What $10M in daily thefts tells us about crypto security – TechCrunch

by Joseph K. Clark

The scams include fake currency exchanges and phony “investment” websites selling the currency. More recently, more than $10 million was stolen in various cryptocurrencies in the days leading up to Elon Musk’s appearance on “Saturday Night Live.”

And here’s the rub: You cannot protect your accounts from theft. In the world of cryptocurrency, there are no guarantees. Unlike the traditional banking world, there is no equivalent to the Federal Deposit Insurance Corporation to cover any losses on your account. If your assets are stolen, you’re out of luck.

According to the Federal Trade Commission, nearly 7,000 people have lost more than $80 million between October 2020 and March 2021 — a 1,000% increase from a year ago.

Enabling secure access to these cryptocurrency assets is critical to preventing theft — which, as of the end of 2020, amounted to just over $10 million a day — and to preventing users from being locked out of their own funds.

But how can you ensure that people can always access their accounts? That depends on how the funds are set up initially — which usually means that passwords or other knowledge-based authentication (KBA) are involved. Unfortunately, passwords aren’t suitable for securing high-value accounts because they can be easily compromised through phishing attacks or outright theft.

Plus, you might forget the initial password of a less-used cryptocurrency wallet and then have trouble recovering it — if there is even a mechanism to perform the recovery. KBA is also plagued with problems ranging from lack of recollection (what is my favorite hobby again?) to the wide availability of “personal” information on the web (for a few dollars, you can indeed find my mother’s maiden name).

Cryptocurrency account takeovers happen with increasing frequency; it doesn’t help that there are few pre-established trust relationships between users and the exchange or wallet provider. Almost all transactions are finalized within minutes and are not easily reversible.

Sadly, these takeovers follow a pattern observed for years in the traditional banking world: An attacker will first try harvesting and then stuffing stolen credentials. If that doesn’t work — say a user has protected their account by requiring an SMS second factor — they will move on to popular techniques for defeating SMS codes, such as SIM swapping or a $16 SMS relay service that sends the SMS code to the attacker’s smartphone, which leads to a “successful” account takeover.

Even highly secure tokens or dedicated authenticator apps are vulnerable to replay attacks from a motivated hacker — and with personal fortunes at stake, there is no lack of motivation.

Furthermore, the vast growth in the number of cryptocurrency exchange users coupled with this need for strong cybersecurity has resulted in terrible support experiences where users have to wait for weeks or even months to regain access to their accounts — simply because it is so difficult for them to prove they are the rightful owner.

Authentication best practices can help.

So how do we fix this situation? With standards-based user authentication that has been proven to be resistant to phishing and account takeovers — and that is already embedded into billions of devices worldwide and available to just about any user on a modern browser. The FIDO (Fast IDentity Online) authentication protocols were developed by a who’s who of IT, payments, and consumer services. They ensure that all cryptographic credentials are stored on a user’s device, eliminating even the most advanced machine-in-the-middle attacks.

The crypto exchange Gemini was an early FIDO adopter for its smartphone app and browser users. A growing percentage of its users protected their accounts with FIDO authentication by purchasing FIDO Certified security keys. Several other exchanges have added FIDO authentication, such as Coinbase, which supports FIDO keys. Binance has FIDO for its web versions but not on its smartphone apps. And STEX also has support for various FIDO devices and methods. Finally, Ledger hardware wallets support FIDO directly in their devices.

Ideally, it would be better and more effective if there was broad cryptocurrency industry acceptance of FIDO’s approach to modern authentication and adoption of several related best practices, such as:

  • Standardize authentication flows and practices across crypto exchanges. Better user authentication should be standard practice for every business, not a competitive differentiator. If all top deals moved to industry best practices for account creation, login, and recovery, it would help protect customers — and their collective crypto assets.
  • Require users to enroll multiple authenticators to help with account recovery for each cryptocurrency exchange, whether two FIDO security keys, or a FIDO security key and a biometric authenticator. Having multiple account recovery keys for each cryptocurrency exchange will help lessen support burdens and allow users who lose a device to regain access. It will also offer users a choice of more robust authentication options.
  • Eliminate less secure backup and recovery options, such as SMS or other knowledge-based authentication factors. This will also help improve overall security, particularly for account recovery.

For the cryptocurrency market to reach its full potential, its exchanges must collectively balance the anonymity and privacy that make crypto unique with the security of accounts and assets. Following the lead of crypto exchanges like Gemini and letting users lock down their accounts is a significant step toward protecting users against phishing and account takeovers while maintaining privacy and convenience.

Andrew Shikiar is CMO and executive director of the FIDO Alliance, which promotes the development of, use of, and compliance with authentication and device attestation standards.
