More than $1.2 billion is estimated to have been lost to cryptocurrency scams, thefts and fraud in the first quarter of 2019, and cybercriminals and scammers are not the only ones putting digital asset users at risk. Canadian exchange QuadrigaCX’s former CEO, Gerald Cotten, allegedly embezzled approximately $195 million of clients’ money, for example, and his recent death left the company without the passwords required to access most of its customers’ holdings.
Cryptocurrency transactions are irreversible and anonymous and exist outside traditional banking infrastructures, which makes them tempting targets for criminals and puts pressure on exchanges to enhance their defenses and oversight to protect users and comply with regulations.
Thwarting fraud and making usage as secure as possible are key concerns for Canadian trading platform Bitbuy. The company has focused tightly on security as it helps its user base purchase, sell and trade cryptocurrencies like Bitcoin, Bitcoin Cash, Ethereum, Litecoin and XRP. Founder and President Adam Goldman recently explained the company’s approach and perspective in an interview with PYMNTS.
“A lot of criminal actors start to get it into their heads that because they’d be using the nontraditional medium of cryptocurrency, there’s no course for law enforcement, so trading platforms like ourselves along with regulators need to catch these actors,” he said. “But that’s not the case [for businesses that are staying vigilant].”
Cybercriminals often have a wide range of attacks at their disposal, not all of which are new. Many bad actors deploy traditional internet scams and methods like phishing and malware, while others exploit vulnerabilities in mobile phones and web browsers or flaws in software, hardware or firmware. Cryptocurrency owners can also fall prey to get-rich-quick schemes, such as sites that promise guaranteed returns on investment in exchange for required cryptocurrency payments.
“Cryptocurrency, the community and the technology are simply new media for all of the existing illicit actors that commit crimes over computer networks,” Goldman explained. “A lot of those actors are using their previous knowledge from the pre-cryptocurrency era to compromise certain pieces of traditional technology infrastructure in order to commit fraud or theft.”
Criminals can also attempt to thwart exchanges’ customer identity verification efforts with attacks such as SIM card swaps, in which they convince carriers to switch victims’ phone numbers over to hacker-owned SIM cards. This lets fraudsters receive their targets’ incoming texts, so they can beat two-factor authentication measures or use password reset links to access accounts.
Tackling such fraud issues requires cryptocurrency trading platforms to take a variety of approaches. Bitbuy has used proprietary methods to analyze transactional data for patterns and activities that could indicate red flags. The company supplements these processes with third-party assistance, such as tapping identity verification provider Trulioo to screen customers in real time. Goldman said the authentication screening usually takes 45 seconds and enables customers to be onboarded, deposit their money and begin trading within an hour, a quick process intended to ensure smoother customer experiences.
Bitbuy’s more than 50,000 registered users are required to provide credentials, such as government-registered identification forms, names, addresses and emails. The verification process checks IP address data, email accounts and customer information against international watch lists and with credit bureaus, and also draws on open source intelligence (OSINT) and daily investigations.
Customers who do not pass automated identity checks can then undergo manual review processes. This involves additional steps, requiring users to provide two forms of government identification with photos, identification “selfies” and proof-of-address documentation, like utility bills or credit card statements.
The company requests an applicant’s personal information, such as occupation, age and location, during the manual onboarding process to further gauge risks associated with suspicious behavior. Occupation details are particularly useful in helping the company determine the likelihood that users have attained their funds through legitimate means, for example. If a prospective user intends to invest an amount equal to or greater than his or her listed occupation’s average annual salary, Goldman said, that could be a red flag.
“Simple data points like asking for an occupation might indicate what may be going on here,” he noted.
The company also inspects its internal practices by engaging an outside party to conduct “proof of reserve audits.” This process includes verifying that the trading platform has the fiat and cryptocurrency holdings claimed, as well as assessing capabilities like transaction flows, private key management systems, segregated accounts and more.
Goldman said a recent “proof of reserve audit” even analyzed Bitbuy’s strategies for recovering customers’ assets and maintaining operations in the event of disastrous incidents, such as the death of senior management or directors. The company also uses background checks to help prevent situations in which management or employees are responsible for theft and hacking.
As the cryptocurrency space grows, exchanges must perform critical KYC, AML and other security and compliance work to ensure they support only legitimate transactions and keep customers safe from fraud. Thorough examinations of both internal practices and potential customers are key to these efforts, as is a security approach that blends trading platforms’ expertise with third-party services’ transparency and impartiality.
How exchanges and other parties tackle fraud and abuse will be critical in determining the future of cryptocurrency transactions.