By Andrew Shikiar, executive director of the FIDO Alliance
Digital currencies exploded in value during the COVID-19 pandemic. Thanks to the prolific rise in popularity of bitcoin, ether, and dogecoin, the cryptocurrency market has surpassed $2 trillion. In fact, crypto activity in Asia has grown more than 700% year-on-year in the past 12 months. Even with the recent plunging prices and downturn, cryptocurrencies have tripled in 2021, adding $1.5 trillion in market value since the end of 2020.
The same crypto enthusiasm is evident in the Philippines, where the country’s Securities and Exchange Commission (SEC) has been looking to build a cryptocurrency exchange as more investors in the country jump on to the crypto-investment craze.
However, cryptocurrency exchanges and investors across the world are becoming serious targets for cyberthreat actors. In 2021 alone, we saw several high-profile cryptocurrency hacks making the headlines. These include a case of nearly $100 million stolen from Japanese cryptocurrency exchange Liquid and the theft of $600 million in cryptocurrency from PolyNetwork.
Furthermore, cryptocurrency investors have no one to turn to for help if their digital assets are stolen, unlike customers of traditional banks, who are typically insured if they fall prey to fraud or theft.
This is a crucial gap to bridge, and it will require a robust and secure environment on both the business and user ends. Besides cryptocurrency exchanges needing to protect their applications and digital assets, investors also need to play a role in minimizing user error.
Security issues and problematic passwords
Let us start with a typical security setup today. Many cryptocurrency investment accounts are set up using passwords or other knowledge-based authentication (KBA), such as personal security questions that only the individual would know the answer to — for example, “How many pets do you have?” However, these methods are often unfit for the purpose of protecting high-value accounts.
Passwords simply are not suitable for securing high-value accounts because they can be easily compromised. They can be stolen through phishing attacks (a form of social engineering where a victim is tricked into divulging their personal information, such as login credentials) or bought on the Dark Web, and simply forgetting a password can make regaining access to an account difficult.
Meanwhile, KBA suffers from several problems, such as a user’s inability to remember a key piece of information or the wide availability of personal information on the internet through social media or data leaks. It also is possible for cybercriminals to buy large amounts of personal data from the Dark Web for relatively little cost.
Even if an account is protected by traditional two-factor authentication (2FA), such as requiring a code sent via SMS, attackers can use SIM swapping and other techniques to get the code sent to their phone instead of the intended recipient. These methods, as well as dedicated authenticator apps, are also vulnerable to replay attacks — where the cybercriminal injects themselves into the authentication flow, unbeknownst to the account holder.
Using these approaches, cryptocurrency account takeovers are occurring more and more frequently. Once inside an account, criminals can quickly empty its contents, as almost all transactions are finalized within minutes and not easily reversible.
Unfortunately, there are few pre-established trust relationships between users and the exchange or wallet provider. Many users have experienced terrible customer support with these exchanges, often having to wait for weeks or even months to regain access to their accounts, simply because it is so difficult to prove that they are the rightful owner.
How modern authentication can protect digital assets
So how do we address these issues? The answer lies in moving away from knowledge-based authentication and legacy 2FA to possession-based multi-factor authentication.
In this scenario, all cryptographic login credentials are stored on a physical device, like a smartphone or security key, that the account holder — and only the account holder — is in possession of.
This approach is proven to be resistant to phishing and account takeovers, and the technology is already embedded into billions of devices worldwide and available to anyone using a modern internet browser.
Existing crypto exchanges are already aware of these benefits and several have already added support by adopting the FIDO (Fast IDentity Online) possession-based authentication protocols. These include Coinbase, Binance, and STEX. Gemini was an early adopter of FIDO for both its smartphone app and web browser, with a growing percentage of its users protecting their accounts with FIDO authentication by purchasing FIDO Certified security keys.
However, standardized authentication alone cannot solve security issues unless it is adopted widely throughout the industry. A consistent approach to security and standardized authentication flows across exchanges, as well as for digital and physical cryptocurrency wallets, is desperately needed to protect investors and their assets — and these best practices should be universally encouraged to all users, across exchanges. More can — and needs to — be done to take the onus of protection away from individuals and onto the institutions.
In conjunction with this push toward possession-based MFA, users should be required to have multiple authenticators to assist with account recovery for each cryptocurrency exchange — whether that is two security keys or a security key and a biometric authenticator. Having multiple account recovery keys for each exchange will reduce pressure on customer support and help users who lose a device. It would also offer users a choice of stronger authentication options.
Finally, exchanges should eliminate less secure backup and recovery options such as SMS codes or other knowledge-based factors. This will help improve overall security, especially for account recovery — which is often targeted with social engineering hacks for account takeovers.
For crypto investment to reach its full potential in the Philippines, exchanges must balance cryptocurrency’s anonymity and privacy with the security needed for accounts and assets. Enabling users to fully secure their accounts will help to protect customers from phishing attacks and account takeovers, without sacrificing convenience and privacy.