Digital dangers

The European Union Emission Trading Scheme (EU ETS) became the target of internet criminals at the beginning of February. For some time, 17 national trade registers stopped operations.

Several holders of carbon credits were confused by e-mails in late January. They had received a message that looked like it came from the German Emissions Trading Authority (DEHSt). The mail’s sender asked the carbon-credit holders to enter their passwords on a fake DEHSt website, arguing that this was necessary to prevent hackers’ attacks. Getting access to secret data this way is called “phishing” in online banking. So far, illegal attacks of this kind had not been a problem in emissions trading.

Every country that participates in Europe’s cap-and-trade system has to manage the data itself. In Germany, the relevant authority is the DEHSt. It registers participating companies and persons, it issues emission credits and keeps the books on who holds what allowance. At the end of the year, DEHSt collects the used pollution credits from the companies. Passwords and code numbers are necessary to access the records at the emissions trading authority; the procedure resembles those of online banking.

The crooks were able to steal the information from seven German customers and transfer around 250,000 credits worth about € 3 million to an account in Denmark. Then they sold the pollution allowances. DEHSt director Hans-Jürgen Nantke speaks of a “well-organised coup”. At the time of sale, however, the emission credits cost less than they had a little earlier.

The actual trading of carbon credits is not done at the DEHSt but at the European Energy Exchange (EEX) in Leipzig or directly between buyers and sellers. One carbon credit allows for the emission of one ton of carbon dioxide. In late February, a credit was worth
€ 12. Transactions are entered into the emissions trading authorities’ registers, similar to the way the purchase of real estate is entered in official land registers. After the phishing scam became known, several national registers closed, but trade went on at the EEX in Leipzig. It is possible to register a transaction at a later point in time.

“On the one hand the system was not safe enough,” read the comment of the Austrian magazine Computerwelt, “but on the other hand, users were careless and did not apply appropriate security measures online.” The European Commission said that the EU’s general register was not as risk, but announced it will raise the security standards. (cir)