Big concerns exist around account takeover (ATO) at digital cryptocurrency exchanges—and no wonder. By its very nature, it is nearly impossible to trace who owns cryptocurrency funds. Digital currency wallets are also a very popular target for cyber thieves because of the irreversibility of digital currency transactions, making wallet security a top concern.
This is a big problem for digital currency wallets. Once an account is taken over and funds are moved out, returning them to the user is extremely difficult. In fact, only as much as 20 percent of stolen cryptocurrency is recovered, and law enforcement is at a huge handicap in finding the cybercriminals responsible. Individual losses can be very large and, once transferred out of the account, lost forever. Since the beginning of 2017, cybercriminals have stolen a total of $1.2 billion in cryptocurrency.
Vulnerability of the password layer
Feeding the ATO problem in the crypto space and elsewhere are the hundreds of millions of stolen passwords, identities, and other personally identifiable information (PII) for sale at low cost on the black market. This makes it easy for criminal rings to compromise wallet accounts that use password-based log-ins. Cryptocurrency itself may be very secure, but the password-protected wallets and accounts that hold it are not.
Lastly, the problem facing the product owner, CISO, or CEO is ensuring an easy, positive customer experience so that the digital wallet is a success. You can’t secure it in a way that makes it difficult to use. The user experience must be frictionless, fast, familiar, and even fun! Using e-wallets must be frictionless and fast because the digital currency market and trading are highly dynamic, with values changing rapidly. Meanwhile, user trust and loyalty must be maintained, which you can forget about if word gets out that accounts are being compromised.
There is no silver bullet, no matter what you’ve heard in the cybersecurity market, but there is a better way out there to make digital currency wallets safe, secure and even a pleasurable experience to use. By adding layers that are interoperable with each other and engaged only when risk tolerances are exceeded, you can create a comprehensive and dynamic solution to ATO.
Accurate and real-time device intel
You have to know the risk of allowing a user to continue every single time they interact with the wallet. Is this a trusted device? Or is it an actor with malicious intent? If you’ve never seen the device before, who has? Critical intelligence like this must be available in real time to avoid disturbing trustworthy users.
You need a solution in place that allows you to custom configure what kind of riskiness you care about, and to apply it when it matters most in the user journey. This way you can dial down fraud evidence that is not specific to your risk tolerances and dial up the scoring on the types of fraud that you are focused on. It must also be agile and granular enough to do this at different actions by the user in the session. For example, you may want to have all your rules dialed down if the user is just checking the value of their currency, but if they’re making a funds transfer or changing personal information on their account, you may want the scoring dialed up. This kind of flexibility will help you build a first line of defense in layering protection for the wallet.
Privacy regulations like GDPR are expected to expand globally, placing fraud tools that rely on PII for their functionality at a disadvantage. This makes using PII in one of your layers of defense risky. If you’re worried about staying compliant with GDPR and other upcoming regulations, get rid of PII-based solutions and find other ways to mitigate risk.
Also, beware of solutions out there that compromise the security of their device databases with PII. Most fraud prevention solutions tag devices with a unique identifier, which stays with the device data as long as it’s in the database. This is okay, but some vendors append PII provided by third parties to a particular device identity. This PII will stay with that device identity in the database even when it is inaccurate. PII can be spoofed, stolen, or fabricated by cybercriminals very easily, which would then make the device identity false as well.
Finally, your device intelligence tool must be interoperable with your next layer of defense to create risk-based authentication: when your risk tolerances are exceeded, engage the next layer.
Layering protection with risk-based authentication
There are plenty of solutions out there for adding layers on top of access credentials (i.e. passwords) to an account, as well as fraud prevention layers. This usually involves adding an extra step of verifying the user is who they say they are by use of two-factor authentication (2FA) or multi-factor authentication (MFA). It’s important to do this. However, many of these solutions were developed to help enterprise users, and cannot scale to consumer-facing digital channels like hot wallets.
These kinds of systems were designed for organization employees who are used to authenticating every time they log in to their company apps, especially when remote, and are purposely made cumbersome. There’s also a heavy financial cost to these systems, which require whole teams to be hired just to manage them.
For cryptocurrency users, a solution that offers speed of access and accounts for the randomness of user activity is absolutely needed. Adopting a traditional enterprise solution to manage hundreds of thousands, perhaps millions, of user identities and passwords would be costly and cumbersome.
Another problem with traditional MFA systems is that they use SMS codes, one-time PINs (OTP), emails and the like to authenticate identity. These methods, once thought secure, are now vulnerable to interception, especially in the cryptocurrency space. These interception attacks, known as “man-in-the-middle” attacks, can compromise these MFA solutions by intercepting the SMS or email sent to you. All they need is your stolen username and password, and they’re in!
Instead, for crypto wallets you need to find something out-of-band to authenticate your identity.
Unlike traditional MFA, you need contextual, risk-appropriate authentication that takes into account the action the user is performing at that time. If there’s very little reason to challenge a user (i.e. a low-risk activity), don’t make users authenticate with multiple factors. Once past the login point, if you’re going to add an authentication layer, why bug them to do it every time? If they’re just checking their account balance, do you really need to send them yet another 2FA request?
If the account is compromised at login with stolen credentials and the attacker makes it through the gauntlet of 2FA, what happens deep into the user session? What you need is something that can adjust to the riskiness and the context of what the user is doing even after login. If the user is just checking in on the value of their Bitcoin, then it’s no big deal. Not risky. But if they’re about to transfer $100,000, you may want to prompt them at that point for the extra layer of authentication.
You may even want a solution that can do multi-party authorization, where an authorized employee of the currency exchange and the user are both prompted to authenticate their identity to authorize a transaction. It is highly unlikely that cybercriminals would have access to two or more mobile devices that would be prompted to authenticate and authorize a transfer of funds.
One should also consider that for higher-risk actions by the user, you can use an authentication tool that is itself layered. For example, you can require a customer to provide a thumbprint and a PIN to authorize their transaction via their smartphone. The point is to be flexible and agile enough with your MFA solution to accommodate the context of the action and the true risk level without hindering user experience.
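To make the action-aware scoring described above (dialing rules down for a balance check, up for a transfer or profile change, and escalating to multi-party authorization for large transfers) concrete, here is an added example of a small policy engine. It is hypothetical code written for this article, not any vendor's product; the action weights, device-signal scores and thresholds are constructed values that a wallet operator would tune to its own risk tolerance.

```python
from dataclasses import dataclass, field

# Hypothetical risk-based step-up engine (added illustration, not a real product).
# All weights, signal scores and thresholds are constructed values.

ACTION_WEIGHT = {            # "dial down" low-risk actions, "dial up" sensitive ones
    "view_balance": 0.2,
    "change_profile": 1.0,
    "transfer": 1.5,
}
DEVICE_SIGNALS = {           # device-intel evidence only; no PII is stored or used
    "unknown_device": 40,
    "new_geo": 20,
    "anonymizing_proxy": 50,
}
STEP_UP_SCORE = 30           # above this, challenge with an extra factor
MULTI_PARTY_AMOUNT = 100_000 # transfers at or above this need two parties


@dataclass
class Context:
    action: str
    amount: float = 0.0
    device_signals: list = field(default_factory=list)
    trusted_device: bool = False


def risk_score(ctx: Context) -> float:
    """Weight the raw device evidence by how sensitive the requested action is."""
    raw = sum(DEVICE_SIGNALS.get(s, 0) for s in ctx.device_signals)
    if ctx.trusted_device:
        raw *= 0.5               # a device seen before counts for less risk
    return raw * ACTION_WEIGHT.get(ctx.action, 1.0)


def decide(ctx: Context) -> tuple:
    """Return (decision, score). Evaluated per action, not only at login."""
    score = risk_score(ctx)
    if ctx.action == "transfer" and ctx.amount >= MULTI_PARTY_AMOUNT:
        return ("multi_party", score)   # user and an exchange employee both approve
    if score > STEP_UP_SCORE:
        return ("step_up", score)       # thumbprint, PIN, proximity factor, etc.
    return ("allow", score)


if __name__ == "__main__":
    for ctx in (Context("view_balance", device_signals=["unknown_device", "new_geo"]),
                Context("transfer", 5_000, ["unknown_device"]),
                Context("transfer", 250_000, [], trusted_device=True)):
        print(ctx.action, ctx.amount, decide(ctx))
```

The same device evidence yields "allow" for a balance check but "step_up" for a transfer, and a large transfer is routed to multi-party authorization regardless of device score.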
Make using your wallet fun!
And for goodness’ sake, make it fun and exciting! Accessing a cryptocurrency wallet with a 6-digit code, and waiting for an email or a text message to get that code, is neither frictionless nor a fun and positive experience. This approach may work for employee users who are required to comply with security guidelines for their continued employment, but it won’t keep customers coming back to your wallet, repeatedly, each day.
Digital currency is trendy and innovative. You want to wow your users with something that reflects this trend. So, if you must prompt a user to authenticate, give them choices they prefer. Offer authentication options like thumbprints, facial recognition, Bluetooth proximity to a smartwatch or laptop or even geofencing themselves to their neighborhood. This way your crypto wallet users can authenticate from the comfort of their own device in a way that keeps pace with the dynamic world of cryptocurrency markets.