, J., Stephens, L., & Coote, A. (2008). The new wealth of time: How timebanking helps people build better public services. London: New Economics Foundation.
Sacks, M. (2015). Competition Between Open Source and Proprietary Software: Strategies for Survival. Journal of Management Information Systems, 32(3), 268–295. doi:10.1080/07421222.2015.1099391
Shih, P., Bellotti, V., Han, K., & Carroll, J. (2015). Unequal Time for Unequal Value: Implications of Differing Motivations for Participation in Timebanking. Paper presented at the 33rd Annual ACM Conference on Human Factors in Computing Systems, Seoul, South Korea. doi:10.1145/2702123.2702560
Shreiber, G., Akkermans, H., Anjewierden, A., Hoog, R. d., Shadbolt, N., Velde, W. V. d., & Wielinga, B. (2002). Knowledge Engineering and Management. Cambridge, MA: The MIT Press.
Takeuchi, H., & Nonaka, I. (2004). Knowledge creation and dialectics. Hitotsubashi on Knowledge Management, 1-27.
Timebanking UK. (2005). A bridge to tomorrow: Time banking for baby boomers. Gloucester, UK: TimebanksUK.


Timebanks USA. (2017). About Timebanks USA. Retrieved from https://timebanks.org/timebanksusa/
Tucnik, P., Valek, L., Blecha, P., & Bures, V. (2016). Use of Time Banking as a non-monetary component in agent-based computational economics models. WSEAS Transactions on Business and Economics, 13.
Valek, L. (2013a). Time Banks in Czech Republic: Filling an Empty Gap in Time Bank Research. Norristown, NJ: Int Business Information Management Assoc-Ibima.
Valek, L. (2013b). Time Banks in Russia: Filling an Empty Gap in Time Bank Research. Tradition and Reform: Social Reconstruction of Europe, 383-386.
Valek, L. (2015a). The difference in understanding of time banking in various contexts. Paper presented at the 6th LUMEN International Conference: Rethinking Social Action. Core Values 2015, Iasi, Romania.
Valek, L. (2015b). Time Banks and Knowledge Sharing: Link to the Knowledge Management. Paper presented at the 5th International Conference Lumen 2014, Transdisciplinary and Communicative Action (Lumen-Tca 2014).
Valek, L. (2016). Open Ways for Time Banking Research: Project Management and Beyond. International Journal of Human Capital and Information Technology Professionals, 7(1), 35–47. doi:10.4018/IJHCITP.2016010103
Valek, L., Kolerova, K., & Otcenaskova, T. (2014). Time banks and clusters: Similarities of sharing framework. Global Journal on Technology, 6, 31-36.
Widodo, R. N. S., Lim, H., & Atiquzzaman, M. (2017). SDM: Smart deduplication for mobile cloud storage. Future Generation Computer Systems-the International Journal of Escience, 70, 64–73. doi:10.1016/j.future.2016.06.023

This research was previously published in Multidisciplinary Perspectives on Human Capital and Information Technology Professionals edited by Vandana Ahuja and Shubhangini Rathore, pages 324-340, copyright year 2018 by Information Science Reference (an imprint of IGI Global).

Section 2

Blockchain Technology

Chapter 9

A Novel Security Framework for Managing Android Permissions Using Blockchain Technology

Abdellah Ouaguid, Hassan II University, Morocco
Noreddine Abghour, Hassan II University, Morocco
Mohammed Ouzzif, Hassan II University, Morocco

ABSTRACT

This article presents a new framework named ANDROSCANREG (Android Permissions Scan Registry) that extracts and analyzes the permissions requested by an Android application via a decentralized and distributed system. The framework is based on the emerging Blockchain technology, whose potential is proven in terms of transparency, reliability, security and availability without resorting to a central processing unit that must be trusted. ANDROSCANREG consists of two Blockchains. The first (PERMBC) handles the analysis, validation and preparation of the raw results so that they can be persisted in the second, the already existing Bitcoin Blockchain (BTCBC), which assumes the role of a registry of recovered permissions and saves the permissions history of each version of the scanned applications via financial transactions whose source wallet, recipient wallet and transaction value have a precise meaning. An example simulation is presented to describe the different steps, actors, interactions and messages generated by the different entities of ANDROSCANREG.

INTRODUCTION

The Android ecosystem continues its world domination among operating systems and takes pole position with an 86.8% market share in 2016Q3 (IDC: Smartphone OS Market Share, 2016), profiting from a slight increase of 1.1% of the world market of smartphones.

DOI: 10.4018/978-1-5225-6201-6.ch009

Copyright © 2019, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.


This position of quasi monopoly is due to its ‘Open Source’ nature that encourages telephone constructors to adapt it to the large scale and also to the large number of developed applications (+2,7 millions applications) (Number of Android applications, 2016). These are made accessible through Google’s official store (Google Play) or Third-Party stores such as Amazon, AppShop, Baidu App Store, Opera Mobile App Store...etc. Android’s popularity has made it the preferred target for hackers (Symantec, 2016) that take advantage of the uncorrected vulnerability (Android, système d’exploitation le plus vulnérable, 2017) of the Operating System in order to launch refined attacks through malwares. These are designed specifically to take control over the targeted device and access the sensitive data of the users (Feizollah, Anuar, Salleh, & Wahab, 2015). Recently, a malware targeting clients of large banks was detected, and it was thought to be a Flash Player. The great danger of this malware resides in its capacity to steal authentication of 94 different applications of mobile banking (Android banking malware masquerades as Flash Player, targeting large banks and popular social media apps, 2016). Limiting the field of action of applications is a solution, among many more, that target reducing the improper use of the users’ sensitive data. This is what Google tried to apply by implementing a control mechanism of permissions that is inspired by a Linux security model. However, this mechanism showed its weakness (Fang, Han, & Li, 2014), especially when the applications’ developers demanded unnecessary permissions that are never used in their applications (over privilege) (Felt, Chin, Hanna, Song, & Wagner, 2011). This can lead to discreetly transforming a legitimate application to malware through a manipulation of authorization with the objective geared towards accessing users’ sensitive data (Geneiatakis, Fovino, Kounelis, & Stirparo, 2015). 
Since the launch of version 6.0 of Android, permission management has clearly improved by giving the user the right to manage the permissions of installed applications. Yet this is considered insufficient, since 1) users underestimate the impact on their private life of granting permissions to another party, 2) the majority of Android users (61.7%) still run a version earlier than 6.X (Table 1), and 3) the multitude of permissions is accompanied by incomplete documentation (Felt et al., 2011) on how to use them reasonably. This calls for an autonomous, reliable and trusted entity that analyzes the permissions of each application before installation in order to define the level of legitimacy of the permissions requested (Neisse, Steri, Geneiatakis, & Fovino, 2016). The studies (Fang et al., 2014) conducted on the static analysis of permissions favor a centralized approach to analysis, which means either 1) submitting a verification request to a remote analysis platform (Aafer, Du, & Yin, 2013), or 2) performing the verification locally on the device to be protected; this verification starts with a textual comparison of the permissions requested and goes as far as disassembling the compiled file of the application in order to extract, partition and classify the recovered permissions (Almin & Chatterjee, 2015).

Table 1. Division of Android versions
Source: Dashboards | Android Developers, 2017

These approaches have two main disadvantages. The first concerns the analysis platform, which is hard to judge trustworthy since it is managed by an entity that controls the processing executed there and the results obtained; moreover, this platform can at any moment fall victim to a cyber-attack that compromises its proper functioning and falsifies the analysis result communicated to the requester. The second disadvantage is that verification processing launched locally on the Smartphone generates a considerable additional computational load that can affect the response time of Smartphones with a minimal technical configuration (medium to low range), which belong to the users of emerging markets, who will represent the major part of mobile growth on the planet (Gartner Says Five of Top 10 Worldwide Mobile Phone Vendors Increased Sales in Second Quarter of 2016, 2016; Why emerging markets are dominating mobile browsing, 2016). Hence, we believe that the analysis of permissions should follow an approach that 1) decentralizes the analysis processing towards an entity whose architecture ensures a certain degree of trust and guarantees the security of the processing executed, as well as the confidentiality of the flows exchanged among the different components of that architecture, and 2) involves the users’ Smartphones only in low-cost processing that will not generate any hardware latency.
In this paper, we will present a new framework named ANDROSCANREG (Android permissions scan register) that will allow extracting and analyzing the permissions of Android applications in a decentralized mode. This functionality will be ensured by neutral and autonomous entities implementing ‘Blockchain’ technology (defined in Sub-section 2.2). This Blockchain will be referred to as PERMBC and interacts with the Blockchain of the Bitcoin cryptocurrency (BTCBC) to authenticate the results obtained and make them verifiable and auditable. BTCBC will play the role of a registry of the permissions recovered from the applications analyzed by PERMBC. Free access to the history of the permissions requested by an application (from its first integration in the proposed system to its last version published on an official store) will be guaranteed for any future framework that needs to benefit from the data generated by our framework after each new analysis. Our approach will be compatible with and applicable to all Android versions. However, to the best of our knowledge, 1) the use of a Blockchain in the process of recovering, analyzing and controlling the permissions declared in Android applications has never been addressed, and 2) the backup of the history of permissions requested by the different versions of an application has not appeared in the literature, which prevents thorough analyses that rely on the history of the permissions requested. The remaining sections of the article are organized as follows: Section 2 presents the background of the permission management mechanism implemented in Android as well as an introduction to Blockchain technology. Section 3 is a detailed description of our new Framework for permission analysis based on Blockchain technology. Section 4 presents the related work and highlights the main improvements and new concepts provided by our Framework. Finally, Section 5 discusses future perspectives of our work and offers concluding points in the last section.


PRELIMINARIES AND TECHNICAL BACKGROUND

Android Permissions

In order to control access to sensitive data provided by the resources of a Smartphone (GPS location, contacts list, etc.), the Android operating system uses a security mechanism based on the attribution of specific permissions to installed applications. This mechanism is inspired by the security model of Linux, which is also based on a permissions system. During the installation of an Android application, a low-privilege user (userID) is created specifically for the installed application and has access to all the files created by it. This user also has access to the different system resources of the Smartphone (camera, microphone, GPS, device ID, etc.) for which permission is granted before the installation or setup process starts (for users with a Smartphone running API version 22 of Android or earlier). This makes it possible, on the one hand, to preserve isolation between applications and, on the other hand, to avoid interference between an application and the resources of other applications. The permissions of the Android system have undergone both a qualitative evolution (by adding new, more specific permissions and by reclassifying the existing ones in new groups) and a quantitative one (by providing access to new functionalities, such as NFC or WIMAX) (Wei, Gomez, Neamtiu, & Faloutsos, 2012). The permissions needed for the proper functioning of an application are listed in the Manifest file (AndroidManifest.xml) of the application to be installed. These permissions are attributed after the approval of the user, without giving them the possibility of choosing individually which permissions to approve: they either accept them all or reject them all. If the user rejects the permissions requested, the application will not be installed*. Once the permissions are attributed, the user has no control over the permissions that have already been granted to an application.

This remained true until version 4.3 of Android, in which developers noticed the presence of a framework called “AppOps” that made it possible to manage individually the permissions previously granted to installed applications (App Ops Brings Granular Permissions Control to Android 4.3, 2013). AppOps allowed revoking and reassigning permissions, but Google removed it in version 4.4.2, stating that AppOps was an internal tool never intended for the end user and that making it public was an error (Android 4.4.2 removes hidden App Ops privacy feature, EFF grills Google about it, 2013). After that, no official permission management utility was published until version 6.0, in which Google abandoned the traditional model (accepting all permissions or none) and gave the user total control over the permissions of installed applications by demanding an explicit re-confirmation of every permission judged dangerous when the targeted functionality is requested. This action is referred to as “permission request on RunTime”, and it is done through a pop-up. For example, the user can give an application access to their contact list but not to GPS location. The restrictions on permissions can be modified at any moment by the user through a dedicated interface (Figure 1). The latest version of Android, called Nougat (version 7.x), has 138 permissions (Manifest.permission, 2016) classified in categories. These refer to a protection level and form four groups (Permission element, 2016): “Normal”, “Dangerous”, “Signature” and “Signature or system”. However, the negative point of this model is that dangerous permissions are gathered in groups according to their functionalities (see Table 2). Authorizing a permission includes the authorization of other permissions belonging to the same group.
For instance, if the user has authorized an application to access the Smartphone’s call log (READ_CALL_LOG), the application will also have access to other phone functionalities/features such as deleting or modifying the call log (WRITE_CALL_LOG), calling phone numbers without the intervention of the user (CALL_PHONE), etc. The same concern arises when deactivating a permission (Figure 1): the user cannot revoke one precise permission without affecting the other permissions of the same group. Researchers (Xu et al., 2016) have explored and found a number of security problems related to the permission model implemented in Android and have proposed solutions that are rarely adopted in practice and that are incompatible with the latest versions of Android.

Figure 1. Interface for assigning/revoking permissions from an already installed application

Table 2. Grouping of permissions
Source: Requesting Permissions | Android Developers, 2017

Blockchain Technology

Blockchain is a technology that allows storing and exchanging information in a secure and transparent manner between autonomous entities without an intermediary or a central authority. Its objective is to eliminate reliance on centralized institutions such as banks or notaries in order to minimize overheads in both time and cost. This technology was created in 2009 by Satoshi Nakamoto (Nakamoto, 2008) and is nowadays ranked among the top 10 strategic technology trends for 2017 (Top 10 Strategic Technology Trends for 2017, 2016). The exchanges carried out among the users (nodes) of a Blockchain are referred to as transactions and are gathered in blocks whose size (number of transactions per block or number of bytes per block) varies according to the type of Blockchain. In order to ensure the integrity of the Blockchain and guarantee the immutability of its data, each block must be validated by the Blockchain’s nodes through a cryptographic process that also differs according to the Blockchain type. The most widespread process is proof of work (PoW), which is based on the computation time needed to solve a puzzle (Antonopoulos, 2014) whose difficulty increases according to the computational power of the nodes. Once validated, the block is timestamped and attached to the chain by inserting the hash of the previous block. Modifying a transaction in a block already integrated in the Blockchain is difficult: it is almost impossible to propagate the modification to all the nodes at the same time without affecting its hash, which is already stored in the nodes that follow (Roth, 2015). Any change made in the internal register of a node will force the hacker to recompute the hashes of all the blocks, including the current block, and then try to “convince” more than 50% of all the other nodes in the Blockchain to accept these changes, which is hard to achieve.
The continuous operation of the nodes guarantees the transparency and high availability of the Blockchain. It also allows each node to access at any moment the history of every transaction carried out since the creation of the Blockchain. The Blockchain can be used to 1) exchange data of a financial type (Bitcoin: decentralized cryptographic virtual currency) or of other types (votes, titles, etc.), 2) host autonomous programs (called smart contracts) that are executed automatically once previously defined terms and conditions are met (e.g., Ethereum (Buterin et al., 2014)), and 3) keep an unfalsifiable trace of the different exchanges of data (used, for instance, as a land registry tool in several countries: Honduras, Ghana and Georgia (Shin, 2016)). The virtual currency Bitcoin (BTC) is considered to be the first reliable implementation (Snow, Deery, Lu, Johnston, Kirby, Sprague, & Byington, 2014) of Blockchain technology and has gained its reputation over time (Piscini, Guastella, Rozman, & Nassim, 2016). It can also be seen as an information infrastructure (Ølnes, 2016) due to its different properties (such as its distributed, open, shared and evolving nature, etc.). Bitcoin is presented as the safest Blockchain thanks to the number of participating nodes, as well as its large market capitalization, which attracts more and more participants. This has made it safe from 51% attacks by preventing a node (or a set of malicious nodes) from holding more than 50% of the computing power of the Blockchain; a node that did could spend the same Bitcoins more than once (double-spending) (Gervais, Karame, Capkun, & Capkun, 2014).

A NOVEL SECURITY MODEL FOR MANAGING ANDROID PERMISSIONS USING BLOCKCHAIN TECHNOLOGY

Presenting a new security framework for the management of Android permissions based on Blockchain technology requires a detailed description of its components, its actors and its internal and external interactions. We therefore divide our work into four parts: the first presents the principle of our security model; the second describes the architecture; the third describes the different interactions included in our model; the last presents a demonstration of the inputs/outputs that our Framework generates when executing two well-defined scenarios. The notations used in this paper are listed in Table 3.

Principle

The proposed ANDROSCANREG Framework allows Smartphones running Android to verify the list of requested permissions before each new installation or update of an application. This verification 1) ensures that all the requested permissions are the same as the ones declared in the APK archive file (more precisely, in the AndroidManifest.xml file, which declares all the permissions that the application needs to function properly) of the original version of the application (hosted in an official store such as Google Play, Amazon, etc.), which is downloaded directly from the store to carry out the required analysis, 2) provides a history of the permissions requested by the application since its first integration into our system, and 3) verifies whether the principle of least privilege (Felt et al., 2011) is respected by the developers of the version currently analyzed and compares this with its previous versions. The recovery processing, the analysis of the application and the processing of results are outside the scope of this article. To secure the different interactions and ensure the integrity of the data generated by the process of verifying and validating the permissions requested, our framework is founded on the same approach as that used by the Blockchain (Bitcoin or alternative Blockchains: altCoin) defined in the previous part (2.2). It is a distributed database formed by nodes; these nodes are in charge of executing the required processing and ensuring the availability and integrity of the stored results without directly involving the users. The main point is to use this concept as a database that functions without a central controlling authority, which makes it hard to compromise: it is not the individual nodes forming the Blockchain that are difficult to hack, but the Blockchain concept in its entirety (whose model is designed to make transactions transparent and reliable). The difficulty lies in the virtual inability of hackers to take control of more than 50% of the connected (on-line) and non-connected (off-line) nodes of a public Blockchain at the same time and inject malicious code or compromised data, which makes our solution immune to ransomware attacks thanks to its distributed architecture and the ease of detecting any unilateral attempt to modify (encrypt) the node data.

Table 3. Acronym used in the description of the model

High-Level Description

Figure 2 provides a general overview of the new framework for analyzing Android applications using Blockchain technology. Our approach is composed of three entities:

• A Blockchain for the analysis and storage of permissions (PERMBC), used as a processing entity and a registry of authorizations for Android applications. The participating nodes of PERMBC process the submitted application analysis requests; they also participate in validating the results found by other nodes and ensure the communication with the Bitcoin Blockchain (BTCBC) once the results obtained are validated by the PERMBC nodes;
• The Bitcoin Blockchain (BTCBC), used as a centralized trust entity to timestamp and authenticate the integrity of the processing results produced by PERMBC by encapsulating them in Bitcoin financial transactions. The details of these transactions will, first of all, be accessible to the public, but only the nodes of PERMBC can interpret them;
• The Front-end, to be implemented in the device of the end user. The Front-end is the entity that provides the sole connection between the Android system and the PERMBC Blockchain. It can take the form of an application, a service integrated natively in Android, or a modification of Android’s permission management component (Rashidi, Fung, & Vu, 2014), and it benefits from the basic processing provided by PERMBC, such as sending permission verification requests for an application to be installed and recovering the results, provided by PERMBC, that are stored in the local lists of the permissions of each previously installed application.

Figure 2. A high-level procedure for a novel security framework

Once the request is received by the nodes of the PERMBC Blockchain, (2) they initiate the analysis processing and communicate the raw result obtained (RSLTraw) among themselves for validation. Once validated, the result is interpreted in order to define the level of dangerousness of the application to be installed. Then (3) the interpreted result (RSLTnet) is sent to the user. Finally, the raw result previously obtained is encapsulated in a Bitcoin financial transaction (4) in order to be sent asynchronously to BTCBC. This transaction must respect some defined rules that are described in the following parts (see part 3.3.6). Once the Bitcoin transaction is validated (5), its number (TransactionID) is sent to PERMBC so that it can be stored.

Architecture and Behavioral Description

Figure 4 illustrates the architecture of the Framework, in which we describe the different interactions between the entities.

Step 1: Recovery of information on the application to analyze. At the beginning of the installation (or update) of an Android application (App1), the Front-end of our Framework (implemented in the user’s device) recovers both the version (android:versionCode) and the identifier of the application (package). This information is encapsulated in a request req(PACKIDApp1, version) that is broadcast to the analysis and validation Blockchain (PERMBC) of our Framework.

Figure 3. Initial data of an application stored in a Manifest file

Figure 4. Interaction between 2 Blockchains of our approach and user

Step 2: Internal search for an already stored result. Once the request is received, the nodes of PERMBC verify whether this version of the application has already been analyzed by our Framework; this is done through an internal search in their registry, which plays the role of a database, to recover the results that have been stored. The results found are sent to all the nodes of PERMBC for validation before being transmitted to the user.

Step 3: Recovering the original version of the application, analyzing it and saving the result. If App1 has never been stored in PERMBC, the nodes start the processing of recovery, analysis, extraction and verification of the application’s permissions from the official store:

• Detecting the official store from which the application was downloaded; if no store is detected, the analysis process stops, because our Framework processes only applications officially published in the best-known legal stores (for example: Google Play, Amazon);
• Downloading the application’s APK file from the official store previously detected;
• Decompiling and disassembling the APK using adequate tools such as Apktool (Apktool - A tool for reverse engineering 3rd party, closed, binary Android app, 2017);
• Recovering the Manifest file of the official application and parsing it in order to recover the list of permissions requested, then launching the different static and dynamic analyses in order to detect whether the principle of ‘least privilege’ has been respected;
• Defining the degree of dangerousness of the application to download, relying on the recovered information as well as its history previously stored in PERMBC;
• Structuring the information found in a transaction that respects the structure defined in Figure 5, to prepare it for validation and recording in the Blockchain.

The meaning of each attribute is described in Table 4.


Figure 5. Sample transaction data exchanged in PERMBC

Table 4. Acronym used in the description of the model


Before sending the transaction (containing RSLTraw) in PERMBC, each node verifies whether a similar transaction has previously been launched:

• If so, the node becomes a validator node (Nodevalidator), which means that it recovers the data block containing the information about the analyzed application and the result obtained, and compares it with the result of its own processing. If the results are identical, the Nodevalidator validates the transaction; if not, it informs the nodes of the Blockchain that the result propagated in the network is not compatible with the result it obtained locally;
• If not, the node is the first node (Nodefirst) to start the validation process, sending its data block to the Blockchain nodes so that its transaction can be validated and added to PERMBC.
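The validation round between Nodefirst and the validator nodes, using the 51% threshold that the framework requires for a PERMBC transaction, as an added Python example (not code from the chapter or its authors). The canonical JSON encoding, the SHA-256 digest, the node names other than node 05 and the rule that Nodefirst's own result counts as one vote are assumptions made for illustration.

```python
import hashlib
import json

QUORUM_PERCENT = 51  # share of active nodes that must validate (from the chapter)

# Constructed sample data: package, versionCode and permissions follow
# Scenario 1 of the chapter; node names other than node05 are hypothetical.
PACKAGE = "com.example.applicationtoscan"
VERSION_CODE = 3
PERMISSIONS_V1_0 = ["RECEIVE_SMS", "READ_EXTERNAL_STORAGE", "READ_PHONE_STATE"]
ACTIVE_NODES = ["node01", "node02", "node03", "node04", "node05"]


def result_digest(package, version_code, permissions):
    """Digest of a raw analysis result (RSLTraw), independent of list order."""
    canonical = json.dumps(
        {"package": package, "versionCode": version_code,
         "permissions": sorted(set(permissions))},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def validate_transaction(proposed_digest, local_digests):
    """Decide whether the result propagated by Nodefirst is accepted.

    proposed_digest: digest of the result Nodefirst sent to the network.
    local_digests:   node name -> digest each active node computed itself
                     (assumption: Nodefirst is one of these nodes).
    """
    if not local_digests:
        raise ValueError("no active node took part in the validation")
    # Smallest whole number of nodes that reaches 51%, in integer arithmetic.
    needed = (QUORUM_PERCENT * len(local_digests) + 99) // 100
    approving = sorted(n for n, d in local_digests.items() if d == proposed_digest)
    dissenting = sorted(n for n, d in local_digests.items() if d != proposed_digest)
    return {
        "accepted": len(approving) >= needed,
        "approvals": len(approving),
        "needed": needed,
        "dissenting": dissenting,  # nodes that report an incompatible result
    }


def honest_round():
    """Every node, Nodefirst (node05) included, obtains the same result."""
    digest = result_digest(PACKAGE, VERSION_CODE, PERMISSIONS_V1_0)
    return validate_transaction(digest, {n: digest for n in ACTIVE_NODES})


def falsified_round():
    """Nodefirst propagates a result that omits READ_PHONE_STATE."""
    honest = result_digest(PACKAGE, VERSION_CODE, PERMISSIONS_V1_0)
    forged = result_digest(PACKAGE, VERSION_CODE, PERMISSIONS_V1_0[:2])
    local = {n: honest for n in ACTIVE_NODES}
    local["node05"] = forged
    return validate_transaction(forged, local)


if __name__ == "__main__":
    for name, outcome in (("honest", honest_round()),
                          ("falsified", falsified_round())):
        print(name, outcome)
```

In the falsified round only Nodefirst's own vote matches the propagated digest, so the transaction is rejected and the four other nodes are listed as reporting an incompatible result.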

A transaction is not considered valid unless it is validated by 51% of the active nodes. After the validation and recording of the transaction, Nodefirst sends the user the analysis result as well as the result of the comparison with the history of the analyses previously carried out on earlier versions of the application since its first integration in PERMBC.

Step 4: Interpreting the result obtained and defining its level of dangerousness. After receiving the results, the Front-end implemented in the user’s device translates the data received into graphs that show the evolution of the application’s level of danger in comparison with the other versions already analyzed by our Framework. The objective of using graphs is to facilitate the decision on whether or not to proceed with installing the application.

Step 5: Intercepting the final decision of the user. Once the result of the analysis is displayed, the user has the right either to continue the installation (or update) of the application or not.

Step 6: Preparing the result in a Bitcoin transaction. Right after adding the validated block of data to PERMBC, Nodefirst launches another process that persists the result obtained (RSLTraw) in the Bitcoin Blockchain (BTCBC). The latter plays the role of an unchangeable registry of the data extracted from the applications’ analyses as well as the data resulting from the different analyses performed by PERMBC. For now, our Framework only verifies whether applications respect the principle of “least privilege”. The data stored in BTCBC will be used only by PERMBC to verify the integrity of its own data; this verification will be performed whenever a major update is applied to the programs executed in the nodes. Access to PERMBC data will be made public once our system is mature.
To transform the results obtained by PERMBC into financial data easily transferable to BTCBC, we must convert all the attributes used in PERMBC to elements that exist in BTCBC (source wallet, destination wallet, amount to be transferred in the transaction, etc.). Figure 6 presents the translation of some PERMBC attributes into Bitcoin wallets: “application id”, “application id+version code” and “permission name” are the elements that will be transformed into wallets (Technical background of version 1 Bitcoin addresses - Bitcoin Wiki, 2017) ready to receive and send Bitcoins, whose values will represent the attributes “operation type” and “permission used” (see Table 5). Our Framework will also have a principal wallet, Walletprincipal, in which we store the Bitcoins used in the different transactions of our Framework. These Bitcoins will be sent back to the principal wallet once the necessary transactions are done, in order to keep a reserve of Bitcoins for future transactions. The transaction values described in Table 5 help us encapsulate the data that we want to store in BTCBC. The number of these values can be increased according to the amount of data to store. For the first version of our Framework, two basic pieces of information are saved: (a) the attribution or removal of a permission (Operation type), and (b) the use of the functionality associated with the permission granted: is it used in the application (Permission used) or is it just declared without being used (over-privilege)? The column (Padding value) is added to guarantee a minimal transaction value of 0.00000001 Bitcoin so that the transaction can be accepted in BTCBC.

Figure 6. Interaction between the Blockchain Bitcoin wallets (BTCBC)

Nodefirst is in charge of all the processing needed to prepare the Bitcoin transaction:

• The conversion of the data saved in PERMBC into a BTCBC transaction, relying on the correspondences described in Table 5;
• The search for wallets (corresponding to packages, versions or permissions), or the creation of these wallets where appropriate. The public address of a wallet to be created is generated through a deterministic cryptographic hash function (Deterministic wallet - Bitcoin Wiki, 2017);
• The transfer of Bitcoins from one wallet to another through Bitcoin transactions to ensure the backup of the data in BTCBC. These transactions are submitted to BTCBC after the verification phase, which consists of scanning the history of the transactions already made between the wallet of the analyzed application and the wallets of the permissions, passing through all the wallets of the different versions of this application. The objective of this processing is to avoid redundant operations where the information to be saved already exists in previous versions of the same application and has not undergone any change. Figure 7 demonstrates the algorithm used.

Table 5. Conversion of the results to Bitcoin value

Step 7: Validation of Bitcoin transactions. After Nodefirst constructs and sends the Bitcoin transactions, the nodes of the BTCBC Blockchain verify and validate them; transaction numbers are generated once the data are persisted there.

Step 8: Recording the numbers of the Bitcoin transactions in PERMBC. The numbers of the validated BTC transactions are retrieved and encapsulated in a PERMBC transaction, together with the information needed to refer to the analysis result already saved in PERMBC, so that the analysis result of an application is finally linked to the different BTC transactions generated by our Framework.

Prototype Demonstration Output

In this section, we run through the different phases and processing of our Framework and present the inputs/outputs generated by its entities when processing two analysis requests corresponding to two versions (1.0 and 1.1) of the same application (whose package name is com.example.applicationtoscan). During the demonstration phase, we suppose that communication between the different entities of our Framework is secured and that the exchanged messages do not undergo any modification during transfer and reception. Figures 8 and 9 represent the AndroidManifest.xml files of the two versions of the application that we want to analyze.

Figure 7. The algorithm of verification used in the creation of Bitcoin wallets and different transactions

Scenario 1

• Bob wants to analyze the 1.0 version of the application “com.example.applicationtoscan” before the installation process;
• Bob wants to install the 1.0 version of the application whose package identifier is com.example.applicationtoscan. The Front-end of our Framework implemented in his device sends an analysis request req(com.example.applicationtoscan,3) to PERMBC; the value “3” sent in the request is the value of the android:versionCode attribute in the Manifest file of the application;
• The nodes of PERMBC receive the request and start searching their internal registry in order to determine whether the application to be analyzed has already been analyzed:
  ◦ If a similar analysis has already been done (same package and same versionCode), the nodes start recovering the details of the result;
  ◦ If this is not the case, they start the process of recovering, assembling and analyzing the application.
• Assuming that node 05 is the first node to find the result (Nodefirst), then it is the one that sends the obtained results to all other nodes of PERMBC for validation; the data sent has the format presented in Figure 10;
• After the validation of the obtained result, it is recorded in PERMBC so that Nodefirst can interpret it. The interpretation of the result allows calculating the level of dangerousness of the application, which is transmitted to Bob; after this, Nodefirst initiates the conversion of the PERMBC result into a Bitcoin transaction (see Table 6) by applying the conversion rules defined in Table 5. Figure 11 illustrates the different Bitcoin transactions needed to save the result obtained by PERMBC in BTCBC;
• These transactions will not be made until after the creation of the necessary wallets; for our example, Nodefirst interacts with 5 wallets (packageID, Version, RECEIVE_SMS, READ_EXTERNAL_STORAGE and READ_PHONE_STATE); if they are not already created, Nodefirst creates them.

Figure 8. Overview of the AndroidManifest.xml file of the 1.0 version of the application to be analyzed

Figure 9. Overview of the AndroidManifest.xml file of the 1.1 version of the application to be analyzed

Figure 10. The structure of the exchanged data concerning version 1.0 of the analyzed application

Table 6. Conversion of the analysis result of the 1.0 version in Bitcoin value

Scenario 2

• Bob wants to update the same application by installing the 1.1 version;
• Before the installation of the upgrade, the Framework will send an analysis request req(com.example.applicationtoscan,4) to PERMBC;


Figure 11. Different transactions to be done by Nodefirst for the persistence of the analysis result of version 1.0 of the application






• The nodes of PERMBC will receive the request and search their internal registry to determine whether this version of the application was already subject to an analysis;
• The PERMBC nodes check their internal registry and conclude that a similar analysis has not been done (same package and same version), but they detect that a previous version of the application was already analyzed and recorded in PERMBC. In this case, they will recover the previous analysis result and the list of permissions previously demanded, in order to compare them with the result that will be obtained from the analysis of the new version. For a given permission:
  ◦ If the attributes (“operation type” and “permission used”) do not undergo any change compared to the previous version, PERMBC will not mention this permission in its final analysis output;
  ◦ However, if a change is detected, it will be mentioned in the final result, and its equivalent in Bitcoin will also be generated;
• For our second scenario, assume that node 23 is the first node to finish the analysis and comparison (Nodefirst); it is then the one that sends the obtained result to all other nodes of PERMBC for validation. The data sent will be in the format of Figure 12. Note that the permission READ_PHONE_STATE does not appear in the Manifest file of the 1.1 version; nevertheless, it will be mentioned in listing 6, because our Framework has detected that this permission was declared in the previous 1.0 version and is no longer demanded in the 1.1 version. This revoke should be recorded in the PERMBC registry, which is why the attributes “operation type” and “permission used” will not be mentioned and will be set to 0;
• After the validation of the obtained result, the latter will be recorded in PERMBC. Nodefirst will then calculate the level of danger of the application, which will be transmitted to Bob, and will start converting the PERMBC result into Bitcoin transactions (see Table 7).
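The registry lookup of Scenario 1 and the version comparison of Scenario 2, as an added example that is not the authors' implementation. The Registry class, the function names, the versionCode 3 used for version 1.0 and the attribute values are assumptions made for illustration; validation by the other PERMBC nodes and the conversion to Bitcoin values are left out.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
REVOKED = (0, 0)  # the chapter sets both attributes to 0 for a revoked permission


def parse_manifest(xml_text):
    """Return (package, versionCode, declared permissions) of a decoded manifest."""
    # The manifest comes from an untrusted APK: refuse DTDs and entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in manifest")
    root = ET.fromstring(xml_text)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    declared = set()
    for elem in root.iter("uses-permission"):
        name = elem.attrib.get(ANDROID_NS + "name", "")
        if name:
            declared.add(name[len(PREFIX):] if name.startswith(PREFIX) else name)
    return root.attrib["package"], int(root.attrib[ANDROID_NS + "versionCode"]), declared


class Registry:
    """Hypothetical stand-in for the internal registry of a PERMBC node."""

    def __init__(self):
        self._entries = {}  # (package, versionCode) -> (full state, reported result)

    def get(self, package, version_code):
        return self._entries.get((package, version_code))

    def latest_before(self, package, version_code):
        older = [v for (p, v) in self._entries if p == package and v < version_code]
        return max(older) if older else None

    def record(self, package, version_code, state, result):
        self._entries[(package, version_code)] = (state, result)


def compare_versions(previous, current):
    """Keep only permissions whose attributes changed, plus revoked ones."""
    changes = {p: a for p, a in current.items() if previous.get(p) != a}
    for perm in previous.keys() - current.keys():
        changes[perm] = REVOKED  # declared before, no longer requested
    return changes


def handle_request(registry, package, version_code, manifest_xml, attributes):
    """Process req(package, versionCode) and return (mode, result).

    attributes maps permission -> (operation type, permission used); it stands
    in for the output of the node's analysis, which is not reproduced here.
    """
    known = registry.get(package, version_code)
    if known is not None:                       # same package, same versionCode
        return "cached", known[1]
    m_package, m_code, declared = parse_manifest(manifest_xml)
    if (m_package, m_code) != (package, version_code):
        raise ValueError("manifest does not match the request")
    missing = declared - set(attributes)
    if missing:
        raise ValueError("no analysis attributes for %s" % sorted(missing))
    state = {perm: attributes[perm] for perm in declared}
    previous_code = registry.latest_before(package, version_code)
    if previous_code is None:                   # never seen: report everything
        mode, result = "full", dict(state)
    else:                                       # earlier version known: report the delta
        previous = registry.get(package, previous_code)[0]
        mode, result = "delta", compare_versions(previous, state)
    # Validation by the other nodes is omitted; the result is recorded directly.
    registry.record(package, version_code, state, result)
    return mode, result


# Constructed sample input. versionCode 3 for version 1.0 and all attribute
# values are placeholders, not the codes of the chapter's tables.
PACKAGE = "com.example.applicationtoscan"
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.applicationtoscan" android:versionCode="%d">
%s</manifest>"""
USES = '  <uses-permission android:name="android.permission.%s"/>\n'
MANIFEST_V10 = MANIFEST % (3, "".join(USES % p for p in (
    "RECEIVE_SMS", "READ_EXTERNAL_STORAGE", "READ_PHONE_STATE")))
MANIFEST_V11 = MANIFEST % (4, "".join(USES % p for p in (
    "RECEIVE_SMS", "READ_EXTERNAL_STORAGE")))
ATTRS_V10 = {"RECEIVE_SMS": (1, 1), "READ_EXTERNAL_STORAGE": (1, 2),
             "READ_PHONE_STATE": (1, 2)}
ATTRS_V11 = {"RECEIVE_SMS": (1, 1), "READ_EXTERNAL_STORAGE": (1, 1)}


def run_scenarios():
    """Scenario 1 (first analysis), Scenario 2 (update), then a repeated request."""
    registry = Registry()
    return [
        handle_request(registry, PACKAGE, 3, MANIFEST_V10, ATTRS_V10),
        handle_request(registry, PACKAGE, 4, MANIFEST_V11, ATTRS_V11),
        handle_request(registry, PACKAGE, 4, MANIFEST_V11, ATTRS_V11),
    ]


if __name__ == "__main__":
    for mode, result in run_scenarios():
        print(mode, sorted(result.items()))
```

In the update case the unchanged RECEIVE_SMS is left out of the output, while READ_PHONE_STATE is reported with both attributes at 0 because it is no longer declared.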

Figure 13 presents the different Bitcoin transactions that Nodefirst will make in order to persist the data about the analyzed permissions in BTCBC.


Figure 12. The structure of the exchanged data concerning version 1.1 of the analyzed application

Table 7. Conversion of the analysis result of the 1.1 version in Bitcoin value

Figure 13. Different transactions to be done by Nodefirst for the persistence of the analysis result of version 1.1 of the application


RELATED WORKS

Review of Current Research Efforts in Android Permissions

The declarative permission-management model implemented in the Android operating system adds an additional security layer to manage access to sensitive resources. Various research efforts have presented the gaps of this model by shedding light on the unrefined management of the requested permissions (declared in the Manifest file). Some approaches propose conducting analyses directly on the user's device, either at the installation of the application (Matsudo, Kodama, Wang, & Takata, 2012) or after the installation (Almin & Chatterjee, 2015; Jeong, Lee, & Hwang, 2016), by choosing the application to be analyzed and applying clustering and classification techniques to the permissions requested. Other approaches propose delegating the analysis to a centralized external entity that is in charge of conducting analyses and storing the obtained results. For instance, Felt et al. (2011) developed “Stowaway”, a static analysis tool that detects the presence of “overprivilege” in Android applications by comparing the permissions that the application needs to function properly with the ones declared in the Manifest file. Geneiatakis et al. (2015) proposed a verification approach for Android applications that combines static and dynamic analysis in order to detect over-privileged applications. Sarma et al. (2012) infer the risk that installing an application represents by taking into consideration the permissions requested by the application, its category and the permissions requested by the applications belonging to the same category.

The approaches mentioned above, and others such as (Yerima, Sezer, McWilliams, & Muttik, 2013; Wu, Mao, Wei, Lee, & Wu, 2012; Qu et al., 2014; Pandita, Xiao, Yang, Enck, & Xie, 2013; Han, Li, & Gu, 2016), are based on outsourcing the analysis task without any guarantee that the analysis processing will always be available and non-compromised, or that the results will be unchangeable and neither corrupted nor shortened. These gaps are filled by the architecture of our Framework, which is based on highly available nodes that ensure the transparency of the executed processes and the integrity of the analysis results.

The approach most similar to our work is proposed by Rashidi et al. (2014). RecDroid is a Framework that controls the permissions given in real time by collecting the opinion of experts who use the same application before accepting the attribution of the permissions requested. This approach does not guarantee that the users judged as “Expert” are indeed honest experts, or that the recommendations collected are objective and not misleading. In addition, the use of a remote server to store the users' responses and to pre-calculate and store recommendations is risky in terms of availability (resistance to Distributed Denial of Service (DDoS) attacks) and of data integrity in case of piracy (the risk that the data be corrupted is high). We believe that our Framework completes what Rashidi et al. (2014) have proposed by making the result of the analyses done on the application more objective and reliable, with high availability guaranteed by the continuous functioning of the nodes of the PERMBC Blockchain.


Review of Current Research Efforts in Blockchain Technology

Using Blockchain technology as a processing entity, or as a decentralized database, has been approached in a number of research works and applications in different fields. It is generally used to trace events or data (proof of existence, proof of publication). Examples include constructing a national land ownership registry (Honduras to build land title registry using bitcoin technology, 2015), storing the reputation of an academic institution (Sharples & Domingue, 2016), signing academic certificates (Academic Certificates on the Blockchain, 2017), and securing and verifying the integrity of firmware updates installed in embedded devices (Lee & Lee, 2016). All these uses give the public the possibility to verify, at any time, the authenticity of the stored data. The diversity of research implementing the Blockchain is due to its ability to create and maintain data in a reliable, authentic and long-term manner (Lemieux & Lemieux, 2016) (financial or other) interpreted by systems that implement to convert them to digital data. Factom (Snow, Deery, Lu, Johnston, & Kirby, 2014) is another example of an open source Blockchain that is used to store private data, where the hash (generated every 10 minutes from the collected data) is integrated, via financial transactions, in the Bitcoin Blockchain, in order to benefit from its power for different types of applications and usages.

Bela Gipp (Gipp, Meuschke, & Gernandt, 2015) has also tackled the use of Bitcoin transactions as proof of existence of a collection of files (or text): the hashes are generated separately, collected and then concatenated to generate one hash, which is converted to a Bitcoin address that will be subject to a financial transaction. Our proposal for storing applications' permissions in BTCBC resembles what Gipp et al. (2015) proposed solely at the level of the creation of Bitcoin addresses (wallets), and not at the level of the values of the transactions made. In fact, the values of the Bitcoin transactions made in our approach have a meaning (see Table 5), whereas the approach of Gipp et al. (2015) only timestamps transactions towards newly created Bitcoin addresses to underline their existence (proof of existence). Snow, Deery, Lu, Johnston, and Kirby (2014) and Gipp et al. (2015) have a common weakness: what they propose is just a proof of existence of hashed data (converted into a Bitcoin address), without offering any additional and useful information that can be encapsulated in the transaction value and easily interpreted via a table of correspondence, so that the final user can independently search in BTCBC to verify the existence of data without referring to a third-party system that can at any moment be a victim of compromise (Who Else is Using your Servers? Kaspersky Lab Exposes Massive Underground Market Selling Over 70,000 Hacked Servers, 2016), a DDoS attack (World’s largest 1 Tbps DDoS Attack launched from 152,000 hacked Smart Devices, 2016), or loss of its internal database due to a hardware failure or a malicious attack (Ransomware (Intelligence & Analytics, 2016)).

FUTURE WORK

In this section, we identify the direction of future work that we plan to conduct in order to improve the architecture of our Framework and bring its implementation nearer to perfection. It is important to mention that there are many important challenges to focus on, including the most optimal technical choices in the different phases of our approach for a better implementation of the Framework with the least possible response time.


First, we intend to conduct a study on the best method to extract the Manifest file from the APK file of the application to download without affecting the performance of the device or making major changes to Android OS. An in-depth state of the art should be done in this sense.

Since PERMBC will be, in the first phase of its launch, a private Blockchain, it is essential to deploy it in a stable and secure environment provided by a Cloud service in order to avoid significant investment costs related to the installation, configuration, deployment and experimentation of the various entities of PERMBC. To achieve this, we will conduct a study on the optimal configuration and on the offer that best suits our needs among those proposed by the Cloud giants (Microsoft Azure, IBM Cloud, Amazon AWS, etc.). The Blockchain to be adopted will benefit from the existence of suppliers who already propose “Blockchain-as-a-Service” (BaaS) in their existing Cloud platform (Microsoft, for example (Microsoft Explores Adding Ripple Tech to Blockchain Toolkit, 2017)).

In the second phase of the framework deployment, we plan to make PERMBC a public Blockchain so that the nodes are decentralized, independent and not subject to any central control or certification authority. To achieve this, we should consider creating an economic model to attract and reward (in real time) the participants (nodes) that contribute to the functioning and reliability of PERMBC, with the aim of encouraging them to share more of their computing power for the analysis of submitted applications.

We also plan to include in the PERMBC nodes other types of permission-based analysis already discussed in the literature (Sadeghi, Bagheri, Garcia, et al., 2016; Xu et al., 2016), merging the obtained results so that the information saved in both Blockchains (PERMBC and BTCBC) is as credible as possible. Using dynamic and hybrid analysis techniques will also be a main focus, and the response time of our Framework will be the subject of an in-depth study.

In addition, we are considering creating an index representing the degree to which the developers of an Android application respect the principle of “Least privilege”, to identify whether the permissions declared and not used in previous versions (over-privilege) are finally used in the versions that follow; this will help us identify the legitimacy of explicitly introducing the over-privileges. We will also investigate other parameters in the calculation of this index, such as the frequency of updates and the popularity of the application. This index will be stored later in BTCBC to follow its evolution through the published versions of all the applications developed by a developer (or development team).

Financially speaking, our Framework will generate a significant number of transactions between the wallets that it will create for each application, version and permission. These wallets should be managed in such a way that they are visible and accessible to all nodes of PERMBC. All this should be taken into consideration in the detailed architecture of the PERMBC Blockchain, so that the different transactions with BTCBC are not considered “spam”.

CONCLUSION

In this paper, we have introduced a new Framework that externalizes the analysis of an Android application to a Blockchain. The permissions' analysis processing is implemented in the nodes of a Blockchain (PERMBC) to exploit the potential of this technology in terms of power, availability, transparency and reliability of the results obtained. These results will be considered valid only after the approval of other nodes of PERMBC. Our approach offers persistence of the obtained results in the Bitcoin Blockchain through financial transactions in which the source wallet address, the recipient wallet address and the value of the transaction have a precise meaning (see Table 5) that refers to the analysis results previously produced by PERMBC. Using the Bitcoin Blockchain (BTCBC) is about making the whole history of permissions collected from Android applications available to the scientific community so that it can be exploited in future studies.

The presented approach is extensible: it can implement the different analysis types (static, dynamic or hybrid) of an Android application, especially one whose attack operation is based on the acquisition of administrator permissions, which allow it to download and install malicious modules on the device in order to upload, destroy or encrypt the victim's private data (Ransomware) (see Table 8). The results obtained via the different types of analysis can be accessed easily in the Bitcoin Blockchain; one only has to specify the meaning of new values of Bitcoin transactions in a scalable correspondence table, which ensures that the significance of already made transactions does not regress.

To conclude, the integration of Blockchain technology in the process of analyzing applications in general increases the reliability of the analyses and reinforces the degree of trust of users, especially when it is combined, in all transparency, with other existing Blockchains whose reliability is already confirmed. This can lead to other innovative ideas on the exploitation of existing Blockchains in approaches other than those for which they were used.

Table 8. Numbering of the permissions of Android in the order proposed in the official documentation

REFERENCES

Aafer, Y., Du, W., & Yin, H. (2013). Droidapiminer: Mining api-level features for robust malware detection in android. In Proceedings of the International conference on security and privacy in communication systems (pp. 86-103). doi:10.1007/978-3-319-04283-1_6

Academic certificates on the blockchain. (2017). Retrieved from http://digitalcurrency.unic.ac.cy/freeintroductory-mooc/academic-certificates-on-the-blockchain/

Almin, S. B., & Chatterjee, M. (2015). A novel approach to detect android malware. Procedia Computer Science, 45, 407–417. doi:10.1016/j.procs.2015.03.170

Android Authority. (2013). Android 4.4.2 removes hidden app ops privacy feature, eff grills google about it. Retrieved from http://www.androidauthority.com/android-4-4-2-app-ops-privacy-eff-google-324480/&/

Android Developers. (2017). Dashboards. Retrieved from https://developer.android.com/about/dashboards/index.html

Android.com. (2016). Manifest.permission. Retrieved from https://developer.android.com/reference/android/Manifest.permission.html

Android.com. (2016). Permission element. Retrieved from https://developer.android.com/guide/topics/manifest/permission-element.html

Android.com. (2017). Android Developers: Requesting Permissions. Retrieved from https://developer.android.com/guide/topics/permissions/requesting.html

Antonopoulos, A. M. (2014). Mastering bitcoin: unlocking digital cryptocurrencies. O’Reilly Media, Inc.

Appbrain. (2016). Number of android applications. Retrieved from https://www.appbrain.com/stats/number-of-android-apps

Bitcoin Wiki. (2017). Deterministic wallet. Retrieved from https://en.bitcoin.it/wiki/Deterministic_wallet

Bitcoin Wiki. (2017). Technical background of version 1 Bitcoin addresses. Retrieved from https://en.bitcoin.it/w/index.php?title=Technical_background_of_version_1_Bitcoin_addresses

Buterin, V. (2014). A next-generation smart contract and decentralized application platform (white paper).

Clubic.com. (2017). Android, système d’exploitation le plus vulnérable. Retrieved from http://www.clubic.com/os-mobile/android/actualite-823758-android-systeme-exploitation-vulnerable.html

Coindesk.com. (2017). Microsoft Explores Adding Ripple Tech to Blockchain Toolkit. Retrieved from https://www.coindesk.com/microsoft-hints-future-ripple-blockchain-toolkit/

Deloitte. (2016). Ransomware holding your data hostage. Retrieved from https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-ransomware.pdf

Fang, Z., Han, W., & Li, Y. (2014). Permission based android security: Issues and countermeasures. Computers & Security, 43, 205-218.

Feizollah, A., Anuar, N. B., Salleh, R., & Wahab, A. W. A. (2015). A review on feature selection in mobile malware detection. Digital Investigation, 13(C), 22–37. doi:10.1016/j.diin.2015.02.001

Felt, A. P., Chin, E., Hanna, S., Song, D., & Wagner, D. (2011). Android permissions demystified. In Proceedings of the 18th acm conference on computer and communications security (pp. 627-638).

Fortinet.com. (2016). Android banking malware masquerades as flash player, targeting large banks and popular social media apps. Retrieved from https://blog.fortinet.com/2016/11/01/android-bankingmalware-masquerades-as-flash-player-targeting-large-banks-and-popular-social-media-apps

Gartner. (2016). Gartner says five of top 10 worldwide mobile phone vendors increased sales in second quarter of 2016. Retrieved from http://www.gartner.com/newsroom/id/3415117

Gartner. (2016). Top 10 strategic technology trends for 2017. Retrieved from https://www.gartner.com/doc/3471559?refval=&pcp=mpe#a5632951

Geneiatakis, D., Fovino, I. N., Kounelis, I., & Stirparo, P. (2015). A permission verification approach for android mobile applications. Computers & Security, 49, 192–205. doi:10.1016/j.cose.2014.10.005

Gervais, A., Karame, G., Capkun, S., & Capkun, V. (2014). Is bitcoin a decentralized currency? IEEE Security and Privacy, 12(3), 54–60. doi:10.1109/MSP.2014.49

Gipp, B., Meuschke, N., & Gernandt, A. (2015). Decentralized trusted timestamping using the crypto currency bitcoin. arXiv preprint arXiv:1502.04015.

Han, H., Li, R., & Gu, X. (2016). Identifying malicious android apps using permissions and system events. International Journal of Embedded Systems, 8(1), 46–58. doi:10.1504/IJES.2016.073752

ibotpeaches. (2017). Apktool - A tool for reverse engineering 3rd party, closed, binary Android apps. Retrieved from https://ibotpeaches.github.io/Apktool/

Idc. (2016). Smartphone os market share. Retrieved from http://www.idc.com/prodserv/smartphoneos-market-share.jsp

Jeong, J., Lee, H., & Hwang, M. (2016). Development of android security permission application. In Information science and applications (icisa) 2016 (pp. 673–678). Springer. doi:10.1007/978-981-100557-2_66

Kaspersky.com. (2016). Who else is using your servers? kaspersky lab exposes massive underground market selling over 70,000 hacked servers. Retrieved from https://www.kaspersky.com.au/about/pressreleases/2016who-else-is-using-your-servers-kaspersky-lab-exposes-massive-underground-marketselling-over-70000-hacked-servers.

Lee, B., & Lee, J.-H. (2016). Blockchain-based secure firmware update for embedded devices in an internet of things environment. The Journal of Supercomputing. doi:10.100711227-015-1595-5

Lemieux, V. L., & Lemieux, V. L. (2016). Trusting records: Is blockchain technology the answer? Records Management Journal, 26(2), 110–139. doi:10.1108/RMJ-12-2015-0042

Matsudo, T., Kodama, E., Wang, J., & Takata, T. (2012). A proposal of security advisory system at the time of the installation of applications on android os. In Proceedings of the 2012 15th international conference on Network-based information systems (nbis) (pp. 261-267). doi:10.1109/NBiS.2012.110

Nakamoto, S. (2008). Bitcoin: A peer-to-peer electronic cash system.

Neisse, R., Steri, G., Geneiatakis, D., & Fovino, I. N. (2016). A privacy enforcing framework for android applications. Computers & Security, 62, 257–277. doi:10.1016/j.cose.2016.07.005

Ølnes, S. (2016). Beyond bitcoin enabling smart government using blockchain technology. In Proceedings of the International conference on electronic government and the information systems perspective (pp. 253-264).

Pandita, R., Xiao, X., Yang, W., Enck, W., & Xie, T. (2013). Whyper: Towards automating risk assessment of mobile applications. In Usenix security (Vol. 13).

Piscini, E., Guastella, J., Rozman, A., & Nassim, T. (2016). Blockchain: Democratized trust: Distributed ledgers and the future of value. Deloitte University Press.

Qu, Z., Rastogi, V., Zhang, X., Chen, Y., Zhu, T., & Chen, Z. (2014). Autocog: Measuring the descriptionto-permission fidelity in android applications. In Proceedings of the 2014 acm sigsac conference on computer and communications security (pp. 1354-1365). doi:10.1145/2660267.2660287

Rashidi, B., Fung, C., & Vu, T. (2014). Recdroid: A resource access permission control portal and recommendation service for smartphone users. In Proceedings of the acm mobicom workshop on security and privacy in mobile environments (pp. 13-18). doi:10.1145/2646584.2646586

Reuters. (2015). Honduras to build land title registry using bitcoin technology. Retrieved from http://in.reuters.com/article/usa-honduras-technology-idINKBN0O01V720150515/

Roth, N. (2015). An architectural assessment of bitcoin: Using the systems modeling language. Procedia Computer Science, 44, 527–536. doi:10.1016/j.procs.2015.03.066

Sadeghi, A., Bagheri, H., & Garcia, J. (2016). A taxonomy and qualitative comparison of program analysis techniques for security assessment of android software. IEEE Transactions on Software Engineering.

Sarma, B. P., Li, N., Gates, C., Potharaju, R., Nita-Rotaru, C., & Molloy, I. (2012). Android permissions: a perspective combining risks and benefits. In Proceedings of the 17th acm symposium on access control models and technologies (pp. 13-22). doi:10.1145/2295136.2295141

Sharples, M., & Domingue, J. (2016). The blockchain and kudos: A distributed system for educational record, reputation and reward. In Proceedings of the European conference on technology enhanced learning (pp. 490-496). doi:10.1007/978-3-319-45153-4_48

Shin, L. (2016). Republic of georgia to pilot land titling on blockchain with economist hernando de soto, bitfury. Forbes. Retrieved from http://www.forbes.com/sites/laurashin/2016/04/21/republic-of-georgiato-pilot-landtitlingon-blockchain-with-economist-hernando-de-soto-bitfury

Snow, P., Deery, B., Lu, J., Johnston, D., & Kirby, P. (2014). Factom: business processes secured by immutable audit trails on the blockchain (white paper). Factom.

Snow, P., Deery, B., Lu, J., Johnston, D., Kirby, P., Sprague, A. Y., & Byington, D. (2014). Business processes secured by immutable audit trails on the blockchain.

Symantec. (2016). Symantec’s 2016 internet security threat report (istr). In Internet security threat report, 21.

Thehackernews.com. (2016). World’s largest 1 tbps ddos attack launched from 152,000 hacked smart devices. Retrieved from http://thehackernews.com/2016/09/ddos-attack-iot.html

Thenextweb. (2013). App ops brings granular permissions control to android 4.3. Retrieved from http://thenextweb.com/insider/2016/04/07/first-world-problems-emerging-markets-dominating-mobile-browsing/

Thenextweb.com. (2016). Why emerging markets are dominating mobile browsing. Retrieved from http://thenextweb.com/insider/2016/04/07/first-world-problems-emerging-markets-dominating-mobilebrowsing/

Wei, X., Gomez, L., Neamtiu, I., & Faloutsos, M. (2012). Permission evolution in the android ecosystem. In Proceedings of the 28th annual computer security applications conference (pp. 31-40).

Wu, D.-J., Mao, C.-H., Wei, T.-E., Lee, H.-M., & Wu, K.-P. (2012). Droidmat: Android malware detection through manifest and api calls tracing. In Proceedings of the 2012 seventh Asia joint conference on Information security (Asia JCIS) (pp. 62-69).

Xu, M., Song, C., Ji, Y., Shih, M.-W., Lu, K., & Zheng, C. (2016). Toward engineering a secure android ecosystem: A survey of existing techniques. ACM Computing Surveys, 49(2), 38. doi:10.1145/2963145

Yerima, S. Y., Sezer, S., McWilliams, G., & Muttik, I. (2013). A new android malware detection approach using bayesian classification. In Proceedings of the 2013 IEEE 27th international conference on Advanced information networking and applications (AINA) (pp. 121-128). doi:10.1109/AINA.2013.88

This research was previously published in the International Journal of Cloud Applications and Computing (IJCAC), 8(1); edited by B. B. Gupta and Dharma P. Agrawal, pages 55-79, copyright year 2018 by IGI Publishing (an imprint of IGI Global).


Chapter 10

Evaluation of Blockchain in Capital Market Use-Cases

Sinsu Anna Mathew
VIT University Chennai, India

Abdul Quadir Md
VIT University Chennai, India

ABSTRACT

This article describes “Blockchain”, an upcoming technology that serves capital market use-cases for many of the global Fintech industries. It is a distributed ledger of economic transactions that can be used to record not only financial transactions but almost everything of value. Today, almost all transactions are done online and mainly involve the bank as a “middle man,” which can be untrustworthy at times. Blockchain eliminates the need for a middle man or third party between the users involved in a transaction. It represents a financial ledger as a data structure consisting of records of transactions that are digitally signed and cannot be tampered with; because authenticity is ensured, the ledger is considered to be of high integrity. One of the leading and most highly valued blockchain platforms is “Hyperledger Fabric,” which is meant for securing transactions and serves as a powerful container technology for smart contract development in global capital firms. Blockchain and DLT could remove many of the inefficiencies and costs inherent in global capital markets and could be considered a viable technology for enabling settlement.

DOI: 10.4018/978-1-5225-6201-6.ch010

1. INTRODUCTION

Global markets are growing day by day, and all are looking for a technology with which transactions can be done without the need for a centralized authority between the dealer and the buyer. Capital is a very critical component used for generating economic output. Capital markets include primary markets and secondary markets: primary markets consist of stocks and bonds that are issued and sold to investors, and secondary markets consist of the trade in existing securities. Capital firms are markets mainly meant for buying and selling equity and debt instruments, which are securities; in other words, they facilitate the buying and selling of financial instruments. Capital markets involve issuing stocks, known as equity securities, and issuing bonds, known as debt securities, for medium-term and long-term durations (Condos, Sorrell, & Donegan, 2016). They include various participants such as individual investors, municipalities, governments, companies, organizations, banks and financial institutions.

Blockchain acts as a catalyst for the evolution of various new applications and is a next step in computing architecture; it involves five key concepts: blockchain, decentralized consensus, trusted computing, smart contracts and proof of work or stake. Built-in robustness is one of the major advantages of Blockchain technology, as it stores blocks of information that are the same across its network. Another advantage of the distributed ledger is that it cannot be controlled by any single entity and has no single point of failure. The blockchain network also provides transparency, as the information is embedded within the network and is public. It cannot be corrupted, as altering any data on the blockchain would require a huge amount of computing power to override the entire process. The blockchain forms a network of computing nodes, which solves the problem of manipulation. The global network of nodes uses the blockchain network because it helps solve the problem of transactions of stocks or bonds among capital firms: it verifies, validates and authenticates each user with their own credentials and records transactions in the ledger, which is distributed among all the participants in the trade (Buehler et al., 2015).
DLT, or distributed ledger technology, has attracted many people from various industries, who have explored numerous applications in which the centralized consensus process is replaced by DLT. The application of DLT to capital markets is one of the areas attracting attention. Global exchanges, CCPs, CSDs, banks, dealers, and market facility providers have actively explored DLT applications through PoCs (proofs of concept), and by investing in technology vendors or participating in consortiums. Cost reduction is one of the inherent advantages of exploiting DLT for the capital market framework. DLT enables network partners to validate the transfer of rights between each other and to share those records in an immutable manner by applying cryptographic technology (Swanson, 2015). DLT consists of five technological features: a database to record the ledger, a cryptographic hash function to digest data, public key cryptography, a P2P network, and a consensus algorithm. A ‘smart contract’ function enables users to create business applications that can be deployed and executed on distributed nodes, restricted to dedicated parties or a sole entity. Because openness policies differ, the appropriate consensus algorithms differ as well. Since anyone can produce new blocks in public DLTs, tasks such as proof of work (PoW) are frequently built into the consensus algorithm to prevent malicious participants from overwriting past facts (see Figure 1). Consortium or private DLTs can confine block creation to designated stakeholders. It is also possible to restrict tenancy of multiple nodes to a single individual or entity. These access control considerations enable the use of a swift consensus algorithm in which a chief node nominated by a simple rule produces a new block, and the block is then approved by a predefined proportion of nodes (Underwood, 2016).
Figure 1. Working of DLT among the peer nodes (Source: Swanson, 2015)

This paper discusses the potential of blockchain technology, the impact it can have on the FinTech industries, and how it is designed to solve the problems of double spending, trust, consensus on the latest correct version of the transaction history, and preventing anyone from changing an agreed chain of transactions (Paech, 2016). Global capital markets are financial markets for equity securities, known as stocks, and debt securities, known as bonds. In other words, they are meant for buying and selling stock and bond financial instruments. Capital market firms issue equity securities and debt securities for long-term and short-term durations, as in contracts of one year or more, depending on the agreement between the parties (Mainelli & Milne, 2016). Capital markets are generally concentrated in financial centers across the world. A large portion of the trade within capital markets occurs through electronic trading systems, some of which are open to the general public and a few of which are tightly monitored. Besides stocks and bonds, capital markets are also classified into “primary markets” and “secondary markets”. Primary markets allow various industries to raise stock without or before holding the first sale of a stock, which helps in making a great profit for the company. This helps the company’s development and brings “liquidity”, where a security or an asset can be bought or sold at stable prices. The standard liquid asset is “cash”, since it can easily be converted into another asset. If a company faces a liquidity problem, it sells its assets to investment banks or other global capital firms. Blockchain technology therefore helps the leaders of global financial firms to understand how it enables both parties to transact securely without the involvement of a “middle man”, which may sometimes lead to untrustworthiness between them. Blockchain is a distributed database, or distributed ledger technology, which is a compelling and efficient way of organizing financial transactions and data among trusted parties.
Blockchain technology encompasses a range of innovations that build upon each other, with potential benefits for the underlying systems and technologies (Hull et al., 2016). This paper explores how the new technology could be applied in global financial markets, where it leads to a wide range of innovations and affects different parts of the value chain and its participants. It also identifies the major risks in implementing blockchain for various use cases in terms of technology, industry coordination, standards and governance, laws, regulation and policy. Potential uses and the steps needed for adoption are also examined, so that industries can move to blockchain-based systems at a larger scale. The blockchain, which was at first meant for the “Bitcoin protocol”, is a ledger of transactions in which cryptographically signed blocks of data are added to one another in the form of a chain, giving what are known as “immutable records”. The distributed ledger is mainly an architecture of peer-to-peer nodes that collaborate to reach a consensus on the correct state of a shared data resource (Peters & Panayi, 2016). This ultimately leads to a series of innovations in organizing and sharing data. Blockchain supports the development of industries through fast settlement of transactions and through the creation and automatic execution of smart contracts, which contain business logic encoded into the ledger. The aim is to evaluate the growing use of blockchain technology in capital markets and the outlook it offers for data management and sharing. Blockchain is emerging as a potentially disruptive force capable of transforming the financial services industry by making transactions faster, cheaper, more secure and more transparent. Blockchain, also known as distributed ledger technology, was originally created as a database for recording Bitcoin transactions and was developed to enable individuals and organizations to process transactions without the need for a central bank or other intermediary, using complex algorithms and consensus to verify transactions. Many capital market firms are betting on blockchain to provide a reliable alternative to systems that depend on intermediaries and third-party validation of transactions. Their goal is to leverage blockchain’s distributed ledger approach to design a system that distributes trust, a radical departure from existing transaction processing methods, in order to significantly cut all types of transaction fees and reduce processing times (Peters & Panayi, 2016). A crucial difference, however, is that while the Internet facilitates the exchange of data, blockchain could enable the exchange of value; that is, it could allow users to carry out trade and commerce across the globe without the need for payment processors, custodians, and settlement and reconciliation entities. Their goal is to streamline processes, minimize data storage costs, reduce data duplication and strengthen data security.
The attraction of blockchain is its method of authenticating and tracking transactions. Instead of a trusted third party or a central bank, it depends on consensus among a peer-to-peer network of nodes based on complex algorithms. Instead of being stored in a single database, blocks of time-stamped transactions are stored on all nodes across a value chain (Hull et al., 2016).

2. PROBLEM STATEMENT

The problem is to estimate how transactions can be done on a global scale, which helps in finding a solution to many of the inefficiencies afflicting industries across the globe. The next decade is likely to be shaped by the social web, big data, cloud, robotics, artificial intelligence and blockchain, the technology behind digital currencies like bitcoin. Blockchain technology, which is mainly a distributed ledger of economic transactions, runs on millions of devices and is open to anyone; it can hold not just information but anything of value, stored securely and privately. Trust in blockchain is established through collaboration and clever code written by a group of programmers, which in turn ensures integrity and trust between strangers. This technology is the first native digital medium for value, which has big implications for business and corporations. The potential of blockchain is to reduce the cost and complexity of financial transactions while improving transparency and regulation. Blockchain technology experts provide strong evidence that the distributed ledger platform could transform business, government and society in a realistic way, increasing trust between dealers and investors by eliminating the middle man.

3. LITERATURE SURVEY

3.1. What Is Blockchain?

Blockchain is an emerging technology with wide-ranging implications that may transform not only the financial industries but also many capital firms and financial businesses (Zhang, Cecchetti, Croman, Juels, & Shi, 2016). The term “Blockchain” refers to a distributed ledger of economic transactions in which data, once entered, is immutable or unchangeable. It consists of a list of ordered records called “blocks”. Each block has a timestamp of its own and is linked to its previous state. It is also called an “innovative crypto technology” that enables many systems and industries to move forward based on their standards and also acts as an immediate beneficiary for many of the financial industries across the world. In financial industries there is always a way to correct an attack, but according to the concept of blockchain there is no mechanism to correct it other than to accept it. It optimizes the global infrastructure and helps in dealing with global issues in this much confined space. This new technology in the FinTech industry has energized the financial services industry globally (Fairfield, 2014). Technology innovations of blockchain consist of:

1. Encryption: New methods use encryption technologies that enable the safety and anonymity of highly sensitive information within a shared access environment. They allow users to reveal information selectively to others as required.
2. Mutual Consensus Verification: Mutual consensus verification protocols allow a network to agree updates to the database collectively, with certainty that the overall dataset remains correct at all times without the need for a central governing authority. There is a range of different approaches to consensus protocols, which safeguard against malicious manipulation and guarantee that no single point of failure exists.
3. Smart Contracts: These are programmable code built to generate instructions if a certain condition is met, such as a payment instruction or moving collateral. They become immutable once accepted to the ledger.

The blockchain, the distributed ledger of economic transactions, is also the ledger of all bitcoin transactions that have ever been executed. The current part of the blockchain is known as the block, which records all the current and recent transactions. Once the transactions are recorded, the block goes into the blockchain, which acts as a permanent database. After a block is completed, a new block is generated. Blocks are connected to each other in a linear, chronological order in which every block contains a hash of the previous block. In other words, the blockchain is like the history of transactions at a bank. Bitcoin transactions are entered in chronological order in the blockchain in the same way bank transactions are, and blocks are like individual bank statements. The blockchain consists of records of every bitcoin transaction ever executed. Therefore, it can provide information such as how much value belonged to a particular address at a certain point of time in the past. In today’s world, information is shared through a decentralized online platform, the internet. But for transferring value such as money, people depend on centralized financial establishments such as banks. Even most online payments are made through credit or debit cards, which also link through the bank. Thus, blockchain eliminates the need for a third party by taking over the major roles of recording transactions, establishing identity and establishing contracts, which are mainly carried out by the global financial capital firms. Across the world, financial services is the biggest sector of industry by market capitalization. Blockchain can allow transactions to be done in a fraction of a second by enabling peer-to-peer transactions and in fact has the capability to create huge efficiencies (Zhang, Cecchetti, Croman, Juels, & Shi, 2016). Ways in which blockchain can transform the financial industry:

1. Asset Management: The ability of distributed ledgers to replace the role of the “middle man” has had a great impact on buy-side firms, with the potential to cut costs, reduce delays, provide more timely and exact data and enhance reporting accuracy. Blockchain can have a significant impact on the settlement of securities transactions and can offer a great opportunity to reduce the costs of asset managers, leading to reduced charges for shareholders. The parties in a trade are broker dealers, intermediaries, custodians, and clearing and settlement teams, each of which keeps its own record of all the transactions. Blockchain technology provides an automated trade lifecycle where the transactions are accessible to all the parties involved in the trade. It ultimately leads to cost savings, effective data management and transparency.
2. Insurance: Smart contracts can be created as policies on the blockchain, which is an ideal use case for blockchain. This gives complete control, transparency and traceability for every requirement and may lead to automatic pay-outs.
3. Supply Chain: Smart contracts are executed automatically on the blockchain to transfer titles of goods and money, creating a trusted network with assured authenticity and origin of the products being supplied.
4. Payments: One use case for payments is international payments, in which certain banks like Santander have enabled customers to make international payments 24 hours a day, with clearing the next day, through the application of blockchain.
5. Fund Valuations: It enhances the rigor and timeliness of record keeping. It provides a timely supply of pricing data. It provides opportunity to piece frequent argue over information with service vendors.

4. PUBLIC BLOCKCHAINS

A public blockchain lets anyone in the world read transactions, send transactions and see them included in the chain if they are valid, and participate in the consensus process. The consensus process determines which blocks get added to the chain and what the current state is. Cryptoeconomics, a combination of economic incentives and cryptographic verification using mechanisms such as proof of work or proof of stake, is used for securing blockchains. Public blockchains are known to be “fully decentralized”. They are also known as “unpermissioned ledgers”, as they have no owners and cannot be owned. The main purpose is to allow anyone to contribute information to the ledger and to have identical copies in everyone’s possession. No actor can prevent a transaction from being added to the ledger. The integrity of the ledger is maintained by the participants reaching a consensus about its state. Public ledgers cannot be edited and are used as a global record of transactions, for example when assigning property ownership (Fairfield, 2014).

5. PRIVATE BLOCKCHAINS

Private blockchains, also termed “permissioned ledgers”, can have one or many owners. When a new block is added to the chain, the integrity of the ledger is checked by the consensus process, which is carried out by a trusted group of partners or actors, such as government departments or banks, that maintain a shared record; this is simpler than the consensus process used in a public blockchain. Permissioned blockchains provide highly verified datasets, as the consensus creates a digital signature that can be viewed by all the parties in the private blockchain. A permissioned ledger is faster than an unpermissioned ledger and is chosen by most of the FinTech industries. Here the write permissions are kept centralized to one organization (Fairfield, 2014).

6. CONSORTIUM BLOCKCHAINS

A consortium blockchain consists of a pre-selected set of nodes, such as a consortium of 15 financial institutions, each of which operates a particular node and of which 10 must sign every block for the block to be valid. The consensus process is controlled by the 15 financial institutions taking part in the ledger. The right to read the blockchain may be public, and the blockchain is considered “partially decentralized”. The major difference between “consortium blockchains” and “private blockchains” is that a consortium blockchain combines the low trust of public blockchains with the single highly trusted entity property of a private blockchain. Public blockchains are mainly a traditional centralized system with cryptographic auditability attached. The consortium or company running a permissioned blockchain can easily change the rules of the blockchain, revert transactions, modify balances and so on. Transactions are cheaper since verification is done by only a few nodes rather than many. Trustworthiness among the nodes increases, and errors can be fixed quickly, because consensus algorithms can be used that reach finality after much shorter block times. As read permissions are restricted, permissioned blockchains provide a greater level of privacy (Vukolić, 2015).
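The 10-of-15 signing rule above, combined with the previous-block hash link from section 3.1, as an added Go sketch; it is not code from this chapter or from any blockchain platform. The block layout, the use of Ed25519 signatures and the fixed demo seeds are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Endorsement is one consortium member's signature over a block hash.
type Endorsement struct {
	Member int // index into the consortium's public-key list
	Sig    []byte
}

// Block is a simplified consortium block (hypothetical layout for this example).
type Block struct {
	Height       uint64
	PrevHash     [32]byte
	Payload      []byte
	Endorsements []Endorsement
}

var (
	ErrBrokenLink = errors.New("block does not extend the previous block")
	ErrQuorum     = errors.New("too few distinct valid member signatures")
)

// Hash covers height, previous hash and payload; endorsements sign this value.
func (b *Block) Hash() [32]byte {
	buf := make([]byte, 8, 8+32+len(b.Payload))
	binary.BigEndian.PutUint64(buf, b.Height)
	buf = append(buf, b.PrevHash[:]...)
	buf = append(buf, b.Payload...)
	return sha256.Sum256(buf)
}

// ValidateBlock accepts b only if it links to prev and has quorum distinct valid signers.
func ValidateBlock(prev, b *Block, members []ed25519.PublicKey, quorum int) error {
	if b.Height != prev.Height+1 || b.PrevHash != prev.Hash() {
		return ErrBrokenLink
	}
	digest := b.Hash()
	valid := make(map[int]bool)
	for _, e := range b.Endorsements {
		if e.Member < 0 || e.Member >= len(members) || valid[e.Member] {
			continue // not a member, or this member was already counted
		}
		if ed25519.Verify(members[e.Member], digest[:], e.Sig) {
			valid[e.Member] = true
		}
	}
	if len(valid) < quorum {
		return fmt.Errorf("%w: %d valid, %d required", ErrQuorum, len(valid), quorum)
	}
	return nil
}

// ValidateChain checks every block after the genesis block in order.
func ValidateChain(chain []*Block, members []ed25519.PublicKey, quorum int) error {
	for i := 1; i < len(chain); i++ {
		if err := ValidateBlock(chain[i-1], chain[i], members, quorum); err != nil {
			return fmt.Errorf("block %d: %w", chain[i].Height, err)
		}
	}
	return nil
}

// NewConsortium derives n demo key pairs from fixed seeds (constructed test keys only).
func NewConsortium(n int) ([]ed25519.PrivateKey, []ed25519.PublicKey) {
	privs := make([]ed25519.PrivateKey, n)
	pubs := make([]ed25519.PublicKey, n)
	for i := range privs {
		seed := sha256.Sum256([]byte(fmt.Sprintf("demo-member-%d", i)))
		privs[i] = ed25519.NewKeyFromSeed(seed[:])
		pubs[i] = privs[i].Public().(ed25519.PublicKey)
	}
	return privs, pubs
}

// Endorse appends signatures from the listed members to b.
func Endorse(b *Block, privs []ed25519.PrivateKey, signers ...int) {
	digest := b.Hash()
	for _, i := range signers {
		b.Endorsements = append(b.Endorsements, Endorsement{Member: i, Sig: ed25519.Sign(privs[i], digest[:])})
	}
}

func main() {
	privs, pubs := NewConsortium(15)
	genesis := &Block{Payload: []byte("genesis")}
	b1 := &Block{Height: 1, PrevHash: genesis.Hash(), Payload: []byte("constructed: 100 bonds A->B")}
	Endorse(b1, privs, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9)
	fmt.Println("10 of 15 signed:", ValidateBlock(genesis, b1, pubs, 10))
	b1.Payload = []byte("constructed: 900 bonds A->B") // altered after signing
	fmt.Println("after tampering:", ValidateBlock(genesis, b1, pubs, 10))
}
```

Counting distinct members rather than signatures is what stops one institution from meeting the quorum by signing repeatedly. Even a quorum that re-signs an altered block still breaks the hash link of every later block.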

7. DISTRIBUTED LEDGERS

Distributed ledgers are distributed databases that are spread across multiple sites and countries and are public to all. A distributed ledger is a continuous ledger where records are stored one after the other, rather than sorted into blocks. Trust is the major factor that must be maintained among the operators or validators in distributed ledgers. It also involves digital signatures among the various parties (Wyman, 2016). Blockchain’s primary elements include:

1. Decentralization: Instead of one central authority governing everything within an environment, blockchain distributes control among all nodes in the transaction chain, creating a shared framework.
2. Digital Signature: Blockchain permits an exchange of transactional value using unique digital signatures that rely on public keys and private keys to create proof of ownership.
3. Mining: A distributed consensus system rewards miners for confirming and authenticating transactions and storing them in blocks using strict cryptographic rules.
4. Data Integrity: The use of complex algorithms and consensus among users ensures that transaction data, once agreed upon, cannot be altered. Data stored on the blockchain thus acts as a single version of truth for all parties involved, reducing the risk of fraud.

Figure 2. Peer-to-Peer shared database (Source: Fairfield, 2014)

When a transaction or an edit is to be made in the network, the majority of the peer nodes in the blockchain have to execute a consensus within the network: they evaluate and verify the entire history of the proposed block and make sure that the history and the signature are valid. After the validation is approved by all the nodes in the network, the new transaction is accepted into the ledger, and a new block is added to the chain of transactions known as the “Blockchain”. If the majority of the nodes in the network do not agree with the transaction, the new transaction is not added to the ledger. The distributed consensus model has the advantage of running the blockchain without the need for a central authority. Blockchain uses various mechanisms to achieve consensus on transactions, in which only known participants can be included in the chain and everyone else is excluded. The most important blockchain use case is the Bitcoin blockchain, which is a public ledger in which everyone can participate. Permissioned blockchains are also in use by many organizations across the world, where only authorized participants are allowed in the network. Each block in the network maintains a hash of the previous block, which connects it into the chain of blocks. The blockchain contains chaincode, or smart contracts, which serve as a major backbone of the blockchain network. Each node in the network that performs the task of validating and relaying transactions gets a copy of the blockchain, which is downloaded automatically on joining the blockchain network; together the nodes form a powerful network. Each node in the network is known to be an administrator and to mine bitcoins. The network supports protocols and cryptographic operations developed to permit individuals to exchange bitcoins in real time. It enables peer-to-peer decentralized transaction record-keeping, where all participants broadcast their transactions to a shared public ledger called a blockchain. Verification of the legitimacy of transactions is performed by volunteers called “miners”. Miners are required to complete a proof of work in order for a block to be verified and accepted (see Figure 2).

7.1. Workflow of Bitcoin Mining

• The first miner who finds the solution announces it to others on the network, and the other miners then validate the solution.
• If approval is granted by all, the block is cryptographically added to the ledger and the miners move on to the next set of transactions.
• The blocks are added to the blockchain in a linear, chronological order.
• Each node gets a copy of the blockchain, which is downloaded automatically.
• The blockchain has complete information about the addresses and the balances of each transaction.
• Once a block of data is recorded on the blockchain ledger, it is extremely difficult to change or remove (see Figure 3).

Figure 3. Workflow of blockchain mining

8. SMART CONTRACTS IN BLOCKCHAIN

Smart contracts, also known as self-executing contracts, blockchain contracts or digital contracts, are used with a digitalized ledger: the contract is converted to computer code that is stored, replicated and supervised by the network of nodes that run the blockchain. In a smart contract approach, an asset or currency is transferred into a program, and the program runs this code and at some point automatically validates a condition and determines whether the asset should go to one person or back to the other person, or whether it should be instantly refunded to the person who sent it. The decentralized ledger also stores and replicates the document, which gives it a certain security and immutability. Exchanges of money, property and shares are all done through smart contracts in a conflict-free way. Smart contracts give an assurance of autonomy, trust, backup, safety, speed, savings and accuracy, and are where business meets distributed ledger technology. They leave no room for confusion and no need for litigation, which guarantees a very specific set of outcomes. Smart contracts are the pillars of blockchain technology and have the capability to implement various operations and multiple tasks (Morabito, 2017). Smart contracts are agreements whose terms can be preprogrammed, which gives them the ability to self-execute and self-enforce. The main goal of a smart contract is to allow the dealer and the buyer to do trade and business between themselves without the need for a third party. They are written in programming languages such as C++, Go and Python.

8.1. How Do Smart Contracts Work?

1. Coding represents what goes into the smart contract: the parties code exactly what they want the contract to do. This is done by putting the appropriate logic into the smart contract while developing it.
2. Distributed ledgers represent how the smart contract is sent out. The code is encrypted and sent out to the nodes through a distributed network of ledgers.
3. Execution represents how the contract is processed in the network. Each node in the network receives the code and comes to an individual agreement on the results of the code execution (Morabito, 2017).

9. PROPOSED WORK

Hyperledger fabric is an upcoming blockchain platform and also a social innovation that helps many global industries to transform and to greatly reduce the cost of working together across organizations. Blockchain is best understood through the state-machine replication model, in which a service maintains some state and clients invoke operations that transform the state and generate outputs. Since it is based on a distributed protocol run by nodes connected over the internet, “Blockchain” is known as a “trusted” computing service. The service creates or represents an asset in which all the nodes have some stake. The service is shared among all the nodes, but they do not trust each other. Blockchain in the “permissioned ledger” form controls who participates in validation and in the protocol, as all the nodes have established identities and form a consortium (Kosba, Miller, Shi, Wen, & Papamanthou, 2016). The project is a collaborative effort by all the nodes participating in the network to form an enterprise-grade, open-source distributed ledger infrastructure. It identifies and realizes a cross-industry open standard platform for distributed ledgers, which can change the way business transactions are conducted globally.

9.1. Fabric

The network of networks is known as the “fabric”. An application can use one or more networks, each of which manages different assets, agreements and transactions between different sets of member nodes. The foundation of each network is the Ordering Service, which is selected by the network and is passed a config file with rules, called policies, that govern it. The rules include deciding which members can join the network, how members can be added to or removed from the network, and configuration details like block size. These rules may also include policies for changing the rules themselves, as a matter of consensus between the members of the network (Christidis, & Devetsikiotis, 2016). Hyperledger fabric implements a distributed ledger platform for running smart contracts, leveraging new technologies with an architecture that allows pluggable implementations of various functions. A group of nodes runs the distributed ledger protocol of the fabric. The fabric’s ledger of digital events, called transactions, is shared among the different participants, each of whom has a stake in the system. The ledger can be updated only by consensus of the participants, and once information is recorded it cannot be altered. Every transaction entered in the ledger is cryptographically verifiable with proof of agreement from the nodes taking part in the transaction, and all transactions are secured, private and confidential. In order to gain access to the system, each participant registers with proof of identity at the network membership services. Transactions are issued with derived certificates that are unlinkable to the individual node, offering complete anonymity on the network. Sophisticated key derivation functions are used for encrypting the transaction content, which ensures that only authorized participants may view the content, protecting the confidentiality of the business transaction. Bitcoin is a simple application of the fabric, which is an implementation of blockchain with a modular architecture that allows components to be plug and play by implementing this protocol specification. Its powerful container technology can host any mainstream language for smart contract development, which is the major aim of the fabric architecture.

9.1.1. Major Terminologies Related to Hyperledger Fabric

1. Transaction is a request passed to the blockchain to execute a function on the blockchain; this function is implemented by a blockchain.
2. Transactor is the entity that issues transactions, such as a client application.
3. Ledger is a chain of cryptographically connected blocks, which contains transactions and the current world state.
4. World State is the group of variables that contains the results of executed transactions.
5. Chaincode, also known as the “smart contract”, is application-level code stored on the ledger as part of a transaction; it runs transactions that may modify the world state.
6. Validating Peer is a computer node on the network authorized to run consensus, validate transactions and maintain the ledger.
7. Non-validating Peer is a computer node on the network that acts as a proxy connecting transactors to the nearby validating peers. A non-validating peer never executes transactions but verifies them, and it also hosts the event stream server and the REST service.
8. Permissioned Ledger is a blockchain network in which each individual or node is required to be a member of the network. Unidentified or unauthorized nodes are not allowed to connect or view the ledger.
9. Privacy is required by the chain transactors to conceal their identities in the network, and the transactions should be linked to the transactor without special privilege when members of the network examine the transactions.
10. Confidentiality is the ability to make the transaction content inaccessible to anyone other than the stakeholders of the transaction.
11. Auditability is required in the blockchain, as business usage of blockchain needs to adhere to regulations and make it easy for regulators to examine transaction records.

10. ARCHITECTURE OF THE PROPOSED WORK

The Hyperledger fabric architecture is made up of core components aligned in three categories (Christidis, & Devetsikiotis, 2016) (see Figure 4).

1. Membership Services
2. Blockchain Services
3. Chaincode Services

Figure 4. Architecture of Hyperledger fabric (Source: Christidis, & Devetsikiotis, 2016)

10.1. Membership Services

Membership services manage identity, privacy, confidentiality and auditability on the network. In an unpermissioned ledger, all the nodes can participate in transactions and add them to a block; there is no distinction of roles. Membership services combine elements of Public Key Infrastructure (PKI) and decentralization/consensus in order to transform a non-permissioned blockchain into a permissioned blockchain. Every member participating in the network has to register in order to obtain a long-term credential, the “Enrollment Certificate”. With the help of the Transaction Certificate Authority (TCA), users can be issued pseudonymous credentials, which are used to authorize submitted transactions and are persisted on the blockchain.

10.2. Blockchain Services

Blockchain services manage the distributed ledger through a peer-to-peer protocol built on HTTP/2. Highly optimized data structures provide the most efficient hash algorithm for maintaining world state replication. Various consensus mechanisms such as PBFT, Raft, PoW and PoS can be plugged in and configured per deployment.

10.3. Chaincode Services

Chaincode services provide a secure and lightweight way to host chaincode execution on the validating nodes. They consist of a set of signed base images containing a secure OS and the chaincode language, runtime and SDK layers for Go, Java, and Node.js.

10.4. Protocol of the Chaincode

Peer-to-peer communication in the fabric is built on gRPC, which allows bi-directional stream-based messaging. Protocol buffers, a language-neutral, platform-neutral and extensible mechanism, are used to serialize the data structures for data transfer between peers. Messages passed between nodes are encapsulated by the Message proto structure, which has four types: Discovery, Transaction, Synchronization and Consensus. The payload is an opaque byte array that contains objects such as Transaction or Response, depending on the type of the message; for example, if the type is CHAIN_TRANSACTION, then the payload is a Transaction object (Delmolino, Arnett, Kosba, Miller, & Shi, 2016) (see Figure 5).

10.5. Transaction Messages

There are three types of transactions: Deploy, Invoke and Query. A deploy transaction installs the specified chaincode on the chain, while query and invoke transactions call a function of a deployed chaincode. When a deployed transaction is instantiated on the chain and is addressable, it is known as a Create transaction. The validating peers run the BFT consensus protocol to execute a replicated state machine that accepts all the transaction types: Deploy, Invoke and Query. A transaction message requires certain fields: chaincodeID, payloadHash, metadata, uuid, timestamp, confidentialityLevel, nonce, cert, signature and TransactionPayload.payload. A transaction contains a chaincode specification, which defines the chaincode and the execution environment, consisting of the language and the security context. The chaincode is implemented in GoLang (see Figure 6). CHAINCODE_DEPLOY is the transaction type of a deploy transaction, and its payload contains a ChaincodeDeploymentSpec object. When the validating peers deploy the chaincode, they verify the hash of the codePackage to make sure that the package has not been tampered with since the deploy transaction entered the network. CHAINCODE_INVOKE is the transaction type of an invoke transaction, and its payload contains a ChaincodeInvocationSpec object. The message type of a query transaction is CHAINCODE_QUERY, and it is similar to an invoke transaction.
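The escrow flow described in section 8, driven through state-changing invoke calls and read-only queries as in this section, as an added Go sketch; it is not the chapter's code and does not use Hyperledger fabric's chaincode API. The Escrow, Tx and Ledger types, the function names "open", "attest" and "settle", and the arbiter role are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Escrow is one world-state entry (hypothetical layout for this example).
type Escrow struct {
	Buyer, Seller, Arbiter, State string // State: "funded", "released" or "refunded"
	Amount, Deadline              uint64 // Deadline is a block height
	Delivered                     bool
}

// Tx is a simplified transaction: Caller is assumed authenticated, Height is its block's height.
type Tx struct {
	Caller, Fn, ID, Seller, Arbiter string
	Amount, Deadline, Height        uint64
}

// Ledger is a toy world state: account balances plus escrows.
type Ledger struct {
	Balances map[string]uint64
	Escrows  map[string]*Escrow
}

var (
	ErrAuth  = errors.New("caller is not authorized for this action")
	ErrState = errors.New("escrow state or deadline does not allow this action")
	ErrFunds = errors.New("insufficient balance")
	ErrArgs  = errors.New("unknown function or invalid arguments")
)

// Invoke applies one state-changing call. It reads only the transaction and
// the world state (no clock, no randomness), so every peer gets the same result.
func (l *Ledger) Invoke(tx Tx) error {
	e := l.Escrows[tx.ID]
	switch tx.Fn {
	case "open": // the buyer moves the asset into the contract
		if e != nil || tx.Amount == 0 || tx.Seller == "" || tx.Arbiter == "" {
			return ErrArgs
		}
		if l.Balances[tx.Caller] < tx.Amount {
			return ErrFunds
		}
		l.Balances[tx.Caller] -= tx.Amount
		l.Escrows[tx.ID] = &Escrow{Buyer: tx.Caller, Seller: tx.Seller, Arbiter: tx.Arbiter,
			Amount: tx.Amount, Deadline: tx.Deadline, State: "funded"}
	case "attest": // only the named arbiter may confirm delivery, and only in time
		if e == nil || e.State != "funded" || tx.Height > e.Deadline {
			return ErrState
		}
		if tx.Caller != e.Arbiter {
			return ErrAuth
		}
		e.Delivered = true
	case "settle": // anyone may trigger it; the outcome is fixed by the state
		if e == nil || e.State != "funded" {
			return ErrState
		}
		if !e.Delivered && tx.Height <= e.Deadline {
			return ErrState // neither condition holds yet
		}
		to, state := e.Buyer, "refunded" // deadline passed without delivery
		if e.Delivered {
			to, state = e.Seller, "released"
		}
		l.Balances[to] += e.Amount
		e.State = state
	default:
		return ErrArgs
	}
	return nil
}

// Query is read-only: it returns a copy, never a pointer into the world state.
func (l *Ledger) Query(id string) (Escrow, bool) {
	if e, ok := l.Escrows[id]; ok {
		return *e, true
	}
	return Escrow{}, false
}

// Replay applies an ordered log to a fresh ledger; rejected calls change nothing.
func Replay(initial map[string]uint64, log []Tx) (*Ledger, []error) {
	l := &Ledger{Balances: map[string]uint64{}, Escrows: map[string]*Escrow{}}
	for k, v := range initial {
		l.Balances[k] = v
	}
	errs := make([]error, len(log))
	for i, tx := range log {
		errs[i] = l.Invoke(tx)
	}
	return l, errs
}

func main() {
	l, errs := Replay(map[string]uint64{"alice": 100}, []Tx{ // constructed sample log
		{Caller: "alice", Fn: "open", ID: "e1", Seller: "bob", Arbiter: "carol", Amount: 60, Deadline: 10, Height: 1},
		{Caller: "bob", Fn: "attest", ID: "e1", Height: 2}, // rejected: bob is not the arbiter
		{Caller: "carol", Fn: "attest", ID: "e1", Height: 3},
		{Caller: "dave", Fn: "settle", ID: "e1", Height: 4},
	})
	fmt.Println(errs, l.Balances)
}
```

Because the deadline is compared with the block height carried by the transaction rather than a local clock, two peers replaying the same ordered log always reach the same world state.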


Figure 5. Protocol of the transaction messages (Source: Delmolino, Arnett, Kosba, Miller, & Shi, 2016)

Figure 6. Transaction messages (Source: Delmolino, Arnett, Kosba, Miller, & Shi, 2016)


11. DEVELOPMENT OF THE CHAINCODE

Chaincode, also known as a “smart contract”, is the business logic that governs how the different participants in a blockchain network interact or transact with each other. The chaincode encapsulates the business network transactions in code. When the chaincode is invoked, it gets the world state of the ledger. Chaincode is mainly written in Go or Java and runs inside a Docker container. Chaincode developers are given a way to test and debug their code, and before any participant can invoke the chaincode, it has to be deployed using the CLI, REST API or SDK. As soon as the request is received, the Docker container spins up with the relevant chaincode. Three choices are made available, among which one needs to be selected for the development of the chaincode (Croman et al., 2016).

1. Development of a Vagrant environment, which is used for developing the fabric.
2. Development of a Docker container environment for Mac or Windows.
3. Development of Docker Toolbox.
4. Getting the latest master Hyperledger fabric v0.6 from github.com.

If using the Docker environment, we need to pull and run the fabric-peer and fabric-membersrvc images from DockerHub. Membersrvc holds all the certificates issued for a particular user, in other words the user’s credentials. Multiple terminal windows may be needed, essentially one for each component: one terminal runs membersrvc and another runs the peer.

11.1. Setting Up a Vagrant Development Environment

1. Once the master source code of Hyperledger fabric v0.6 has been downloaded, change into the devenv subdirectory of the fabric workspace environment and ssh into Vagrant.

    cd $GOPATH/src/github.com/hyperledger/fabric/devenv
    vagrant ssh

2. Once the Vagrant environment is up, build and run the Certificate Authority (CA) server.

    cd $GOPATH/src/github.com/hyperledger/fabric
    make membersrvc && membersrvc

The default setup of the Certificate Authority (CA) is in the membersrvc.yaml configuration file, which lists multiple users who are already registered with the CA. Each user is provided with an enrollment ID and enrollment PW pair. In the configuration file, the role of each user is given as an integer: 1 = client, 2 = non-validating peer, 4 = validating peer, 8 = auditor.

3. To run a validating peer, ssh into Vagrant from the devenv subdirectory of your fabric workspace environment, then build and run the peer process.

    cd $GOPATH/src/github.com/hyperledger/fabric
    make peer
    peer node start --peer-chaincodedev

11.2. Chaincode Structure

Chaincode written in the Go language uses the shim package, an API that lets the chaincode interact with the blockchain network to access state variables, the transaction context, caller certificates and attributes, and to invoke other chaincodes. The chaincode has a main() function, which is used for bootstrapping/starting the chaincode. When the peer invokes the deploy function of the chaincode, the chaincode gets executed. The chaincode interface consists of three methods: Init, Query and Invoke.

11.2.1 Init Method()

The Init method is called when the chaincode is first deployed onto the blockchain network. It is executed by each peer that deploys its own instance of the chaincode, and can be used for any tasks related to initialization, bootstrapping or setup (see Figure 7).

11.2.2 Query Method()

The Query method is invoked whenever a read/get/query operation needs to be performed on the blockchain state. The Query method does not change the blockchain state and does not run within a transactional context. If it attempts to modify the state of the blockchain, an error about the transactional context may be raised. The Query method is only for reading the state of the blockchain, and query calls are not recorded on the blockchain (see Figure 8).

Figure 7. Init method of the chaincode

Figure 8. Query method of the chaincode

11.2.3 Invoke Method()

The Invoke method is called whenever the state of the blockchain is to be modified. Create, update and delete operations should be encapsulated within the Invoke method. When the Invoke method is called, it modifies the state of the blockchain, and the blockchain fabric code automatically creates a transaction context in which the method executes. All invocations are recorded on the blockchain as transactions, which are ultimately linked into blocks (see Figure 9).
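The division of work between Init, Invoke and Query described in 11.2.1 to 11.2.3 can be tried out with the sketch below. It is an added example, not the code of Figures 7 to 9 and not fabric code: `Stub` and `Peer` are local in-memory stand-ins for the shim stub and the peer, and the function names, key names and approval rule (borrowed loosely from the repo deal in Section 14) are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrNoTxContext = errors.New("state write outside a transactional context")
var ErrNotApproved = errors.New("deal not yet approved by dealer and investor")
var ErrBadCall = errors.New("unknown function or wrong arguments")

// Stub is a local in-memory stand-in for the shim stub (assumption, not fabric code).
type Stub struct {
	state    map[string][]byte
	readOnly bool // set by the peer while a Query runs
}

func (s *Stub) GetState(key string) []byte { return s.state[key] }
func (s *Stub) PutState(key string, value []byte) error {
	if s.readOnly {
		return ErrNoTxContext
	}
	s.state[key] = value
	return nil
}

type RepoChaincode struct{}

// Init runs once, when the chaincode is deployed.
func (RepoChaincode) Init(stub *Stub, function string, args []string) ([]byte, error) {
	return nil, stub.PutState("schemaVersion", []byte("1"))
}

// Invoke holds every state-changing operation. Function and key names are hypothetical.
func (RepoChaincode) Invoke(stub *Stub, function string, args []string) ([]byte, error) {
	if len(args) != 2 {
		return nil, ErrBadCall
	}
	ref, exists := args[0], stub.GetState("deal:"+args[0]) != nil
	switch {
	case function == "capture" && !exists:
		return nil, stub.PutState("deal:"+ref, []byte(args[1]))
	case function == "approve" && exists && (args[1] == "dealer" || args[1] == "investor"):
		// Simplification: real chaincode should take the party from the caller's certificate.
		return nil, stub.PutState("approved:"+ref+":"+args[1], []byte("yes"))
	}
	return nil, ErrBadCall
}

// Query only reads. "markViewed" is a deliberately wrong query that tries to write.
func (RepoChaincode) Query(stub *Stub, function string, args []string) ([]byte, error) {
	if len(args) != 1 {
		return nil, ErrBadCall
	}
	switch function {
	case "read":
		if stub.GetState("approved:"+args[0]+":dealer") == nil || stub.GetState("approved:"+args[0]+":investor") == nil {
			return nil, ErrNotApproved
		}
		return stub.GetState("deal:" + args[0]), nil
	case "markViewed":
		return nil, stub.PutState("viewed:"+args[0], []byte("yes"))
	}
	return nil, ErrBadCall
}

// Peer models the fabric side: it supplies the context and records transactions.
type Peer struct {
	stub   Stub
	Ledger []string
}

func Deploy() (*Peer, error) {
	p := &Peer{stub: Stub{state: map[string][]byte{}}, Ledger: []string{"deploy"}}
	_, err := RepoChaincode{}.Init(&p.stub, "init", nil)
	return p, err
}

func (p *Peer) Invoke(function string, args ...string) error {
	_, err := RepoChaincode{}.Invoke(&p.stub, function, args)
	if err == nil {
		p.Ledger = append(p.Ledger, "invoke:"+function) // invocations become transactions
	}
	return err
}

func (p *Peer) Query(function string, args ...string) ([]byte, error) {
	view := Stub{state: p.stub.state, readOnly: true}   // no transactional context
	return RepoChaincode{}.Query(&view, function, args) // nothing reaches the ledger
}

func main() {
	p, _ := Deploy()
	p.Invoke("capture", "R1", "constructed repo terms")
	_, before := p.Query("read", "R1")
	p.Invoke("approve", "R1", "dealer")
	p.Invoke("approve", "R1", "investor")
	out, _ := p.Query("read", "R1")
	_, wrote := p.Query("markViewed", "R1")
	fmt.Println(before, "|", string(out), "|", wrote, "|", p.Ledger)
}
```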

12. HYPERLEDGER FABRIC SDK FOR NODE JS

Hyperledger fabric, the operating system of the permissioned blockchain network, provides a powerful API for interacting with the fabric v0.6 blockchain: the Hyperledger fabric SDK for Node.js. The SDK is designed for the Node.js JavaScript runtime. It is through the Node SDK that the user interface communicates with the blockchain. It acts like middleware through which the functions of the chaincode, such as deploy, invoke and query, are called. When one of these functions is invoked, it is linked with the chaincode, and the chaincode is executed according to the invoked function. The first function executed when a user interacts with the SDK is the registering and enrolling of the user, which checks with membersrvc.yaml and core.yaml; the enrollment certificates and the transfer certificates are generated and the user is given access to those functions in the chaincode. Thus, it acts like an entrance to the blockchain ledger. Node.js provides an hfc module for installing the fabric SDK (Zhang, Cecchetti, Croman, Juels, & Shi, 2016).

An identity that is both registered and enrolled with Membership Services is a must for transacting on the Hyperledger blockchain. Registration is where a user invitation to join a blockchain is issued; it consists of adding a new user enrollment ID to the membership services configuration, which can be done programmatically with the member.register method or by adding the ID directly to the membersrvc.yaml file. Enrollment is the acceptance of a user invitation to join the blockchain network; it is done by the entity that transacts on the blockchain and can be done programmatically through the member.enroll method.

12.1. HFC Objects

1. Chain: The main higher-level class, which is the client’s representation of the chain. HFC allows interaction with multiple chains and shares a single keyValStore and MemberServices object among them.
2. keyValStore: A very simple interface that HFC uses to store and retrieve all persistent data. The stored data includes the private key, so the store needs to be secure.
3. MemberServices: An interface that represents the Membership services and is implemented by the MemberServicesImpl class. It provides identity features such as privacy, unlinkability and confidentiality. This implementation issues ECerts for enrollment identity and TCerts for transactions.
4. Member or User: Represents the users who transact on the chain and also the peers, which are members that perform the checks on the transactions. Users are registered and enrolled through this object, which interacts with the MemberServices object. The Deploy, Query and Invoke functions can also be called through it, which interacts with the peer.
5. TransactionContext: Deploy, Invoke and Query are implemented in the TransactionContext, which interacts with the membership services to get a TCert to perform these operations. A one-to-one relationship is maintained between the TCert and the TransactionContext.

Figure 9. Invoke method of the chaincode

13. ADVANTAGES OF DISTRIBUTED LEDGERS

• It creates a cryptographic transaction network without mediators.
• Consensus is based on the veracity of transactions.
• Transaction provenance and immutability.
• Avoidance of “double spend”.
• The failure of a single node cannot bring down the entire system.
• Provides a permanent time and date stamp.
• Scalable to many participants, account holders and account entries.
• Applicable to financial assets in capital markets.
• Provides faster clearing and settlement.
• Authorized parties are allowed to access and verify ownership records, with information and processes embedded in chaincodes.
• Ledger consolidation.

14. PERFORMANCE EVALUATION

The Bilateral Repo deal contract, a Hyperledger project, is a deal between clients made through an agreement. The Dealer and the Investor capture the Inventory Management, at which point the chaincode is invoked and a notification is sent to both custodians (the Clearing Bank and Investor custodians). After both custodians approve the notification, the deal can be enquired only by these custodians, and edits can also be made in the enquiry part. After the inventory capture, the Admin captures the Repo deal, which invokes the chaincode, and notifications are sent to both users (dealer and investor). After approving the notifications, they can query their deal with their respective Reference ID. Deploy, Invoke and Query are performed by the chaincode according to the business logic. The Query can be done only if both users accept the notifications, as this confirms a proof of deal between the clients.

Every deal made between the clients is stored in the ledger as a proof of transaction. During the enquiry, the contract is settled, which invokes the settlement function in the chaincode, and notifications go to both custodians, who view and approve the settlement deal. Collateral Substitution is a provision in a contract that allows the buyer to obtain a release of the real collateral by replacing it with another form to the seller. The chaincode invokes the collateral substitution function and notifications are sent to both custodians. After approval, the custodians can enquire what changes have happened between the dealer and the investor. All transactions can be seen live on the dashboard, where the blocks are incremented according to the logic of the smart contract.

14.1. Workflow of Repo Deal Contract

See Figure 10 for the workflow of Repo Deal Contract.

Figure 10. Workflow of Repo Deal Contract

15. RESULTS OF BILATERAL REPO

• The results of Bilateral Repo, a Hyperledger fabric project, proved a tremendous use case for the financial industries.
• The console is used by the Dealer and the Investor, or the Seller and the Buyer.
• The use case is built so that the Dealer and the Investor log in to the console, in which either of the parties has to make an agreement for the stock or trade they are going to buy and sell.
• There are various modules, such as Inventory Management, Repo deal capture, Agreement templates, Notifications and Collateral Substitution.
• Each of the screens has its own chaincode with functions, and the data is stored in JSON format.
• The Dealer/Seller and the Investor/Buyer each have their own custodian, and any deal that happens can be viewed only by the user and their respective custodian.
• The Clearing Bank custodian is the custodian for the Dealer, and the Investor_cust custodian is the custodian for the Investor.
• When the user logs in to the console, the first step is that it deals with the membership services to retrieve the TCerts and ECerts for the user and validates their authentication and authorization.
• Either the Dealer or the Investor has to log in to Inventory Management and capture the inventory.
• When the Inventory Management is captured, it deals with the chaincode of Inventory Management and invokes the JSON.
• As soon as both of them invoke the chaincode successfully, notifications are sent to both custodians, who on accepting them can enquire them at the Inventory Report screen.
• After the Inventory Management capture, the Admin logs in to the Repo deal screen to capture the deal between the Dealer and the Investor.
• The Admin is validated and authenticated through the membership services, and submits the Repo Deal.
• After the deal is captured, it interacts with the chaincode and invokes it successfully.
• After the chaincode is invoked, notifications are sent to both the Dealer and the Investor.
• The Dealer and the Investor have to either approve or reject the notification.
• After approval of the notifications, the Admin, the Dealer and the Investor can enquire the deal through the Deal enquiry screen.
• The Enquiry screen contains all the details of what happened between the Dealer and the Investor.
• The Enquiry screen has edit, save, settle and close buttons; editing can be done if required and is then saved.
• After saving, the settlement between the two users is done by clicking the settle button, and the close button hides all the buttons from the screen after editing.
• When the settlement is done, notifications go to both custodians, who on approving them can enquire the settlement in the Inventory Report screen.
• There is also a Collateral Substitution screen, where multiple collateral fields can be added if needed; the deal is submitted, which invokes the collateral substitution function, and notifications go to both custodians.
• After approving the notifications, the custodians can enquire the deal in the Inventory Report.
• Some built-in calculations are also provided, which automatically calculate the amount (see Figure 11).

The issues that can be faced when transferring an asset are inefficiency, expense and vulnerability. The Hyperledger model addresses these vulnerabilities and inefficiencies by providing the Membership services and the contract confidentiality mechanisms (see Figures 12, 13, and 14).


Figure 11. Attributes of the blockchain platform

Figure 12. Hyperledger fabric model


Figure 13. Working of membership services

Figure 14. Smart contract confidentiality

16. RESEARCH POTENTIALITIES IN FUTURE CONTEXT

Using blockchain technology in this way could uniquely enable consumers to buy and sell digital copies second hand, give them away or donate them to charity shops, lend them to friends temporarily or leave them as part of an inheritance, just as they used to with vinyl and books, while guaranteeing that they are not proliferating multiple unlicensed copies. For blockchain to succeed in supporting a method for managing digital rights where so many others have failed, it would need to balance the rights of sellers, buyers, the network of actors that includes the original owner of the content and a wide range of other intermediaries, including those that develop and maintain the blockchain itself. With such complex networks of interests at stake, it would be optimistic to expect a quick and uncontroversial solution to emerge, although some suggest that within a timescale of 10 to 15 years blockchain technology can be expected to have had a real impact on the music industry, with quicker opportunities for early movers.

A systematic mapping study was chosen as the research method for this study. The goal of a systematic mapping study is to provide an overview of a research area, to establish whether research evidence exists, and to quantify the amount of evidence. We chose the systematic mapping process as our research method because our goal was to explore the existing studies related to Blockchain technology. The results of the mapping study would help us to identify and map areas related to Blockchain technology and possible research gaps.

17. CONCLUSION

“Blockchain in capital firms” plays a major role in the life of dealers and investors, enabling them to transact securely without a “middle man”. Blockchain is also known as a distributed database of economic transactions, in which every user is registered and enrolled through the membership services. Smart contracts are built on the business logic, and deploying, invoking and querying the chaincode are done by programmatic code. Smart contracts, which act as a major backbone of the blockchain network, can be accessed only through the HFC SDK. Thus, it helps many Fintech industries to build trust with their customers and to increase their efficiency and stability across the globe.

REFERENCES

Androulaki, E., Cachin, C., De Caro, A., Kind, A., & Osborne, M. (n.d.). Cryptography and Protocols in Hyperledger Fabric.

Backlund, L. (2016). A technical overview of distributed ledger technologies in the Nordic capital market.

Buehler, K., Chiarella, D., Heidegger, H., Lemerle, M., Lal, A., & Moon, J. (2015). Beyond the Hype: Blockchains in Capital Markets (Working Papers on Corporate & Investment Banking). McKinsey.

Buterin, V. (2014). A next-generation smart contract and decentralized application platform. White paper.

Cachin, C. (2016, July). Architecture of the Hyperledger blockchain fabric. In Proceedings of the Workshop on Distributed Cryptocurrencies and Consensus Ledgers.

Cachin, C. (2017). Blockchain-From the Anarchy of Cryptocurrencies to the Enterprise (Keynote Abstract). In LIPIcs-Leibniz International Proceedings in Informatics (Vol. 70). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik.

Christidis, K., & Devetsikiotis, M. (2016). Blockchains and smart contracts for the internet of things. IEEE Access: Practical Innovations, Open Solutions, 4, 2292–2303. doi:10.1109/ACCESS.2016.2566339

Condos, J., Sorrell, W. H., & Donegan, S. L. (2016). Blockchain technology: Opportunities and risks. Vermont, January, 15.

Croman, K., Decker, C., Eyal, I., Gencer, A. E., Juels, A., Kosba, A., . . . Song, D. (2016, February). On scaling decentralized blockchains. In Proceedings of the International Conference on Financial Cryptography and Data Security (pp. 106-125). Springer Berlin Heidelberg.

Crosby, M., Pattanayak, P., Verma, S., & Kalyanaraman, V. (2016). Blockchain technology: Beyond bitcoin. Applied Innovation, 2, 6–10.

Delmolino, K., Arnett, M., Kosba, A., Miller, A., & Shi, E. (2016, February). Step by step towards creating a safe smart contract: Lessons and insights from a cryptocurrency lab. In Proceedings of the International Conference on Financial Cryptography and Data Security (pp. 79-94). Springer Berlin Heidelberg. doi:10.1007/978-3-662-53357-4_6

Dinh, T. T. A., Wang, J., Chen, G., Liu, R., Ooi, B. C., & Tan, K. L. (2017, May). BLOCKBENCH: A Framework for Analyzing Private Blockchains. In Proceedings of the 2017 ACM International Conference on Management of Data (pp. 1085-1100). ACM. doi:10.1145/3035918.3064033

Elsman, M., Henglein, F., & Ross, O. (2017). Automated Execution of Financial Contracts on Blockchains.

Fairfield, J. A. (2014). Smart contracts, Bitcoin bots, and consumer protection. Washington and Lee Law Review Online, 71(2), 36.

Hull, R., Batra, V. S., Chen, Y. M., Deutsch, A., Heath, F. F. T. III, & Vianu, V. (2016, October). Towards a shared ledger business collaboration language based on data-aware processes. In Proceedings of the International Conference on Service-Oriented Computing (pp. 18-36). Springer International Publishing. doi:10.1007/978-3-319-46295-0_2

Kosba, A., Miller, A., Shi, E., Wen, Z., & Papamanthou, C. (2016, May). Hawk: The blockchain model of cryptography and privacy-preserving smart contracts. In Proceedings of the 2016 IEEE Symposium on Security and Privacy (SP) (pp. 839-858). IEEE.

Leinonen, H. (2016). Virtual currencies and distributed ledger technology: What is new under the sun and what is hyped repackaging? Journal of Payments Strategy & Systems, 10(2), 132–152.

Li, W., Sforzin, A., Fedorov, S., & Karame, G. O. (2017, April). Towards scalable and private industrial blockchains. In Proceedings of the ACM Workshop on Blockchain, Cryptocurrencies and Contracts (pp. 9-14). ACM. doi:10.1145/3055518.3055531

Mainelli, M., & Milne, A. (2016). The impact and potential of blockchain on securities transaction lifecycle.

Morabito, V. (2017). Smart Contracts and Licensing. In Business Innovation Through Blockchain (pp. 101–124). Springer International Publishing. doi:10.1007/978-3-319-48478-5_6

Morabito, V. (2017). Business Innovation Through Blockchain.

Mougayar, W. (2016). The Business Blockchain: Promise, Practice, and Application of the Next Internet Technology. John Wiley & Sons.

Paech, P. (2016). The Governance of Blockchain Networks in Financial Markets.

Peters, G. W., & Panayi, E. (2016). Understanding modern banking ledgers through blockchain technologies: Future of transaction processing and smart contracts on the internet of money. In Banking Beyond Banks and Money (pp. 239–278). Springer International Publishing. doi:10.1007/978-3-319-42448-4_13

Red, V. A. (2017, May). Practical comparison of distributed ledger technologies for IoT. In Disruptive Technologies in Sensors and Sensor Systems (Vol. 10206, p. 102060G). International Society for Optics and Photonics. doi:10.1117/12.2262793

Swanson, T. (2015). Consensus-as-a-service: a brief report on the emergence of permissioned, distributed ledger systems.

Swartz, L. (2017). Blockchain Dreams: Imagining Techno-Economic Alternatives After Bitcoin. In Another Economy is Possible: Culture and Economy in a Time of Crisis (pp. 82–105). Cambridge: Polity.

Underwood, S. (2016). Blockchain beyond bitcoin. Communications of the ACM, 59(11), 15–17. doi:10.1145/2994581

Vukolić, M. (2015, October). The quest for scalable blockchain fabric: Proof-of-work vs. BFT replication. In Proceedings of the International Workshop on Open Problems in Network Security (pp. 112-125). Springer.

Vukolić, M. (2017, April). Rethinking Permissioned Blockchains. In Proceedings of the ACM Workshop on Blockchain, Cryptocurrencies and Contracts (pp. 3-7). ACM. doi:10.1145/3055518.3055526

Wyman, O. (2016). Blockchain in capital markets: The prize and the journey. Euroclear, (February).

Yeoh, P. (2016). Innovations in Financial Services: Regulatory Implications. Business Law Review, 37(5), 190–196.

Zhang, F., Cecchetti, E., Croman, K., Juels, A., & Shi, E. (2016, October). Town crier: An authenticated data feed for smart contracts. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (pp. 270-282). ACM. doi:10.1145/2976749.2978326

This research was previously published in the International Journal of Web Portals (IJWP), 10(1); edited by Maria Manuela Cruz-Cunha and Emanuel Soares Peres, pages 54-76, copyright year 2018 by IGI Publishing (an imprint of IGI Global).


Section 3

Crowdfunding and Crowdsourcing


Chapter 11

Making Citizens’ Activities Flourish Through a Crowdsourcing-Based Social Infrastructure

Mizuki Sakamoto
Waseda University, Japan

Tatsuo Nakajima
Waseda University, Japan

ABSTRACT

We now typically live in modern cities, where ubiquitous computing technologies such as advanced sensing enhance various aspects of our everyday lives. For example, smart phones offer necessary information to make our everyday lives convenient anytime, anywhere in the city; energy management and traffic management have become smarter, making our everyday lives more convenient and efficient. However, from a citizen perspective, the well-being of citizens needs to be more essential than merely achieving efficient and convenient smart city infrastructures. We think that this issue is particularly crucial for establishing the next generation of smart city design. In this chapter, we propose a social infrastructure named flourished crowdsourcing to make our society flourish, so diverse citizens will live comfortably and happily. To achieve a flourishing society, one of the most essential issues is making diverse citizens activists who will participate in socially collective activities. Traditional approaches such as gamification typically make it possible to guide the social activities of the average number of citizens, but it is not easy to maintain activities for diverse citizens. By incorporating fictionality into the real space, our approach is to increase the social awareness of citizens to achieve a flourishing society within each citizen’s community so that they see the necessity of their contribution. To design and analyze fictionality, we also propose a gameful digital rhetoric as design abstractions. The design abstractions are extremely different from traditional approaches; designers can explicitly focus on the enhancement of the meaning in the real space from multiple perspectives; thus designers can change the meaning incrementally according to rapidly changing social situations or citizens’ diverse preferences.

DOI: 10.4018/978-1-5225-6201-6.ch011


INTRODUCTION

When designing future advanced smart cities, maintaining a desirable lifestyle from the citizen perspective is a promising research topic. There have been numerous previous studies that have focused on efficient physical resource management such as energy and traffic management in underlying smart city infrastructures. However, in a future aging society, the well-being of citizens will become more crucial than building resource-efficient smart city infrastructures; this is an essential design approach in next-generation smart city design. To overcome the abovementioned issues, altering citizens’ attitudes and behaviors is crucial because adopting traditional ubiquitous computing technologies that focus on resource efficiency cannot by itself overcome the serious social problems of the present (Institute of Government, 2010; Stimmel, 2015; Wolfe, Malone, Heerwagen & Dion, 2014). Recently, some researchers have started to investigate how technologies and design strategies can make people flourish (Desmet & Pohlmeyer, 2014; Quercia, Schifanella, & Aiello, 2014). Our research goal is to establish a design guideline to enhance our lifestyle towards a more desirable level in urban cities, where many citizens live, to enable them to realize human well-being.

Seligman defines well-being theory (Seligman, 2011) as a theme of positive psychology. In his book, he identifies five factors needed for humans to flourish in the PERMA model, including positive emotion, engagement, relationships, meaning, and achievement. The factor of human well-being steers people towards desirable behavior. For example, a husband and wife who have positive images of one another can create a fruitful married life. Additionally, positive emotions reduce the risk of catching a cold or an infectious disease. Seligman claims that people without positivity tend to think that there is no way for them to improve their everyday lives whereas people with high positivity can act to have meaningful and productive lives (Layous & Lyubomirsky, 2014; Seligman, 2011). Therefore, developing a next-generation smart city infrastructure should take into account how such an infrastructure helps people achieve human well-being to guide their desirable human behavior.

In our current society, we have many serious social problems that we need to overcome. To overcome some of these problems, a top-down approach may not work well. In typical cases, governments or certain ambitious individuals may tackle the problems, but most of the remaining people merely stand as spectators to their activities to overcome the problems. Then, finally, no one has any interest in performing the activities needed to overcome the problems. Now, our world has become increasingly complex, and the top-down approach does not investigate a variety of complex social issues because one issue is unconsciously connected to other issues and observing these effects in advance is not easy. Therefore, each citizen needs to cope with these issues locally. For example, to achieve sustainable environments or realize a healthy social lifestyle, the participation of diverse citizens in the activities to achieve these goals is essential. We call a society in which diverse citizens voluntarily attempt to overcome these problems a flourished society. In the flourished society, citizens need to increase their self-awareness regarding how they should contribute to achieving the flourished society, and they need to establish intrinsic motivation to participate in the activities to make our society flourish. However, most citizens do not understand what they need to do to achieve a flourished society. A future social information infrastructure to guide citizens’ collective human behavior will help them understand and suggest what they need to achieve a flourished society. Some recent work proposed in the positive psychology research community (Layous & Lyubomirsky, 2014; Seligman, 2011) offers important scientific evidence to develop a social information infrastructure to guide diverse citizens’ collective behaviors towards achieving a flourished society.

Recently, digital marketing and social media practitioners have adopted a game-based approach under the term gamification (Deterding, Dixon, Khaled & Nacke, 2011; Huotari & Hamari, 2016) to connect people to products and services. The idea is to use game mechanics, such as those of digital games, to make a work task engaging, thus encouraging them to unconsciously complete more work tasks. Additionally, some researchers focus on changing the human behavior of individuals through persuasive technologies (Spagnolli, Chittaro & Gamberini, 2016). Persuasive technologies attempt to change undesirable human behavior through information technologies. For example, as shown in Consolvo et al. (2008) and Nakajima and Lehdonvirta (2013), presenting proper computationally changing expressions based on people’s current situations or efforts may change their behavior towards a desirable lifestyle. However, the existing approaches do not address true human well-being in terms of Seligman’s definitions, particularly from the perspective of collective human behavior.

This chapter proposes a social infrastructure designated flourished crowdsourcing to achieve a flourished society. As shown in the next section, digital games offer useful foundations to make our society flourish. However, the current approaches to extracting the games’ key idea to guide human behavior typically focus on only individual behavioral changes. To achieve a flourished society, flourished crowdsourcing offers several strategies to guide collective human behavior to increase people’s awareness of the necessity of their behavioral changes and to increase their intrinsic motivation to make them activists who achieve a flourished society. Increasing an individual citizen’s awareness to achieve a flourished society is the most essential factor in making our society truly flourish (Layous & Lyubomirsky, 2014). The approach requires different strategies from traditional human motivational mechanisms such as gamification and persuasive technologies to increase the social influence among the members of each citizen’s community. To increase the strategies’ essential power, flourished crowdsourcing incorporates fictionality into its crowdsourcing activities. Fictionality increases the power by exaggerating the effects in the real space or by using non-existing artifacts in the real space, making it possible to increase an individual citizen’s awareness of how his/her contributions to achieving a flourished society are essential. We introduce gameful digital rhetoric, which allows us to enhance the meaning of the real space to design fictionality and makes flourished crowdsourcing a social information infrastructure to guide collective human behavior through incorporated fictionality in the real space to achieve a flourished society. The chapter also presents how to help design and analyze flourished crowdsourcing to incorporate fictionality in crowdsourcing activities to engage citizens through the research method known as design fiction (Lindley, 2015; Tanenbaum, 2014).

In the next section, we first present how digital games offer the possibility to make our society flourish. However, current gamification and persuasive technologies do not offer sufficient power because these approaches do not offer a strong stimulus to make diverse citizens aware of the necessity of achieving a flourished society. We next propose a social information infrastructure designated flourished crowdsourcing. Flourished crowdsourcing structures our society into many micro-communities to increase the social influence within the micro-communities. However, the social influence generated from the structuring is not sufficiently powerful to guide the collective human behavior of diverse citizens. We also propose to incorporate fictionality into crowdsourcing activities to enhance the social influence and to make diverse citizens aware of the importance of participating in the crowdsourcing activities. To design fictionality, we introduce gameful digital rhetoric, that is, a design abstraction to design and analyze fictionality by enhancing the meaning of the real space to guide collective human behavior. Finally, we describe some design implications of our current approach.


USING DIGITAL GAME CONCEPTS FOR FLOURISHING SOCIAL COLLECTIVE ACTIVITIES

A digital game, which is produced by the assembly of information technology, has the power to provide all of the factors presented by Seligman that are required to realize human well-being (Seligman, 2011). He argues that engagement is a concept related to flow. During flow, people typically experience deep enjoyment, creativity, and complete involvement with life, with the engagement that causes people to experience a flow state being an essential component in digital game design. Csikszentmihalyi notes that the flow experience has all of the building blocks of personal fulfillment, such as clear goals each step of the way, immediate feedback on one’s actions, and balance between challenges and skills (Csikszentmihalyi, 1997). McGonigal states that positive emotions are the ultimate reward for participation (McGonigal, 2011). Castranova also identifies positive emotions as the single most important motivation for game playing (Castranova, 2007). Almost all digital games include immediate feedback under players’ control, and well-designed digital games provide clear goals and appropriate challenges based on each player’s skill. Regarding meaning, digital games have various rhetorical aspects, many of which have been discussed in previous studies; currently, rhetorical power is being reinvestigated to understand the powerful effects of digital games (Bogost, 2008). Additionally, digital games can create positive relationships, with digital games explicitly providing meaningful and valuable benefits with regard to participating in collective human behavior. In fictional game worlds, players frequently tend to mutually collaborate to achieve a shared goal because they reap individual benefits by doing so. In Massively Multiplayer Online Role-Playing Games (MMORPGs) such as World of Warcraft (Blizzard Entertainment, 2016), multiple players must cooperate to perform complex missions.
McGonigal also argues that gamers quickly form bonds with other gamers. In her study, McGonigal illustrates the relationship created through collective activities in the social fabric of games (McGonigal, 2011). Moreover, achievement is often used in digital games as a useful incentive to motivate people. Digital games clarify the process of achievement by using points, badges, leaderboards and other similar features (Deterding, Dixon, Khaled & Nacke, 2011). The foregoing discussion clearly shows that the power of digital games can enhance the five factors defined by Seligman, enabling them to become the permanent building blocks for a life of profound fulfillment oriented towards making a society flourish.

As shown in the previous section, gamification is a promising approach to increasing human motivation, and it has been adopted in various digital services, in particular, various recent social media such as Facebook and Twitter. However, traditional gamification mainly focuses on only two of Seligman’s five factors, engagement and achievement, as shown in Figure 1. Therefore, it is difficult to achieve human well-being in terms of Seligman’s definition. The two factors, engagement and achievement, are designed based on goal setting (Deterding, Dixon, Khaled & Nacke, 2011), but other factors must take into account meaning in our everyday lives. For example, as shown in Morschheuser, Hamari and Koivisto (2016) and Liu, Alexandrova and Nakajima (2011), most current approaches to enhancing crowdsourcing with gamification do not make their participants aware of the necessity of their crowdsourcing activities to maintain their long-term activities. Therefore, it is not easy to actually motivate diverse people. In particular, recent trends in the use of gamification in social media and social games mainly aim to unconsciously engage people based on behavioral psychology and not to increase curiosity or intrinsic motivation by increasing people’s joy.

Figure 1. Well-being and the power of games

However, the insights that we have extracted from research on digital games (Sakamoto & Nakajima, 2014a; Sakamoto & Nakajima, 2014b; Sakamoto & Nakajima, 2015a) show that digital games offer Seligman’s five factors through fictionality, not the game mechanics. Digital games strongly influence us based on their fictional worlds, which consist of computationally changing representations, through player interaction. Our approach attempts to guide human behavior through fictionality, in particular, by incorporating fictionality into the real space. Digital games typically exploit the use of fictionality to make players aware of the meaning of the world of games. For example, the use of empathetic characters increases the familiarity with the game world where the characters appear. We believe that the real space where we live enhances meaning by incorporating fictionality and that the real space enhances our well-being through fictionality designed based on digital game concepts. Incorporating fictionality into the real space makes it possible for a citizen to achieve a desirable situation by playing a role in a fictional story because the story makes us believe in the necessity of achieving a desirable situation, making it possible to increase our inclination to become activists (Sakamoto & Nakajima, 2015a). Because a typical fictional story describes brave heroes, dignified heroines and mysterious magicians whose strong self-efficacy allows them to overcome difficult challenges, when we play these roles in the real space, our attitudes and behavior are altered, and our own self-efficacy increases. Role-playing, in which a person plays a fictional role in the real space without losing his or her grasp on reality, is effective in incorporating fictionality into the real space. This style of role-playing is known as pervasive role-playing (Montola, 2007). A person’s fictional experience becomes tangible when he or she feels that the embodied fictionality is realistic. Realism is the most essential criterion for the success of pervasive role-playing (Ishizawa, Takahashi, Irie, Sakamoto & Nakajima, 2015).
The crucial aspect of role-playing is to increase a player’s autonomy through the game’s property of agency (Montola, 2007). As shown in Deci (1980), this autonomy is essential for building a player’s intrinsic motivation. Therefore, incorporating fictionality becomes an effective tool in helping citizens understand the embedded ideological messages in the story and in inducing their participation by increasing their intrinsic motivation, clearly reflecting Seligman’s factor of meaning. A digital game offers a virtual world that contains various virtual objects, social and economic mechanics and challenges that influence a player’s behavior in the fictional world. Typical virtual objects include virtual currency, virtual humans, virtual goods and virtual clothes. Well-designed digital games offer players many attractive imaginary and artificial benefits through meaningful and valuable experiences. When designing an attractive and successful digital game, a game developer defines meaning based on how a player perceives virtual objects and events in the virtual world. If a player feels that the world is meaningful, then he or she will enjoy the game. This discussion indicates that fictionality offers Seligman’s positive emotion. Similarly, in digital games such as MMORPGs, social influence is also well designed among players to guide their participation in the games. Thus, fictionality also offers Seligman’s relationships. We believe that the same reasoning applies to the real space. Making citizens’ lives in smart cities meaningful is crucial to influencing human behavior to make a society flourish (Sakamoto & Nakajima, 2015a; Sakamoto, Nakajima & Akioka, 2015). If we perceive that the objects and events in our real everyday lives are meaningful and valuable by enhancing them with digital game-related concepts, then our pleasure in our everyday lives is increased. For example, empathetic stories are added to name-brand products to make them more meaningful. Current gamification and persuasive technologies do not exploit the aspects of digital games to enhance the meaning in the real space through fictionality.
However, offering well-designed fictionality is a key issue in incorporating human well-being in digital games. Additionally, non-existing fictional effects are promising for enhancing the real space (Ishizawa, Takahashi, Irie, Sakamoto, Nakajima, 2015; Nakajima & Lehdonvirta, 2013; Sakamoto, Alexandrova & Nakajima, 2015). As shown in Sakamoto, Alexandrova and Nakajima (2015) and Sakamoto and Nakajima (2015c), fictionality can strongly influence human behavior to make certain lifestyles highly desirable. Based on the discussion above, the incorporation of fictionality into the real space complements traditional gamification, in particular, for achieving human well-being. However, we still need to discuss how to design fictionality and how to incorporate fictionality in social information infrastructures.

To design fictionality, our proposed design concept is based on Caillois’s definition of play. He notes that playfulness, known as paidia (unstructured and spontaneous activities), is only one of two modes of play; he also defines ludus, which captures gamefulness (structured activities with explicit rules) (Caillois, 2001). Gameful digital rhetoric includes the two modes of play noted above to design fictionality to increase the awareness of the necessity of achieving a flourished society. Our approach is also based on insights into developing several services based on persuasive technologies (Nakajima & Lehdonvirta, 2013; Sakamoto, Nakajima & Alexandrova, 2015) in which offering computationally changing expressions reflects people’s current situations. The expressions present the meaning of the current situation to increase the awareness of the drawbacks of the current situation.
From these past insights, we try to redefine playfulness and gamefulness from the aspect to abstract the real space for speculating gameful digital rhetoric, where designing fictionality with gameful digital rhetoric incorporates a variety of digital games’ properties to make us flourish because the properties satisfy Seligman’s five factors as described above. Our approach regards gamefulness as a frame to abstract a society where people live and playfulness as a frame to abstract people’s meaning-making when they perceive our society. In flourished crowdsourcing, gameful digital rhetoric is adopted to incorporate fictionality to increase the playfulness and gamefulness in the participants’ activities. As shown above, fictionality enhances meaning in the real space and motivates citizens in communities.

A SOCIAL INFORMATION INFRASTRUCTURE TO MAKE CITIZENS’ ACTIVITIES FLOURISH

Technological advances alone are not sufficient to achieve the goal of a better future. Citizens must alter their attitudes and behaviors (Institute of Government, 2010; Wolfe, Malone, Heerwagen & Dion, 2014). According to Faud-Luka (2009), designing people’s activism is a crucial direction for overcoming various serious social problems. It aims to alter human attitudes and behaviors through a design-oriented approach. Governments embed persuasive strategies in public policies; however, this method has limits, particularly because setting public policy requires a process that takes a very long period of time (Institute of Government, 2010). The free resources that are shared by a number of people, such as public toilets and the natural environment, tend to be overused as a consequence of the tragedy of the commons (Hardin, 1968). This problem occurs because each individual derives a personal benefit from using the resource, whereas any costs are shared among all of the users; this circumstance leads to use that is inconsiderate towards others. An example of this behavior is the wasteful use of free plastic shopping bags, which are filling landfills. Citizens must experience a feeling of having contributed to achieve a flourished society to be motivated to pay the necessary cost. The roles of crowdsourcing have recently expanded in a variety of new areas, such as citizen science, civic engagement, and political campaigns, and they will become increasingly important in a modern society (Oxford Internet Institute, 2014). In crowdsourcing, each participant performs a micro-task, that is, a tiny task to be completed with a small amount of effort in which the entire task is divided into numerous micro-tasks; each micro-task requires only a small amount of time to be completed because it attempts to achieve the sustainability of a small, common resource in a person’s spare time with minimal effort.
Increasing citizens’ awareness of how they participate in solving serious social problems is central to achieving a sustainable smart city (Lea, Glang, Blackstock, Vogt, 2015). In flourished crowdsourcing, to explicitly guide human collective behavior, a micro-task performed in crowdsourcing to steer people towards their desirable situation should be a central concept. Additionally, to involve more citizens, these micro-tasks should be designed by a variety of stakeholders who contribute to overcoming social problems based on participatory design (Ehn, 1993). Flourished crowdsourcing offers a basic concept known as micro-communities to effectively influence community members. The fictionality incorporated into the real space strengthens social power through the techniques pervasively installed and developed in persuasive technologies. The approach increases the possibility of increasing diverse citizens’ awareness of the activities oriented towards achieving a flourished society because enhancing the meaning of the real space through fictionality influences all citizens who reside in the space. The above discussion indicates how our approach takes into account the relationship factor defined in Seligman. Because our approach is lightweight and uses a smart phone, people can participate in flourished crowdsourcing activities with little effort anytime and anywhere. In flourished crowdsourcing, we aim to provide an opportunity to everyone who wishes to contribute and participate in improving our space. Each micro-task is defined as a mission that is typically used in digital games. There have already been several crowdsourcing works to increase participant motivation based on gamification (Morschheuser, Hamari & Koivisto, 2016; Liu, Alexandrova & Nakajima, 2011). Most prior approaches attempted to increase human motivation through points, badges and leader-boards. However, our approach enhances the meaning of the real space through fictionality. 
Enhancing meaning in the real space may increase people’s positive emotion and positive relationships. Additionally, doing so strengthens the engagement to perform activities to make our society flourish and motivates people to achieve a flourished society. Finally, the enhancement of the real space may make people’s activities more meaningful. As shown in the section, our approach offers multiple design frames for designing and analyzing fictionality and increases the possibility of making diverse citizens flourish by considering fictionality from multiple perspectives through framing the meaning in the real space.

Basic Design Strategies for Increasing Social Influences

A community-based approach overcomes the issue of guiding aggressive participation in social activities to contribute to a flourished society. The most important design strategy of the approach involves using a micro-community to guide more crowdsourcing activities by increasing the social influence among participants, as shown in Figure 2. The design strategy is to adopt an altruistic society, but altruism alone is not sufficiently strong to motivate citizens when the number of community members is high and other temptations typically obstruct their altruistic behavior (McGonigal, 2013). If each community consists of a small number of members, then the possibility of a free ride is decreased (Olson, 1965). This design is essential for crowdsourcing for collective action because the existence of a large number of free riders significantly kills the motivation of active participants.

Figure 2. Structuring crowdsourcing with micro-communities

This approach is also important in increasing curiosity because community members who know each other can propose a new micro-task that may be of interest to members within the same community. With this approach, a community member in each micro-community can propose a micro-task to maintain the flourishing of the community, and other members of the community can then complete or support other members to complete the micro-task. However, members typically do not have sufficient
time to contribute to a micro-task. In particular, citizens who live in urban areas are busy and have many commitments. Therefore, they typically forget the importance of achieving a desirable situation in our society. In our everyday environments, we have numerous small, common resources that are costly to maintain if maintained by the government, nonprofit organizations or individual companies. However, maintaining these resources typically necessitates tasks that can be achieved with minimal effort in a person’s spare time. In our urban lives, we typically have many opportunities to take advantage of small amounts of spare time.

Figure 3 shows an overview of activities of the participants in a flourished crowdsourcing micro-community. A member of a micro-community related to a small common resource, known as a micro-task organizer, proposes a new micro-task when he or she becomes aware that an activity must be completed to maintain the sustainability of the resource. Typical examples of these common resources are a public sink on a floor of a building or a public shelf used by a university laboratory. The proposal includes a summary of the micro-task, which specifies the necessary activities and the value of achieving the micro-task. When other members, known as micro-task supporters, receive a request to support the micro-task, they decide whether they want to do so based on the delivered photograph representing the micro-task. Members who wish to support the micro-task simply click on the requests on their phones to notify the micro-task organizer. The micro-task can be performed by any member who can access the resource in his or her spare time when the total contributed value satisfies him or her. This member is known as a micro-task performer. The micro-task is typically a simple task, such as cleaning a public fountain or putting a shelf in order.

Figure 3. Overview of flourished crowdsourcing

After completion, the micro-task performer takes a photograph of the resource to show that the micro-task has been completed and sends it to the micro-task organizer. Finally, the
micro-task organizer verifies the quality of the achievement, and notification of the completion of the micro-task is delivered to all of the members who supported the micro-task. One typical example of flourished crowdsourcing is to increase the awareness of the necessity of our environmental sustainability. A micro-task organizer proposes a tiny mission such as picking up litter from public streets or parks or increasing the temperature setting of an air conditioner. Some participants may not be aware that these missions contribute to environmental sustainability (Shiraishi, Washio, Takayama, Lehdonvirta, Kimura, & Nakajima, 2009). In particular, micro-task supporters increase the awareness of the necessity of these missions through participations in flourished crowdsourcing activities. This approach increases the awareness of the contributions of community members through social influence because the effects of their contributions can be easily monitored through their participation in flourished crowdsourcing activities. After the micro-task to which the community members are contributing has been completed, each community member who has supported it as a micro-task supporter receives a notification of completion as feedback. Thus, most micro-community members are ultimately aware of the desirable situation to be achieved through the flourished crowdsourcing activities. To increase the awareness of participants, the next subsections propose several design strategies to enhance the meaning of the real space through fictionality incorporated into the real space. This approach increases the social influence within a participant’s community and reflects each participant’s preference and personality to make them activists who achieve a flourished society. In typical crowdsourcing, the price of performing a micro-task is specified; however, our approach can use anything of value, not only money, and the value is enhanced through fictionality. 
For example, the use of virtual currency to increase the community’s activities is a typical approach (Sakamoto & Nakajima, 2013a), but the approach may not be appropriate for motivating diverse citizens in our society. The basic strategies are not enough to make our society flourish, but enhancing flourished crowdsourcing with the monetary reward does not solve the problem. Thus, we need alternative methods of guiding diverse citizens, who are the most essential factors in achieving a flourished society. As shown in the next subsection, for example, any aesthetic or precious object, empathetic creatures and even useful information can be used; we may also use a mechanic to influence the behavior of citizens, such that they consider that the mechanic makes their activities meaningful. In the next subsection, we introduce gameful digital rhetoric to make a variety of objects and mechanics in our space more valuable by incorporating fictionality into the real space, enhancing the basic strategies so that flourished crowdsourcing’s participants flourish more. The micro-task proposal is published and disseminated to all participants by touching the common resource with the micro-task organizer’s smart phone and sending a photograph that shows the current status of the resource.

Gameful Digital Rhetoric for Designing Fictionality

The semiotic aspect of the real space is essential in discussing how the space is meaningful, such that we can discuss the meaning-making of each symbol that appears in the real space. Digital rhetoric in digital games, which we designate gameful digital rhetoric, often plays a role in manipulating a player’s actions to advance a game. In particular, digital rhetoric that represents fictionality has a powerful influence on people in defining the meaning of the worlds of digital games, as shown in the previous section. Gameful digital rhetoric consists of two concepts: “rhetoric” and “value”. “Rhetoric” is defined in the GamiRhetoric model, and “value” is defined in the GamiValue model. The design of virtual objects and mechanics based on “rhetoric” and “value” can be conceptually useful for designing meaning in the real
space to influence human behavior, thinking, and feeling in smart cities. In most previous game studies, although playfulness and gamefulness are two essential components in play research, as claimed by Caillois, playfulness and gamefulness are typically competitive concepts (Deterding, 2015). Conversely, in our approach, we consider playfulness and gamefulness together to enhance the meanings in the real space. Playfulness is important in enhancing meaning in the real space to increase its attractiveness. This factor increases the intrinsic motivation of humans in their everyday lives. On the other hand, gamefulness is essential in enhancing meaning in the real space to engage people in their communities. Incorporating gameful digital rhetoric into the real space contributes to enhancing the meaning, and it makes the real space more meaningful to citizens. The incorporation of economic and social mechanics is a typical example of the use of “rhetoric”. For example, encouraging communities’ activities through virtual currency and increasing empathy among community members are typical cases of the use of “rhetoric”. Additionally, adding aesthetic, computationally changing expressions to reflect the current situation of citizens is a typical case of the use of “value”. Gameful digital rhetoric offers multiple frames for designing and analyzing fictionality, enhancing meaning in the real space. The multiple frames defined in gameful digital rhetoric allow designers to properly frame the enhancement of the meaning in the real space from different perspectives so that designers can then focus on how to enhance the real space more meaningfully from these multiple different perspectives. Because investigating these multiple frames incorporates Seligman’s five factors as described in the previous section, enhancing the basic strategies with gameful digital rhetoric allows flourished crowdsourcing to make our society flourish.
Additionally, the approach can take into account the frames independently so that designers can incrementally add or replace the meaning of the real space. Meaningfulness is a crucial design factor for emotionally engaging citizens. The enhanced meaning gained through gameful digital rhetoric makes explicit the desirable lifestyle to be achieved through their activities and guides citizens in smart cities by offering many attractive imaginary and artificial benefits.

• The GamiRhetoric Model: The GamiRhetoric model abstracts the real space from the gameful aspect for designing digital rhetoric to make the digital world meaningful. It consists of five types of rhetoric: curious rhetoric, narrative rhetoric, collective rhetoric, social mechanics rhetoric and economic mechanics rhetoric, as shown in Figure 4. These five types of rhetoric have been extracted from experience based on building several crowdsourcing services, as detailed in Sakamoto, Nakajima and Akioka (2015). These authors provide further evidence of how each type of rhetoric is extracted from our experiences. In crowdsourcing infrastructures, designing social influence requires cognitive effects to be exerted on individuals. In this context, changing the meaning in infrastructures alters the cognitive effects on individuals. The five types of rhetoric noted above are used to design the meaning of these infrastructures.

Curious rhetoric influences people through people’s five senses—including the visual and auditory senses, which offer us emotional engagement such as interest, happiness and comfort—and increases their curiosity to motivate their activities. Collective rhetoric represents the accumulated efforts of participants and is one of the essential motivations for participants to continue their efforts. Narrative rhetoric contains an argument specified in a narrative. A typical narrative teaches people what they should do in the everyday lives that they desire. Narratives have two aspects. The first aspect describes the ideological messages in the narrative; the second aspect relates to goal-setting in the narrative. This type of rhetoric
is specific to digital games, which operate based on interaction with a player. Finally, social mechanics rhetoric and economic mechanics rhetoric offer the norms, rules and mechanics that are typically used to collectively coordinate people in the real space. They include various social and economic mechanics such as the market economy, the gift economy, the altruistic society, battle and role-playing mechanics, with these mechanics also being typical underlying mechanics used in popular digital games. Regarding the utilization of the frame of the GamiRhetoric model, enhancing the meaningfulness added to each frame is important. The agency and immersion properties of this model are useful concepts that are implemented in digital games to make objects more meaningful. The property of agency relates to whether participants can control the effects on their activities, and the property of immersion refers to whether these effects reflect players’ real activities without violating the realism of the enhanced real space.

• The GamiValue Model: The GamiValue model abstracts the real space from the playful aspect for designing a digital rhetoric to make the digital world meaningful. It consists of five types of value. Using value has recently been recognized as an important design approach to developing desirable digital services. In analyzing digital games, it is useful to systematically summarize what values players feel towards the digital game. These values have been extracted from user experiences with developing various digitally enhanced products. The values in the model are extracted from a semiotic perspective, and the model defines six frames for attaching the following values to virtual objects: informative, aesthetic, empathetic, authentic, mindful and ideological values, as shown in Figure 5. Sakamoto, Nakajima and Alexandrova (2015) and Sakamoto, Alexandrova and Nakajima (2015) present further justification of how values can be extracted from experiences with developing digitally enhanced everyday artifacts.

Figure 4. GamiRhetoric model

Figure 5. GamiValue model

The first value is informative value. This value offers sufficient information to people and helps them make better decisions. A typical example of this value is an augmented reality service that superimposes useful information onto a video. This service provides people with detailed information on their everyday environment, such as shopping and travel information. The second value is empathetic value. This value is achieved and enhanced by adding some similarity with a user. It is usual for people to have a strong sense of empathy to people when they share some similarity between them. People can even feel a close relationship with a product that has some similarities to them. The third value is authentic value. This value provides people with a sense of ownership. In particular, physical tangibility is important because it increases people’s sense of ownership of an object. For example, people enjoy owning expensive jewelry and artwork. Scarcity is key to increasing this sense of ownership because collecting rare objects increases social status. The sense of ownership of an object is very important because it allows people to create their own original “empathetic stories” with the object. These stories include people’s feelings and their levels of attachment to an object and how their everyday lives have changed following their possession of the object. The fourth value is aesthetic value. Aesthetics is an important concept with regard to making everyday objects more attractive. Aesthetics is a branch of philosophy that addresses the nature of art, beauty, and taste, particularly the creation and appreciation of beauty. For example, traditional Japanese folk crafts represent aesthetic values, which are important in increasing people’s quality of life. The fifth value is mindful value. This value provides people with positive feedback regarding their current situations and shows the future influences of their current activities. 
The value is used when emphasizing the mindful and positive aspect of other values. Showing positive information should increase people’s motivation to engage in desirable activities. The sixth value is ideological value. This value reminds users of important ideological concepts, such as friendship and justice. This value is not explicitly presented to people; instead, special stories that contain important ideological messages are
used to implicitly explain the importance of these concepts. If people are familiar with the stories, then the characters that appear in the stories can be used as metaphors to demonstrate various ideological values.

• Design Process with Gameful Digital Rhetoric: As shown in Figure 6, in our approach, we first consider the respective types of rhetoric in the GamiRhetoric model, and then, we exploit the types of value in the GamiValue model to make the incorporated fictionality more meaningful and realistic; this approach is proposed as rhetoric-focused design, described in Sakamoto and Nakajima (2015b), because gamefulness offers more fundamental substrates that engage citizens in an infrastructure-based approach such as flourished crowdsourcing (Sakamoto, Nakajima & Akioka, 2015). When considering each model, we analyze each frame of the model to discuss the meaning of the incorporated fictionality. With gameful digital rhetoric, a designer who designs and analyzes fictionality takes into account each frame independently and incrementally. Thus, it is easy to add and replace the respective “rhetoric” and “value” in gameful digital rhetoric while deploying playfulness in the real field. Thus, for typical designers, our approach is friendlier. Because gameful digital rhetoric enhances the meaning of the real space, all citizens in the enhanced space are potentially influenced through the incorporated fictionality. By replacing and adding the “rhetoric” and “value” incorporated into the space incrementally, citizens are guided to change their collective human behavior.

Figure 6. Flourished crowdsourcing with gameful digital rhetoric

Incorporating Fictionality to Make the Activities of Citizens Flourish

To demonstrate our approach, the following shows a concrete story world in which fictionality is introduced in flourished crowdsourcing. As shown above, the basic design strategy of flourished crowdsourcing is to adopt an altruistic society, represented as social mechanic rhetoric. To enhance the social influence, a participant in flourished crowdsourcing plays a role in the story world. To design the story world, we adopt a design-oriented approach known as design fiction to critically design and analyze the effectiveness of gameful digital rhetoric in flourished crowdsourcing. Design fiction exploits the use of story worlds created based on the techniques of design fiction to demonstrate the possible effects of new technologies (Lindley, 2015; Tanenbaum, 2014). This section presents one example of concrete story worlds that show how citizens behave in flourished crowdsourcing. Design fictions combine elements of science fiction, science fact and design to create diegetic prototypes (Kirby, 2010), that is, artifacts that exist within the worlds of the story. Design fictions attempt to forge a discursive space by depicting technologies and the situations in which they are used that are simultaneously real and speculative. Using story worlds as a substrate to sketch these artifacts enables design fictions not only to explore concepts and technical pitfalls but also to extract insights about what it would be like to live with these technology-oriented artifacts in our everyday lives. When designing a story world to increase social awareness, we also adopt a technique known as a pastiche scenario (Blythe & Wright, 2006), which is one of the most popular techniques used in design fiction. The technique uses characters in an existing well-known story; thus, the approach easily delivers more information in a story world without a long, detailed script to make people understand the story world. After presenting the scenario, we explain how gameful digital rhetoric is used to design fictionality in the scenario. In the scenario, fictionality is incorporated into the real space through the concept known as virtual forms (Sakamoto & Nakajima, 2014a; Sakamoto, Nakajima & Alexandrova, 2015). Virtual forms procedurally show changing fictional expressions according to the current situation and seamlessly integrate the expressions into the real space.

1. A force encroaches on the peaceful world, with each micro-community member asserting his or her power. Then, a shared table also becomes dirty. Hajime plays the role of a heroine who saves the world but is caught by a monster who destroys nature. The peaceful world suddenly becomes dreary or colorless.1
2. Her friends Rui, Sugane, and Utsutsu are assigned roles as team members to work together to find a person who can perform a micro-task to organize the shared table and release Hajime from the monster. Hajime asks her team members to complete their quest as micro-task organizers.
3. Each team member who plays the role of micro-task supporter has a smart phone whose progress bar presents his/her contribution as an inner world. If the team cannot find a person to perform the micro-task before the deadline to save Hajime, the world will be devastated, and they will lose their powers forever.
4. Hajime’s team members are aware of their powers. They notice that three independent powers are necessary to activate the ability of Tsubasa, another heroine, to accomplish the proposed micro-task as a micro-task performer. According to the team members’ individual personalities, Rui’s power is intelligence, Sugane’s is technique, and Utsutsu’s is strength.
5. Each member learns how to save the world from environmental pollution to increase his/her power. Rui increases her knowledge in various areas, Sugane learns various techniques, and Utsutsu studies the importance of political power to solve the problem of environmental pollution.
6. Tsubasa’s smart phone has a progress bar showing whose power is currently given to her, and she waits to collect all three powers. Finally, all of the team members possess their powers and identify Tsubasa as the right person to perform the micro-task.
7. Once Tsubasa possesses the three powers, her smart phone informs her that it is the right time to perform the micro-task, and she can finally clean the table. Rui, Sugane, and Utsutsu observe that Tsubasa has completed the micro-task because their inner worlds revert to the original peaceful world where many flowers bloom. She finally sends photos to other members to notify them of the completion of the micro-task.
8. Hajime is released from the monster, and the monster departs for her galaxy. She appreciates Tsubasa and her team members and that the world is again bright and clean. Now, Rui, Sugane and Utsutsu also have knowledge and know the techniques to avoid environmental pollution. On the next occasion, they will want to contribute to other micro-tasks to achieve a desirable society.

In the above scenario, the desirable situation is defined only in the story world. If the story world is not well delivered to citizens, they do not understand what their desirable situation is. Additionally, the progress bar does not offer a visual metaphor to show how they are to achieve a desirable situation; it is desirable to explicitly offer the desirable situation and participants’ progress as more meaningful representations. To overcome this issue, collective rhetoric is added to the approach to increase the intrinsic motivation of individuals. We adopt virtual forms to seamlessly incorporate collective rhetoric into flourished crowdsourcing. In the scenario, flourished crowdsourcing adopts three virtual forms, as shown in Figure 7. The first virtual form shows our fictional everyday environment. When a monster appears, the expression showing fictional nature becomes colorless. In the story world, the monster represents a concrete symbol of environmental pollution, which facilitates reminding participants that pollution is a serious problem in our society. The second virtual form is shown on each team member’s mobile phone and represents his/her inner world. The virtual form is used to show each participant’s current contribution as an enhanced progress bar.
The third virtual form shows an enhanced progress bar of the growth of the power of each team member and a deadline for a micro-task performer to complete the micro-task.

Figure 7. Virtual forms in flourished crowdsourcing

When designing virtual forms, we take into account several values. The most essential value is aesthetic value because most people can easily understand that the aesthetic is lost when they do not feel that they are flourishing. Both the first and second virtual forms use natural landscapes because it is easy for them to represent aesthetic value and landscapes become metaphors that represent a flourished society. In the first virtual form, empathetic value is adopted in a negative manner. The monster is represented as a less empathetic creature; thus, citizens easily understand that the monster is violating the natural landscape. Finally, the third virtual form uses mindful value and informative value. The virtual form shows how many people agree to support the activity. Additionally, the visual represents the positive effect from when they agree to support the activity. The most important aspect of these designs is that the virtual forms make the desirable situation and achievement of citizens more meaningful, although they are not clearly meaningful without introducing these virtual forms.

Current Status and Analysis

We have developed a flourished crowdsourcing prototype system to demonstrate the feasibility of our idea. The prototype system consists of the following three components. The first is an Android phone that possesses an NFC reader, as shown in Figure 8. The second is a computer that is connected to a server—designated the resource management server—embedded in a small, common resource. The last component is a server that stores various data related to the flourished crowdsourcing activities in a database. This second server is designated the flourished crowdsourcing server, which is networked to all of the resource management servers. The system has been implemented as an HTML5 (World Wide Web Consortium, 2014) web application. Thus, participants can easily begin using the flourished crowdsourcing service with minimal effort. In the current prototype system, we have also installed several public displays to show the computationally changing fictional expressions in public spaces as virtual forms, as shown in the previous subsection. Currently, we have deployed our prototype systems in our laboratory environment and conducted some experiments to investigate the feasibility of flourished crowdsourcing. The current focus of flourished crowdsourcing is to achieve sustainable environments. Each micro-task organizer proposes a micro-task such as cleaning a desk or sink in our laboratory or moving tables or chairs to make us more comfortable staying in our laboratory. Our current prototype system deployment focuses on how social influence is changed by incorporating fictionality within a small community. From our experiments using the prototype system, we have found that a micro-task organizer’s creativity becomes a key to increase the activities of laboratory members because other members may not know what activities contribute to making our laboratory environment sustainable.
It is also important to exploit the altruism among the members of the laboratory because people typically like to help well-known people from whom they feel a good impression. In the prototype system, each participant chooses a popular virtual character as his/her avatar that all of the participants know well and typically favor. We also adopt scenario analysis to discuss the effect of embedded fictionality on social influence. From our experiences with the prototype system, the investigation of the effect of the social and economic mechanism incorporated in flourished crowdsourcing can be performed based on the prototype implementation because participants need tangible experiences to effectively find the drawbacks. However, to investigate different approaches to incorporating fictionality, it is not easy to perform real experiments for all of the possible investigations on the prototype systems. Thus, scenario analysis compensates for the prototype implementation to accelerate finding the potential pitfalls of the respective strategies.

Figure 8. Flourished crowdsourcing prototype system

Here, we present the analysis of the basic mechanism of flourished crowdsourcing based on a concept known as social influence (Cialdini, 2006). In flourished crowdsourcing, the social mechanic rhetoric is the most fundamental and most commonly offered as a basic mechanism, as shown in the previous subsection. The social influence known as social proof is crucial in altering citizens’ behaviors. In the basic mechanism, each micro-task supporter’s contribution is visualized on his or her smart phone so that notifications regarding people’s contributions guide others to participate in flourished crowdsourcing activities. However, there is the possibility that no one will contribute to the activities—a phenomenon known as social loafing. Therefore, it is important to add another mechanic to guide contributors to join in activities as early contributors. Competition among participants also increases the effect of social proof. In the current narrative, a progress bar is introduced to show the contributions of others to the micro-community. When a participant feels that his or her contribution offers a visible benefit, he or she feels that the service is meaningful. The progress bar must show who contributes to current activities, and that person should be an acquaintance of the recipient. This analysis assumes that the participants in a micro-task belong to the same community. The setting has a significant influence on participants’ behaviors because the social influence known as reciprocity (Cialdini, 2006) typically affects community members. Thus, when a micro-task organizer is an influential community leader who contributes significantly to the community, other members are likely to participate in additional flourished crowdsourcing activities. However, in the real space, citizens may not be members of the same community. In this case, the story world must be enhanced to exploit reciprocity among strangers. 
The above analysis indicates that only the basic mechanism does not engage citizens to make their society flourish. Our approach to overcoming this drawback is to adopt the role-playing concept, as shown in the above story world. Role-playing for incorporating fictionality in flourished crowdsourcing can be introduced through narrative rhetoric and curious rhetoric. Each participant’s role is introduced through curious rhetoric; the relationship among the different roles is defined through narrative rhetoric; a story world defines their relationship. In our case, using pastiche scenarios is crucial in avoiding an increase in the size of the script that presents the story world. To make fictionality more meaningful, curious rhetoric needs to offer aesthetic value or empathetic value; if a citizen plays an aesthetic or empathetic role, the possibility of other citizens helping him/her will be significantly increased. Using pastiche scenarios easily increases the empathetic value of the roles. In the story world, narrative rhetoric offers ideological value and informative value. In particular, ideological value is essential to increase citizens’ intrinsic motivation to achieve an offered challenge because the value makes the challenges more meaningful and interesting to them. In this case, using pastiche scenarios is also an essential factor in incorporating ideological value because the ideology embedded in the story world in which the character in the pastiche scenarios appears easily reminds us of the aim of flourished crowdsourcing activities through role-playing (Sakamoto & Nakajima, 2013b). On the other hand, informative value is important because this value helps participants make better decisions oriented towards a desirable situation. This type of value also provides effective visual or sound effects to make them more positive. Thus, it is possible to embed mindful value through the effects. If role-playing offers the illusion of knowing each other well and each citizen plays a different role with regard to who should independently perform his/her challenges to realize the desirable situation specified in the story world, then the problem described in the analysis can be overcome. Additionally, the approach also supports Seligman’s remaining factors: positive emotion, relationships and meaning. It is possible to make citizens flourish.

DESIGN IMPLICATIONS

Making our society flourish requires diverse citizens to increase their awareness of the necessity of making our society flourish. Traditional approaches in gamification and persuasive technologies typically focus on the average effects on changes in human behavior. However, in contemporary modern society, most people have become “interested bystanders” who do not take any action to influence our everyday lives (Krontiris, Webb, Krontiris, & Chapman, 2015). The existence of a large number of free riders significantly decreases the motivation of active participants and hinders the flourishing of our society. However, as shown in Akasaki, Suzuki, Nakajima, Yamabe, Sakamoto, Alexandrova and Nakajima (2016), traditional gamification-based approaches can approach only a part of the diverse range of people. In particular, the majority of people are typically not taken into account in these approaches. To guide the collective human behavior of diverse citizens, it is essential to enhance the meaning of the real space incrementally by adapting to diverse citizens. As shown in the previous section, gameful digital rhetoric allows designers to incrementally enhance meaning by adding or replacing values to the rhetorical frames designed in the GamiRhetoric model. Conversely, traditional approaches such as gamification and persuasive technologies are difficult to replace and it is difficult for them to add game mechanics or persuasive strategies on-demand because these approaches focus on motivational mechanisms to change individual human behavior and do not offer a mechanism for framing the design for changes in collective human behavior. Dunne and Raby (2013) claim that design offers new forms of expression for complex and critical issues; these forms of expression are grounded in the most abstract, speculative and future-focused considerations.
Critical questions about emerging technology in everyday situations have presented preferable futures as opposed to predicting the future. They designate the design approach speculative design. Forms of speculative design can be adopted in designing the fictionality presented in our approach to increase the awareness of complex social phenomena. For example, taxes play an important role in achieving a sustainable society, but for many people, it is difficult to understand how the current tax mechanism influences our sustainable society; however, well-designed works based on speculative design effectively influence human behavior. Additionally, some psychoanalytical frameworks such as those in Segal, Williams, and Teasdale (2002) and Gunaratana (2001) show the necessity of increasing self-awareness to make people happy. Their approaches propose effective techniques to increase our happiness, although at present, the relationship with the approach of positive psychology is not clear. The approach increases each citizen’s self-efficacy in realizing self-fulfillment; direction helps diverse citizens take note of the awareness of our surrounding environments. One of the drawbacks of our current approach is that citizens may significantly lose interest if the incorporated fictionality does not contribute to our real everyday lives. Finding the balance to observe self-awareness in the incorporated fictionality is essential in making our approach successful. Incorporating fictionality into flourished crowdsourcing by assigning fictional roles to community members motivates them to propose and complete a micro-task oriented towards a desirable situation defined in flourished crowdsourcing if a fictional story presents ideological messages that identify the micro-task’s importance in achieving a desirable situation (Sakamoto & Nakajima, 2014b; Sakamoto & Nakajima, 2015a).
Because the real space can be represented abstractly and sometimes ironically in a fictional story through framing to simplify or exaggerate essential and important concepts in our everyday lives (Sakamoto & Nakajima, 2014a), people easily observe the concepts that are relevant to achieving an ideal, sustainable society. Fiction also allows citizens to use metaphors that are more appropriate than documentaries or other types of nonfiction. In particular, Japanese animation stories contain complex ideological social messages oriented towards futuristic lifestyles (Sakamoto & Nakajima, 2014a; Sakamoto & Nakajima, 2014b) to increase people’s intrinsic motivation. These stories can offer many effective metaphors to increase our self-efficacy through the positivity that they express. This approach also allows flourished crowdsourcing to incorporate ideological value alongside other values (Sakamoto, Nakajima & Alexandrova, 2015)—and improves on our current approach in a manner similar to a pervasive game that blurs the spatial, temporal, and social boundaries between fiction and reality by making the magic circle disappear (Montola, Stenros & Waern, 2009). This approach can be used to inform citizens of the importance of flourished crowdsourcing activities. The GamiRhetoric model and GamiValue model currently offer some frames for helping us design an enhanced real space. The number of frames offered in gameful digital rhetoric should be as minimal as possible. However, we still need to consider whether the number of frames needs to be increased. The current frames are extracted from our previous case studies (Sakamoto, Nakajima & Alexandrova, 2014; Sakamoto, Nakajima & Akioka, 2015). We carefully justify these frames and avoid the temptation of adding new convenient frames in an easy manner. As shown in Sakamoto and Nakajima (2015b), there are several promising candidates that may be added as a new frame, and we still need to investigate the issue.
In Ishizawa, Takahashi, Irie, Sakamoto and Nakajima (2015), we are also working on an alternative model to discuss a design framework to develop a virtual or enhanced world. The model offers seven frames to help us more meaningfully design the enhanced space. As the next step, we also need to investigate how the model can be integrated into gameful digital rhetoric. The user study of the prototype system shows that the narrative offered from the first-person perspective is more effective than the narrative from the third-person perspective (Sakamoto, Nakajima & Alexandrova, 2015). The approach offers a new possibility of guiding people to exploit a concept known as transmedia storytelling (Sakamoto & Nakajima, 2015a). In transmedia storytelling, one part of an entire story is fragmented in different media placed in various locations in the real space. Each micro-community can create its own favorite partial story to play a role in participating in flourished crowdsourcing activities. The approach engages citizens to become activists to make our society flourish. However, the approach requires maintaining consistency among multiple partial stories created by the independent micro-communities. If consistency is violated, then the activities performed by one micro-community may interfere with the activities performed by other micro-communities. Fan culture, especially popular culture, is important; various fans with different purposes and preferences have developed consistent stories (Lamerichs, 2014). The most important issue to maintain consistency is to offer all participants a shared view of the world and the roles of each fan in the world. As the next step of our project, we would like to exploit this issue to improve the current status of flourished crowdsourcing. We also need to investigate when and how citizens feel happiness in their everyday lives. OECD (2015) has reported the measurement of human well-being in each country by using standard questionnaires. The approach is based on long-term research on human well-being from the psychological perspective and allows us to quantitatively measure human well-being. Thus, the approach enables us to quantitatively evaluate the effect of political strategies. However, we still have questions concerning why citizens feel happy. Quercia, Schifanella, and Aiello (2014) have developed a service to show a route to a destination where a person will feel happy. The service collects numerous photos taken by crowds in urban cities and marks whether people feel happy. Then, based on where most people mark the photos taken along the route as happy, the service finds routes.
This approach opens a new direction because we can automatically collect a variety of information about how people feel happy from crowds of citizens. In our current approach, the choice of “rhetoric” and “value” relies on the designers’ instincts. Therefore, there is the possibility that a designer’s assumption is completely wrong. Using the power of crowds to design fictionality is a promising direction. Gushima, Aikawa, Sakamoto, and Nakajima (2016) report one approach to delving into this issue. However, as reported in the paper, we still need to consider whether we can develop creative fictionality that attracts citizens and maintains their interest for a long period of time from the approach.

CONCLUSION

Our everyday lives have become increasingly complex. The current progress in developing smart cities helps us have a more comfortable lifestyle because a variety of forms of automation in smart cities reduces the complexities in our real space. However, as described in this chapter, simply reducing complexities in terms of resource efficiency does not create a truly desirable lifestyle for citizens. We believe that directing human attitudes and behaviors towards a more flourishing lifestyle is more important. This chapter introduces a social information infrastructure designated flourished crowdsourcing, a smart city infrastructure for engaging people towards a flourished society, and demonstrates the design concepts for guiding people in flourished crowdsourcing. In particular, our approach increases the social influence within communities and makes us aware of the necessity of the activities through incorporating fictionality in the real space. Flourished crowdsourcing offers a bottom-up approach to solving serious social problems to increase our human well-being. Citizens are guided on what they need to do to make themselves happy by increasing their self-awareness to achieve a flourished society. However, we still need to investigate the role of governments and companies in helping citizens to voluntarily make their society flourish. In particular, in a modern society, our universal value system is based on a monetary system, and money remains the essential incentive for motivating people to perform the uninteresting activities that are required to make our society flourish. The governmental system is also essential in coordinating communities that have conflicting opinions without a problem owing to the tragedy of the commons and in fairly dividing assets among citizens without concentrating the world’s wealth. We will investigate how to coordinate the economic and governmental systems with the social infrastructure to guide citizens in making their society flourish from the bottom-up in the next step. We also need to discuss the ethical issues of modifying human attitudes and behaviors because, if misused, the approach makes it possible to unintentionally or maliciously control people. We will investigate the issue by introducing a concept known as the magic circle (Montola, Stenros & Waern, 2009), which is widely used in game studies to discuss the ethical issues.

REFERENCES Akasaki, H., Suzuki, S., Nakajima, K., Yamabe, K., Sakamoto, M., Alexandrova, T., & Nakajima, T. (2016). One Size Does Not Fit All: Applying the Right Game Concepts for the Right Persons to Encourage Non-Game Activities. In Proceedings of the 10th International Conference on Universal Access in Human-Computer Interaction. Springer. 10.1007/978-3-319-40397-7_11 Blizzard Entertainment. (2016). World of Warcraft. Retrieved May 13, 2016, from http://us.battle.net/ wow/en/ Blythe, M. A., & Wright, P. C. (2006). Pastiche Scenarios: Fiction as a Resource for User Centred Design. Interacting with Computers, 18(5), 1139–1164. doi:10.1016/j.intcom.2006.02.001 Bogost, I. (2008). The Rhetoric of Video Games. In The Ecology of Games, and Learning (pp. 117–140). The MIT Press. Caillois, R. (2001). Man, Play, and Games. Urbana, IL: University of Illinois Press. Castranova, E. (2007). Exodus to the Virtual World: How Online Fun is Changing Reality. New York: Palgrave Macmillan. Cialdini, R. B. (2006). Influence: The Psychology of Persuasion (Revised edition). Harper Business. Consolvo, S., McDonald, D. W., Toscos, T., Chen, M., Froehlich, J. E., & Harrison, B., … Landay, J. A. (2008). Activity Sensing in the Wild: A Field Trial of UbiFit Garden. In Proceedings of the Conference on Human Factors in Computing Systems. ACM. 10.1145/1357054.1357335 Csikszentmihalyi, M. (1997). Flow and the Psychology of Discovery and Invention. New York: HarperPerennial. Deci, E. L. (1980). The Psychology of Self-Determination. Lexington, MA: Lexington Books. Desmet, P. M. A., & Pohlmeyer, A. E. (2013). Positive design: An introduction to design for subjective well-being. International Journal of Design., 7(3), 5–19.


Deterding, S. (2015). The lens of Intrinsic Skill Atoms: A Method for Gameful Design. Human-Computer Interaction, 30(3-4), 294–335. doi:10.1080/07370024.2014.993471

Deterding, S., Dixon, D., Khaled, R., & Nacke, N. (2011). From game design elements to gamefulness: defining gamification. In Proceedings of the 15th International Academic MindTrek Conference: Envisioning Future Media Environment. ACM. doi:10.1145/2181037.2181040

Dunne, A., & Raby, F. (2013). Speculative Everything: Design, Fiction, and Social Dreaming. MIT Press.

Ehn, P. (1993). Scandinavian Design: On participation and skill. In D. Schuler & A. Namioka (Eds.), Participatory Design: Principles and Practices (pp. 41–77). Hillsdale, NJ: Lawrence Erlbaum.

Fuad-Luka, A. (2009). Design Activism – Beautiful Strangeness for a Sustainable World. Earthscan.

Gunaratana, D. H. (2001). Eight Mindful Steps to Happiness: Walking the Buddha’s Path. Wisdom Publications.

Gushima, K., Aikawa, T., Sakamoto, M., & Nakajima, T. (2016). Computational Community: A Procedural Approach to Navigate Collective Human Behavior Towards Achieving a Flourished Society. In Proceedings of 4th International Conference on Distributed, Ambient and Pervasive Interactions. Springer. doi:10.1007/978-3-319-39862-4_38

Hardin, G. (1968). The tragedy of the commons. Science, 162(3859), 1243–1248. doi:10.1126cience.162.3859.1243 PMID:5699198

Huotari, K., & Hamari, J. (2016). A definition for gamification: Anchoring gamification in the service marketing literature. Electronic Markets. doi:10.100712525-015-0212-z

Institute of Government. (2010). MINDSPACE: Influencing Behaviour through Public Policy. Cabinet Office.

Ishizawa, F., Takahashi, M., Irie, K., Sakamoto, M., & Nakajima, T. (2015). Analyzing Augmented Real Spaces Gamified through Fictionality. In Proceedings of the 13th International Conference on Advances in Mobile Computing and Multimedia. ACM.

Kirby, D. (2010). The Future is Now: Diegetic Prototypes and the Role of Popular Films in Generating Real-world Technological Development. Social Studies of Science, 40(1), 41–70. doi:10.1177/0306312709338325

Krontiris, K., Webb, J., Krontiris, C., & Chapman, C. (2015). Understanding America’s “Interested Bystander;” A Complicated Relationship with Civic Duty. Retrieved May 13, 2016, from https://drive.google.com/a/dcl.cs.waseda.ac.jp/file/d/0B4Nqm_QFLwnLNTZYLXp6azhqNTg/view

Lamerichs, N. (2014). Productive Fandom: Intermediality and Affective Reception in Fan Cultures. (Dissertation Thesis). Maastricht University.

Layous, K., & Lyubomirsky, S. (2014). The How, Why, What, When, and Who of Happiness: Mechanisms Underlying the Success of Positive Activity Interventions. In J. Gruber & J. Moskowitz (Eds.), Positive Emotion: Integrating the Light Sides and Dark Sides. Oxford University Press.


Lea, R., Blackstock, M., Giang, N., & Vogt, D. (2015). Smart cities: engaging users and developers to foster innovation ecosystems. In Proceedings of the 1st international workshop on smart cities: people, technology and data. ACM. doi:10.1145/2800835.2801629

Lindley, J. (2015). A Pragmatics Framework for Design Fiction. In Proceedings of the 11th European Academy of Design Conference.

Liu, Y., Alexandrova, T., & Nakajima, T. (2011). Gamifying intelligent environments. In Proceedings of the 2011 international ACM workshop on Ubiquitous meta user interfaces - Ubi-MUI ’11. ACM. doi:10.1145/2072652.2072655

McGonigal, J. (2011). Reality Is Broken: Why Games Make Us Better and How They Can Change the World. Penguin Press.

McGonigal, K. (2013). The Willpower Instinct: How Self-Control Works, Why it Matters, and What You Can Do to Get More of It. Avery Trade.

Montola, M. (2007). Tangible Pleasures of Pervasive Role-Playing. In Proceedings of International Conference on DiGRA 2007.

Montola, M., Stemros, J., & Waern, A. (2009). Pervasive Games - Theory and Design. Morgan Kaufmann.

Morschheuser, B., Hamari, J., & Koivisto, J. (2016). Gamification in Crowdsourcing: A Review. In Proceedings of the 49th Annual Hawaii International Conference on System Sciences (HICSS). IEEE Computer Society.

Nakajima, T., & Lehdonvirta, V. (2013). Designing Motivation using Persuasive Ambient Mirrors. Personal and Ubiquitous Computing, 17(1), 107–126. doi:10.100700779-011-0469-y

Olson, M. (1965). The Logic of Collective Action; Public Goods and the Theory of Group. Harvard University Press.

Organisation for Economic Co-Operation and Development (OECD). (2015). How’s Life? 2015 Measuring Well-being. OECD Publishing.

Oxford Internet Institute. (2014). Proceedings of International Conference on Internet, Politics and Policy 2014: Crowdsourcing for Politics and Policy. Retrieved May 13, 2016, from http://ipp.oii.ox.ac.jp/2014/

Quercia, D., Schifanella, R., & Aiello, L. M. (2014). The Shortest Path to Happiness: Recommending Beautiful, Quiet, and Happy Routes in the City. In Proceedings of the 25th ACM conference on Hypertext and social media. ACM. doi:10.1145/2631775.2631799

Sakamoto, M., Alexandrova, T., & Nakajima, T. (2016). Analyzing the Influence of Virtuality on Playful Social Interaction. In Multimedia Tools and Application. Springer. doi:10.100711042-015-2751-x

Sakamoto, M., & Nakajima, T. (2013). Micro-Crowdfunding: Achieving a Sustainable Society through Economic and Social Incentives in Micro-Level Crowdfunding. In Proceedings of the 12th International Conference on Mobile and Ubiquitous Multimedia. ACM. doi:10.1145/2541831.2541838


Sakamoto, M., & Nakajima, T. (2013). Augmenting Yu-Gi-Oh! Trading Card Game as Persuasive Transmedia Storytelling. In Proceedings of the 2nd International Conference on Design, User Experience and Usability. Springer. doi:10.1007/978-3-642-39241-2_64

Sakamoto, M., & Nakajima, T. (2014). Gamifying Intelligent Daily Environments through Introducing Fictionality. International Journal of Hybrid Information Technology, 7(4), 259–276. doi:10.14257/ijhit.2014.7.4.22

Sakamoto, M., & Nakajima, T. (2014). The GamiMedia Model: Gamifying Content Culture. In Proceedings of the 6th International Conference on Cross-Cultural Design. Springer.

Sakamoto, M., & Nakajima, T. (2015). Incorporating Fictionality into the Real World with Transmedia Storytelling. In Proceedings of the 4th International Conference on Design, User Experience and Usability. Springer. doi:10.1007/978-3-319-20886-2_61

Sakamoto, M., & Nakajima, T. (2015). In Search of the Right Abstraction for Designing Persuasive Affordance towards a Flourished Society. In Proceedings of the 9th International Conference on Design and Semantics of Form and Movement.

Sakamoto, M., & Nakajima, T. (2015). A Better Integration of Fictionality into Daily Lives for Achieving a Digital-Physical Hybrid Gameful World. In Proceedings of the 20th International Conference on Control Systems and Computer Science. IEEE Computer Society. doi:10.1109/CSCS.2015.154

Sakamoto, M., Nakajima, T., & Akioka, S. (2016). Gamifying Collective Human Behavior with Gameful Digital Rhetoric. In Multimedia Tools and Application. Springer. doi:10.100711042-016-3665-y

Sakamoto, M., Nakajima, T., & Alexandrova, T. (2015). Enhancing Values through Virtuality for Intelligent Artifacts that Influence Human Attitude and Behavior. Multimedia Tools and Applications, 74(24), 11537–11568. doi:10.100711042-014-2250-5

Segal, Z. V., Williams, J. M. G., & Teasdale, J. D. (2002). Mindfulness-based Cognitive Therapy for Depression: A new Approach to Prevent Relapse. The Guilford Press.

Seligman, M. E. P. (2011). Flourish: A Visionary New Understanding of Happiness and Well-being. Free Press.

Shiraishi, M., Washio, Y., Takayama, C., Lehdonvirta, V., Kimura, H., & Nakajima, T. (2009). Tracking behavior in persuasive apps: is sensor-based detection always better than user self-reporting? In Proceedings of the CHI’09 Extended Abstracts on Human Factors in Computing Systems. ACM. doi:10.1145/1520340.1520615

Spagnolli, A., Chittaro, L., & Gamberini, L. (2016). Interactive Persuasive Systems: A Perspective on Theory and Evaluation. International Journal of Human-Computer Interaction, 32(3), 177–189. doi:10.1080/10447318.2016.1142798

Stimmel, C. L. (2015). Building Smart Cities: Analytics, ICT, and Design Thinking. Auerbach Publications. doi:10.1201/b18827


Tanenbaum, J. (2014). Design Fictional Interactions: Why HCI Should Care About Stories. Interaction, 21(5), 22–23. doi:10.1145/2648414

Tatsunoko Production. (2015). Gatchaman CROWDS insight. Retrieved May 13, 2016, from http://www.ntv.co.jp/GC_insight/

Wolfe, A. K., Malone, E. L., Heerwagen, J., & Dion, J. (2014). Behavioral Change and Building Performance: Strategies for Significant, Persistent, and Measurable Institutional Change. US Department of Energy. doi:10.2172/1132691

World Wide Web Consortium. (2014). HTML5 A vocabulary and associated APIs for HTML and XHTML. Retrieved May 13, 2016, from https://www.w3.org/TR/html5/

ENDNOTE

1. The characters in this story world are derived from an animation in Tatsunoko Production (2011).

This research was previously published in Enriching Urban Spaces with Ambient Computing, the Internet of Things, and Smart City Design edited by Shin’ichi Konomi and George Roussos, pages 232-256, copyright year 2017 by Engineering Science Reference (an imprint of IGI Global).


Chapter 12

Social Media and Online Gaming:

A Masquerading Funding Source

Pedro Ramos
Florida International University, USA

Pierre Funderburk
Florida International University, USA

Jennifer Gebelein
Florida International University, USA

ABSTRACT

This article describes how the rise in technological innovation has allowed transnational criminal organizations (TCOs) to expand their operations using virtual platforms such as social media and online video games. These virtual platforms are utilized by TCOs to conduct some of their traditional forms of crime, such as money laundering. These criminal practices have found solace in technological innovation, mainly through the exploitation of rising technologies, such as online video games, video game consoles and peripherals such as Virtual Reality headsets, inconspicuous electronic devices for children, Near-Field Communication (NFC), and finally, social media as a tool for recruitment and immediate communication. TCOs have managed to utilize these mediums to conduct their criminal activities in part due to the lack or nonexistence of new or proper legislation that regulates how these new mediums can function without facilitating illicit activities and the germination of illicit markets.

DOI: 10.4018/978-1-5225-6201-6.ch012

Copyright © 2019, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

1. INTRODUCTION

Crime and technology share a complex relationship. Crime thrives on innovation and ingenuity. Illicit markets and activities germinate where new legislation is in place, where proper legislation is lacking or nonexistent, or where there is a high demand for these illicit markets and their products. Despite strong regulation, transnational criminals are highly resilient and are always adapting to these new regulations and the availability of better technologies. Based on the National Security Council’s definition, “transnational criminal organizations (TCOs) are criminal groups that operate across national borders and utilize corruption and violence to exploit transnational commerce and communications in order to disguise their illegal activities” (Harris, 2014). Innovation is an important aspect of TCOs that engage in criminal activities. Criminal organizations need to innovate in the interest of expanding and improving their operations.

One of the several forms of illegal activities that TCOs engage in is the laundering of money obtained through criminal activities or corruption and concealing it through legitimate, legal means (Investopedia, 2017). Incidentally, money laundering helps finance other forms of illicit activities that range from drugs and illegal arms trade to terrorist activities. Traditional forms of money laundering include cash smuggling, gambling, black market currency exchange, and other forms of fraudulent business operations (Richet, 2013). Nonetheless, TCOs have progressively adopted new forms of money laundering in recent years. Due to rapid technological development and the integration of financial transactions through online mediums such as social media and online gaming, criminal organizations have harnessed the ease of use provided by these virtual platforms and the light legislation focused on money laundering through such mediums. This recent form of money laundering is the reason why crime is sometimes symbiotically dependent on technological development.

Beyond digital money laundering, technology has enabled the proliferation of TCOs’ operations through the feasibility of online communication networks enabled by social media. Initially, online communication was facilitated by messaging services like AIM or Messenger, where two or more individuals could communicate with each other by connecting to a server through their computers. The drawback of these early online messaging services was that users were anchored to their computers in order to communicate with each other. This changed with the introduction of newer technologies like cellphones that allowed text messaging, and was further improved by the revolutionary introduction of smartphones, specifically the BlackBerry. Considered the first “smart” device, the BlackBerry offered emails on the go as well as instant communication between other BlackBerry devices through BlackBerry Messenger (BBM) (O’Boyle, 2016). Instant messaging has been an integral part of smartphones since the introduction of the BlackBerry. Succeeding smartphones like iPhones and Android-based handhelds like Samsung Galaxy devices all adopted their own forms of instant messaging.

WhatsApp (WA) is the clear example of the evolution of mobile instant messaging. This particular application has facilitated communication across the globe in ways never before imagined. Relying on both mobile data and WiFi, WA allows users to instantaneously send messages to other WA users. Long distance phone calls utilizing mobile data plans are also possible through WA. Furthermore, WA now offers end-to-end encryption when communicating with other users. This is particularly important given the “golden age of leaks” presently afflicting issues of national security and whistleblowers (Sanders, 2017). There has been an increase in encrypted instant messaging applications that even government officials utilize to communicate with each other. Applications such as “Signal” allow for highly encrypted end-to-end communication (Sanders, 2017). Similar applications like “Confide” are even used by staffers in the White House. In addition to WhatsApp, other popular applications that offer instant messaging include Facebook Messenger, Viber, Line, SnapChat, and even Instagram.


2. BACKGROUND

Pursuing this further, in order to understand the feasibility of money laundering through social media and online video games, it is important to first assess the importance of these two mediums. It is also necessary to address these concepts to better understand the relationship between social media and online gaming. Social media can be defined as any medium that allows users to connect with each other and share content, ideas, culture, entertainment, and other social forms of expression. These social media platforms include popular outlets such as Facebook, Twitter, Tumblr, Reddit, Pinterest, Instagram, and Snapchat. Although user interfaces vary significantly between these outlets, the main function remains the same: social interconnectivity through shared content. Social media has the capacity to create complex networks and communities in ways that were not possible before due to geographical and technological restraints. Compared to other forms of communication like emailing or virtual chat rooms, it is easier for users in one country to quickly connect with users in other countries via social media through shared interests such as movies, television series, sports, and online video games. Forums, like Reddit, have created vast, living communities that participate in the discourse of several topics that range from sports to complex philosophical and political theories. Social media’s popularity stems from its ability to appeal to all the different types of internauts that visit social media outlets like Reddit or Twitter.

In that sense, there are also detrimental aspects produced by the same ease of social interconnectivity. Individuals seeking to participate in criminal activities are able to easily connect with other users or groups that engage in criminal behavior online through simple actions such as following hashtag trends on Twitter or joining obscure forums. Likewise, criminals that already form part of social media, such as black hat hackers (BHH), can easily connect with other criminals around the globe in order to expand their operations or even serve as consulting entities for other criminal organizations. The ease of communication and the ability to engage in criminal behavior through social media has become a facilitating medium for TCOs to conduct their operations.

In contrast, social media focuses on the social aspect of content sharing and networking. It is important to understand that online video games stand as a separate platform from social media. While the two have a series of similarities, mainly through social networking and content sharing, the online video games platform is a completely different medium. The popularity of video games has increased steadily through the years since the inception and introduction of the Nintendo Entertainment System (NES) in 1983. The video game industry is one of the most highly adaptive and innovative industries in the world, where new consoles and video games drastically improve in both graphics and hardware almost every year. Each video game console generation after the NES introduced a series of innovative functions that rendered the previous console obsolete. After the NES came a series of newer, more powerful consoles that changed every aspect of gaming through enhanced 3D graphics as opposed to 2D graphics, the use of CDs instead of cartridges, and ultimately the introduction of internet connectivity in order to participate in online multiplayer matches. Video game developers saw an opportunity to profit on the concept of online gaming as they introduced a series of games that allowed for such game dynamics. Video games incorporated internet connectivity with the rise of Sony’s PlayStation 3 and its online service PlayStation Network (PSN) and the creation of Microsoft’s XBOX and its XBOX Live Service, subsequently adopted by its second-generation console XBOX 360.

Websites like Newgrounds.com were pioneers in the popularization of online flash games that random users could create with beginner to intermediate knowledge in coding. Flash games became popular due to their basic user interface, replay value, and the overall simplicity that allowed users to play those games whenever they wanted by simply visiting a website. This helped with the subsequent popularity among users that preferred to play video games on their computers as opposed to a video game console. As aforementioned, online integration in video game consoles came with the introduction of XBOX Live (XBXL) and PlayStation Network (PSN). Massively multiplayer online games (MMOs) were also popular prior to the introduction of XBXL and PSN. Prior to XBXL and PSN, video game consoles did not require internet connectivity to play solo or multiplayer campaigns. With online integration, however, came other issues that did not affect video game users in previous generations. Users that utilized both XBXL and the PSN were not susceptible to online hacking attacks conducted by hacking groups. Games did not require updates or patches before online integration. The main concern stems from online transactions that take place through XBXL or PSN. Users can store credit card information on their accounts to facilitate future purchases. This setting is prone to hacking and other forms of exploits, leaving the financial information of XBXL and PSN users vulnerable without proper security measures from Microsoft and Sony respectively (Paganini, 2016).

Another important aspect of social media and online games consists of the financial features in place to maintain and grow their operations. Most social media websites and their mobile counterparts are free to download. Facebook and Twitter, for instance, are free but progressively incorporated ads or allowed brands to actively participate with other users by creating their own accounts or handles in order to market their products. Popular games like Farmville, created by Zynga, also generate substantial revenue by introducing new paid features in their games. Users have been known to invest thousands of dollars in such games (Lowensohn, 2010). On the other hand, popular apps or mobile games generate revenue by directly implementing real money transactions. Mobile games have also been known to generate millions of dollars annually. Mobile game developers like Supercell, known for popular games like Clash of Clans, reported $829 million in revenues in the year 2013 (Spence, 2014).

3. MAIN FOCUS OF THE ARTICLE

Money laundering, according to Interpol, can be defined “as any act or attempted act to conceal or disguise the identity of illegally obtained proceeds so that they appear to have originated from legitimate sources” (Interpol, n.d.). Transnational criminal networks are doing just that and have been doing so for decades. However, transnational criminal networks are now conducting money laundering activities online via social media and online gaming, two mediums that in recent years have had an enormous impact on our society socially and economically. By examining case studies for both social media and gaming, this section will illustrate several key points that showcase the methods by which modern-day transnational criminal organizations launder and transport their funds. Money mules, online currency, and gaming currency are currently some of the methods used by transnational criminal organizations to transfer funds, launder money and generate income. These specific mechanisms of transport/transfer will be discussed later in this section. It is important to mention that money laundering is one of the components of fraud performed by transnational criminal networks. However, it is also worth mentioning that they also generate income and use other platforms for communication and coordination as well as masking illicit financial activity.


3.1. Issues, Controversies, Problems

3.1.1. Generating Funds Online

In recent years, online gaming has taken the world by storm with games such as World of Warcraft, Diablo, and Second Life becoming international sensations. Within these games, you create your own world or character and play and explore new lands and make new friends along the way. For many, games such as these provide a way of coping with the stresses of the real world and provide some type of escape into a reality completely built by the player; a world where you make the rules and can be anyone you wish to be (Daniel, 2008). People are allowed to “form new kinds of relationships and live new kinds of lives outside their bodies in entirely re-imagined selves” (Daniel, 2008). The games also feature their very own in-game currency which allows you to buy weapons, food, or supplies in order to help you carry out your missions. Transnational criminal organizations have also grown fond of this type of in-game currency and have profited from it. According to Meng Lu (2014), “online roleplaying games provide easy ways for criminals to launder their money…they move dirty cash around online through anonymous transactions using in-game currencies, and thanks to almost zero financial regulations in most online games, money launders easily pass dirty money into online accounts and pull clean ones out of others… popular online games for money laundering include Second Life and World of Warcraft” (Meng Lu, 2014). Within games such as World of Warcraft, players can earn money or “gold” currency by mining for it within the game. Players then sell this mined virtual gold for real-life currency; members of transnational criminal organizations buy it and use it to launder their dirty money.

3.2. More Issues, Controversies, Problems

3.2.1. Money Mules (Transfer)

People in online communities such as Reddit and other chat rooms advertise methods to make money online or research techniques on how to make money. Most chat rooms are open to the public, with the exception of some that are private, and it is generally easy to communicate with someone in them. The transcript below displays a chat room user asking other chat room members where and how to transfer money. This exemplifies just how easy it is to learn how to launder money and also how easy it is to find others who do it.

1. RE: How to pay anonymously
“Liberty Reserve or just a fake paypal”

2. RE: How to pay anonymously
“Liberty Reserve is for scammer and scammed people, no? ☺

3. RE: How to pay anonymously
“LR = The currency for really dodgy shit lol

4. RE: How do I receive money anonymously online?
“originally posted by ______ “A friend of mine is involved in carding. He told me they always use Liberty Reserve to transfer money to cardsellers. It’s said to be pretty rock-solid. I’m not sure about WU (Western Union).
I don’t use it, but I know it works for this if you have a fake ID when you want to cash out. (You do it through offline stores) I have been in the carding scene in a short amount of time, stopped due to the rising chances of being caught, but one thing I can assure is that the reason Liberty Reserve is used, is cause no information is needed to be entered thus making it 100% anonymous

5. RE: The Best Payment Processors?
The best patment (payment) processrs is liberty reserve……its too safe….

6. RE: Best Method for transferring money that’s not paypal?
I would suggest using liberty reserve… Once the money is sent to you, it’s sent to you, period. And if you’re selling some blackhat stuff it’s anonymous.

7. RE: Best Method for transferring money that’s not paypal?
Actually, no one can send money directly to/from them…I guess that’s the beauty of what makes it 100% anonymous…They don’t have your info…Only the exchangers you use. So when someone says: I sent $500 to account 324j5234… no one is going to kno who that is. (and they won’t know what exchanger you used of course to withdraw the money)

(Richet, 2013)

In the United Kingdom, for example, illicit criminal networks use social media to recruit money mules to have funds deposited into their accounts, withdraw it, and then wire the funds overseas, minus a commission payment. According to UK cybercrime investigators:

The mules are told that they are taking a legitimate job using such titles as ‘money transfer agent’. Acting as a money mule is illegal and allows organized crime groups to move funds easily around the world. If you are caught doing this you can face a prison sentence and the prospect of never again being able to secure a mortgage or open a bank account (Anonymous, 2015).

According to UK Financial Fraud Action, the firm responsible for leading the fight against financial fraud within the United Kingdom, “fraudsters are now targeting people through social media…this includes Facebook posts on closed groups, or messages sent through instant messaging apps such as BBM, which typically encourage people to contact the sender if they hold a particular bank account” (Anonymous, 2015). In 2014, a woman from Ames, Iowa was “arrested for money laundering after she allegedly assisted in a Facebook scam that tells victims they have won money in an online game…Sherri Massey was notified through Facebook that she won $350,000 in an online game and was told to pre-pay taxes on the prize through Western Union” (Anonymous, 2014). Sherri Massey was asked if she would be interested in making money while she waited for her winnings. Within a week, “56 transactions were made totaling $20,000 from people she didn’t know and sent roughly $14,300 to Nigeria using Western Union and Money Gram, an online money transfer site” (Anonymous, 2014).

However, money laundering via social media is not only for illicit international criminal networks. Terrorist organizations also make use of such avenues of online virtual communication and have a growing presence on social media sites such as Twitter.


3.3. Even More Issues, Controversies, Problems

3.3.1. Funding and Investment by Terrorist Organizations

The Middle East Media Research Institute (MEMRI) states that “Twitter began as an online social networking and micro blogging service in English in 2006…and since that time it has gained popularity in other languages as well, including Arabic across the Arab and Muslim world” (Stalinsky, 2012). MEMRI goes on to say that “according to recent research on Twitter users, Arabic is now the fastest-growing language on the site; the number of Arabic-language tweets is 22 times greater than it was a year ago… one segment of this group is members of jihadi and terrorist organizations” (Stalinsky, 2012). Of course this does not imply that all people who speak Arabic and are using Twitter are terrorists. The findings by MEMRI state that of the growing number of Arabic users on Twitter, there is also a growing percentage of users who are affiliated with terrorist groups. This correlation does not mean causation. This finding is not intended to generalize or target all people who speak Arabic. For the purpose of this research, we are interested in the growing number of people who align themselves with terrorist organizations and use Twitter to communicate with each other.

A case study highlighting the above involves Nafir al Aqsa, a Twitter user under the name @Nafeer_aqsa100, who took to the social media platform to solicit funds for the Mujahidin of Jerusalem. Al Aqsa quotes the prophet Muhammad saying, “…that giving money to those waging jihad is as good as doing it yourself…whoever equips a warrior in the way of God has himself fought, and he who supplies the needs of family of a warrior has himself fought.” (Shankar, 2016). As a result, other terrorist groups have begun to copy Nafir’s example and have also started soliciting funds via social media.

3.3.2. Money Mules via Online Gaming Online video games present an entirely new medium TCOs can use for money laundering. In online games such as Diablo, Club Penguin, Dragon Quest X, and World of Warcraft, “it is possible to convert money from the real world into virtual goods services or cash that can later be converted back into the real thing” (arXiv, 2014). These games use credits that players can exchange for real currency. It is these virtual currency systems that criminals can send virtual money to associates in another country, which can then be transferred into real money (arXiv, 2014). According to Solon (2016), “Millions of transactions take place over the internet each day, and criminal organizations are taking advantage of this fact to launder illegally acquired funds through cover, anonymous online transactions…” (Solon, 2016). The element of anonymity greatly helps and encourages criminals to use online gaming as their main laundering source. By creating fake profiles within video game accounts and discussion boards, they are able to communicate with each other and also with unsuspecting video game players who may or may not be recruited to help launder the money through games such as Second Life and World of Warcraft. Another scam illicit organizations like to use is to “offer people jobs in which they can make a substantial income working from home…However, the ‘job’ involves accepting money transfers into their accounts and then passing these funds on to an account set up by the employer” (arXiv, 2014). Solon (2016) states that “…the more robust and complex the various online marketplaces become, the more untraceable methods criminals are finding to pass ‘dirty’ money into online accounts and pull ‘clean money out of others…” (Solon, 2016).


What also makes laundering money this way preferable is the lack of legislation to punish and deter criminals and curious online game players from participating in such illicit online activities. Combating such activities requires that law enforcement “observe various message boards and online communities where users pose questions and ask how to launder money and the best methods of doing so without getting caught” (Richet, 2013). Message boards such as ‘Black Hat’ have questions posted by users blatantly asking and discussing how to launder money. A way around such observation, however, is to use free messaging apps such as WhatsApp, which encrypt users’ messages and are far more difficult to trace and keep track of.

3.3.3. Communication Encryption

Twitter, along with mobile social media apps such as WhatsApp and Telegram, has also started to be used for fund solicitations. For example, the Chechen jihadist group Jaish al Muhajireen, with the Twitter handle @7sanaabil, also made use of Twitter for its terrorist agenda. In an April 2015 post, Jaish al Muhajireen, based in Aleppo, Syria, “…solicited donations for ‘Arming-Medical-relief-Sponsorship’ and the sponsorship for families of martyrs… The fundraising campaign uses WhatsApp and Telegram – mobile apps to receive and send text messages – to communicate instructions for transferring money…” (Shankar, 2016). This presents a new component for social media online money laundering due to the private nature of the apps. WhatsApp now has end-to-end encryption, which “…ensures only you and the person you’re communicating with can read what is sent, and nobody in between, not even WhatsApp… your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read your message…” (WhatsApp FAQ, n.d.). According to the Telegraph:

Encryption is a way of transmitting a message so that it can only be read by the intended recipient, and not intercepted by accessing the servers or the networks via which the message is sent. Rather than being sent as plain text, the message is scrambled as a long series of digits that needs a key only held by the sender and the recipient to understand it. The keys are ephemeral, meaning they disappear after the message is unscrambled so that it cannot be unlocked afterwards. WhatsApp users can also verify that their communications are not being intercepted by scanning a code on the other user’s phone. Encrypted messages and phone calls have infuriated security services, since they have relied on tapping into communications data (Titcomb, 2016).

This new feature will give peace of mind to WhatsApp users since they no longer have to worry about “malicious actors snooping on data networks, or anyone who could gain access to WhatsApp’s servers” (Titcomb, 2016). However, this also means that government agencies will find it more difficult to investigate suspects and gather evidence. Messaging encryption such as this will deny government agencies access not only to message text but to videos, photos, and phone calls as well. Due to the recent feuds between the FBI and Apple, for example, these types of encryption could be controversial and create a safe haven for transnational criminal organizations to communicate, especially since “WhatsApp is the most popular messaging app in the world…those who want to keep conversations secret may switch from making phone calls, which can be tapped, to encrypted WhatsApp calls…” (Titcomb, 2016).


This type of encryption will create friction between governments around the world and WhatsApp and Facebook, the parent company of WhatsApp. The US government, for example, “…reportedly has had a long-running dispute with WhatsApp…Governments have attempted to put pressure on WhatsApp and other technology companies to help them break encryption…” (Titcomb, 2016). A way around the encryption would be to access cloud-based backup files, which authorities have access to, but even these files have some level of encryption on them (Titcomb, 2016). WhatsApp requires users to link their account to their cell phone number as a way of authenticating users; however, transnational criminal organizations could use “burner phones” and hold multiple WhatsApp accounts with which to conduct their illicit activities.

3.3.4. Micro-Laundering: iTunes, App Store and Google Play

Other mediums that are susceptible to money laundering schemes include vast networks that are already in place, like the Apple App Store or the Android-based Google Play. The iconic application store for iPhones consists of millions of applications that users can download to their smartphones. As of 2016, the App Store had 2 million applications available for download (Statista, 2017). By comparison, Google Play had 2.2 million applications available for download. Application revenue comes from one-time payments, from free-to-start applications/games that require future purchases in order to unlock blocked content, or simply from selling ad space on free applications (Statista, 2017). Any publisher or developer can upload their apps to both stores by following a series of steps (Ziolkowski, 2017). Likewise, on other platforms like iTunes, the popular online music store created by Apple, artists can upload their own music for others to purchase. An example of direct money laundering through iTunes took place between 2008 and 2009 in the United Kingdom. The criminals made a total of $300,000 by uploading their songs for sale on iTunes and downloading those tracks themselves thousands of times with 1,500 stolen U.S. and U.K. credit cards (Topping, 2009).

This level of freedom allows developers around the world to submit their applications to the App Store and Google Play without having to undergo a rigorous marketing campaign. This can prove detrimental from a money laundering perspective. A simple search on the App Store returns several applications from unknown developers. These applications, however, lack the quality of popular applications from well-known developers. Furthermore, these applications are usually sold in bundles of three or four applications for a discounted price.
Additionally, a vast majority of these applications are of Chinese origin, and sometimes several of these applications are developed by the same studio. Pursuing this further, money can be laundered through the App Store and Google Play by submitting applications. Since uploading applications is relatively easy and unregulated from a quality control perspective, other than negative reviews provided by users, criminal groups that possess intermediate to advanced knowledge of the process of app creation and publishing can launder illegally obtained money through the app stores. The process can be significantly slow, however, since substantial amounts of laundered money could immediately raise flags. However, criminal groups carry out money laundering operations in countries that have less restrictive money laundering monitoring laws. A clear case occurred in Denmark, where a Danish blogger named Martin Wolsing noticed that the top grossing apps in the App Store for that particular week were a series of Chinese-developed apps. These apps, however, once downloaded were practically shell apps with little to no content (Elkjaer, 2011). Wolsing promptly contacted the Apple App Store customer service notifying them of this suspicious activity, with no favorable response. However, these apps and their respective developers were removed from the App Store overnight (Elkjaer, 2011). This particular case never gained international notoriety and was only known amongst technology journalists and bloggers.

One way to counter the proliferation of these shell apps is by implementing a mechanism whereby users can report these apps through a simple “report” function within the App Store. Users that come across these types of shell apps could report any suspicious activity directly to Apple. Furthermore, user reviews have also proven to be useful in lieu of a reporting mechanism. App Store and Google Play users can rate an app by giving it a numerical value that ranges from one to five. Poor ratings often alert users that certain apps are not worth buying or downloading. A second method of characterizing shell apps is creating a mechanism for identifying empty or non-playable content within an app. For example, if an app is merely a wrapper for useless code which does not engage the user in any way and does not provide an executable function, a trigger alert is sent to Apple security.

3.3.5. Near Field Communication

The technology behind NFC is basic and applicable to most current technology. NFC “has two standards: NFCIP-1 is an NFC-specific communication mode…this mode is intended for peer-to-peer data communication between devices” (Nagashree, Vibha, Aswini, 2014). Near field communication chips operate on an unlicensed radio frequency, 13.56 MHz, and “the rate of data transfer may be 106, 212, or 424 kbps”; however, the rate of data transmission is determined by the application that is using the NFC chip (Nagashree, Vibha, Aswini, 2014). NFC technology also operates on the same channel to transmit and receive information. NFC chips use a “listen before talk protocol to prevent two devices transmitting together, thus in turn avoiding the collision that would otherwise occur.” (Nagashree, Vibha, Aswini, 2014). What makes NFC technology so unique and easy to use is the close proximity needed in order for the NFC chips to communicate. A maximum of 20 cm is required, which makes NFC-enabled transactions inherently secure.

Near Field Communication (NFC) presents a fast and convenient way for mobile and portable devices to communicate. NFC is simple to use and compatible with wireless systems already in place such as Wi-Fi and Bluetooth. NFC “provides a high level of comfort to users as it can communicate without any further configuration steps when two devices are brought very close to each other and to enjoy the privilege of accessing the content services in an intuitive way just by simply ‘touching’ smart objects” (Nagashree, Vibha, Aswini, 2014). It is this simplicity and compatibility with current wireless structures that allows NFC to be used easily by normal users and by illicit criminal organizations. Contactless payment options are becoming a popular way to make payments and transfer funds to different vendors and friends/relatives, respectively.
Due to the simplicity of NFC, it is very possible and highly likely for a criminal to modify the chip or create an NFC chip of their own and implant it into a credit card or a phone device to then carry thousands or millions of dollars undetected. An excellent disguise for NFC money transferring would be to use it on a Nintendo Amiibo character, for example. Amiibo figurines are affordable, user friendly, and a children’s toy, which would not appear suspicious to law enforcement agencies. Nintendo Amiibos are designed after several of Nintendo’s noticeable and historic franchises such as Super Mario, Zelda, Donkey Kong, and Pokémon. An illicit criminal organization could very well implant a modified NFC chip in an Amiibo toy and use it to transfer funds undetected. With a simple tap, thousands or millions of dollars could be transferred from the Amiibo NFC chip to a smart phone NFC chip, which could then be deposited into a bank account. Due to the portability of Amiibo figurines, a laptop or desktop computer with NFC capability could be used to extract funds from an Amiibo as well. Criminals could mail or carry Amiibos while traveling and simply tap them onto a laptop and transfer funds as well as sensitive personal information.

NFC technology allows cardholders and criminals to bypass security measures in place such as PIN number verification, CVV/CVV2 numbers (the three to four-digit number on the back of a credit or debit card), and zip code verification. Credit and debit cards operate under two scenarios: card present and card not present. With card present, a user is physically making a purchase by swiping their card. Card not present is when users make a purchase online or over the phone and simply provide their card details. NFC technology bridges both scenarios in order for users to make easier, hassle-free payments. Apple Pay and Google Wallet, for example, are services that try to do just that: make shopping more convenient. However, at what cost do convenience and easy shopping come to consumers?

3.3.6. NFC Hacking Devices

Hackers can easily create a receiving device that reads NFC chips and extracts data from them. Since NFC operates on a one-way communication system, it is easy to hack and steal information with a custom-made device that dictates to the app what upload speed to operate at and sets the communication path to only receive data. During the summer of 2016 in London, England, “a new gadget was released for sale that can be used by criminals to clone up to 15 contactless bank cards a second from victims who are simply standing nearby…the hi-tech device steals details such as the card number and the person’s name and address contained on the credit or debit card” (Robertson, 2016). The scanner is called “Contactless Infusion X5” and extracts information that can be written onto blank cards, which can then be used by thieves to go on spending sprees (Robertson, 2016). The device is being sold on the streets of London for £500. The case study above illustrates just how easy and feasible it is for criminals to steal information and money via NFC.

3.3.7. Increased Virtual Private Network and Proxy Usage

President Donald Trump has “signed into law a resolution that repealed protections requiring internet service providers to get your permission before collecting and sharing data…these providers have data on your web browsing history, app usage and geo-location” (McClean & Fiegerman, 2017). In the past, providers would have had to ask your permission before sharing any of your personal data. This resolution reduces internet privacy, which will lead people and illicit organizations to rely on apps such as WhatsApp to communicate because of their message encryption. There will also be a rise in the use of Virtual Private Networks (VPNs). A VPN is “a private network that uses a public network to connect remote sites or users, while encrypting all of a device’s internet traffic in the process, routing it through a middle-man server in a remote location, granting access to otherwise inaccessible network resources” (Bell, 2017). VPNs also hide your internet activity from your internet service provider, as well as governments or spy agencies, which could be an extreme benefit to transnational criminal organizations who want to conceal their online activities (Bell, 2017). VPNs can also “protect you from hackers when using a public Wi-Fi network and use peer-to-peer sites safely” (Bell, 2017). A proxy “routes internet traffic through another networked device, typically a remote server…Proxies allow users anonymity to the user as all traffic is seen to originate from the proxy server” (Bell, 2017). In terms of investigating and preventing illegal internet activity, this will present a major obstacle.

3.3.8. Virtual Reality and Augmented Reality

Another area of concern is the newly commercialized concept of Virtual Reality (VR) and Augmented Reality (AR). Both concepts primarily apply to the video game industry, where hardware is needed in order to interact with video games in a strictly first-person view. This hardware is known as VR Headsets or head mounted displays (HMDs). VR requires an HMD in order to play first person view or point of view (POV) video games (Emspak, 2016). By doing so, users can interact with a computer-generated environment created in the form of video games. Some examples of these systems include PlayStation VR, Oculus Rift, Samsung Gear VR, Google Cardboard, and HTC Vive. On the other hand, AR differs from VR by not requiring an HMD to play or interact with content. AR in essence consists of technology that superimposes information on the visible world (Emspak, 2016). A popular example of AR is Pokémon GO, the popular mobile game for iOS and Android devices that utilized the smartphone’s camera by superimposing a three-dimensional image of a creature in the user’s display. This gives the user a sense of having the creature in front of them. Both mediums have become increasingly popular as better technologies further blur the line between reality and virtual reality.

These technologies, however, are very new and are still prone to illicit activities. One example is that of the ViewMaster VR Headset. The technology behind this innocent children’s toy possesses the ability to hide information or code that could lead to criminal activities, especially money laundering. The ViewMaster VR Headset works as both a VR Headset and an AR device through the use of small plastic disks known as “Physical Reels.” When utilizing the VR functionality of the ViewMaster, users that view the physical reels while wearing the headset will be able to see different images popping up from the disks.
It is only through the VR functionality of the ViewMaster that users can interact with the AR functionality of the Physical Reels. Highly skilled hackers can hack these Physical Reels in order to hide more critical code, such as Bitcoins or Bitcoin code. Illegal money converted to Bitcoins could easily be uploaded to these disks in order to move such money across borders without raising suspicion, as Bitcoin does not take up much space and could easily be concealed in a couple of Physical Reels.

Furthermore, TCOs can also engage in money laundering by directly financing video game developers and studios. These developers and studios, mainly online gambling sites, can generate millions of dollars by creating online video games that attract new users. It is estimated that licensed online gambling sites reached a total of $37.6 billion in 2015 (Bradbury, 2014). However, the unlicensed sector of online gambling websites is estimated to have surpassed that figure. Unlicensed gambling sites are highly unlikely to report earnings to the authorities, and deposits are taken through alternative means such as Bitcoin payments (Bradbury, 2014).


4. RECOMMENDATIONS

4.1. Near Field Communication

A way to safeguard and protect current technology from falling victim to illicit money laundering acts is to put policies in place to make sure the technology will not be abused. There is a lack of legislation in place that punishes criminals for abusing technology. The current legal framework is very reactionary, as most legislation tends to be when pertaining to innovative technology. However, to best combat and anticipate future illicit money laundering methods, it is important to create technology that has several counter-measures in place so that new and innovative technology will not be manipulated. The above-mentioned NFC chip, for example, could have been created in a way that requires more user authentication in order to use the chips. Examples of user authentication include PIN number entry, password, thumb-print, and facial recognition. By implementing this security measure, it would be more difficult for a hacker or a transnational criminal organization to tamper with and abuse the NFC technology. Creating a failsafe would also help make NFC technology more secure. For example, if the NFC chips were tampered with in any way, shape, or form, the chip would self-destruct or corrupt itself, thus rendering it useless and incapable of ever being used again. Creating legislation that requires companies to implement the above-mentioned security measures will help curtail the abuse of such technology by transnational organizations, as well as make the technology safer and more reliable to use.

4.2. Virtual Private Networks and Proxy Usage

While increased usage of virtual private networks and proxy servers may be a way for some Americans to regain a sense of security regarding internet privacy and freedom, this increased and normalized use of private networks and proxy servers will also empower transnational criminal organizations and give them the opportunity to perform illicit activities even more covertly. A way to combat this would be to require users to register for a VPN or proxy account using their state ID or driver’s license, so that any suspicious or malicious activity is easily traceable to the account owner.

4.3. Massive Multiplayer Online Video Games (MMOs)

The rise in popularity of online video games and the interconnectivity of social media has made these platforms vulnerable to TCOs that wish to engage in money laundering as virtual economies grow and expand beyond virtual boundaries. When assessing the issue of money laundering activities in massive multiplayer online video games (MMOs), TCOs launder their money by systematically opening several accounts in different online video games in order to conceal their real identities (Bradbury, 2014). Criminals then proceed to move money around these accounts and ultimately exchange in-game currencies for real currencies in different countries (Bradbury, 2014). The same modus operandi applies to online gambling sites. A counter-measure to combat this issue can be implemented by the developers of these popular online video games. Game developers could establish a series of guidelines and minimum requirements for opening accounts when playing these video games. In-game mechanics could tighten security by requiring users to complete a more concrete identity verification process.


Furthermore, online video games could put in place anti-money laundering mechanisms by limiting the amount of in-game currency exchanges made in a specific number of hours or even days. In addition, game developers could require users to first achieve a series of milestones or accomplishments before allowing them to freely participate in real money trading. Examples of these achievements are reaching a specific level, maintaining an active presence, and directly engaging with other users in special in-game events. Developers could also limit the number of accounts users can open based on their IP addresses, thereby tackling the multi-accounting schemes criminals use in online video games. These counter-mechanisms are strictly self-regulating measures game developers could take without resorting to government bodies.
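The self-regulating controls described in section 4.3 (a cap on exchanges per time window, milestone requirements before real money trading, and a per-IP account limit) can be combined in one gate that runs before every cash-out. The sketch below is an added example, not code from the chapter or from any game publisher; the class names, reason codes, thresholds and sample accounts are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions; the chapter gives no numbers).
WINDOW = timedelta(hours=24)          # rolling window for the exchange cap
MAX_PER_WINDOW = 500.0                # real-currency value allowed per window
MIN_LEVEL = 20                        # milestone: character level
MIN_ACCOUNT_AGE = timedelta(days=30)  # milestone: sustained presence
MAX_ACCOUNTS_PER_IP = 3               # multi-accounting limit


@dataclass
class Account:
    account_id: str
    created: datetime
    level: int
    signup_ip: str


@dataclass
class ExchangeRequest:
    account_id: str
    when: datetime
    amount: float  # real-currency value of the in-game currency cashed out


class ExchangeGate:
    """Decides whether an in-game-to-real currency exchange may proceed."""

    def __init__(self, accounts):
        self.accounts = {a.account_id: a for a in accounts}
        self.history = defaultdict(deque)   # account_id -> (when, amount) pairs
        self.ids_by_ip = defaultdict(set)
        for a in accounts:
            self.ids_by_ip[a.signup_ip].add(a.account_id)

    def check(self, req):
        """Return (allowed, reasons); only allowed requests count against the cap."""
        acct = self.accounts[req.account_id]
        reasons = []
        if acct.level < MIN_LEVEL:
            reasons.append("level_below_milestone")
        if req.when - acct.created < MIN_ACCOUNT_AGE:
            reasons.append("account_too_new")
        if len(self.ids_by_ip[acct.signup_ip]) > MAX_ACCOUNTS_PER_IP:
            reasons.append("too_many_accounts_on_ip")
        # Expire exchanges that have left the rolling window, then test the cap.
        hist = self.history[req.account_id]
        while hist and req.when - hist[0][0] >= WINDOW:
            hist.popleft()
        if sum(amount for _, amount in hist) + req.amount > MAX_PER_WINDOW:
            reasons.append("window_cap_exceeded")
        if not reasons:
            hist.append((req.when, req.amount))
        return (not reasons, reasons)


def demo_decisions():
    """Run constructed sample accounts and requests through the gate."""
    t0 = datetime(2017, 4, 1, 12, 0)
    accounts = [
        Account("veteran", t0 - timedelta(days=400), 60, "203.0.113.10"),
        Account("newcomer", t0 - timedelta(days=5), 25, "203.0.113.55"),
    ] + [
        # Four throwaway accounts registered from one address.
        Account(f"farm{i}", t0 - timedelta(days=2), 3, "198.51.100.7")
        for i in range(1, 5)
    ]
    requests = [
        ExchangeRequest("veteran", t0, 300.0),
        ExchangeRequest("veteran", t0 + timedelta(hours=2), 300.0),
        ExchangeRequest("veteran", t0 + timedelta(hours=25), 300.0),
        ExchangeRequest("farm1", t0 + timedelta(hours=1), 50.0),
        ExchangeRequest("newcomer", t0 + timedelta(hours=1), 50.0),
    ]
    gate = ExchangeGate(accounts)
    return [(r.account_id, *gate.check(r)) for r in requests]


if __name__ == "__main__":
    for account_id, allowed, reasons in demo_decisions():
        print(account_id, "ALLOW" if allowed else "DENY", reasons)
```

The per-IP rule is the weakest of the three signals, since the VPN and proxy usage discussed in section 3.3.7 hides the true address; it works best as one reason code among several rather than as the sole control.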

4.4. Virtual Reality/Augmented Reality (VR/AR)

The emergence of new technologies always sparks the creative element in criminal minds. As explained earlier, VR and AR are emerging technologies so new that laws, policies and major user protections against criminal activities are far behind the advance of this technology. One of the key elements of VR and AR that can be exploited for criminal purposes is the concealment of information or of laundered money. In order for VR/AR to be an effective concealment tactic, TCOs must engage in a two-step process. First, TCOs must convert their laundered money into Bitcoins (or other digital currency) as a means to facilitate transportation. Second, Bitcoins can be uploaded directly to the Physical Reels by hacking into their simple memory components (such as hardware components used to store information in a device) and storing large amounts of Bitcoins in an inconspicuous way. By doing this, TCOs can then transport large amounts of laundered money through Bitcoins across borders without raising suspicion. While Bitcoins can be easily stored in computers and USB drives, these technologies are far more susceptible to inspection and data corruption than Physical Reels. Furthermore, TCOs can even add an extra layer of concealment by placing a distinctive AR icon within the Physical Reels’ programming that would help other members of a particular TCO identify through the View-Master headset which Physical Reels contain the Bitcoins and which are simple decoys. One counter-measure for this form of money laundering is placing anti-hacking mechanisms in the Physical Reels that would prevent tampering by black hat hackers. These failsafe mechanisms could prevent the storage of information or simply render the disk useless by “bricking” it (an anti-piracy mechanism created by the developers of hardware and software in order to prevent tampering with their intellectual property).

4.5. Game Developers/Studios

Despite the different ways in which TCOs can utilize technological development or virtual platforms to conduct money laundering schemes, it is also important to assess the possibility of TCOs directly financing game developers/studios to help them launder their money through the creation of video games. Furthermore, the same principle applies to terrorist organizations trying to expand their agenda and recruitment processes through video games. TCOs can finance video game studios in order to create video games tailored to a certain sector of the population. Hate groups such as Resistance Records, a record label that has direct connections to National Alliance, created a video game called “Ethnic Cleansing” (Left, 2002). The general premise of the game consists of the player assuming the role of a white supremacist who sets out on a mission to kill as many minorities as possible (Left, 2002). This type of video game can help radicalize gamers that are susceptible to deviant behavior. However, there is no direct link between money laundering schemes and Resistance Records. There are two issues present: TCOs directly financing video game studios, or simply creating one, in order to launder their money through the revenue generated by video games, and the use of video games to attract alienated individuals within society that could be manipulated into joining TCOs/terrorist groups.

Counter-measures for this issue can be complicated. The line between censorship and freedom of expression can be crossed by trying to approach issues of hate groups spreading their agenda through video games. It would be necessary to establish a direct link between video games produced by hate groups and hate crimes committed by individuals who played those games. In addition, similar to the shell apps in the App Store and Google Play, video game revenues generated by potential game studios financed by TCOs must be properly reviewed and monitored. However, the same standards must be applied to all games so there is no violation of freedom of expression. This type of elevated monitoring is challenging and needs to become more automated to selectively target recruitment or illicit activities. A key player in the investigation of possible money laundering schemes through the revenue of “shell games” is Steam, a digital distribution platform. It provides users with a wide variety of video games and it also allows independent developers to directly upload their video games. It also allows users to download these video games and automatically update them (Steam, 2017).
Steam therefore has the capability to investigate whether or not a video game is popular enough given parameters such as gameplay, replay value (the number of times a user is willing to play a popular video game), and general customer satisfaction. Suspicious revenue can then be easily detected if a game, despite having poor reviews, is still generating a lucrative amount of income.
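The check described above, and the shell-app case in section 3.3.4, both reduce to the same question: which titles are lucrative relative to the rest of the catalogue while their reception does not explain the income? The following is an added example, not code from the chapter or from Steam, Apple or Google; the field names, thresholds and the catalogue itself are constructed assumptions. It also handles the case where a high-grossing title has too few ratings to judge at all.

```python
from dataclasses import dataclass


@dataclass
class Title:
    name: str
    avg_rating: float       # 1-5 stars: customer satisfaction
    n_ratings: int          # how many users left a rating
    revenue: float          # gross revenue for the review period
    median_sessions: float  # sessions per buyer: proxy for replay value


def revenue_rank(value, revenues):
    """Fraction of catalogue titles earning no more than `value`."""
    return sum(1 for r in revenues if r <= value) / len(revenues)


def review_queue(catalogue, top_share=0.75, poor_rating=2.5,
                 min_ratings=20, low_sessions=2.0):
    """Return high-grossing titles whose reception does not explain the income.

    All thresholds are illustrative assumptions, to be tuned per store.
    """
    revenues = [t.revenue for t in catalogue]
    queue = []
    for t in catalogue:
        rank = revenue_rank(t.revenue, revenues)
        if rank < top_share:
            continue  # not lucrative relative to the catalogue
        reasons = []
        if t.n_ratings < min_ratings:
            # Too few ratings to trust the average; unusual for a top earner.
            reasons.append("too_few_ratings_for_revenue")
        elif t.avg_rating <= poor_rating:
            reasons.append("poor_reviews")
        if not reasons:
            continue  # well reviewed and lucrative: expected
        if t.median_sessions <= low_sessions:
            reasons.append("low_replay_value")
        queue.append((t.name, rank, reasons))
    # Highest earners first, so analysts see the largest sums at the top.
    queue.sort(key=lambda row: row[1], reverse=True)
    return queue


# Constructed catalogue: names and figures are invented for the example.
SAMPLE_CATALOGUE = [
    Title("Star Forge", 4.6, 12000, 1_800_000, 14.0),
    Title("Puzzle Pack 3-in-1", 1.3, 40, 950_000, 1.0),
    Title("Wallpaper Bundle", 1.0, 2, 700_000, 1.0),
    Title("Pixel Farm", 4.1, 3000, 200_000, 9.0),
    Title("Card Duel", 4.3, 1500, 120_000, 11.0),
    Title("Maze Runner X", 3.8, 800, 40_000, 6.0),
    Title("Sky Hopper", 3.9, 600, 30_000, 5.0),
    Title("Block Drop", 3.2, 400, 15_000, 4.0),
    Title("Tiny Racer", 2.4, 250, 6_000, 2.0),
    Title("Dice Roll", 3.5, 100, 3_000, 3.0),
]


def flagged_sample():
    """Review queue for the constructed catalogue above."""
    return review_queue(SAMPLE_CATALOGUE)


if __name__ == "__main__":
    for name, rank, reasons in flagged_sample():
        print(f"{name}: revenue rank {rank:.2f}, reasons {reasons}")
```

A poorly rated title with low revenue ("Tiny Racer") and a top earner with strong reviews ("Star Forge") both stay out of the queue, which keeps analyst attention on the mismatch rather than on either signal alone.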

4.6. Social Media

Social media is an ideal outlet for the dissemination of new money laundering schemes. Monitoring social media outlets can be difficult when trying to identify suspicious activity relating to money laundering. Due to the vastness of social media outlets, like Twitter and Reddit, it would be beneficial to establish a granular approach to indexing such outlets. Web-crawlers, or Spiders, are programmable software applications that run automated tasks on the web (Mitroff, 2016). Creating a dedicated web-crawler that would index key words, such as slang in forums or Twitter hashtags, related to money laundering tactics would help identify operations that are unfolding in real-time in social media outlets, like Twitter, Facebook, and Reddit. Finding these virtual conversations taking place on the web could help identify new money laundering schemes that could take place in forums without risking future deletion.

5. CONCLUSION

Technology is an ever-changing and evolving medium that must be monitored and controlled in order to ensure that the public at large is safe from criminal threats. It has gradually overtaken certain aspects of human life, forever changing the dynamics of social interaction. Technological innovation primarily strives to better human life by optimizing and facilitating several activities that would otherwise limit productivity. Innovation has truly brought major change to communication and entertainment.


Policy makers need to be more vigilant at a state and local level when investigating money laundering schemes and the ways in which criminals can exploit current and new technology. Money laundering via social media and online games is supported not only by transnational criminal organizations but by terrorist organizations as well. Therefore, money laundering online should not be seen as just a domestic/international criminal issue but as a national security issue as well. Instant communication between people in different continents has shortened geography in ways never before imagined. Social media has brought together large numbers of people by appealing to their interests and their desire to form part of something bigger. Video games have increasingly blurred the line between reality and virtual reality by drastically improving video gaming technology with each passing year. However, there will always be a dark aspect to innovation. Cybercrime is a reality that did not exist in years prior to the expansion of social media and online video games. Necessity is the mother of invention, and so is criminality. TCOs have managed to exploit the flaws in technological legislation. By using new technologies, TCOs have managed to conceal their criminal operations, such as money laundering, through the use of social media and online video games. Technology that is not regulated or monitored will have the potential of becoming the next target for transnational criminal organizations and terrorist organizations to exploit. In the case of NFC chips, while it is a great and convenient way to make payments and transfer funds, it is also a great and convenient way for transnational criminal organizations to do the same. Therefore, it is imperative that new technology be developed with fail-safes and counter-tampering measures so that no modifications or tampering may occur.
The reach of these criminal groups can go beyond financial gains. Terrorist groups can also actively recruit potential members by accessing online gaming communities and attracting individuals who might be drawn to their terrorist philosophies. Consequently, cyber-crime through social media and online video games is a phenomenon that can be combated through active crowdsourcing efforts (the enlisting of large numbers of people in order to perform a certain task or obtain certain information), self-regulating measures from video game developers/studios themselves, and automated and selective monitoring to target potential TCOs trying to disguise their operations through the creation of game studios.

REFERENCES

Actionfraud. (2015). Criminals using social media to recruit victims as money launderers. Retrieved from http://www.actionfraud.police.uk/news/criminals-using-social-media-to-recruit-victims-as-moneylaunderers-mar15

Amestrib. (2014, May). Woman arrested for money laundering scheme. Retrieved from http://www.amestrib.com/news/woman-arrested-money-laundering-facebook-scheme

ArXiv. E. T. (2014). The Secrets of Online Money Laundering. Retrieved February 22, 2017, from https://www.technologyreview.com/s/520501/the-secrets-of-online money-laundering/

Bell, L. (2017). What is a VPN and is it legal? Virtual networks and proxies explained. Retrieved April 03, 2017, from http://www.wired.co.uk/article/vpn-proxy-explained


Bradbury, D. (2014). How Cyber-Criminals Are Following the Money to Video Games. Retrieved from https://www.infosecurity-magazine.com/magazine-features/cybercriminals-money-video-games/

Daniel, J. (2008). The self set free. Therapy Today, 19(9), 4–9.

Elkjaer, B. (2011). Dane Revealed Chinese Scammers. Retrieved from http://translate.google.com/translate?hl=en&sl=da&tl=en&u=http%3A%2F%2Fiphoneguide.dk%2Fnyheder%2Fapple-smider-kinesiskeapps-ud-af-app-store%2F

Emspak, J. (2016). What Is Augmented Reality? Retrieved from http://www.livescience.com/34843augmented-reality.html

Harris, K. D. (2014). Gangs Beyond Borders. Retrieved from https://oag.ca.gov/sites/all/files/agweb/pdfs/toc/report_2014.pdf?

Left, S. (2002). White Supremacists Create Racist Computer Games. Retrieved from https://www.theguardian.com/technology/2002/feb/21/games.internetnews

Lowensohn, J. (2010). Virtual Farm Games Absorb Real Money, Real Lives. Retrieved from https://www.cnet.com/news/virtual-farm-games-absorb-real-money-real-lives/

Lu, M. E. (2014). The Hows and Whys of Money Laundering. Retrieved from https://www.equities.com/news/the-hows-and-whys-of-money-laundering

McClean, R., & Fiegerman, S. (2017). President Trump just signed off on killing your Internet privacy protections. Retrieved from http://money.cnn.com/2017/04/03/technology/internet-privacy-law-trump/

Mitroff, S. (2016). What Is a Bot? Retrieved from www.cnet.com/how-to/what-is-a-bot/

Richet, J. (2013). Laundering Money Online: A review of cybercriminals’ methods. Retrieved from https://arxiv.org/pdf/1310.2368.pdf

Robertson, A. (2016). New criminal gadget can clone up to 15 contactless bank cards a second from victims who are simply standing nearby. Retrieved from http://www.dailymail.co.uk/news/article-3637553/New-criminal-gadget-clone-15-contactless bank-cards-second-victims-simply-standing-nearby.html

Shankar, A. (2016). Social Media Emerges as a Valuable Terrorist Fundraising Tool. Retrieved from http://www.investigativeproject.org/5314/social-media emerges-as-a-valuable-terrorist#

Solon, O. (2016). Cybercriminals launder money using in-game currencies. Retrieved from http://www.wired.co.uk/article/money-laundering-online

Spence, E. (2015). Clash of Clans’ Developer Supercell Reports $829 Million In Revenue And A Desire To Support The Finnish Community. Retrieved from https://www.forbes.com/forbes/welcome/?toURL=https://www.forbes.com/sites/ewanspence/2014/02/12/clash-of-clans-developer-reports-829-million-in-revenueand-a-desire-to-support-the finnish-community/&refURL=https://www.google.com/&referrer=https://www.google.com/

Staff, I. (2016). Money Laundering. Retrieved from http://www.investopedia.com/terms/m/moneylaundering.asp


Stalinsky, S. (2012). HASHTAG #Jihad: Charting Jihadi-Terrorist Organizations’ Use Of Twitter. Retrieved from https://www.memri.org/reports/hashtag-jihad-charting-jihadi-terrorist-organizations-use-twitter

Statista. (2016). App Stores: Number of Apps in Leading App Stores 2016. Retrieved from https://www.statista.com/statistics/276623/number-of-apps-available-in-leading-app-stores/

Steam. (2017). Well, What the Heck Are You Waiting For? Steam, The Ultimate Online Game Platform. Retrieved from http://store.steampowered.com/about/?l=english

Titcomb, J. (2016). WhatsApp adds end-to-end encryption: Have your messages really been spied on? Retrieved April 02, 2017, from http://www.telegraph.co.uk/technology/2016/04/06/whatsapp-addsencryption-have-your-messages-really-been-spied-on/

Topping, A. (2009). Police Hold 10 after Claiming to Crack Online Music Fraud. Retrieved from https://www.theguardian.com/money/2009/jun/10/police-fraud-online-music

WhatsApp. (2016). WhatsApp Encryption Overview. Retrieved from https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf

WhatsApp FAQ. (n.d.) (2017). WhatsApp FAQ - End-to-End Encryption. Retrieved from https://www.whatsapp.com/faq/en/general/28030015

Ziolkowski, J. (2017). How To Submit An App To The App Store (The Right Way). Retrieved from https://clearbridgemobile.com/how-to-submit-an-app-to-the-app-store/

This research was previously published in the International Journal of Cyber Warfare and Terrorism (IJCWT), 8(1); edited by Graeme Pye and Brett van Niekerk, pages 25-42, copyright year 2018 by IGI Publishing (an imprint of IGI Global).

APPENDIX

Figure 1. Liberty Reserve review #1

Figure 2. Liberty Reserve review #2

Figure 3. Liberty Reserve review comments

Chapter 13

#TerroristFinancing:

An Examination of Terrorism Financing via the Internet

Michael Tierney
University of Waterloo, Canada

ABSTRACT

This article describes how the internet has come to play a central role in terrorist financing endeavours. Online channels allow terrorist financiers to network with like-minded individuals, in order to increase support, raise funds, and move wealth across the international system. For instance, the Islamic State, Hezbollah, and other groups have become adept at using these channels to finance their activities. Therefore, increased examination is required of the ways in which terrorists use the internet to raise and move funds. This study assesses some of the current trends and risks associated with online terrorist financing. Some policy options are also outlined, in order to reduce the threat of terrorist financing via the internet moving into the future.

DOI: 10.4018/978-1-5225-6201-6.ch013

Copyright © 2019, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

1. INTRODUCTION

The internet has become one of the major ways in which terrorist groups worldwide recruit individuals, gain support for their causes, and finance their operations (Jacobson, 2010; Okolie-Osemene & Okoh, 2015). As a result, there have been a myriad of studies in recent years which attempt to investigate terrorists’ use of the internet, and develop methods to effectively counter this activity (Jacobson, 2010; Okolie-Osemene & Okoh, 2015; Gates & Podder, 2015; Fisher, 2015; Freeman & Ruehsen, 2013). There have also been concerted efforts by governments worldwide to implement legal regimes to deter terrorists’ use of the internet. For instance, Canada recently enacted legislation enabling intelligence agents to disrupt known terrorist websites, in order to deter radicalization and attacks (Zimonjic, 2016). The United States has similarly worked with social media and technology companies to deter violent extremism as part of its wider Counter Violent Extremism (CVE) strategy (Kang & Apuzzo, 2016). It has also been argued that relatively new terrorist organizations, such as the Islamic State, have gained an advantage over other groups by utilizing the internet more successfully than their counterparts (Berger & Morgan, 2015; Blaker, 2015). Yet while there has been increased focus as of late on the recruitment and propaganda aspects of online terrorist activity, there has been relatively little focus on the ways in which terrorist groups use the internet to fund operations. The goal of this study is to provide a better understanding of the ways in which terrorists fund their activities through the internet. As such, it will also focus on potential methods to more effectively combat terrorist financing through the internet. The paper proceeds in five parts. The second section looks at some of the current literature on online terrorist financing. The third section examines specific cases in which terrorists have used internet methods to raise and move funds. New risks and potential strategies to effectively combat online terrorist financing are then discussed. Conclusions ensue with necessary areas for future research on the subject of online terrorist financing.

2. TERRORIST FINANCING AND THE INTERNET

As mentioned, terrorists’ use of the internet has become a major concern for security officials across the world in recent years. Like many other users, terrorists have found that the internet is an invaluable tool to share information quickly, in order to disseminate ideas and link up with like-minded individuals (Jacobson, 2010; Okolie-Osemene & Okoh, 2015). In this manner, terrorists use the internet for a variety of purposes, including recruitment, propaganda, and financing. As scholars have also noted, the internet is an attractive option for extremists due to the security and anonymity it provides (Jacobson, 2010).

Yet while there have been a growing number of studies completed on the ways in which terrorist organizations use the internet to recruit and indoctrinate others, there has been relatively little focus on the methods by which terrorists finance themselves through online activities. Some researchers have attempted to fill gaps in this area by broadly studying internet aspects of terrorism financing. However, research on this particular aspect of terrorism financing still appears to be lacking, with little focus on new methods of terrorist financing via the internet or a marrying of strategies to combat online financing trends available to practitioners in the field. For instance, Sean Paul Ashley (2012) assessed the mobile banking phenomenon, which is prevalent in regions such as the Middle East and Africa, and provides extremists with the ability to easily connect to the internet and remit funds around the world. The decentralization of this kind of banking, due to the fact that brick-and-mortar facilities are not needed to conduct transactions, has allowed terrorist financiers to more efficiently move funds while avoiding detection from authorities. Other researchers, such as Michael Jacobson (2010), have studied the ways in which terrorists engage in cyber-crime to raise and move funds. For example, Jacobson (2010) found that online credit card fraud was a fairly major source of terrorist financing. By stealing a victim’s private credit information, terrorists are able to co-opt needed funds and provide support to themselves or their counterparts. Yet as James Okolie-Osemene and Rosemary Ifeanyi Okoh (2015) note, the internet is mostly used to augment and assist activities which occur in the physical world. In this way, it would appear that the internet is far more useful as a means to move funds globally in support of terrorism, rather than simply as a method to raise funds.

Many have argued that terrorists can use a variety of means to launder money and move funds as needed. The Council of Europe (2013) stated that while online gambling does not seem to be a major venue for terrorist financing activity, there are risks associated with these online businesses. Terrorist financiers have the opportunity to develop their own online gambling sites, registered in one jurisdiction with servers in another to hinder law enforcement investigations. They can then launder funds through
the site, by co-mingling legitimate funds with illegitimate funds meant for terrorist financing (Council of Europe, 2013). Financiers are also able to set up multiple accounts, or use smurfs to move money on an ongoing basis (Council of Europe, 2013). Furthermore, terrorists funding their operations through proceeds of crime may be able to register an account, place money into the system, and then withdraw the funds as legitimate gambling winnings to obfuscate the ultimate source and purpose of the funds (Council of Europe, 2013). Online payment systems have also come under scrutiny for their heightened potential to assist in the financing of terrorism (Duhaime, 2015). A case in the United States from 2015 highlighted the point, when members of the Islamic State attempted to send funds into the US via PayPal, likely to finance an attack (Ellis, 2015). E-banking platforms have been discussed previously, but it is worth noting that these services are growing in popularity, and therefore present an increased risk related to terrorism moving into the future. There have also been allegations that online gaming sites, such as SecondLife, can be effectively used by terrorist sympathizers to move money across the international system via crypto-currency exchanges (Brill & Keene, 2014). Crypto-currencies are heavily encrypted online wealth transfers, which are independent of a central regulatory authority and are thought to be “self-regulated.” Players have the option to exchange fiat currency for in-game crypto-currency, generally meant for in-game purchases. However, terrorist financiers can use this option to exchange funds to the game’s currency and transfer the funds to another player (i.e., another terrorist, who needs the funds to conduct attacks or other terrorist related activities). The recipient can then exchange the crypto-currency back into fiat money, for use in the real world (Brill & Keene, 2014). 
Perhaps the most concerning part of this kind of financial transaction is that crypto-currencies are generally very difficult to trace. Therefore, it becomes even more difficult to stop the transaction, or to bring the parties to justice. The most famous crypto-currency, bitcoin, has presented a major challenge to governments and traditional banking institutions alike (Brill & Keene, 2014). Like the online gaming sites, individuals simply need to set up a ‘Wallet’ provided by a bitcoin dealer, in order to exchange fiat currency. Bitcoins can then be moved and transferred across the internet and similarly withdrawn back into fiat as required (Brill & Keene, 2014). An added risk associated with this activity, however, is the fact that bitcoins are the official currency of the dark web (The Economist, 2016). Using the dark web, terrorists can use bitcoins to purchase weapons as well as other goods and services to carry out their operations. On the other side, terrorist organizations relying on drugs and weapons trading can raise funds from the sale of goods. They can then also withdraw the funds as fiat to be used as needed. Given that bitcoins are unregulated by any government, there will likely need to be further assessment of the ways in which this kind of activity can be monitored and if needed, stopped, by counter-terrorism officials. With particular relation to social media, terrorists have also become adept at using crowd funding sites to quickly raise funds in support of their operations (FATF, 2015). Similar to other charitable endeavours fronted by terrorist groups, crowd funding efforts can be set up to disguise the true nature of the campaign. For instance, terrorists can develop online charity sites which appear to be related to actual humanitarian causes. They can then promote these “charitable causes” via other social media platforms, in order to attract supporters and increase revenues via sympathizers.
In this way, terrorist sympathizers can collect funds from both witting and unwitting donors, to increase their wealth (FATF, 2015). The front also makes it more difficult for law enforcement to reveal the actual purpose of the campaign, which allows the individuals involved to avoid prosecution. Websites developed for the purpose of financially
supporting terrorism can also be easily shut down and re-opened under a new name, making counterterrorism efforts in this field even more difficult (Greenberg, 2015). More simplistically, terrorist financiers can purchase credit products anywhere in the world and share account information with the on-the-ground foot soldiers, who can then use the funds to conduct attacks. Through chat and post features on sites such as Facebook and Twitter, terrorist financiers must simply send the required information to their counterparts, who can then make online purchases and with the right equipment, conduct in-person transactions, to acquire the needed supplies for their plots (FATF, 2015). Given the proliferation of internet access and social media websites in recent years, and the speed and anonymity these services can provide, the use of these mediums to fund terrorism has become a relatively major problem for governments worldwide. In Canada, Parliamentary consultations have been held to figure out ways to mitigate the risks associated with terrorist financing, including via the internet (The Standing Committee on Finance, 2015). The United Nations has also set up a task force to study and disseminate knowledge on terrorist financing, and to build international capacity to deter the funding of terrorism moving into the future (UN Office on Drugs and Crime, 2012). Yet it is apparent that the problem persists. Therefore, further examination is required of the ways in which terrorists raise and move funds through online channels, in order to effectively deter the threat moving ahead.

3. CASES

There have been several recent cases of terrorist financing through online channels. As access to the internet and the number of available platforms to meet and exchange ideas and resources proliferate, there will likely be increased opportunity for terrorist financiers to raise and move wealth across the international system. Below, case studies of terrorist financing via the internet are examined, to provide context and understanding of this growing phenomenon.

3.1. Nafir al-Aqsa

A group located in Israel and Palestine, Nafir al-Aqsa, has been active in recent years on social media sites such as Twitter and YouTube. While this group claims to not have any specific connections to a wider network, the name and content produced by its members suggest that it engages with and supports the Islamic State affiliate in Sinai Province (MEMRI, 2014; Shankar, 2016). Using various Twitter handles, which are shut down by Twitter and then re-opened under modified names, the group posts religious messages, calls for funding, and lists of needed supplies plus the respective cost, for mujahedeen fighters in the Sinai region. Using religious messaging, the group justifies financial support for its fighters. It then posts Telegram, WhatsApp, and email address information where private communications can occur, and where donors are given instructions for sending funds. Email addresses can also be used to receive e-transfers through various banking institutions (MEMRI, 2014; Shankar, 2016). In this manner, the group is very adept at using the internet to solicit and receive funds for its activities. While social media accounts are consistently shut down, the group is resilient due to the fact that it can re-open new accounts under slightly modified account information. Those accounts are then used for calls for funding, which outline the religious justification for the fundraising campaign, and the specific amounts needed to advance the cause. Instructions for donors to contact more private channels of communication are also provided, in order to avoid detection, and to prevent financiers from getting caught
by law enforcement. Therefore, Nafir al-Aqsa is skilled at using social media on a variety of platforms to raise and move wealth. E-banking channels are a major pipeline for funds, and the anonymity provided by the internet allows members to quickly increase revenue while avoiding detection.

3.2. Islamic State in Syria and Iraq

The Islamic State has also proven proficient at soliciting, raising, and moving funds via the internet, and especially on social media since its inception (Cohen, 2014). Several intelligence officials worldwide have lamented the group’s ability to fundraise via crowdfunding sites such as GoFundMe, KickStarter, and others (McDonald, 2015). A large part of the concern comes from the fact that social media sites are largely unregulated, and rely upon reactive measures to stop new terrorist financing activities online (McDonald, 2015). In this manner, more needs to be done with social media companies themselves to effectively prevent the financing of terrorism via the internet. Moreover, the Islamic State has successfully been able to produce propaganda via social media which inspires lone wolves and small cells across the globe to finance their own attacks (Davis, 2015). Islamic State sympathizers and financiers have also begun to delve into the world of crypto-currency in order to move wealth across the international system. In this way, funds raised via social media can be removed from their true source, and laundered via the formal banking sector with relative ease (Davis, 2015). There are also reports that Islamic State members have held crypto-currencies totalling in the millions, which allows the organization to hold needed resources to maintain its operations both in Syria and Iraq, and around the world (Davis, 2015). As the Islamic State has become increasingly adept at using social media to raise and move funds, including via crypto-currency, terrorist financing investigators will have to find new ways to effectively trace and monitor online funding activities. There may also need to be further discussion of regulation for crypto-currencies, such as bitcoin, to effectively reduce the risk associated with these payments.
Like many other groups, the Islamic State has turned to social media due to the security and ease of use it provides. Therefore, social media companies may need to become greater partners in the anti-terrorist financing space. There is also a case to be made that increased regulation of social media will be required to combat terrorist financing moving into the future.

3.3. Hezbollah

Hezbollah has long relied on donations from sympathizers and diaspora populations to maintain its complex, international network (Levitt, 2007). The advent and proliferation of the internet has allowed the group to enhance its fundraising capabilities. Since 2006, the group has launched an “all-encompassing, offensive media strategy,” which includes an increase in the number of social media pages used to promote the organization and its goals (Estatie, 2016). Hezbollah members have also been responsible for creating apps and games, which can be downloaded across several venues, to bolster support and spread propaganda across its base community (Silver, 2014). Reports on these games suggest that at least some of them are purchased and downloaded, thereby increasing Hezbollah’s funding (Silver, 2014). In any case, Hezbollah is certainly using social media and the internet more generally to win hearts and minds, which will likely lead to increased funding via these channels moving ahead. The radical Shia organization is also using sites like Facebook to establish pages for its charities, which are used to raise and move funds on the group’s behalf. In 2014, Vernon Silver reported that the Islamic
Resistance in Lebanon, a charity associated with Hezbollah, had established a Facebook page which was subsequently shut down. Yet social media pages affiliated with Hezbollah members were quickly re-created, demonstrating the difficulty in actually preventing financing activities via the internet (Silver, 2014). Headed by the Electronic Media Office, located in Beirut, Lebanon, Hezbollah has instituted a formal bureaucratic section to deal with social media, propaganda, and funding, indicating just how important these activities are to international terrorist organizations (Silver, 2014). In this regard, it will be imperative to reduce support for the group in general, while also combating specific instances of online financing operations, to effectively constrict Hezbollah’s funding. Identifying Hezbollah front entities through effective online search techniques will also be required to successfully combat the group.

4. DISCUSSION

Several different terrorist groups have turned to the internet to help finance their activities in recent years. This trend presents a unique challenge for counter-terrorism officials, given the anonymity, speed, and breadth of service that online sites provide. There are some measures which could prove useful for combating terrorist financing through online channels moving forward, in addition to new risks which require further investigation. One pro-active method could be to enact new compliance rules for social media companies. While many social media sites have willingly worked with law enforcement to shut down terrorist accounts, it is still a reactive endeavour. As in other industries, such as the formal banking sector, social media companies could be regulated and encouraged to pro-actively scour their networks to detect terrorist financing activities. While increased regulation would likely be a heavy-handed approach to dealing with terrorist financing over the internet, it would incentivize social media companies to invest in technology and hire more specialized personnel to effectively reduce the risk posed from terrorist supporters. An effect of increased regulation could be for governments and social media firms to work more closely together to deal with online terrorist financing. Currently, social media companies and governments work together in some jurisdictions to close accounts and provide counter-narrative material to potential terrorist sympathizers. By working more closely, however, and pooling resources, both law enforcement officers and social media personnel would be able to share knowledge and more efficiently and effectively prevent terrorist financing. Investigative resources could also be pooled to increase capacity for counter-terrorism efforts, and to build rapport between organizations to improve information sharing processes.
Along similar lines, there is a need to increase monitoring and compliance of e-banking service providers, given the proliferation of these services and their growing use by terrorist organizations. Due to the anonymity which the internet provides, and the relative ease of access to e-banking channels in high risk jurisdictions, terrorist financiers have found this option to be useful for funding their respective organizations. By simply posting e-banking information on social media, terrorists can successfully raise and move funds. Therefore, governments worldwide will have to increase their focus on regulating these e-banking entities, ensuring that they have effective anti-terrorist financing programs in place, and monitoring ongoing developments with these institutions to ensure compliance. As there are relatively weak terrorist financing compliance regimes in many of these regions though, there will also need to be increased international capacity building to effectively reduce the risks posed by terrorist financing through the internet, in relation to e-banking operations.


Currently, organizations such as the Financial Action Task Force and the United Nations operate to improve anti-terrorist financing efforts globally. Yet there continues to be a lack of effective compliance regimes in various countries, which allows terrorist sympathizers a haven to fund their activities. In this manner, global capacity building needs to be a key priority in the coming years. The FATF (2016) recently released a report stating the same, as well as the need to improve private sector partnerships to successfully counter terrorism. Therefore, countries with well-developed and effective anti-terrorist financing regimes must take a pro-active approach to sharing resources and knowledge with their lagging counterparts to combat terrorist financing. Internet proliferation has allowed individuals in any part of the world to effectively raise and move funds. Countries already struggling to combat terrorist financing will only fall farther behind the curve given new technologies and access afforded by the internet. There is an immediate need for countries such as the United States, Canada, and others to engage more fully with the international community on terrorist financing through the internet. There is also a need for private sector institutions with interests and correspondents around the world to build relationships and share resources to mitigate risks surrounding online terrorist activity. Governments and financial institutions must work together in order to have the greatest impact in fighting new trends in online terrorist funding. Additionally, governments and financial institutions could work together to find new ways to successfully track and deter terrorist financing activities on the internet. For instance, the transfer of crypto-currencies has played an integral role in online terrorist financing. Terrorists have been known to raise funds online, and exchange the funds into bitcoin, for holding in an e-wallet. 
Given the unregulated nature of crypto-currencies and the ease with which they can be transferred and used in places like the dark net, these new forms of currency create a heightened risk for counter terrorism professionals worldwide. As a result, there is a need to further understand these types of transactions, and to develop tools to more effectively monitor and stop the exchange of fiat currencies into crypto-currencies for the purposes of terrorist financing. One such method may be for governments to work alongside traditional banking institutions to allow customers to deal in bitcoin through specialized products developed by the banks. These products could attract bitcoin exchangers, and allow terrorist financing and compliance professionals to better understand the clientele using these products, as well as share useful information with law enforcement authorities in order to prevent the financing of terrorism. While many banks would likely have hesitations about dealing in crypto-currency exchange, which comes with a heightened risk, the end result would be more accurate and timely intelligence gathering and analysis on potential terrorist financiers, as anti-terrorist financing authorities would be better equipped to track the source and flow of funds. It would also remedy the fact that much of crypto-currency banking currently occurs ‘underground’ where it is not easily detectable. Another option is for law enforcement agencies to invest in the hiring and training of specialized personnel to better understand crypto-currencies, social media, and the dark net. Currently, there is said to be a lack of knowledge and resources within many police circles regarding cybercriminal activity, especially below the surface net (Beckford, 2015; Pepitone, 2015). There are also concerns regarding encrypted social messaging apps, such as Telegram, and their use for terrorist financing.
Several messaging apps have begun to develop means for fundraising and transferring wealth on their platforms, without surveillance from outside authorities. Some apps have even gone so far as to offer crypto-currency exchanges in-app, which can then be used for everything from ordering food to donating (Kik, 2017). As several case studies have highlighted the risk associated with online fundraising, the new trend in private crypto-currency based transactions provides an interesting risk for counter terrorism efforts moving into the future. While it is currently unclear how willing terrorist financiers are to use new crypto-currency
on a large scale to fundraise, the nature of the platform appears to be an enticing one. Yet increased resources given to police, needed to obtain the right training and hire the appropriate personnel, would allow intelligence professionals to track and detect online terrorist financing more easily through online channels. Those terrorist financing activities could then be stopped, and the individuals engaging in the fundraising could be monitored further to build out networks and have a greater impact on wider counter-terrorism efforts. There are additional risks associated with “remote controlled terrorism,” in which recruiters assist sympathizers residing abroad in financing and conducting their attacks (Callimachi, 2017). Essentially, these individuals use social media, online chat forums, and encrypted messaging apps to find each other and to discuss means for carrying out operations. Handlers located in places such as Syria and Iraq can then co-ordinate financing efforts, in a bid to allow individuals residing in places such as the United States and Europe to gain access to needed resources. This relatively new trend requires further understanding and discussion, in order to fully comprehend the severity and nature of the threat. Overall, it is an inherent risk to otherwise innocent technologies to allow individuals to fundraise via advertisements, crowd funding campaigns, or direct account transfers through encrypted applications, in some cases using difficult to trace methods of exchange. While traditional bank to crypto-currency or bank to social media account transfers may be of interest for financial investigators, it is usually not the norm that these transactions are related to terrorism. The relatively small amounts of the transfers are likely also to be a challenge for effectively detecting online terrorist financing activities. 
However, indicators such as online blog postings sympathizing with terrorist organizations may provide an important clue for investigators wishing to determine whether an individual may be financing terrorism through new financial technologies. Further investigation is required into this area to determine whether and how new methods can be developed to prevent terrorist financing via these forums. In any case, it is clear that the internet is becoming more important for terrorists to gather and move funds in support of their causes. Therefore, counter-terrorism officials must be given the tools needed to successfully combat the evolving nature of terrorist financing moving into the future.

5. CONCLUSION

Online terrorist financing has become a major area of concern in recent years. New technologies, such as bitcoin and e-banking, have allowed terrorist supporters located across the world to help fund their causes in myriad ways. Groups such as the Islamic State have also highlighted the usefulness of social media in terrorist financing efforts. Therefore, further investigation of this trend is required to effectively prevent terrorist financing in the years ahead. During this examination, it was revealed that many terrorist groups have turned to the internet to help raise and move funds across the international system. By posting messages, banking information, and propaganda online, terrorists are able to leverage a global community of financial supporters, which ultimately enables them to plot attacks and advance agendas. The advent of encrypted messaging services and crypto-currency exchanges has also aided terrorist financiers in their efforts to fund attacks. In this manner, it was argued that more can be done by governments and the international community more broadly to successfully combat online terrorist financing. Increased regulation and resource sharing with social media companies are two methods by which governments can help to reduce the threat posed by terrorist activities via the internet. There also needs to
be increased focus on global capacity building, to assist states with weak anti-terrorist financing regimes in effectively combating new trends in terrorism support. More training and resources will likely also need to be given to law enforcement agencies, to track and deter financing methods via crypto-currency, the dark net, and social media channels. Finally, public sector actors can work with traditional financial institutions to reduce risks posed by online terrorist financing. By creating new products, and working with law enforcement to share required intelligence, financial institutions with better developed compliance regimes can act as a key partner in the fight against online terrorist financing. Nonetheless, further study is also needed in this area moving into the future. Potential areas of inquiry could involve studying specific terrorist groups to determine how they use social media and the internet more generally to fund their activities. Additional assessment is also required of the ways in which this trend can be effectively addressed in the years to come. This paper has highlighted the rising trend in terrorist financing, and examined specific ways in which the internet is used to fund terrorist activities. Now there must be an enhanced practitioner focus on this issue to successfully combat terrorism moving into the future.

REFERENCES

Ashley, S. (2012). The Future of Terrorist Financing: Fighting Terrorist Financing in the Digital Age. Penn State Journal of International Affairs, 2(1), 9–26.
Beckford, M. (2015, August 30). Police chiefs: We can’t cope with cybercrime: Stunning admission in secret briefing shows toll of criminals exploiting the ‘dark web’. Retrieved November 12, 2016, from http://www.dailymail.co.uk/news/article-3215699/Police-chiefs-t-cope-cybercrime-Stunning-admissionsecret-briefing-shows-toll-criminals-exploiting-dark-web.html
Berger, J. M., & Morgan, J. (2015, March). The ISIS Twitter Census: Defining and describing the population of ISIS supporters on Twitter [Scholarly project].
Blaker, L. (2015). The Islamic State’s Use of Online Social Media. MCA Military Cyber Affairs, 1(1). doi:10.5038/2378-0789.1.1.1004
Brill, A., & Keene, L. (2014). Cryptocurrencies: The Next Generation of Terrorist Financing? Defence Against Terrorism Review, 6(1), 7–30.
Callimachi, R. (2017, February 4). Not ‘Lone Wolves’ After All: How ISIS Guides World’s Terror Plots From Afar. Retrieved October 22, 2017, from https://www.nytimes.com/2017/02/04/world/asia/isis-messaging-app-terror-plot.html
Cohen, D. (2014, March 04). Remarks of Under Secretary for Terrorism and Financial Intelligence David Cohen before the Center for a New American Security on “Confronting New Threats in Terrorist Financing”. Retrieved November 13, 2016, from https://www.treasury.gov/press-center/press-releases/Pages/jl2308.aspx
Council of Europe. (2013, April). The use of online gambling for money laundering and the financing of terrorism purposes (Rep.).
Davis, O. (2015, November 16). Paris Attacks Highlight Difficulty Of Stemming ISIS’ Terror Financing. Retrieved October 30, 2016, from http://www.ibtimes.com/paris-attacks-highlight-difficulty-stemmingisis-terror-financing-2187139
Duhaime, C. (2015, April). Terrorist Financing and the Islamic State (Rep.).
Ellis, R. (2015, December 14). Maryland man charged with trying to aid ISIS. Retrieved October 30, 2016, from http://www.cnn.com/2015/12/14/us/maryland-terror-arrest/index.html
Estatie, L. (2016, July 11). Hezbollah: Five ways the group has changed since 2006 Israel War. Retrieved October 30, 2016, from http://www.bbc.com/news/world-middle-east-36672803
Financial Action Task Force. (2015, October). Emerging Terrorist Financing Risks (Rep.).
Financial Action Task Force. (2016). Annual Report 2014-2015.
Fisher, A. (2015). Swarmcast: How Jihadist Networks Maintain a Persistent Online Presence. Perspectives on Terrorism, 9(3), 3–20.
Freeman, M., & Ruehsen, M. (2013). Terrorism Financing Methods: An Overview. Perspectives on Terrorism, 7(4), 5–26.
Gates, S., & Potter, S. (2015). Social Media, Recruitment, Allegiance and the Islamic State. Perspectives on Terrorism, 9(4), 107–116.
Greenberg, J. (2015, November 21). Why Facebook and Twitter Can’t Just Wipe Out ISIS Online. Retrieved October 30, 2016, from https://www.wired.com/2015/11/facebook-and-twitter-face-toughchoices-as-isis-exploits-social-media/
House of Commons Standing Committee on Finance. (2015, June). Terrorist Financing in Canada and Abroad: Needed Federal Actions (Rep.).
Jacobson, M. (2010). Terrorist Financing and the Internet. Studies in Conflict and Terrorism, 33(4), 353–363. doi:10.1080/10576101003587184
Kang, C., & Apuzzo, M. (2016, February 24). U.S. Asks Tech and Entertainment Industries Help in Fighting Terrorism. Retrieved October 26, 2016, from http://www.nytimes.com/2016/02/25/technology/tech-and-media-firms-called-to-white-house-for-terrorism-meeting.html?_r=0
Kik Interactive. (2017). Kin. Retrieved October 22, 2017 from https://kin.kik.com/
Levitt, M. (2007). Hezbollah Finances: Funding the Party of God. In J. Giraldo & H. Trinkunas (Eds.), Terrorism Financing and State Responses: A Comparative Perspective (pp. 134–151). Stanford: Stanford University Press.
McDonald, S. (2015, November 16). Islamic State ‘using social media to crowdfund terrorist activities’. Retrieved October 30, 2016, from http://www.abc.net.au/news/2015-11-17/is-using-social-media-tocrowdfund-terrorist-activities/6948374
Monitoring, B. (2016, July 11). Hezbollah: Five ways group has changed since 2006 Israel war. Retrieved October 30, 2016, from http://www.bbc.com/news/world-middle-east-36672803
Okolie-Osemene, J., & Okoh, R. I. (2015). The Nature Terrorism Reports on Social Networks. Glocalism. Journal of Culture, Politics, and Innovation, 3(6). doi:10.12893/gjcpi.2015.3.6
Pepitone, J. (2015, August 3). Interpol Is Training Global Police to Fight Crime on Dark Web. Retrieved November 12, 2016, from http://www.nbcnews.com/tech/security/interpol-training-police-fight-crimedark-web-n403076
Shankar, A. (2016, April 20). Social Media Emerges as a Valuable Terrorist Fundraising Tool. Retrieved October 30, 2016, from http://www.investigativeproject.org/5314/social-media-emerges-as-a-valuableterrorist
Silver, V. (2014, June 6). Hezbollah’s Tech-Savvy, Platform-Agnostic Guerrilla Marketing Campaign. Retrieved October 30, 2016, from http://www.bloomberg.com/news/articles/2014-06-05/tech-savvyhezbollah-goes-multiplatform-to-spread-its-message
The Economist. (2016, July 16). Shedding light on the dark web. Retrieved October 30, 2016, from http://www.economist.com/news/international/21702176-drug-trade-moving-street-online-cryptomarketsforced-compete
The Middle East Media Research Institute, The Cyber & Jihad Lab. (2014, November 6). Gaza Jihadis Launch Twitter Fundraising Drives To Arm And Supply Their Men. Retrieved October 30, 2016, from http://cjlab.memri.org/lab-projects/hashtag-jihad-charting-jihadi-terrorist-organizations-use-of-twitter/gaza-jihadis-launch-twitter-fundraising-drives-to-arm-and-supply-their-men-2/
United Nations Office on Drugs and Crime. (2012, September). The use of the Internet for terrorist purposes.
Zimonjic, P. (2016, February 23). CSIS using new powers to disrupt terrorists since Bill C-51 became law. Retrieved October 26, 2016, from http://www.cbc.ca/news/politics/c51-law-disrupt-power-1.3460613

This research was previously published in the International Journal of Cyber Warfare and Terrorism (IJCWT), 8(1); edited by Graeme Pye and Brett van Niekerk, pages 1-11, copyright year 2018 by IGI Publishing (an imprint of IGI Global).

Section 4

Security and Privacy

Chapter 14

The State-of-the-Art Technology of Currency Identification: A Comparative Study

Guangyu Wang
Auckland University of Technology, New Zealand

Xiaotian Wu
Jinan University, China & Chinese Academy of Sciences, China

WeiQi Yan
Auckland University of Technology, New Zealand

ABSTRACT

The security of currency has attracted public attention. Despite the development of various anti-counterfeit methods for currency notes, cheaters are able to produce illegal copies and circulate them in the market without being detected. After reviewing related work in currency security, this paper conducts a comparative study of feature extraction and classification algorithms for currency note authentication. We extract various computational features from a dataset consisting of US Dollar (USD), Chinese Yuan (CNY) and New Zealand Dollar (NZD) notes and apply the classification algorithms to currency identification. Our contributions are to find and implement various algorithms from the existing literature and choose the best approaches for use.

INTRODUCTION

Currency has become a medium for trading various goods, replacing the ancient barter system. Currency is composed of three important components, namely coins, banknotes and electronic data. The stability of a currency represents a nation’s overall economic strength. Therefore, it is important to protect the security of currency in circulation.

DOI: 10.4018/978-1-5225-6201-6.ch014

Copyright © 2019, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

However, currency counterfeiting exists and undermines the normal stability of currency. Cheaters are able to use reprographic equipment to copy, scan and distribute fake banknotes, which severely affects the security of currency. This problem requires national reserve banks to develop effective technical solutions to cope with it. Even if private banks have their own approaches to handling the threats from counterfeit currency, national reserve banks should officially have the authorization to centralize currency issue and policy establishment. A counterfeiter’s primary objective is to produce passable reproductions and to master security features. Security features are classified into three categories (Clarkson et al., 2009; Ishigaki & Higuchi, 2008; Illingworth & Kittler, 1988; Zhang & Rockett, 2006; Zhang et al., 2007): (a) immediately detectable through human senses, (b) hidden from normal view of human senses but detectable using basic tools, such as a magnifying glass or ultraviolet light, (c) intrinsic characteristics resulting from the manufacturing process and the interaction of raw materials. Physical banknotes have obvious weaknesses: all paper-like materials are prone to wear and tear, which counterfeiters can exploit to produce forged banknotes that are hard for currency examination machines and tools to recognize. Therefore, banks and cashiers are using techniques such as digital image processing, machine vision and pattern recognition that effectively distinguish fake banknotes from authentic ones (Chambers et al., 2014; Yan & Chambers, 2013; Chambers, 2013). Software is trained to recognize specific banknotes using learned knowledge based on computable features. A banknote which does not meet the specified condition is deemed to be either counterfeit or worn-out, which affects normal transactions; it will be further examined and may be removed from circulation.
Similarly, if the same machine vision technology finds an engraving or printing problem in a banknote at production time, the note will be disposed of after manual examination, before it enters circulation. Traditional currency recognition software is used to check the print quality of new notes (Chambers et al., 2014; Yan & Chambers, 2013; Chambers, 2013). This is considered significant in the use of printed banknotes, while the quality of notes remains to be authenticated by manual inspection. Cheaters are able to produce forged notes with certain security features by simulating the genuine ones. However, it is impossible for them to distribute notes with all the security features (Gaubatz et al., 2009; Grijalva et al., 2010; Hasanuzzaman et al., 2012; Jin et al., 2008; Kersten, 2010; Nishimura, 2009; Roy et al., 2010). Although there is a new kind of money, the electronic version of currency, it contains most of the basic security components, which are inherited from physical banknotes. Nevertheless, as differences exist between transactions using physical banknotes and those using electronic currency, security and governance should be taken into consideration. In this paper, we will analyze features of currency by using feature extraction and classification techniques on the banknotes of USD (USA Dollar), NZD (New Zealand Dollar) and CNY (Chinese Yuan). We hope to investigate quantitative methods of currency authentication further. A comparative study will be conducted based on the methods listed in Table 1, which is based on a published survey paper (Chambers et al., 2014). By designing and implementing an experiment on these feature extraction methods and classifiers, we expect to select an existing algorithm that performs the best in distinguishing genuine currency notes from forged ones.
Our contribution is to conduct comparisons of banknote identification approaches and select an effective identification method from the various candidates. In this paper, a brief introduction of feature extraction and classifiers, as well as the proposed algorithms, is presented in Section 2. The explanation of our dataset and the experiment process are described in Section 3. Section 4 presents the analysis of the experimental results. Finally, the conclusion of this paper is drawn in Section 5.

Table 1. Prevalent feature extraction and classification algorithms in currency authentication from the previous literature review (Chambers et al., 2014)

| Task | Method |
|---|---|
| Feature extraction | Canny, Hough Transform, PCA, SURF, LBP |
| Classification | LVQ, GA, ANN, SVM, Adaboost, HMM |

CURRENCY SECURITY COMPUTATIONS

Digital image processing and computer vision have been employed for quality assurance of paper currency at production time and for currency authentication at transaction time. Usually the government's Bureau of Engraving and Printing officially takes over production of paper currency and examines the printing procedure. In real transactions, the banks and governments of all countries allow cashiers to use government-approved Cash Check and Count Machines for cash verification. Any suspicious cash will be reported to police for further investigation. Our aim in this section is to investigate the algorithms that have been employed in the area of currency authentication using the computable features in Table 1. Our goal is to automatically authenticate banknotes under a camera. By summing up the features and classifiers, this paper compares the results of experiments using existing approaches such as CPN, SURF or Discrete Wavelet Transform for classification (Daraee & Mozaffari, 2010; Hasanuzzaman et al., 2011; Hrishikesh & Shefali, 2009; Huang & Wu, 2007; Ishigaki & Higuchi, 2008; Li et al., 2009; Sajal et al., 2008; Singh, Badoni & Verma, 2011; Sun & Li, 2008; Wu et al., 2009; Yoshida et al., 2007; Zhou et al., 2008).

Computable Features

Although current security approaches for currency notes vary across nations and regions, authentication is achieved by using multiple models of the Human Vision System (HVS), such as security strips and paper watermarks. Basically, the authentication of these notes relies on digital image processing, since the geometric patterns on currency notes are designed to distinguish currency types and editions. Therefore, it is crucial to investigate the authentication of currency notes synthetically from the point of view of visual information such as computer graphics, digital image processing, and computer vision. Based on the given currency features, detection and classification algorithms could be employed to authenticate currency notes.

Canny Edge Detector

Previous research work has extended the knowledge of banknote authentication based on security components by utilizing various feature extraction and classification algorithms. One detector generally used in feature extraction is the Canny edge detector. There are two criteria for evaluating the performance of edge detectors (Singh et al., 2011; Singh, Badoni & Verma, 2011; Zhang & Rockett, 2006). The first criterion is that a qualified detector needs to have a good signal-to-noise ratio, which facilitates the process of edge detection. The other is the accuracy of edge detection, which describes the precise boundaries of the detected object. The process of Canny edge detection encompasses multiple stages. In the first step, an image is processed with a filter to remove insignificant details of the image, which is then converted to a grayscale image. The most widely used filter for noise removal in Canny edge detection is the Gaussian operator. One concern in setting the filter is the tuning of its width, which severely affects the result due to noise. In the next phase the gradient of each pixel is determined. As the edges of an image may extend in any direction, the Canny algorithm detects edges in four directions, namely the horizontal, vertical and two diagonal directions. The magnitude is called the edge strength and is calculated by using operators such as Roberts, Prewitt or Sobel, which return two measures of the gradient in two directions. From this, the edge gradient and direction are obtained by:

$$G = \sqrt{G_x^2 + G_y^2} \tag{1}$$

$$\theta = \arctan\left(\frac{G_y}{G_x}\right) \tag{2}$$

where G is the gradient strength and arctan(·) is the arctangent function, which is used to compute the edge direction. The edge direction angle is rounded to one of four angles representing horizontal, vertical and the two diagonals (0°, 90°, 45° and 135°, respectively).
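The gradient stage described above can be followed in code. This is an added example, not code from the chapter: it applies the Sobel operator, Equation 1 and Equation 2 to small constructed test patterns, and it assumes `atan2` in place of a plain arctangent so that the direction stays defined when Gx is zero (a purely horizontal edge).

```python
import math

# Sobel kernels estimating the horizontal (Gx) and vertical (Gy) derivatives.
SOBEL_X = ((-1, 0, 1), (-2, 0, 2), (-1, 0, 1))
SOBEL_Y = ((-1, -2, -1), (0, 0, 0), (1, 2, 1))


def convolve_at(img, y, x, kernel):
    """Apply a 3x3 kernel centred on (y, x); (y, x) must be an interior pixel."""
    return sum(kernel[j][i] * img[y + j - 1][x + i - 1]
               for j in range(3) for i in range(3))


def quantize_direction(theta_deg):
    """Round an angle to the nearest of 0, 45, 90, 135 degrees (modulo 180)."""
    theta = theta_deg % 180.0
    return min((0, 45, 90, 135, 180), key=lambda a: abs(a - theta)) % 180


def gradient_map(img):
    """Return {(y, x): (G, direction)} for every interior pixel."""
    out = {}
    for y in range(1, len(img) - 1):
        for x in range(1, len(img[0]) - 1):
            gx = convolve_at(img, y, x, SOBEL_X)
            gy = convolve_at(img, y, x, SOBEL_Y)
            g = math.hypot(gx, gy)                     # Equation 1
            # atan2 agrees with arctan(Gy/Gx) modulo 180 degrees and does not
            # divide by zero when Gx == 0.
            theta = math.degrees(math.atan2(gy, gx))   # Equation 2
            out[(y, x)] = (g, quantize_direction(theta))
    return out


def strong_edges(img, threshold):
    """Interior pixels whose edge strength G reaches the threshold."""
    return {pos: gd for pos, gd in gradient_map(img).items() if gd[0] >= threshold}


def step_image(size, is_bright):
    """Constructed test pattern: 255 where is_bright(y, x) holds, else 0."""
    return [[255 if is_bright(y, x) else 0 for x in range(size)]
            for y in range(size)]


# Constructed 5x5 patterns standing in for printed line work on a note.
VERTICAL_EDGE = step_image(5, lambda y, x: x >= 2)
HORIZONTAL_EDGE = step_image(5, lambda y, x: y >= 2)      # Gx == 0 on this edge
DIAGONAL_EDGE = step_image(5, lambda y, x: x + y >= 4)
ANTI_DIAGONAL_EDGE = step_image(5, lambda y, x: x >= y)

if __name__ == "__main__":
    for name, img in (("vertical", VERTICAL_EDGE), ("horizontal", HORIZONTAL_EDGE),
                      ("diagonal", DIAGONAL_EDGE), ("anti-diagonal", ANTI_DIAGONAL_EDGE)):
        strength, direction = gradient_map(img)[(2, 2)]
        print(f"{name:14s} G={strength:8.2f} direction={direction}")
```
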

Hough Transform

The Hough transform is a technique used to extract features of a specific shape from an image (Illingworth & Kittler, 1988). The classical Hough transform is most broadly used for the detection of regular patterns such as lines and circles. Despite its domain restrictions, the classical Hough transform retains a myriad of applications, as most manufactured parts contain feature boundaries which are described by regular curves. The main advantage of the Hough transform technique is that it is able to avoid the influence of gaps in feature boundary detection and is relatively immune to image noise. The Hough transform method performs well in the detection of fake banknotes which have been in circulation. This is because of its ability to detect lines where there are gaps in the captured image, especially for notes which are torn or worn out. The simplest case of the Hough transform is the linear transform for detecting straight lines. In the image, a straight line is described as y = m·x + b, where the parameter m is the slope of the line and b is the intercept. For the sake of computation, the Hough transform uses a different pair of parameters, denoted r and θ, for the lines. In a polar coordinate system, the parameter r represents the algebraic distance between the line and the origin, while θ is the angle of the vector orthogonal to the line and pointing toward the upper half plane. The linear Hough transform is expressed as:

$$y = -\left(\frac{\cos\theta}{\sin\theta}\right) x + \frac{r}{\sin\theta} \tag{3}$$

$$r = x \cdot \cos\theta + y \cdot \sin\theta \tag{4}$$

Each line in an image after Hough transform has a value of (r, θ) where θ ∈ [0, 2π] and r ≥ 0. The (r, θ) is used to define Hough space for analyzing lines in two dimensions.
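The gap tolerance claimed above for torn or worn notes can be seen in a small voting experiment. This is an added example, not code from the chapter: the edge points, the 1° angle step and the integer binning of r are assumptions, and `longest_run` is a hypothetical helper included only for contrast.

```python
import math
from collections import Counter


def hough_votes(points, theta_step_deg=1):
    """Accumulate votes in (r, theta) space using Equation 4.

    theta runs over [0, 360) degrees and only r >= 0 is kept, as in the text.
    r is binned to the nearest integer (an assumption of this example).
    """
    acc = Counter()
    for x, y in points:
        for theta_deg in range(0, 360, theta_step_deg):
            t = math.radians(theta_deg)
            r = x * math.cos(t) + y * math.sin(t)
            if r < 0:
                continue
            acc[(int(round(r)), theta_deg)] += 1
    return acc


def detect_line(points):
    """Return (r, theta_deg, votes) of the strongest line in the point set."""
    (r, theta_deg), votes = hough_votes(points).most_common(1)[0]
    return r, theta_deg, votes


def line_from_peak(r, theta_deg):
    """Convert (r, theta) to slope and intercept with Equation 3.

    Returns None for a vertical line, where sin(theta) is zero and the
    slope-intercept form does not exist.
    """
    s = math.sin(math.radians(theta_deg))
    if abs(s) < 1e-9:
        return None
    return -math.cos(math.radians(theta_deg)) / s, r / s


def longest_run(points, row):
    """Length of the longest unbroken horizontal run of points on one row."""
    xs = sorted(x for x, y in points if y == row)
    best = run = 0
    prev = None
    for x in xs:
        run = run + 1 if prev is not None and x == prev + 1 else 1
        best = max(best, run)
        prev = x
    return best


# Constructed edge map: a printed line at y = 20 with a 10-pixel tear in it,
# plus three unrelated noise pixels.
TORN_LINE = [(x, 20) for x in range(60) if not 25 <= x < 35]
NOISE = [(5, 3), (40, 50), (12, 37)]

if __name__ == "__main__":
    r, theta, votes = detect_line(TORN_LINE + NOISE)
    print("Hough peak: r =", r, "theta =", theta, "votes =", votes)
    print("slope, intercept:", line_from_peak(r, theta))
    print("longest contiguous run on the row:", longest_run(TORN_LINE, 20))
```

Both halves of the torn line vote for the same (r, θ) cell, so the peak counts all 50 pixels, while a contiguity-based scan sees only two 25-pixel fragments.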

PCA

Principal Component Analysis (PCA) is a statistical procedure that uses an orthogonal transformation to convert a set of observations of possibly correlated variables into a set of values of linearly uncorrelated variables called principal components (Jolliffe et al., 2005; Wold et al., 1987). The number of principal components is less than or equal to the number of original variables. This transformation is defined in such a way that the first principal component has the largest possible variance, and each succeeding component in turn has the highest possible variance under the constraint that it is orthogonal to the preceding components. PCA is the simplest of the true eigenvector-based multivariate analyses. Its operation is often thought of as revealing the internal structure of the data in a way that best explains the variance in the data. If a multivariate dataset is visualized as a set of coordinates in a high-dimensional data space, the PCA supplies us with a lower-dimensional picture, a projection of this object when viewed from its most informative viewpoint. This is done by using only the first few principal components so that the dimensionality of the transformed data is reduced. The PCA is one of the most popular methods for feature extraction from data and it is discussed in documents on multivariate analysis. The most common derivation of the PCA is in terms of a standardized linear projection which maximizes the variance in the projected space. The PCA is well suited for extracting characteristics from banknotes: as banknotes are high quality documents, much classification data is captured. When smart detection devices are embedded into ATMs and banknote sorting machines, time is a critical factor; as the PCA is used to determine the necessary features, we can ensure that only the necessary elements are checked for this purpose.

Traditionally, the PCA is performed on symmetric covariance matrix or symmetric correlation matrix. These matrices are calculated from the data matrix. The covariance matrix contains scaled sums of squares and cross products. A correlation matrix is like a covariance matrix. The principal components are normalized eigenvectors of the covariance matrix of the genes and ordered according to how much of the variation present in the data they contain. Each component is then interpreted as the direction, uncorrelated to previous components, which maximizes variance of the samples when projected onto the component. The dimensionality is reduced to a single dimension by projecting each sample onto the first principal component.

LBP

Local Binary Pattern (LBP) is an operator for texture description. It converts the original image into a binary one by using a threshold to choose the value of each pixel (Guo et al., 2010; Wang et al., 2009). The LBP value of a certain pixel is calculated by Equation 5:

$$LBP(p) = \sum_{i=0}^{7} 2^{i} \cdot s(g_i - g_p) \tag{5}$$

where gp is the value of a pixel p and gi is the grayscale value of the i-th pixel around pixel p, which has eight neighbors in total. The threshold of the pixel is given by the function s(·). The normal process of LBP is:

Step 1: Separate the original picture into cells.
Step 2: Compare one pixel to each of its eight neighbors, following a clockwise direction.
Step 3: If a central pixel value is greater than the value of adjacent pixels, then this neighbor will be replaced by the value of 1 and vice versa.
Step 4: Make the result of each cell into a histogram so as to demonstrate the frequency of each number.
Step 5: Normalize the histogram.
Step 6: Combine the histograms of each cell in the image and construct the feature vector for the entire image.

Once the feature vector of LBP is formed, it is then utilized in a machine learning algorithm to classify or cluster images. The LBP is broadly used for face recognition and other fields which require texture analysis.
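Steps 1 to 6 and Equation 5 can be carried through on small constructed images. This is an added example, not code from the chapter: the 4-pixel cell size, the skipping of border pixels and the L1 comparison are assumptions, and the bit is set as Step 3 states it (centre greater than neighbour); the more common convention sets the bit when the neighbour is at least as bright as the centre.

```python
# Clockwise neighbour offsets (dy, dx), starting at the top-left neighbour.
NEIGHBOURS = ((-1, -1), (-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1))


def lbp_code(img, y, x):
    """Equation 5 for the interior pixel (y, x): one bit per neighbour.

    Bit i is 1 when the centre pixel is greater than neighbour i (Step 3).
    """
    centre = img[y][x]
    code = 0
    for i, (dy, dx) in enumerate(NEIGHBOURS):
        if centre > img[y + dy][x + dx]:
            code |= 1 << i
    return code


def lbp_feature_vector(img, cell=4):
    """Steps 1-6: per-cell normalised histograms of LBP codes, concatenated.

    Border pixels are skipped because they lack a full set of eight neighbours.
    """
    height, width = len(img), len(img[0])
    feature = []
    for y0 in range(0, height, cell):                    # Step 1: cells
        for x0 in range(0, width, cell):
            hist = [0] * 256
            for y in range(max(y0, 1), min(y0 + cell, height - 1)):
                for x in range(max(x0, 1), min(x0 + cell, width - 1)):
                    hist[lbp_code(img, y, x)] += 1       # Steps 2-4
            total = sum(hist)
            feature.extend(c / total if total else 0.0 for c in hist)  # Step 5
    return feature                                       # Step 6


def l1_distance(a, b):
    """Sum of absolute differences between two feature vectors."""
    return sum(abs(p - q) for p, q in zip(a, b))


# Constructed 8x8 samples: fine alternating line work, and a copy in which the
# line work has washed out to a uniform grey.
FINE_LINES = [[200 if x % 2 == 0 else 50 for x in range(8)] for y in range(8)]
FLAT_COPY = [[125] * 8 for _ in range(8)]

if __name__ == "__main__":
    genuine = lbp_feature_vector(FINE_LINES)
    copy = lbp_feature_vector(FLAT_COPY)
    print("feature length:", len(genuine))
    print("L1 distance between the two textures:", l1_distance(genuine, copy))
```
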

Classification Algorithms

SVM

In machine learning, Support Vector Machines (SVMs) are supervised learning models with associated learning algorithms that analyze data and recognize patterns for classification and regression analysis (Gaubatz & Simske, 2009; Ryu et al., 2008; Sun & Li, 2008, “The Recognition of”; Wenhong et al., 2010; Yeh et al., 2007). Given a set of training examples labelled as one of two categories, an SVM training algorithm builds a model that assigns new examples into one category or the other, making it a non-probabilistic binary linear classifier. An SVM model is a representation of the examples as points in space, mapped so that the examples of the separate categories are divided by a clear gap that is as wide as possible. New examples are then mapped into the same space and assigned to a category based on which side of the gap they fall on.

GA

A Genetic Algorithm (GA) is a method for solving both constrained and unconstrained optimization problems based on a natural selection process that mimics biological evolution (Davis, 1991). The algorithm repeatedly modifies a population of individual solutions. At each step, the genetic algorithm randomly selects individuals from the current population and uses them as parents to produce the children for the next generation. Over successive generations, the population evolves toward an optimal solution. The GA is applied to problems that are not well suited for standard optimization algorithms, including problems in which the objective function is discontinuous, non-differentiable, stochastic, or highly nonlinear. The GA usually starts with a set of solutions (represented by chromosomes) called a population. Solutions from one population are taken and used to form a new population. This is motivated by the hypothesis that the new population will be better than the old one. Solutions chosen to form new solutions (offspring) are selected for currency identification according to their fitness - the more suitable they are, the more chances they have to reproduce.

LVQ

A Learning Vector Quantization (LVQ) network has a first competitive layer and a second linear layer (Gou et al., 2011). The competitive layer learns to classify input vectors in the same way as the competitive layers of Cluster with Self-Organizing Map Neural Network. The linear layer transforms the competitive layer’s classes into target classifications defined by the user. The classes learned by the competitive layer are referred to as subclasses and the classes of the linear layer as target classes. An advantage of LVQ is that it creates prototypes that are easy to interpret for experts in the respective application domain. The LVQ is applied to multi-class classification problems in a natural way.

SOM

A Self-Organizing Map (SOM) or Self-Organizing Feature Map (SOFM) is a type of Artificial Neural Network (ANN) that is trained using unsupervised learning to produce a low-dimensional (typically two-dimensional), discretized representation of the input space of the training samples, called a map (Dittenbach et al., 2000; Van Hulle, 2012). SOMs are different from other ANNs in the sense that they use a neighborhood function to preserve the topological properties of the input.

HMM

The Hidden Markov Model (HMM), which is employed to detect differences between several continuous states, is a widely used algorithm in statistics (Elliott et al., 1994; Rabiner & Juang, 1986; Shan et al., 2009).

HMM is utilized in currency note authentication because of its probabilistic representation of time-varying sequences. Equation 6 indicates the computational process of the HMM:

$$\lambda = \arg\max \big( P(\lambda \mid O_i,\ i = 1, t) \big) \tag{6}$$

where λ is the model to be estimated, O is the observation sequences in training set, P is a probability of O in the model λ. The best model λ* is selected with the highest probability:

$$P(\lambda^{*} \mid O) = \max_{\lambda_m} P(\lambda_m \mid O) \tag{7}$$

where m is the number of candidate models, O is the given sequence to be trained. The probability is calculated by Bayesian theory:

P ( λm | O ) =

P ( λm ) P ( O | λm ) P (O )

(8)

In HMM, the model selection is conducted based on the number of states, training iterations and Gaussian components. The number of Gaussian components is increased iteratively during testing to determine its most suitable value for a given model. Further, the length of the sequence is also a significant parameter to be tested in the experiments.
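Equations 7 and 8 can be carried through numerically. The following is an added example, not code from the chapter: it scores one observation sequence against two candidate HMMs with the scaled forward algorithm and selects the model with the highest posterior. It assumes discrete emissions instead of the Gaussian components mentioned above, and the two models, the priors and the symbol sequences are constructed for illustration.

```python
"""Model selection among candidate HMMs by posterior probability (Eqs. 7 and 8)."""
import math


def forward_log_likelihood(model, observations):
    """Return log P(O | lambda) computed with the scaled forward algorithm."""
    start, trans, emit = model["start"], model["trans"], model["emit"]
    n_states = len(start)
    if not observations:
        raise ValueError("empty observation sequence")
    alpha = [start[s] * emit[s][observations[0]] for s in range(n_states)]
    log_like = 0.0
    for t, symbol in enumerate(observations):
        if t > 0:
            # Propagate the normalized state distribution one step, then weight
            # each state by how likely it is to emit the current symbol.
            alpha = [
                sum(alpha[p] * trans[p][s] for p in range(n_states)) * emit[s][symbol]
                for s in range(n_states)
            ]
        scale = sum(alpha)
        if scale == 0.0:
            return float("-inf")  # the sequence is impossible under this model
        log_like += math.log(scale)  # the product of the scales equals P(O | lambda)
        alpha = [a / scale for a in alpha]
    return log_like


def posteriors(models, priors, observations):
    """Return {name: P(lambda_m | O)} using Bayes' rule, Equation 8."""
    log_joint = {
        name: math.log(priors[name]) + forward_log_likelihood(model, observations)
        for name, model in models.items()
    }
    finite = [v for v in log_joint.values() if v != float("-inf")]
    if not finite:
        raise ValueError("sequence has zero probability under every candidate model")
    peak = max(finite)  # subtract the peak so the exponentials cannot underflow
    weights = {name: math.exp(v - peak) for name, v in log_joint.items()}
    evidence = sum(weights.values())  # proportional to P(O), the denominator of Eq. 8
    return {name: w / evidence for name, w in weights.items()}


def select_model(models, priors, observations):
    """Return the name of the model with the highest posterior, Equation 7."""
    post = posteriors(models, priors, observations)
    return max(post, key=post.get)


# Constructed candidate models. Symbols 0, 1, 2 stand for a quantized feature
# value (low, medium, high) read from the six partitions of one note.
GENUINE = {
    "start": [0.8, 0.2],
    "trans": [[0.7, 0.3], [0.2, 0.8]],
    "emit": [[0.1, 0.3, 0.6], [0.2, 0.6, 0.2]],
}
FORGED = {
    "start": [0.5, 0.5],
    "trans": [[0.5, 0.5], [0.5, 0.5]],
    "emit": [[0.6, 0.3, 0.1], [0.4, 0.4, 0.2]],
}
MODELS = {"genuine": GENUINE, "forged": FORGED}
PRIORS = {"genuine": 0.9, "forged": 0.1}  # constructed prior P(lambda_m)

if __name__ == "__main__":
    for sequence in ([2, 2, 1, 2, 2, 1], [0, 0, 0, 1, 0, 0]):
        print(sequence, select_model(MODELS, PRIORS, sequence),
              posteriors(MODELS, PRIORS, sequence))
```

The prior matters: with 90% of the prior mass on the genuine model, a sequence must fit the forged model far better before it is selected.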

ANN

Artificial Neural Networks (ANN) are typically organized in layers (Cao & Liu, 2010; Debnath et al., 2009; Singh et al., 2014; Demuth & Beale, 1993; Hagan et al., 1996; Jing et al., 2010; Li et al., 2010; Omatu et al., 2009). Layers are made up of a number of interconnected nodes, each of which contains an activation function. Patterns are presented to the network via the input layer, which communicates with one or more hidden layers where the actual processing is done via a system of weighted connections. With the delta rule, as with other types of propagation, learning is a supervised process that occurs with each cycle or epoch (i.e. each time the network is presented with a new input pattern) through a forward activation flow of outputs and the backward error propagation of weight adjustments. When a neural network is initially presented with a pattern, it makes a random guess as to what it might be. It then sees how far its answer was from the actual one and makes an appropriate adjustment to its connection weights. Once a neural network is trained to a satisfactory level, it may be used as an analytical tool on other data. For this task, the user no longer specifies any training runs and instead allows the network to work in forward propagation mode only. New inputs are presented as the input pattern where they filter into and are processed by the middle layers as training is taking place. The output of a forward propagation is the predicted model for the data, which is then used for further analysis and interpretation.


AdaBoost

AdaBoost (adaptive boosting) is an ensemble learning algorithm that is used for classification or regression (Geusebroek et al., 2011). Although AdaBoost is more resistant to over-fitting than many machine learning algorithms, it is often sensitive to noisy data and outliers. AdaBoost is called adaptive because it uses multiple iterations to generate a single composite strong learner. AdaBoost creates the strong learner (a classifier that is well correlated with the true classifier) by iteratively adding a classifier that is only slightly correlated with the true classifier (a weak learner). During each round of training, a new weak learner is added to the ensemble and a weighting vector is adjusted to concentrate on examples that were misclassified in previous rounds. The result is a classifier that has higher accuracy than the weak learners' classifiers.

OUR CONTRIBUTIONS

Data Collection

In order to support the ongoing experiments that compare the precision of various classifiers, a proper dataset is predefined as the experiment input. The dataset in this project includes three kinds of currency with three different amounts of values, namely, New Zealand Dollar (NZD: $10, $20, $100), US Dollar (USD: $5, $50, $100) and Chinese Yuan (CNY: ¥10, ¥50, ¥100). The requirements for these samples are in various degrees with clear patterns of identifications on the currency so as to facilitate the process of feature extraction. The features to be used in classification are the Canny edge detector, the Hough transform feature, PCA, YIQ and LBP. All the features are organized in the form of vectors, and each direction of the vector represents a feature. The features are all extracted by using the programming platform Matlab. Figure 1 illustrates the features we used in our experiments.

As there are a considerable number of raw samples which tend to affect the recognition process of the experiment, like experiments in currency authentication, we decided to segment one currency note into six partitions with three divisions in the vertical direction and two in the horizontal. Figure 2 shows an example of this segmentation. Each of the 3×2 parts of the currency is treated as a vector which is applied to feature extraction and utilized for the purpose of data collection. Moreover, as the dimensions of the sample currency notes are different, the vectors are hard to integrate into the database. Therefore, we decided to use PCA for dimension reduction. On the basis of a trial for testing the parameters of the components in the PCA, we find that a component number of 50 is suitable for the feature extraction.

In addition to the parameter tuning in the PCA, we also choose the value of Y in YIQ for color feature extraction in our data preprocessing. YIQ is a better translation of the RGB color descriptor. YIQ is the color space commonly used by the NTSC color TV system (Schwarz et al., 1987). Specifically, the Y component in YIQ denotes the luminance information and the brightness of certain areas. As a preferred brightness descriptor for images and frames, YIQ has shown outstanding performance in a variety of applications.


Figure 1. Various features used in experiments

In the experiment, the Canny edge detector is employed to extract the edge information of a vector, and the centroid of the image detected by the Canny edge detector is utilized, as the centroid has the ability to briefly describe the pixel distribution of an image. The extracted features of an instance are indicated in Table 2.

Figure 2. The sample of currency notes

Table 2. The extracted features from training data

No.   Canny    Hough   YIQ       LBP      PCA
1     89.313   7.0     0.26404   41.295   8.2653
2     90.127   6.0     0.26479   41.681   8.2653
3     88.837   7.0     0.26534   41.421   8.2653
4     90.806   1.0     0.23128   41.808   8.2653
5     91.066   1.0     0.2394    41.808   8.2653
6     87.657   3.0     0.23392   41.808   4.823
7     88.005   8.0     0.25777   51.661   4.823
8     88.968   5.0     0.26921   52.088   4.823
9     88.387   9.0     0.26862   52.088   4.823
10    85.079   6.0     0.23319   51.803   4.823

Experiment Design

After clearly defining and collecting data from the currency note samples, we dispatch them into eight different classifiers. The two most significant considerations for our experiments are the parametric tuning and the result analysis. The parametric tuning methods vary with the algorithm. By identifying the best approach for each algorithm, we will conduct a comparison among these algorithms to determine the most suitable algorithm for currency authentication.

We use the F-measure shown in Equations 9 and 10, which combines both precision and recall, as our criterion for comparing all eight classifiers. Precision is the fraction of retrieved instances that are relevant, while recall is the fraction of relevant instances that are retrieved. Both precision and recall are therefore based on an understanding and measure of relevance. In this experiment, we expect the rate of currency identification to be as high as possible. On one hand, we hope the prediction precision of correctly classified currency notes among the retrieved notes is high; on the other hand, the ratio of correctly identified notes to the number of relevant notes is preferred to be bigger. Therefore, we need both precision and recall to be as high as possible. By considering both the value of precision and that of recall, the F-measure is an ideal function for our experiment:


$$F = \frac{(a^{2} + 1)\, P \cdot R}{a^{2}\,(P + R)} \tag{9}$$

When a = 1, we have:

$$F_1 = \frac{2 P \cdot R}{P + R} \tag{10}$$

RESULTS AND COMPARISONS

Experiment Results

LVQ

The LVQ is a clustering algorithm for distributing instances into different categories. In this experiment, we pre-define the categories to be 0 and 1, which represent authentic and forged currency notes respectively. The parameter to be calibrated is the learning rate, which explains the amount by which the weights are updated. The accuracy is highly dependent on the initialization of the model as well as on the learning parameters used, as shown in Table 3.

Table 3. Results of LVQ clustering

Currency   Learning Rate   F-Measure
NZD        0.3             71.3%
USD        0.3             82.3%
CNY        0.3             82.3%
NZD        0.7             83.4%
USD        0.7             85.3%
CNY        0.7             87.4%

GA

Crossover probability tells us how often a crossover will be performed. If there is no crossover, the offspring is an exact copy of the parents. If there is a crossover, the offspring is made from parts of the parents' chromosomes. If the crossover probability is 100%, then all offspring are made by crossover. If it is 0%, the new generation is made from exact copies of the chromosomes of the old population. Crossover is performed in the hope that the new chromosomes will have the good parts of the old chromosomes and that the new chromosomes may be better. However, it is good to let some part of the population survive to the next generation.

Mutation probability means how often parts of a chromosome will be mutated. If there is no mutation, the offspring is taken after crossover (or copy) without any change. If the mutation is performed, part of the chromosome is changed. If the mutation probability is 100%, the whole chromosome is different; if it is 0%, nothing is changed.

Population size represents how many chromosomes are in the population (in one generation). If there are too few chromosomes, the GA has few possibilities to perform crossover and only a small part of the search space is explored. On the other hand, if there are too many chromosomes, the GA slows down. Mutation is adopted to prevent the GA from falling into a local extreme, but it should not occur very often, because the GA will then in fact change into a random search.

Table 5 reports the accuracy of each algorithm for the different kinds of currency notes. We select the algorithms with the highest precision and compare them to select the most suitable algorithm for authenticating currency notes.

Analysis

From Table 4, we observe that the GA algorithm is the most suitable one for authenticating currency notes from the view of content-based analysis. While the experiment is conducted by using three different kinds of currency notes and five different features are extracted for establishing the data model, the F-measure obtained with the different classification and clustering algorithms varies from around 40% to as high as 98%. By tuning the parameters of each algorithm, we first select the most suitable set of parameters for each algorithm. While some of the algorithms have only one parameter to be tuned in this experiment, the GA and ANN algorithms have two kinds of parameters to tune. As the results for the different currencies with different parameters are spread over a large range, we simply compare each kind of parameter by computing its average value and select the set of parameters with the largest average F-measure as the best one for a certain algorithm.

Table 4. Results of the GA algorithm

Currency   Population Size   Mutation Probability   F-Measure
NZD        100               50                     98.4%
USD        100               50                     91.7%
CNY        100               50                     83.0%
NZD        50                50                     92.8%
USD        50                50                     87.4%
CNY        50                50                     95.5%
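The F-measure of Equations 9 and 10 and the selection rule described in the Analysis (average the F-measure over the currencies, keep the parameter with the largest average) can be worked through as follows. This is an added example, not code from the chapter: the Table 3 values are taken from the page, while the label vectors and the choice of the forged class (1) as the positive class are constructed assumptions.

```python
"""F-measure (Eqs. 9 and 10) and parameter selection by average F-measure."""
from collections import defaultdict


def precision_recall(y_true, y_pred, positive=1):
    """Return (precision, recall) for the class labelled `positive`."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(1 for t, p in pairs if t == positive and p == positive)
    fp = sum(1 for t, p in pairs if t != positive and p == positive)
    fn = sum(1 for t, p in pairs if t == positive and p != positive)
    precision = tp / (tp + fp) if tp + fp else 0.0  # nothing retrieved
    recall = tp / (tp + fn) if tp + fn else 0.0     # nothing relevant
    return precision, recall


def f_measure(precision, recall, a=1.0):
    """Equation 9 in the form given in the chapter; a = 1 gives Equation 10."""
    if precision + recall == 0:
        return 0.0
    return (a * a + 1) * precision * recall / (a * a * (precision + recall))


def best_parameter(results):
    """Pick the parameter with the largest F-measure averaged over currencies.

    `results` is an iterable of (currency, parameter, f_measure_percent).
    Returns (best_parameter, {parameter: average}).
    """
    by_param = defaultdict(list)
    for _currency, param, score in results:
        by_param[param].append(score)
    averages = {param: sum(v) / len(v) for param, v in by_param.items()}
    return max(averages, key=averages.get), averages


# Table 3 of the chapter: LVQ, learning rate 0.3 versus 0.7.
TABLE_3 = [
    ("NZD", 0.3, 71.3), ("USD", 0.3, 82.3), ("CNY", 0.3, 82.3),
    ("NZD", 0.7, 83.4), ("USD", 0.7, 85.3), ("CNY", 0.7, 87.4),
]

# Constructed labels for ten notes: 0 = authentic, 1 = forged.
Y_TRUE = [1, 1, 1, 1, 0, 0, 0, 0, 0, 0]
Y_PRED = [1, 1, 1, 0, 1, 1, 0, 0, 0, 0]

if __name__ == "__main__":
    p, r = precision_recall(Y_TRUE, Y_PRED)
    print("precision", p, "recall", r, "F1", f_measure(p, r))
    print(best_parameter(TABLE_3))
```

For Table 3 the rule selects the learning rate 0.7, whose per-currency values are the ones listed in the LVQ column of Table 5.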

Table 5. Comparisons of different algorithms in currency authentication

Currency   LVQ     GA      ANN     SVM     SOM     Adaboost   HMM
NZD 10     83.4%   90.4%   78.2%   86.3%   55.9%   82.0%      74.0%
USD 5      85.3%   91.7%   76.8%   75.2%   65.3%   50.4%      50.4%
CNY 10     87.4%   83.0%   73.1%   80.6%   62.1%   74.0%      74.0%


After the parametric comparison, it is important to contrast these algorithms and select the best one as the experiment result for currency note authentication. From Table 5, the GA algorithm proves to be the most preferable one, with an F-measure value of around 90%, which is apparently higher than that of the other algorithms.

CONCLUSION

In this paper, we concentrate on the authentication problem in banknote identification and select suitable algorithms for our comparative study. Our contribution is to review the available algorithms (Chambers et al., 2014) which are thought to be very effective in currency note authentication. The result explicitly reveals that the GA algorithm is the most feasible algorithm in currency authentication. Our future work is proposed to improve the results. Firstly, the types and the number of samples are expected to be enhanced by taking into consideration more available samples of both genuine and forged notes. Moreover, more features are expected to be adopted, since currency notes are protected by a variety of security methods.

ACKNOWLEDGMENT

This work was partially supported by the National Natural Science Foundation of China (Grant No. 61602211) and the Science and Technology Program of Guangzhou, China (Grant No. 201707010259).

REFERENCES

Cao, B., & Liu, J. (2010). Currency recognition modelling research based on BP neural network improved by gene algorithm. Proceedings of the Second International Conference on Computer Modelling and Simulation (ICCMS'10), Washington, DC, USA (pp. 246–250).

Chambers, J. (2013). Digital Currency Forensics [Master Degree Thesis]. Auckland University of Technology, New Zealand.

Chambers, J., Yan, W., Garhwal, A., & Kankanhalli, M. (2014). Currency security and forensics: a survey. Springer Multimedia Tools and Applications.

Clarkson, W., Weyrich, T., Finkelstein, A., Heninger, N., Halderman, J. A., & Felten, E. W. (2009). Fingerprinting blank paper using commodity scanners. Proceedings of the IEEE Symposium on Security and Privacy (pp. 301–314).

Daraee, F., & Mozaffari, S. (2010). Eroded money notes recognition using wavelet transform. Proceedings of the Iranian Machine Vision and Image Processing (MVIP'10) (pp. 1–5). doi:10.1109/IranianMVIP.2010.5941144

Davis, L. (Ed.). (1991). Handbook of genetic algorithms. New York: Van Nostrand Reinhold.


Debnath, K. K., Ahdikary, J. K., & Shahjahan, M. (2009). A currency recognition system using negatively correlated neural network ensemble. Proceedings of the International Conference on Computers and Information Technology (ICCIT '09) (pp. 367–372). doi:10.1109/ICCIT.2009.5407265

Demuth, H., & Beale, M. (1993). Neural network toolbox for use with Matlab.

Dittenbach, M., Merkl, D., & Rauber, A. (2000). The growing hierarchical self-organizing map. Proceedings of the IEEE-INNS-ENNS International Joint Conference on Neural Networks (pp. 6015-6015).

Elliott, R. J., Aggoun, L., & Moore, J. B. (1994). Hidden Markov Models. Springer.

Gaubatz, M. D., & Simske, S. J. (2009). Printer-scanner identification via analysis of structured security deterrents. Proceedings of the IEEE International Workshop on Information Forensics and Security (WIFS'09) (pp. 151–155). doi:10.1109/WIFS.2009.5386463

Gaubatz, M. D., Simske, S. J., & Gibson, S. (2009). Distortion metrics for predicting authentication functionality of printed security deterrents. Proceedings of the 16th IEEE International Conference on Image Processing (ICIP'09), Washington, DC, USA (pp. 1489–1492). doi:10.1109/ICIP.2009.5414608

Geusebroek, J.-M., Markus, P., & Balke, P. (2011). Learning banknote fitness for sorting. Proceedings of the International Conference on Pattern Analysis and Intelligent Robotics (ICPAIR'11) (Vol. 1, pp. 41–46). doi:10.1109/ICPAIR.2011.5976909

Gou, H., Li, X., Li, X., & Yi, J. (2011). A reliable classification method for paper currency based on LVQ neural network. In Advances in Computer Science and Education Applications, CCIS (Vol. 202, pp. 243–247). Springer. doi:10.1007/978-3-642-22456-0_35

Grijalva, F., Rodriguez, J. C., Larco, J., & Orozco, L. (2010). Smartphone recognition of the US banknotes' denomination for visually impaired people. Proceedings of the IEEE ANDESCON.

Guo, J., Zhao, Y., & Cai, A. (2010). A reliable method for paper currency recognition based on LBP. Proceedings of the 2nd IEEE International Conference on Network Infrastructure and Digital Content, Washington, DC, USA (pp. 359–363). doi:10.1109/ICNIDC.2010.5657978

Hagan, M. T., Demuth, H. B., & Beale, M. H. (1996). Neural network design. Boston: PWS.

Hasanuzzaman, F. M., Yang, X., & Tian, Y. (2011). Robust and effective component-based banknote recognition by SURF features. Proceedings of the 20th Annual Wireless and Optical Communications Conference (WOCC'11) (pp. 1–6). doi:10.1109/WOCC.2011.5872294

Hasanuzzaman, F. M., Yang, X., & Tian, Y. (2012). Robust and effective component-based banknote recognition for the blind. IEEE Trans. Syst. Man Cybern. C Appl. Rev., 42(6), 1021–1030.

Hrishikesh, C., & Shefali, S. (2009). Printed document watermarking using phase modulation. Proceedings of the International Conference on Emerging Trends in Engineering and Technology (ICETET).

Huang, S., & Wu, J. K. (2007). Optical watermarking for printed document authentication. IEEE Transactions on Information Forensic and Security, 2(2), 164–173. doi:10.1109/TIFS.2007.897255

Illingworth, J., & Kittler, J. (1988). A survey of the Hough transform. Computer Vision Graphics and Image Processing, 44(1), 87–116. doi:10.1016/S0734-189X(88)80033-1


Ishigaki, T., & Higuchi, T. (2008). Dynamic spectrum classification by divergence-based kernel machines and its application to the detection of worn-out banknotes. Proceedings of the IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP'08), Washington, DC, USA (pp. 1873–1876). doi:10.1109/ICASSP.2008.4517999

Jin, Y., Song, L., Tang, X., & Du, M. (2008). A hierarchical approach for banknote image processing using homogeneity and FFD model. IEEE Signal Processing Letters, 15, 425–428. doi:10.1109/LSP.2008.921470

Jing, L., Shuang, L., Jin, M. S., & Wei, W. (2010). About CNY number identification with genetic evolution neural network. Proceedings of the International Conference on Computer, Mechatronics, Control and Electronic Engineering (CMCE'10), Washington, DC, USA (pp. 286–288).

Jolliffe, I. (2005). Principal component analysis. John Wiley & Sons, Ltd. doi:10.1002/0470013192.bsa501

Kersten, J. (2010). The art of making money: the story of a master counterfeiter. USA: Penguin Group.

Li, L., Yu-tang, Y., Yu, X., & Liang, P. (2010). Serial number extracting and recognizing applied in paper currency sorting system based on RBF Network. Proceedings of the International Conference on Computational Intelligence and Software Engineering (CiSE'10) (pp. 1–4). doi:10.1109/CISE.2010.5677049

Li, Z., Zhou, X., & Chen, Y. (2009). Research for the intelligent CNY sorter based on ANN. Proceedings of the 9th International Conference on Electronic Measurement and Instruments (ICEMI'09).

Nishimura, K. (2009). Banknote recognition based on continuous change in strictness of examination. Proceedings of the IEEE ICCAS-SICE (pp. 5347–5350).

Omatu, S., Yoshioka, M., & Kosaka, Y. (2009). Reliable banknote classification using neural networks. Proceedings of the International Conference on Advanced Engineering Computing and Applications in Sciences (ADVCOMP'09) (pp. 35–40).

Rabiner, L., & Juang, B. H. (1986). An introduction to hidden Markov models. IEEE ASSP Magazine, 3(1), 4–16. doi:10.1109/MASSP.1986.1165342

Roy, A., Halder, B., & Garain, U. (2010, December). Authentication of currency notes through printing technique verification. Proceedings of the Seventh Indian Conference on Computer Vision, Graphics and Image Processing (pp. 383–390). doi:10.1145/1924559.1924610

Ryu, S.-J., Lee, H.-Y., Cho, I.-W., & Lee, H.-K. (2008). Document forgery detection with SVM classifier and image quality measures. Proceedings of the 9th Pacific Rim Conference on Multimedia (PCM'08) (pp. 486–495). doi:10.1007/978-3-540-89796-5_50

Sajal, R. F., Kamruzzaman, M., & Jewel, F. A. (2008). A machine vision based automatic system for real time recognition and sorting of Bangladeshi bank notes. Proceedings of the International Conference on Computer and Information Technology (ICCIT'08) (pp. 533–535). doi:10.1109/ICCITECHN.2008.4803060

Schwarz, M. W., Cowan, W. B., & Beatty, J. C. (1987). An experimental comparison of RGB, YIQ, LAB, HSV, and opponent color models. ACM Transactions on Graphics, 6(2), 123–158. doi:10.1145/31336.31338


Shan, G., Peng, L., Jiafeng, L., & Xianglong, T. (2009). The design of HMM based banknote recognition system. Proceedings of the IEEE International Conference on Intelligent Computing and Intelligent Systems (ICIS'09) (Vol. 4, pp. 106–110).

Singh, B., Badoni, P., & Verma, K. (2011). Computer vision based currency classification system. International Journal of Computers and Applications, 16(4), 34–38. doi:10.5120/1999-2695

Singh, S., Choudhury, S., Vishal, K., & Jawahar, C. V. (2014). Currency Recognition on Mobile Phones. Proceedings of the International Conference on Pattern Recognition (ICPR) (pp. 2661–2666).

Sun, B., & Li, J. (2008). Recognition for the banknotes grade based on CPN. Proceedings of the International Conference on Computer Science and Software Engineering (pp. 90–93). doi:10.1109/CSSE.2008.881

Sun, B., & Li, J. (2008). The recognition of new and old banknotes based on SVM. Proceedings of the International Symposium on Intelligent Information Technology Application (IITA'08) (pp. 95–98). doi:10.1109/IITA.2008.157

Van Hulle, M. M. (2012). Self-organizing maps. In Handbook of Natural Computing (pp. 585–622). Chicago: Springer Berlin Heidelberg.

Wang, X., Han, T. X., & Yan, S. (2009). An HOG-LBP human detector with partial occlusion handling. Proceedings of the IEEE International Conference on Computer Vision (pp. 32–39). doi:10.1109/ICCV.2009.5459207

Wenhong, L., Wenjuan, T., Xiyan, C., & Zhen, G. (2010). Application of Support Vector Machine (SVM) on serial number identification of CNY. Proceedings of the 8th World Congress on Intelligent Control and Automation (WCICA), Washington, DC, USA (pp. 6262–6266).

Wold, S., Esbensen, K., & Geladi, P. (1987). Principal component analysis. Chemometrics and Intelligent Laboratory Systems, 2(1), 37–52. doi:10.1016/0169-7439(87)80084-9

Wu, Q., Zhang, Y., Ma, Z., Wang, Z., & Jin, B. (2009). A banknote orientation recognition method with BP network. Proceedings of the 2009 WRI Global Congress on Intelligent Systems (GCIS'09), Washington, DC, USA (pp. 3–9). doi:10.1109/GCIS.2009.225

Yan, W., & Chambers, J. (2013). An empirical approach for digital currency forensics. Proceedings of the IEEE ISCAS (pp. 2988–2991). doi:10.1109/ISCAS.2013.6572507

Yeh, C. Y., Su, W. P., & Lee, S. J. (2011). Employing multiple-kernel support vector machines for counterfeit banknote recognition. Applied Soft Computing, 11(1), 1439–1447. doi:10.1016/j.asoc.2010.04.015

Yoshida, K., Kamruzzaman, M., Jewel, F. A., & Sajal, R. F. (2007). Design and implementation of a machine vision based but low cost stand alone system for real time counterfeit Bangladeshi bank notes detection. Proceedings of the International Conference on Computer and Information Technology (ICCIT'07) (pp. 1–5). doi:10.1109/ICCITECHN.2007.4579427


Zhang, J., Ma, L., & Wang, Y. (2007). Fair e-cash system without trustees for multiple banks. Proceedings of the International Conference on Computational Intelligence and Security Workshops (CISW'07) (pp. 585–587). doi:10.1109/CISW.2007.4425563

Zhang, Y., & Rockett, P. I. (2006). The Bayesian operating point of the Canny edge detector. IEEE Transactions on Image Processing, 15(11), 3409–3416. doi:10.1109/TIP.2006.881964 PMID:17076400

Zhou, W., Xie, G., & Liu, B. (2008). The application of mixed GA-BP algorithm on remote sensing image classification. Proceedings of the Joint Conference on GIS and Built Environment: Classification of Remote Sensing Images (Vol. 7147).

This research was previously published in the International Journal of Digital Crime and Forensics (IJDCF), 9(3); edited by Wei Qi Yan, pages 58-72, copyright year 2017 by IGI Publishing (an imprint of IGI Global).


Chapter 15

Electronic Payment Systems and Their Security

Kannan Balasubramanian
Mepco Schlenk Engineering College, India

M. Rajakani
Mepco Schlenk Engineering College, India

ABSTRACT

Electronic commerce (or e-commerce) can be defined as any transaction involving some exchange of value over a communication network. This broad definition includes: Business-to-business transactions, such as EDI (electronic data interchange); Customer-to-business transactions, such as online shops on the Web; Customer-to-customer transactions, such as transfer of value between electronic wallets; Customers/businesses-to-public administration transactions, such as filing of electronic tax returns. Business-to-business transactions are usually referred to as e-business, customer-to-bank transactions as e-banking, and transactions involving public administration as e-government. A communication network for e-commerce can be a private network (such as an interbank clearing network), an intranet, the Internet, or even a mobile telephone network. In this chapter, the focus is on customer-to-business transactions over the Internet and on the electronic payment systems that provide a secure way to exchange value between customers and businesses.

INTRODUCTION

Electronic Commerce

Electronic commerce (or e-commerce) can be defined as any transaction involving some exchange of value over a communication network. This broad definition includes

• Business-to-business transactions, such as EDI (electronic data interchange).
• Customer-to-business transactions, such as online shops on the Web.
• Customer-to-customer transactions, such as transfer of value between electronic wallets.
• Customers/businesses-to-public administration transactions, such as filing of electronic tax returns.

Business-to-business transactions are usually referred to as e-business, customer-to-bank transactions as e-banking, and transactions involving public administration as e-government. A communication network for e-commerce can be a private network (such as an interbank clearing network), an intranet, the Internet, or even a mobile telephone network. In this chapter, the focus is on customer-to-business transactions over the Internet and on the electronic payment systems that provide a secure way to exchange value between customers and businesses.

DOI: 10.4018/978-1-5225-6201-6.ch015

Electronic Payment Systems

Electronic payment systems have evolved from traditional payment systems, and consequently the two types of systems have much in common. Electronic payment systems are much more powerful, however, especially because of the advanced security techniques that have no analogs in traditional payment systems. An electronic payment system in general denotes any kind of network (e.g., Internet) service that includes the exchange of money for goods or services. The goods can be physical goods, such as books or CDs, or electronic goods, such as electronic documents, images, or music. Similarly, there are traditional services, such as hotel or flight booking, as well as electronic services, such as financial market analyses in electronic form.

A typical electronic payment system is shown in Figure 1. In order to participate in a particular electronic payment system, a customer and a merchant must be able to access the Internet and must first register with the corresponding payment service provider. The provider runs a payment gateway that is reachable from both the public network (e.g., the Internet) and from a private interbank clearing network. The payment gateway serves as an intermediary between the traditional payment infrastructure and the electronic payment infrastructure. Another prerequisite is that the customer and the merchant each have a bank account at a bank that is connected to the clearing network. The customer's bank is usually referred to as the issuer bank. The term issuer bank denotes the bank that actually issued the payment instrument (e.g., debit or credit card) that the customer uses for payment. The acquirer bank acquires payment records (i.e., paper charge slips or electronic data) from the merchants (O'Mahony et al, 1997).

Figure 1. A typical electronic payment system

When purchasing goods or services, the customer (or payer) pays a certain amount of money to the merchant (or payee). Let us assume that the customer chooses to pay with his debit or credit card. Before supplying the ordered goods or services, the merchant asks the payment gateway to authorize the payer and his payment instrument (e.g., on the basis of his card number). The payment gateway contacts the issuer bank to perform the authorization check. If everything is fine, the required amount of money is withdrawn (or debited) from the customer's account and deposited in (or credited to) the merchant's account. This process represents the actual payment transaction. The payment gateway sends notification of the successful payment transaction to the merchant so that he can supply the ordered items to the customer. In some cases, especially when low-cost services are ordered, the items can be delivered before the actual payment authorization and transaction have been performed.

An electronic payment system can be online or off-line. In an off-line system, a payer and a payee are online to each other during a payment transaction, but they have no electronic connection to their respective banks. In this scenario the payee has no possibility to request an authorization from the issuer bank (via the payment gateway), so he cannot be sure that he is really going to receive his money. Without an authorization, it is difficult to prevent a payer from spending more money than he actually possesses. Mainly for this reason, most proposed Internet payment systems are online. An online system requires the online presence of an authorization server, which can be a part of the issuer or the acquirer bank. Clearly, an online system requires more communication, but it is more secure than off-line systems.

An electronic payment system can be credit based or debit based. In a credit-based system (e.g., credit cards) the charges are posted to the payer's account. The payer later pays the accumulated amounts to the payment service. In a debit-based system (e.g., debit cards, checks) the payer's account is debited immediately, that is, as soon as the transaction is processed.

An electronic payment system in which relatively large amounts of money can be exchanged is usually referred to as a macropayment system. On the other hand, if a system is designed for small payments (e.g., up to 5 euros), it is called a micropayment system. The order of magnitude plays a significant role in the design of a system and the decisions concerning its security policy. It makes no sense to implement expensive security protocols to protect, say, electronic coins of low value. In such a case it is more important to discourage or prevent large-scale attacks in which huge numbers of coins can be forged or stolen.

Payment instruments are any means of payment. Paper money, credit cards, and checks are traditional payment instruments. Electronic payment systems have introduced two new payment instruments: electronic money (also called digital money) and electronic checks. As their names imply, these do not represent a new paradigm, but are rather electronic representations of traditional payment instruments. However, in many respects, they are different from their predecessors.
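The difference between the online and off-line systems described above can be made concrete with a small simulation. This is an added example, not code from the chapter: it runs the same payment orders once with an authorization check before delivery and once with delivery on trust followed by later clearing. The class and function names, the payer, the payees, the balance and the amounts are all constructed for illustration.

```python
"""Online authorization versus off-line acceptance of payment orders."""


class IssuerBank:
    """Holds payer accounts and answers authorization requests."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def authorize_and_debit(self, payer, amount):
        """Debit the payer if, and only if, the account covers the amount."""
        if amount <= 0 or self.balances.get(payer, 0) < amount:
            return False
        self.balances[payer] -= amount
        return True


def run_online(issuer, orders):
    """The payee requests authorization before supplying the goods."""
    supplied, refused = [], []
    for order in orders:
        payer, _payee, amount = order
        if issuer.authorize_and_debit(payer, amount):
            supplied.append(order)
        else:
            refused.append(order)  # nothing is delivered, so nothing is lost
    return supplied, refused


def run_offline(issuer, orders):
    """The payee cannot reach the bank, supplies the goods, and deposits later."""
    supplied = list(orders)  # every order is accepted on trust
    unpaid = []
    for order in supplied:  # later clearing at the issuer bank
        payer, _payee, amount = order
        if not issuer.authorize_and_debit(payer, amount):
            unpaid.append(order)  # goods already delivered, no money received
    return supplied, unpaid


def payee_losses(unpaid):
    """Total value delivered but never paid, per payee."""
    losses = {}
    for _payer, payee, amount in unpaid:
        losses[payee] = losses.get(payee, 0) + amount
    return losses


# Constructed scenario: one payer holding 100 units tries to spend 150.
OPENING_BALANCES = {"alice": 100}
ORDERS = [
    ("alice", "shop_a", 60),
    ("alice", "shop_b", 60),
    ("alice", "shop_c", 30),
]

if __name__ == "__main__":
    supplied, refused = run_online(IssuerBank(OPENING_BALANCES), ORDERS)
    print("online  supplied:", supplied, "refused:", refused)
    supplied, unpaid = run_offline(IssuerBank(OPENING_BALANCES), ORDERS)
    print("offline supplied:", supplied, "unpaid:", unpaid)
    print("offline losses:", payee_losses(unpaid))
```

In the online run the overspending order is refused before delivery; in the off-line run the same order is only discovered at clearing, after the payee has already supplied the goods.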
Common to all payment instruments is the fact that the actual flow of money takes place from the payer’s account to the payee’s account. Payment instruments can in general be divided into two main groups: cash-like payment systems and check-like payment systems. In a cash-like system, the payer withdraws a certain amount of money (e.g., paper money, electronic money) from his account and uses that money whenever he wants to make


a payment. In a check-like system, the money stays in the payer’s account until a purchase is made. The payer sends a payment order to the payee, on the basis of which the money will be withdrawn from the payer’s account and deposited in the payee’s account. The payment order can be a piece of paper (e.g., a bank-transfer slip) or an electronic document (e.g., an electronic check). The following three sections give an overview of payment transactions involving different payment instruments. Some electronic payment systems use traditional payment instruments. Credit cards, for example, are currently the most popular payment instrument in the Internet. The first credit cards were introduced decades ago (Diner’s Club in 1949, American Express in 1958). For a long time, credit cards have been produced with magnetic stripes containing unencrypted, read-only information. Today, more and more cards are smart cards, containing hardware devices (chips) offering encryption and far greater storage capacity. Recently even virtual credit cards (software electronic wallets), such as one by Trintech Cable & Wireless, have appeared on the market. Figure 2 illustrates a typical payment transaction with a credit card as the payment instrument (Garfinkel et al, 1997). The customer gives his credit card information (i.e., issuer, expiry date, number) to the merchant (1). The merchant asks the acquirer bank for authorization (2). The acquirer bank sends a message over the interbank network to the issuer bank asking for authorization (3). The issuer bank sends an authorization response (3). If the response is positive, the acquirer bank notifies the merchant that the charge has been approved. Now the merchant can send the ordered goods or services to the customer (4) and then present the charge (or a batch of charges representing several transactions) to the acquirer bank (5 up). The acquirer bank sends a settlement request to the issuer bank (6 to the left). 
The issuer bank places the money into an interbank settlement account (6 to the right) and charges the amount of sale to the customer’s credit card account. At regular intervals (e.g., monthly) the issuer bank notifies the customer of the transactions and their accumulated charges (7). The customer then pays the charges to the bank by some other means (e.g., direct debit order, bank transfer, check).

Figure 2. A credit card payment transaction


Meanwhile, the acquirer bank has withdrawn the amount of sale from the interbank settlement account and credited the merchant’s account (5 down).

The necessity of protecting the confidentiality of payment transaction data arose from cases of ‘stolen’ credit card numbers. Long before they were sent unencrypted over the Internet, credit card numbers were fraudulently used by non-owners, actually in most cases by dishonest merchants. There is some fraud protection in that authorization is required for all but low-value transactions, and unauthorized charges can be protested and reversed up to approximately 60 days after they are incurred. However, with the advent of e-commerce, and especially Web commerce, large-scale frauds became possible. Under the present circumstances it is important to make credit card numbers (indeed, payment information in general) unreadable not only to potential eavesdroppers, but to all e-commerce parties except the customer and his bank. As will be shown later, this can also solve the anonymity problem, because in some cases a customer can be identified on the basis of a credit card number, and many customers would rather remain anonymous to merchants. Generally, fraudulent use of credit card numbers stems from two main sources: eavesdroppers and dishonest merchants. Credit card numbers can be protected against:

• Eavesdroppers alone by encryption (e.g., SSL).
• Dishonest merchants alone by credit card number pseudonyms.
• Both eavesdroppers and dishonest merchants by encryption and dual signatures.

Electronic Money

Electronic money is the electronic representation of traditional money (Hassler, 2007; Radu, 2003). A unit of electronic money is usually referred to as an electronic or digital coin. For the following discussion, the actual value of a digital coin in units of traditional money is irrelevant. Digital coins are minted (i.e., generated) by brokers. If a customer wants to buy digital coins, he contacts a broker, orders a certain amount of coins, and pays with real money. The customer can then make purchases from any merchant that accepts the digital coins of that broker. Each merchant can redeem at the broker’s the coins obtained from the customers. In other words, the broker takes back the coins and credits the merchant’s account with real money.

Figure 3 illustrates a typical electronic money transaction. In this example the issuer bank can be the broker at the same time. The customer and the merchant must each have a current or checking account. The checking account is necessary as a transition between the real money and the electronic money, at least as long as the electronic money is not internationally recognized as a currency. When the customer buys digital coins, his checking account is debited (0). Now he can use the digital coins to make purchases on the Internet (1). Since digital coins are often used to buy low-value services or goods, the merchant usually fills the customer’s order before or even without asking for any kind of payment authorization. The merchant then sends a redemption request to the acquirer bank (3). By using an interbank settlement mechanism, the acquirer bank redeems the coins at the issuer bank (4) and credits the merchant’s account with the equivalent amount of real money.

Figure 3. An electronic money payment transaction

Electronic Check

Electronic checks are electronic equivalents of traditional paper checks. An electronic check is an electronic document containing the following data:

1. Check number,
2. Payer’s name,
3. Payer’s account number and bank name,
4. Payee’s name,
5. Amount to be paid,
6. Currency unit used,
7. Expiration date,
8. Payer’s electronic signature, and
9. Payee’s electronic endorsement.

A typical payment transaction involving electronic checks is shown in Figure 4. The customer orders some goods or services from the merchant, whereupon the merchant sends an electronic invoice to the customer (1). As payment, the customer sends an electronically signed electronic check (2). (Electronic signature is a general term that includes, among other things, digital signatures based on public-key cryptography.) As with paper checks, the merchant is supposed to endorse the check (i.e., sign it on the back) (3). (Electronic endorsement is also a kind of electronic signature.) The issuer and the acquirer banks see that the amount of sale is actually withdrawn from the customer’s account and credited to the merchant’s account (4). After receiving the check from the customer, the merchant can ship the goods or deliver the services ordered.

Figure 4. An electronic check payment transaction

Electronic Wallet

Electronic wallets are stored-value software or hardware devices. They can be loaded with specific value either by increasing a currency counter or by storing bit strings representing electronic coins. The current technology trend is to produce electronic wallets using smart card technology. In the electronic payment system developed in the CAFE project (Conditional Access for Europe, funded under the European Community’s ESPRIT program), the electronic wallet can be either in the form of a small portable computer with an internal power source (Γ-wallet) or in the form of a smart card (α-wallet). Electronic money can be loaded into the wallets online and used for payments at point-of-sale (POS) terminals.

Smart Cards

For several years now, smart card-based electronic wallets, which are actually reloadable stored-value (prepaid) cards, have been in use, mainly for small payments. The wallet owner’s account is debited before any purchases are made. The owner can load the card at a machine such as an ATM. Shops accepting such payments must be equipped with a corresponding card reader at the cash register. Examples are the Austrian Quick and Belgian Proton systems.

Another example of the use of smart cards in e-commerce is SET (Secure Electronic Transactions), an open specification for secure credit card transactions over open networks (Loeb et al., 1998). In the current version of SET, a customer (i.e., cardholder) needs a SET cardholder application installed on, for example, his home PC. A set of already approved SET extensions introduces a smart card that can communicate with the cardholder application. Since many credit cards are already made with smart card technology, in this way they will be easily integrated into SET.

PAYMENT SECURITY SERVICES

To fully satisfy the security requirements of an electronic payment system, it is necessary to provide certain additional security services that are different from the communications security services (ISO, 1989). The following classification is based on an analysis of existing commercial or experimental electronic payment systems. Each electronic payment system has a specific set of security requirements and, consequently, a specific set of security services and security mechanisms to fulfill them. Payment security services fall into three main groups depending on the payment instrument used. The first group relates to all types of electronic payment systems and all payment instruments. The services from the first group are referred to as the payment transaction security services:

• User Anonymity: Protects against disclosure of a user’s identity in a network transaction;
• Location Untraceability: Protects against disclosure of where a payment transaction originated;
• Payer Anonymity: Protects against disclosure of a payer’s identity in a payment transaction;
• Payment Transaction Untraceability: Protects against linking of two different payment transactions involving the same customer;
• Confidentiality of Payment Transaction Data: Selectively protects against disclosure of specific parts of payment transaction data to selected principals from the group of authorized principals;
• Nonrepudiation of Payment Transaction Messages: Protects against denial of the origin of protocol messages exchanged in a payment transaction;
• Freshness of Payment Transaction Messages: Protects against replaying of payment transaction messages.

The next group of services is typical of payment systems using digital money as a payment instrument. It is referred to as digital money security:

• Protection against Double Spending: Prevents multiple use of electronic coins;
• Protection against Forging of Coins: Prevents production of fake digital coins by an unauthorized principal;
• Protection against Stealing of Coins: Prevents spending of digital coins by unauthorized principals.

The third group of services is based on the techniques specific to payment systems using electronic checks as payment instruments. There is an additional service typical of electronic checks:

• Payment Authorization Transfer (Proxy): Makes possible the transfer of payment authorization from an authorized principal to another principal selected by the authorized principal.

PAYMENT TRANSACTION SECURITY

An electronic payment transaction is an execution of a protocol by which an amount of money is taken from a payer and given to a payee. In a payment transaction we generally differentiate between the order information (goods or services to be paid for) and the payment instruction (e.g., credit card number). From a security perspective, these two pieces of information deserve special treatment.

User anonymity and location untraceability can be provided separately. A pure user anonymity security service would protect against disclosure of a user’s identity. This can be achieved by, for example, a user’s employing pseudonyms instead of his or her real name. However, if a network transaction can be traced back to the originating host, and if the host is used by a known user only, this type of anonymity is obviously not sufficient. A pure location untraceability security service would protect against disclosure of where a message originates. One possible solution is to route the network traffic through a set of anonymizing hosts, so that the traffic appears to originate from one of these hosts. However, this requires that at least one of the hosts on the network path be honest, if the traffic source is to remain truly anonymous.

User Anonymity and Location Untraceability

A user anonymity and location untraceability mechanism based on a series of anonymizing hosts or mixes has been proposed in (Chaum et al, 1981). This mechanism, which is payment system independent, can also provide protection against traffic analysis. The basic idea involves using a mix. Messages are sent from A, B, and C (representing customers wishing to remain anonymous) to the mix, and from the mix to X, Y, and Z (representing merchants or banks curious about the customers’ identities). Messages are encrypted with the public key of the mix, $E_M$. If customer A wishes to send a message to merchant Y, A sends to the mix the following construct:

    $A \rightarrow \text{Mix}: E_M(\text{Mix}, E_Y(Y, \text{Message}))$

Now the mix can decrypt it and send the result to Y:

    $\text{Mix} \rightarrow Y: E_Y(\text{Message})$

Only Y can read it since it is encrypted with Y’s public key, $E_Y$. If the mix is honest, Y has no idea where the message originated or who sent it. The main drawback of the scheme is that the mix has to be completely trustworthy. If A wishes Y to send a reply, he can include an anonymous return address in the message to Y:

    $\text{Mix}, E_M(A)$

In this way the reply message is actually sent to the mix, but only the mix knows whom to send it on to (i.e., who should ultimately receive it).

An additional property of the mix scheme is protection against traffic analysis. This can be achieved by sending dummy messages from A, B, and C to the mix and from the mix to X, Y, and Z. All messages, both dummy and genuine, must be random and of fixed length, and sent at a constant rate. Additionally, they must be broken into fixed block sizes and sent encrypted so that an eavesdropper cannot read them.

The problem of having a mix trusted by all participants can be solved by using a matrix (or network) of mixes instead of just one. In this case, only one mix on a randomly chosen path (chain) has to be honest. The bigger the matrix, the higher the probability that there will be at least one honest mix on a randomly chosen path.
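The single-mix exchange and the anonymous return address described above, as an added example that is not from the chapter. Toy RSA over hard-coded Mersenne primes plus a SHA-256 keystream stands in for $E_M$ and $E_Y$ (insecure, illustration only); the field names `next`, `payload` and `reply_via`, the 64-character padding, and carrying the next hop inside the mix layer are assumptions of this example.

```python
import hashlib
import json
import secrets

E = 65537        # RSA public exponent
MSG_LEN = 64     # every message body is padded to this many characters


def keypair(p, q):
    """Toy RSA key pair from two hard-coded primes; far too small to be secure."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def _keystream(seed, length):
    """SHA-256 in counter mode, standing in for a real symmetric cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data, seed):
    pad = _keystream(seed.to_bytes(64, "big"), len(data))
    return bytes(a ^ b for a, b in zip(data, pad))


def encrypt(pub, obj):
    """E_X(obj): wrap a fresh random seed with RSA, XOR the JSON body with its keystream."""
    n, e = pub
    seed = secrets.randbelow(n - 2) + 2
    return {"k": format(pow(seed, e, n), "0128x"),
            "c": _xor(json.dumps(obj, sort_keys=True).encode(), seed).hex()}


def decrypt(priv, ct):
    n, d = priv
    seed = pow(int(ct["k"], 16), d, n)
    return json.loads(_xor(bytes.fromhex(ct["c"]), seed))


MIX_PUB, MIX_PRIV = keypair(2**107 - 1, 2**127 - 1)
Y_PUB, Y_PRIV = keypair(2**61 - 1, 2**89 - 1)


def seal(sender, dest, dest_pub, message):
    """A -> Mix: E_M(next hop, E_Y(message, return address)); return address = E_M(A)."""
    inner = encrypt(dest_pub, {"msg": message.ljust(MSG_LEN),
                               "reply_via": encrypt(MIX_PUB, {"to": sender})})
    return encrypt(MIX_PUB, {"next": dest, "payload": inner})


class Mix:
    def __init__(self, priv):
        self._priv, self._batch = priv, []

    def accept(self, network_sender, ciphertext):
        # The mix sees who connected, but never copies that into what it forwards.
        self._batch.append(ciphertext)

    def flush(self):
        """Strip one layer from every queued message and emit them in random order."""
        out = []
        for ct in self._batch:
            layer = decrypt(self._priv, ct)
            out.append((layer["next"], layer["payload"]))
        self._batch = []
        secrets.SystemRandom().shuffle(out)
        return out

    def route_reply(self, return_address, reply):
        """Only the mix can open E_M(A) and learn whom the reply is for."""
        return decrypt(self._priv, return_address)["to"], reply


def demo():
    mix = Mix(MIX_PRIV)
    # Constructed sample messages from customers A and B to merchant Y.
    sent = {"A": seal("A", "Y", Y_PUB, "order #17"),
            "B": seal("B", "Y", Y_PUB, "order #42")}
    for who, ct in sent.items():
        mix.accept(who, ct)
    delivered = mix.flush()
    opened = [decrypt(Y_PRIV, payload) for hop, payload in delivered if hop == "Y"]
    first = next(m for m in opened if m["msg"].strip() == "order #17")
    reply_to, reply = mix.route_reply(first["reply_via"], "shipped")
    return sent, delivered, opened, reply_to, reply
```

What Y opens contains only the padded message and an opaque return address, and both customers' ciphertexts have the same length, so neither content nor size tells Y (or an observer) which customer sent which order.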

Payer Anonymity

The simplest way to ensure payer anonymity with respect to the payee is for the payer to use pseudonyms instead of his or her real identity. If one wants to be sure that two different payment transactions by the same payer cannot be linked, then payment transaction untraceability must also be provided. An example is the First Virtual system by First Virtual Holdings (http://www.fv.com). Under the First Virtual system, a customer obtains a VirtualPIN (VPIN), a string of alphanumeric characters which acts as a pseudonym for a credit card number. The VirtualPIN may be sent safely by e-mail. Even if it is stolen, an unauthorized customer cannot use it because all transactions are confirmed by e-mail before a credit card is charged. If someone tries to use a customer’s VirtualPIN without authorization, First Virtual will be notified of the stolen VirtualPIN when the customer replies “fraud” to First Virtual’s request for confirmation of the sale (Figure 5). In such a case, the VirtualPIN will be canceled immediately. This mechanism also ensures confidentiality of payment instruction with respect to the merchant and potential eavesdroppers.

Figure 5 illustrates a First Virtual (FV) payment transaction. A customer sends his order to the merchant together with his VPIN (1). The merchant may send a VPIN authorization request to the FV payment provider (2). If the VPIN is valid (3), the merchant supplies the ordered services to the customer (4) and sends the transaction information to the FV provider (5). In the next step (6), the FV provider asks the customer whether he is willing to pay for the services (e.g., via e-mail). Note that the customer may refuse to pay (“No”) if the services were delivered but do not fulfill his expectations. If the services were not ordered by the customer, he responds with “Fraud.” That aborts the transaction and revokes (i.e., declares invalid) the VPIN. If the customer wants to pay, he responds with “Yes” (7). In this case the amount of sale is withdrawn from his account (8a) and deposited to the merchant’s account (8b), involving a clearing transaction between the banks (9).

Figure 5. First Virtual payment system


The payment transaction described above involves low risk if the services include information only. Even if a fraudulent customer does not pay for the services delivered, the merchant will not suffer a significant loss (O’Mahony, et al, 1997), and the VPIN will be blacklisted immediately. As mentioned before, cryptographically protected authorization messages must be exchanged between First Virtual and merchants before large shipments.

Payment Transaction Untraceability

There is only one mechanism providing perfect anonymity and thus perfect payment untraceability. However, this mechanism (blind signature) is used for digital coins. In this section, two mechanisms that allow partial payment transaction untraceability are described. Specifically, they make it impossible for a merchant to link payment transactions made with the same payment instrument, assuming that he does not conspire with the acquirer (or payment gateway).

In the randomized hashsum mechanism of iKP, when initiating a payment transaction, the customer chooses a random number $R_C$ and creates a one-time pseudonym $ID_C$ in the following way:

    $ID_C = h_k(R_C, BAN)$

$BAN$ is the customer’s bank account number (e.g., debit or credit card number). $h_k(\cdot)$ is a one-way hash function that is collision resistant and reveals no information about $BAN$ if $R_C$ is chosen at random. The merchant does not obtain $BAN$, but only $ID_C$, from which he cannot compute $BAN$. In each payment transaction the customer chooses a different random number so that the merchant receives different pseudonyms. Thus it is impossible for the merchant to link two payment transactions with the same $BAN$.

In SET (Secure Electronic Transactions) a merchant also obtains only the hashsum of a payment instruction. The payment instruction contains, among other information, the following data:

• The card’s expiry date (CardExpiry);
• A secret value shared among the cardholder, the payment gateway, and the cardholder’s certification authority (PANSecret);
• A fresh nonce to prevent dictionary attacks (EXNonce).

Since the nonce is different for each payment transaction, the merchant cannot link two transactions even if the same PAN is used.

Confidentiality of Payment Transaction Data

Payment transaction data generally consists of two parts: the payment instruction and the order information. A payment instruction can contain a credit card number or an account number. The primary purpose of protecting its confidentiality is to prevent misuse by unauthorized principals, including dishonest merchants. In many cases, however, the information contained in a payment instruction uniquely identifies the payer. Consequently, protecting it from unauthorized or dishonest principals also means protecting the payer’s anonymity.

Order information can specify the type and amount of goods or services ordered and the price to be paid, or just contain the order number. It is often not desirable that the payment gateway (or the acquirer) learn about a customer’s shopping behavior. In such cases the order information must be made unreadable for the gateway. Although a payment instruction and order information must sometimes be made unreadable to different parties, there must still be a connection between them that can be easily verified by the customer, the merchant, and the payment gateway. Otherwise, in a case of dispute, the customer could not prove that the payment instruction he sent to the merchant really related to a particular order.

The iKP mechanism (Vesna et al 2001) described in this section provides confidentiality of order information with respect to payment gateways (or acquirers), as well as confidentiality of payment instruction with respect to merchants. It also provides customer anonymity with respect to merchants. When initiating a payment transaction, a customer chooses a random number $R_C$ and creates a one-time pseudonym $ID_C$ in the following way:

    $ID_C = h_k(R_C, BAN)$

where $BAN$ is the customer’s bank account number (e.g., debit or credit card number), and $h_k(\cdot)$ is a one-way hash function that is collision resistant and reveals no information about $BAN$ if $R_C$ is chosen at random. In other words, $h_k(R_C, \cdot)$ behaves like a pseudorandom function. The merchant can see only the pseudonym, so he obtains no information about the customer’s identity. Since $R_C$ is different for each transaction, he cannot link two payments made by the same customer. The only attack he can try is to compute the hashsums of all possible combinations of a random number and an account number (dictionary attack), but this would hardly be feasible because, for a sufficiently long random number, there are too many combinations. The acquirer obtains $R_C$, so he can compute $ID_C$ and verify that it is correct. The pseudonym should be used only once, that is, for only one payment transaction. Confidentiality of order information with respect to the acquirer is achieved in a similar way.
To initiate a payment transaction, the customer chooses a random number, $SALT_C$, which should be different for each transaction, and sends it to the merchant in the clear (i.e., unprotected). Using the same hash function as before, the merchant prepares the description of the order information ($DESC$) for the acquirer in the following way:

    $h_k(SALT_C, DESC)$

The acquirer can see that the hashsum is different for each payment transaction, but he does not have enough information to compute $DESC$. It is, however, possible to eavesdrop on the communication line between the customer and the merchant on which $SALT_C$ is sent in the clear. If the number of possible $DESC$ values is not too high, the acquirer can compute all possible hashsums for a given $SALT_C$ and thus obtain the order information. Since the acquirer is probably trusted at least to some extent, this type of attack is not considered to be very likely.

To communicate the payment instruction to the acquirer in such a way that the merchant cannot read it, iKP uses public key encryption. With the acquirer’s public key, the customer encrypts a message including:

• The price of the ordered item;
• His payment instruction (e.g., credit card number, and, optionally, card PIN);
• $h_k(SALT_C, DESC)$ hashed together with the general transaction data;
• A random number $R_C$ used to create his one-time pseudonym.


The encrypted message is sent to the merchant to be forwarded to the acquirer. The customer must have the acquirer’s public key certificate issued by a trusted certification authority. In this way, only the acquirer can decrypt the message. With $R_C$ the acquirer can verify the correctness of the customer’s one-time pseudonym $ID_C$. The connection between the payment instruction and the order information is established through the value of $h_k(SALT_C, DESC)$ and the general transaction data known by all parties. This combination of values is unique for each payment transaction.

Nonrepudiation of Payment Transaction Messages

Accountability in a communication network implies that the communication parties can be made liable for both what they did and what they did not do. It includes nonrepudiation of origin, receipt, submission and delivery. This section will deal with nonrepudiation of origin, which prevents denial of authorship of a document, and to some extent nonrepudiation of receipt, which prevents denial that a message was received if a signed acknowledgment has already been sent.

Nonrepudiation of submission and delivery are very complex and still insufficiently resolved issues because they involve interaction with potentially unreliable communication networks. If a sender needs proof that he really did send a message, he may request a digitally signed submission acknowledgment from the network node. However, on the network path to the final receiver there may be more than one node, so the first node may request the same from the second node, and so on. Currently there is no infrastructure to provide such a service. Nonrepudiation of delivery is similar: the first node requests a signed delivery acknowledgment from the second node, and so on. Finally, the last node on the network path requests an acknowledgment from the actual receiver.

Figure 6 illustrates a simple payment transaction. The acquirer represents a payment gateway and an acquirer bank. It is assumed that the order information (goods or services, price, type of delivery) has been negotiated before the Payment message, and that the Payment message uniquely identifies the payment transaction. The payer sends the payee the Payment message, which contains the payment instruction, including the payment instrument’s identification. For example, for a credit card the data contains the issuer bank, number, and expiry date (validity period). The payee wants to verify that the credit card can be charged, so he sends an Authorization Request message to the acquirer.
The Authorization Response message contains the authorization result. If the result is positive, the payee sends a Payment Receipt to the payer and delivers the purchased goods or services.

The payee needs undeniable proof that the payer agrees to pay a certain amount of money. The proof is contained in the Payer’s Payment Authorization message. This message ensures nonrepudiation of payment authorization by the payer. The acquirer and the issuer bank need that proof as well in order to withdraw the amount of sale from the payer’s account and credit the payee’s account. The message is digitally signed with the payer’s private key.

The acquirer and the issuer bank need undeniable proof that the payee asked for the amount of sale for this transaction to be paid into his account. That is the purpose of Payee’s Payment Authorization, which ensures nonrepudiation of payment authorization by the payee. The message is signed with the payee’s private key.

As mentioned before, the payee asks the acquirer for the Acquirer’s Payment Authorization message, since he needs it as proof that the acquirer has approved the payment transaction. The payer may also require that proof. This ensures nonrepudiation of payment authorization by the acquirer. The message is signed with the acquirer’s private key.

The Acquirer’s Payee Authorization message proves that the payee is authorized to collect payments. If the acquirer is also a certification authority, the message can be in the form of a public key certificate in which the payee’s public key is digitally signed (i.e., certified) with the acquirer’s private key. If the public key certificate can be obtained from a public directory, this message is not necessary. If the acquirer is not a certification authority, the message can represent an attribute certificate by which the acquirer authorizes the payee to collect payments. Since it is not usual that the payer and the acquirer communicate directly, the certificate is sent to the payee to be forwarded to the payer.

Figure 6. A simple payment transaction

Figure 7. Nonrepudiation messages


Finally, if everything has gone well, the payee sends a payment receipt (Payee’s Payment Receipt) to the payer. In this way the payee cannot later deny that the payer has paid for the ordered items. The receipt should be digitally signed by the payee.

Freshness of Payment Transaction Messages

Freshness of messages can, in general, be ensured by using nonces (random numbers) and time stamps. To illustrate how they can be used in a payment transaction, here is a model based on 1KP (Figure 7). In the rightmost column of the figure, the names of the transaction messages are given. In 1KP there are five values that are unique for each payment transaction:

• Transaction Identifier: $TID_M$, chosen by the merchant;
• Current Date and Time: $DATE$;
• Random Number: $NONCE_M$, chosen by the merchant;
• Random Number: $SALT_C$, chosen by the customer;
• Random Number: $R_C$, chosen by the customer.

The purpose of $TID_M$, $DATE$, and $NONCE_M$ is to ensure freshness of all payment transaction messages except the Initiate message. All three values together are referred to as $TR_M$. All transaction messages depend on $SALT_C$ and $R_C$.

The customer initiates the payment transaction by sending the Initiate message. He uses a one-time pseudonym $ID_C$. The merchant responds with the Invoice message. $ID_M$ is his identifier. The value of $COM$ represents a fingerprint of the general transaction data known by all parties:

    $COM = h(PRICE, ID_M, TR_M, ID_C, h_k(SALT_C, DESC))$

$h(\cdot)$ is a collision-resistant one-way hash function, and $h_k(\text{key}, \cdot)$ is a pseudorandom function.

The Payment message is encrypted with the acquirer’s public key $E_A$. The customer and the merchant negotiate $PRICE$ and $DESC$ (order information) before the Initiate message. The acquirer can compute $PRICE$ from the Payment message that is forwarded to it since it is encrypted with its public key $E_A$. However, it never learns $DESC$, since the protocol ensures confidentiality of order information with respect to the acquirer. $PI$ is the customer’s payment instruction containing, for example, his credit card number and the card’s PIN.

The Auth-Request (Authorization Request) message basically contains the Invoice and the Payment message. {Message} denotes the contents of the previously sent Message. The value of $h_k(SALT_C, DESC)$, together with $COM$, establishes a connection between the payment instruction and the order information. Resp is the authorization response from the acquirer and can be positive (yes) if the credit card can be charged, or negative (no). The whole Auth-Response message is signed by the acquirer ($D_A$). The merchant forwards the Auth-Response message to the customer. $CERT_A$ is the acquirer’s public key certificate. It can usually be retrieved online from a public directory.
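An added example (not from the chapter or the iKP specification) that ties together the one-time pseudonym and salted order hash from the confidentiality section with the $COM$ fingerprint and $TR_M$ freshness values above. HMAC-SHA256 for $h_k$, SHA-256 for $h$, an integer DATE in seconds, the replay cache and all sample values are assumptions; the Payment message is shown as the acquirer sees it after decryption.

```python
import hashlib
import hmac
import secrets


def hk(key, data):
    """h_k(key, data): HMAC-SHA256 is this example's assumption for the keyed hash."""
    return hmac.new(key, data, hashlib.sha256).digest()


def h(*fields):
    """h(.) over length-prefixed fields, so field boundaries cannot be shifted."""
    digest = hashlib.sha256()
    for field in fields:
        digest.update(len(field).to_bytes(4, "big") + field)
    return digest.digest()


def initiate(ban):
    """Customer: fresh R_C and SALT_C per transaction; ID_C = h_k(R_C, BAN)."""
    r_c, salt_c = secrets.token_bytes(16), secrets.token_bytes(16)
    return {"R_C": r_c, "SALT_C": salt_c, "ID_C": hk(r_c, ban.encode())}


def make_tr_m(tid_m, date):
    """Merchant: TR_M = (TID_M, DATE, NONCE_M) with a fresh NONCE_M."""
    return (tid_m, date, secrets.token_bytes(16))


def com(price, id_m, tr_m, id_c, desc_hash):
    """COM = h(PRICE, ID_M, TR_M, ID_C, h_k(SALT_C, DESC))."""
    tid_m, date, nonce_m = tr_m
    return h(str(price).encode(), id_m.encode(), tid_m.encode(),
             str(date).encode(), nonce_m, id_c, desc_hash)


def customer_payment(ban, price, id_m, tr_m, desc):
    """Customer: everything sent for one transaction (Payment shown before encryption)."""
    c = initiate(ban)
    desc_hash = hk(c["SALT_C"], desc.encode())
    payment = {"PRICE": price, "BAN": ban, "R_C": c["R_C"],
               "COM": com(price, id_m, tr_m, c["ID_C"], desc_hash)}
    return c, desc_hash, payment


class Acquirer:
    """Checks an Auth-Request; `payment` is the Payment message after decryption."""

    def __init__(self, max_age=300):
        self.max_age = max_age      # accepted clock difference for DATE, in seconds
        self.seen = set()           # (ID_M, TID_M, NONCE_M) already authorized

    def authorize(self, now, id_m, tr_m, id_c, desc_hash, payment):
        tid_m, date, nonce_m = tr_m
        if abs(now - date) > self.max_age:
            return "stale"
        if (id_m, tid_m, nonce_m) in self.seen:
            return "replay"
        if not hmac.compare_digest(hk(payment["R_C"], payment["BAN"].encode()), id_c):
            return "pseudonym mismatch"
        expected = com(payment["PRICE"], id_m, tr_m, id_c, desc_hash)
        if not hmac.compare_digest(expected, payment["COM"]):
            return "order/payment mismatch"
        self.seen.add((id_m, tid_m, nonce_m))
        return "yes"


def guess_desc(salt_c, desc_hash, candidates):
    """The caveat from the text: SALT_C travels in the clear, so a short list of
    possible DESC values can be hashed and compared against h_k(SALT_C, DESC)."""
    for desc in candidates:
        if hmac.compare_digest(hk(salt_c, desc.encode()), desc_hash):
            return desc
    return None


def demo():
    # Constructed sample data, not taken from the chapter.
    ban, desc, price, id_m = "0000-1111-2222-3333", "1 x blue kettle", 2999, "merchant-7"
    acquirer, verdicts, pseudonyms = Acquirer(), [], []
    for tid_m in ("T1", "T2"):
        tr_m = make_tr_m(tid_m, date=1000)
        c, desc_hash, payment = customer_payment(ban, price, id_m, tr_m, desc)
        pseudonyms.append(c["ID_C"])
        verdicts.append(acquirer.authorize(1010, id_m, tr_m, c["ID_C"], desc_hash, payment))
    # T2's Auth-Request presented a second time.
    verdicts.append(acquirer.authorize(1020, id_m, tr_m, c["ID_C"], desc_hash, payment))
    # T3: the order hash forwarded to the acquirer differs from the one inside COM.
    tr3 = make_tr_m("T3", date=1015)
    c3, _, pay3 = customer_payment(ban, price, id_m, tr3, desc)
    swapped = hk(c3["SALT_C"], b"10 x blue kettle")
    verdicts.append(acquirer.authorize(1020, id_m, tr3, c3["ID_C"], swapped, pay3))
    guessed = guess_desc(c["SALT_C"], desc_hash, ["1 x red kettle", "1 x blue kettle"])
    return verdicts, pseudonyms, guessed
```

The two pseudonyms for the same account differ, which is what keeps the merchant from linking T1 and T2, while `guess_desc` succeeding on a two-item catalogue shows why the order hash protects DESC only when the set of possible descriptions is large.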


REFERENCES

Chaum, D. (1981). Untraceable Electronic Mail, Return Addresses and Digital Pseudonyms. Communications of the ACM, 24(2), 84–90. doi:10.1145/358549.358563

Garfinkel, S., & Spafford, G. (1997). Web Security & Commerce. Cambridge, UK: O’Reilly & Associates, Inc.

Hassler, V. (2001). Security Fundamentals of Electronic Commerce. Artech House.

Loeb, L. (1998). Secure Electronic Transactions: Introduction & Technical Reference. Norwood, MA: Artech House.

O’Mahony, D., Peirce, M., & Tewari, H. (1997). Electronic Payment Systems. Norwood, MA: Artech House.

Radu, C. (2003). Implementing Electronic Card Payment Systems. Artech House.

SET Secure Electronic Transaction LLC. (1999). The SET Specification. Retrieved from http://www.setco.org/set_specifications.html

ADDITIONAL READING Asokan, N., Janson, P. A., Steiner, M., & Waidner, M. (1997). The State of the Art in Electronic Payment Systems. IEEE Computer, 30(9), 28–35. doi:10.1109/2.612244 International Organization for Standardization. (1989). Information Technology Open Systems Interconnection Basic Reference Model. Part 2: Security Architecture, ISO IS 7498-2.

KEY TERMS AND DEFINITIONS

Anonymity: The property by which the initiator of a transaction or a consumer of a service does not reveal his identity to the others.
Confidentiality: Protection provided to the privacy of user data.
Electronic Payment: Payment made over the Internet using authorized credit or Debit Cards issued by Banks.
Freshness: The freshness of a message ensures that the message is the most recent message received from a sender.
Nonrepudiation: Cryptographic service to protect against denial by sender or receiver of a message.
Smart Card: A card capable of storing digital information and can be used to verify identity and make payments.

This research was previously published in Cryptographic Solutions for Secure Online Banking and Commerce edited by Kannan Balasubramanian, K. Mala, and M. Rajakani, pages 20-35, copyright year 2016 by Information Science Reference (an imprint of IGI Global).


Chapter 16

Data Mining for Secure Online Payment Transaction

Masoumeh Zareapoor
Shanghai Jiao Tong University, China

Pourya Shamsolmoali
CMCC, Italy

M. Afshar Alam
Jamia Hamdard University, India

ABSTRACT

Fraud detection requires a holistic approach in which the objective is to correctly classify transactions as legitimate or fraudulent. Existing methods give priority to detecting all fraudulent transactions, since these result in monetary loss. To achieve this, most of the time they have to compromise on some genuine transactions. Thus, the major issue that credit card fraud detection systems face today is that a significant percentage of transactions labelled as fraudulent are in fact legitimate. These “false alarms” delay transactions and create inconvenience and dissatisfaction for the customer. The objective of this research is therefore to develop an intelligent data mining based fraud detection system for a secure online payment transaction system. The performance of the proposed model is evaluated on a real credit card dataset, and the proposed model is found to have a higher fraud detection rate and a lower false alarm rate than other state-of-the-art classifiers.

DOI: 10.4018/978-1-5225-6201-6.ch016

Copyright © 2019, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

INTRODUCTION

The electronic society makes life more convenient and easy, and the online mode of payment in the banking system is one of the most essential parts of our daily life. “Electronic payment system is a combination of commerce and technology”. The idea of allowing the payment process to be performed across a computer network (electronically) is not new: it was proposed in 1980. But the electronic payment system officially started in 1997, and since then researchers have developed an enormous number of different payment techniques. Many of these methods entered the market, but they were not very successful because consumers were not satisfied with them. An electronic payment system is conducted in “different electronic commerce categories such as Business to business, business to customer, customer to business and customer to customer”. To participate in the electronic payment system, the “customer and the merchant should access the internet”; in addition, their bank accounts (the customer’s and the merchant’s) should be at banks that are connected to the internet. Electronic payment is “much powerful, convenient and portable”. Among the variety of payment systems, “credit card is more popular and become the most convenient and essential instrument” for conducting electronic payment, owing to the following features (Jithendra, 2011):

• They allow making purchases without carrying a lot of cash.
• They allow making purchases without worrying about local currency.
• They allow convenient ordering by email.
• They are simple and comfortable.

Credit cards are a “convenient and flexible method of payment”. A credit card is a small plastic card that can be used either physically or virtually (Ngai et al., 2011). In physical use, “the cardholder (customer) handover his/her card physically to a merchant for making a payment”. In virtual use, only some important and confidential information about the card, such as “card number, expiration date and secure code”, is required to make a transaction, and there is no need to present the physical card. Usually “such purchases are normally done on the Internet or over the telephone”.

Credit cards are not the panacea that we might hope for, because as the number of transactions made by credit card increases, “the fraudsters’ activities are also increased significantly”. Among all types of fraud, financial fraud is the most dangerous and frightening, because it costs hundreds of millions of dollars per year in damages and hurts hundreds of millions of people. According to a “publisher of payments industry newsletter”, global credit card fraud cost $12.4 billion in 2015 (Bloomberg, 2015). Unfortunately, no one is completely safe from being defrauded. Because the credit card is the easiest and most popular method in the payment industry, “it is considered as a good place to make a fraud because in a short time fraudsters can earn lots of money”. To commit fraud “in case of offline payment”, where the credit card is used physically, fraudsters must steal the credit card itself to make fraudulent transactions, whereas in the case of “online payment”, which can occur over the phone or the internet, fraudsters need to steal only the card’s information (Ramanathan, 2012). Thus, “a secured banking system requires high speed authentication machines” that let legitimate transactions pass easily while detecting fraudulent transactions attempted by others.

The most popular and trusted technique in credit card fraud detection is data mining, because “millions of transactions are handled every day and to process such a huge amount of data human assessing is inefficient”. According to a survey in 2015, “the five best fraud detection companies” are those listed in Table 1 (Top Credit Card Processors, 2015).

Table 1. Credit card fraud detection: best fraud detection services (July 2015)

| Rank | Name of Company | Year Founded |
| --- | --- | --- |
| 1 | Ethoca Limited | 2003 |
| 2 | Norse Corporation | 2010 |
| 3 | Facility Management Advisors | 2009 |
| 4 | MaxMind | 2002 |
| 5 | Kount | 2007 |

CONTRIBUTIONS

The major contribution of this research is an intelligent data mining based fraud detection system named FraudMiner. The challenges are as follows:

• The credit card dataset is strongly imbalanced, and hence general classifiers cannot properly classify transactions into fraud and legal.
• For security reasons, banks do not provide real datasets to individual researchers.
• Banks are ready to give only anonymized data for research (customer transaction data in which the field names are changed so that the researcher gets no idea of what they represent).

Thus, the major consideration while developing FraudMiner was to build a fraud detection system that can handle class imbalance as well as anonymized data. During the training phase, the proposed system prepares two pattern databases from the customer transaction data, namely a legal pattern database and a fraud pattern database. These databases are created using frequent itemset mining. A matching algorithm then classifies each incoming transaction by matching the incoming transaction of a particular customer against his/her legal and fraud patterns in the corresponding databases. If “the incoming transaction is matching more to legal pattern than fraud pattern, then it is considered as legal and if it is matching more to the fraud pattern than the legitimate one it can be classified as fraud”.
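The sketch below is an added illustration of the training and matching idea just described, not the authors' FraudMiner implementation. It assumes the pattern for each class is the largest frequent itemset found by a level-wise (Apriori-style) search, a minimum support of 0.6, a match score equal to the fraction of the pattern found in the transaction, and a "review" outcome for ties and unknown customers; the anonymized fields f1 to f4 and all transactions are constructed.

```python
from collections import defaultdict
from itertools import combinations


def items(txn: dict) -> frozenset:
    """One transaction as a set of (anonymized field, value) items."""
    return frozenset(txn.items())


def support(itemset: frozenset, baskets: list) -> int:
    """Number of transactions that contain every item of itemset."""
    return sum(1 for b in baskets if itemset <= b)


def largest_frequent_itemset(txns: list, min_support: float = 0.6) -> frozenset:
    """Level-wise search for the largest itemset present in at least
    min_support (a fraction) of txns. Ties go to the higher support."""
    baskets = [items(t) for t in txns]
    need = min_support * len(baskets)
    singles = {i for b in baskets for i in b}
    level = {frozenset([i]) for i in singles
             if support(frozenset([i]), baskets) >= need}
    best = frozenset()
    while level:
        best = max(level, key=lambda s: (support(s, baskets), tuple(sorted(s))))
        size = len(best) + 1
        # Join frequent k-itemsets into (k+1)-candidates, keep the frequent ones.
        candidates = {a | b for a, b in combinations(level, 2) if len(a | b) == size}
        level = {c for c in candidates if support(c, baskets) >= need}
    return best


def train(history: list, min_support: float = 0.6) -> dict:
    """history: (customer, transaction, label) with label 'legal' or 'fraud'.
    Patterns are mined per customer and per class, so the rare fraud class
    is never outvoted by the far larger legal class."""
    grouped = defaultdict(lambda: {"legal": [], "fraud": []})
    for customer, txn, label in history:
        grouped[customer][label].append(txn)
    return {c: {label: largest_frequent_itemset(txns, min_support)
                for label, txns in classes.items()}
            for c, classes in grouped.items()}


def match(pattern: frozenset, txn_items: frozenset) -> float:
    """Fraction of the pattern's items present in the transaction."""
    return len(pattern & txn_items) / len(pattern) if pattern else 0.0


def classify(pattern_db: dict, customer: str, txn: dict) -> str:
    patterns = pattern_db.get(customer)
    if patterns is None:
        return "review"                      # no history for this customer
    legal = match(patterns["legal"], items(txn))
    fraud = match(patterns["fraud"], items(txn))
    if legal == fraud:
        return "review"                      # tie handling is an assumption
    return "legal" if legal > fraud else "fraud"


def build_demo_db() -> dict:
    # Constructed, anonymized sample history for one customer.
    legal = [
        {"f1": "A", "f2": "low", "f3": "day", "f4": "x"},
        {"f1": "A", "f2": "low", "f3": "day", "f4": "y"},
        {"f1": "A", "f2": "low", "f3": "day", "f4": "x"},
        {"f1": "A", "f2": "mid", "f3": "day", "f4": "z"},
        {"f1": "A", "f2": "low", "f3": "night", "f4": "y"},
        {"f1": "A", "f2": "low", "f3": "day", "f4": "z"},
    ]
    fraud = [
        {"f1": "Z", "f2": "high", "f3": "night", "f4": "x"},
        {"f1": "Z", "f2": "high", "f3": "night", "f4": "q"},
    ]
    history = [("C1", t, "legal") for t in legal] + [("C1", t, "fraud") for t in fraud]
    return train(history)


if __name__ == "__main__":
    db = build_demo_db()
    print(db["C1"])
    print(classify(db, "C1", {"f1": "A", "f2": "high", "f3": "night", "f4": "x"}))
```
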

SECURITY ISSUES IN ONLINE PAYMENT

The “online payment transaction contain of four groups”. The first group is the customer, the real person who is the legal owner of the card and makes a legitimate transaction. “Second group is the credit card issuer which is the customer’s bank (issuing bank)”. “The third group is the merchant who sells goods or products to the customer”. “Finally the fourth group is the merchant’s bank (here called as acquiring bank) where finally the transaction amount from customer’s account transferred”. Figure 1 gives an overview of a typical conventional online payment transaction in a retail store.

Figure 1. A typical electronic payment system

1. In step 1, the customer hands over his/her card to the merchant to make a transaction; the merchant then swipes the card through the reader of the Point-of-Sale (POS) terminal, which has been provided to the merchant by the acquiring bank, and enters the transaction amount into the POS terminal as well.
2. In step 2, the transaction details, merchant details and credit card details (stored in the card) are sent to the acquiring bank.
3. In step 3, “the acquiring bank sends the information to the issuing bank for verification. In fact, in this step they want to check whether the card has any sign of fraudulent transactions”.
4. In step 4, the transaction authorization (or rejection) is sent to the acquiring bank.
5. In this step, the notification of step 4 is passed back to the merchant.
6. In the last step, if everything is fine (i.e., the amount is withdrawn from the customer’s account and deposited to the merchant’s account), the customer receives his/her goods and confirms the legality of the transaction with his/her signature.

With the amount of electronic shopping increasing every day, credit card usage is also becoming more popular. Not only can you shop from home, you can even get a discount on products purchased by credit card (Jithendra, 2011). A credit card allows customers to borrow money to pay for the products and goods they purchase. According to Jithendra (2011), both customers and merchants benefit from credit card payment systems, since cardholders enjoy the convenience of the credit card and “merchants also found that the customers that using credit card for making transactions usually spends more than other customers that they had to pay cash; the average of credit card users is about 126% more than if cash is used”. As the number of credit card transactions increased day by day and the issuing procedure became complicated, “the banks started to sell the processing service to great companies such as, visa card, master card companies”. This reduces the banks’ task of issuing credit cards and also produces greater growth for payment systems. As more and more people choose to shop and pay their bills online, the rate of online financial fraud has also increased. Fraud is the use of false representations for monetary gain. Because its detection is complex, there is not yet a fraud detection method that can detect fraud efficiently.

Thus, we can say “any business that involves money can be compromised by fraudulent acts”, such as insurance, telecommunications (Farvaresh et al., 2011), and credit cards (Abdelhalim et al., 2009). According to Ngai et al. (2011), among all areas of internet fraud, financial fraud is the most significant and dangerous one, since in the recent past there has been an effort to develop methods to combat this type of financial fraud.


TYPE OF CREDIT CARD FRAUD

A credit card is more convenient to use than carrying cash, but it is a big concern if not used carefully. The most important pitfall of credit card usage is credit card fraud. “As the number of cards increasing so, does the risk of fraud”. Since “more cards have been issued for making more purchases, the fraud is likely to continue with new types of fraud”. According to the type of fraud, credit card fraud is grouped into transaction fraud and application fraud. Transaction fraud occurs when a legitimate customer’s information is abused by criminals, whereas application fraud occurs when fraudsters obtain a card from an issuing financial institution/bank by using other people’s information and keep using the card with the stolen identity. (Currently, banks deny credit cards to people who have insufficient income or whose profile fits the profile of those likely to commit fraud.) Credit card frauds are defined in the following ways:

• Act of criminal deception (misleading over the internet) by using unauthorized credit card accounts or by getting sensitive information
• Unlawful or unauthorized use of account for personal gain
• Misrepresentation of account information to purchase goods

Diversity of Credit Card Fraud

Credit card fraud can be categorized into five groups (Phua, 2007): lost or stolen cards, counterfeit credit cards, card not present, identity-theft fraud, and mail & non-receipt fraud. The fraud statistics (Kim & Kim, 2002) provided “by federal trade commission, consumer sentinel network” on 12 July 2015 are shown in Figure 2. The results in Figure 2 show that lost and stolen cards represent 28%, and that a considerable proportion, 46% of all fraud, is counterfeit fraud.

DATA MINING TECHNIQUES

“Data Mining is a family of machine learning techniques that automatically go through huge amount of data and can discover meaningful information which is hidden”. Some databases are very large, so it is inconvenient and sometimes impossible to discover patterns in them manually. Data mining is “the automatic discovery of valuable information from massive data”. Tan et al. state that data mining is a combination of “data analysis techniques” with “sophisticated algorithms” that can easily process the dataset. Hormozi et al. (2004) noted that data mining is a marketing technique that focuses on the most useful and valuable information in the database and allows managers to make decisions about their product. Fayyad et al. (1996) noted that data mining is the easiest tool for finding valuable patterns in databases in order to make the best decision. Generally, data mining is a blend of different areas such as machine learning, artificial intelligence, visualization, statistics, database research and pattern recognition (Manikas, 2008). These areas are closely related to each other, and “it is difficult to distinguish where each of these areas overlap”. Figure 3 illustrates this statement (data mining and the fields that influenced it).

Figure 2. Credit card fraud statistics (July 2015)

Figure 3. Related fields of data mining

APPLICATIONS OF DATA MINING

Data mining techniques are widely used in different forms and have led to the enhancement of many applications. Data mining consists of the following steps:

1. Data Cleaning: The original (raw) data are not clean and contain missing values or noise. We need to apply data cleaning techniques to the original data to remove these errors and create a new dataset that contains significant information.
2. Data Selection: In the previous step, we may not have collected “all the relevant and important data”. This step helps us choose the most useful data for the data mining technique.
3. Data Transformation: Even after cleaning, the dataset is still not ready for mining, so we should transform it into a form suitable for the mining process. For example, data may need to be converted into numeric values to be used in a neural network.
4. Data Mining: After the cleaning and transformation steps, the dataset is ready to be used to extract the important patterns or desired information. Many mining techniques have been developed, and the choice often depends on the type of information we are seeking and the type of data we have. Some of the techniques are association rule mining, fuzzy logic, clustering, neural networks, classification and genetic algorithms.
5. Pattern Evaluation: This step identifies the truly interesting and relevant patterns “by visualization and removing redundant patterns from the database”.
6. Decisions: At the end, we use the acquired patterns and knowledge to make better decisions/conclusions.

LEARNING TECHNIQUE IN DATA MINING

Another crucial concept in data mining is the learning model. There are two approaches: supervised and unsupervised learning techniques.

Supervised Learning Technique

A supervised learning technique “uses a dataset to make predictions. The training data includes class label”. For instance, in the credit card dataset the class labels are legal and fraud transactions. The key idea in a supervised model is learning from past data and applying this information to future cases. Each incoming transaction is compared with the previous patterns; if it follows a pattern of fraudulent transactions as described by the trained model, it is classified as fraudulent. In contrast, if the new transaction follows the legitimate pattern, it is classified as legitimate. A supervised model requires a class label for each training sample, which is not always available in a real-world problem, so we may face problems in using this method on such datasets. Another limitation of supervised learning models is that “it cannot detect new frauds, because the behaviour of new fraud is unknown to the trained model and therefore the system cannot detect it”. We can group supervised techniques into classification and regression. Neural networks and Support Vector Machines (SVMs) are the most popular applications of supervised techniques (Yu et al., 2010).

Unsupervised Learning

This method does not require class labels for model construction. The model is built from normal behaviour without using class labels, and is then used to “detect outlier instances which deviate from the normal behaviour”. In particular, unsupervised models can detect new fraud types, since they are not limited to the patterns created from the training dataset. They are often more exploratory than supervised models.

DATA MINING TECHNIQUES

Prediction and description in data mining are achieved using the following tasks.

Classification

Classification is one of the most common learning models in the application of data mining; it can “classify each record of data into one of the predefined classes” (Ngai et al., 2011). The most popular classification techniques are decision trees (Agrawal & Srikant, 1994), Bayesian classifiers (Excell, 2012), support vector machines (Wu et al., 2007) and neural networks (Aleskerov & Freisleben, 1997). Classification models in credit card fraud detection mainly use credit card transactions to classify them as legitimate or fraudulent.

Clustering

Clustering is the most common data mining approach based on unsupervised learning. It categorizes data into different groups according to their characteristics, and “each group is a cluster”. The task of a clustering technique is similar to that of a classification technique. A classification technique tries to separate data records into “a set of predefined classes”, while in a clustering method “class labels are unknown (it is unavailable in dataset) and it is up to the clustering algorithm to find an acceptable class”. Thus, the clustering method is referred to as “an unsupervised classification” (Ngai et al., 2011). The result of clustering is defined as follows: “objects in one cluster have a high similarity, whereas being very dissimilar to the objects in the other clusters”. Clustering is a useful method that can be used as an outlier detection tool to detect attributes that deviate from normal patterns. Recently, clustering techniques have been widely used in many real-world applications such as document clustering (Hanagandi et al., 1996) and credit card fraud detection. The most common clustering techniques are K-means (Cover & Hart, 1967) and the self-organizing map (Zaslavsky & Strizhak, 2006).

Prediction

Prediction is very similar to classification; it estimates upcoming values based on the patterns of a dataset. The only difference is that in prediction the classes are not a discrete attribute but a continuous one. There are two main types of prediction: predicting unavailable data values, or predicting a class label for the dataset. This method uses a large number of past values as predefined patterns to estimate probable future values. Logistic and neural network models are the most common examples of this method. Prediction techniques are mainly used in credit card fraud detection to predict whether an incoming transaction is legitimate or fraudulent.

Outlier Detection

Outlier detection applies when a data element is grossly different from, or incompatible with, the remaining dataset (Ngai et al., 2011). Outliers are “data elements that cannot be grouped in a given class or cluster”. Outlier detection techniques mainly use credit card transactions to detect any abnormality in the data and classify the transactions as legitimate or fraudulent.

Regression

This method is a statistical model that is used to expose the relationship between one or more variables (Charniak, 1991). Many practical studies have used logistic regression as a standard (Qibei & Chunhua, 2011).

Visualization

Visualization is the best technique for conveying complex patterns through a clear presentation of data (Hunt et al., 1998).

FRAUDMINER: THE PROPOSED FRAUD DETECTION MODEL

With the advent of communication techniques, e-commerce and online payment transactions are increasing rapidly. Along with this, the financial frauds associated with these transactions are also growing, resulting in the loss of billions of dollars globally every year. Among the various financial frauds, credit card fraud is the oldest, most common and most dangerous, owing to the widespread use of credit cards and the convenience they offer to the customer. According to Kount, which is one of the top five fraud detection companies in the world, 40% of total financial fraud is related to credit cards (topcreditcardprocessors.com, August 2015). Fraudsters get access to credit card information in many ways. According to a recent report by CBC News, smartphones are used to skim credit card data easily with a free Google application. However, fraud is becoming increasingly complex, and financial institutions are under increasing regulatory and compliance pressure. To combat these frauds, banks need more sophisticated fraud detection techniques. The major problem for e-commerce business today is that fraudulent transactions appear more and more like legitimate ones (Liu et al., 2007), and a simple fraud detection method is not efficient at detecting the frauds. Moreover, credit card transaction datasets are “strongly imbalanced data and the legal and fraud transactions vary at least hundred times” (Mukhanov, 2008); in a real dataset more than 98% of the transactions are legal while “only 2% or less” of them are fraud. It is in the interest of both the merchant and the card issuer to detect fraud as soon as possible; otherwise customers will lose their trust in both the card issuer and the merchant. A good banking system for electronic commerce must let genuine users conduct their business easily, while flagging and detecting suspicious transaction attempts by others, who are called fraudsters.

Even though fraud detection has a long history, not much research has been done in this area. The reason is the unavailability of real-world data on which researchers can perform experiments. Since this kind of dataset is sensitive, banks are reluctant to provide it to researchers. Because of this difficulty in finding datasets, not many detection techniques have been developed, and even fewer in the literature are known to have been implemented on actual datasets. When a transaction is made, the fraud detection system generally starts to evaluate it and assigns the new transaction to one of two classes: ‘fraudulent’ or ‘legitimate’. Fraud detection is generally a data mining classification task where “its objective is to correctly classify the transactions either legitimate or fraudulent”.

AN OVERVIEW ON CREDIT CARD FRAUD DETECTION TECHNIQUES (CCFD)

As we explained in section 3, owing to the dearth of real credit card transaction datasets, not much research has been done in this area, and even fewer techniques are known to have been implemented in actual detection systems. Still, we can find some successful applications of various data mining techniques in fraud detection, such as outlier detection (Manikas, 2008), self-organizing maps (Zaslavsky & Strizhak, 2006), neural networks (Dorronsoro et al., 1997), Bayesian classifiers (Excell, 2012), support vector machines (Kim et al., 2002), artificial immune systems (Mohammad & Zitar, 2011), fuzzy systems (Quah et al., 2008), genetic algorithms (Duman et al., 2011), and K-nearest neighbour (Cover & Hart, 1967). We can say that detecting fraud is “a complex computational task”, and the results even show that there is no detection system that predicts with confidence whether a transaction is legitimate or fraudulent (Bolton & Hand, 2002). As a consequence, one of the common approaches to fighting fraud is to create mechanisms that distinguish fraudulent from legitimate behaviour. Technically, these mechanisms can be created using a data mining classification technique that makes use of past customer records already known to be fraudulent or legitimate. However, applying classification techniques to fight fraud always involves a particular problem, which we discuss in the next section. Because of this essential characteristic, applying traditional, existing classification techniques such as decision trees or neural networks is not enough to obtain a good classifier. Most of the credit card fraud detection techniques reported in the literature are based on detecting and avoiding abnormal behaviour of the real user/cardholder.

Technically, these mechanisms can be created using a data mining technique that makes use of a set of historical records of customers’ transactions already known to be fraudulent or legitimate (the training set). A supervised learning model in credit card fraud detection requires accurate information about previous transactions (legitimate and fraudulent) in the training dataset. In the next step, the classifier is used to assign class labels to the testing dataset, for which the class label is unknown. There are five main supervised learning techniques:

1. Naïve Bayes
2. Decision trees
3. Neural networks
4. K-nearest neighbour (KNN)
5. Support vector machines (SVM)

An unsupervised learning model, by contrast, does not require class labels for model construction. This model simply determines which observations are most dissimilar from the norm. Yap et al. (2013), Potamitis (2013), and Bolton et al. (2013) discussed in their research that unsupervised learning methods discover those objects that have unusual behaviour. The baseline of the model is constructed without using the class labels. The model represents the “normal behaviour of real user, and is then used to detect objects which deviate from the normal behaviour of user”. In fact, unsupervised learning methods can detect both old and new fraud types, since they do not require any information about previous fraudulent patterns, while supervised learning techniques can detect only known frauds. Unsupervised learning is often called ‘cluster analysis’ because it aims to group the data to develop classification labels automatically. A more sophisticated method that is used in much of the literature is the neural network. The neural network technique can be used as a supervised or an unsupervised technique, and “the output may contain one or several nodes”. For multi-dimensional features, the neural network technique is one of the choices. The pitfall of this technique is the size of the training dataset, because neural network models require a large amount of training data to reach their maximum performance.

TECHNIQUES BASED ON DERIVED ATTRIBUTES

Some detection techniques calculate derived data attributes to model a customer’s usual transaction behaviour, such as the average transaction amount per week or the currencies in which the customer normally performs transactions. This derived attribute technique needs sufficient information about the normal behaviour of customers; any simple deviation from the normal pattern is then considered a suspicious transaction.

Rule Based Techniques

Some detection techniques use rules in their engine for better detection. For example, they treat transactions as essentially suspicious when there are:

• Multiple transactions on a single card but shipped to different addresses
• Multiple orders of the same item
• Multiple cards used from a single IP address
• Several transactions on a single card in a short time span
• Rushed or overnight shipping
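The five rules listed above can be expressed as checks over a transaction log. The sketch below is an added example, not code from the chapter; the field names, the rule labels, the 600-second window, the threshold of three transactions, the per-card reading of "multiple orders of the same item", and the sample log are all assumptions made for the illustration.

```python
from collections import defaultdict

WINDOW_SECONDS = 600   # assumed meaning of "a short time span"
BURST_COUNT = 3        # assumed meaning of "several transactions"
FAST_SHIPPING = {"rush", "overnight"}


def flag_transactions(txns: list) -> dict:
    """Return {transaction id: sorted list of rule labels that fired}."""
    by_card = defaultdict(list)
    cards_by_ip = defaultdict(set)
    for t in txns:
        by_card[t["card"]].append(t)
        cards_by_ip[t["ip"]].add(t["card"])

    flags = {t["id"]: set() for t in txns}
    for group in by_card.values():
        group.sort(key=lambda t: t["ts"])

        # Rule 1: one card, goods shipped to different addresses.
        if len({t["ship_to"] for t in group}) > 1:
            for t in group:
                flags[t["id"]].add("card_multiple_addresses")

        # Rule 2: the same item ordered more than once on this card.
        per_item = defaultdict(int)
        for t in group:
            per_item[t["item"]] += 1
        for t in group:
            if per_item[t["item"]] > 1:
                flags[t["id"]].add("repeat_item")

        # Rule 4: BURST_COUNT or more transactions inside a sliding window.
        start = 0
        for end in range(len(group)):
            while group[end]["ts"] - group[start]["ts"] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= BURST_COUNT:
                for t in group[start:end + 1]:
                    flags[t["id"]].add("card_burst")

    for t in txns:
        # Rule 3: several different cards seen from the same IP address.
        if len(cards_by_ip[t["ip"]]) > 1:
            flags[t["id"]].add("ip_multiple_cards")
        # Rule 5: rushed or overnight shipping.
        if t["shipping"] in FAST_SHIPPING:
            flags[t["id"]].add("rushed_shipping")

    return {tid: sorted(labels) for tid, labels in flags.items()}


def sample_log() -> list:
    # Constructed log; IP addresses are from documentation ranges.
    return [
        {"id": "t1", "card": "A", "ip": "198.51.100.7", "ship_to": "addr1",
         "item": "phone", "ts": 0, "shipping": "standard"},
        {"id": "t2", "card": "A", "ip": "198.51.100.7", "ship_to": "addr2",
         "item": "phone", "ts": 120, "shipping": "overnight"},
        {"id": "t3", "card": "A", "ip": "198.51.100.7", "ship_to": "addr1",
         "item": "tv", "ts": 300, "shipping": "standard"},
        {"id": "t4", "card": "B", "ip": "198.51.100.7", "ship_to": "addr3",
         "item": "book", "ts": 5000, "shipping": "standard"},
        {"id": "t5", "card": "C", "ip": "203.0.113.9", "ship_to": "addr4",
         "item": "book", "ts": 6000, "shipping": "standard"},
    ]


if __name__ == "__main__":
    for tid, labels in flag_transactions(sample_log()).items():
        print(tid, labels)
```

A transaction that trips several rules at once, such as t2 in the sample log, is a stronger candidate for review than one that trips a single rule; a legitimate customer can easily match one rule alone.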

These patterns are coded as rules by human experts into a detection system that follows the expert system technique with static rules, or can serve as indicators of fraudulent behaviour in the system. Earlier, fraudsters were not aware of the fraud detection techniques in banking payment systems, so they did not use sophisticated strategies to make fraudulent transactions, and their transactions more likely led to recognizable frauds. Recently, however, fraudsters have adopted very sophisticated methods of deception that are not recognized even by human experts. Any fraud technique decreases in efficiency after a while, and fraudsters then try to find new techniques for doing their job. Provost (2002), in his research on Bolton, points out that there are several ways in which credit card fraud detection systems can be approached. These ways include the following:

Hand & Blunt (2001) provide an overview of some data mining work that they have performed on credit card transaction data. They show a number of amazingly linear relationships between different aspects of the data in a number of diagrams and plots in their research work. For example, a card spending diagram that suddenly jumps or suddenly changes slope (for example, the number of transactions or the expenditure rate suddenly exceeding some threshold) should be picked up by a detection system. All of these methods and hypotheses can be combined or used separately, run in sequence or in parallel, and form the basis of very different techniques. This means that a large number of theoretical credit card detection approaches are possible. But verifying the performance of these approaches and comparing them is very difficult, since the datasets are typically not available to other researchers.

Bolton and Hand (2002) and Kim and Kim (2002) proposed outlier detection techniques to detect abnormality in credit card transactions. Outlier detection is considered an unsupervised technique, which does not require any knowledge of fraudulent or legitimate transactions in historical databases. These techniques only look for deviations in the dataset. The advantage of this method is that it can detect any type of fraud. However, outlier detection can cause legitimate irregular behaviour to be classified as fraud, thus causing inconvenience to the customer.

Ghosh and Reilly (1994) used a neural network technique for detecting credit card fraud, consisting of a three-layered feed-forward network with only two training passes, to achieve a reduction of 22% to 47% in total credit card fraud losses. Aleskerov et al. (1997) developed a credit card fraud detection (CCFD) technique called CardWatch, which is built upon a neural network algorithm. This system can handle large amounts of data and is therefore an efficient method for large financial companies such as banks. However, the system requires a separate neural network to be constructed for each customer, so it needs a very large network and a greater amount of resources to maintain. Dorronsoro et al. (1997) developed a credit card fraud detection technique based on neural networks called Minerva. This system is embedded in credit card transaction servers to detect fraudulent transactions in real time. “It uses a novel nonlinear discriminant analysis which combines the multilayer perceptron of a neural network with Fisher’s discriminant analysis method”. Minerva does not require a large set of patterns because it acts only on the previous pattern. The disadvantage of this method is that determining a set of meaningful variables for detection is difficult, and obtaining effective datasets for training is not easy. Syeda et al. (2002) proposed a “fast credit card fraud detection system (CCFD) by a parallel granular neural network which uses fuzzy neural networks for knowledge discovery”. The emphasis of their research is mostly on optimizing the speed of the implemented algorithm.

Chiu and Tsai (2004) found that the problem with credit card transaction data stems from the natural skewness of the dataset. Generally, the ratio of fraudulent transactions to legal transactions in real credit card transaction datasets is extremely low (less than 3%). The proposed method used “web service techniques” to share fraud transactions with a centralized data centre and then applied a rule-based data mining technique to the dataset to detect credit card fraud. Studies that combine data mining algorithms have increased in recent years, and their results show that the combinations outperform single-algorithm methods.


MAIN CHALLENGES IN CREDIT CARD FRAUD DETECTION TECHNIQUES

We can group the main challenges in credit card fraud detection as follows:

• Unavailability of real world dataset
• Anonymised Data Set
• Unbalanced Data Set
• Size of the Data Set
• Overlapping dataset
• Different error costs
• Determining the appropriate evaluation parameters

Unavailability of Real Dataset

The most important issue associated with credit card fraud detection techniques is the unavailability of real world datasets, which is mentioned by many authors. Even though fraud detection has a long history, not much research has been done in this area. The reason is the unavailability of real world data: banks are not ready to reveal their customers’ sensitive information for privacy reasons.

Anonymised Dataset

For privacy reasons, financial companies such as banks are not ready to provide their customers’ information to researchers as it is. They change the field names so that the researcher gets no idea of the actual fields. This anonymous nature of the dataset makes research difficult, because it makes the derived attribute concept impossible.

Unbalanced Dataset

A dataset is said to be balanced if there are approximately as many positive instances as negative ones. In other words, an unbalanced distribution occurs when there are many more samples of one class than of another. With an imbalanced dataset, the detection model learns little about the smaller classes and much more about the larger classes, which eventually affects its predictive accuracy. The distribution of credit card transaction data is extremely skewed. Tuo et al. (2004) stated that the credit card transaction dataset is basically a “rare problem”, since for approximately every million transactions there are only a hundred fraudulent transactions; hence using purely the accuracy measure for the detection system may not be appropriate. Maes et al. (1993), Aleskerov et al. (1997) and Dorronsoro et al. (1997) dealt with highly imbalanced datasets in their research and noted that in their dataset “the fraudulent transactions are much fewer than legitimate transactions”. Hassibi (2000) also remarked that, out of 12 billion transactions processed, approximately 10 million are fraudulent. This gives rise to the challenge of selecting an appropriate evaluation function for the fraud detection technique. When the dataset is imbalanced, standard classifiers such as SVM and NB are often biased towards the larger class, which is called the majority class. These classifiers try to minimize the error rate regardless of the data distribution. As mentioned in the references, a highly imbalanced dataset hurts evaluation results. Most researchers in the area of credit card fraud detection do not consider skewed or imbalanced data, and the issue of imbalanced datasets has not been studied widely.

TECHNIQUES TO HANDLE CLASS IMBALANCE

Oversampling

Oversampling tries to balance the class distribution by replicating the minority instances to improve the performance of classifiers. The state-of-the-art algorithm for oversampling is SMOTE (Synthetic Minority Over-sampling Technique). SMOTE generates synthetic minority instances to over-sample the minority class (Ghosh & Liu, 2007). But the SMOTE technique is dangerous, since it blindly generalizes the minority class without regard to the majority class.

Under-Sampling

Under-sampling (Yap et al., 2013) tries to balance the dataset by removing majority (legitimate) instances. The major problem with this technique is that it may discard data that is useful and important for the induction process. The state-of-the-art algorithm for under-sampling is “Tomek Links”.

Size of Data

Millions of credit card transactions are processed every day. Analysing such huge amounts of data requires considerable computing power. Phua et al. (2005) provided a good analysis of credit card fraud detection and stated that the datasets are usually in the range of millions of records, which require considerable computing power to analyse. This creates certain restrictions for researchers.

Overlap Dataset

Another complicating factor in imbalanced datasets is that the classes may overlap. Overlapping means that a legal transaction looks very similar to a fraud transaction, or a fraud transaction looks very similar to a legal transaction (Table 2). This creates difficulty in the analysis of credit card fraud, because it can lead to incorrect model construction.

Table 2. Sample of overlapping problem

| Custattr1 | Hour | Amount | Zip | Field1 | Field2 | Field3 | Field4 | Indicator1 | Indicator2 | Flag1 | Flag2 | Flag3 | Flag4 | Flag5 | Class |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 23461 | 0 | 12.95 | 852 | 3 | 0 | -2753 | 24 | 0 | 0 | 1 | 1 | 1 | 0 | 1 | 1 |
| 23461 | 0 | 12.95 | 852 | 3 | 0 | -2753 | 24 | 0 | 0 | 1 | 1 | 1 | 0 | 1 | 0 |

Different Error Costs

The cost of misclassifying a fraud transaction as legal is much higher than that of classifying a legal transaction as fraud, because it results in monetary loss. Therefore, most of the fraud detection techniques available today give preference to reducing the misclassification of fraud as legal. The misclassification of legitimate transactions as fraudulent delays the transaction and results in customer dissatisfaction.

APPROPRIATE EVALUATION PARAMETERS

False-positive and false-negative rates are two common measures for fraud detection techniques. They have an opposite relationship: when the false-positive rate is decreased for better performance, the false-negative rate increases. Much research in this area has shown that accuracy is not an appropriate parameter for imbalanced datasets, since good accuracy can be obtained even when all fraud transactions are misclassified. The cost of misclassifying a fraud transaction is higher than the cost of misclassifying a legal transaction. So we must consider not only the precision, which is correctly classifying instances, but also the sensitivity, which is correctly classifying the fraud instances of each customer. Hand (2007) reported that the most common measures for classification methods are the misclassification rate and the area under the ROC curve. We could confirm from prior research work that the misclassification rate has been a very common measure for fraud detection methods. However, we could not find any application of the ROC curve to fraud detection in the literature. In our work we found that the error rate is not a good choice when the class sizes are highly imbalanced, because in such problems a good error rate can be attained by classifying all instances as the larger class. “For example let us assume our detection method correctly classifies 99% of the legitimate instances as legitimate and 99% of the fraudulent instances as fraudulent, so the false-negative and false-positive rate is 1%. The result sounds quite good”. However, if the fraud class is 0.1% of all the instances, then 91% of those flagged as fraudulent are in fact legitimate instances.

UCSD-FICO DATA MINING CONTEST 2009 DATA SET

There are different types of credit card transaction datasets with different fraud properties, for example the number of fraudulent transactions, the type of fraud, and the distribution of fraud transactions among legal transactions. To evaluate our proposed model, the UCSD-FICO Data Mining Contest 2009 data set is used. It is a real credit card transaction dataset, and the objective of the contest was to detect fraudulent transactions. Two versions of the dataset were provided, “easy” and “hard”, and we used the “hard” version to evaluate our model. Moreover, the fields of the dataset are anonymized so strongly that it is hard to derive any new field, and thus fraud detection methods that depend on aggregation and derived attributes will not work efficiently on this data. The dataset contains 100,000 credit card transactions and 20 features/attributes. The dataset was already labelled by the bank (legitimate/fraudulent). Figure 4 shows the structure of our dataset. The dataset is highly imbalanced; the number of fraudulent transactions is 2349 out of 100,000 transactions.

DATA PRE-PROCESSING

Dataset pre-processing is a very important and vital part of data mining. Pre-processing organizes the original dataset, removes all irrelevant attributes and noise, and simplifies the data. In order to address this issue, we include a pre-processing phase in our work. Pre-processing in this research mainly includes data cleaning and reduction, since the unprocessed banking dataset isn’t suitable for applying data mining techniques directly.

Figure 4. Structure of UCSD data mining contest 2009 dataset

We used the hard version of the dataset, which consists of two sub-datasets, a training set and a testing set. The training set is labelled as ‘legitimate’ or ‘fraudulent’ and the testing set is unlabelled. We have used only the labelled training dataset. “It contains 100,000 transactions of 73729 individual customers”. The dataset has 20 fields including the class label, listed as: custAttr1, custAttr2, amount, hour1, state1, zip1,…., hour2, total, indicator1, indicator2, flag2, and Class. Fields custAttr1 and custAttr2 are found to be the same for a particular customer, as they are the card number and e-mail id of the customer. Both these fields are unique to a particular customer and thus we decided to keep only one, i.e., custAttr1. The fields total and amount, as well as hour1 and hour2, are found to be the same for each customer and thus we removed total and hour2. Similarly, state1 and zip1 are also found to represent the same information and thus we removed state1. All other fields are anonymized and therefore we decided to keep them as they are.

For evaluation of our model the following procedure is used. First, we removed the transactions of those customers who have only one transaction in the dataset, since such a transaction appears in either the training or the testing dataset only. Now the dataset has been reduced to 40918 transactions. Then we divided these 40918 transactions into two: a training set with 21000 transactions and a testing set with 19918 transactions. Again, from the training dataset we removed the transactions of those customers who have only one transaction in the training dataset, since it is hard to find a pattern from a single transaction. Now the training dataset has been reduced to 19165 transactions.

FRAUDMINER: PROPOSED FRAUD DETECTION MODEL

The proposed fraud detection model (FraudMiner) is outlined in Figure 5. The proposed model consists of two phases, training and testing. During the training phase, the legal transaction pattern and the fraud transaction pattern of each customer are created from their legal transactions and fraud transactions, respectively, by using frequent itemset mining. Then, during the testing phase, the matching algorithm detects which pattern the incoming transaction matches more closely. If the new transaction entering our detection model matches the legal pattern of the particular customer more closely, the algorithm returns ‘0’ (i.e., legal transaction), and if the incoming transaction matches the fraud pattern of that customer more closely, the algorithm returns ‘1’ (i.e., fraudulent transaction).

Figure 5. Proposed credit card fraud detection model

PATTERN DATABASE CONSTRUCTION USING FREQUENT ITEMSET MINING (TRAINING)

Frequent itemsets are sets of items that occur together in at least as many transactions as the user-defined minimum support. The metric support(X) is defined as the fraction of records of database D that contain the itemset X as a subset:

Support(X) = count(X) / |D|

In credit card transaction data, the legal pattern of a customer is the set of attribute values specific to that customer when he does a legal transaction, which shows the customer’s behaviour. It is found that fraudsters also behave in almost the same manner as the customer. This means that fraudsters intrude into customer accounts only after learning their genuine behaviour. Therefore, instead of finding a common pattern for fraudster behaviour, it is more valid to identify fraud patterns for each customer. Thus, in this research we have constructed two patterns for each customer: a legal pattern and a fraud pattern. When frequent pattern mining is applied to the credit card transaction data of a particular customer, it returns sets of attributes showing the same values in a group of transactions specified by the support. Generally, frequent pattern mining algorithms like Apriori return many such groups, and the longest group, containing the maximum number of attributes, is selected as that particular customer’s legal pattern.

The training (Pattern Recognition) algorithm is given below:

Step 1: Separate each customer’s transactions from the whole transaction database D.
Step 2: From each customer’s transactions, separate his/her legal and fraud transactions.
Step 3: Apply the Apriori algorithm to the set of legal transactions of each customer. The Apriori algorithm returns a set of frequent itemsets. Take the largest frequent itemset as the legal pattern corresponding to that customer. Store these legal patterns in the legal pattern database.
Step 4: Apply the Apriori algorithm to the set of fraud transactions of each customer. The Apriori algorithm returns a set of frequent itemsets. Take the largest frequent itemset as the fraud pattern corresponding to that customer. Store these fraud patterns in the fraud pattern database.

The training algorithm is given as below:

    Begin
        Group the transactions of each customer together.
        Let there be ‘n’ groups corresponding to ‘n’ customers
        for i = 1 to n do
            Separate each group Gi into two different groups LGi and FGi of legal and fraud
            transactions. Let there be ‘m’ legal and ‘k’ fraud transactions
            FIS = Apriori(LGi, S, m);   // Set of frequent itemsets
            LP = max(FIS);              // Largest frequent itemset
            LPD(i) = LP;
            FIS = Apriori(FGi, S, k);   // Set of frequent itemsets
            FP = max(FIS);              // Largest frequent itemset
            FPD(i) = FP;
        endfor
        return LPD & FPD;
    End
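The training steps above as a small runnable Python sketch. This is an added example, not the chapter's own implementation (which used Matlab and Weka): the shortened attribute list, the customer ids and all sample rows are constructed, and ties between equally long itemsets are broken by support, which the chapter does not specify.

```python
from collections import defaultdict
from itertools import combinations

INVALID = 9999  # the chapter's marker for an attribute that is not part of the pattern
# Assumed, shortened attribute list; the real dataset has more anonymized fields.
ATTRS = ["hour", "amount", "zip", "field1", "flag5"]


def apriori(transactions, min_support):
    """Return {itemset: support} for all frequent itemsets.

    A transaction is a dict attribute -> value; an item is an (attribute, value) pair.
    """
    n = len(transactions)
    if n == 0:
        return {}
    baskets = [frozenset(t.items()) for t in transactions]

    def support(itemset):
        return sum(itemset <= basket for basket in baskets) / n

    # Level 1: single items that meet the minimum support.
    singles = {frozenset([item]) for basket in baskets for item in basket}
    level = {s for s in singles if support(s) >= min_support}
    frequent, k = {}, 1
    while level:
        frequent.update((s, support(s)) for s in level)
        # Join: merge frequent k-itemsets that differ in exactly one item.
        candidates = {a | b for a in level for b in level if len(a | b) == k + 1}
        # Prune: a (k+1)-itemset can only be frequent if all its k-subsets are.
        candidates = {c for c in candidates
                      if all(frozenset(sub) in level for sub in combinations(c, k))}
        level = {c for c in candidates if support(c) >= min_support}
        k += 1
    return frequent


def largest_pattern(transactions, min_support):
    """Largest frequent itemset as a fixed-width pattern row, or None if there is none."""
    frequent = apriori(transactions, min_support)
    if not frequent:
        return None
    # Assumption: ties on length are broken by support, then by a stable text key.
    best = max(frequent, key=lambda s: (len(s), frequent[s], sorted(map(str, s))))
    chosen = dict(best)
    return [chosen.get(attr, INVALID) for attr in ATTRS]


def train(database, min_support=0.9):
    """Build the legal (LPD) and fraud (FPD) pattern databases, keyed by customer id."""
    groups = defaultdict(lambda: {0: [], 1: []})
    for row in database:  # Steps 1 and 2: split by customer, then by class
        groups[row["cust"]][row["cls"]].append({a: row[a] for a in ATTRS})
    lpd, fpd = {}, {}
    for cust, by_class in groups.items():  # Steps 3 and 4
        legal = largest_pattern(by_class[0], min_support)
        fraud = largest_pattern(by_class[1], min_support)
        if legal is not None:
            lpd[cust] = legal
        if fraud is not None:
            fpd[cust] = fraud
    return lpd, fpd


# Constructed sample rows (not taken from the UCSD-FICO data).
SAMPLE = (
    # Ten legal transactions: amount always differs, zip differs once (support 0.9).
    [{"cust": 23461, "hour": 0, "amount": 10.0 + i, "zip": 950 if i else 852,
      "field1": 3, "flag5": 1, "cls": 0} for i in range(10)]
    # Two identical fraud transactions for the same customer.
    + [{"cust": 23461, "hour": 3, "amount": 499.0, "zip": 100,
        "field1": 7, "flag5": 0, "cls": 1} for _ in range(2)]
    # A customer with legal transactions only: no fraud pattern is stored.
    + [{"cust": 77002, "hour": 14, "amount": 5.0 * i, "zip": 331,
        "field1": 1, "flag5": 0, "cls": 0} for i in range(1, 4)]
)

if __name__ == "__main__":
    lpd, fpd = train(SAMPLE)
    print("legal patterns:", lpd)
    print("fraud patterns:", fpd)
```

With minimum support 0.9, the varying amount drops out of the legal pattern and is stored as 9999, while the zip value seen in nine of ten transactions stays in.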

FRAUD DETECTION USING MATCHING ALGORITHM (TESTING)

After finding the legal and fraud patterns for each customer, the fraud detection system traverses these fraud and legal pattern databases in order to detect frauds. These pattern databases are much smaller than the original customer transaction databases, as they contain only one record per customer. This research proposes a matching algorithm which traverses the pattern databases for a match with the incoming transaction to detect fraud. If a closer match is found with the legal pattern of the corresponding customer, the matching algorithm returns ‘0’, giving a green signal to the bank to allow the transaction. If a closer match is found with the fraud pattern of the corresponding customer, the matching algorithm returns ‘1’, raising an alarm to the bank to stop the transaction. “The size of pattern databases are n x t where “n” is the number of customers and “t” is the number of attributes”.

The following steps are the matching algorithm process:

Step 1: Count the number of attributes in the incoming transaction matching with that of the legal pattern of the corresponding customer. Let it be lc.
Step 2: Count the number of attributes in the incoming transaction matching with that of the fraud pattern of the corresponding customer. Let it be fc.
Step 3: If fc=0 and lc is more than the user defined matching percentage then the incoming transaction is legal.
Step 4: If lc=0 and fc is more than the user defined matching percentage then the incoming transaction is fraud.
Step 5: If both fc and lc are greater than zero and fc>=lc then the incoming transaction is fraud else it is legal.

The testing algorithm is given as below:

    Begin
        lc = 0;   // legal attribute match count
        fc = 0;   // fraud attribute match count
        for i = 1 to n do
            if (LPD(i,1) = T(1)) then   // first attribute
                for j = 2 to k do
                    if (LPD(i,j) is valid and LPD(i,j) = T(j)) then
                        lc = lc + 1;
                    endif
                endfor
            endif
        endfor
        for i = 1 to n do
            if (FPD(i,1) = T(1)) then
                for j = 2 to k do
                    if (FPD(i,j) is valid and FPD(i,j) = T(j)) then
                        fc = fc + 1;
                    endif
                endfor
            endif
        endfor
        if (fc = 0) then   // no fraud pattern
            if ((lc / no. of valid attributes in legal pattern) >= mp) then
                return (0);   // legal transaction (Step 3)
            else return (1);   // fraud transaction
            endif
        elseif (lc = 0) then   // no legal pattern
            if ((fc / no. of valid attributes in fraud pattern) >= mp) then
                return (1);   // fraud transaction (Step 4)
            else return (0);   // legal transaction
            endif
        elseif (lc > 0 && fc > 0) then   // both legal and fraud patterns are available
            if (fc >= lc) then return (1);   // fraud transaction
            else return (0);   // legal transaction
            endif
        endif
    End
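The matching Steps 1 to 5 as runnable Python, an added example that is not the chapter's own code. The matching percentage mp = 0.8, customer id 501, both patterns for customer 501's fraud side and the legal pattern for customer 23461 are constructed assumptions; the incoming row for 23461 is the attribute vector shared by both rows of Table 2, and the legal pattern for 501 is the Table 4 row.

```python
INVALID = 9999  # marker the chapter uses for a field that is not part of a pattern

# Attribute order of a pattern row / transaction row (customer id is kept separately).
ATTRS = ["hour", "amount", "zip", "field1", "field2", "field3", "field4",
         "indicator1", "indicator2", "flag1", "flag2", "flag3", "flag4", "flag5"]


def match_count(pattern, txn):
    """Count valid pattern attributes whose value equals the transaction's value."""
    if pattern is None:
        return 0
    return sum(1 for p, t in zip(pattern, txn) if p != INVALID and p == t)


def valid_count(pattern):
    """Number of attributes that actually take part in the pattern."""
    return 0 if pattern is None else sum(1 for p in pattern if p != INVALID)


def classify(cust, txn, lpd, fpd, mp=0.8):
    """Return 1 (fraud) or 0 (legal) for an incoming transaction, per Steps 1-5."""
    if len(txn) != len(ATTRS):
        raise ValueError("transaction does not have the expected number of attributes")
    legal, fraud = lpd.get(cust), fpd.get(cust)
    lc = match_count(legal, txn)  # Step 1
    fc = match_count(fraud, txn)  # Step 2
    if fc == 0:
        # Step 3: nothing matches a fraud pattern; accept only on a strong legal match.
        # Assumption: a customer with no usable legal pattern is flagged as fraud
        # instead of dividing by zero.
        valid = valid_count(legal)
        return 0 if valid and lc / valid >= mp else 1
    if lc == 0:
        # Step 4: only the fraud pattern matches; flag only on a strong fraud match.
        return 1 if fc / valid_count(fraud) >= mp else 0
    # Step 5: both patterns match to some degree; a tie counts as fraud.
    return 1 if fc >= lc else 0


LPD = {
    23461: [0, INVALID, 852, 3, 0, INVALID, 24, 0, 0, 1, 1, 1, 0, 1],  # constructed
    501: [0, INVALID, 950, 3, 0, 2429, 14, 0, 0, 0, 0, 0, 0, 1],       # Table 4 row
}
FPD = {
    501: [3, INVALID, 100, 7, 0, INVALID, 14, 0, 0, 1, 1, 0, 0, 0],    # constructed
}

# Attribute values shared by the legal row and the fraud row of Table 2.
TABLE2_ROW = [0, 12.95, 852, 3, 0, -2753, 24, 0, 0, 1, 1, 1, 0, 1]
# Constructed incoming transactions.
TXN_LEGAL_LIKE = [0, 20.0, 950, 3, 0, 2429, 14, 0, 0, 0, 0, 0, 0, 1]
TXN_FRAUD_LIKE = [3, 900.0, 100, 7, 0, 55, 14, 0, 0, 1, 1, 0, 0, 0]
TXN_UNFAMILIAR = [13, 700.0, 100, 9, 1, 5, 2, 1, 1, 0, 0, 0, 1, 0]


def demo():
    """Classify the sample transactions and return the decisions by label."""
    return {
        "table2_pair": classify(23461, TABLE2_ROW, LPD, FPD),
        "legal_like": classify(501, TXN_LEGAL_LIKE, LPD, FPD),
        "fraud_like": classify(501, TXN_FRAUD_LIKE, LPD, FPD),
        "unfamiliar": classify(23461, TXN_UNFAMILIAR, LPD, FPD),
        "unknown_customer": classify(999, TXN_LEGAL_LIKE, LPD, FPD),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label}: {'fraud' if decision else 'legal'}")
```

Because the two Table 2 rows have identical attributes and only a legal pattern exists for that customer, both are returned as 0, so the row labelled fraud goes undetected.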

IMPLEMENTATION

All the meta-classification models and outputs were obtained using Matlab R2013. In addition to Matlab, the open source data mining software Weka [47] and Microsoft Excel were also used. Weka is open source software developed by the University of Waikato in New Zealand; it contains a large set of data mining algorithms and is widely used in academia.

Training and Testing Dataset Creation

The following procedure is used for creating the new dataset for evaluating our model. First, we removed the transactions of those customers who have only one transaction in the dataset, since such a transaction appears in either the training or the testing dataset only. Now the dataset has been reduced to 40918 transactions. Then we divided these 40918 transactions into two: a training set with 21000 transactions and a testing set with 19918 transactions. Again, from the training dataset we removed the transactions of those customers who have only one transaction in the training dataset, since it is hard to find a pattern from a single transaction. Now the training dataset has been reduced to 19165 transactions. From this dataset, we randomly selected different groups of customers and their corresponding transactions in the training and testing datasets, to evaluate the performance of FraudMiner with an increasing number of transactions. The data distribution is shown in Table 3.

Table 3. Imbalanced Data

| No. of Customer | Training Set: Legal | Training Set: Fraud | Training Set: Total | Testing Set: Legal | Testing Set: Fraud | Testing Set: Total |
|---|---|---|---|---|---|---|
| 200 | 652 | 25 | 677 | 489 | 17 | 506 |
| 400 | 1226 | 48 | 1274 | 864 | 30 | 894 |
| 600 | 1716 | 64 | 1780 | 1244 | 48 | 1292 |
| 800 | 2169 | 71 | 2240 | 1612 | 57 | 1669 |
| 1000 | 26041 | 131 | 2735 | 2002 | 102 | 2104 |
| 1200 | 3056 | 157 | 3113 | 2604 | 144 | 2748 |
| 1400 | 3440 | 158 | 3598 | 3083 | 147 | 3230 |

Legal/Fraud Pattern Creation

From the training set (for each group) in Table 3, fraud and legal patterns are created for each customer by using the proposed training algorithm. We set the minimum support to 0.9 and selected the largest itemset as the pattern. For example, if the largest itemset is: hour = 0, zip = 950, field1 = 3, field2 = 0, field3 = 2429, field4 = 14, indicator1 = 0, indicator2 = 0, flag1 = 0, flag2 = 0, flag3 = 0, flag4 = 0, flag5 = 1, then the corresponding pattern is as shown in Table 4. Here, ‘9999’ represents an invalid field: this field has different values in each transaction and hence does not contribute to the pattern.

Table 4. Corresponding pattern

| 0 | 9999 | 950 | 3 | 0 | 2429 | 14 | 0 | 0 | 0 | 0 | 0 | 0 | 1 |

EVALUATION METRICS

In this work, a fraudulent transaction is considered the positive class and a legitimate transaction the negative class; hence the terms TP, TN, FP and FN are defined as follows:

• TP refers to the number of fraudulent transactions which are predicted as fraud
• TN refers to the number of legitimate transactions which are predicted as legal
• FP refers to the number of legitimate transactions which are predicted as fraud
• FN refers to the number of fraudulent transactions which are predicted as legal

At the end, the performance of the proposed method is evaluated in terms of five metrics:

• Sensitivity
• Specificity
• False alarm rate
• Precision
• Balanced classification rate
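The five metrics computed from TP, TN, FP and FN, applied to the 99%/99% case from the section on evaluation parameters and to the dataset sizes given earlier (2349 frauds in 100,000 transactions). This is an added example, not the chapter's code; the chapter names the metrics without giving formulas, so the standard confusion-matrix definitions are assumed, including balanced classification rate as the mean of sensitivity and specificity.

```python
def metrics(tp, tn, fp, fn):
    """Confusion-matrix metrics with fraud as the positive class.

    Assumption: standard definitions; a ratio with an empty denominator is None.
    """
    def ratio(num, den):
        return num / den if den else None

    sensitivity = ratio(tp, tp + fn)  # fraud detection rate
    specificity = ratio(tn, tn + fp)
    bcr = None
    if sensitivity is not None and specificity is not None:
        bcr = (sensitivity + specificity) / 2
    return {
        "accuracy": ratio(tp + tn, tp + tn + fp + fn),
        "sensitivity": sensitivity,
        "specificity": specificity,
        "false_alarm_rate": ratio(fp, fp + tn),
        "precision": ratio(tp, tp + fp),
        "balanced_classification_rate": bcr,
    }


def confusion_from_rates(n_fraud, n_legal, tpr_pct, tnr_pct):
    """Integer confusion counts (tp, tn, fp, fn) for given per-class hit rates."""
    tp = n_fraud * tpr_pct // 100
    tn = n_legal * tnr_pct // 100
    return tp, tn, n_legal - tn, n_fraud - tp


def base_rate_case():
    """99% of each class classified correctly, fraud = 0.1% of one million instances."""
    return metrics(*confusion_from_rates(1_000, 999_000, 99, 99))


def all_legal_baseline():
    """A detector that labels every transaction legal, on the dataset's class sizes."""
    return metrics(tp=0, tn=97_651, fp=0, fn=2_349)


if __name__ == "__main__":
    case = base_rate_case()
    print(f"accuracy {case['accuracy']:.2%}, precision {case['precision']:.2%}, "
          f"legitimate share of alerts {1 - case['precision']:.0%}")
    base = all_legal_baseline()
    print(f"all-legal accuracy {base['accuracy']:.3%}, "
          f"sensitivity {base['sensitivity']:.0%}, "
          f"BCR {base['balanced_classification_rate']:.2f}")
```

The all-legal detector reaches over 97% accuracy while catching no fraud, and only its sensitivity and balanced classification rate expose that.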

In this work, we use the frequent itemset mining technique on credit card transaction data to create the legal pattern of a particular customer, as well as a fraud pattern of the same customer if there is one. From the obtained patterns it is found that fraudsters also behave in almost the same manner as the customer. This means that fraudsters intrude into customer accounts only after learning their genuine behaviour. Therefore, instead of finding a common pattern for fraudster behaviour, it is more valid to identify fraud patterns for each customer. Thus, in this research we have constructed two patterns for each customer: a legal pattern and a fraud pattern. When frequent pattern mining is applied to the credit card transaction data of a particular customer, it returns sets of attributes showing the same values in a group of transactions specified by the support. Generally, frequent pattern mining algorithms like Apriori (Agrawal & Srikant, 1994) return many such groups, and the longest group, containing the maximum number of attributes, is selected as that particular customer’s legal pattern.

The performance evaluation of the proposed model is done to determine how well it performs in comparison to other techniques. See Figure 6, Figure 7, Figure 8, Figure 9, and Figure 10. The state-of-the-art classifiers which we used are support vector machine (SVM), nearest neighbour (KNN), naïve Bayes (NB) and random forest (RF). These are the base classifiers used in the credit card fraud detection models described in the literature review. Among these classifiers, Random Forest was used by the winner of the UCSD-FICO Data Mining Contest 2009. Before giving the data to the classifiers, we tried to apply SMOTE [20], an oversampling technique for handling class imbalance. But the performance degraded because the dataset is so highly imbalanced. Hence we supplied the data directly to the classifiers.

In fraud detection, the most important measure is sensitivity, or fraud detection rate, since the loss due to fraud depends on this metric. From the performance evaluation it is found that FraudMiner has the highest fraud detection rate of all the classifiers.

Figure 6. Performance comparison of classifiers in terms of sensitivity

Figure 7. Performance comparison of classifiers in terms of specificity

Figure 8. Performance comparison of classifiers in terms of balanced classification rate

Figure 9. Performance comparison of classifiers in terms of false alarm rate

Figure 10. Performance comparison of classifiers in terms of precision

The second important measure is the false alarm rate, which reflects customer dissatisfaction due to false alarms (a legal transaction suspected as fraud). FraudMiner shows a very low false alarm rate, close to that of KNN. The performance of FraudMiner on other metrics such as accuracy, precision and specificity is also as good as that of KNN. “The balanced metrics-BC is used to show the competence of FraudMiner for handling imbalancedness problem and eventually FraudMiner showed decent performance according to this measure”. It is found that the only frauds our model could not recognize are those where there is no pattern difference between the legal and fraud transactions (overlapping). For instance, consider the transactions in the test data set shown in Figure 11.

Figure 11. Example of overlapped data

In Figure 11, the attributes of both transactions are the same, but one is legal and the other is fraud. FraudMiner could not recognize this fraud transaction because the pattern database contains only a legal pattern for this customer and both transactions match that pattern. It is found that when both fraud and legal patterns for a customer are available in the pattern database, FraudMiner shows 100% fraud detection capability.

CONCLUSION

We propose a fraud detection model whose performance is evaluated with an anonymized dataset, and we found that the proposed model performs well since it is independent of attribute names. The second advantage of the proposed model is its ability to handle imbalanced datasets. This is incorporated in the model by creating two separate pattern databases for fraud and legal transactions. Both customer and fraudulent behaviours are found to change gradually over a short period of time; this may degrade the performance of the fraud detection model. Therefore, the fraud detection model should be adaptive to these behavioural changes. These behavioural changes can be incorporated into the proposed model by updating the fraud and legal pattern databases. This can be done by running the proposed pattern recognition algorithm at fixed points, such as once every three months or six months, or once every one lakh transactions. Moreover, the proposed fraud detection method takes very little time to evaluate the algorithms, which is also an important parameter in real-time applications, because fraud detection is done by traversing the smaller pattern databases rather than the large transaction database.

REFERENCES

Abdelhalim & Traore. (2009). Identity Application Fraud Detection using Web. International Journal of Computer and Network Security, 31-44.

Agrawal, R., & Srikant, R. (1994). Fast algorithm for mining association rules in large databases. IBM Almaden Research Center.

Aleskerov, E., & Freisleben, B. (1997). CARD WATCH: a neural network based database mining system for credit card fraud detection. In Proceedings of the computational intelligence for financial Engineering.

Bloomberg. (2015). How ATT Could Keep Crooks from Using Your Credit Card. Retrieved from http://www.bloomberg.com/news/2015-06-26/how-at-t-could-keep-crooks-from-using-your-credit-card.html

Bolton, R. J., Hand, D. J., Provost, F., Breiman, L., Bolton, R. J., & Hand, D. J. (2002). Statistical fraud detection: A review. Statistical Science, 17(3), 235–255. doi:10.1214s/1042727940

Charniak, E. (1991). Bayesians networks without tears. Artificial Intelligence Magazine, 12(4), 49–63.

Chiu, C. C., & Tsai, C. Y. (2004). A Web services-based collaborative scheme for credit card fraud detection. In e-Technology, E-Commerce and e-Service; IEEE International Conference on.

Cover, T., & Hart, P. E. (1967). Nearest neighbour pattern classification. IEEE Transactions on Information Theory, 13(1), 21–27. doi:10.1109/TIT.1967.1053964

Dorronsoro, Ginel, Sánchez, & Cruz. (1997). Neural fraud detection in credit card operations. IEEE Transactions on Neural Networks, (8), 827-834.

Duman, E., & Ozcelik, M. H. (2011). Detecting credit card fraud by genetic algorithm and scatter search. Expert Systems with Applications, 38(10), 13057–13063. doi:10.1016/j.eswa.2011.04.110

Excell D. (2012). Bayesian inference-the future of online fraud protection. Computer Fraud & Security, (2), 8-11.

Farvaresh, H., & Sepehri, M. (2011). A data mining framework for detecting subscription fraud in telecommunication. Engineering Applications of Artificial Intelligence, 24(1), 182–194. doi:10.1016/j.engappai.2010.05.009

Fayyad, U., Shapiro, G. P., & Smyth, P. (1996). From data mining to knowledge discovery: An overview. Advances in Knowledge Discovery and Data Mining, 1–34.

Ghosh, S., & Reilly, D. L. (1994). Credit Card Fraud Detection with a Neural-Network. Proceedings of the Twenty-Seventh Hawaii International Conference on System Science (pp. 621-630). 10.1109/HICSS.1994.323314

Hanagandi, V., Dhar, A., & Buescher, K. (1996). Density-based clustering and radial basis function modeling to generate credit card fraud scores. Computational Intelligence for Financial Engineering, Proceedings of the IEEE/IAFE Conference on.

Hand D. J. (2007). Statistical techniques for fraud detection, prevention, and evaluation. NATO advanced study institute on mining massive data sets for security.

Hand, D. J., & Blunt, G. (2001). Prospecting for gems in credit card data. IMA Journal of Management Mathematics.

Hassibi, K. (2000). Detecting payment card fraud with neural networks. Business Applications of Neural Networks, 141-157. doi:10.1142/9789812813312_0009

Hormozi, A. M., & Giles, S. (2004). Data Mining: A Competitive Weapon for Banking and Retail Industries. Information Systems Management, 62-71.

Hunt, J., Timmis, J., Cooke, D., Neal, M., & King, C. (1998). Development of an artificial immune system for real-world applications. Artificial Immune Systems and their Applications, 157–186.

Jithendra Dara Laxman Gundemoni. (2006). Credit card security and E-payment Enquiry into credit card fraud in e-payment (Master thesis). Lulea University of Technology.

Kim, M. J., & Kim, T. S. (2002). A Neural Classifier with Fraud Density Map for Effective Credit Card Fraud Detection. Proceedings of the Third International Conference on Intelligent Data Engineering and Automated Learning. 10.1007/3-540-45675-9_56

Maes, S., Tuyls, K., Vanschoenwinkel, B., & Manderick, B. (1993). Credit card fraud detection using Bayesian and neural networks. In Proceedings of the First International NAISO Congress on Neuro Fuzzy Technologies.

Manikas, K. (2008). Outlier Detection in Online Gambling (Master thesis). Department of Computer Science. University of Goteborg, Sweden.

Mohammad & Zitar. (2011). Application of genetic optimized artificial immune system and neural networks in spam detection. Applied Soft Computing, (11), 3827–3845.

Mukhanov, L. E. (2008). Using Bayesian belief networks for credit card fraud detection. Proceeding of the IASTED International Conference on Artificial Intelligence and Applications.

Ngai, E. W. T., Hu, Y., Wong, Y. H., Chen, Y., & Sun, X. (2011). The application of data mining techniques in financial fraud detection: A classification framework and an academic review of literature. Decision Support Systems, 50(3), 559–569. doi:10.1016/j.dss.2010.08.006

Phua, C., Lee, V., Smith, K., & Gayler, R. (2005). A comprehensive survey of data mining based fraud detection research. Artificial Intelligence Review.

Phua, C. W. C. (2007). Data Mining in Resilient Identity Crime Detection (Doctoral thesis). Clayton School of Information Technology, Monash University.

Potamitis, G. (2013). Design and Implementation of a Fraud Detection Expert System using Ontology-Based Techniques (Masters Dissertation). Faculty of Engineering and Physical Sciences, Monash University.

Provost, F. (2002). Comment on: Statistical Fraud Detection—A review. Statistical Science, (17), 249-251.

Qibei, L., & Chunhua, J. (2011). Research on Credit Card Fraud Detection Model Based on Class Weighted Support Vector Machine. Journal of Convergence Information Technology, 6(1), 62–68. doi:10.4156/jcit.vol6.issue1.8

Quah, J. T. S., & Sriganesh, M. (2008). Real-time credit card fraud detection using computational intelligence. Expert Systems with Applications, 35(4), 1721–1732. doi:10.1016/j.eswa.2007.08.093

Ramanathan, V. (2012). Adversarial face recognition and phishing detection using multi-layer data fusion (Doctoral Dissertation). George Mason University.

Syeda, M., Zhang, Y. Q., & Pan, Y. (2002). Parallel Granular Neural Networks for Fast Credit Card Fraud Detection. Proceedings of the IEEE International Conference, (1), 572–577. 10.1109/FUZZ.2002.1005055

Top Credit Card Processors. (2015). Rankings of Best Fraud Detection Companies. Retrieved from http://www.topcreditcardprocessorsguide.com/rankings-of-best-fraud-detection-companies

Tuo, J., Ren, S., Liu, W., Li, X., Li, B., & Lei, L. (2004). Artificial immune system for fraud detection. IEEE International Conference on Systems, Man and Cybernetics, (2), 1407-1411. 10.1109/ICSMC.2004.1399827

Yap, B. W., Rani, K. A., Rahman, H. A. A., Fong, S., Khairudin, Z., & Abdullah, N. N. (2013). An application of oversampling, undersampling, bagging and boosting in handling imbalanced datasets.
In Proceedings of International Conference on Advanced Data and Information-Lecture Notes in Electrical Engineering, (pp. 13-22). Yu, L., Yue, W., Wang, S., & Lai, K. K. (2010). Support vector machine based multi agent ensemble learning for credit risk evaluation. Expert Systems with Applications, 37(2), 1351–1360. doi:10.1016/j. eswa.2009.06.083 Zaslavsky V., A. Strizhak. (2006). Credit card fraud detection using self organizing maps. Information & Security: An International Journal, (18), 48-63. This research was previously published in the Handbook of Research on Advanced Data Mining Techniques and Applications for Business Intelligence edited by Shrawan Kumar Trivedi, Shubhamoy Dey, Anil Kumar, and Tapan Kumar Panda, pages 62-89, copyright year 2017 by Business Science Reference (an imprint of IGI Global).

312

313

Chapter 17

Ransomware: A Rising Threat of New Age Digital Extortion

Akashdeep Bhardwaj
UPES Dehradun, India

ABSTRACT

The massive scale on which innocent users are being subjected to a new-age threat in the form of digital extortion has never been seen before, even compared with the last five to six years. With the rise of the Internet, the use of personal computers and devices has mushroomed, and cyber criminals are subjecting innocent users to extortion using malware. The primary victim, and the hardest hit, has been online banking, with an impact on the security and reputation of banking and financial transactions as well as on social interactions. Online security revolves around three critical aspects: first the use of digital data and files, next the use of computer systems, and finally the Internet as an insecure medium. This is where ransomware has become one of the most malicious forms of malware for digital extortion, threatening home and corporate users alike.

INTRODUCTION TO RANSOMWARE

The recent explosion of the Internet and of personal computer use has led cyber criminals to subject Internet users to widespread and damaging threats, with extortion focused on making profits at a massive scale that has never been seen before. Alongside viruses, worms, spyware and phishing, ransomware has now become the new form of malware threat. It enters user systems through various infection vectors: browser exploit kits, drive-by freeware apps, malicious email attachments, links offering free software, advertisements offering free cash and incentives through a downloaded file, or an unpatched vulnerability in the operating system. The malicious program runs a payload that compromises and encrypts the user's data files, or even hijacks the system itself, forcing the innocent user to pay the ransom demand before the data files and system are restored and released.

DOI: 10.4018/978-1-5225-6201-6.ch017

Copyright © 2019, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.


According to NIST, “Malware refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.” The malware injects malicious code into the user system, where it installs itself as an executable in a random location. This code then takes the user system hostage: it prevents users from accessing their computer systems normally, stops certain applications or input devices from running, or encrypts user data files, and it uses scare tactics such as demanding that the user pay a ransom in Bitcoin or fill in surveys before the system or data is released. Ransomware uses different psychological, social-engineering, coercive and behavioral-economic techniques to convince users to pay the ransom to regain control of their systems.

Malware is an umbrella term for software that is intentionally malicious in nature and that uses different actions and concealment technologies to attack end users. Some of the common types of malware are viruses, worms, Trojans, backdoors, rootkits, bots and spyware:

• Virus: One of the most commonly found types globally, covering multiple subcategories of malware. A virus is parasitic in nature, unable to survive alone, and generally replicates by copying itself onto other application programs.
• Worm: Malicious code that causes maximum damage to data and user information. It can replicate itself via networks, using built-in email or scan engines to identify and spread to other hosts. Worms tend to exploit OS vulnerabilities and execute other malware as their payload.
• Backdoors: Standalone alternative entrances to user systems that bypass the security mechanisms built into the OS and applications. They are usually created by programmers and accidentally left behind after testing specific code functionality at the last moment; however, they are also planted and used by attackers to keep privileged access to an application or server system.
• Trojans: Programs that resemble legitimate code or applications but have malicious code built in. They are based on the concept of the Trojan horse in Homer’s Iliad and are non-replicating and parasitic in nature, requiring a legitimate application program in which to hide and execute.
• Spyware: The most popular tools for identity theft, made up of malicious code that spies on the victim’s activities and system and then steals sensitive information. Identity theft has become a major risk for users who access their data from unsecured or public systems.
• Rootkits: A set of programs that alter the standard functionality of the operating system in order to hide any malicious activity they perform. They replace common operating system components and utilities such as the kernel, netstat, ls and ps with their own versions, so that any malicious activity is filtered out before results are displayed on screen.
• Bot: A program that performs actions based on instructions received from a master controller system. Bots are mostly autonomous programs residing on unsuspecting end-user systems, used mainly in the ‘dark community’ to accomplish malicious tasks as dictated by the controllers. A network of such bots is called a botnet. IRC is an example of a bot that is used to communicate with other botnets.

Ransomware started with misleading applications and free software programs around 2005, as the use and acceptance of the Internet grew (Savage, Coogan, & Lau, 2015). These free and fake applications came across as system enhancement tools (Registry Care or Perf Optimizer) or fake spyware removal tools (SpySheriff), bundled with hidden add-ons, browser hijackers, spyware apps and ad libraries, and mainly affected the Windows OS. Typically, such applications exaggerated performance or spyware issues and promised to remove them after a payment was made, when in fact they did nothing at all.

The first Crypto Ransomware appeared in the form of Trojan.GPcoder in late 2005. It used weak custom encryption based on a symmetric algorithm, with the same key for encryption and decryption. Around mid-2006, the Crypto Ransomware concept (Kotov & Rajpal, 2015) took off with the emergence of Trojan.Cryzip, which copied the original data into password-protected encrypted files and then deleted the original data and files. Another password-protecting file archiver, Trojan.Archiveus, made its victims buy medicines online instead of asking for a ransom payment.

Around 2008-2009, fake and misleading applications appeared that simulated the features and functionality of antivirus or performance enhancement applications. They performed fake scans and displayed a large number of security and virus issues on the system. The end user was coerced into paying a certain amount, after which another fake scan was run that apparently fixed the earlier issues and viruses. These malware products even offered annual support services on payment.

The years from 2010 to 2012 saw attackers move from fake applications to more sophisticated ransomware in the form of Locker Ransomware, in which access to and control of the user system was compromised. Trojan.Randsom.C mimicked a Windows Security Center update message: it locked the user system, displayed a message on screen and forced the user to call a high-rate premium number in order to activate the license and access the system. These threats moved on from reporting misleading or fake issues to actually introducing errors and faults into systems, and from posing as antivirus tools or performance optimizers to posing as law enforcement notices.

Figure 1. Misleading apps, fake antivirus, lockers and crypto ransomware from 2005-2015

Since 2013, cyber attackers have gone back to Crypto Ransomware techniques (Wyke & Ajjan, 2015), using social engineering as their tool to propagate and to press their ransom demands. However, this new-age Crypto Malware is far more advanced and capable than the legacy crypto apps: its encryption is stronger, and it wipes session keys from memory after use, which makes the decryption key difficult to obtain. The attackers improved their approach with better key management and by choosing the right encryption algorithms, such as RSA, 3DES and AES.

Ransomware has two major variants. The most common is Crypto Ransomware, or data locker, which encrypts files and data. The other is Locker Ransomware, which locks down the user's system, applications or input devices and so prevents the user from performing normal operations. Both are designed to deny access to what rightfully belongs to the end user and to ask for a ransom in return, yet the approach of each is different.

As recently as January 2016, Emsisoft malware engineers found a new ransomware package (Wyke & Ajjan, 2015) that encrypts user files and releases and restores them once a ransom demand has been met. It works differently from other ransomware variants in that the code is pure JavaScript and the package is offered online as a service. It has been named Ransom32, and it effectively means that ransomware has now evolved into Ransomware as a Service.

Crypto Ransomware

Crypto ransomware, or data locker, once injected into a user system, works in stealth mode and searches for files and data with extensions such as FLV, RTF, PPT, CHM, TXT, DOC, CPP, ASM, XLS, JPG, MP3, MP4, CGI, KEY, MDB, PGP and PDF. During this time the system continues to work normally: critical OS and system files are not targeted and the system's functionality is not tampered with, so as not to raise any suspicion. The malware then encrypts the user's files and data. This makes them unusable and forces the user to pay in order to obtain the decryption key.

Figure 2. Crypto ransomware demand screens

Figure 3. Crypto ransomware demand

Unlike traditional malware, Crypto ransomware does not steal any user information; it only compromises the user's access to it. Nor does it try to be stealthy once the data has been encrypted, since detecting the malware at that point does not help to decrypt and recover the data.

Locker Ransomware

Locker ransomware, or computer locker, locks out compute resources and input interface devices such as the mouse or keyboard, denying access to the computer system itself.

Figure 4. Locker Ransomware demand notifications

Figure 5. Locker ransomware demand notifications

The malware then asks the user to pay a fee in order to restore normal access. It even leaves limited functionality in place so that the user can interact with the ransomware, for example keeping the mouse and a few numeric keyboard keys enabled for entering the ransom amount and code. This malware leaves the system and files untouched, and it can be removed to restore a system to its original state relatively easily compared with data locker malware.

INTRODUCTION TO BITCOINS

Started in 2008 by MIT under an open source credential, Bitcoin is a network that provides a new form of commercial payment and exchange medium, virtually digital cash. Any individual can purchase Bitcoins, or crypto currency (Baek & Lebeck, 2015), from online exchanges, from direct sellers, or in person with hard cash or credit cards. Bitcoin transactions are stored in a public worldwide ledger known as the Block Chain, in which every exchange of money is seen by the entire network almost immediately and recorded. This makes it difficult to identify the owners; however, the system is not anonymous. Bitcoin is not owned by any single company. It is more like email, where no one can block two entities from exchanging emails, details or Bitcoins among themselves.

Bitcoins are used for sending money to or receiving money from anyone, anywhere in the world, at a very small transaction cost. The payments cannot be blocked or frozen. Short of turning off the Internet and keeping the Bitcoin network switched off, Bitcoin seems to be unstoppable. The Bitcoin price in dollars has been making headlines in 2015-16 and has jumped past $450, almost reaching $500. The rise in Bitcoin value has been phenomenal; about 25 Bitcoins are created every 10 minutes globally. In 2011 1 Bitcoin was worth under $1; currently 1 Bitcoin is worth hundreds of US dollars. As Bitcoin's demand and popularity increase, 1 Bitcoin might well be worth hundreds of thousands of dollars. For the user, Bitcoin is nothing more than a mobile application or computer program providing a wallet through which the user can send or receive bitcoins.

Figure 6. Bitcoin price over the years

As cyber security experts battle against malware infections and ransomware extortion, the financial losses for innocent users and corporates keep increasing: as recently as August 2015 the FBI announced US $18 million as “stolen” due to ransomware. India ranks 9th for ransomware attacks worldwide, with the US, UK, Japan, Australia and Germany among the others. These extortion attacks are usually carried out by infecting the user system with malware in the form of rogue malicious code. The top ransomware malware found globally is Crowti.

Here is how Bitcoin transactions work:

• The user downloads wallet software to their system or phone and initiates a Bitcoin payment.
• This is broadcast on the worldwide Bitcoin network, or World Ledger.
• Every 10-15 minutes, groups of computers (or miners) collect a few hundred transactions and combine them into a block or transaction.
• This block is validated by a hash function and re-broadcast to the Bitcoin network.
• The miners keep performing checks on the validity of such transactions and blocks.
• In this process, the miners are awarded 25 bitcoins per transaction. This is the incentive for providing compute power to the Bitcoin network.
• The validated blocks are added to a block chain that serves as the live record for the Bitcoin network.
• The payee can then use their wallet software to see their own ledger, with the coins received or sent.
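The steps above as a small Python model, added here as an illustration and not taken from the chapter or from the Bitcoin software: transactions are collected into a block, the block is validated by a hash and linked to the previous block, and a wallet reads the ledger to compute a balance. The difficulty, the party names and the amounts are constructed, the 25-bitcoin reward follows the figure given above, and signatures and overspending checks are left out.

```python
import hashlib
import json

REWARD = 25        # miner incentive, the figure given in the text above
DIFFICULTY = 3     # assumed toy difficulty: required leading hex zeros
GENESIS_PREV = "0" * 64


def block_hash(block):
    """Double SHA-256 over every field of the block except the stored hash."""
    body = {k: block[k] for k in ("index", "prev_hash", "transactions", "nonce")}
    data = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def mine_block(chain, pending, miner):
    """Collect pending transactions into a block and search for a valid nonce."""
    txs = [{"from": "coinbase", "to": miner, "amount": REWARD}] + list(pending)
    block = {
        "index": len(chain),
        "prev_hash": chain[-1]["hash"] if chain else GENESIS_PREV,
        "transactions": txs,
        "nonce": 0,
    }
    while not block_hash(block).startswith("0" * DIFFICULTY):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block


def validate_chain(chain):
    """Re-check every block the way other nodes would before accepting it."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1]["hash"] if i else GENESIS_PREV
        if block["prev_hash"] != expected_prev:
            return False          # block does not link to its predecessor
        if block_hash(block) != block["hash"]:
            return False          # contents changed after the block was mined
        if not block["hash"].startswith("0" * DIFFICULTY):
            return False          # proof of work missing
    return True


def balance(chain, owner):
    """What a wallet does: walk the public ledger and sum coins in and out."""
    total = 0
    for block in chain:
        for tx in block["transactions"]:
            if tx["to"] == owner:
                total += tx["amount"]
            if tx["from"] == owner:
                total -= tx["amount"]
    return total


def demo():
    """Two mined blocks with constructed parties and amounts."""
    chain = [mine_block([], [], "miner-1")]
    pending = [{"from": "miner-1", "to": "alice", "amount": 10},
               {"from": "alice", "to": "bob", "amount": 4}]
    chain.append(mine_block(chain, pending, "miner-2"))
    return chain


if __name__ == "__main__":
    ledger = demo()
    print("valid:", validate_chain(ledger))
    for name in ("miner-1", "miner-2", "alice", "bob"):
        print(name, balance(ledger, name))
```

Changing any recorded amount after mining makes `validate_chain` fail, which is why every participant can trust the same public ledger without a central owner.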

MALWARE AND ONLINE BANKING SECURITY

Internet users, from large corporates and small enterprises to most home users, are increasingly moving to online banking and to mobile applications for their banking transactions, with usage rising from 30% in 2007 to over 70% in 2015. Online banking is convenient and fast, and it simplifies life: the user can work from home or the office instead of going over to a bank and standing in a long queue.

Figure 7. Bitcoin notification

However, a significant percentage of these online banking consumers are at major risk of fraud from malware attacks that infect their handhelds or user systems, even while banks and commercial institutions work overtime to reassure customers by bolstering the security of their online banking portals and mobile banking apps. With malware payloads that can seek out 16-digit credit card numbers or user passwords, online banking security is always in doubt. Mobile banking apps can be compromised too, since smartphones and the Android OS are known to have security flaws, so any online transaction from an infected desktop or mobile is deliberately courting danger. The “It-Will-Not-Happen-To-Me” mindset usually gets attacked first. Only the fools reckon that malware would not infect their systems or mobiles (Davis, Bodmer & LeMasters, 2014). The main reason malware has survived despite several attempts at mitigation is its unpredictability, with the ethical teams always a step behind the cyber attackers. In the UK, online banking fraud is the fastest growing crime, going from £60 million in 2014 to over £150 million in 2015. RBS revealed that 5000 of their customers fell victim to online scams and fraud.

Online banking security fraud is typically carried out in the following ways:

• Malware: Infected user systems can steal end-user credentials and passwords entered on the bank portal by recording anything typed while accessing a particular bank URL.
• Remote Purchase: Stealing user credentials and card details via malware, unsolicited email or a phone call.
• Phishing: Cyber criminals pose as genuine bank portals and lure unsuspecting users into logging on with their credentials and passwords. Malware can affect user systems by modifying DNS, redirecting them to a malicious site posing as the user's bank.
• Cloned: Cyber criminals clone cards from the magnetic strip on a card and use them for online purchases.
• Identity Theft: Infiltrating a user account, taking over the account and requesting a new card and PIN.

Tips for safe online banking:

• Use Unique Account ID and Passwords: User ID and password should be unique and never be the same.
• Regular Malware Scan: Use of an antimalware scanner is a must for those performing online transactions.
• No Online in Public Wi-Fi: Shops and establishments offering free Wi-Fi carry the risk of network traffic being snooped with sniffers that can decipher logon credentials and passwords.
• Never give your banking and personal details on the phone to someone claiming to be from a bank.
• Banks need to perform behavioral pattern analysis, web inject signature detection, user input analysis, and inbound/outbound traffic analysis.

The authors reviewed online banking malware targeting customers of financial and banking institutions (Aljawarneh, Al-Rousan, Maatuk, A. & Akour, 2014). The study found several banking malware packages being sold ‘off-the-shelf’ as software apps. Dridex and Dyre were identified as the top online banking malware; they can bypass regular user authorization methods such as TAN codes, hardware token numbers and SMS. Dridex steals customer information or modifies information on the fly using HTML injections. It is sent to an unsuspecting user as a Word or Excel document attachment that appears to come from a bank. When the attachment is opened, the payload copies itself to mapped and removable drives and opens a backdoor to download a malicious payload onto the victim's system. This malware also features novel routines and techniques to bypass detection. Dyre steals financial data by hiding in email attachments posing as an email from a tax consultant. The proposed anti-malware solution discussed in this chapter holds enough promise to mitigate and block malware from being detected and spreading.

RANSOMWARE PROPAGATION

Ransomware infects user systems through various factors, and there are several ways in which malware is propagated into user systems and leads to ransomware infection (Aljawarneh, Alkhateeb, & Al Maghayreh, 2010). Some of these are discussed here.

• Traffic Redirection: This is the most common method. The user is enticed and their web traffic is redirected to another site that hosts the malware as an exploit kit. Usually the redirected traffic goes from porn sites to a portal offering free games or upgrades for user applications. If the user accepts and downloads the freeware, the malware payload exploits vulnerabilities in the user's computer, leading to the locking or encryption of their system and files.
• Malvertisements and Spam: This involves a drive-by-download process. The user is made to click a malicious advertisement for freebies or money flashing on the web site being browsed, or to open emails with attachments or links that entice them to access web portals hosting the ransomware. At first look the email seems to come from a legitimate sender, such as the user's energy bill, tax returns, legal notifications or even job seekers, and asks the user to open the attachment or to click a link and update it with their latest information. While the user opens the attachment or browses the web site, the malware sets about infecting the system in the background.
• Ransomware as a Service: With the growing trend of digital extortion, cybercriminals have started providing Ransomware as a Service, or RaaS (in cloud computing terms). They offer to carry out malware attacks for payment or for a share of the profits, running the attacks like a business service from the cloud.
• Botnets: These are distributed by way of downloaders that compromise user systems and then download the malware as a second step. The downloaders are legitimate software such as free games or tools that do not contain the malware themselves; they download the malicious code and infect the user system later.
• Social Engineering: At times ransomware has a built-in self-propagation function that spreads it to other systems, either by sending emails to the contacts in the user's Outlook address book or by sending SMS messages to their phone list. This method is effective because the malware comes from a legitimate source and is accepted easily. W32.Ransomlock.AO is a screen locker that infects a user system and also spreads to others.

Table 1. Recent ransomware attack methodologies

| Ransomware | Attack Method | Ransomware Payment |
|---|---|---|
| Trojan.Punder.A | Copies different types of files to hidden folders. | Remit $10 to a designated Chinese Industrial and Commercial Bank account. |
| Archiveus | Links all original files in the ‘My Documents’ folder to point to a single file named EncryptedFiles.als; deletes all original files; creates a HOW-TO-GET-YOUR-FILES-BACK.TXT ransom demand text file directing the victim to receive decryption keys, which exist in the malicious code. | Suggests victims purchase some products from Russian pharmaceutical websites and send the order ID. The attacker validates the order ID and then emails the decryption key. |
| Trojan.Randsom.A | A distracting notification window is displayed over other application windows on the screen, with a bluff that a file is being deleted every 30 minutes. | Remit $10.99 through Western Union. |
| Trojan.PGPCode | Encrypts all files using the RSA algorithm. | Notifies victims to remit $200 to a designated E-Gold account. |
| Trojan.Cryzip | Compresses document files (txt, doc, rtf, etc.), database files or multimedia files into a password-protected ZIP. The decryption key used for the ZIP file is stored in the file Cryzip. | Notifies victims to remit $300 to a designated E-Gold account. Specific instructions are given. |
| Onion | Encrypts files with a 72-hour deadline, using the TOR network. | Requires Bitcoin payment to release. |

RANSOMWARE TECHNIQUES

While ransomware is devised to extort money from innocent users by making them victims of a malware attack, the manner in which this is done varies in its operational and technical aspects. Most malware hides in the folders listed below in order to execute and propagate. A few Windows registry settings are also modified to enable the malware to manifest and stay ‘alive’:

Figure 8. Ransomware propagation

Figure 9. Spam email containing CHM file as a RAR payload

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\

Recent crypto ransomware uses symmetric as well as asymmetric encryption methods. Here we take a look at a few file-encrypting ransomware families.

Table 2. Impact factors in Windows operating systems

Folder Locations:
• %ApplicationData%\Microsoft\
• %Temp%\File.dll
• %System%\File.tmp
• %Temp%\File.tmp
• %System%\File.dll
• %Program Files%\Movie Maker\File.dll
• %All Users Application Data%\File.dll
• %Program Files%\Internet Explorer\File.dll

OS Process:
• svchost.exe
• services.exe
• explorer.exe

Services Stopped:
• Windows Defender Service (WinDefend)
• Windows Error Reporting Service (ERSvc)
• Windows Error Reporting Service (WerSvc)
• Windows Automatic Update Service (Wauserv)
• Background Intelligent Transfer Service (BITS)
• Windows Security Center Service (Wscsvc)

Table 3. Impact factors in Unix and Linux operating systems

Folder locations:
• /bin/login /bin/ps /bin/.login /tmp/ /etc/rc.d/ /usr/scr/
• /usr/bin/.ps /etc/ /usr/sbin/ /usr/spool/ /usr/lib/

OS Process:
• Apached ftpd lpd
• rpc.statd zssld

CryptoWall 4.0

CryptoWall 4.0 has been released recently. It displays a redesigned ransom note, uses new filenames, and encrypts the names of files along with the file data. The cyber world was first alerted to this new variant by blog postings about infections by what was originally called the ‘Help your files’ ransomware. After sample analysis, it was determined to be a new version of CryptoWall.

The most significant change in CryptoWall 4.0 is the ability to encrypt the file names of the encrypted files. Typically a file name is changed to a unique encrypted name similar to 68p7k6037z.x1nep or 9102on67c.63a8. The file names are encrypted to make it difficult to gain any information about the files to be recovered, making it all the more frustrating for the victim. The second change in CryptoWall 4.0 is a redesigned HTML ransom note, now named help_your_files.html, which displays ransom quotes of annoying arrogance to affect the victim further, such as:

• Cannot find the files you need?
• Are you now unable to read the contents of the files?
• Do you know the data and your files have been encrypted?

The new CryptoWall version continues to use the traditional email distribution methods. The payloads analyzed arrived as an email attachment containing a zipped Word document resume. The resume files are actually JavaScript files which, when executed, download an executable to the Windows %Temp% folder and execute it. CryptoWall 4.0 has similar installation characteristics and communication methods to the previous versions. During the communication phase with the command and control servers, RC4 encryption is used, and the victim's unique ID is created from the MD5 hash of the computer name, volume serial, processor information and OS version details. Much like the previous versions:

Figure 10. Folder displaying encrypted files after CryptoWall 4.0 impact

Figure 11. Resume having JavaScript file sample

• CryptoWall 4.0 injects itself into Explorer.exe.
• It disables System Restore, deletes all the Shadow Volume Copies, and turns off Windows Startup Repair using BCDEdit.
• It then injects itself into svchost.exe and encrypts data on all the local, removable and mapped drives.
• After encryption is completed, the ransom notes that explain the mishap, the impact and the purchase information are launched and displayed.

CryptoWall 3.0

This ransomware uses AES symmetric and RSA asymmetric encryption techniques, encrypting user files with a common 256-bit AES key while using a different RSA private key to decrypt for each infection. However, access to the internet and a server is required for communicating with the attacker's live central command control system, and to Tor networks for the ransom demand payments. Crypto Wall typically downloads the CHM payload into the system’s TEMP folder, where its contents take the form of interactive HTML files that are usually compressed and hold JavaScript and other image files. When Crypto Wall starts its execution, it opens up a new explorer.exe instance, injects and executes its malicious payload and, more critically, ensures there is no way back to recover the encrypted data and files by deleting the volume shadow copies using the VSSADMIN tool (command: Vssadmin.exe Delete Shadows /ALL /QUIET). The malware then launches a new SVCHOST.exe process with user privilege and injects its script code into that new process. This process then tries to connect to proxies to find a live central command control system of the attacker, which generates and supplies the public key specifically for the victim, displaying ransom notes and instructions to follow. This starts the file encryption for all folders and files and copies the ransom notes into them. Finally, the user’s Internet Explorer is started, displaying the ransom demand. Crypto Wall typically encrypts files with the following extensions using the symmetric AES 256 key: xls, wpd, wb2, txt, tex, avi, ava, ass, asp, js, py, odt, obj, msg, mpg, mp3, lua, key, jpg, hpp, gif, pl, db, c, h, ps, cs, m, rm, swf, sql, rtf, RAW, ppt, png, pem, pdf, pdb, PAS, eps, DTD, doc, der, crt, cpp, cer, bmp, bay. Once encryption is done for a file, Crypto Wall copies the file with an additional random character, encrypting the file contents, and deletes the original file. After all the files are encrypted, Crypto Wall flashes the ransom content on the system screen, with instructions about the ransom demand to be met.
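The CryptoWall behaviour described above (recovery tools run from explorer.exe, an svchost.exe started outside the service manager, a payload launched from TEMP) can be hunted for in process-creation logs. The following is an added example, not code from the chapter; the event field names and the sample events are constructed, and the parent/child baseline (svchost.exe normally started by services.exe) is general Windows knowledge rather than something the chapter states.

```python
"""Flag CryptoWall-style recovery inhibition in process-creation events."""
import ntpath
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). "t" is seconds since an
# arbitrary start; the field names are assumptions for this example.
EVENTS = [
    {"host": "WS01", "t": 100, "parent": r"C:\Windows\System32\userinit.exe",
     "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"host": "WS01", "t": 460, "parent": r"C:\Users\amy\AppData\Local\Temp\a1b2.exe",
     "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"host": "WS01", "t": 463, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "Vssadmin.exe Delete Shadows /ALL /QUIET"},
    {"host": "WS01", "t": 465, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe"},
    {"host": "WS02", "t": 200, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"host": "WS02", "t": 300, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin list shadows"},
    {"host": "WS03", "t": 50, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\bcdedit.exe", "cmd": "bcdedit.exe"},
]

SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.I)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
INHIBIT = {"shadow-copy-delete", "bcdedit-from-injected-host"}
LAUNCH = {"svchost-unexpected-parent", "explorer-from-temp"}


def base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def match_rules(ev):
    """Return the names of all rules that one event triggers."""
    image, parent = base(ev["image"]), base(ev["parent"])
    hits = []
    if image == "vssadmin.exe" and SHADOW_DELETE.search(ev["cmd"]):
        hits.append("shadow-copy-delete")
    # BCDEdit started directly by the processes the malware injects into.
    if image == "bcdedit.exe" and parent in ("explorer.exe", "svchost.exe"):
        hits.append("bcdedit-from-injected-host")
    if image == "svchost.exe" and parent != "services.exe":
        hits.append("svchost-unexpected-parent")
    if image == "explorer.exe" and TEMP_DIR.search(ev["parent"]):
        hits.append("explorer-from-temp")
    return hits


def triage(events, window=300):
    """Return {host: (severity, [rule names in time order])}.

    A host is "critical" when recovery inhibition happens within `window`
    seconds of an anomalous launch, "high" for inhibition alone and
    "medium" for an anomalous launch alone.
    """
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: (e["host"], e["t"])):
        for rule in match_rules(ev):
            per_host[ev["host"]].append((ev["t"], rule))
    report = {}
    for host, hits in per_host.items():
        inhibit = [t for t, r in hits if r in INHIBIT]
        launch = [t for t, r in hits if r in LAUNCH]
        chained = any(abs(a - b) <= window for a in inhibit for b in launch)
        severity = "critical" if chained else "high" if inhibit else "medium"
        report[host] = (severity, [r for _, r in hits])
    return report


if __name__ == "__main__":
    for host, (severity, rules) in sorted(triage(EVENTS).items()):
        print(host, severity, rules)
```

Listing shadow copies from an administrator's command prompt (WS02) raises nothing; only the delete form and the unusual parent processes do.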

Torrent Locker or Tor

This malware spreads exclusively through spam email campaigns that are localized to specific geographical regions. It uses AES to encrypt files, demands payment in Bitcoin for their release and goes a step further by accessing the victim's email addresses to advance its spread. Tor infections spread through spam emails, which typically carry a Microsoft Office document with an embedded macro that downloads the payload and executes the Torrent Locker file. Tor uses the “Process Hollowing” technique, in which a legitimate Windows system process is launched and then suspended so the malicious code can be injected, after which the process is resumed. Tor uses Explorer.exe to further its activities and deletes the volume shadow copies using the VSSAdmin tool to reduce the chances of the encrypted files being recovered from a previous system restore point. Tor also disables the internet browser’s phishing filter so as to suppress any future warnings when the ransom page is displayed to the victim. Tor usually resides in the C:\Windows folder with a strange random name (like ycizsrqlys.exe) and has a registry key entry for runtime persistence. Tor then contacts the central command control system with a POST request over HTTPS. The command system responds with the ransom demand to be displayed, and Tor generates the encryption key, which is sent back to the command system before the data and files are encrypted. Tor Locker harvests the victim's email addresses and sends them to the central command control system to spread the Tor malware further. The new Tor variants have become smarter and enhanced their encryption process: AES in CBC mode and partial encryption of files are now used. AES in CBC mode results in a unique alphanumeric key stream for each file being encrypted, which means the files cannot be decrypted without the original key. Partial encryption encrypts only the first 1MB of the file (instead of the 2MB encrypted originally), rendering the file useless. Tor communicates with the central command control system using POST over HTTPS, sending the encrypted AES key, the encrypted file numbers and the email addresses of the victim’s friends. After the files are encrypted, the ransom demand is displayed with instructions for payment in Bitcoins. Tor also offers a single-file decryption option, which gives the victim some confidence that by following the instructions they can actually get back their encrypted data after payment is made. After the payment is made, the user typically receives a link to access a personalized decryption tool and the AES decryption key.

Figure 12. Ransomware payment demand note


Figure 13. Ransomware payment demand note
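Because the newer variants encrypt only the first 1MB of each file, affected files can be found after an incident by comparing the entropy of that leading region with the rest of the file and by checking whether the file signature survived. This is an added example, not code from the chapter; the 7.5 bits-per-byte threshold, the 4 KiB minimum size, the file names and the sample data (SHA-256 output standing in for ciphertext) are assumptions made for the illustration.

```python
"""Post-incident triage for head-only ("partial") file encryption."""
import hashlib
import math
from collections import Counter

MIB = 1024 * 1024
HIGH = 7.5        # bits per byte; assumed cut-off for "looks like ciphertext"
MIN_HEAD = 4096   # below this size entropy cannot reach the cut-off reliably

# Well-known file signatures for a few formats.
MAGIC = {"pdf": b"%PDF", "png": b"\x89PNG\r\n\x1a\n",
         "jpg": b"\xff\xd8\xff", "docx": b"PK\x03\x04"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verdict(name: str, blob: bytes, head_len: int = MIB) -> str:
    """Classify one file by the entropy of its head and tail regions."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    magic = MAGIC.get(ext)
    head, tail = blob[:head_len], blob[head_len:]
    if len(head) < MIN_HEAD:
        return "too-small"
    if entropy(head) < HIGH:
        return "normal"
    # Compressed formats are high-entropy throughout, so for them the
    # overwritten signature is the stronger signal.
    if magic is not None and not blob.startswith(magic):
        return "header-destroyed"
    if tail and entropy(tail) < HIGH:
        return "head-only-high"
    return "uniform-high"   # compressed or fully encrypted: inconclusive


def fake_ciphertext(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def build_samples() -> dict:
    """Constructed files: two clean ones, their damaged copies, a tiny one."""
    text = b"Quarterly report, line item 0042, amount 1,250.00\n" * 70000
    jpg = MAGIC["jpg"] + fake_ciphertext(2 * MIB, b"stand-in for jpeg data")
    return {
        "report.txt": text,
        "report_hit.txt": fake_ciphertext(MIB) + text[MIB:],
        "photo.jpg": jpg,
        "photo_hit.jpg": fake_ciphertext(MIB) + jpg[MIB:],
        "note.txt": b"short note",
    }


def triage(samples: dict) -> dict:
    return {name: verdict(name, blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, result in triage(build_samples()).items():
        print(f"{name:16} {result}")
```

Entropy alone cannot separate an intact JPEG from an encrypted one, which is why the signature check runs before the head/tail comparison.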

Ransom32

This is the latest variant in the malicious world of ransomware, making ransomware available as a service. Initially this was a malware campaign with signups managed through a hidden Tor network server, which asked only for a Bitcoin address to which the generated funds would be sent. The malware is based on JavaScript, and disabling JavaScript execution in browsers does not stop it from infecting. After the Bitcoin address is provided, access to the administration panel is allowed, which provides various attack statistics, such as the number of people who have paid or the number of infected systems at that point in time, and allows changing the ransom amount in Bitcoins as well as creating the message boxes or ransom notes the malware is supposed to display. On clicking the download button, a 22MB malware file, “client.scr”, is generated (previous variants rarely exceeded 1MB). Client.scr was in fact a self-extracting RAR with an automated script that unpacked the contents to a temp folder and executed an application (Chrome.exe) that contained the malicious code. The malware code turned out to be Windows application framework development code, using script to create a “Chrome service” and establish Tor network access to its command control system, in order to negotiate the Bitcoin address to send the ransom to and to exchange the cryptographic encryption keys before displaying the ransom note. The malware goes about encrypting the victim's files using 128-bit AES with CTR as the block mode, so a new key is generated for each file, making them a lot more difficult to restore.

Figure 14. Ransom32 Bitcoin address to send the funds to


Figure 15. Ransom32 Admin Panel to check status of the malware attack

Figure 16. Ransom32 demand ransom note


Screen Lock Ransomware

This ransomware displays a message on the user's system screen, with the malware Trojan constantly bringing the locker window to the foreground in a continuous loop; on Android mobiles it even changes the lock screen PIN, utilizing APIs from the operating system itself to perform this task. The ransomware infects the OS, locks the user's screen and covers the entire desktop, displaying only the ransom demand windows. On Android mobiles, this ransomware tricks the mobile user into granting admin privileges, allowing the malicious app to make changes in the Android configuration and reset the screen lock PIN.

Windows and Browser Lock

This ransomware executes entirely within the web browser, displaying the ransom message on the system screen or browser and controlling the background threads and applications to ensure the message stays active. Unlike other variants, which have binary executables, this malware is not an executable: the ransom message page contains just images and HTML code running JavaScript within the web browser. It is propagated mainly using “client side” web technology by the attackers. The ransom page has HTML code, images and iframes that point to other ransom pages, which are called whenever the user attempts to exit the page.

POPUP Advertisements

As popup advertisements get displayed when accessing web sites, the main concept and goal behind popup malware is to get the end user to click the popup at least once. The malware attacker gets paid for each click by having a unique ID for the malware application. Once clicked, another web window opens that takes the end user to another URL that has malware waiting to be pushed using Java or Flash. Initially web browsers had popup blockers, but those blocked even useful popup windows, and attacker methods improved to bypass the web browser popup blockers using a simple JavaScript as below that bypassed the traditional user’s web browser pop-up blocker:

Figure 17. Screen lock ransomware

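Detecting Pop-Ups

Mozilla released a popup blocker patch update for its web browser in 2005 that prevented Java and Flash pop-ups. Using a simple function we can detect a popup blocker and work to bypass the blocker as:

    // Returns true when the browser refused to open a test popup window.
    function DetectBlocker() {
      // Try to open a small window positioned far off-screen.
      var oWin = window.open("", "detectblocker",
                             "width=100,height=100,top=5000,left=5000");
      if (oWin == null || typeof oWin == "undefined") {
        return true;    // open was refused: a popup blocker is active
      } else {
        oWin.close();
        return false;   // the popup opened, so no blocker is active
      }
    }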

In recent times, Adobe Flash has been used for popup advertisements, making them virtually undetectable, as no popups are displayed and the advertisement runs from the web landing page itself or the current window. The attackers then push the ransomware script and execute it on the fly. The main reason malware creators use popups is to redirect the unsuspecting end user to another location with hardly any alarming change in the URL, such as GO0GLE.com or icic.com or icicic.com instead of the correct URLs. Such malicious redirects give the attackers an opportunity to present a copy of the site the user wanted to browse (say a bank site) that is in fact filled with multiple attack vector injection points; after the user clicks anywhere on the page, the system becomes infected with malware, leading to ransomware executable files being pushed to it (the page may even ask for the user's bank logon and password). A more sinister method employed by attackers for planning ransomware attacks is to push scripts and get access to user trace logs for servers and sites. This method is used to detect which sites the user accesses regularly and to collect his/her browsing pattern, so that the attackers can plan an advanced, intelligence-led attack against those sites and push their malicious applications to them for ransomware attacks. By modifying the metadata that internet search engines use for specific keywords, users are misguided, and attackers target those end users who regularly search for a word first and then access the web site from a search engine instead of typing the web site name.

RANSOMWARE PROTECTION

For any security process to be successful, end user awareness and education are most critical. The average users accessing the internet are in fact the first and last line of defense. There is a critical need to ensure end users are kept aware of data security, of the possible impact should ransomware or other malware attack them and, most importantly, of the process they need to follow. This can preempt loss of data and minimize damage, and no amount of high-end technology, security tools or protection can protect an organization from one simple mistake by an end user. However, it must be accepted that expecting end users to keep up with each and every potential threat and new attack vector and to do their bit is asking too much.

Minimizing Ransomware Impact

The impact of ransomware can be minimized by ensuring end users follow the steps mentioned below:

• Security Awareness Training and Procedures: These are essential and mandatory to ensure the end users in an organization are well informed about computer and internet usage. Awareness needs to be generated about topics such as those mentioned below:
  ◦ Security Policy: Should cover the enterprise policies, procedures and SLAs, including the dos and don’ts, to remind end users about their role and responsibilities.
  ◦ Clear Desk: Ensuring all sensitive and confidential material, records, papers or documents are kept secure and locked away by the end user, clearing the work space when leaving the office for the day.
  ◦ Access Passwords: Defining authentication factors (single, two or three), code length, complexity, use of alphanumerics and the manner of storing passwords is the single most important aspect.
  ◦ Viruses: End users need to be aware of the approved process and procedures to follow in case a malware or virus outbreak occurs, and of what to look out for to prevent further infection.
  ◦ Email: Emphasizing spam and mail attachments so users understand this vector, through which many malware samples enter the network. Users should also be aware of the organization’s email usage and abuse policies.
  ◦ Internet Usage: Ensure users understand that, when working, access to the Internet is a privilege and not a right. End users must be made to understand the “Dos and Don’ts” when accessing the Internet, what to be aware of and what to avoid.
  ◦ Computer Theft: Instructions and user awareness help in ensuring the security of computing and portable electronic devices and corporate data.
  ◦ Social Engineering: Awareness ensures users understand how to verify someone’s identity and what information they should and should not share about the organization. The human tendency to be helpful with information is the biggest downfall of any organization.
• Always have updated antivirus, anti-malware and web browser monitoring software, with a personal firewall, running on each user system. While a strong personal firewall enforces rules for what goes out of or comes into the system, and an anti-malware application blocks most malicious code from infecting user systems, ensuring the security applications are up to date is most critical.
• Maintaining a regular backup, as often as possible or after a major project, to either an external hard disk or an online cloud backup service reduces the threat, as the user can simply wipe and reimage the system to its default state, starting afresh and restoring data.
• Popup blockers should always be kept enabled, as popups are the main tactic used by attackers to display luring advertisements and offers. Users simply need to close popups they find suspicious.
• Never open links and attachments inside spam emails or from unknown senders. Attackers create fake sites, trying to entice users to enter their user IDs and passwords.
• Not everything can depend upon security controls; the organization should have an expert team to handle such situations.
• Input threat intel feeds so that blocks can be placed proactively for highlighted ransomware URLs and IP addresses.
• Scan the network weekly/monthly with the newly available ransomware IOCs (indicators of compromise).
• Remove non-reputable applications.
• Always keep applications such as Java and Flash players updated.

Malware Prevention for Home Users

• Always be wary of web sites that prompt for software installations.
• Do not install new software from your browser unless you absolutely understand and trust both the web page and the software provider.
• Scan every item and any program downloaded through the Internet prior to installation with updated antivirus and anti-spyware software.
• Be wary of unexpected email attachments even if they are from known sources.
• Always enable the automatic updating feature for your operating system and apply new updates as soon as they are available.
• Always use an antivirus real-time scan service.


Malware Prevention for IT Administrators

• Deploy HTTP-scanning and content management systems.
• Do not allow unneeded protocols to enter the corporate network.
• Deploy vulnerability scanning software on the network and perform frequent audits.
• Restrict user privileges for all network users.
• Deploy corporate anti-spyware, anti-malware and data loss prevention solutions.

In case the system does actually get infected and the screen displays the ransomware note, immediately disconnect from the Internet. This prevents any personal data from being sent back to the attackers; shutting down the computer then stops the encryption process from continuing. By reimaging and reinstalling the OS and application software and restoring data from backup, the user would be back to normal operations.

RESEARCH REVIEW

The authors reviewed existing solutions and threat vectors for online malware detection, blocking and removal. Some of the existing options for detecting and blocking malware, spyware and viruses are as follows:

• Dynamic Analysis: Automated analysis of suspicious files, which are scanned and analyzed for signatures or impact using tools. Reports are produced at the end of the analysis with information such as registry keys used by the malware, configuration changes made, and device, file or network activity trends. However, an automated scan does not necessarily provide detailed insight. These are signature-based scans, comparing and matching against a database of known malware.
• Static Analysis: Manual analysis taking a deep-dive look at the malicious file’s activities, looking at file headers, embedded resources, payload, hashes, signature and metadata, among a host of other properties that are analyzed. Heuristic scans are done here that do not need a signature analysis. Rules, algorithms or commands which point to its malicious properties are evaluated to detect the malware.
• Cloud Services: Using IaaS to build a virtualized environment, record and analyze the behavior of malicious files and predict the next action or occurrence event. This is real-time protection, and systems are updated several times a day to mitigate zero-day attack vectors. The system integrates with antivirus engines, with a lightweight agent running on user devices (laptop, desktop, mobiles) to monitor any deviation or new files on those devices.

Identifying Threat Vectors

Behavioral malware analysis monitored the following threat vector endpoints:

• User Outbox generates thousands of emails in a very short period of time
• Sudden generation of new programs with executable capability
• Modified Auto run registry keys
• Modification of the end user “hosts” file
• Creation of an “autorun.inf” file on a USB or removable disk or on a network folder

Figure 18. Registry keys showing unwanted programs (malware apps) in startup

Figure 19. Hosts file

Figure 20. Autorun file with malware payload

Proposed Solution

The authors implemented Malware Detection as a Service (MDaaS), which provides malware detection, analysis and reporting services (Hasan Mahmoud Kanakar, Madihah Modh Saudi & Modh Fadzli Marhusin, 2015). Testing malware in this manner requires that the malicious code be run and its behavior observed, even though this infects the sandbox system and makes it potentially unsafe. Hence the authors performed the tests in isolated system environments.


In this solution, three environments are implemented using virtual machines with malware tools. A user device snapshot is taken to determine any changes to the OS, registry, processes or files, and a lightweight agent is installed that constantly pushes the user system and device snapshot and status to the monitoring servers. The agent can also send a malicious file from the user device to the test bed environment for analysis, detection and blocking.

The servers are commissioned and decommissioned each time a new malware analysis is completed. This is done to avoid any chance of the malware's polymorphic features coming into action and potentially infecting the analysis servers, leaking data or payload to other systems, contacting the attacker for new actions to perform or even upgrading themselves. The malware detection service environments are implemented using virtual machines running VMware Servers with Windows 2008 Server hosts in three lab environments.

Environment Setup

Figure 21. Malware detection environments

Malware Behavior Analysis Environment

The first environment is configured for malware behavior analysis, with server snapshots taken before and after receiving malware payload files and logs from user devices that may have been infected. Infrastructure tools implemented:

• Process Monitor with the ProcDOT tool, to determine the manner in which the malware starts to infect and the way in which the processes then interact with the system, infecting the OS, files and registry.
• Wireshark sniffer, for network bandwidth monitoring and for observing the malware payload's attempts to contact the attacker, DNS or other external sources (P2P servers) to engage in bot traffic and to download payload binaries or JavaScript.
• Process Explorer and Process Hacker tools, to observe malware behavior such as the opening of new ports and contact with attacker IP addresses.
• Lightweight agent combined with the Regshot tool, to take user system and device snapshots for before and after state comparison.
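The before/after snapshot comparison described here can be checked directly against the five threat-vector endpoints listed under Identifying Threat Vectors. The following is an added example, not the authors' agent or the Regshot output format; the snapshot layout, the mail-burst threshold (1,000 messages in 60 seconds), the list of executable extensions and the sample data are all assumptions made for the illustration.

```python
"""Diff two endpoint snapshots for the five behavioural indicators."""
import ntpath
from bisect import bisect_left

EXEC_EXT = {".exe", ".scr", ".dll", ".com", ".bat", ".js", ".vbs"}
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed snapshots (assumed layout): send times of outbox messages in
# seconds, a set of file paths, autorun registry values, hosts file text.
BEFORE = {
    "sent_mail": [0, 3600, 7200],
    "files": {r"C:\Windows\explorer.exe", r"E:\photos\trip.jpg"},
    "run_keys": {RUN: {"Updater": r"C:\Program Files\Vendor\updater.exe"}},
    "hosts": "# local names\n127.0.0.1 localhost\n",
}
AFTER = {
    "sent_mail": [0, 3600, 7200] + [9000 + i * 0.02 for i in range(1500)],
    "files": BEFORE["files"] | {r"C:\Windows\ycizsrqlys.exe",
                                r"E:\autorun.inf", r"E:\photos\notes.txt"},
    "run_keys": {RUN: {"Updater": r"C:\Program Files\Vendor\updater.exe",
                       "ycizsrqlys": r"C:\Windows\ycizsrqlys.exe"}},
    "hosts": ("# local names\n127.0.0.1 localhost\n"
              "203.0.113.7   update.example.com\n"),
}


def mail_burst(sent_times, limit=1000, window=60):
    """True if at least `limit` messages fall inside any `window` seconds."""
    times = sorted(sent_times)
    for i, start in enumerate(times):
        # Index of the first message at or after the end of the window.
        if bisect_left(times, start + window) - i >= limit:
            return True
    return False


def active_lines(hosts_text):
    """Hosts entries with comments, blank lines and extra spaces removed."""
    entries = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            entries.append(" ".join(fields))
    return entries


def diff_snapshots(before, after):
    """Return a list of (indicator, detail) findings, in checklist order."""
    findings = []
    # 1. Outbox generating thousands of emails in a short period.
    if mail_burst(after["sent_mail"]):
        findings.append(("mail-burst", len(after["sent_mail"])))
    # 2 and 5. New executable programs and new autorun.inf files.
    for path in sorted(set(after["files"]) - set(before["files"])):
        name = ntpath.basename(path).lower()
        if name == "autorun.inf":
            findings.append(("autorun-inf-created", path))
        elif ntpath.splitext(name)[1] in EXEC_EXT:
            findings.append(("new-executable", path))
    # 3. Added or changed autorun registry values.
    for key, values in after["run_keys"].items():
        old = before["run_keys"].get(key, {})
        for value_name, data in values.items():
            if old.get(value_name) != data:
                findings.append(("autorun-key-modified",
                                 f"{key}\\{value_name} -> {data}"))
    # 4. New entries in the hosts file.
    known = set(active_lines(before["hosts"]))
    for entry in active_lines(after["hosts"]):
        if entry not in known:
            findings.append(("hosts-modified", entry))
    return findings


if __name__ == "__main__":
    for indicator, detail in diff_snapshots(BEFORE, AFTER):
        print(f"{indicator:22} {detail}")
```

The new notes.txt on the removable drive is ignored, and comment or whitespace-only edits to the hosts file are not reported as modifications.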

Malware Code Analysis Environment

The second environment is set up with malware code analysis tools for analyzing instructions in assembly code and in memory dumps. Infrastructure and tools implemented:

• IDA Pro, used as a disassembler to parse Windows OS executable files.
• Scylla, a memory dump tool used to obtain code from system memory. This is a novel way of code analysis, since executable payload instructions are mostly encoded and are extracted in RAM only at execution time.

Malware Reporting Environment

This environment acts as the reporting system for the Internet, proactively analyzing web URLs for sites hosting malware code or payloads. It also checked user systems and devices, taking snapshots for before and after analysis. Infrastructure and tools implemented:

• MalWr and Threat Expert tools, used to perform automated behavior analysis of payload executables.
• WebInspector MxToolKit, for real-time threat assessment and reputation of web URLs hosting suspected malware payloads and code.
• Process Monitor with ProcDOT, to analyze processes that read, write, update or delete registry entries. This helped the authors ascertain the manner in which malware attempts its actions and attacks.
• File and system registry analyzers, for collecting the user data and checking for the presence of suspicious malware. A basic dynamic analysis method is used for the analysis and the behavior observed.

RESULTS

The approach followed includes identifying suspicious code and applications based on their heuristic characteristics, code and behavior. Compared to signature-based antivirus scanning systems, this process can have its own advantages. Anti-malware scanning is shown here to be something that can be offered as a cloud service, with the scanners operating from a secure cloud platform. When the above suspicious actions were observed on the endpoint system, the MDaaS would detect and help block malicious or infected application programs and report the incident to the cloud sandbox system. In this way, other users of the same application program benefit from the experience of other users. Apart from having the advantages of a cloud-based service, which offers user-driven implementation, elasticity and a pay-as-you-use model, this even helps save huge costs and promotes the concept of BYOD (Bring Your Own Device).

Figure 22. Before and after malware detection as a service results

The MDaaS approach also has a few more advantages:

• Public cloud scanners are not limited by hardware infrastructure, making them highly scalable and elastic. Thus tracking malware over long periods, searching in a huge anti-malware database and keeping robust malware profiles of targeted threats are not constrained by a lack of computing power.
• The cloud service is customizable, with the ability to be updated through any method, OS type or version apart from the default set of images. In fact, organizations can upload their preferred images, signatures or even a custom environment configured for scanning their employee systems.
• Being a cloud-based sandbox, the service is not limited by geography. When attackers target office employees located in regions remote from where the on-premise sandbox is running (usually the organization’s IT data center), the cloud service will quickly update employee systems globally and help avoid and block the attack.

CONCLUSION

In this chapter we reviewed the origins and subsequent evolution of ransomware, and can conclude that ransomware is increasingly being used to make ransom demands of victims by cybercriminals seeking to create an alternative source of direct income. Starting from less persuasive forms of direct revenue generation using misleading applications such as PC performance tools, cybercriminals learned and iterated over the years and, with each step, ratcheted up the level of aggression. The online banking industry has been hit hard, as cyber threats due to malware have risen immensely.


Malware attacks progressed from misleading apps to fake antivirus scams and later moved on to pure ransomware in the form of the locker and crypto ransomware threats that are so prevalent today. Bitcoin can change the financial landscape we see today, and the growing demand for this digital currency application might just be the beginning of a new world order. Malicious code is seen as the primary enabler for any attacker to gain access to and maintain a foothold on the end user system. The probability of finding malware programs and malicious code during detection is useful when used with the proposed cloud-based sandbox environment.

REFERENCES

Aljawarneh, S., Al-Rousan, T., Maatuk, A. M., & Akour, M. (2014). Usage of Data Validation Techniques in Online Banking: A Perspective and Case Study. Security Journal, 27(1), 27–35. doi:10.1057j.2012.10

Aljawarneh, S., Alkhateeb, F., & Al Maghayreh, E. (2010). A Semantic Data Validation Service for Web Applications. Journal of Theoretical and Applied Electronic Commerce Research, 5(1), 39–55. doi:10.4067/S0718-18762010000100005

Baek, R., & Elbeck, E. (2015). Bitcoin as an Investment or Speculative Vehicle? A First Look. Applied Economics Letters, 22(1), 30–34. doi:10.1080/13504851.2014.916379

Davis, M. A., Bodmer, S. M., & LeMasters, A. (2014). Hacking Malware and Rootkits Exposed. New York: McGraw-Hill.

Kanakar, H. M., Saudi, M. M., & Marhusin, M. F. (2015). A Systematic Analysis on Worm Detection in Cloud Based Systems. Asian Research Publishing Network.

Kotov, V., & Rajpal, M. S. (2015). Understanding Crypto Ransomware: In-Depth Analysis of the Most Popular Malware Families. Bromium. Retrieved from https://www.bromium.com/sites/default/files/bromium-report-ransomware.pdf

Savage, K., Coogan, P., & Lau, H. (2015). The Evolution of Ransomware. Symantec. Retrieved from http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf

Wyke, J., & Ajjan, A. (2015). The Current State of Ransomware. Sophos. Retrieved from https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-current-state-of-ransomware.pdf

This research was previously published in Online Banking Security Measures and Data Protection edited by Shadi A. Aljawarneh, pages 189-221, copyright year 2017 by Information Science Reference (an imprint of IGI Global).
