The FATF’s travel rule was introduced to curb the likelihood of cryptocurrencies being used for money laundering. It requires Virtual Asset Service Providers to collect information about their users and then share that information with other providers when transferring assets between entities.
By collecting sender information such as a physical address and a national identification number, crypto exchanges can effectively establish accountability for transactions in their systems. Not only do these transactions come with a cryptographic hash that can be tracked along the assets’ journey, but exchanges now know who is sending them, down to their social security number.
Now that the world’s largest DeFi players are trying to get their companies to comply with travel regulations, is crypto becoming a safer place to play?
Yes and no, unfortunately.
Safety moves here, danger goes there
Companies like Coinbase (COIN) have partnered with other crypto exchanges and fintechs to form the Travel Rule Universal Solution Technology (TRUST) network. This group was formed to provide a framework for straightforward travel rule compliance, allowing wallets and exchanges to conduct business as usual with confidence.
The participants in the TRUST network are thus collecting more information about their customers than before. If a transaction later turns out to be part of organized crime or some other violation of the law, not only is the transaction history traceable, but the names and locations of the fraudulent senders are now known, as they are required to provide verifiable identifying information when signing up for their account.
The sense of security? Totally transparent transaction history.
The reality? Fraudsters will flow like a pent-up stream toward wherever cybersecurity is not in place.
ATOs in crypto exchanges
A crypto exchange that is working overtime to bring its practices within Travel Rule restrictions is likely to feel a great deal of trust after making all the necessary changes; the association of compliant businesses is literally referred to as the TRUST network. The problem is that this can give exchanges a false sense of security when it comes to the most worrying (and expensive) type of cybercrime for wallets and exchanges on the blockchain: account takeover.
Consider, by contrast, the damage that can be done by an ATO attack on, for example, a social media or e-commerce shopping account. Certainly there have been high-profile Twitter account hacks where, through a form of brute-force social engineering, scammers have been able to defraud hundreds of thousands of overzealous, hopeful users. Aside from these unusual strategies, generally not much damage can be done beyond a few anomalous purchases on an Amazon Prime account that are later refunded.
In comparison, an ATO on a crypto wallet is like letting a scammer run amok in your bank account, except that bank accounts come with much more intensive layers of identity authentication that VASPs are not required to implement. Because of the friction this security adds, many VASPs aren’t particularly interested in it anyway.
In the event of a crypto account takeover, be it coins or non-fungible tokens, it goes without saying that the account will be emptied quickly. Although Bitcoin (and cryptocurrency in general) was initially touted by its creator Satoshi Nakamoto as a safer option than fiat currencies because of its traceability, this assumes there are no crypto wallet services that allow for anonymity, which there are in droves. When comedian Seth Green’s Bored Ape Yacht Club NFT was stolen earlier this year after a scammer gained access to his crypto wallet account, it was apparent that the stolen ape had been moved to another account, but there was no identity connected to it, and it was immediately resold.
Though he appealed on Twitter for people not to interact with the stolen blockchain tokens, the nature of decentralized finance means there is no trusted entity (a centralized bank, a government) at the center to mediate these issues. The ape NFTs were gone and there was no recourse.
It is also worth noting that there are certain cryptocurrency anonymization services, commonly referred to as coin mixers or coin tumblers. These services effectively separate an asset from its identifiable history, like melting down stolen gold doubloons into anonymous bullion bars. They do this by splitting up the stolen coins (now flagged as illicit) and “mixing” them with clean, unflagged coins to create an entirely new financial product. These mixed coins still bear traces of their tainted history but remain coins with value, and the number of exchanges that have blacklisted these products is small despite their likely link to money laundering.
Preventing cryptocurrency account takeover attacks
Protecting an individual user’s account, let alone the accounts of an entire user base, is a multi-faceted problem that requires a multi-faceted effort to solve.
Through software
With many ATOs using some form of credential stuffing attack, throwing waves of automated bots armed with stolen credentials at a security gateway until one gets through, the first line of defense will be a fraud solution with account takeover detection. Scammers who program the botnets tend to be lazy when it comes to distinguishing their hundreds or thousands of bot programs from one another. Although each bot is programmed to approach the security gateway as an individual, there are bound to be data points that look oddly similar, as long as the fraud solution knows which stones to turn over.
Turn over one stone, browser fingerprinting, and the software finds a thousand accounts that appear to be using the exact same web browser.
Turn over another, by re-examining submitted data at multiple points throughout the user journey, and notice a user who changed their trusted email address to a new one with no digital footprint, a particularly red flag for ATO.
These are the types of anomalous behavior that can escape human notice, but automated fraud solutions are trained by machine learning algorithms to detect and weed them out.
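As an added illustration (not code from the original article or from any vendor mentioned in it), the two "stones" above can be expressed as plain detection logic over login and profile-change events. The event shapes, the threshold of ten accounts per fingerprint, and the sample data are constructed assumptions for the example; a production system would read these from its own telemetry.

```python
"""Added example: two account-takeover signals run over constructed events.

1. Fingerprint reuse: one browser fingerprint appearing across many distinct
   accounts is the credential-stuffing signature described above.
2. Trusted-email change to an address with no prior footprint in our history.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int            # constructed epoch seconds
    account: str
    fingerprint: str   # hash of browser/device attributes (assumed upstream)
    success: bool


@dataclass(frozen=True)
class EmailChange:
    ts: int
    account: str
    old_email: str
    new_email: str


# Constructed sample data: one fingerprint "fp-bot-01" hits 40 different
# accounts, succeeding on a few; two legitimate users use their own browsers.
LOGINS = [LoginEvent(1000 + i, f"user{i:03d}", "fp-bot-01", i % 7 == 0)
          for i in range(40)]
LOGINS += [
    LoginEvent(2000, "alice", "fp-alice", True),
    LoginEvent(2001, "bob", "fp-bob", True),
    LoginEvent(2002, "alice", "fp-alice", True),
]

EMAIL_CHANGES = [
    EmailChange(3000, "alice", "alice@example.com", "alice.backup@example.com"),
    EmailChange(3001, "bob", "bob@example.com", "x7q2k@mail.example"),  # never seen
]

# Constructed "digital footprint": every email address seen in any prior
# context (signup, receipts, support tickets). An address absent here is new.
KNOWN_EMAILS = {"alice@example.com", "alice.backup@example.com", "bob@example.com"}


def shared_fingerprints(logins, min_accounts=10):
    """Map fingerprint -> set of accounts, keeping only fingerprints used by
    at least min_accounts distinct accounts."""
    by_fp = defaultdict(set)
    for ev in logins:
        by_fp[ev.fingerprint].add(ev.account)
    return {fp: accts for fp, accts in by_fp.items() if len(accts) >= min_accounts}


def successful_from_shared_fingerprint(logins, min_accounts=10):
    """Accounts where a login SUCCEEDED from a shared fingerprint: these are
    the likely completed takeovers and should be prioritised for step-up or
    session revocation."""
    shared = shared_fingerprints(logins, min_accounts)
    return sorted({ev.account for ev in logins
                   if ev.success and ev.fingerprint in shared})


def suspicious_email_changes(changes, known_emails):
    """Email changes whose new address has no footprint in known_emails."""
    return [c for c in changes if c.new_email not in known_emails]


def accounts_to_review(logins, changes, known_emails, min_accounts=10):
    """Union of both signals, as a review queue for the fraud team."""
    flagged = set()
    for accts in shared_fingerprints(logins, min_accounts).values():
        flagged |= accts
    flagged |= {c.account for c in suspicious_email_changes(changes, known_emails)}
    return sorted(flagged)


if __name__ == "__main__":
    print("shared fingerprints:", list(shared_fingerprints(LOGINS)))
    print("successful logins from shared fp:", successful_from_shared_fingerprint(LOGINS))
    print("suspicious email changes:", suspicious_email_changes(EMAIL_CHANGES, KNOWN_EMAILS))
    print("review queue size:", len(accounts_to_review(LOGINS, EMAIL_CHANGES, KNOWN_EMAILS)))
```

The split between "fingerprint seen on many accounts" and "login that actually succeeded from such a fingerprint" matters operationally: the first is a botnet indicator worth rate-limiting, the second is the short list where a takeover may already have happened.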
Through education
Other ATO methods are both more sophisticated and less technical. Preventing them from invading your infrastructure is a battle of human skill and vigilance as much as software.
In knowledge-based attacks (KBAs), the knowledge relates to personally identifiable information about a single target account. This knowledge could be obtained through some kind of social engineering, for example by gathering the (excessive?) personal information people share on social media, such as schools and family, that could come into play at security checks.
Other social engineering tricks could be better described as all-around scams, for example romance scams, a combination of catfishing and exploiting lonely people on dating sites to steal their IDs and then use their various accounts to appear more legitimate in future cybercrime.
Fraud software has many uses against targeted spear phishing attacks like these, for example tuning it to respond to unusual account behavior, but the most effective prevention is awareness. Awareness not only of the very existence of things like spear phishing, watering hole attacks, and password managers, but of the forms they can take. A healthy dose of suspicion in every connected employee is a good thing, as scammers devise methods that look as innocuous as a text message from the CEO but lead to chaos if not carefully checked.
More friction, more defense
If the best security plans still fail to keep fraudsters out of your infrastructure, digital fallbacks still exist. From a user experience perspective, these options are clearly not low-friction, but they are necessary to keep your marketplace secure.
Multi- or two-factor authentication techniques that require more than one device to verify are hard to bypass if you’re a scammer; that’s why they exist. Today, the average MFA system sends an SMS to a registered mobile device and associates an online account with the device’s registration. Perhaps because of the obvious friction this brings, one tends to rely on the trust that passing an MFA generates for the rest of the customer journey without asking (more) questions. But SMS was not designed with security in mind, and even these authentications can be forged. Even after the relatively high hurdle of 2FA or MFA, additional device analysis and IP risk assessments still need to be stacked on top to reach the highest level of security confidence.
Some security options that are common in e-commerce retail may also be applicable to the crypto space. Retailers who stock high-theft merchandise (AirPods, for example) often combine digital purchases with liveness checks over the phone. Fraud teams in crypto environments should already be familiar with users who complain that they cannot complete a multi-factor authentication process because they are on a mobile device, and should be (uncomfortably) aware of their likely true intentions. Suspicious candidates like this seem to be a good opportunity for such a liveness check whenever fraud software flags suspiciously large, numerous, or otherwise abnormal transactions.
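The "stack more signals on top of MFA" idea above can be made concrete as a small post-authentication risk policy. This is an added example, not code from the article or from any product it names; the signal weights, thresholds, and the three constructed sessions are assumptions chosen to show how SMS-based MFA, an unknown device, IP risk, an abnormal withdrawal, and abandoned MFA attempts combine into an allow / step-up / liveness-check decision.

```python
"""Added example: stacking device, IP, and transaction signals on top of a
passed MFA, instead of trusting the MFA result for the rest of the session.
Weights and thresholds are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionContext:
    mfa_passed: bool
    mfa_method: str                   # "sms", "totp" or "webauthn" (assumed labels)
    device_known: bool                # fingerprint previously seen on this account
    ip_risk: float                    # 0.0 clean .. 1.0 anonymizer/proxy, from an assumed upstream feed
    withdrawal_usd: float             # amount the user is trying to move now
    account_p95_withdrawal_usd: float # historical 95th percentile for this account
    mfa_abandon_count: int            # MFA prompts started and abandoned this session


def risk_score(ctx: SessionContext) -> float:
    """Additive risk in [0, 1]. A failed MFA is maximal risk regardless of
    anything else; a passed MFA only starts the scoring."""
    if not ctx.mfa_passed:
        return 1.0
    score = 0.0
    if ctx.mfa_method == "sms":                   # SMS is the weakest factor (article's point)
        score += 0.2
    if not ctx.device_known:                      # device analysis
        score += 0.3
    score += 0.4 * ctx.ip_risk                    # IP risk assessment
    if ctx.withdrawal_usd > 3 * ctx.account_p95_withdrawal_usd:  # abnormally large
        score += 0.3
    if ctx.mfa_abandon_count >= 2:                # "can't complete MFA on mobile" pattern
        score += 0.2
    return min(score, 1.0)


def decide(ctx: SessionContext) -> str:
    """Policy: deny on failed MFA; liveness check (phone/video) on high risk;
    step-up to a stronger factor on medium risk; otherwise allow."""
    if not ctx.mfa_passed:
        return "deny"
    s = risk_score(ctx)
    if s >= 0.6:
        return "liveness_check"
    if s >= 0.3:
        return "step_up"
    return "allow"


# Constructed sessions for illustration.
CLEAN = SessionContext(True, "totp", True, 0.0, 100.0, 500.0, 0)
SMS_NEW_DEVICE = SessionContext(True, "sms", False, 0.0, 100.0, 500.0, 0)
RISKY_WITHDRAWAL = SessionContext(True, "totp", False, 0.8, 5000.0, 500.0, 2)
FAILED_MFA = SessionContext(False, "sms", True, 0.0, 100.0, 500.0, 0)

if __name__ == "__main__":
    for name, ctx in [("clean", CLEAN), ("sms_new_device", SMS_NEW_DEVICE),
                      ("risky_withdrawal", RISKY_WITHDRAWAL), ("failed_mfa", FAILED_MFA)]:
        print(f"{name:17s} risk={risk_score(ctx):.2f} -> {decide(ctx)}")
```

Note that passing MFA from a known device over a clean IP drops straight to "allow", so the extra checks cost honest users nothing; the friction lands only where the stacked signals disagree with the MFA result.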
Why the friction is worth it
Crypto exchanges, like the commodities they trade, are sensitive and very vulnerable to reputational damage. The online examples of crypto volatility are plentiful, with entire fortunes evaporating in a matter of moments.
Blockchain-based currencies have always struggled against the perception that the currency itself is something of a scam. Recent high-profile crypto implosions, like Three Arrows Capital, certainly didn’t help.
As more people around the world become aware of and interested in crypto and DeFi exchanges, stability and reliability become more valuable. Currently, some major crypto markets seem to care little about reputational damage, but others are offering their employees payment in Bitcoin, a situation that calls for stability or risks a workforce revolt. Should such models become the status quo, the exchanges that benefit from holding the funds of crypto newcomers will be the ones that go well beyond compliance with travel regulations and actively protect their borders from scams that could destabilize not only their own marketplace but the entire economic landscape.
Image source: Pixabay