Securing the Future of Wallets Safety Scorecard Webinar

March 14, 2018

Can I Get the Slide Deck and Webinar Playback? Of course!

• The webinar is being recorded.

• The slide deck will be available in Client Portal tomorrow.*

• The report is available now in the Client Portal.* www.javelinstrategy.com/user/login

*For information on becoming a Javelin subscriber, please contact us after today’s webinar.

2 Confidential JAVELIN

Today’s Webinar Speakers

Kyle Marchini Senior Analyst, Fraud Management

Sean Sposito Analyst, Cybersecurity

Al Pascual SVP, Research Director and Head of Fraud & Security

Today’s Agenda

The State of the Wallet Market

Facing Today’s Fraud Threats

Future of Cryptocurrency Wallets

Closing thoughts

Report Components 26 pages 12 figures

Coinbase Takes “Best in Class” in 2018 Scorecard

2018 Cryptocurrency Wallet Safety Scorecard Leaders

2018 Cryptocurrency Wallet Safety Scorecard BEST IN CLASS

Prevention Detection Resolution Leaders Leaders Leaders • Coinbase • • Blockchain • GreenAddress • Coinbase • Coinbase • • Xapo

The State of the Wallet Market

Understanding Wallets: Non-Custodial Wallets

Putting the “wallet” in wallet

Private key stored on-device

• Resistant to compromise

• Send/receive from known addresses

• Minimal account recovery options

Understanding Wallets: Custodial Wallets

Cryptocurrency meets investment service

Private key stored by provider

• Familiar experience for less sophisticated users

• Easy to buy/sell

• Vulnerable to traditional fraud tactics

Exploring the Other Wallet Types

Different types of digital safes have their strengths and weaknesses

• Paper Wallets

• Hardware Wallets

• Multi-sig Wallets

Facing Today’s Fraud Threats

What Criminals Love About Cryptocurrency

Criminal interest in cryptocurrency has risen at the same pace as consumer adoption.

• “Immutable” transactions

• Pseudo-anonymity

• Weak wallet controls

• Maturing fraud tools

Human Behavior is the Weak Link, Not Technology

Incidence of existing non-card fraud and account takeover, 2013-2017

[Figure: line chart of the percentage of consumers affected, 2013 to 2017, on a 0.0% to 3.0% scale. Series: Existing Non-Card Fraud; Account Takeover.]

Source: Javelin Strategy & Research, 2018

Online Authentication is at a Crossroads

Most commonly used authentication tools are also the most vulnerable

HIGH ADOPTION, SIGNIFICANT RISK

• Passwords: Breaches, malware, social engineering, reuse

• KBA: Breaches, social engineering, social media

• SMS OTP: Malware, social engineering, SS7, MNO account takeover

ROBUST FRAUD PREVENTION, LOW ADOPTION

• Biometrics: Hardware limitations, fallback authentication

• Non-SMS OTP: User experience, adoption challenges

• Behaviometrics: Adoption, appropriate use cases

Upfront Authentication is Strong…

Authentication for browser/desktop portal among evaluated wallets (percentage of evaluated wallets)

Username and password 78%

One-time password (Standalone app) 67%

One-time password (SMS) 33%

User-defined PIN 33%

One-time password (Other) 22%

Use of social media credentials 11%

Hardware security key 11%

One-time password (Email) 11%

Biometrics (any) 0%

Source: Javelin Strategy & Research, 2018

But Step-Up Authentication is Lacking

Pre-transaction authentication adoption among evaluated wallets (percentage of evaluated wallets)

User-defined PIN 36%

One-time password (Standalone app) 15%

Fingerprint scanning 14%

One-time password (SMS) 14%

User name and password 14%

One-time password (Other) 7%

One-time password (Email) 7%

Other biometric 0%

Hardware security key 0%

Source: Javelin Strategy & Research, 2018

Mobile Phones Are Increasingly Under Attack

Fraudulent new mobile phone accounts and account takeovers

[Figure: bar chart of thousands of victims per year, 2015 to 2017, on a 0 to 400 scale. Series: Fraudulent new mobile phone accounts; Mobile phone account takeover. Data labels shown on the chart: 380, 344, 210, 161, 107, 84.]

Source: Javelin Strategy & Research, 2018

Fueling Cryptocurrency Theft

Criminal creativity is being fueled by several factors influencing digital - related crimes.

Botnets: Just like they do in other areas of fraud, crooks are using enslaved armies of computers to systematically defeat the protections of cryptocurrency wallets.

HTTPS Everywhere: Browsers are raising the bar for everyone – including criminals. Because of free and cheap certificates, it’s difficult to discern legitimate banking portals from websites.

Physical Theft: Even cryptocurrency holders using cold storage must be careful who they tell about their fortunes. There have been examples of hardware wallets being physically stolen from their owners.

The Future of Cryptocurrency Wallets

Lines Blur Between Financial Institutions and Cryptocurrency Wallets

Progressive players begin to move between worlds

Cryptocurrency wallets encroach into financial services…

…and vice versa.

Meeting Consumers’ Expectations

There is a long way to go before wallet providers reach parity with financial institutions in fraud protection

Authentication

• Wallet providers have strong upfront authentication features, but weak step-up authentication gives fraudsters unrestricted access once they pass the front door.

Alerts

• While users may receive alerts for transactions or account activity, few wallet providers are willing to hold pending transactions for customer approval in the event of apparently suspicious activity.

Liability Protection

• With no legal liability safeguards, consumers have essentially no protection from loss in the event of fraud resulting from either provider-wide compromise or takeover of their individual wallet.

Threats to Custodial Wallet Providers

Fraud mitigation functionality still has a long way to go for wallet providers

Data Breaches: When these wallet providers systematically lose control of the private keys that protect their users’ cryptocurrency, money (unexpectedly) moves.

Reputational Risks: An industry track record of hacks and exit scams drags down the reputation of even conscientious wallet providers. They require a strong communications strategy that plans for issues with customer relationships.

Reliant Parties: As cryptocurrency moves mainstream, providers rely on payment networks and processors to help consumers move value into . Problems at these partners can create issues that wallet providers have to clean up.

Closing Thoughts

1. Cryptocurrency is Especially Attractive to Criminals. The immutability of transactions and pseudo-anonymity make cryptocurrency wallets prime targets for crooks. Their rise in popularity among consumers comes as cybercriminals are already shifting more focus to compromising online accounts.

2. Conventional fraud tactics are easily repurposed to target cryptocurrency wallets. Phishing, credential stuffing, and mobile ATO are all well-honed tools for fraudsters in other parts of the economy. The rise of unique tactics such as abuse of advertising services and employing free SSL certificates makes combatting fraud even harder.

3. Wallets have a long way to go before reaching parity with financial institutions. While progressive players on both sides of the market are making moves, the fraud prevention features at cryptocurrency wallets do not yet match consumers’ expectations for the protection they receive in .

Q&A Session

Thank you!

Securing the Future of Cryptocurrency Wallets

Webinar recording and slide deck will be available tomorrow in HUB, as well as email.

For questions regarding access to Javelin research, please contact: [email protected]

For more information on this report, please visit: https://www.javelinstrategy.com/coverage-area/2018-cryptocurrency-wallet-safety-scorecard

Kyle Marchini, Senior Analyst, Fraud Management

Sean Sposito, Analyst, Cybersecurity

Al Pascual, SVP, Research and Head of Fraud & Security

© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. No portion of these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise provide access to the content of this report without permission.