Carbon trading fraudsters steal permits worth £2.7m in 'phishing' scam

European Commission launches investigation after 250,000 permits stolen from companies in Germany and Czech Republic
Felicity Carus, guardian.co.uk 4 Feb 10;

Hundreds of thousands of carbon trading permits have been stolen from companies in Germany and the Czech Republic by fraudsters who duped companies into giving their details via a fake website.

Around 250,000 permits worth €3m were stolen from six companies in Germany in last week's "phishing attack", which was first reported to the German national carbon registry on Friday. Permit trading on the German registry was closed immediately but reopened today.

Phishing attacks are similar to online banking scams, in which users are sent emails asking them to enter their details on a facsimile of a website.

Hans-Jurgen Nantke, the head of the German emissions trading authority, said that users had been warned and new passwords set. But he added it would be impossible to track the European emissions trading scheme permits as they would have been traded soon after they left the companies' accounts and changed hands several times since.

He said: "It's not a problem of carbon trading, it's a problem of the internet. The phishing attacks on banks has now spread to carbon trading. The phishers have already earned their money so we can't do anything about the permits. The problem now is to find the culprits and that's police a matter."

Nantke stressed that the German carbon register DEHSt was safe, adding that it has 2,000 companies and only seven were affected. But European carbon trading authorities have not yet confirmed how many companies were affected across Europe.

Europe's main mechanism for reducing emissions from industry has been targeted by criminals before. Last year so-called "carousel fraud" criminals were found to be cashing in on permits bought in countries without paying VAT by selling them on with VAT, and then disappearing without handing the VAT to the tax authorities. Three British men were arrested last month in Belgium and accused of failing to pay VAT worth €3m (£2.7m) on carbon credit transactions.

Barbara Helfferich, environment spokeswoman at the European Commission, said that an investigation had been launched into the phishing attack, but admitted the website had not yet been shut down or the culprits found.

Helfferich said that preventing future attacks was a priority, particularly because of the new European carbon registry scheduled to begin trading in 2012 which will include permits from the aviation industry. "We'll have to look at whether we need to improve security for this registry," she said.

Carbon trading around the world, beyond the European Union's emission trading scheme, is done via an international transaction log run by the UN framework convention on climate change (UNFCCC) under the Kyoto agreement.

The UNFCCC said in a statement on its website: "The secretariat of the UNFCCC has been informed by some national registries operated by parties to the Kyoto protocol that last week, a series of phishing attacks had stolen passwords from some users of these registries.

"The UNFCCC secretariat is collaborating closely with the remaining national registries to ensure that access to their systems is secured. Meanwhile, these registries have been disconnected from the international transaction log (ITL), which is under the control of the secretariat.

"The ITL validates and records all transactions of Kyoto protocol units. It has not been subject to interference and remains fully secure and operational."

Cyber fraudsters attack EU's carbon trading system
Yahoo News 4 Feb 10;

BRUSSELS (AFP) – Online fraudsters have carried out a "widepread" cyber attack on the European Union's Emissions Trading Scheme (ETS), the EU commission said Thursday, promising a security review.

The scam involved fake emails asking users of the carbon trading registries to log on to a malicious website and disclose their user identification code and password, the commission said.

With this data the cyber attackers could carry out fraudulent transactions at their victims' expense, for example by stealing carbon emissions trading certificates.

"Some fraudulent transactions were carried out," but the security of the Community Registry and transaction log "has not been compromised," the EU executive assured.

The widespread "phishing" attack took place last Thursday.

Alerted by the Netherlands and Norway, the EU Commission informed all 27 member states and asked them to take "appropriate security measures" immediately.

The European Commission said in a statement that it "intends to prepare revised Internet security guidelines" following the cyber attacks.

The Emissions Trading Scheme is a method of putting a price on carbon dioxide emissions to turn them into a valuable resource in a bid to cut emissions from industry and limit the effects of global warming

According to the German version of the Financial Times, Germany was among the countries worst hit along with Belgium, Denmark, Greece, Italy, the Netherlands and Spain.

The attack forced the closure of the carbon registries in 13 European nations, according to Serge Harry, head of the BlueNext environmental trading exchange.

Companies currently receive EU carbon dioxide trading quotas for free. Those who use them sparingly can sell off surplus allowances to bad performers who exceed their free limits.

It is planned to start charging operators in some sectors for the trading permits from 2013.