CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders

What US$10M in Losses Each Day Tells Us About Cryptocurrency Account Security

Andrew Shikiar·November 30, 2021

Interest in cryptocurrency has continued to grow this year despite the somewhat gloomy economy. For instance, Bitcoin prices hit an all-time high of more than US$63,000 earlier this year. From institutional investors to students looking to get their first taste of investing, cryptocurrency adoption has risen by close to 900 percent in the past year, with Asia leading the charge.

Of course, the appeal of cryptocurrencies has not gone unnoticed by cybercriminals. In fact, nearly US$3.78 billion was stolen in 122 blockchain-related attacks throughout 2020. That is equivalent to US$10 million a day on average. The US Federal Trade Commission also reported that an estimated 7,000 people had lost more than US$80 million in cryptocurrency-related scams between October 2020 and March 2021 — a whopping 1,000 percent increase from the year before. These scams ranged from fake currency exchanges to phoney giveaway websites offering free cryptocurrency.

The kicker is that in the world of cryptocurrency, there are no guarantees. While traditional banks will try their best to recover funds for their customers and are liable for any losses sustained as a result of security breaches on the bank’s part, there is no such avenue for recourse in the cryptocurrency world.

Security issues and problematic passwords

Many cryptocurrency investment accounts are initially set up using passwords or other forms of knowledge-based authentication (KBA) – both of which are inherently unfit for the purpose of protecting high-value accounts. Specifically, passwords can be easily compromised, either through phishing attacks (a form of social engineering where a victim is tricked into divulging their personal information, such as login credentials) or outright theft by purchasing one of the 15 billion credential pairs that are readily available on the dark web.

KBA also suffers from several other problems, such as a user’s inability to remember a key piece of information or the wide availability of personal information on the Internet through social media or data leaks. Cybercriminals can also buy personal data from the dark web for relatively little cost.

Even traditional two-factor authentication (2FA), such as when the process involves a one-time code sent via SMS to a user’s mobile phone, may be insufficient. Attackers can use techniques such as SIM swapping or a US$16 SMS relay service to get the code sent to their phones instead of the intended recipient’s. Even dedicated authenticator apps can be vulnerable to replay attacks — where cybercriminals inject themselves into the authentication flow, unbeknownst to the account holder.

Once inside an account, cybercriminals can quickly empty its contents, as almost all transactions are finalised within minutes and not easily reversible. Additionally, cryptocurrency exchanges themselves are also commonly targeted; over US$300 million was lost across 28 exchange breaches in 2020.

How modern authentication can protect digital assets

The answer to these issues lies in moving away from KBA to possession-based authentication. In possession-based authentication, all cryptographic login credentials are stored on a physical device, such as a smartphone or security key, that the account holder — and only the account holder — is in possession of.

This approach has proven to be resistant to phishing and account takeovers. Also, such technology is already embedded into billions of devices worldwide and available to anyone using a modern Internet browser.
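To make the phishing resistance described above concrete, here is an added example (not code from the article or from the FIDO Alliance) that models a simplified WebAuthn assertion in Go: the security key signs over the relying party ID, the origin the browser observed and a fresh challenge, so an assertion captured on a look-alike site, edited afterwards, or replayed later fails the exchange's checks, which a relayed SMS or app one-time code would not. Names such as exchange.example and the challenge strings are constructed, authenticatorData is reduced to its rpIdHash, and real browsers additionally refuse to use a credential whose relying party ID does not match the page's origin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// clientData mirrors WebAuthn's CollectedClientData. The browser, not the user,
// fills in origin, so a look-alike login page cannot claim to be the exchange.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models a security key; the private key never leaves the device.
type Authenticator struct{ key *ecdsa.PrivateKey }
func NewAuthenticator() *Authenticator {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return &Authenticator{key: k}
}
// Public is all the exchange stores at registration: no shared secret to steal or phish.
func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.key.PublicKey }
// signedMessage is the simplified WebAuthn signing input (constructed model), with
// authenticatorData reduced to its rpIdHash: SHA-256(rpIdHash || SHA-256(clientDataJSON)).
func signedMessage(rpID string, cd []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	h := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return h[:]
}
// Assert answers a login challenge; origin is what the browser observed.
func (a *Authenticator) Assert(rpID, origin, challenge string) (cd, sig []byte) {
	cd, _ = json.Marshal(clientData{"webauthn.get", challenge, origin})
	sig, _ = ecdsa.SignASN1(rand.Reader, a.key, signedMessage(rpID, cd))
	return cd, sig
}
// Verify is the exchange's check: its own challenge and origin, signed under the
// registered key. A relayed, edited or replayed assertion fails one of these tests.
func Verify(pub *ecdsa.PublicKey, rpID, wantOrigin, wantChallenge string, cd, sig []byte) bool {
	var c clientData
	if json.Unmarshal(cd, &c) != nil || c.Type != "webauthn.get" ||
		c.Challenge != wantChallenge || c.Origin != wantOrigin {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(rpID, cd), sig)
}
```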

Crypto exchanges globally are already benefiting from such authentication methods. Many, such as Coinbase, Binance, and STEX, have adopted FIDO (Fast IDentity Online) possession-based authentication protocols. Gemini was an early adopter of FIDO for both its smartphone app and web browser, with a growing percentage of its users protecting their accounts with FIDO authentication by purchasing FIDO Certified security keys.

However, standardised authentication alone cannot solve security issues unless it is adopted widely throughout the industry. A consistent approach to security and standardised authentication flows across exchanges, as well as for digital and physical cryptocurrency wallets, is desperately needed to protect investors and their assets – and these best practices should be encouraged for all users, across all exchanges. More can and needs to be done to shift the onus of protection away from individuals and onto the institutions.

In conjunction with this push towards possession-based authentication, users should also be required to have multiple authenticators to assist with account recovery for each cryptocurrency exchange – whether that is two security keys or a security key and a biometric authenticator. Having multiple account recovery keys for each exchange will reduce pressure on customer support and help users who lose a device. It would also offer users a choice of stronger authentication options.

Additionally, exchanges should eliminate using less secure backup and recovery options such as SMS messages or knowledge-based factors.

For the crypto industry to reach its full potential, exchanges must balance cryptocurrency’s anonymity and privacy with the security needed for accounts and assets. Following in the footsteps of exchanges like Gemini, exchanges need to empower users to fully secure their accounts against phishing attacks and account takeovers. With modern authentication standards, they can achieve this without sacrificing user convenience or privacy.

Andrew Shikiar
Executive Director at FIDO Alliance
Andrew Shikiar is the Executive Director & CMO at FIDO Alliance — a non-profit industry association focused on eliminating the world’s dependence on passwords by creating and driving adoption of open standards for simpler, stronger user authentication. He has deep experience in multi-stakeholder organizations, having previously led market development efforts for Tizen Association, LiMo Foundation and Liberty Alliance Project – and also helped structure and launch groups such as the Smart TV Alliance and Open Visual Communications Consortia.
© 2025 Rezonen Pte. Ltd.