10 NFT and cryptocurrency security risks that CISOs must navigate – CSO Online

By CSO

The list of companies accepting payments in cryptocurrency keeps expanding, so customers can buy almost everything they want: electronics, college degrees and cappuccinos. At the same time, the market for non-fungible tokens (NFTs) skyrockets, with new artists becoming millionaires and more established names like Snoop Dogg, Martha Stewart and Grimes capitalizing on the trend.
Cryptocurrency and NFTs are on many organizations’ agenda as they discuss the ramifications of Web3 and the opportunities it presents. This new major shift in the internet’s evolution promises to decentralize our digital world, offering users more control and a more transparent flow of information.
Across industries, companies are giving their best shot at adapting to the new paradigm. But CISOs have a long list of concerns, starting with cybersecurity and identity fraud, marketplace security risks, management of keys and data, and privacy.
Cryptocurrency in any form, including NFTs, carries a set of threats and security concerns that may be unfamiliar to most companies. “It requires a number of new operational procedures, creates exposure to a new set of systems (public blockchains), and entails risks that many firms are less familiar with addressing,” says Doug Schwenk, CEO of Digital Asset Research.
How CISOs think about these issues could affect users and business partners. “Compromises have an immediate financial impact on either the company or their users and/or NFT collectors,” says Eliya Stein, senior security engineer at Confiant.
These are the ten most significant security risks that cryptocurrencies and NFTs present to CISOs.
The blockchain is a relatively new technology, and incorporating blockchain protocols into a project is harder than it looks. “The principal challenge associated with blockchain is a lack of awareness of the technology, especially in sectors other than banking, and a widespread lack of understanding of how it works,” according to a report by Deloitte. “This is hampering investment and the exploration of ideas.”
Companies should evaluate each supported chain carefully for maturity and suitability. “Adopting a [blockchain] protocol that is at an early stage can lead to downtime and security risks, while later-stage protocols currently have higher transaction fees,” says Schwenk. “After selecting a protocol to support the desired use (such as payments), there may not be any support available from the sponsor. It’s much more like adopting open source, where particular service providers may be necessary to fully realize the value.”
When someone buys an NFT, they are not actually buying an image, because storing images on the blockchain is impractical at that size. What users acquire is a token whose on-chain record points to the image.
The blockchain stores only a pointer to the asset: typically a token URI that resolves to a metadata file, which in turn names the image by URL or content hash. Plain HTTP(S) URLs are common, but a decentralized alternative is the InterPlanetary File System (IPFS), which addresses content by the hash of its bytes, so the file cannot be silently swapped for another. Organizations that opt for IPFS need to understand that a file stays available only while some node pins it. In practice that node is run by the company selling the NFT, and if that company closes shop and nobody else has pinned the file, users lose access to the image the NFT points to.
“Although it’s technically possible to reupload a file to IPFS, it’s unlikely that a regular user will be able to do that because the process is complex,” says independent security researcher Anatol Prisacaru. “However, the good part is that due to the decentralized and permissionless nature, anyone can do that—not just the project developers.”
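To make that pointer chain concrete, here is an added example (written for this article, not code from CSO or the quoted researchers) that audits where an NFT's metadata and image actually live: in contract state as a data: URI, on IPFS by content hash, behind a single IPFS gateway host, or on a plain web server. The token URIs, metadata documents and hosts are constructed placeholders, and the `fetch_metadata` callback is where a real audit would resolve the URI over the network.

```python
import base64
import json
from urllib.parse import unquote, urlparse

# Storage classes, ranked from most to least durable for the token holder.
ON_CHAIN = "on-chain"              # data: URI; lives in contract state
IPFS = "ipfs"                      # ipfs://<cid>; immutable, but only available while pinned
IPFS_GATEWAY = "ipfs-via-gateway"  # https://<host>/ipfs/<cid>; the pointer names one host
CENTRALIZED = "centralized-http"   # https://<host>/...; mutable and operator-dependent
UNKNOWN = "unknown"
RANK = {ON_CHAIN: 0, IPFS: 1, IPFS_GATEWAY: 2, CENTRALIZED: 3, UNKNOWN: 4}

NOTES = {
    ON_CHAIN: "stored in contract state; survives as long as the chain does",
    IPFS: "content-addressed, cannot be altered, but disappears if nobody keeps pinning the CID",
    IPFS_GATEWAY: "content-addressed, but the token names one gateway host that may go away",
    CENTRALIZED: "mutable and hosted by one operator; can be swapped or lost if they shut down",
    UNKNOWN: "unrecognised scheme; resolve manually",
}


def classify_uri(uri: str) -> str:
    """Where does this pointer resolve, and who controls what it resolves to?"""
    parts = urlparse(uri)
    scheme = parts.scheme.lower()
    if scheme == "data":
        return ON_CHAIN
    if scheme == "ipfs":
        return IPFS
    if scheme in ("http", "https"):
        # The path carries a CID, but the on-chain pointer is to this host, not to the content.
        return IPFS_GATEWAY if parts.path.startswith("/ipfs/") else CENTRALIZED
    return UNKNOWN


def decode_data_uri(uri: str) -> dict:
    """Parse on-chain metadata of the form data:application/json;base64,<payload>."""
    header, sep, payload = uri.partition(",")
    if not sep or not header.lower().startswith("data:"):
        raise ValueError("not a data: URI")
    raw = base64.b64decode(payload) if ";base64" in header else unquote(payload).encode()
    return json.loads(raw)


def audit_token(token_uri: str, fetch_metadata) -> dict:
    """Classify the metadata pointer and the image pointer inside the metadata.

    fetch_metadata(uri) -> dict is injected so the audit can run against a live
    gateway or, as below, against constructed fixtures.
    """
    meta_class = classify_uri(token_uri)
    metadata = decode_data_uri(token_uri) if meta_class == ON_CHAIN else fetch_metadata(token_uri)
    image_uri = metadata.get("image", "")
    image_class = classify_uri(image_uri) if image_uri else UNKNOWN
    findings = [f"metadata: {NOTES[meta_class]}", f"image: {NOTES[image_class]}"]
    if RANK[image_class] > RANK[meta_class]:
        findings.append("weakest link: the metadata is more durable than the image it points to")
    weakest = max((meta_class, image_class), key=RANK.__getitem__)
    return {"metadata": meta_class, "image": image_class, "weakest": weakest, "findings": findings}


# Constructed fixtures: a collection whose tokens use three different hosting patterns.
FIXTURE_METADATA = {
    "ipfs://QmExampleCidNotReal/1.json": {"name": "#1", "image": "https://cdn.example-nft.test/1.png"},
    "https://api.example-nft.test/token/2": {"name": "#2", "image": "https://api.example-nft.test/2.png"},
}
ONCHAIN_URI = "data:application/json;base64," + base64.b64encode(
    json.dumps({"name": "#3", "image": "data:image/svg+xml;base64,PHN2Zy8+"}).encode()
).decode()


def fixture_fetch(uri: str) -> dict:
    """Offline stand-in for fetching metadata from IPFS or a web server."""
    return FIXTURE_METADATA[uri]


if __name__ == "__main__":
    for uri in list(FIXTURE_METADATA) + [ONCHAIN_URI]:
        report = audit_token(uri, fixture_fetch)
        print(report["weakest"], "|", "; ".join(report["findings"]))
```

The common pitfall this catches is the second fixture pattern: metadata pinned to IPFS that still names the image by an HTTPS URL on the vendor's CDN, so the durability of the metadata buys the holder nothing once that host disappears.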
While NFTs are based on blockchain technology, the images or videos associated with them can be stored on either a centralized or a decentralized platform. Out of convenience the centralized model is often chosen, because it makes it easier for users to interact with the digital assets. The downside is that NFT marketplaces then inherit the vulnerabilities of Web2: a compromised web server or front end sits between the user and the chain. And while traditional bank transactions can be reversed, those on the blockchain cannot, so a fraudulent transfer cannot be clawed back.
“A compromised server may present the user with misleading information tricking him into executing transactions that will drain his wallet,” says Prisacaru. But investing enough time and effort in a proper implementation protects against such attacks, particularly when the platform is built in a decentralized fashion.
“When implemented properly in a decentralized fashion, a compromised marketplace should not be able to steal or alter a user’s assets; however, some marketplaces cut corners and sacrifice security and decentralization for more control,” Prisacaru says.
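The wallet-side defence against that scenario is to decode what the page asks you to sign before approving it. The following is an added example, not code from CSO or the quoted researchers: it decodes the calldata of the ERC-721 calls a drainer relies on (setApprovalForAll, approve and the transfer functions) and blocks a collection-wide approval to an operator that is not on an allowlist. The function selectors are the first four bytes of keccak-256 of each canonical signature and are hardcoded because the standard library has no keccak; the marketplace, attacker and user addresses are constructed placeholders, and `encode_call` exists only to build sample calldata for the scenarios.

```python
# ERC-721 selectors a phishing page or compromised front end typically needs.
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
}


def _word(data: bytes, i: int) -> bytes:
    """i-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * i
    word = data[start:start + 32]
    if len(word) != 32:
        raise ValueError("calldata truncated")
    return word


def _address(word: bytes) -> str:
    return "0x" + word[12:].hex()  # an address is right-aligned in its 32-byte word


def decode_calldata(hex_calldata: str) -> dict:
    """Decode the selector and arguments of the calls above; unknown selectors are reported as such."""
    data = bytes.fromhex(hex_calldata.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    selector = data[:4].hex()
    sig = SELECTORS.get(selector)
    if sig is None:
        return {"function": None, "selector": selector}
    name = sig.split("(")[0]
    if name == "setApprovalForAll":
        return {"function": name, "operator": _address(_word(data, 0)),
                "approved": int.from_bytes(_word(data, 1), "big") == 1}
    if name == "approve":
        return {"function": name, "operator": _address(_word(data, 0)),
                "token_id": int.from_bytes(_word(data, 1), "big")}
    return {"function": name, "from": _address(_word(data, 0)),
            "to": _address(_word(data, 1)), "token_id": int.from_bytes(_word(data, 2), "big")}


def assess(hex_calldata: str, trusted_operators: set, my_address: str) -> tuple:
    """Return ('block' | 'warn' | 'ok', reason) for a transaction a site asks the wallet to sign."""
    trusted = {a.lower() for a in trusted_operators}
    me = my_address.lower()
    d = decode_calldata(hex_calldata)
    fn = d["function"]
    if fn is None:
        return "warn", f"unrecognised selector 0x{d['selector']}; decode before signing"
    if fn == "setApprovalForAll" and d["approved"]:
        if d["operator"] not in trusted:
            return "block", f"grants transfer rights over the whole collection to unknown operator {d['operator']}"
        return "warn", "collection-wide approval to a known marketplace; revoke it when you are done"
    if fn == "approve" and d["operator"] not in trusted:
        return "warn", f"single-token approval to unknown operator {d['operator']}"
    if fn in ("transferFrom", "safeTransferFrom") and d["from"] == me and d["to"] != me:
        return "warn", f"moves token {d['token_id']} out of your wallet to {d['to']}"
    return "ok", "no approval grant or outbound transfer"


def _enc_word(value) -> str:
    """ABI-encode one 32-byte word from a hex address string or an int/bool."""
    if isinstance(value, str):
        return bytes.fromhex(value.removeprefix("0x")).rjust(32, b"\x00").hex()
    return int(value).to_bytes(32, "big").hex()


def encode_call(selector: str, *args) -> str:
    """Build calldata for the constructed scenarios (a page would hand this to eth_sendTransaction)."""
    return "0x" + selector + "".join(_enc_word(a) for a in args)


# Constructed placeholder addresses, not real contracts or wallets.
MARKETPLACE = "0x" + "11" * 20
ATTACKER = "0x" + "ee" * 20
ME = "0x" + "aa" * 20

if __name__ == "__main__":
    scenarios = {
        "list on marketplace": encode_call("a22cb465", MARKETPLACE, True),
        "drainer approval": encode_call("a22cb465", ATTACKER, True),
        "outbound transfer": encode_call("23b872dd", ME, ATTACKER, 7),
        "unknown call": "0xdeadbeef",
    }
    for label, calldata in scenarios.items():
        verdict, reason = assess(calldata, {MARKETPLACE}, ME)
        print(f"{label:20s} {verdict:5s} {reason}")
```

The allowlist is the important design choice: a legitimate listing also asks for setApprovalForAll, so the check cannot simply refuse that function. It distinguishes the marketplace's known operator contract from an arbitrary address, and still warns on the legitimate case because a standing collection-wide approval is exactly what a later compromise of that operator would abuse.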
Cryptocurrency scams are common, and they can often have a large number of victims. “Scammers regularly stay on top of highly anticipated NFT releases and usually have dozens of scam minting sites ready to promote in tandem with the official launch,” says Stein. The customers who fall victim to these scams are often some of the most loyal, and this bad experience could potentially affect how they perceive the brand. So, protecting them is crucial.
Often, users receive malicious emails telling them that suspicious behavior was noticed in one of their accounts. They are asked to provide their credentials for account verification to solve that. If the user falls for this, their credentials are compromised. “Any brand trying to get into the NFT space would benefit from allocating resources towards monitoring and mitigation from these types of phishing attacks,” Stein says.
Different blockchains have different coins and are subject to different rules. For example, if someone holds bitcoin but wants to spend ether on Ethereum, they need a connection between the two blockchains that allows assets to be transferred.
A blockchain bridge, sometimes called cross-chain bridge, does just that. “Due to their nature, usually they are not implemented strictly using smart contracts and rely on off-chain components that initiate the transaction on the other chain when a user deposits assets on the original chain,” Prisacaru says.
Some of the biggest cryptocurrency hacks involve cross-chain bridges, including Ronin, Poly Network and Wormhole. In the hack against the gaming blockchain Ronin at the end of March 2022, attackers took about $625 million worth of ether and USDC. In the Poly Network attack in August 2021, a hacker transferred more than $600 million in tokens to multiple cryptocurrency wallets; in that case the funds were returned about two weeks later.
Having good code should be a priority from the beginning of any project. Prisacaru argues that developers should be skilled and willing to pay attention to detail; otherwise the risk of a security incident increases. In the Poly Network attack, for instance, the attacker abused a cross-contract call that let a privileged bridge contract be steered into calling another bridge contract and replacing the keys that authorize withdrawals.
To prevent an incident, teams should test thoroughly. The organization should also contract a third party for a security audit, although this is expensive and time-consuming. An audit is a systematic code review aimed at the known vulnerability classes; it raises the bar but does not prove the absence of bugs.
Of course, checking the code is necessary but not sufficient, and the fact that a company did an audit doesn’t guarantee that they are out of trouble. “On a blockchain, smart contracts are usually highly composable, and oftentimes, your contracts will interact with other protocols,” Prisacaru says. “Businesses, however, only have control over their own code, and interacting with external protocols will increase the risks.”
Both individuals and businesses can explore another avenue for risk management: insurance, which helps companies reduce the cost of smart contract or custodian hacks.
“At its heart, crypto is just private key management,” says Schwenk. “That sounds simple to many firms, and CISOs may well be aware of the issues and best practices.”
There are several accessible solutions for key management. One is a hardware wallet such as a Trezor, Ledger or Lattice1: a USB device that generates the private keys internally (in some models inside a dedicated secure element), never exports them, and signs transactions on the device itself. An attacker who controls the computer, for example through malware or a backdoor, therefore cannot read the keys. What they can still do is present a malicious transaction for signing, so the details shown on the device's own screen must be checked before approving.
Another line of defense is multi-sigs, which can be used together with hardware wallets. “At its base, a multi-sig is a smart contract wallet that requires the transactions to be confirmed by a number of its owners,” says Prisacaru. “For example, you could have five owners and require a minimum of three people to sign the transaction before it can be sent. This way, an attacker would have to compromise more than one person in order to compromise the wallet.”
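The properties that make a multi-sig a second line of defence are easy to state and easy to get subtly wrong: signatures must come from distinct owners, must cover exactly the transaction being executed, and must not be reusable. The following is an added simulation of that approval logic, written for this article and not the code of any real multi-sig contract. HMAC over per-owner secrets stands in for the ECDSA signature recovery a contract would do, the owner names and secrets are constructed, and the destination address is a placeholder.

```python
import hashlib
import hmac
import json

# Constructed owner secrets; in practice each would live in that owner's hardware wallet.
OWNER_SECRETS = {f"owner{i}": hashlib.sha256(f"constructed-secret-{i}".encode()).digest()
                 for i in range(1, 6)}
TREASURY_OUT = "0x" + "cc" * 20  # placeholder destination


def owner_sign(secret: bytes, digest: bytes) -> bytes:
    """Stand-in for an owner's ECDSA signature over the transaction digest."""
    return hmac.new(secret, digest, hashlib.sha256).digest()


class Multisig:
    """M-of-N wallet: execute only with `threshold` distinct, valid owner signatures."""

    def __init__(self, owner_secrets: dict, threshold: int):
        if not 1 <= threshold <= len(owner_secrets):
            raise ValueError("threshold must be between 1 and the number of owners")
        self.owners = dict(owner_secrets)   # a contract would hold public keys, not secrets
        self.threshold = threshold
        self.nonce = 0                      # bumped after every execution so signatures cannot be replayed
        self.executed = []

    def tx_digest(self, to: str, value: int, data: str) -> bytes:
        # Every signature commits to all fields plus the current nonce.
        payload = json.dumps({"to": to, "value": value, "data": data, "nonce": self.nonce}, sort_keys=True)
        return hashlib.sha256(payload.encode()).digest()

    def execute(self, to: str, value: int, data: str, signatures: list) -> bool:
        digest = self.tx_digest(to, value, data)
        approved = set()
        for owner, sig in signatures:
            secret = self.owners.get(owner)
            if secret is None:
                continue  # not an owner
            if not hmac.compare_digest(owner_sign(secret, digest), sig):
                continue  # bad signature, or one over a different tx / stale nonce
            approved.add(owner)  # a set: one owner submitting twice still counts once
        if len(approved) < self.threshold:
            return False
        self.executed.append({"to": to, "value": value, "data": data, "nonce": self.nonce})
        self.nonce += 1
        return True


def demo() -> dict:
    """Run the attack scenarios the text describes and report which ones the wallet rejects."""
    wallet = Multisig(OWNER_SECRETS, threshold=3)
    digest = wallet.tx_digest(TREASURY_OUT, 10, "0x")
    sig = {o: owner_sign(s, digest) for o, s in OWNER_SECRETS.items()}
    results = {}
    # One compromised owner replaying its own signature three times.
    results["one_owner_x3"] = wallet.execute(TREASURY_OUT, 10, "0x", [("owner1", sig["owner1"])] * 3)
    # Two real owners plus an outsider forging a signature.
    results["two_plus_outsider"] = wallet.execute(
        TREASURY_OUT, 10, "0x",
        [("owner1", sig["owner1"]), ("owner2", sig["owner2"]), ("mallory", b"\x00" * 32)])
    # Three distinct owners: executes.
    quorum = [("owner1", sig["owner1"]), ("owner2", sig["owner2"]), ("owner3", sig["owner3"])]
    results["three_owners"] = wallet.execute(TREASURY_OUT, 10, "0x", quorum)
    # The same three signatures submitted again: the nonce moved on, so the digest no longer matches.
    results["replay"] = wallet.execute(TREASURY_OUT, 10, "0x", quorum)
    return results


if __name__ == "__main__":
    print(demo())
```

The nonce in the signed digest is what turns "compromise more than one person" into a real cost for the attacker: a signature harvested from one owner for an old transaction cannot be combined with fresh ones, and a quorum that already executed cannot be replayed to drain the wallet a second time.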
Organizations that would like to integrate Web3 technologies need to train their employees because new tools are needed to transact on the different blockchains. “Commerce for digital assets might seem familiar to traditional e-commerce, but the tools and browser plugins needed to be proficient in this new world are quite different than what finance teams are used to,” says Aaron Higbee, co-founder and CTO of Cofense.
While every business needs to worry about email-based phishing attacks, employees who handle digital assets can be targeted more often. The purpose of training is to make sure that everyone in the team follows the latest best practices and has a good understanding of security. Oded Vanunu, head of products vulnerability research at Check Point, says he noticed “a big gap” in knowledge when it comes to cryptocurrency, which can make things “a little bit chaotic” for certain companies. “Organizations that would like to integrate Web3 technologies need to understand that these projects must have deep security reviews and security understanding, meaning that they must understand the numbers and the implication that can happen,” he says.
Some organizations that don’t want to do private key management decide to use a centralized system, which makes them vulnerable to Web2 security issues. “I’m urging that if they are integrating Web3 technologies into their Web2, this must be a project that will have a deep security review and security best practices that need to be implemented,” Vanunu says.
Many enterprises sunset products that no longer serve their needs, but that option typically does not exist for blockchain-backed assets done right: the tokens stay on chain and in customers' wallets. “NFTs should not be treated as a one-time marketing effort,” Stein says. “If the NFT itself is not on chain, there’s now a burden on the company to keep it up in perpetuity. If the project becomes a wild success, then the company has taken on a major task of supporting the collectors of these NFTs with regards to mishaps, scams, etc.”
One viral project was launched by the Ukrainian government, which sold NFTs based on a timeline of the war. “The place to keep the memory of war. And the place to celebrate the Ukrainian identity and freedom,” according to a tweet by Mykhailo Fedorov, vice prime minister of Ukraine and minister of digital transformation. NFT enthusiasts reacted positively, saying they wanted to buy a piece of history and support Ukraine. Their expectation, though, is for the project to be kept up.
New technologies are always exciting, but before making the leap, organizations should ask if they actually solve the problem, and if it’s the right time to adopt them. Blockchain-based projects have the potential to change companies for the better, but they might also drain resources, at least in the initial stage.
“Weighing the risk/reward will be an important part of the decision, and appropriately resourcing the security effort, both in adoption and ongoing, is critical,” Schwenk says. “Judgment of risk/reward for these new exposures may not (yet) be a core competency, and it’s easy to get caught up in the hype that is often associated with crypto.”
 
 
Copyright © 2022 IDG Communications, Inc.
DOJ Asks Congress for Tools to Limit NFT Money-Laundering Risk – PYMNTS.com

Down at the very bottom of the crypto crime report the Justice Department issued last week was a request that could make it a lot harder to buy and sell NFTs.
Citing examples of criminals using sales of the popular nonfungible tokens that hold art, video, music and collectibles to launder funds, the Justice Department asked Congress to define some or all NFTs as “value that substitutes for currency” under the Bank Secrecy Act (BSA).
Doing so, it said in “The Role of Law Enforcement in Detecting, Investigating, and Prosecuting Criminal Activity Related to Digital Assets,” would “make clear that its key [anti-money-laundering (AML) and countering the financing of terror (CFT)] provisions — including the obligations to have customer identification programs and report suspicious transactions to regulators — apply to NFT platforms, including online auction houses and digital art galleries.”
The impetus, the department said, is the “explosive growth in the demand and corresponding markets for NFTs, perhaps most notably in the area of digital art.”
Substantial Risk
This “presents substantial money-laundering risks,” it said, citing a February Treasury Department study on money laundering in the broader art market.
“NFTs can be used to conduct self-laundering, a sequence in which criminals purchase an NFT with illicit funds and then resell to a purchaser who pays for it with clean funds unconnected to a prior crime,” that report noted.
It also found that in most cases, “digital assets that are unique, rather than interchangeable, and that are used in practice as collectibles rather than as payment or investment instruments … are generally not considered to be virtual assets under [international regulations].”
The “nonfungible” part of NFT means that each is unique and cannot substitute for any other, as opposed to cryptocurrencies like bitcoin which all have the same uses and value.
NFT marketplaces “may take the view that this definition [of a ‘value that substitutes for currency’] does not apply to their activities — and that they are thus not subject to the BSA’s anti money-laundering and anti-terrorism laws,” the department said.
Justice is asking Congress to amend the BSA “to make clear that its key AML/CFT provisions — including the obligations to have customer identification programs and report suspicious transactions to regulators — apply to NFT platforms, including online auction houses and digital art galleries.”
Already There
Redefining NFTs as “value that substitutes for currency” would allow the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) to “potentially seek to regulate such activity under its money transmission regime,” a trio of lawyers at Skadden, Arps, Slate, Meagher & Flom wrote in an April blog post.
That, according to Jamie Boucher, Eytan Fisch and Javier Urbina, would require NFT marketplaces to register as money services businesses (MSB) with FinCEN.
Some types of NFTs — notably those used to fractionalize tangible assets like physical artworks and real estate, but also other valuable art or collectible tokens — are likely securities, the Securities and Exchange Commission (SEC) has said.
In FinCEN’s view, the trio noted, those can be repurposed to fit the definition of “value that substitutes for currency” and thus may already require MSB licenses.
 
FTX Talking With Investors for $1B Fundraising at $32 Billion Valuation – NFTgators

Quick take:
Although Binance maintains its number one spot in crypto transaction volume, FTX is catching up quickly after rising to third, behind Coinbase. This could change soon given the steps FTX is taking in web3.
According to reports, Sam Bankman-Fried’s company is seeking $1 billion in a new round of funding at a valuation of about $32 billion. That values FTX at more than twice Coinbase, whose market cap stands at just over $14 billion, and at roughly seven times Binance’s most recent valuation of $4.5 billion.
And there is a good reason for the disparity between market share (by volume) and overall valuation: FTX is more than just a crypto exchange platform.
The company has expanded its ecosystem to include stock trading, NFTs, crypto lending services and more, all forming significant operational synergies for the rapidly growing web3 company.
This explains why investors place such value on FTX. According to sources close to the $1 billion fundraising talks, the figure could change by the time the round closes, CNBC reported, citing people who did not want to be named.
FTX has been one of the most active investors in the web3 space during the crypto winter. The company is in the process of acquiring the crypto lending platform BlockFi for a reported $240 million.
Last year, it acquired crypto derivatives platform LedgerX allowing it to offer derivatives trading alongside traditional crypto exchange services.
Earlier this year, the company purchased Good Luck Games, the developer of the card battle game Storybook Brawl, for an undisclosed amount. The acquisition added another dimension to FTX’s business, pouncing on the rapidly growing web3 gaming sector.
The company also recently announced a partnership with game retailer GameStop to onboard the gaming community to web3.
In July, Bankman-Fried refuted claims that FTX was planning to buy retail stock brokerage platform Robinhood after Bloomberg published a report suggesting discussions were underway.
News of the new fundraising comes hot on the heels of the company’s $900 million raise announced in July. FTX also raised $420 million in October 2021.
Copyright © Diaily Meta News