The hackers who broke into the EU system, however, never transferred the credits out of the system. Instead, they opened a dummy account on the Estonian registry, and then they hacked into the Czech registry and transferred a batch of offsets to the Estonian account. Then they sold the offsets to legitimate players in Germany, Luxembourg, and elsewhere. The credits never left the system, but the cash from the transaction did – at least until the thieves were caught a few days later.
Ironically, a key security upgrade was set to be implemented by the end of the week in which the breaches occurred. All that upgrade would have done is require anyone accessing the system to key in both a static password and a randomly generated password delivered by mobile phone on the spot. The hackers had obtained the static passwords for non-commercial users, but would not have been able to get the new randomly generated ones.
Furthermore, the European system of registries itself is on its way out – due to be replaced by a single registry before the next phase of trading kicks in at the end of 2011. The current system, which requires an individual registry in each country, was created long before most people realized that carbon offsets would have value. Indeed, in the months leading up to the January breach, the European Commission had been warning the smaller exchanges that they were vulnerable to just this sort of attack.
None of this means that our modern electronic markets are foolproof or that we should cease being diligent in guarding our financial services transactions. Rather, it means that the technology needed to keep information safe exists – and it works where it's been deployed. The key is deploying it widely and efficiently enough to prevent these kinds of breaches from happening in the future. That's not a complex solution – but it may be an expensive one.
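The two-step check that upgrade describes, sketched as an added example (not code from the article or from any registry): a stolen static password gets past the first step but fails without the code sent to the enrolled phone. The names `RegistryLogin` and `OTP_TTL`, the six-digit code, the 120-second lifetime and the in-memory `outbox` standing in for SMS delivery are all assumptions.

```python
import hashlib, hmac, secrets, time

OTP_TTL = 120  # seconds a delivered code stays valid (assumed value)

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class RegistryLogin:
    """Hypothetical login flow: static password, then a code sent to the phone."""

    def __init__(self):
        self.users = {}    # account -> (salt, password hash)
        self.pending = {}  # account -> (one-time code, expiry time)
        self.outbox = []   # stand-in for the SMS gateway: (account, code)

    def enroll(self, account, password):
        salt = secrets.token_bytes(16)
        self.users[account] = (salt, _pw_hash(password, salt))

    def start(self, account, password):
        """Factor 1: verify the static password, then issue a fresh code."""
        rec = self.users.get(account)
        if rec is None or not hmac.compare_digest(rec[1], _pw_hash(password, rec[0])):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = (code, time.monotonic() + OTP_TTL)
        self.outbox.append((account, code))  # reaches only the enrolled phone
        return True

    def finish(self, account, code, now=None):
        """Factor 2: code must match and be unexpired; it is consumed either way."""
        entry = self.pending.pop(account, None)
        if entry is None:
            return False
        expected, expiry = entry
        now = time.monotonic() if now is None else now
        return now <= expiry and hmac.compare_digest(expected.encode(), code.encode())

def demo():
    reg = RegistryLogin()
    reg.enroll("holder-01", "static-pw")          # constructed sample account
    reg.start("holder-01", "static-pw")           # intruder replays stolen password
    sent = reg.outbox[-1][1]                      # code the intruder never sees
    guess = ("1" if sent[0] == "0" else "0") + sent[1:]
    intruder = reg.finish("holder-01", guess)     # False: wrong code
    reg.start("holder-01", "static-pw")           # account holder logs in
    owner = reg.finish("holder-01", reg.outbox[-1][1])  # True
    return intruder, owner
```

Consuming the pending code on every attempt, including failed ones, means each guess costs a fresh first step, which is where rate limiting and alerting on repeated second-factor failures would attach.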