By Andrew Shikiar, executive director of the FIDO Alliance
Cryptocurrencies are becoming mainstream. Despite recent dramatic price falls after bitcoin hit an all-time high of around $65,000 in April, interest in owning cryptocurrency has continued to grow this past year. A report from the Financial Conduct Authority released last month estimated that around 2.3 million UK adults now own some form of cryptocurrency, up 21% over 12 months, and that 78% of the population have now heard of cryptocurrency.
However, alongside this growing interest in cryptocurrencies is a significant increase in cybersecurity risks. Investors need to be aware of these risks and the industry must do all it can to make cryptocurrency safer.
The first main issue is rising crime, as new crypto investors are targeted by scam artists, fraudsters and cyber criminals.
Nearly $3.78 billion was stolen in 122 blockchain-related attacks throughout 2020, equivalent to $10 million a day. Meanwhile, according to the US Federal Trade Commission, nearly 7,000 people lost more than $80 million in scams between October 2020 and March 2021 — a 1,000% increase from the year before.
These scams range from fake currency exchanges to phoney giveaway websites offering free cryptocurrency. In March, scammers took advantage of the highly publicised appearance of Tesla CEO Elon Musk on US comedy show “Saturday Night Live” to steal around $10 million worth of various cryptocurrencies.
Investors are particularly vulnerable as there is virtually no way to protect their accounts from theft; in the world of cryptocurrency, there are no guarantees. Traditional banks will generally cover losses if you are the victim of fraud or identity theft, while the Financial Services Compensation Scheme will protect UK consumers when a financial firm fails, but there is no equivalent scheme protecting your crypto assets.
In order to prevent theft, it is essential to enable secure access to these cryptocurrency assets. However, this is where we encounter the other major cybersecurity issue concerning cryptocurrency: how do we enhance security while also ensuring that investors can always access their accounts?
Security issues and problematic passwords
Many accounts are initially set up using passwords or other knowledge-based authentication (KBA) – both of which are inherently unfit for purpose to protect high-value accounts.
Specifically, passwords simply aren’t suitable for securing high-value accounts, because they can be easily compromised, either through phishing attacks (a form of social engineering where a victim is tricked into divulging their personal information, such as login credentials) or outright theft by purchasing one of the 15 billion credential pairs that are readily available on the dark web.
Furthermore, if you forget your password, you may have trouble recovering access to your account. There are several high-profile news stories of cryptocurrency investors being locked out of a fortune after forgetting a crucial password, such as that of German bitcoin trader Stefan Thomas, who has lost the password to a hard drive containing the key needed to access a digital wallet holding 7,002 bitcoins, currently worth around $165 million.
Meanwhile, KBA suffers from several problems, such as a user’s inability to remember a key piece of information or the wide availability of personal information on the internet through social media or data leaks. It is also possible to buy huge amounts of personal data from the dark web for relatively little cost.
Even if an account is protected by traditional two-factor authentication, such as requiring a code sent via SMS, attackers use SIM swapping and other techniques to get the code sent to their own phone instead of to the intended recipient. These methods, as well as dedicated authenticator apps, are also vulnerable to replay attacks – where the cybercriminal injects themselves into the authentication flow, unbeknownst to the account holder.
Using these approaches, cryptocurrency account takeovers are occurring more and more frequently. Once inside an account, criminals can quickly empty its contents, as almost all transactions are finalised within minutes and not easily reversible. Cryptocurrency exchanges themselves are also commonly targeted; in 2020, there were 28 exchange breaches, totalling over $300 million in losses.
Unfortunately, there are few pre-established trust relationships between users and the exchange or wallet provider. Many users have experienced terrible customer support with these exchanges, often having to wait for weeks or even months to regain access to their accounts, simply because it is so difficult to prove that they are the rightful owner.
How modern authentication can protect digital assets
So how do we address these issues? The answer lies in moving away from knowledge-based authentication to possession-based authentication. In this scenario, all cryptographic login credentials are stored on a physical device, like a smartphone or security key, that the account holder – and only the account holder – is in possession of.
This approach is proven to be resistant to phishing and account takeovers, and the technology is already embedded into billions of devices worldwide and available to anyone using a modern internet browser.
Crypto exchanges are already aware of these benefits and several have already added support for the FIDO (Fast IDentity Online) possession-based authentication protocols, including Coinbase, Binance, and STEX. Gemini was an early adopter of FIDO for both its smartphone app and web browser, with a growing percentage of its users protecting their accounts with FIDO authentication by purchasing FIDO Certified security keys.
However, standardised authentication alone cannot solve security issues unless it is adopted widely throughout the industry. A consistent approach to security and standardised authentication flows across exchanges, as well as for digital and physical cryptocurrency wallets, is desperately needed to protect investors and their assets – and these best practices should be universally encouraged for all users, across exchanges. More can and needs to be done to take the onus of protection away from individuals and onto the institutions.
In conjunction with this push towards possession-based authentication, users should be required to have multiple authenticators to assist with account recovery for each cryptocurrency exchange – whether that is two security keys or a security key and a biometric authenticator. Having multiple account recovery keys for each exchange will reduce pressure on customer support and help users who lose a device. It would also offer users a choice of stronger authentication options.
Finally, exchanges should eliminate using less secure backup and recovery options such as using SMS or other knowledge-based factors. This will help improve overall security, especially for account recovery.
For the crypto industry to reach its full potential, exchanges must balance cryptocurrency’s anonymity and privacy with the security needed for accounts and assets. Following in the footsteps of exchanges like Gemini and enabling users to fully secure their accounts would help to protect customers from phishing attacks and account takeovers, without sacrificing convenience and privacy.