Melting Down Crypto Coins: The Dangers of Account Takeovers in Decentralized Finance (DeFi)

Now, as the world’s largest DeFi players look to bring their companies into Travel Rule compliance, is crypto becoming a safer space to play in?

Yes and no, sadly.

Move Security Here, Danger Goes There

Companies like Coinbase (NASDAQ:COIN) have partnered with other crypto exchanges and fintech to form the Travel Rule Universal Solution Technology (TRUST) network. This group was formed to provide a framework to adhere to Travel Rule requirements with ease, allowing wallets and exchanges to conduct business as usual with security confidence.

The TRUST network participants will thus be gathering more information about their clients than before. If a transaction is later found to be part of organized crime or another legal infraction, the transaction history is not only discoverable but now the names and locations of the fraudulent senders will be known, as they will have to submit verifiable identifying information as they sign up for their account.

The perceived security? Completely transparent transaction history.

The reality? Fraudsters, like a dammed-up stream, will flow towards wherever cybersecurity isn’t in place.

ATOs in Crypto Exchanges

A crypto exchange working overtime to bring its practices into the constraints of the Travel Rule will probably feel a lot of confidence after instituting all the necessary changes – the union of compliant companies is literally called the TRUST network. The problem is that this may give exchanges a false sense of security when it comes to the most worrisome (expensive) species of cybercrime for wallets and exchanges on the blockchain: the account takeover.

Consider the damage that could be done in a different instance of ATO attack on, say, a social media or ecommerce shopping account. Certainly, there have been high-profile Twitter account hacks in which fraudsters, through a sort of brute-force social engineering, were able to scam hundred of thousands away from overzealous, hopeful users. But outside of these unusual strategies, there generally isn’t as much damage to be done besides a few anomalous purchases on an Amazon Prime account, which will later be refunded.

By comparison, an ATO on a crypto wallet is akin to letting a scammer run amok in your bank account, except bank accounts come with much more intense levels of identity authentication that VASPs are not required to implement. Due to the friction this security adds, many aren’t particularly interested anyway.

In the event of a crypto account takeover, be it coins or non-fungible tokens, it goes without saying that the account gets drained, and quickly. Though Bitcoin (CRYPTO: BTC) and (cryptocurrency in general) was originally pitched by its creator, Satoshi Nakamoto, as a safer option than fiat currencies because of the nature of its traceability, this assumes that there are no crypto wallet services that allow anonymity – which there are, in droves. Thus, when comedian Seth Green’s Bored Ape Yacht Club NFT was stolen earlier this year when a fraudster gained access to his crypto wallet account, it could be seen that the stolen Ape was moved to another account, but there was no identity attached to it, and it was promptly resold.

Though he appealed to Twitter to not interact with the stolen blockchain tokens, the nature of decentralized finance means there is no body of trust – a centralized bank, a government – at the center to mediate these issues. The Ape (CRYPTO: APE) NFTs were gone, and there was no recourse.

It’s also worth noting that certain anonymizing services for cryptocurrencies exist, commonly referred to as coin mixers or coin tumblers. These services effectively sever an asset from their identifiable history, like melting down stolen gold doubloons into anonymous block ingots. They do this by splitting the stolen coins (that are now flagged as illicit) and “tumbling” them with clean, unflagged coins to create a totally new financial product. These mixed coins bear the scars of their tumbling, but are still coins with value, and the number of exchanges that have blacklisted these products are few, despite their likely association with money laundering.

Preventing Account Takeover Attacks in Cryptocurrency

Protecting a single user’s account, much less the accounts of an entire user base, is a multifaceted problem that requires a multifaceted solution effort.

Through Software

As many ATOs use some sort of credential stuffing attack, throwing waves of automated bots armed with stolen credentials at a security gateway until one makes it through, the first line of defense is going to be a fraud solution with account takeover detection. Fraudsters that program the botnets are prone to laziness when it comes to differentiating their hundreds or thousands of bot programs from each other. Though each is programmed to approach a security threshold as an individual person, there will inevitably be data points that will look oddly similar, as long as the fraud solution knows which rocks to turn over.

Turn over this rock – browser fingerprinting – and the software finds a thousand accounts that are apparently using the exact same web browser.

Turn over another – re-checking submitted data multiple times in the user journey – you notice a user that has changed their trusted email address to a new one with no digital footprint, a particularly red flag for ATO.

These are the kinds of anomalous behavior that may escape human purview, but automated fraud solutions are trained by machine-learning algorithms to detect and preclude them.

Through Education

Other methods of ATO are both more sophisticated and lower-tech. Stopping them from reaching inside your infrastructure is a battle of human education and vigilance as much as software.

This is because in Knowledge-Based Attacks (KBAs), Knowledge refers to personal data about an individual targeted account. This knowledge might be obtained through some sort of social engineerings, such as gathering shared (overshared?) pieces of personal information from social media – schools, family – that might come into play during security checks.

Other social engineering ploys might be better described as flat-out scams, such as romance fraud, a combination of catfishing and taking advantage of lonely people on dating sites to steal their IDs, and then using their various accounts to appear more legitimate in future cybercrime.

There are plenty of applications for fraud software in targeted spear-phishing attacks like this, such as tuning software to be sensitive to unusual account behavior, but the most effective prevention is awareness. Awareness not only of the mere existence of things like spear-phishing, watering-hole attacks, and password managers but also of what forms they might take. A healthy dose of suspicion among every connected employee is a good thing to instill, as fraudsters develop methods that look as innocuous as a text message from the CEO, but will lead to havoc if they aren’t scrutinized carefully.

More Friction, More Defense

Should the best-laid security plans still fail to keep fraudsters out of your infrastructure, there are still digital failsafes. From a user experience perspective, these options are plainly high-friction, but are necessary in order to keep your marketplace secure.

Multi- or 2-factor authentication techniques that require more than one device to verify are hard to work around if you’re a fraudster – that’s why they exist. Today the average MFA system will send an SMS to a registered mobile device, linking an online account to the device’s registration. Perhaps because of the obvious friction this presents, the tendency is to rely on the trust generated by a passed MFA for the remainder of the customer journey, no (more) questions asked. But SMS was not designed with security in mind, and even these authentications can be spoofed. Even after the relatively high hurdle of a 2FA or MFA, additional device analytics and IP risk scoring still need to be stacked on top to have the highest security confidence.

Some security options that are common in ecommerce retail may be applicable to the crypto space as well. Retailers stocking merchandise that is prone to theft – AirPods, for example – often pair digital purchases with liveness checks via phone. Fraud teams in crypto environments should already be well aware of users who complain of being unable to finish a multi-factor authentication process due to being on a mobile device, and be aware of their likely true intentions (bad). Probably suspicious candidates like this seem a good opportunity for such a liveness check in cases where fraud software flags suspiciously large, numerous, or otherwise abnormal transactions.

Why The Friction Is Worth It

Crypto exchanges, like the commodities they deal in, are finicky, and highly susceptible to reputational damage. Incredibly numerous are the examples online of crypto’s volatility, with whole fortunes evaporating in moments.

Blockchain-based currencies have always been fighting against the reputational tide that the currency itself is a bit of a scam. Recent high-profile crypto-implosions, as with 3 Arrows Capital, certainly did nothing to help that.

Thus, as more of the world becomes aware and interested in exchanging crypto and DeFi, stability and dependability will become increasingly valuable marketing assets. Currently, some major crypto markets seem to care little or less about reputational damage, but others are offering their employees payment in bitcoin – a situation that demands stability or a potential workforce revolt. Should models like this become the status quo, the exchanges that stand to profit from holding the funds of crypto-newbies are the ones that go well beyond Travel Rule adherence, and actively defend their borders from fraud that could destabilize not only their own marketplace, but the entire economic landscape.

Source of the image: Pixbay