SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Can we protect against cryptocurrency theft?
Fri, 17th Apr 2020

The cryptocurrency market attracts a huge number of investors and everyone hopes to get the highest returns possible. Bitcoin has so far been the most successful virtual currency, but has seen its value rise and fall dramatically over the past few years. Price volatility has undoubtedly been one of the most significant challenges facing all cryptocurrencies, but the other is security.

Over the years, digital thieves have stolen millions of dollars worth of cryptocurrency from both exchanges and wallets. The problem is that once cryptocurrency is stolen, there is no refund like there is with a bank or credit card company, and governments offer no protection for users. For some, this makes cryptocurrency too risky an investment.

Cryptocurrency exchanges and bitcoin wallets have a very real vulnerability when it comes to hacking attacks and theft: SIM swapping. Recent events have shown that millions of dollars worth of cryptocurrency can be lost with just one attack. With SIM spoofing attacks as they stand today, where an attacker takes over a mobile phone number, a two-factor authentication (2FA) code sent via SMS can be intercepted by the attacker and used to access and steal vast sums of cryptocurrency. It's a silent but oftentimes catastrophic attack and there is very little anyone can do about it.

Such sophisticated attacks are now a reality, bolstered by the increasing use and value of cryptocurrency accounts, and these highly reported thefts have stunned currency traders across the globe. In turn, this is spawning an industry uptick in stronger two-factor authentication (2FA) methods.

WebAuthn, the new W3C open standard for web authentication, is gaining particular traction within the cryptocurrency space, and for good reason. WebAuthn is supported by all major browsers and operating systems and, depending on the options a service enables, it allows traders to add a biometric device or physical security key as an additional authentication method. Whereas a one-time code sent via phone or email could be easily intercepted by a remote attacker, a fingerprint (biometric) or security key must be physically present to permit a user to log in.

Motivating traders to use WebAuthn isn't difficult. The ability to foil SIM hijacking and other attacks that use fraudulent credentials is reason enough to select a fingerprint or security key as the preferred method of account protection. With these, credentials are much more difficult to forge. And if there needs to be further convincing, usability is unparalleled. Both biometrics and security keys can be self-registered, and logging in takes only seconds.

Given the lack of regulation and protection for cryptocurrency, it would seem a no-brainer that cryptocurrency platforms employ WebAuthn to offer traders peace of mind with a simple and easy solution.