Considering the growth of attacks and development of threats targeting crypto assets, how prepared will we be from a security and privacy point of view when ideas such as Web 3.0 or the metaverse become a reality?
There is a very popular phrase attributed to the philosopher George Santayana that says “Those who cannot remember the past are condemned to repeat it.” The phrase is widely used to stress how important the ability to learn from past mistakes is for progress and evolution, so that those mistakes are not repeated in the future. I think it applies perfectly when analyzing the future of technology and some of the promises of evolution that the metaverse, Web 3.0 and crypto assets represent. Other technological revolutions in the recent past, such as the growth of the Internet of Things (IoT), to name just one example, have shown us the risks and consequences for people's security and privacy that come from the lack of maturity of users, the lack of regulations and little awareness on the part of the companies developing these technologies. Perhaps it is unrealistic to think that we can be sufficiently prepared to face the challenges of something that still seems far away, but there is a lot that can be done through education and awareness to avoid arriving so unprotected.
Introduction
In recent years, the Internet has been revolutionized with crypto assets and the possibility of having everything, at all times, but without having anything. I know this phrase may seem a bit strange, but it describes what happens with savings assets that are not physical, such as cryptocurrencies and crypto assets in general, whose adoption grew so much that in Latin America, for example, 51% of consumers have already made transactions with crypto assets and are very interested in investment opportunities.
Another technological aspect that has been perfected in recent years has to do with immersive experiences, something that we have been seeing for some time with video games and virtual reality simulators. The combination of these two technologies largely explains why there is increasing interest in the metaverse and also in the concept of Web 3.0 development.
In the case of the metaverse, we are referring to a virtual world to which people can connect through special devices to spend time interacting in an alternative reality. Several companies are working on the development of models for this project, such as Meta, Google and Microsoft. According to Bloomberg, it is the next big technology platform and has the potential to become an industry worth $800 billion by 2024. On the other hand, projections estimate that by 2026, 25% of people in the world will dedicate at least one hour a day to this virtual world.
When we talk about Web 3.0, the main change will be marked by decentralization. It is an idea that aims to take control of the Internet away from technology giants and give people and communities the power to control content. The keys to achieving this decentralization are in technologies such as blockchain and the use of cryptocurrencies.
An interesting aspect of both ideas that concerns us from the perspective of cybersecurity is that the concept of “user” does not only cover people, but also organizations, since they will be able to carry out business, whether financial, buying and selling, through advertisements, etc.
Cryptocurrencies & NFTs: A growing reality even for cybercrime
The volume of cryptocurrency transactions grew 567% from 2020 to 2021, confirming the interest that exists in the adoption of cryptocurrencies to carry out various financial operations. On the other hand, during 2022 NFTs were consolidated, a very interesting proposal to monetize elements such as digital goods and art collecting. And although it seems that it is still something incipient, we cannot fail to mention the growth they have had with a market value projection for 2030 of 231,000 million dollars. And one of the keys to understanding this growth is video games.
Although cryptocurrencies have been in use for more than a decade, the landscape today is not the same. Bitcoin is no longer the currency that controls the market, and there are more than 20 thousand different types of cryptocurrencies. Although many of them remain fraudulent and many others keep appearing, the micro (and macro) communities that form around them generate new ways of interacting with cryptocurrencies: from play-to-earn games, to investments, to the purchase and sale of other assets on the blockchain such as NFTs.
However, with the growth of the crypto ecosystem, computer threats and the interest of cybercriminals also grew. This is demonstrated by the number of attacks on exchange services, decentralized financial platforms, blockchain-based video games and other services between 2021 and 2022, all of which resulted in the theft of millions in different crypto assets.
Unfortunately, many of these innovations emerged at a very rapid pace and many people decided to venture into them without being properly prepared. Cybercriminals have been trying to take advantage of this, using different forms of attacks and fraud schemes to take people's and companies’ money.
Another fundamental aspect to understand the difficulties that crypto assets pose for security has to do with the high degree of anonymity in the crypto ecosystem. This factor makes it impossible, by design, for people to have any type of support against scams, theft or identity verification, which has led to the proliferation of threats such as phishing and other forms of deception. And unfortunately, once the money has been stolen, not much can be done anymore. To understand the impact of criminal activity on users alone, according to official data for the United States, losses from cryptocurrency scams multiplied 60 times between 2018 and 2022, with victims losing an average of $2,600.
If we talk about the challenges for cybersecurity in the crypto world, we also have to talk about the incidents that arise from vulnerabilities or defects in software development. Although there are methodologies and good practices for secure development, they often do not correct errors caused by the human factor. Sometimes business interests speed things up and appropriate audits are not carried out before the applications and technologies are put into production. This allows attackers to exploit these errors or vulnerabilities to their advantage. This was, for example, what happened with platforms such as Qubit and Wormhole, which suffered losses totaling $400 million in cryptocurrencies due to the exploitation of a complex vulnerability in smart contracts.
With all this context and focusing on security, it is evident that we are on track to face great challenges in the coming years that demand more secure applications, better trained people who are aware of the threats, and regulations that are up to the circumstances. Vulnerabilities in systems will not stop appearing and new instruments and tools to operate with crypto assets will continue to emerge and grow, forcing people to be more attentive and able to think and recognize what is legitimate and what hides bad intentions.
The trend shows that in the last year social engineering was what cybercriminals used the most to carry out their attacks, with specialized malware second: ransomware, clipboard-stealing malware, Remote Access Trojans (RATs), keyloggers and cryptojacking.
This trend will probably continue next year and it is expected that the mass of users in the crypto ecosystem will continue to grow, as well as interest in NFTs or new operating instruments, such as those proposed by the world of decentralized finance (DeFi).
Virtual and real: Metaverse
The metaverse concept is one of those attracting the most attention from people and companies alike. The high investments that have already been made with these projects in mind are the greatest indicator that this new modality will be a reality. Some companies, like Meta, have invested more than $36 billion since 2019 in their metaverse project and, along with Google and Microsoft, are among the biggest promoters of this new way of interacting in the virtual world. However, this fascinating idea of the metaverse has its B side and there are a large number of questions that still have no answers and that are essential to understanding security: What type of hardware will be used to access the metaverse? How will we authenticate ourselves? What architectures will be used by the devices involved in these experiences? What happens with the data and its privacy? These and countless more questions will be answered once the systems are in place.
One of the main points of attention when talking about the concept of the metaverse is the new hardware and software that it could introduce. Authentication, the immersion factor, the static and dynamic storage of information, the functional economy and even social interactions will all pass through devices as varied as cell phones, computers or virtual reality glasses.
This implies the development of new, or partially new, pieces of software that work on very different architectures, which is a great challenge if we think about secure development.
I think it is appropriate to take as a reference what happened a few years ago with another technological innovation: the Internet of Things, better known as IoT. The rise of smart devices connected to the Internet aroused great concern, especially when it was observed that many IoT devices available on the market had not been developed with people’s security and privacy in mind. The result? Alarming data with palpable consequences. According to a survey conducted by cybersecurity firm Cynerio, more than half of hospitals around the world stated that they received some type of cyberattack directed at their IoT devices, and 53% of the devices they use have at least one unresolved critical vulnerability.
Weaknesses such as security camera circuits open to the Internet, routers with default administrator passwords, hardware within the perimeter of an organization but outside corporate networks, and even health equipment used for lateral movement, are some of the security problems that we see every day as a result of accelerated development.
What happened with IoT devices — and is still happening — should serve as experience and learning as we develop the systems that will make the metaverse work. Otherwise, we will face a high number of vulnerabilities that cybercriminals will look for and use to exploit access, authentication, economic transactions and even modify the code of the applications themselves.
In addition, it is expected that malicious code will be developed with functionalities that will include espionage, credential theft and identity theft. If we add to this insecure software development, the scenario could be even more favorable for threat actors. Just think about file sharing systems, something that any social network offers: how will it be validated whether a file has malicious content? How will the platform allow you to interact with these files? Will they be opened by the interface itself or will they have to be downloaded and managed separately? Malicious files currently represent a significant part of the digital threat scene and will certainly need to be considered in the metaverse.
To these factors we must add the volume of personal information that will be required to interact with a metaverse, and the level of knowledge people will have regarding the privacy policies and data use of the organizations that keep these metaverses running. Although it is not a design error, the consequences could be critical if, for example, registration information is reflected in users’ public profiles. Another scenario that needs to be considered has to do with a data breach: users will need to know how their data will be stored, how they can request the deletion of records or whether it will be necessary for organizations to report if our information has been breached.
Lastly, social engineering will also be a concern. With the possibility of imitating, either visually or with a fraudulent account, a well-known personality or organization, hoaxes will be as common as they are today on any social network. And with the possibilities that immersion offers, it is very likely that people are more susceptible to a social engineering deception in this context.
In summary, seeing the growth of cryptocurrencies in recent years and the level of adoption that other forms of crypto assets such as NFTs have had, the combination of the crypto ecosystem with such innovative ideas as the metaverse and Web 3.0 will undoubtedly revolutionize the future when they become a reality. Threat actors will show up and look for ways to take advantage, so we hope that past experiences can help us be better prepared to face the challenges ahead. This implies a commitment from all parties involved and a continued effort on education and awareness.