If you are one of the growing number of people interested in cryptocurrencies, you might be interested to know that nearly 7,000 people lost over $80 million between October 2020 and March 2021, a 1,000% increase compared to a year ago, according to the Federal Trade Commission.
The scams include bogus exchanges and bogus “investment” websites selling the currency. More recently, more than $10 million was stolen across various cryptocurrencies in the days leading up to Elon Musk’s appearance on “Saturday Night Live”.
And here’s the catch: you have no way to protect your accounts from being stolen. In the world of cryptocurrency, there are no guarantees. Unlike the traditional banking world, there is no equivalent of the Federal Deposit Insurance Corporation to cover a loss on your account. If your assets are stolen, you’re out of luck.
Providing secure access to these cryptocurrency assets is essential both to prevent theft, which at the end of 2020 amounted to just over $10 million per day, and to prevent users from being locked out of their own potential fortunes.
But how can you make sure that people can still access their accounts? It depends on how the accounts were initially set up, which usually means that a password or other knowledge-based authentication (KBA) is involved. Unfortunately, passwords are simply not suitable for securing high-value accounts, as they are easily compromised, whether through phishing attacks or outright theft.
Also, if you have a cryptocurrency wallet you rarely use, you might forget your original password and have trouble recovering it, if there is even a recovery mechanism at all. KBA is also plagued by problems ranging from faulty memory (what was my favorite hobby again?) to the wide availability of “personal” information on the web (for a few dollars you can surely find my mother’s maiden name).
Cryptocurrency account takeovers are happening with increasing frequency. It doesn’t help that there are few pre-established trust relationships between users and the exchange or wallet provider, and that almost all transactions are finalized within minutes and are not easily reversible.
Unfortunately, these takeovers follow a pattern very similar to one that has been observed for years in the traditional banking world: an attacker will first try to harvest credentials and then stuff them into login forms. If that doesn’t work, say because a user protected their account by requiring SMS as a second factor, they will switch to popular techniques for defeating SMS, such as SIM swapping or a $16 SMS relay service that forwards the SMS code to the attacker’s smartphone, resulting in a “successful” account takeover.
Even highly secure tokens or dedicated authenticator apps are vulnerable to replay attacks from a motivated hacker – and with personal fortunes at stake, there’s no shortage of motivation.
Furthermore, the strong growth in the number of cryptocurrency exchange users, coupled with this need for strong cybersecurity, has resulted in terrible support experiences in which users wait weeks or even months to regain access to their own accounts, simply because it is so difficult to prove they are the rightful owner.
Authentication best practices can help
So how do you deal with this situation? With proven, standards-based user authentication that resists phishing and account takeovers, is already built into billions of devices around the world, and is available to roughly any user on a modern browser. The FIDO (Fast IDentity Online) authentication protocols were developed by a who’s who of IT, payments and consumer services companies and ensure that all cryptographic credentials are stored on the user’s device, thereby defeating even the most sophisticated machine-in-the-middle attacks.
The Gemini crypto exchange was an early adopter of FIDO for its smartphone app and for browser users, and a growing percentage of its users protect their accounts with FIDO authentication by purchasing FIDO-certified security keys. A number of other exchanges have added FIDO authentication, such as Coinbase, which also supports FIDO keys. Binance offers FIDO for its web version, but not yet in its smartphone apps. STEX also supports various FIDO devices and methods. Finally, Ledger hardware wallets support FIDO directly on the device.
Ideally, the cryptocurrency industry would broadly adopt FIDO’s approach to modern authentication along with several related best practices, such as:
- Standardize authentication flows and practices across crypto exchanges. Better user authentication should be standard practice for all exchanges, not a competitive differentiator. If all major exchanges adopted industry best practices for account creation, login and recovery, it would help protect customers and their collective crypto assets.
- Require users to enroll multiple authenticators for each cryptocurrency exchange to assist with account recovery, whether that is two FIDO security keys or one FIDO security key and a biometric authenticator. Having multiple account recovery keys for each exchange will help reduce support costs and help users who lose a device. It will also offer users a choice of stronger authentication options.
- Eliminating less secure backup and recovery options, such as SMS or other knowledge-based authentication factors, will also improve overall security, especially for account recovery.
The bottom line is that for the cryptocurrency market to reach its full potential, its exchanges must collectively strike a balance between the anonymity and privacy that make crypto unique and the security of accounts and assets. Following the lead of exchanges like Gemini and allowing users to lock down their accounts is a big step towards protecting users from phishing and account takeovers while maintaining privacy and convenience.
Andrew Shikiar is CMO and Executive Director of the FIDO Alliance, which promotes the development, use and compliance with standards for device authentication and attestation.