The metaverse promises to be a revolutionised digital world unlike any we’ve experienced before. The cybersecurity challenges that come with it will also, likely, be different from anything we’ve seen before because of the explosion of devices and infrastructure that’s going to accompany it. The sudden and significant increase in apps and data is going to expand the attack surface for bad actors by a significant amount.
As more money enters the metaverse, more hackers will try to take advantage of everyday crypto users. If metaverse platforms fall short on security and privacy before they take off, then it’s going to prevent the technology from being widely adopted. This article predicts some of the major security concerns that the metaverse and web3 are likely to pose.
According to last year’s Q4 2021 brand phishing report, the metaverse platform Roblox ranked as the 8th most imitated brand for phishing attacks during the quarter. This was the first time a metaverse platform has made it to the top ten of this list. This is especially concerning since 50% of Roblox’s user base is under 13 years of age.
Brand phishing involves bad actors pretending to be partners or representatives of a brand and sending carefully crafted fake emails. The objective is to convince victims of the authenticity of the email so that they click on malicious links or attachments included in it. This opens the path to infiltrating their accounts and systems and stealing their personal information or banking credentials.
As the popularity of the metaverse continues to grow, one can assume that brand phishing attacks will increase in frequency.
NFTs are central to the function of the metaverse economy, and NFT scams have been everywhere since the start of the new year (when global NFT sales jumped over the $4 billion mark).
One of the most common NFT scams is the Discord hack, in which fake minting links are posted on the announcements channel of a Discord server (which is a decentralised, online network of chat room servers). The message will offer a deal that seems too good to be true, like claiming a sold-out collection is releasing additional NFTs as a surprise.
Other times, a fake Discord link could ask for a victim’s seed phrase—which is a sequence of confidential words used to access a crypto wallet.
Malicious smart contracts
According to billionaire entrepreneur and crypto proponent Mark Cuban, smart contracts are going to be the most likely source of crypto-related fraud—as well as deliberate omissions, underhanded actions, and lack of clarity from users.
Since anyone who has the know-how can create a blockchain, there is a danger of bad actors creating intentionally vulnerable smart contracts. The purpose would be to draw victims to enter into smart contracts that can be easily exploited. The blockchain creators would exploit the market by taking control of a large share of the blockchain’s coin supply, thereby artificially inflating the coin’s value as the available supply to other investors drops. They would then put up their holdings for sale before the market can respond.
A bug in a smart contract is also particularly difficult to deal with because transactions on a blockchain can’t be undone. The only solution is to build a new blockchain for users to switch over to.
Vulnerable AR and VR glasses
The essential use of VR or AR glasses in any functional metaverse is also likely going to be a significant hindrance to user privacy and security. Not only do these devices collect large amounts of user data (including biometric information), but the metaverse is likely going to increase the modern demand for user data.
AR devices collect a lot more information on who the user is and what they are doing than any social network or other form of technology. This means that if hackers gain access to the device, the potential loss of privacy would be extensive. At the moment, it’s not that difficult for hackers to substitute a user’s AR for one of their own—since established transmission generation and transmission mechanisms are still in the process of being developed. The potential unreliability of content also makes it possible for hackers to garble a user’s perception of reality by creating fake signs or displays that bait them to perform actions that benefit the hackers.
VR devices collect highly private information regarding the user, including biometric data (such as retina scans), fingerprint data, face mappings, and voiceprints. Neither VR nor AR tracking data can be made anonymous, because the movements of individuals are completely distinctive. This presents a serious problem if VR devices are hacked. As with AR devices, hackers can inject features into VR platforms that trick users into giving away crucial information—thereby creating scope for ransomware attacks.