Cryptocurrency exchange security is being hotly debated as digital assets draw more attention from consumers, investors, regulators and fraudsters. The values of cryptocurrencies are famously volatile and users can trade certain tokens anonymously or while using pseudonyms. These combined factors can attract both privacy-focused investors eager to gamble on favorable cryptocurrency market trends and also lure fraudsters who hope to hide their identities while conducting financial crimes. The current cryptocurrency frenzy is further creating a lucrative environment in which cybercriminals can carry out their schemes.
Fraudsters’ abuse of cryptocurrency is not a new phenomenon. Criminals operating worldwide between 2011 and 2021 reportedly scammed users out of nearly $5 billion worth of cryptocurrency and stole another $3 billion through security breaches. The regulatory requirements facing the exchanges that facilitate the purchase and trade of these tokens have been evolving in recent years, partly in response to growing concern over fraudsters’ efforts. U.S.-based exchanges became subject to the Bank Secrecy Act’s anti-money laundering (AML) and know-your-customer (KYC) rules until 2019, for example; FinCEN is currently seeking comments on a policy proposal that attempts to tighten AML measures by requiring financial institutions (FIs) and exchanges to follow stricter reporting requirements on certain convertible virtual currency transactions.
Many crypto exchanges around the world still have relatively lax security measures, however, which could put them and their users at greater risk. A 2020 study found that 56 percent of the world’s virtual asset service providers (VASPs) allow users to withdraw or add funds of up to certain values without going through any KYC procedures or only cursory ones. Statistics like these can make exchanges seem like unsafe trading environments, discourage honest users from engaging with them and also prompt regulators to propose stricter KYC and AML requirements for these platforms to crack down on crime. Many consumers are interested in cryptocurrencies for legitimate reasons but may be wary of platforms that put them at risk of unwittingly trading with scammers.
Crypto exchanges face a careful balancing act because too onerous or invasive user verification procedures can scare off customers — especially those who are attracted to cryptocurrency for its much-advertised anonymity. This Deep Dive examines the security risks and privacy concerns facing crypto exchanges as well as strategies for improving safety without sacrificing the customer experience.
The Cryptocurrency Sector’s Security Challenges
Transactions made with digital assets are tracked and recorded on the blockchain, but users themselves remain anonymous by trading under pseudonyms and usernames. This opacity can make it easier for criminals to onboard and scam unwitting victims or conduct money laundering.
Cryptocurrency transactions are also irreversible, meaning that victims may have no recourse should they be tricked into sending digital tokens to fraudsters. Factors like these — plus the currently high value of many cryptocurrencies — make the space tempting for bad actors.
Exchanges that want to gain legitimate users’ trust must prove that it is safe to transact without introducing frictions that turn customers off, and each platform must find an approach that suits its particular customer base. Some platforms may feel that they cannot simply copy the KYC playbooks of their traditional, regulated FI counterparts without modifying the nature of their offerings. Users may therefore be reluctant to hand over many of the personally identifying details typically collected in FIs’ customer verification processes.
Exchanges recognize that many cryptocurrencies are also subject to rapid value fluctuations, and customers often want to be able to trade quickly so they can take advantage of current prices. This puts the onus on platforms to handle their verification and security checks swiftly to avoid making users suffer through painful delays. Safeguards may be essential to recruiting customers to a platform, but too much friction is likely to chase them away, and users may defect to competitors that are able to strike a more appealing balance of seamlessness and security.
Tailoring Authentication
Crypto platforms are adopting a variety of strategies for confirming customers’ identities while providing compelling experiences. Some exchanges may ask new customers to proceed through light initial onboarding processes but then require deeper ID verification before taking more financially risky actions, increasing the amount of identifying information that customers must provide as the value of their deposits and withdrawals rise.
Platforms may use contextual onboarding in which they allow customers to onboard without going through any identity verification but enable only very limited functionalities while customers who provide photo IDs may be permitted to conduct low-level withdrawals and deposits and full KYC adherence may allow users to transfer, deposit or withdraw significant sums.
Other exchanges seek to build trust by requiring all new customers to pass through robust KYC procedures right off the bat, including background searches, checks against sanctions lists, verification of government-issued IDs and even live phone calls. Each platform must determine the customer verification approach that best suits its business model and complies with local regulations.
Cryptocurrency platforms can also look out for red flags that — if detected and acted upon — allow them to nip fraud in the bud. Detecting when a customer signs up using one name while uploading funds from bank accounts bearing a different name can ring alarm bells as can the detection of users with IP addresses that have been associated with suspicious activities in the past. Such occurrences can prompt crypto exchanges to intervene or monitor the accounts more closely as they work to determine whether criminal activity is underway or if the events are simply false positives. Platforms can work to improve the precision and accuracy of their fraud detection measures as well by monitoring and analyzing transactions in real-time for fraud indicators. Automation-powered solutions can help make this rapid-fire analysis possible and support firms in identifying potential fraud even earlier.
Looking Ahead
Interest in digital currencies continues to grow and is prompting central banks around the world to explore their own digital currency projects that could provide virtual tender as an alternative to cash. China has already begun testing a digital version of the yuan, while the Saudi Arabian Monetary Authority is collaborating with the Central Bank of the United Arab Emirates on using cryptocurrency to facilitate cross-border transactions between their nations.
Developments like these put a focus on how identity verification and privacy will be balanced in the digital currency space in the coming years, including the extent to which the anonymity offered by cash transactions will be replicated and maintained by virtual alternatives. China’s digital yuan is intended to allow users to maintain anonymity when transacting with each other, but it would also expose participants’ details to the central bank, for example. This approach will not meet the needs of all users or suit the prevailing attitudes in all countries, though, and some consumers and businesses may continue to call for more anonymous options.
Cryptocurrency advocates seeking more widespread adoption of private tokens must also address the balance between fighting fraud and user anonymity. Kurt Nielsen, president of blockchain infrastructure organization Partisia Blockchain Foundation, wrote that broadening cryptocurrency uptake depends on the tokens offering both security and confidentiality. Nielsen said researchers are currently working on projects that seek to leverage both blockchain and a form of cryptography known as secure multiparty computation (MPC), and that this work could lead to promising results. These technologies together may enable cryptocurrencies to satisfy regulators’ needs to manage transactions while preserving user privacy through MPC’s ability to “comput[e] directly onto encrypted data while maintaining zero-knowledge about the data.” Nielsen sees MPC as building on a similar idea to zero-knowledge proof technologies, which, as other writers have previously noted, can enable users to verify their identities privately by proving their ownership of a drivers’ license without actually disclosing specific identifying details. Such discussions around providing verification while minimizing exposure of personal details may become increasingly important as 83 percent of consumers said in a 2020 global survey that they wanted more control over their own data. These needs could encourage greater exploration of how crypto exchanges and other companies can verify customer identities without having to view any more details than are strictly necessary for the transactions at hand.
Serving cryptocurrency users’ security and convenience needs now and in the future may require exchanges to explore revamping their customer authentication toolkits. Powerful automated identity verification tools can help platforms keep onboarding seamlessly while enabling them to catch and thwart potential fraud, building trust with regulators and legitimate users alike. New ID verification strategies and technology developments are also likely to continue to promote innovative ways of meeting regulators’ security demands and users’ privacy desires.
We’re always on the lookout for opportunities to partner with innovators and disruptors.
Learn More