
10 NFT and cryptocurrency security threats that CISOs must confront 


Decentralized technologies can raise the level of anxiety for CISOs, but there are ways to avoid security risks.


 

The list of companies accepting cryptocurrency payments is constantly growing, thanks to which customers can buy almost anything they want: electronics, diplomas, cappuccinos.

At the same time, the non-fungible token (NFT) market is booming as emerging artists become millionaires, with more established names like Snoop Dogg, Martha Stewart, and Grimes capitalizing on the trend.

Cryptocurrencies and NFTs are on the agenda of many organizations as they discuss the implications of Web3 and the opportunities it brings.

This new big shift in the evolution of the Internet promises to decentralize our digital world, providing users with greater control and a more transparent flow of information.


Companies from various industries are doing their best to adapt to the new paradigm.

However, the list of CISO concerns is long, and ranges from cybersecurity and identity fraud to market security, key management, data and privacy threats.

Cryptocurrency in any form, including NFT, carries a number of risks and security issues that most businesses may not be familiar with.

“It requires a number of new operating procedures, exposes you to a new set of systems (public blockchains), and carries risks that many companies are not aware of,” says Doug Schwenk, CEO of Digital Asset Research.

How CISOs think about these issues can affect users and business partners.

“The settlement has immediate financial consequences for the company, its users, and/or NFT collectors,” says Ilya Stein, chief security engineer at Confiant.

Here are the top ten security threats that cryptocurrencies and NFTs pose to CISOs.

1. The integration of blockchain protocols can be complex

Blockchain is a relatively new technology. As such, integrating blockchain protocols into the project becomes a bit tricky.

“The main challenge with blockchain is the lack of awareness of the technology, especially in sectors other than banking, and the widespread lack of understanding of how it works,” Deloitte said in a report.

“This makes it difficult to invest and explore ideas.”

Companies must carefully evaluate each supported chain for maturity and appropriateness.

“Early-stage [blockchain] protocol adoption can lead to downtime and security risks, while later-stage protocols currently have higher transaction fees,” says Schwenk.

“Once a protocol is chosen for the desired use (such as payment), the sponsor may not be able to provide any support. It is more like open source adoption where specific service providers may be required to fully realize the value.”

2. Changing the criteria for asset ownership

When someone buys an NFT, they are not actually buying an image because it is impractical to store images on the blockchain due to their size.

Instead, users receive a kind of receipt showing them the way to the image.

Only an identifier for the image is stored on the blockchain, which can be a hash or a URL. HTTP is often used, but a decentralized alternative is the InterPlanetary File System (IPFS).

Organizations that choose IPFS should be aware that the IPFS node will be managed by the company selling the NFT, and if that company decides to close the store, users may lose access to the image the NFT points to.

“While it is technically possible to re-upload a file to IPFS, it is unlikely that the average user will be able to do so because the process is complex,” says independent security researcher Anatole Brisacaro.

“However, the good part is that due to its decentralized and vulnerable nature, anyone can do this – not just project developers.”
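As an added illustration (not from the original article): a short Python audit that sorts NFT asset references by where the file actually lives, and checks retrieved bytes against a recorded SHA-256 digest. The risk ratings, host names and CIDs are assumptions constructed for this example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Illustrative ratings chosen for this example, not an industry standard.
RISK = {"on-chain": "low", "ipfs": "medium", "ipfs-gateway": "medium",
        "web-server": "high", "unknown": "high"}

def classify_asset_uri(uri):
    """Return (storage kind, party the collector depends on) for an NFT asset URI."""
    parsed = urlparse(uri)
    scheme = parsed.scheme.lower()
    if scheme == "data":
        return "on-chain", "the blockchain itself"
    if scheme == "ipfs":
        return "ipfs", "any IPFS node that still hosts the file"
    if scheme in ("http", "https"):
        parts = [p for p in parsed.path.split("/") if p]
        if len(parts) >= 2 and parts[0] == "ipfs":
            return "ipfs-gateway", f"gateway {parsed.hostname} or any other IPFS node"
        return "web-server", f"whoever operates {parsed.hostname}"
    return "unknown", "unresolvable reference"

def asset_matches(asset_bytes, recorded_sha256_hex):
    """True if retrieved bytes match the SHA-256 digest recorded for the token."""
    actual = hashlib.sha256(asset_bytes).hexdigest()
    return hmac.compare_digest(actual, recorded_sha256_hex.lower())

def audit_collection(tokens):
    """tokens: iterable of (token_id, uri). Returns findings sorted high risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for token_id, uri in tokens:
        kind, depends_on = classify_asset_uri(uri)
        findings.append({"token": token_id, "storage": kind,
                         "risk": RISK[kind], "depends_on": depends_on})
    return sorted(findings, key=lambda f: (order[f["risk"]], f["token"]))

if __name__ == "__main__":
    # Constructed sample data; hosts and CIDs are placeholders.
    sample = [(1, "https://nft-shop.example/img/1.png"),
              (2, "ipfs://bafyCONSTRUCTEDcid/2.png"),
              (3, "https://gateway.example/ipfs/QmCONSTRUCTEDcid/3.png"),
              (4, "data:image/svg+xml;base64,PHN2Zy8+")]
    for finding in audit_collection(sample):
        print(finding)
    image = b"constructed image bytes"
    digest = hashlib.sha256(image).hexdigest()
    print(asset_matches(image, digest), asset_matches(image + b"!", digest))
```

A plain web URL is rated highest because both the availability and the content of the file depend on a single operator, which is the situation the section describes for a seller that shuts down.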

3. Market security risks

Although NFTs are based on blockchain technology, the images or videos associated with them can be stored on a centralized or decentralized platform.

Often, for convenience, a centralized model is chosen because it makes it easier for users to interact with digital assets. The disadvantage of this approach is that NFT markets may inherit Web2 vulnerabilities.

Also, while traditional banking transactions are reversible, those on the blockchain are not.

“A hacked server could provide misleading information to the user, tricking them into making transactions that would drain their wallet,” says Brisacaro.

However, spending the right amount of time and effort on the correct implementation of the system can protect against attacks, especially when it comes to using a decentralized platform.

“However, some markets are cutting corners and sacrificing security and decentralization for greater control,” says Brisacaro.

4. Identity fraud and cryptocurrency fraud

Cryptocurrency scams are common and a large number of people can fall victim to them. “Scammers regularly follow up on upcoming NFT launches and typically have dozens of scam mint sites ready to promote along with the official launch,” says Stein.

Customers who fall victim to these scams are often among a brand's most loyal, and such bad experiences can affect how they perceive that brand.

Therefore, protecting them is crucial.

Often, users receive malicious emails claiming that suspicious behavior has been noticed in one of their accounts. To resolve the supposed problem, they are asked to provide their credentials for account verification.

If the user falls for it, their credentials are at risk. “Any brand trying to get into the NFT space would benefit from dedicating resources to monitoring and mitigating these types of phishing attacks,” says Stein.

5. Blockchain bridges are a growing threat

Different blockchains have different currencies and are subject to different rules. For example, if someone owns Bitcoin but wants to spend Ethereum, they need a link between the two blockchains that enables the transfer of assets.

A blockchain bridge, sometimes called a cross-chain bridge, does just that. “By its very nature, it is not strictly implemented using smart contracts and relies on off-chain components initiating a transaction on the second chain when the user deposits assets on the original chain,” says Brisacaro.

Some of the largest cryptocurrency hacks have involved cross-chain bridges such as Ronin, Poly Network, and Wormhole.

For example, during the hack of the Ronin gaming blockchain in late March 2022, attackers seized $625 million worth of Ethereum and USDC.

Also during the attack on the Poly Network in August 2021, the hacker transferred more than $600 million in tokens to multiple cryptocurrency wallets.

Fortunately, in this case, the money was returned after 2 weeks.

6. The code must be thoroughly tested and revised

Having good code should be a priority from the beginning of any project. Developers must be skilled and willing to pay attention to detail, Brisacaro argues.

Otherwise, the risk of becoming a victim of a security incident increases. For example, in the attack on the Poly Network, the attacker exploited a gap between node calls.

To prevent an incident, teams must conduct comprehensive testing. The organization must also have a third party perform a security audit, although this can be costly and time-consuming.

Audits provide a systematic code review that helps identify the most common vulnerabilities.

Of course, code verification is necessary, but it is not sufficient, and the fact that the company has conducted an audit does not guarantee that it will not have problems. “In a blockchain, smart contracts tend to be very complex and often interact with other protocols,” says Brisacaro.

“However, only organizations control their own code, and interaction with external protocols increases the risk.”

Both individuals and companies can explore another avenue for risk management: insurance that helps reduce the cost of smart contract or custody hacks.

7. Key management

“At the heart of cryptocurrency is simply managing the private key. It seems simple to many companies, and CIOs can be familiar with the issues and best practices,” says Schwenk.

There are several key management solutions available.

One of them is hardware wallets like Trezor, Ledger or Lattice1. These are USB devices that create and store cryptographic material on their secure components, preventing attackers from accessing private keys even when they have access to the computer, e.g. via a virus or backdoor.

Another line of defense is multi-signature (multi-sig) wallets, which can be used together with hardware wallets. “Multi-sig is a smart contract wallet that requires transactions to be confirmed by multiple owners,” says Brisacaro.

“For example, you could have five owners and require at least three people to sign a transaction before sending it. That way, the attacker would have to compromise more than one person to compromise the wallet.”

8. Employee and user education

Organizations that want to integrate Web3 technologies need to train their staff because new tools are needed to perform transactions on different blockchains.

says Aaron Higbee, co-founder and chief technology officer of Cofense.

Although every company needs to worry about email-based phishing attacks, employees who handle digital assets may be more likely to be targeted.

The purpose of the training is to ensure that everyone on the team uses the latest practices and has a good understanding of security principles. Oded Vanunu, Head of Product Vulnerabilities Research at Check Point, says he’s noticed a huge knowledge gap about cryptocurrencies, which can make things “a little messy” for some companies.

“Organizations that want to integrate Web3 technologies need to understand that these projects need a deep security overview and understanding of security, which means they need to understand the numbers and the implications that can happen,” he says.

Some organizations that do not want to manage private keys choose to use a centralized system, which makes them vulnerable to Web2 security issues.

“I call for integrating Web3 with Web2 technologies to be a project where in-depth security analysis and security best practices are implemented,” says Vanunu.

9. Continued use of NFT and Web3 decentralized applications

Many companies abandon products that no longer serve their needs, but this is not usually the case with blockchain-based assets if implemented correctly.

“NFTs should not be seen as a one-off marketing effort,” says Stein.

“If the NFT itself is not on-chain, the onus is on the company to maintain it at all times. If the project is very successful, the company takes on the serious task of supporting collectors of these NFTs in case of mishaps, scams, etc. till then.”

One such viral project is one launched by the Ukrainian government, which sold NFTs based on a timeline of the war.

“A place where the memory of the war is preserved. A place to celebrate Ukrainian identity and freedom,” reads a tweet by Mykhailo Fedorov, Ukraine’s Deputy Prime Minister and Minister of Digital Transformation.

NFT enthusiasts have responded positively, saying they want to buy a piece of history and support Ukraine. However, they expect the project to continue.

10. Blockchain isn’t always the right tool

New technologies are always exciting, but before introducing them, organizations should ask themselves if they have already solved the problem and if this is the right time to adopt them. Blockchain-based projects have the potential to change companies for the better, but they can also be resource-intensive, at least in the initial stage.

Assessing the risk-benefit ratio will be an important part of the decision, and adequate funding for security-related activities, both at the implementation stage and during their implementation, is critical.

“Assessing the risk-benefit ratio of these new threats may not be a core competency (yet), and it is easy to get caught up in the hype that is often associated with cryptocurrencies,” concludes Schwenk.

Source: CSO
