End User Scams and Phishing Attacks in Web3: Are They Being Underreported?
According to Christian Seifert, an expert in cybersecurity, end users in the cryptocurrency space are facing numerous attacks that often go unreported. In order for widespread adoption to occur, it is necessary to address the security concerns of Web3 technologies and increase the trust of end users in these systems.
Phishing, vulnerabilities, malware, centralization – pick your poison
Seifert, who is currently a researcher-in-residence for the Forta Network, a real-time detection network for security and operational monitoring of the blockchain, told Cryptonews.com that the Web3 space is filled with attacks targeting protocols. Mostly, only the biggest hacks get reported, such as the Ronin bridge attack seen in March this year and Wintermute in September.
Cybercriminals often target Web3 companies in order to steal the private keys associated with their protocols' addresses. These keys can be taken through phishing attacks or by exploiting vulnerabilities that allow attackers to gain control of the addresses. As the industry becomes aware of these vulnerabilities, they are usually fixed with updates to the protocols.
Some protocols do not regularly update their contracts, leaving them vulnerable to attack. In addition to these threats, there is also a variety of malware that can steal private keys or alter transaction addresses.
However, argued Seifert,
“One thing to keep in mind is that protocols should really not be structured in a way such that they rely on trust of one address or one developer.”
No one person should be able to, for example, change a role on a contract. Instead, it should be controlled by something like a multisig, with multiple people or a community approving a decision, so “even if I am compromised with malware, and my private key got compromised, I by myself cannot do anything.”
Related to this is the question of being able to pause a blockchain. For example, major crypto exchange Binance paused Bitcoin (BTC) withdrawals in June due to a backlog, according to its CEO. And it’s far from the only one doing so, with many choosing this option when attacked.
Pausing at the base layer – which is the blockchain itself – is concerning, argued Seifert, “because it illustrates the centralized nature of that particular blockchain.”
On the other hand, pausing on the application layer is a different story and a necessary measure to protect user funds when under attack, he said. There could, for example, be a pause functionality that does not affect the entire protocol, but only transactions over a certain value.
“The goal of these actions is to mitigate the attack or slow it down while at the same time allowing legitimate users to continue working with the protocol,” says Seifert.
Furthermore, transparency around how security is implemented is essential, said the expert, allowing users to have all the existing information on security measures in order to decide whether to use the protocol or not. He argued that,
“Security by obscurity is not the way to go.”
Widespread but underreported crimes against end users
So far we have talked about issues impacting protocols and companies, but even then, it is the end user that’s affected the most. Besides these huge thefts, there is also a myriad of smaller attacks, where, for instance, some $40,000-$50,000 in assets get stolen.
“I think those are actually underreported,” said Seifert. “And I think what is even more underreported is essentially the theft that end users are experiencing, because well, there's really no reporting mechanism.”
End users are frequently being attacked through various types of scams, and commonly through ‘ice phishing’ – signing approval transactions that give the attacker access to the digital assets that are associated with a user's wallet.
Seifert also gave an example of a recent attack where end users were getting scammed by tokens that take a rake for every swap – a few dollars were being siphoned off to the token deployer in addition to the swap fees. These thefts are not clearly visible to the end user, he warned.
Therefore, Seifert added, “We talked a lot about protocols, but we also need to think about end users. And what is really important is that there are security services to protect end users, blocking malicious accounts, as well as account abstraction that allows users to set policies in terms of how applications can act on their digital assets.”
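The approval-based "ice phishing" and the user-set policies described above can be illustrated with a wallet-side check that decodes a transaction's calldata before signing. This is an added example, not code from the article or from Forta; the function names, both addresses, the trusted-spender set and the allowance limit are assumptions, while the two selectors are the standard ERC-20 `approve` and ERC-721/1155 `setApprovalForAll`.

```python
APPROVE = "095ea7b3"               # ERC-20 approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # ERC-721/1155 setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1

def encode_call(selector, address, value):
    """Build ABI calldata for the constructed samples below."""
    return "0x" + selector + address[2:].lower().rjust(64, "0") + format(value, "064x")

def decode_approval(calldata):
    """Return (kind, spender, value) for an approval call, or None for anything else."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 128 or data[:8] not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return None
    try:
        int(data[8:72], 16)           # first argument must be valid hex
        value = int(data[72:], 16)    # amount, or the bool flag for operators
    except ValueError:
        return None
    kind = "approve" if data[:8] == APPROVE else "setApprovalForAll"
    return kind, "0x" + data[32:72], value  # address is the low 20 bytes of arg 1

def review(calldata, trusted_spenders, max_allowance):
    """Policy verdict a wallet could show before the user signs."""
    decoded = decode_approval(calldata)
    if decoded is None:
        return "skip", "not an approval call"
    kind, spender, value = decoded
    if value == 0:
        return "allow", "revokes an existing approval"
    if spender not in trusted_spenders:
        return "block", kind + " grants access to unknown spender " + spender
    if kind == "approve" and value > max_allowance:
        return "warn", "allowance exceeds the user's policy limit"
    return "allow", "trusted spender within policy"

# Constructed sample data: both addresses are made up for this example.
TRUSTED = "0x" + "11" * 20
UNKNOWN = "0x" + "22" * 20
SAMPLES = {
    "unlimited approve, unknown spender": encode_call(APPROVE, UNKNOWN, MAX_UINT256),
    "operator approval, unknown spender": encode_call(SET_APPROVAL_FOR_ALL, UNKNOWN, 1),
    "unlimited approve, trusted spender": encode_call(APPROVE, TRUSTED, MAX_UINT256),
    "bounded approve, trusted spender": encode_call(APPROVE, TRUSTED, 500),
    "revoke": encode_call(APPROVE, UNKNOWN, 0),
}

if __name__ == "__main__":
    for label, calldata in SAMPLES.items():
        print(label, "->", review(calldata, {TRUSTED}, max_allowance=1000))
```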
How to protect end users
Asked if the existence of Web3 is threatened by these disruptive attacks, or is just a teething problem, Seifert said that “it's a combination,” but that it has a negative impact either way. It’s certainly detrimental to adoption.
For example, if a user sees their crypto or non-fungible token (NFT) stolen, they often “don't understand what happened; they're basically faced with an empty wallet,” said Seifert, adding:
“I think that this does not increase the likelihood that those folks stay in Web3. And so I think victims in particular will probably turn away from Web3. Many of these stories are being shared online, and that does not instill a lot of confidence.”
Meanwhile, the recent string of project failures and bankruptcies, particularly the fall of the FTX exchange, has once again placed the issue of centralization into the spotlight, leading to more trust being given to decentralized finance (DeFi) and noncustodial solutions, said the expert.
But where there is money, there are bad actors. Users have been withdrawing funds from centralized exchanges, so there is likely to be an influx of users adopting noncustodial aspects and participating in DeFi, however:
“I am sure that attackers will try to take advantage of that. I think there's going to be extensive push around phishing, rugpulls, all scams that are impacting end users.”
Therefore, there needs to be a better security layer that would warn a user about a potentially dangerous action, more education targeting users, and usability improvements for end users, including greater simplicity of products, user-friendly wallets, as well as solutions that help end users navigate Web3. It is the complexity of products and transactions, which an average user cannot understand, that attackers are taking advantage of, said Seifert, adding:
“Even big wallet providers need to adopt extensive security features to protect end users.”
At the same time, the industry is fairly young, and Seifert has seen over the last couple of years “a plethora” of security services that are coming online that help end users and protocols protect themselves.
Some of the important components of a comprehensive security strategy, Seifert said, are:
- auditing: audits are the most well-adopted technique for securing a protocol, and one should not try to reinvent the wheel, but use the already audited template libraries that eliminate many known bugs;
- bug bounties: there is an increase in the adoption of bounties, with security researchers doing great work in an ethical way; a protocol should incentivize potential attackers to work with it, not against it;
- monitoring: once the protocol has been deployed, monitoring is of utmost importance as it will allow time to act in case of an attack to mitigate it;
- incident response capabilities: either automated or manual, necessary in order to be able to act and protect the funds;
- pause functionality: as discussed above, this helps stop further draining of the funds;
- upgradable contracts;
- cyber insurance.
He added that,
“Ideally, these should be integrated from day one. But a lot of the protocols are small teams, innovating rapidly, and they want to be quick to market. And security as a result in that environment is not a top priority.”
However, as they move into the market, and should they become successful, they will see an influx of users and their total value locked (TVL) rise – and this is where this protocol’s risk profile changes.
“Attackers see how much digital assets are in the protocol, and you will become a target. And you need to adopt a comprehensive security strategy once you become a risk.”
Meanwhile, what we're seeing in the Web2 industry is a concentration of security services in managed service providers, where a small business can ask such a provider to secure them. “And I expect there's going to be something similar in the Web3 space,” said Seifert. There is the issue of centralization there, and the industry will need to find ways to mitigate that.
Attacks are a huge problem for users and protocols alike, and the industry is recognizing them as such, producing “a flurry” of companies, decentralized autonomous organizations (DAOs), and communities that are creating security services.
“And so I very much expect that in five years, security will be more mature in the Web3 space, and we're starting to see that,” Seifert concluded.