Cryptocurrency has been lauded for its many innovative benefits: its confidentiality, security, and flexibility. Unfortunately, things may have taken a turn for the worse as this digital currency faced one of its biggest challenges. A total of $300 million was embezzled from cryptocurrency accounts in 2020. Most of these scams were made up of phone number hijacking, fake crypto exchanges, and phishing schemes.
As if cryptocurrency has not been scrutinized enough for the lack of regulation, it has now come under fire, bringing them under more surveillance by regulators.
Scams On The Rise
According to the Federal Trade Commission, almost 7,000 people lost over $80 million from October 2020 to March 2021. This was a staggering 1,000% increase from the year prior.
Some of these scams involved phony “investment” websites and fake currency exchanges selling cryptocurrency. Scammers also took advantage of Dogecoin promoter Elon Musk’s appearance on Saturday Night Live. In the time leading up to his appearance, fake campaigns and giveaways were launched, using his likeness and compromised social media accounts. The imposters carried out a massive cleanup with more than $10 million stolen in numerous cryptocurrencies.
By the end of 2020, theft in cryptocurrency amounted to roughly over $10 million per day.
Despite the freedom that cryptocurrencies offer, the fact remains that you cannot protect your accounts from theft. In the conventional banking industry, the Federal Deposit Insurance Corporation has your back and is there to cover you should you have any losses on your account. No such security net exists with cryptocurrency. If you were to have your funds stolen, there is nothing that can be done.
The Gaping Holes Of Knowledge-Based Authentication (KBA)
In order to increase security and protect these assets, there must be an “enabling of secure access” for these cryptocurrency assets.
The current setup involves using passwords and knowledge-based authentication or (KBA). The problem with this method is that passwords can be easily compromised. Theft and phishing attacks are the most used tactics. Also, if there is a cryptocurrency wallet that is not used as often, you run the risk of not only forgetting your password but also recovering it. Provided that there is a method of recovery.
KBA is also problematic as one can easily forget the answers to those questions prompted at the beginning (what’s your favorite hobby?). Personal information such as your mother’s maiden name can also be easily accessed on the web by paying a small fee.
Account takeovers are also on the rise for cryptocurrency. What doesn’t help is that there are no “pre-established trust relationships” between the exchange or the wallet provider and the user. Another disadvantage, which was once a selling point, was that transactions were finalized in a matter of minutes and irreversible.
Authentication Best Practices Is The Answer
So what is the best way to tackle this onslaught of fraud? It is best to use a “standards-based user authentication”. One that has a demonstrated track record of warding off both phishing and account takeovers.
An authentication protocol called FIDO (Fast IDentity Online) was also developed in order to ensure all cryptographic credentials were already stored in a user’s device to prevent “machine-in-the-middle-attacks.” Ideally, the entire cryptocurrency industry would adopt the FIDO approach to modernize authentication.
More best practices worth considering include:
- Require users to use “multiple authenticators” to assist with account recovery for each cryptocurrency exchange
- Normalize authentication flows and practices across crypto exchanges.
- Remove less secure backup and recovery options, such as using SMS
The cryptocurrency market continues to grow as it becomes more mainstream and its adoption increases. However, in order for this to continue, cryptocurrency exchanges must comply with regulations and must work equally hard to protect their users from fraud. Exchanges also have to strike a careful balance between anonymity and privacy.