Outwitting crypto criminals: Why exchanges have to go the extra mile
Crypto criminals are getting more adaptive and smarter than ever before. But how can industry service providers keep up with them? If I say that the crypto industry is highly targeted by cybercriminals and, in particular, organized criminals, I’m sure that no one who has spent a few months within the space would be surprised. And for a valid reason.
Due to the new technology and the nascent nature of the sector, criminals and fraudsters have long identified the excellent opportunity that crypto offers to profit via illicit methods. Indeed, any “new” approach to the financial sector is welcomed by the criminal fraternity as an opportunity to launder funds and find new victims.
While the situation has improved significantly since the early days of digital assets, political and financial industry pressure has led regulators to aim their sites at the crypto industry, and their long-trusted approach may not be as effective in this innovative and non-traditional space. At the same time, market participants often underestimate the intelligence, innovation and adaptability of criminals who wish to take advantage of the industry.
Related: Bitcoin can’t be viewed as an untraceable ‘crime coin’ anymore
To KYC, or not to KYC: How criminals circumvent traditional security measures
Know Your Customer (KYC) is one of the most widely utilized measures among cryptocurrency exchanges. While it helps service providers to learn more about their customers — including their identity, residence and source of funds — KYC is also a mandatory requirement for most digital asset businesses.
But rapid technological advancement and the attention regulators pay to KYC are definitely not enough to eliminate bad actors from the platform. The criminal fraternity is able to abuse the industry because they adapt rapidly, do not have to follow the same rules as us, have high liquidity and enjoy a great deal of expertise.
As a result, while traditional KYC tools can stop less established, less professional criminals, those with great experience and the necessary skills can easily circumvent such measures. It’s something they have been doing for decades in traditional financial services.
In practice, it’s very easy for criminals to procure fake documents and use them to bypass KYC rules. And they don’t even need comprehensive “Photoshop” skills. Fraudsters can get through the front door by paying decent people who want to take care of their families for their passport data and a selfie when required. The use of mules is no revelation, but the process has become immeasurably easier in the digital space.
In terms of fraud, cybercriminals primarily target less tech-savvy users. Despite the serious money involved, criminals know that many utilize crypto products and services without knowing even the basics about how they work.
Malicious parties definitely take advantage of this. This is the reason why you see so many — rather amateurish — “Elon Musk giveaway” scams out there. While veteran users can spot them easily, they effectively attract less-knowledgeable victims eager to not miss out on crypto space opportunities.
Because they are harder to fool, fraudsters rarely target more savvy people. That said, we should never underestimate the intelligence and brazen approach of criminals. They learn fast, and many of them possess the necessary resources to bypass previously unbreakable security measures. A great example is the way in which fraudsters are employed to leverage social engineering and other cunning tactics to acquire the details and private keys even of experienced crypto users.
Related: The radical need for updating blockchain security protocols
Evolving regulation and going above the standard are crucial to protect customers
The innovative technology in the financial services industry brings with it progressive, tech-savvy fraudsters who adapt quickly to major changes and new situations. For that reason, regulators need to continue to work in partnership with crypto industry players to protect consumers. However, where Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) is concerned, governments have implemented traditional style rules for the crypto space, and in such an innovative and, at times, different industry, this isn’t always the best fit.
Where traditional KYC measures are concerned, money launderers see these as akin to an old, previously solved puzzle that can be easily pieced together to circumvent service providers’ AML measures. It’s a problem they have been solving for years and are now very adept at.
And despite the importance of protecting their customers and systems from abuse, cryptocurrency enterprises have to implement old-school controls and abide by these sometimes ill-fitting rules to retain or attain their regulated status (and, thus, stay in business). This is a key stage where regulators and governments need to utilize their relationship with the crypto industry to better develop more suitable controls over time. For example, with external bad actors having long solved the KYC puzzle, better systems are required to address this issue. Perhaps utilizing bio-KYC and developing subsequent controls, such as monitoring the activities of users once they are past the gates and detecting patterns or unusual behavior, would help.
While traditional AML controls have historically been suitable in the fight against money laundering, adding the cyber element brings with it new challenges, giving us a need to protect customers, their funds and their data in the digital space. We first saw this start to develop with online banking, and it really became a fast-paced development requirement with the evolution of the payments industry and e-money.
Where cybersecurity is concerned, this doesn’t mean that digital asset exchanges can’t do anything to better protect their customers. On the contrary, industry service providers have to go the extra mile and spend additional resources to raise their standards higher than required by implementing cybersecurity best practices internally.
For example, crypto exchanges can become Payment Card Industry Data Security Standard (PCI DSS) qualified, even though most regulators don’t require them to do so. These rules are in place to guide the payments and card industry, but they could be an excellent place to start to build a protective framework within the crypto industry. In addition to implementing such extra measures, service providers need a dynamic and expert cyber team, decent technology and the right processes to respond to threats in a quick, efficient way. A lot can be learned from the payments and e-money industries in this respect.
Combine these with high-quality customer support, and you have a good chance at keeping up with the rapidly evolving and advancing strategies and tactics of crypto cybercriminals.
Fighting a war on the front lines
Criminals targeting the digital asset space are savvy and learn fast. They will attempt to attack our customers, our systems and utilize our services to launder their funds just as they have been doing in traditional financial services for decades.
However, crypto businesses have one major advantage. Due to its innovative, complex solutions, the crypto industry already possesses great expertise and extensive experience. For that reason, we are already technologically minded and need to be recognized as part of the vanguard in the security and protection of our customers as well as their assets and information.
Related: How DeFi protocols get hacked?
We are in a regulatory phase, with eyes on regulators and the industry working together. Now is the time to take the necessary steps to establish a framework more suited to the crypto industry than traditional financial services. Only when this harmony is achieved can we come together as a society to stop our customers and financial services from being abused by criminal and terrorist enterprises.
The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.