
Crypto Security: Analyzing $10M in Daily Thefts

June 2, 2021

The Rising Threat of Cryptocurrency Scams and Security Concerns

A growing number of individuals are becoming interested in cryptocurrencies. However, data from the Federal Trade Commission reveals a significant increase in related scams. Between October 2020 and March 2021, nearly 7,000 individuals experienced losses exceeding $80 million, representing a 1,000% surge compared to the previous year.

Common Cryptocurrency Scams

These fraudulent activities often involve deceptive currency exchanges and illegitimate websites marketed as cryptocurrency “investment” opportunities. Recent incidents include the theft of over $10 million in various cryptocurrencies shortly before Elon Musk’s appearance on “Saturday Night Live.”

Lack of Protection for Cryptocurrency Assets

A critical difference between traditional finance and cryptocurrency is the absence of protective measures. Unlike conventional banking, there is no equivalent of the Federal Deposit Insurance Corporation to safeguard your cryptocurrency holdings. If your assets are stolen, recovery is unlikely.

Securing access to these digital assets is paramount to preventing both theft – which reached over $10 million daily by the end of 2020 – and potential account lockouts.

The Shortcomings of Traditional Security Methods

Ensuring continuous account access hinges on the initial setup, typically relying on passwords or knowledge-based authentication (KBA). However, passwords are demonstrably inadequate for securing high-value accounts due to their susceptibility to compromise through phishing or direct theft.

Moreover, infrequently used cryptocurrency wallets can lead to forgotten passwords and difficult, or even impossible, recovery processes. KBA also presents vulnerabilities, including difficulty recalling answers and the ease with which “personal” information is accessible online.

Increasing Frequency of Account Takeovers

Cryptocurrency account takeovers are becoming increasingly common. This is exacerbated by the limited established trust between users and exchanges or wallet providers, and the rapid, often irreversible, nature of cryptocurrency transactions.

Attack Patterns Mirror Traditional Banking

These takeovers frequently follow a pattern observed in traditional banking. Attackers initially attempt to utilize stolen credentials obtained through harvesting and credential stuffing. If unsuccessful – for example, if a user has enabled two-factor authentication via SMS – they resort to techniques like SIM swapping or inexpensive SMS relay services to intercept verification codes.

Vulnerabilities in Advanced Security Measures

Even robust security measures, such as hardware tokens or dedicated authenticator applications, are not immune to replay attacks from determined hackers. The substantial financial stakes involved provide ample motivation for such attacks.

Challenges with Account Recovery

The rapid expansion of cryptocurrency exchange users, combined with the need for robust cybersecurity, has resulted in poor customer support experiences. Users often face lengthy delays – weeks or even months – to regain access to their accounts due to the difficulty in verifying ownership.

Strong cybersecurity is essential for protecting your cryptocurrency investments, but it must be coupled with efficient and reliable account recovery mechanisms.

Enhancing Security Through Modern Authentication

What solutions exist to address current vulnerabilities? Implementing standards-based user authentication, proven effective against phishing and account compromises, is key. This method is already integrated into billions of devices and accessible to most modern browser users.

The FIDO (Fast IDentity Online) authentication protocols, developed by leading experts in IT, payments, and consumer services, ensure cryptographic credentials are securely stored on the user’s device. This effectively eliminates sophisticated man-in-the-middle attacks.
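To show why an origin-bound, single-use challenge stops both a replayed login and a phishing-site relay, here is an added toy model of the FIDO/WebAuthn assertion flow; it is example code written for this page, not the FIDO Alliance's or any exchange's code, and it simplifies the authenticator's signing key to an HMAC key shared with a hypothetical relying party at `https://exchange.example`.

```python
import hashlib, hmac, json, secrets
# Constructed toy of the FIDO/WebAuthn login flow: an origin-bound, one-time challenge.
# Simplification: the per-site credential is an HMAC key shared with the relying party (RP),
# standing in for the authenticator's private key and the public key the RP stores.
RP_ORIGIN = "https://exchange.example"          # hypothetical exchange, not a real site

def signed_payload(rp_id, client_data):
    # Authenticator signs rpIdHash || SHA-256(clientDataJSON), as in WebAuthn assertions.
    return hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()

class Authenticator:
    def __init__(self):
        self._keys = {}                           # one credential per relying-party id
    def register(self, rp_id):
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]                  # toy stand-in for the exported public key
    def assert_login(self, rp_id, browser_origin, challenge):
        # The browser, not the user or the page, fills in the origin it is connected to.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": browser_origin}, sort_keys=True).encode()
        sig = hmac.new(self._keys[rp_id], signed_payload(rp_id, client_data), hashlib.sha256).digest()
        return client_data, sig

class RelyingParty:
    def __init__(self, origin):
        self.origin, self.rp_id = origin, origin.split("://", 1)[1]
        self.verifiers, self.pending = {}, set()  # user -> credential key; unused challenges
    def new_challenge(self):
        c = secrets.token_bytes(32)
        self.pending.add(c)
        return c
    def verify(self, user, client_data, sig):
        data = json.loads(client_data)
        challenge = bytes.fromhex(data["challenge"])
        if challenge not in self.pending:
            return "rejected: unknown or already-used challenge"    # defeats replay
        if data["origin"] != self.origin:
            return "rejected: origin mismatch"                       # defeats phishing relay
        expected = hmac.new(self.verifiers[user], signed_payload(self.rp_id, client_data),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "rejected: bad signature"
        self.pending.discard(challenge)                              # each challenge is single-use
        return "accepted"

def demo():
    key, rp = Authenticator(), RelyingParty(RP_ORIGIN)
    rp.verifiers["alice"] = key.register(rp.rp_id)
    assertion = key.assert_login(rp.rp_id, RP_ORIGIN, rp.new_challenge())
    legit, replay = rp.verify("alice", *assertion), rp.verify("alice", *assertion)
    # A proxy on a lookalike domain fetches a genuine challenge and has the victim sign it there.
    relayed = key.assert_login(rp.rp_id, "https://exchange-login.example", rp.new_challenge())
    return legit, replay, rp.verify("alice", *relayed)
```

Real browsers additionally refuse to use a credential whose rpId does not match the page's origin, so the relay case above fails on the client before the server-side origin check is even reached.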

Gemini, a cryptocurrency exchange, was an early adopter of FIDO, integrating it into both its smartphone application and browser access. A growing number of their users now safeguard their accounts using FIDO authentication, often through the purchase of FIDO Certified security keys.

Other exchanges have followed suit. Coinbase also supports FIDO keys, while Binance offers FIDO for its web platform, with smartphone app integration planned. STEX provides support for a variety of FIDO devices and methods. Furthermore, Ledger hardware wallets natively support FIDO functionality.

Key Recommendations for Improved Security

Wider adoption of FIDO and related best practices within the cryptocurrency industry would significantly enhance security. Several crucial steps should be considered:

  • Harmonizing Authentication Processes Across Exchanges. Robust user authentication should be a universal standard, not a competitive advantage. A collective shift towards industry best practices for account creation, login, and recovery would bolster customer protection and safeguard collective crypto assets.
  • Mandating Multiple Authenticators for Account Recovery. Requiring users to enroll multiple authenticators – such as two FIDO security keys or a combination of a FIDO key and biometric authentication – will streamline account recovery and provide users with stronger authentication choices.
  • Phasing Out Insecure Recovery Methods. Eliminating less secure backup and recovery options, like SMS-based verification or knowledge-based authentication, will improve overall security, particularly during account recovery processes.

Ultimately, the cryptocurrency market’s growth hinges on finding a balance between the privacy and anonymity inherent in crypto and the robust security of accounts and assets. Following the example set by exchanges like Gemini, and empowering users to secure their accounts, represents a significant stride towards protecting against phishing and account takeovers while preserving user privacy and convenience.

Andrew Shikiar serves as CMO and executive director of The FIDO Alliance, an organization dedicated to the advancement, implementation, and adherence to standards for authentication and device attestation.
