Cryptocurrencies have had a turbulent year. On the one hand, the growing popularity of Bitcoin, Ethereum and Co. caused their ratings to skyrocket. On the other hand, state intervention in the crypto market in countries like China and Turkey, in addition to the tweets from Elon Musk, also caused dramatic price drops.
Nonetheless, digital currencies are increasingly being accepted and integrated by traditional finance: for example, financial institutions have now bought and sold crypto assets in large quantities. Established payment service providers have started to offer their customers digital assets and in El Salvador Bitcoin has become legal tender.
However, these developments have been overshadowed by regular reports of massive cyberattacks on crypto exchanges and custodians. According to studies, hackers stole cryptocurrencies worth $1.9 billion in 2020 alone. Just a month ago, more than 600 million US dollars in Ethereum and Binance coins, as well as tokens of the stablecoin USD Coin (USDC), were stolen in an attack on the Japanese blockchain platform Poly Network.
The challenge of crypto regulation
Since the invention of cryptocurrencies, regulation has lagged behind technological advances in this area. Regardless of this, cryptocurrencies are making their way into the mainstream. In traditional finance, banks and financial institutions have to comply with complex and demanding security standards. This ensures that they have enough resources and skills to continuously adapt to the rapidly changing cyber threat landscape.
The crypto landscape, on the other hand, is still barely regulated, despite enormous efforts by government agencies and monetary authorities around the world. This can be attributed, at least in part, to the breakneck pace of innovation in the industry. It will be almost impossible for politicians and decision-makers to guarantee the protection of consumers under these conditions.
Gary Gensler, head of the US Securities and Exchange Commission, recently asked crypto trading platforms to register with his authority, because many cryptocurrencies are now considered securities. In addition, he warned the companies that in the future they will have to operate within a predefined and regulated framework so that the crypto market does not lose its relevance in the next ten years.
Many central banks are currently working on issuing their own digital currency. These so-called central bank digital currencies (CBDCs) will then compete on the crypto market with currencies from private providers such as Bitcoin. The European Central Bank decided in July this year to start the digital euro project. However, the new digital currency will not reach digital wallets before 2026. The introduction of state-issued crypto money is still an ongoing process, but both industry associations and governments are already trying to establish regulations and guidelines to ensure fair competition.
Lessons must be learned
Any technological innovation inevitably brings with it some cybersecurity risk. Cryptocurrencies are no exception. Every new way of trading, storing, or monetizing digital assets opens up new opportunities for hackers to exploit. Much as the release of a new version of the Apple operating system is usually followed by a flood of security updates as developers fix newly found vulnerabilities, the same applies here. The difference, however, is that most crypto companies don’t have nearly the same level of research and development resources as large financial institutions or tech giants.
However, that does not mean that the battle for cybersecurity is lost and that crypto companies will simply have to expect frequent cyberattacks in the future. Rather, there are a number of practical, feasible steps businesses can take to protect themselves. Let’s take a look at the latest hacker attack on Coinbase: for the 68 million users who were threatened with losing their funds, the attack was a disaster. But by the standards of traditional finance, the cause was very simple, and could therefore be prevented relatively easily in the future. According to experts, the attack was a so-called “SIM swap”, a scam in which hackers take over the cell phone numbers of their victims and then pose as the legitimate account holders.
For many years, SIM swapping has been a common method used by fraudsters to gain access to the bank accounts of unsuspecting consumers. As a result, financial institutions have moved away from using SMS messages as a form of authentication. When SMS messages are used for multi-factor authentication (MFA), the protection of customer data rests largely with the mobile network operator, whose systems are not designed to fend off hacker attacks. In terms of security, this is a bit like keeping the Mona Lisa in a rental warehouse instead of the Louvre.
Most of the big banks now use push notifications for MFA to verify the identity of their customers via a secure app. These apps often use the latest identity verification technologies, such as AI, biometrics, and liveness detection, to ensure that only the real account holder has access. Looking to the future, crypto firms urgently need to revise their user authentication practices and use technology that prevents attacks which exploit authentication data.
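Added example, not code from the article: a minimal Python model of the two factor designs contrasted above. The SMS code is bound only to a phone number, so whoever the operator delivers it to passes the check, whereas the app factor answers a fresh server challenge with a key that never leaves the enrolled device. The in-memory state and the use of HMAC in place of a device-bound signature key are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory server state (assumption: a real service would
# persist it, expire codes and rate-limit attempts).
_pending_sms = {}     # phone_number -> one-time code awaiting entry
_device_keys = {}     # user_id -> key provisioned on the enrolled device
_pending_nonce = {}   # user_id -> server nonce awaiting a signed response


def sms_send_code(phone_number: str) -> str:
    """SMS factor: the code is bound to a phone number, not a device.
    Whoever the operator routes the number to can read and submit it."""
    code = f"{secrets.randbelow(1_000_000):06d}"
    _pending_sms[phone_number] = code
    return code  # in reality handed to the mobile operator for delivery


def sms_verify(phone_number: str, code: str) -> bool:
    """Passes for anyone who presents the code sent to that number."""
    expected = _pending_sms.pop(phone_number, None)
    return expected is not None and hmac.compare_digest(expected, code)


def device_enroll(user_id: str) -> bytes:
    """App factor: a secret generated at enrollment that stays on the device."""
    key = secrets.token_bytes(32)
    _device_keys[user_id] = key
    return key


def device_challenge(user_id: str) -> bytes:
    """Server side of a push prompt: a fresh nonce the app must sign."""
    nonce = secrets.token_bytes(16)
    _pending_nonce[user_id] = nonce
    return nonce


def device_sign(device_key: bytes, nonce: bytes) -> bytes:
    """App side: HMAC stands in for a device-bound signature."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


def device_verify(user_id: str, response: bytes) -> bool:
    """Accept only the enrolled key's answer to the outstanding nonce."""
    nonce = _pending_nonce.pop(user_id, None)
    key = _device_keys.get(user_id)
    if nonce is None or key is None:
        return False
    return hmac.compare_digest(device_sign(key, nonce), response)
```

Because each nonce is consumed on first use, a captured response cannot be replayed, and a key that was never enrolled cannot answer the challenge regardless of which phone number the attacker controls.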
Implementation of user verification guidelines
Unlike online banking fraud or card identity theft, it is extremely difficult for crypto firms to mitigate the consequences of a hacker attack. This is primarily because transactions with cryptocurrencies cannot be reversed and a refund can only be issued by the recipient. Once a hacker attack has taken place, the funds are usually lost forever. It is all the more important to prevent such hacks from the outset.
In addition, crypto networks are usually based on pseudonymity, which means that users are identified only by a character string made up of randomly selected letters and numbers, the so-called address. This makes it very difficult to identify the perpetrators behind a hack and hold them accountable. On top of that, the networks are decentralized and “trustless” (that is, not dependent on a trusted intermediary such as a bank), which is why transactions made with stolen cryptocurrency cannot be traced.
In contrast, traditional banks have been subject to stringent “Know Your Customer” regulations for many years to prevent money laundering. In 2019, the Financial Action Task Force (FATF) adopted stringent anti-money laundering and counter-terrorist financing requirements for Virtual Asset Service Providers (VASPs), which include crypto exchanges. Its latest draft revision of the 2019 requirements states: “Regardless of the nature of the relationship or transaction, countries should ensure that VASPs have effective procedures in place to identify a customer and verify it through risk analysis also when establishing a business relationship with this customer or if there is a suspicion of money laundering / terrorist financing, regardless of any exceptions for threshold values, or if you have doubts about the authenticity or appropriateness of previously received customer identification data.”
There is no question that crypto companies need to take security more seriously. If they don’t, the risks are enormous. On the one hand, every successful hacker attack undermines the already ailing consumer confidence. On the other hand, there is a very real possibility of incurring the wrath of regulators, whose strict regulations would put a damper on the growth of this emerging industry.
In terms of security, crypto companies can learn a lot from their older, more established peers in the classic financial world. Anyone who wants to establish themselves as a trustworthy provider of financial services must avoid repeating the mistakes banks and financial institutions have made in the past; building and maintaining credibility is essential for this. To achieve this, it is now up to the crypto companies to take advantage of the multitude of security resources available to them.