Selling carbon credits: Stronger authentication could've foiled theft

Two-factor authentication at a Prague-based energy-trading platform could have prevented the theft of millions of dollars worth of carbon credits.

A recent series of thefts involving $38 million worth of carbon credits could have been prevented if the organisations holding them had implemented two-factor authentication.

Last week, the European Union had to suspend the EU Emissions Trading System -- which allows companies to buy credits in order to offset any environmental damage they cause -- after what it described as "recurring security breaches in national registries over the last two months."

The latest such breach, perpetrated at Prague-based OTE a.s., a government-owned energy-trading platform, came to light when a Czech trader opened his account expecting to find 450,000 credits valued at €7 million ($9.4 million) and discovered the account had been cleared. The credits, each of which has a unique serial number, had been sold on the open market before the theft was discovered.

OTE has since admitted that around a million credits in total had gone missing, with a combined value of $19 million. In addition, it has emerged that the OTE breach is just the latest in a string of similar breaches involving registries in Estonia, Poland, Greece, Romania and Austria during the last two months, bringing the total number of stolen credits to around two million, worth $38 million.

One reason for the late discovery of the OTE theft is a bomb scare that occurred in Prague around the same time on the day of the theft, Tuesday, Jan. 18. A caller telephoned the OTE building claiming a bomb had been left there, and offices were evacuated, leaving screens unobserved while the theft and subsequent sales took place. Some local reports said the Czech police suspect the two events are linked.

Carbon credits are currently held by 27 different national registries in the EU, although plans are in place to centralise the systems. The EU had also asked for the registries to improve security by introducing a stronger authentication system, using a second form of authentication, a randomly generated code sent to a mobile phone.

However, it has emerged that the Czech system, like those in 13 other EU member states, had not yet implemented the extra level of authentication. According to a report by news agency Bloomberg, OTE was due to implement two-factor authentication on Jan. 19.

The EU released a short notice concerning the thieves selling carbon credits, saying that credits trading will not resume before Wednesday, Jan. 26: "Following a first such security breach in early 2010, the Commission has worked closely with national authorities responsible for registries to ensure adequate security measures are put in place in all registries. The incidents over the last weeks have underlined the urgent need for all registries to ensure these measures are speedily implemented."

The OTE website currently shows a message saying, "Emission Trading Registry is not accessible for technical reasons."
