Feeds

EU halts carbon trading after 'concerted' hack attacks

€30m up in smoke

Providing a secure and efficient Helpdesk

The European Commission has temporarily halted trading of carbon emissions credits following revelations that some two-million allowances worth about €30m were stolen from insecure accounts in recent days.

At least three of the “cyber attacks” have occurred since the beginning of the year, and other registries are known to be vulnerable, EC officials said in a FAQ posted on Friday. The Associated Press said national systems in five countries – including Austria, the Czech Republic, Estonia, Greece, and Poland – “each fell victim to 'concerted' online thievery over five days this week.”

Trading is scheduled to resume on Wednesday, but only if vulnerable countries secure their registries. Among the measures required, Bloomberg News reported, is the adoption of multi-factor authentication for account access rather than the simple use of a user name and password as is the case at many sites now.

The EC sets a limit on the total amount of carbon that can be spewed into the environment, and then allows polluters to buy and sell emission credits. Factories that emit less can sell allowances to those that emit more. The cap and trade system is the source of intense criticism from both environmentalists and pro-business groups, so it's not clear who is behind the attacks. While each ton of credit is worth about €2m apiece, each certificate comes with its own serial number, so it's not clear if a thief would be able to profit by reselling the stolen credits.

The EC didn't say how the registries were breached. Phishing emails that attempt to swindle registry-account passwords date back to at least July and resulted in the theft of 250,000 carbon permits worth over €3m. EU climate exchange ECX.eu has also come under defacement attacks by what's believed to be green-hat hackers opposed to the system.

The Czech registry compromised this week was planning to upgrade its security on Wednesday, but had to postpone the move after discovering the missing credits. About one million permits belonging to multiple companies were stolen from that exchange, Bloomberg said. Some 475,000 of them belonged to Blackstone Global Ventures and were transferred to accounts in Poland, Estonia, and Lichtenstein.

In November, an exchange in Romania was also compromised, the EC said. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.