The list of companies accepting payments in cryptocurrency keeps expanding, so customers can buy almost everything they want: electronics, college degrees and cappuccinos. At the same time, the market for non-fungible tokens (NFTs) skyrockets, with new artists becoming millionaires and more established names like Snoop Dogg, Martha Stewart and Grimes capitalizing on the trend.
Cryptocurrency and NFTs are on many organizations’ agenda as they discuss the ramifications of Web3 and the opportunities it presents. This new major shift in the internet’s evolution promises to decentralize our digital world, offering users more control and a more transparent flow of information.
Across industries, companies are giving their best shot at adapting to the new paradigm. But CISOs have a long list of concerns, starting with cybersecurity and identity fraud, marketplace security risks, management of keys and data, and privacy.
Cryptocurrency in any form, including NFTs, has a set of threats and security concerns that may not be familiar to most companies. “It requires a number of new operational procedures, creates exposure to a new set of systems (public blockchains), and entails risks that many firms are less familiar addressing,” says Doug Schwenk, CEO of Digital Asset Research.
How CISOs think about these issues could affect users and business partners. “Compromises have an immediate financial impact on either the company or their users and/or NFT collectors,” says Eliya Stein, senior security engineer at Confiant.
These are the ten most significant security risks that cryptocurrencies and NFTs present to CISOs.
1. Integrating blockchain protocols can be complex
The blockchain is a relatively new technology. As a result, incorporating blockchain protocols into a project can be difficult. “The principal challenge associated with blockchain is a lack of awareness of the technology, especially in sectors other than banking, and a widespread lack of understanding of how it works,” according to a report by Deloitte. “This is hampering investment and the exploration of ideas.”
Companies should evaluate each supported chain carefully for maturity and suitability. “Adopting a [blockchain] protocol that is at an early stage can lead to downtime and security risks, while later-stage protocols currently have higher transaction fees,” says Schwenk. “After selecting a protocol to support the desired use (such as payments), there may not be any support available from the sponsor. It’s much more like adopting open source, where particular service providers may be necessary to fully realize the value.”
2. Asset ownership norms change
When someone buys an NFT, they aren’t actually buying an image, because storing photos in the blockchain is impractical due to their size. Instead, what users acquire is some sort of a receipt that points them to that image.
The blockchain only stores the image’s identifier, which can be a hash or a URL. The HTTP protocol is often used, but a decentralized alternative is the Interplanetary File System (IPFS). Organizations that opt for IPFS need to understand that the IPFS node will be run by the company that sells the NFT, and if that company decides to close shop, users can lose access to the image the NFT points to.
“Although it’s technically possible to reupload a file to IPFS, it’s unlikely that a regular user will be able to do that because the process is complex,” says independent security researcher Anatol Prisacaru. “However, the good part is that due to the decentralized and permissionless nature, anyone can do that—not just the project developers.”
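The difference between a location pointer (a URL on the seller’s server) and a content identifier (a hash any node can serve) is easier to see in code. The following is an added illustration, not code from the article or from any of the people quoted; the `content_id` function is a plain SHA-256 stand-in for a real IPFS CID, and the hosts, paths and image bytes are constructed sample values.

```python
import hashlib


def content_id(data: bytes) -> str:
    """Constructed stand-in for an IPFS CID: the pointer IS the content's hash."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


class Network:
    """Toy model of two ways an NFT can point at its image: a location (URL on a
    host the seller runs) or a content identifier any node may serve."""
    def __init__(self):
        self.hosts = {}  # host -> {path: bytes}; disappears if the host shuts down
        self.pins = {}   # content_id -> bytes; anyone with the bytes can re-add them

    def publish_url(self, host, path, data):
        self.hosts.setdefault(host, {})[path] = data
        return f"https://{host}/{path}"

    def pin(self, data):
        cid = content_id(data)
        self.pins[cid] = data
        return cid

    def shutdown_host(self, host):
        self.hosts.pop(host, None)

    def resolve(self, pointer):
        """Bytes behind a pointer, or None if nobody serves them; only hashed data is verified."""
        if pointer.startswith("https://"):
            host, _, path = pointer[len("https://"):].partition("/")
            return self.hosts.get(host, {}).get(path)
        data = self.pins.get(pointer)
        if data is not None and content_id(data) != pointer:
            raise ValueError("served bytes do not match the on-chain identifier")
        return data


def seller_closes_shop():
    """The seller's host goes away. The URL pointer dead-ends; the content pointer
    is restored as soon as any party re-uploads a copy."""
    net = Network()
    image = b"constructed image bytes for token #1"
    url_ptr = net.publish_url("nft-shop.example", "art/1.png", image)
    cid_ptr = net.pin(image)
    net.shutdown_host("nft-shop.example")
    net.pins.clear()  # the seller also stops pinning
    lost = (net.resolve(url_ptr), net.resolve(cid_ptr))  # both None at this point
    net.pin(image)    # a collector with a saved copy re-uploads it
    return lost, net.resolve(url_ptr), net.resolve(cid_ptr) == image
```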
3. Marketplace security risks
While NFTs are based on blockchain technology, the images or videos associated with them can be stored on either a centralized or a decentralized platform. Often, out of convenience, the centralized model is chosen, because it makes it easier for users to interact with the digital assets. The downside of this is that NFT marketplaces can inherit the vulnerabilities of Web2. Also, while traditional bank transactions are reversible, those on the blockchain are not.
“A compromised server may present the user with misleading information tricking him into executing transactions that will drain his wallet,” says Prisacaru. But putting enough time and effort into doing the implementation properly can protect against attacks, especially when it comes to using a decentralized platform.
“When implemented properly in a decentralized fashion, a compromised marketplace should not be able to steal or alter a user’s assets; however, some marketplaces cut corners and sacrifice security and decentralization for more control,” Prisacaru says.
4. Identity fraud and cryptocurrency scams
Cryptocurrency scams are common, and they can often have a large number of victims. “Scammers regularly stay on top of highly anticipated NFT releases and usually have dozens of scam minting sites ready to promote in tandem with the official launch,” says Stein. The customers who fall victim to these scams are often some of the most loyal, and this bad experience could potentially affect how they perceive the brand. So, protecting them is crucial.
Often, users receive malicious emails telling them that suspicious behavior was noticed in one of their accounts. They are asked to provide their credentials for account verification to solve that. If the user falls for this, their credentials are compromised. “Any brand trying to get into the NFT space would benefit from allocating resources towards monitoring and mitigation from these types of phishing attacks,” Stein says.
5. Blockchain bridges are a rising threat
Different blockchains have different coins and are subject to different rules. For example, if someone has bitcoin but wants to spend Ethereum, they need a connection between the two blockchains that allows the transfer of assets.
A blockchain bridge, sometimes called cross-chain bridge, does just that. “Due to their nature, usually they are not implemented strictly using smart contracts and rely on off-chain components that initiate the transaction on the other chain when a user deposits assets on the original chain,” Prisacaru says.
Some of the biggest cryptocurrency hacks involve cross-chain bridges, including Ronin, Poly Network and Wormhole. For example, in the hack against the gaming blockchain Ronin at the end of March 2022, attackers got $625 million worth of Ethereum and USDC. Also, during the Poly Network attack in August 2021, a hacker transferred more than $600 million in tokens to multiple cryptocurrency wallets. Luckily, in this case, the money was returned two weeks later.
6. Code should be thoroughly tested and audited
Having good code should be a priority from the beginning of any project. Prisacaru argues that developers should be skilled and willing to pay attention to detail. Otherwise, the risk of falling victim to a security incident increases. For instance, in the Poly Network attack, the attacker exploited a vulnerability between contract calls.
To prevent an incident, teams should conduct thorough testing. The organization should also contract a third party to do a security audit, although this can be expensive and time-consuming. Audits offer a systematic code review to help identify the most known vulnerabilities.
Of course, checking the code is necessary but not sufficient, and the fact that a company did an audit doesn’t guarantee that they are out of trouble. “On a blockchain, smart contracts are usually highly composable, and oftentimes, your contracts will interact with other protocols,” Prisacaru says. “Businesses, however, only have control over their own code, and interacting with external protocols will increase the risks.”
Both individuals and businesses can explore another avenue for risk management: insurance, which helps companies reduce the cost of smart contract or custodian hacks.
7. Key management
“At its heart, crypto is just private key management,” says Schwenk. “That sounds simple to many firms, and CISOs may well be aware of the issues and best practices.”
There are several accessible solutions for key management. One is hardware wallets such as Trezor, Ledger, or Lattice1. These are USB devices that generate and store the cryptographic material on their secure elements, preventing attackers from accessing your private keys even if they have compromised your computer, for example with malware or a backdoor.
Another line of defense is multi-sigs, which can be used together with hardware wallets. “At its base, a multi-sig is a smart contract wallet that requires the transactions to be confirmed by a number of its owners,” says Prisacaru. “For example, you could have five owners and require a minimum of three people to sign the transaction before it can be sent. This way, an attacker would have to compromise more than one person in order to compromise the wallet.”
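The m-of-n rule Prisacaru describes can be modelled in a few dozen lines. The block below is an added illustration, not code from the article or a deployable contract: owner names stand in for signatures, and the owner set, threshold and balance are constructed values.

```python
class MultisigWallet:
    """Constructed m-of-n wallet model: a transfer executes only once at least
    `threshold` distinct owners have confirmed it. Real signatures are replaced
    by owner names for clarity; this is not a deployable contract."""
    def __init__(self, owners, threshold, balance=0):
        self.owners = set(owners)
        if not 0 < threshold <= len(self.owners):
            raise ValueError("threshold must be between 1 and the owner count")
        self.threshold = threshold
        self.balance = balance
        self.proposals = []  # each: {"to", "amount", "confirmed": set, "executed"}

    def _require_owner(self, owner):
        if owner not in self.owners:
            raise PermissionError(f"{owner} is not an owner")

    def propose(self, owner, to, amount):
        self._require_owner(owner)
        self.proposals.append({"to": to, "amount": amount,
                               "confirmed": {owner}, "executed": False})
        return len(self.proposals) - 1

    def confirm(self, owner, pid):
        self._require_owner(owner)
        p = self.proposals[pid]
        if p["executed"]:
            raise PermissionError("already executed")
        p["confirmed"].add(owner)  # a set: one owner confirming twice still counts once

    def execute(self, pid):
        p = self.proposals[pid]
        n = len(p["confirmed"])
        if p["executed"] or n < self.threshold:
            raise PermissionError(f"{n}/{self.threshold} confirmations, not executable")
        if p["amount"] > self.balance:
            raise ValueError("insufficient balance")
        self.balance -= p["amount"]
        p["executed"] = True
        return p["amount"]


def stolen_key_scenario():
    """One stolen key (alice) cannot drain a 3-of-5 wallet; two more owners must agree."""
    w = MultisigWallet(["alice", "bob", "carol", "dave", "erin"], threshold=3, balance=100)
    pid = w.propose("alice", "outside_addr", 100)
    w.confirm("alice", pid)  # repeat by the same key: still one distinct confirmation
    try:
        w.execute(pid)
        return "drained"
    except PermissionError:
        return f"blocked at {len(w.proposals[pid]['confirmed'])} of 3 confirmations"
```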
8. Employee and user education
Organizations that would like to integrate Web3 technologies need to train their employees because new tools are needed to transact on the different blockchains. “Commerce for digital assets might seem familiar to traditional e-commerce, but the tools and browser plugins needed to be proficient in this new world are quite different than what finance teams are used to,” says Aaron Higbee, co-founder and CTO of Cofense.
While every business needs to worry about email-based phishing attacks, employees who handle digital assets can be targeted more often. The purpose of training is to make sure that everyone in the team follows the latest best practices and has a good understanding of security. Oded Vanunu, head of products vulnerability research at Check Point, says he noticed “a big gap” in knowledge when it comes to cryptocurrency, which can make things “a little bit chaotic” for certain companies. “Organizations that would like to integrate Web3 technologies need to understand that these projects must have deep security reviews and security understanding, meaning that they must understand the numbers and the implication that can happen,” he says.
Some organizations that don’t want to do private key management decide to use a centralized system, which makes them vulnerable to Web2 security issues. “I’m urging that if they are integrating Web3 technologies into their Web2, this must be a project that will have a deep security review and security best practices that need to be implemented,” Vanunu says.
9. The permanence of NFTs and Web3 decentralized apps
Many enterprises will sunset products that no longer serve their needs, but that option is typically not available for blockchain-backed assets if they are implemented properly. “NFTs should not be treated as a one-time marketing effort,” Stein says. “If the NFT itself is not on chain, there’s now a burden on the company to keep it up in perpetuity. If the project becomes a wild success, then the company has taken on a major task of supporting the collectors of these NFTs with regards to mishaps, scams, etc.”
One viral project is the one launched by the Ukrainian government, which sold NFTs based on the timeline of the war. “The place to keep the memory of war. And the place to celebrate the Ukrainian identity and freedom,” according to a tweet by Mykhailo Fedorov, vice prime minister of Ukraine and minister of digital transformation. NFT enthusiasts reacted positively, saying they wanted to buy a piece of history and support Ukraine. Their expectation, though, is for the project to be kept up.
10. Blockchain is not always the right tool
New technologies are always exciting, but before making the leap, organizations should ask if they actually solve the problem, and if it’s the right time to adopt them. Blockchain-based projects have the potential to change companies for the better, but they might also drain resources, at least in the initial stage.
“Weighing the risk/reward will be an important part of the decision, and appropriately resourcing the security effort, both in adoption and ongoing, is critical,” Schwenk says. “Judgment of risk/reward for these new exposures may not (yet) be a core competency, and it’s easy to get caught up in the hype that is often associated with crypto.”
Copyright © 2022 IDG Communications, Inc.