Decentralization doesn’t equal invulnerability

It seems like every day there’s a new kid on the blockchain, a new cryptocurrency, a new crop of crypto-curious consumers hankering for a taste.

Trafficking in crypto requires choosing from a plethora of crypto wallets — what consumers use to buy crypto and store their private keys — but those, even with the decentralization of Web3, have proven vulnerable to fraud.

We took a closer look at five crypto wallets to study these limitations ourselves, as well as their impact on the user experience. Here is what we found.

Seed phrase malaise

A common way in which users gain access to their wallets is the almighty seed phrase. This randomized combination of 12–24 words, automatically generated by the wallet, acts as a master password that unlocks the private keys used to buy and sell crypto.

We were assigned seed phrases of our own on wallets imToken and Trust (the latter offers the option to use a passcode instead and only utilize your seed phrase as a backup). Your seed phrase is sacred; if someone else knows it, they can steal all of your crypto. Screenshotting it or storing it in the cloud is a no-no. That only leaves one option: writing it down.

A seed phrase example from the Trust wallet

Some people go the extra mile to protect their seed phrase — storing it across multiple safety deposit boxes, engraving it in steel — and for good reason: if they lose it, or if it’s compromised, game over. Given the added friction of both storing and entering a seed phrase upon each transaction, and the potentially life-altering ramifications of losing it, it behooves wallets to find a safer and more secure alternative.

The problem with biometrics

ArgentMyCrypto, and MyEtherWallet all enabled us to log in via Touch ID. From a friction perspective, this is preferable to 2FA solutions texting users a one-time passcode that can be hacked through sim-swapping. But, while the passwordless convenience is nice, Touch ID and similar biometric tools aren’t as secure as you think.

Per a 2021 report from Kraken, it costs bad actors no more than $5 to spoof a fingerprint. Sure, Touch ID will soon give way to Face ID, but facial recognition can be bypassed just as easily. Silicone masks, pulling pictures from social media, and other workarounds aren’t tall tasks for fraudsters eyeing hundreds, thousands, millions of dollars worth of crypto.

Creating a pin on MyEtherWallet

Argent and MyEtherWallet provide a six-digit passcode alternative to Touch ID. This is problematic as well. What if you forget your pin code and (gulp) the seed phrase needed to reset it? Not to mention the credential-stuffing risk posed by folks who reuse pin codes across different wallets and/or websites.

No time like the present

A recent survey from NordVPN found that 32% of respondents who were aware of cryptocurrency hardly knew about the dangers of crypto-related fraud. As the popularity of crypto and decentralized apps on Web3 continue to rise, this could lead to lots of friction-averse users and compromised wallets if the existing verification methods aren’t tweaked to create an experience that is both seamless and secure.

A new wave of phishing attacks hit the Web3 landscape just last week. If fraudsters aren’t stealing users’ pin codes by impersonating wallets or deploying malware, they’re typosquatting to attract users to dummy websites and seizing their tokens via misleading smart contracts.

If there’s one silver lining, it’s that the transparent nature of Web3 allows for measuring financial impact and identifying opportunities for improvement. Nevertheless, the time to beef up Web3’s security is now, while still early in its development.

Once crypto is gone…it’s gone

Crypto fraud taking off

Crypto.com, one of the most popular crypto exchange marketplaces, made a big splash last Christmas when it usurped Staples Center as the home of the Los Angeles Lakers.

Recently, the company made another splash: a $34 million security breach.

The Crypto.com hack exemplifies the rise in crypto fraud over the past year, which jumped 79% in 2021 due in large part to synthetic identities. Per Pew Research, 86% of Americans are knowledgeable about cryptocurrency, and the amount of crypto users currently sits at around 300 million. With this number expected to go up, crypto apps face a herculean task in protecting their platforms from ATO (account takeover), money laundering, and other fraudster schemes.

Cryptic crypto

Balancing security with a seamless customer experience is a tough balance for companies employing traditional fraud prevention approaches. Unfortunately, most crypto apps lean into seamlessness and are too loosey-goosey at the account creation stage.

The real culprit here is static data — what crypto apps use to verify customer identity — social security numbers, dates of birth, names and addresses that can be purchased on the dark web for peanuts and cobbled into a synthetic identity. IP addresses? Those can be spoofed. And fraudsters can even pay a real person to verify their own identity through legitimate documents, such as a photo ID.

Glaring vulnerability at the account creation stage isn’t the worst part of the crypto fraud problem; it’s the fleeting nature of crypto itself. Cryptocurrency is not insured by the FDIC, so once it’s gone…it’s gone. Victims of the common “rugpull” scam know this all too well: a bad actor convinces them to invest in the newest (fraudulent) coin on the blockchain, only to vanish along with everyone’s funds and the bogus cryptocurrency that never was.

Multi-factor is hardly a factor

Complex passwords, OTPs, 2FA, and MFA can be effective in stopping fraud. But, as with Crypto.com’s 2FA approach, effective isn’t good enough.

For the advanced fraudster and their legion of bots, creating a synthetic identity or credential-stuffing or sim-swapping their way into ATO and money laundering is light work. The security protocols above are a decent start; however, they must be paired with dynamic, real-time insights to be truly impactful.

At Deduce, we are all about living in the here and now. There’s no time like real time when it comes to preventing crypto fraud or identity fraud at large, which is why we’ve built our real-time Identity Network that cross-references more than 450 million anonymized user profiles and 1.4 billion daily user activities across 150,000 websites and apps. It’s an added layer of real-time intelligence that identifies fraudsters and legitimate users with better accuracy and efficiency. It’s a winning trifecta of less fraud, less false positives, and less churn — users will login safely and seamlessly, and crypto apps can avoid a front-page breach.

Want to see how Deduce can fortify your app’s defenses? Drop us a line today and get started in no time.