What $10M in daily thefts tells us about crypto security

If you’re among the growing number of people interested in cryptocurrencies, you may be interested to know that nearly 7,000 people lost more than $80 million between October 2020 and March 2021 — a 1,000% increase from a year ago, according to the Federal Trade Commission.

The scams include fake currency exchanges and phony “investment” websites selling the currency. More recently, more than $10 million was stolen in various cryptocurrencies in the days leading up to Elon Musk’s appearance on “Saturday Night Live.”

And here’s the rub: once funds leave your account, there is no getting them back. In the world of cryptocurrency, there are no guarantees. Unlike the traditional banking world, there is no equivalent of the Federal Deposit Insurance Corporation to cover losses on your account, and a confirmed transfer cannot be reversed. If your assets are stolen, you’re out of luck.


Secure access to these cryptocurrency assets is therefore critical, both to prevent theft (which, as of the end of 2020, ran at just over $10 million a day) and to keep owners from being locked out of their own potential fortune.

But how can you ensure that people can always access their accounts? That depends on how the accounts are set up initially, which usually means that passwords or other knowledge-based authentication (KBA) are involved. Unfortunately, passwords simply aren’t suitable for securing high-value accounts: they can be phished, reused from other breached sites or stolen outright, and nothing about a password ties it to the site that is supposed to receive it.

Plus, if you have a less-used cryptocurrency wallet, you might forget your initial password and might have trouble recovering it — if there is even a mechanism to perform the recovery. KBA is also plagued with problems ranging from lack of recollection (what is my favorite hobby again?) to the wide availability of “personal” information on the web (for a few dollars, you can surely find my mother’s maiden name).

Cryptocurrency account takeovers happen with increasing frequency; it doesn’t help that there are few pre-established trust relationships between users and the exchange or wallet provider and that almost all transactions are finalized within minutes and not easily reversible.

Sadly, these takeovers follow the same pattern observed for years in the traditional banking world: an attacker first harvests stolen credentials and then stuffs them into the exchange’s login page. If that doesn’t work, say because the user has protected the account with an SMS second factor, they move on to well-known techniques for defeating SMS, such as SIM swapping or a $16 SMS redirection service that reroutes the code to the attacker’s phone, and the takeover “succeeds.”

Even one-time-password tokens and dedicated authenticator apps are vulnerable to real-time phishing by a motivated attacker: the victim types the code into a lookalike site, and the attacker relays it to the real site within its validity window. With personal fortunes at stake, there is no lack of motivation.

Furthermore, the vast growth in the number of cryptocurrency exchange users coupled with this need for strong cybersecurity has resulted in terrible support experiences where users have to wait for weeks or even months to regain access to their own accounts — simply because it is so difficult for them to prove they are the rightful owner.

Authentication best practices can help

So how do we fix this situation? With standards-based user authentication that has been proven to be resistant to phishing and account takeovers, that is already built into billions of devices worldwide, and that is available to just about any user on a modern browser. The FIDO (Fast IDentity Online) authentication protocols were developed by a who’s who of IT, payments and consumer services. The user’s private key never leaves the device, so there is no shared secret for an attacker to harvest or stuff, and every signature is bound by the browser to the origin and challenge of the site that requested it, so a credential presented to a lookalike site is worthless to the real one. That is what defeats even the most advanced machine-in-the-middle attacks.

The crypto exchange Gemini was an early adopter of FIDO for both its smartphone app and for browser users, with a growing percentage of its users protecting their accounts with FIDO authentication by purchasing FIDO Certified security keys. There have been a number of other exchanges that have added FIDO authentication, such as Coinbase, which also supports FIDO keys. Binance has FIDO for its web versions, but not on its smartphone apps yet. And STEX also has support for various FIDO devices and methods. Finally, Ledger hardware wallets support FIDO directly in their devices.

Ideally, the cryptocurrency industry as a whole would adopt FIDO’s approach to modern authentication along with several related best practices, such as:

Standardize authentication flows and practices across crypto exchanges. Better user authentication should be a standard practice for every exchange, not a competitive differentiator. If all leading exchanges moved to industry best practices for account creation, login and recovery, it would help protect customers — and their collective crypto assets.

Require users to enroll multiple authenticators to help with account recovery for each cryptocurrency exchange, whether that is two FIDO security keys or a FIDO security key and a biometric authenticator. Having multiple account recovery keys for each cryptocurrency exchange will help lessen support burdens and help users who lose a device. It will also offer users a choice of stronger authentication options.

Eliminating less secure backup and recovery options, such as using SMS or other knowledge-based authentication factors, will also help improve overall security, particularly for account recovery.

The bottom line is that for the cryptocurrency market to reach its full potential, its exchanges need to collectively balance the anonymity and privacy that make crypto unique against the security of accounts and assets. Following the lead of crypto exchanges like Gemini and letting users lock down their accounts is a great step toward protecting users against phishing and account takeovers while maintaining privacy and convenience.

Andrew Shikiar is CMO and executive director of The FIDO Alliance, which promotes the development of, use of, and compliance with standards for authentication and device attestation.