Securing the Future of Cryptocurrency Wallets Cryptocurrency Wallet Safety Scorecard Webinar
March 14, 2018
Can I Get the Slide Deck and Webinar Playback? Of course!
• The webinar is being recorded.
• The slide deck will be available in Client Portal tomorrow.*
• The report is available now in the Client Portal.* www.javelinstrategy.com/user/login
*For information on becoming a Javelin subscriber, please contact us after today’s webinar.
2 Confidential JAVELIN
Today’s Webinar Speakers
Kyle Marchini Senior Analyst, Fraud Management
Sean Sposito Analyst, Cybersecurity
Al Pascual SVP, Research Director and Head of Fraud & Security
Today’s Agenda
The State of the Wallet Market
Facing Today’s Fraud Threats
Future of Cryptocurrency Wallets
Closing thoughts
Report Components: 26 pages, 12 figures
Coinbase Takes “Best in Class” in 2018 Scorecard
2018 Cryptocurrency Wallet Safety Scorecard Leaders
2018 Cryptocurrency Wallet Safety Scorecard BEST IN CLASS Coinbase
Prevention Detection Resolution Leaders Leaders Leaders • Coinbase • Blockchain • Blockchain • GreenAddress • Coinbase • Coinbase • Xapo • Xapo
The State of the Wallet Market
Understanding Wallets: Non-Custodial Wallets Putting the “wallet” in wallet
Private key stored on-device
• Resistant to compromise
• Send/receive from known addresses
• Minimal account recovery options
Understanding Wallets: Custodial Wallets Cryptocurrency meets investment service
Private key stored by provider
• Familiar experience for less sophisticated users
• Easy to buy/sell currency
• Vulnerable to traditional fraud tactics
Exploring the Other Wallet Types Different types of digital safes have their strengths and weaknesses
• Paper Wallets
• Hardware Wallets
• Multi-sig Wallets
Facing Today’s Fraud Threats
What Criminals Love About Cryptocurrency Criminal interest in cryptocurrency has risen at the same pace as consumer adoption.
• “Immutable” transactions
• Pseudo-anonymity
• Weak wallet controls
• Maturing fraud tools
Human Behavior is the Weak Link, Not Technology Incidence of existing non-card fraud and account takeover, 2013-2017
[Figure: line chart of the percentage of consumers affected by existing non-card fraud and by account takeover, 2013 to 2017.]
Source: Javelin Strategy & Research, 2018
Online Authentication is at a Crossroads Most commonly used authentication tools are also the most vulnerable
HIGH ADOPTION, SIGNIFICANT RISK
• Passwords: Breaches, malware, social engineering, reuse
• KBA: Breaches, social engineering, social media
• SMS OTP: Malware, social engineering, SS7, MNO account takeover
ROBUST FRAUD PREVENTION, LOW ADOPTION
• Biometrics: Hardware limitations, fallback authentication
• Non-SMS OTP: User experience, adoption challenges
• Behaviometrics: Adoption, appropriate use cases
Upfront Authentication is Strong… Authentication for browser/desktop portal among evaluated wallets
Username and password 78%
One-time password (Standalone app) 67%
One-time password (SMS) 33%
User-defined PIN 33%
One-time password (Other) 22%
Use of social media credentials 11%
Hardware security key 11%
One-time password (Email) 11%
Biometrics (any) 0%
Values are the percentage of evaluated wallets. Source: Javelin Strategy & Research, 2018
But Step-Up Authentication is Lacking Pre-transaction authentication adoption among evaluated wallets
User-defined PIN 36%
One-time password (Standalone app) 15%
Fingerprint scanning 14%
One-time password (SMS) 14%
User name and password 14%
One-time password (Other) 7%
One-time password (Email) 7%
Other biometric 0%
Hardware security key 0%
Values are the percentage of evaluated wallets. Source: Javelin Strategy & Research, 2018
Mobile Phones Are Increasingly Under Attack Fraudulent new mobile phone accounts and account takeovers
[Figure: bar chart of thousands of victims of fraudulent new mobile phone accounts and of mobile phone account takeover, 2015 to 2017. Data labels shown on the chart: 380, 344, 210, 161, 107, 84.]
Source: Javelin Strategy & Research, 2018
Fueling Cryptocurrency Theft Criminal creativity is being fueled by several factors influencing digital money-related crimes.
Botnets: Just like they do in other areas of fraud, crooks are using enslaved armies of computers to systematically defeat the protections of cryptocurrency wallets.
HTTPS Everywhere: Browsers are raising the bar for everyone – including criminals. Because of free and cheap certificates, it’s difficult to discern legitimate banking portals from phishing websites.
Physical Theft: Even cryptocurrency holders using cold storage must be careful who they tell about their fortunes. There have been examples of hardware wallets being physically stolen from their owners.
The Future of Cryptocurrency Wallets
Lines Blur Between Financial Institutions and Cryptocurrency Wallets Progressive players begin to move between worlds
Cryptocurrency wallets encroach into financial services… …and vice versa.
Meeting Consumers’ Expectations There is a long way to go before wallet providers reach parity with financial institutions in fraud protection
Authentication
• Wallet providers have strong upfront authentication features, but weak step-up authentication gives fraudsters unrestricted access once they pass the front door.
Alerts
• While users may receive alerts for transactions or account activity, few wallet providers are willing to hold pending transactions for customer approval in the event of apparently suspicious activity.
Liability Protection
• With no legal liability safeguards, consumers have essentially no protection from loss in the event of fraud resulting from either provider-wide compromise or takeover of their individual wallet.
Threats to Custodial Wallet Providers Fraud mitigation functionality still has a long way to go for wallet providers
Data Breaches: When these wallet providers systematically lose control of the private keys that protect their users’ cryptocurrency, money (unexpectedly) moves.
Reputational Risks: An industry track record of hacks and exit scams drags down the reputation of even conscientious wallet providers. They require a strong communications strategy that plans for issues with customer relationships.
Reliant Parties: As cryptocurrency moves mainstream, providers rely on payment networks and processors to help consumers move value into digital currency. Problems at these partners can create issues that wallet providers have to clean up.
Closing Thoughts
1 Cryptocurrency is especially attractive to criminals. The immutability of transactions and pseudo-anonymity make cryptocurrency wallets prime targets for crooks. Their rise in popularity among consumers comes as cybercriminals are already shifting more focus to compromising online accounts.
2 Conventional fraud tactics are easily repurposed to target cryptocurrency wallets. Phishing, credential stuffing, and mobile ATO are all well-honed tools for fraudsters in other parts of the economy. The rise of unique tactics such as abuse of advertising services and employing free SSL certificates makes combatting fraud even harder.
3 Wallets have a long way to go before reaching parity with financial institutions. While progressive players on both sides of the market are making moves, the fraud prevention features at cryptocurrency wallets do not yet match consumers’ expectations for the protection they receive in financial services.
Q&A Session
Thank you! Securing the Future of Cryptocurrency Wallets
Webinar recording and slide deck will be available tomorrow in HUB, as well as email.
For questions regarding access to Javelin research, please contact: [email protected]
For more information on this report, please visit: https://www.javelinstrategy.com/coverage-area/2018-cryptocurrency-wallet-safety-scorecard
Kyle Marchini, Senior Analyst, Fraud Management
Sean Sposito, Analyst, Cybersecurity
Al Pascual, SVP, Research and Head of Fraud & Security
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. No portion of these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise provide access to the content of this report without permission. JAVELIN