As more and more people become interested in cryptocurrencies, there is a little-discussed issue that potential participants should know about. In the six months between October 2020 and March 2021, some 7,000 people involved in crypto reported losing more than $80 million. According to statistics published by the FTC, this represents roughly a 1,000 percent increase over the previous year.
The scams run the gamut from fake currency exchanges to phony investment websites. In the run-up to Elon Musk's appearance on SNL (Saturday Night Live), $10 million, perhaps more, in various cryptocurrencies was stolen.
If a bank fails, the FDIC (Federal Deposit Insurance Corporation) steps in and covers account losses. No equivalent body protects crypto accounts from theft. The crypto world offers no guarantees and no protection: if your crypto assets are stolen, you are simply out of luck.
It is the account owner's task to ensure secure access to his or her crypto assets. At the close of 2020, over $10 million a day was being stolen, or people were being locked out of their potential fortunes.
Ensuring People Can Access Their Accounts
Ensuring that real owners can access their accounts depends a great deal on how the account was initially set up. Unfortunately, unlike many other sites, a password alone is not suitable for securing these often high-value accounts. Conventional passwords are not difficult to compromise through phishing attacks or outright theft.
Furthermore, if a crypto wallet is not used often, its password may be forgotten and difficult to recover, assuming there is a way to perform the recovery at all. For those who do not access their account regularly, forgetting the password is as easy as forgetting where you last ate.
Unfortunately, crypto account takeovers are happening more and more. There is a trust relationship between the exchange and the account owner, and the great majority of transactions complete quickly, but that does not always help.
Most account takeovers use a pattern that has been used for many years in traditional banking. The attacker first harvests stolen credentials and tries them against the exchange (credential stuffing). If the account owner has protected the account with a second factor such as an SMS code, the attacker moves on to SIM swapping, or buys access to a relay service that forwards the SMS directly to the attacker's own phone. The result is a takeover of the account.
No control is absolute against a dedicated hacker. Both hardware tokens and dedicated authenticator apps have been targeted, although not with equal results: a one-time code from an authenticator app can be phished and relayed just like an SMS code, whereas a FIDO token binds its response to the site it was registered with and cannot be relayed in that way. And with the potential of fortunes at stake, there certainly is no lack of motivation.
As if being hacked were not bad enough, the ever-increasing number of crypto exchanges often results in less than perfect support. In many cases, users have had to wait weeks or months to regain access to accounts they own, because it is extremely difficult for them to prove they are the rightful owner.
Authentication May Be the Key
How best to fix this situation? Standards-based user authentication is already built into an untold number of devices and has proven to be resistant to phishing. The FIDO (Fast Identity Online) authentication protocols keep the private key credentials on the user's device; the exchange stores only a public key, and every sign-in response is bound to the exchange's own web origin, so the credentials are protected from even the most advanced phishing attacks.
The ideal solution may be broad acceptance by the crypto industry of the FIDO approach to authentication, together with several best practices, including:
- Stronger user authentication at every exchange.
- Requiring users to enroll more than a single authenticator to aid with account recovery, and
- Eliminating less secure backup and recovery options.
If the crypto market is ever to reach its full potential, exchanges will have to strike a balance between strong account security and the anonymity and privacy that make crypto unique. Following in the footsteps of the Gemini exchange, allowing users to lock down their accounts is a major step toward protecting users against account takeovers and phishing while, at the same time, maintaining account privacy and convenience.
ChesWorkShop commits to presenting fair and reliable information on subjects including cryptocurrency, finance, trading, and stocks. However, we do not have the capacity to offer financial guidance, advocating instead for users to conduct their own diligent research.