Investment in the metaverse, where people invest in virtual “land” on multiple platforms in hopes of benefiting from its incremental value, is rising in popularity. However, alongside this potential come equal opportunities for new high-tech fraud.
Metaverse investors disclosed that they were deceived by hackers into using illegitimate portals to enter the virtual universe. The fake webpages were instead phishing sites designed to steal user credentials through which the hackers could seize land in the metaverse. Virtual property in the metaverse was targeted as it represented a newly popular blockchain-based virtual network of platforms.
The novelty of new technology means that it also has a built-in social engineering benefit. Instead of using a deceptive domain name or email address, fraud and phishing assaults in the metaverse could originate from a seemingly familiar face. Often hackers would present themselves as avatars impersonating their coworkers. Despite this, the interoperability of the platform is essential to ensure a cohesive metaverse platform or experience with user trust. Otherwise, security uncertainty will make users unsure of what to say or do in a new virtual environment and make them vulnerable to cyberattacks.
Retail in Asia had the pleasure of talking to Philipp Pointner, Chief of Digital Identity, Jumio, the provider of orchestrated end-to-end identity proofing, eKYC and AML solutions. The interview discusses security, privacy and convenience across all activities in the metaverse.
RiA: Is identity scam a common crime in the metaverse? What would you identify to be the main reasons for people to steal someone’s avatars / identity?
Philipp: Identity scam or digital identity theft is already a major security concern today.
The metaverse adds new layers of complexity to a digital identity. In fact, every individual participating in the metaverse is required to create a digital identity that can capture granular details such as facial features, gestures and reflexes that represent an accurate “twin” of the real-world profile of the user. The objective is to prevent people from pretending to be someone else, but the downside is that such information is now available in cyberspace and is at risk of breaches. With the metaverse predicted to be the next phase of the internet and social interaction, the threat of identity theft is expected to be heightened.
There are already conversations about how information gathered in the metaverse can be monetized. For context, just 20 minutes of interaction using VR can generate some 2 million unique data sets on users. This unprecedented volume of data means advertisers can now get a highly accurate glimpse not only into the preferences and purchase behaviours of users but an even richer insight into who they are in the real world – insight that enables targeted marketing messages that are highly accurate.
With such valuable data collected, bad actors can gain access to motion data, personal information and biometric data of an individual through an augmented reality or virtual reality headset to impersonate an individual and launch social engineering attacks that trick others to give away their personal details (such as credit card numbers) or initiate an unwanted contact. It does not stop there, however. Accounts and e-wallets that store cryptocurrencies or in-game credits in the virtual world are exposed to identity theft and account takeover. But, there has yet to be any regulation imposed to protect users from cybercrime in the metaverse.
RiA: Has there been any case as such reported in the metaverse?
Philipp: The metaverse is likely to introduce a new era of high-tech fraud and deception, thanks to the increased complexity brought about by the merging of immersive technologies and artificial intelligence.
In a recent Microsoft blog post, Executive Vice President Charlie Bell states that fraud and phishing attacks in the metaverse could come from a familiar face – literally – like an avatar that impersonates your co-worker. As consumers are exploring the metaverse as an avatar, an impersonation of their friend inviting them to hang out in a malicious virtual room is one of the ways scammers could lure their victims in this virtual world. The risk of phishing scams, which is already on the rise today, is also expected to be heightened in the metaverse. There are already reports of victims who have fallen prey to phishing scams, losing their investments typically made through their cryptocurrency wallet. An example of this is by stealing metaverse “land”. To purchase land in the metaverse, users typically need a cryptocurrency wallet. And, once an investor buys virtual land, it is transferred to their digital wallet, and encoded on the blockchain. This essentially serves as a deed to the property — once stolen, it is very difficult to retrieve.
In addition, hackers were also able to steal land in the metaverse by tricking users into clicking on links they believed were genuine portals to the virtual universe, but which turned out to be phishing sites designed to steal user credentials.
Aside from this, the metaverse may also directly impact the retail sector. As our interactions with companies move from the screens in our hands to the entirety of our being, these companies will gain access to more consumer data — increasing chances of unethical manipulation of consumer behaviour based on their perceived preferences, or behavioural and motion data.
RiA: Do we not have a set of standards for identification and security in the metaverse now? Is it still a new concept to most?
Philipp: The metaverse itself is still a new concept (and an evolving one) and as such, we have yet to see a set of standards for identification and security in this virtual world.
Implementing such standards takes time for it to be effective globally, but the industry players of the metaverse can take proactive steps to create their own ‘metacode’ of conduct — ensuring the safety of all users. Such metacodes may include implementation of Know Your Customer (KYC) requirements that ask users to verify their real-world identity, creating safe spaces with the help of AI tools, and enabling the ability to opt into levels of content and maintaining a cross-industry database of bad actors and their real-world identities. The technologies that form the basis of the real financial world are a good starting point to support these processes in the metaverse, helping to ensure that transactions are authentic and secure.
RiA: Is there a need to develop a universal standard for identity verification in the metaverse?
Philipp: To better safeguard the security of metaverse, there is a need to develop a universal standard for identity verification and security to keep users safe across digital environments. Just like we want to feel safe in any city in the real world, or on any social media platform, safety and security must be a given and consistent experience in the metaverse. This is a ripe time for stakeholders to come together and define the standards that will support the advancement of the metaverse.
Regulations are certainly needed, but policies tend to take time to develop and enforce, even more so when cross borders are involved. Having an industry body that will proactively ensure the healthy advancement of the metaverse while taking into consideration risks to users such as privacy and security will benefit the long-term development of this exciting new phase of the digital universe.
RiA: What are the challenges for the implementation of such standards?
Philipp: As the metaverse is constantly evolving, so do cybersecurity threats. These threats emerge and change rapidly, making it very difficult for organisations and regulators to keep up. As soon as a new type of threat is observed and new controls are put in place, an even newer threat arises which requires expedited attention and action. Security standards have to be constantly updated in order to keep up with the cybercriminals and protect consumers from becoming fraud victims.
With more and more brands jumping into the metaverse, there is a possibility where some of these virtual worlds will be regulated – perhaps subject to key rules on security or privacy – and others not. Both fraud and profit are equally likely to occur in the latter case.
Due to the borderless nature of these advanced technologies, it is vital to have international coordination of regulatory approaches to the metaverse and associated technologies.
RiA: How do you think stakeholders of different metaverses can make this happen?
Philipp: Security researchers, chief information security officers and industry stakeholders have the opportunity to understand the terrain of the metaverse as adversaries do — and to use it to our advantage. Metaverse platforms will likely create and generate entirely new data streams with the potential to improve authentication, pinpoint suspect or malicious activity or even revisualize cybersecurity to help human analysts make decisions in the moment. It is vital for these stakeholders to align on key priorities to help secure the metaverse for future generations — identity, transparency and a continued sense of unity among defenders will be key.
Cyber defense is a team sport where no single stakeholder can fully achieve all by themselves. The security community must work together to build a robust foundation for users to safely work, shop and play. Since the metaverse is much more immersive, the main focus of these stakeholders should be on verifying and preserving the identity of the user.