Crypto has had a whirlwind of a year. Bitcoin bounced between dizzying peaks and rock bottom troughs, financial institutions bought and sold crypto assets in droves, mainstream consumer payment providers started offering digital assets to customers, and scores of crypto exchanges and custodians were hit by expensive cyberattacks.
Crypto’s greatest challenge is simply a lack of regulation. Despite huge efforts from regulators and international monetary organisations to build frameworks for the secure and safe exchange and storage of crypto assets, the industry moves at a pace that makes it nearly impossible for policymakers to get ahead of consumer interest. Nonetheless, even without such protections, crypto has continued to edge its way into the financial mainstream.
Banks and other financial institutions have been subject to exacting security standards for decades – and have shored up their resources to adapt quickly to the evolving threat landscape. With growing interest in crypto and its relative novelty comes risk. Every new way to trade, store or monetise digital assets opens another channel for attackers to exploit. It’s like when Microsoft releases the latest version of Windows – a stream of security updates inevitably follows as developers patch newly discovered vulnerabilities. The difference is that most crypto firms have nowhere near the research and development resources of a major bank or tech giant.
That doesn’t mean that crypto is condemned to a future of cyberattacks.
Take the recent Coinbase hack, for instance. At the time of writing, we still don’t know the final figure for what’s been lost, but Coinbase has a market capitalisation of around $65bn and a presence in over 100 countries. Though a disaster for the 68 million users who may be at risk of losing their assets, the cause of the breach was, by traditional finance standards, extremely simple. Experts say the attack was a “SIM swap” – attackers took control of victims’ mobile phone numbers and used them to pass authentication as the legitimate account holder. This method has been the cause of a string of attacks.
Cryptocurrency exchanges need to take a serious look at how they are authenticating users. SIM swap fraud was widely used to gain access to traditional bank accounts for many years, and as a result financial institutions have moved away from SMS as a form of authentication. Crypto firms will need to follow suit. Using SMS for multi-factor authentication puts the onus of protecting customer accounts on mobile network operators, whose systems are not designed to withstand such attacks. It’s like keeping expensive jewellery in a self-storage centre instead of a safe deposit box.
Most major banks now use mobile push notifications as an alternative. You probably already use this – it’s when you verify your identity via a secure mobile phone app instead of a text message. These apps can use the latest ID verification technologies (such as AI and biometrics) to ensure that it’s really you trying to access your account. Crypto firms should look to this technology to stem the flow of the authentication-based hacks we’ve seen recently.
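As an added illustration (not code from the article or from any exchange), the following simulation contrasts what the two factors actually prove: the SMS code is delivered to whoever holds the phone number in a constructed operator table, while the push approval requires a key enrolled on the device (an HMAC over a server nonce stands in for the app’s signature).

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for the operator: a phone number maps to whichever SIM holds it now.
NUMBER_TO_SIM = {"+15550100": "sim-alice"}

def app_respond(device_key, nonce):
    # What the authenticator app does on approval; HMAC stands in for a device signature.
    return hmac.new(device_key, nonce, hashlib.sha256).digest()

class AuthServer:
    def __init__(self):
        self.phone, self.device_key = {}, {}
        self.pending_sms, self.pending_push = {}, {}
    def enroll_sms(self, user, number):
        self.phone[user] = number
    def enroll_app(self, user):
        self.device_key[user] = secrets.token_bytes(32)   # generated on the device
        return self.device_key[user]
    def start_sms(self, user):
        # Delivery follows the number, not the person who enrolled it.
        self.pending_sms[user] = f"{secrets.randbelow(10**6):06d}"
        return NUMBER_TO_SIM[self.phone[user]], self.pending_sms[user]
    def verify_sms(self, user, code):
        # Proves only that the caller saw the code; the server cannot tell who held the SIM.
        return hmac.compare_digest(self.pending_sms.pop(user, ""), code)
    def start_push(self, user):
        self.pending_push[user] = os.urandom(16)
        return self.pending_push[user]
    def verify_push(self, user, response):
        # Proves possession of the enrolled device key, independent of the phone number.
        expected = app_respond(self.device_key[user], self.pending_push.pop(user, b""))
        return hmac.compare_digest(expected, response)

def demo():
    srv = AuthServer()
    srv.enroll_sms("alice", "+15550100")
    key = srv.enroll_app("alice")
    sms_ok = srv.verify_sms("alice", srv.start_sms("alice")[1])
    push_ok = srv.verify_push("alice", app_respond(key, srv.start_push("alice")))
    # The operator reassigns the number (the SIM-swap condition): the next code reaches the
    # new SIM holder and still verifies; a push response without the enrolled key does not.
    NUMBER_TO_SIM["+15550100"] = "sim-other"
    holder, code = srv.start_sms("alice")
    swapped_sms_ok = srv.verify_sms("alice", code)
    wrong_key_push_ok = srv.verify_push("alice", app_respond(os.urandom(32), srv.start_push("alice")))
    return sms_ok, push_ok, holder, swapped_sms_ok, wrong_key_push_ok
```

The point the server side makes visible is that the SMS verifier has no way to distinguish the enrolled user from the current holder of the number, whereas the push verifier never consults the number at all.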
But this is just one example. Looking for security guidance from their more established peers in traditional finance will help crypto firms build and maintain the credibility needed to become trusted, mainstream providers of financial services. Doing so proactively could help stem the tide of exacting regulation and public scrutiny that crypto firms face now and further down the line. Crypto was created out of a desire to be innovative and to reject traditional finance. But it is now in the hands of the crypto market to turn this around and take advantage of the wealth of security resources available to it.