Why financial institutions need to start taking crypto fraud seriously – and how they can fix it
There’s little denying we’ve entered the age of crypto. Last year, practically every crypto wallet saw its user figures increase, with Blockchain.com wallets – the site that makes it possible to buy bitcoin – boasting more than 81 million wallet users as of February 2022. And considering the array of multi-million-dollar adverts for crypto apps and currencies shown at this year’s Super Bowl, it’s fair to say that cryptocurrency has well and truly entered the mainstream.
by Amir Nooriala, Chief Commercial Officer, Callsign
And with more people interested in digital assets, many financial institutions are rushing to create their own decentralized platforms (DeFi) to cash in on the hype.
However, this growing popularity is also fueling another boom – a boom in fraud. In 2021 alone, crypto scammers stole a record $14 billion, a staggering rise of almost 80% over 2020. And while scamming was the most popular form of crypto-related crime, theft via hacking was a close second – and not just from individuals.
For instance, there were more than 20 occasions last year when a single criminal entity hacked into a crypto exchange or project, making off with a total of at least $10 million. And there were at least six occasions last year when hackers managed to steal more than $100 million from an exchange.
The lucrative nature of digital assets has made them one of the most desirable targets for modern criminals. Yet, despite the enormous sums of money at stake, without fundamental changes to how these crypto exchanges operate – and more specifically, authenticate users – this situation is only going to get worse.
Understanding the crypto ‘Wild West’
The nature of cryptocurrency has always been antithetical to how most financial services institutions work. Blockchain technology is a dynamic, decentralized innovation, so developing the controls and frameworks to better manage it has always been a daunting task for financial services businesses, governments, and regulators (which is why many banks are still resistant to it).
And despite the public’s growing interest in crypto, many still struggle to understand the basics of how a blockchain works – they simply know it may make them rich. That confluence of poor understanding and high desirability is also why crimes – such as the One Coin cryptocurrency scam – can happen.
Detailed in the book (and podcast) The Missing Cryptoqueen, millions of people paid billions of dollars for a cryptocurrency called One Coin – even though it was never really a cryptocurrency, or even on a blockchain.
The leader of the company/scam, Dr Ruja Ignatova, used the confidence and excitement in cryptocurrency – along with the general lack of true understanding as to how the technology works – to prey on people all around the world looking for their own crypto success story.
However, when it comes to crypto crime, there are much simpler ways of pilfering incredible wealth without the hassle of leading a fake financial revolution. That’s because there are mechanisms enabling most of these crimes to happen, and the fault very much lies with most exchanges themselves – not individuals.
Fighting modern threats with archaic weapons
Despite the futuristic nature of crypto, criminals haven’t had to reinvent the wheel to gain access to wallets and exchanges. Many of the attack methods they leverage are ones traditional financial institutions have long been aware of, such as Remote Access Trojans (RATs) and Account Takeover (ATO) fraud.
However, the problem is that crypto exchanges haven’t learnt from these techniques, which fraudsters have been deploying for many years. Instead, they are deploying controls banks stopped using 10 years ago. While these controls would be fine for protecting social media accounts, they are no longer enough to protect cryptocurrencies, which are now incredibly valuable.
In addition, crypto exchanges aren’t bound by the same stringent rules and regulations other financial institutions – such as banks – are. For instance, in comparison to the billions mentioned above that have been scammed from exchanges in recent months, the £1.3 billion lost by banking customers to fraudsters in 2020 is but a drop in the bucket. And that’s despite the uptick in fraud due to Covid-19.
One way crypto exchanges are particularly letting their users down is in how they conduct authentication. When these businesses want to authenticate a user’s identity, the tendency is still to use usernames and passwords, reinforced by “possession factors” – such as an OTP (one-time password) sent via SMS to the user’s phone.
On the surface, OTPs seem like a reasonably secure method of authentication, but SIM cards were never designed for security, which is why many banks have moved away from authenticating customers with them. So credential stuffing, SIM swapping and SS7 attacks give fraudsters very convenient workarounds for usernames, passwords and OTPs – and for every subsequent layer of security these platforms have.
But even though these are old vulnerabilities being exploited, that doesn’t mean cybercriminals are resting on their laurels – scams are getting larger and more devastating every year.
RATs, for instance – whereby scammers use malware to remotely control infected computers and send/receive data from the system – are increasingly being substituted with their mobile equivalent, mobile RATs (mRATs), to gain access to devices.
Used in tandem with other forms of attack, such as credential stuffing, this has proven incredibly effective for criminals. An ATO attack, for instance, is when fraudsters use stolen credentials to try to gain access to genuine accounts, often leveraging automated tools to “credential stuff” at an astounding rate. One fraud prevention platform estimated that incidents of ATO grew a staggering 307% over just the last two years.
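As an added example (not from the article or from Callsign), the following Python sketches the kind of server-side check an exchange could run over its login logs to surface the automated credential stuffing described above: one source hitting many distinct usernames with a high failure rate inside a short window. The log format, the sample lines and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp, source IP, username, outcome.
# 203.0.113.7 sprays six different usernames in five seconds; 198.51.100.4 is one user
# who mistypes a password once and then logs in normally.
SAMPLE_LOG = """\
2022-03-01T10:00:01Z 203.0.113.7 alice FAIL
2022-03-01T10:00:02Z 203.0.113.7 bob FAIL
2022-03-01T10:00:02Z 203.0.113.7 carol FAIL
2022-03-01T10:00:03Z 203.0.113.7 dave OK
2022-03-01T10:00:04Z 203.0.113.7 erin FAIL
2022-03-01T10:00:05Z 203.0.113.7 frank FAIL
2022-03-01T10:00:30Z 198.51.100.4 alice FAIL
2022-03-01T10:00:45Z 198.51.100.4 alice OK
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, username, success)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"


def detect_stuffing(log_text, window=timedelta(seconds=60), min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, fail_ratio)} for sources whose attempts look automated.

    A human retrying their own password produces one username and few failures;
    a credential-stuffing tool produces many usernames and mostly failures.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # sliding window needs each source's attempts in time order
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fail_ratio = sum(1 for _, _, ok in win if not ok) / len(win)
            # keep the widest window that crossed both thresholds for this source
            if len(users) >= min_users and fail_ratio >= min_fail_ratio \
                    and len(users) > flagged.get(ip, (0, 0))[0]:
                flagged[ip] = (len(users), round(fail_ratio, 2))
    return flagged
```

The flagged dictionary is what a rate limiter or step-up authentication rule would consume; the single successful login from the spraying source is exactly the ATO the article warns about.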
Simply put, it’s time for this new wave of financial institutions to stop the fraudulent activity taking place in the crypto sector under their watch. And the only way to achieve that is to uproot the broken foundation of authentication that’s currently letting users down and replace it with a modern solution better fitted to our digital world.
The age of biometrics
Despite the many makeovers usernames and passwords may have undergone, they’re still analogue solutions that are merely being used in a digitized context. As such, the entire notion of digital identity is built on a fundamentally broken system not built for a truly digital world.
Biometrics, on the other hand, present a truly digital solution capable of keeping up with our dynamic world. Unlike a username or password, which can be intercepted or compromised, behavioural biometrics, such as Callsign’s platform, can be fine-tuned to individuals. They can consider everything from how a device is being held to the speed and style of keystrokes, and numerous other idiosyncrasies that are impossible to mimic.
Behavioural biometrics give businesses a method of authentication that requires no additional hardware on the part of the user (it is device agnostic) and doesn’t impact the user experience in any way, all while learning and adapting over time as that user’s relationship with the business evolves.
So, as crypto fraud shows no sign of slowing down, it’s now incumbent on these exchanges to interrogate the ways they authenticate users and ask themselves if their security policies are in fact putting their customers at risk. Because the sooner they can start fixing digital identities in a meaningful way, the better.
December 08, 2023