WHAT SECURITY LESSONS CAN THE WORLD OF TRADITIONAL FINANCE TEACH CRYPTOCURRENCY FIRMS?

By Michael Magrath, VP Global Regulations and Standards,OneSpan

 

Cryptocurrency has had a whirlwind of a year. The growth in popularity of currencies like Bitcoin and Ethereum saw valuations skyrocket, whilst government crackdowns in countries including China and Turkey – and even Tweets by Elon Musk – caused them to fall just as dramatically.

Meanwhile, financial institutions have bought and sold cryptoassets in vast quantities, mainstream consumer payment providers have started offering digital assets to their customers, and Bitcoin has even become legal tender in El Salvador.

However, these exciting developments have been punctuated by regular reports of significant cyberattacks on crypto exchanges and custodians. Research shows that $1.9 billion worth of cryptocurrency was stolen by hackers in 2020. And just last month, hackers successfully targeted Japanese blockchain-based platform Poly Network and extracted more than $600 million in Ethereum and Binance coins, as well as the stablecoin, USD Coin (USDC) tokens.

 

The crypto regulation challenge

Since the invention of crypto, regulation has lagged behind technological advancements in the space. Nonetheless, crypto continues to edge its way into the financial mainstream. Unlike cryptocurrency firms, banks and other traditional financial institutions are required to comply with complex and demanding security standards. These ensure that they’re equipped with the necessary resources and skills to continually adapt to the rapidly shifting cyber threat landscape.

Michael Magrath

Despite huge efforts from global regulators and international monetary organisations to effectively build frameworks for the secure, safe exchange and storage of crypto assets, the crypto space remains very underregulated. This can be attributed in part to the breakneck pace of innovation in the industry, which makes it nearly impossible for policymakers to ensure that consumers are protected.

Recently, Gary Gensler, US Securities and Exchange Commission chief, urged crypto trading platforms to register with his organisation on the grounds that many cryptocurrencies qualify as securities. He warned that, for the crypto market to still be relevant in ten years, firms would have to start operating within a public policy framework.

Today, many central banks are now working on releasing their own digital currency. These public currencies referred as Central Bank Digital Currencies (CBDC) will compete with private currencies like bitcoin and others. While this is an ongoing process, industry bodies and governments alike are seeking to establish regulations and guidance to ensure fair competition.

 

Lessons must be learned

Any technological innovation inevitably carries with it a degree of cyber security risk. Cryptocurrency is no different in this regard. Every new way to trade, store or monetise digital assets opens a new channel for hackers to exploit. It’s like when Apple releases an updated version of its operating system – a stream of security updates inevitably follows, as developers plug potential exploits and vulnerabilities. The difference is that most crypto firms have nowhere near the research and development resources of a major financial institution or tech giant.

All this doesn’t mean that the battle is lost, and crypto firms are condemned to a future of frequent cyberattacks. Instead, there are a series of practical, achievable steps that firms can take to protect themselves. Let’s examine the recent Coinbase hack. Though a disaster for the 68 million users at risk of losing their assets, by traditional finance standards, the cause of the breach was extremely simple – and therefore relatively easy to guard against in future. According to experts, the attack was a “SIM swap”, where hackers compromise victims’ mobile phone numbers and use these to authenticate themselves as a valid account holder.

For many years, SIM swap fraud was a method commonly used by malicious actors to gain access to the bank accounts of unsuspecting consumers. As a result, financial institutions moved away from using text messages as a form of authentication. Utilising text messages for multi-factor authentication (MFA) often puts the onus of protecting customer data on mobile network operators, whose systems are not designed to withstand such attacks. This is the security equivalent of locking the Mona Lisa away in a self-storage unit, rather than the Louvre.

The U.S. Federal Financial Institutions Examination Council (FFIEC) appropriately notes in its updated Guidance Authentication and Access to Financial Institution Services and Systems that not all MFA solutions offer equal usability and security pointing out that “certain MFA factors may be susceptible to ‘Man in the Middle’ (MIM) attacks, such as when a hacker intercepts a one-time security code sent to a customer.”  This is true as NIST uses this example in its Digital Identity Guidelines: Authentication and Lifecycle Management (Special Publication 800-63B). In July 2020, NIST published Special Publication 800-63: Digital Identity Guidelines FAQs reminding readers that SMS-OTP is a “restricted” authenticator.

Instead, most major banks now use Mobile PUSH notifications for MFA, verifying customer identities using a secure mobile app. These apps often employ the latest ID verification technologies – such as AI, biometrics and liveness detection – to ensure that access can only be gained by a genuine account holder. Looking forward, crypto firms urgently need to re-examine their user authentication practices, using these technologies to stem the flow of authentication-based hacks.

 

Implementing user verification policies

Unlike online banking fraud or card identity theft, it’s extremely difficult for crypto firms to mitigate the effects of a hack. This is because cryptocurrency transactions are irreversible and can only be refunded by the recipient. So, once a hack happens, funds are usually lost forever. This makes preventing hacks from occurring in the first place even more important.

What’s more, crypto networks typically rely on pseudo anonymity, where users are identified only by a string of random letters and numbers known as an address. This makes it very difficult to identify the perpetrators behind a hack and bring them to justice. Plus, since networks are decentralised and trustless, there is no way to identify transactions subsequently made with stolen cryptocurrency.

By contrast, traditional banks have for many years been subjected to stringent Know Your Customer regulations, designed to prevent money laundering. In 2019, the Financial Action Task Force (FATF) adopted strict AML/CTF requirements on Virtual Asset Service Providers (VASPs), which include crypto exchanges.  In its latest draft to revise its 2019 requirements, it states, “regardless of the nature of the relationship or transaction, countries should ensure that VASPs have in place effective procedures to identify and verify, on a risk basis, the identity of a customer, including when establishing business relations with that customer; where VASPs may have suspicions of ML/TF (money laundering/terrorist financing), regardless of any exemption of thresholds; and where they have doubts about the veracity or adequacy of previously obtained identification data.”

There’s no doubt that crypto firms need to take security more seriously. The risks of not doing so are enormous. On the one hand, every successful hack chips away at already shaky consumer trust. On the other, there’s the very real possibility of inspiring the ire of regulators, who have the power to impose draconian regulation that would stifle the growth of this nascent industry.

When it comes to security, crypto firms can learn a lot from their older, more established peers in the world of traditional finance. If they are to build and maintain the credibility needed to become trusted, mainstream providers of financial services, they need to avoid repeating past mistakes made by banks and financial institutions. It’s now up to crypto firms to take advantage of the wealth of security resources available to them.

 

spot_img

Explore more