A Tangled Web3: Crypto Wallets Aren’t Impervious to Fraud
Decentralization doesn’t equal invulnerability
Decentralization doesn’t equal invulnerability
It seems like every day there’s a new kid on the blockchain, a new cryptocurrency, a new crop of crypto-curious consumers hankering for a taste.
Trafficking in crypto requires choosing from a plethora of crypto wallets — what consumers use to buy crypto and store their private keys — but those, even with the decentralization of Web3, have proven vulnerable to fraud.
We took a closer look at five crypto wallets to study these limitations ourselves, as well as their impact on the user experience. Here is what we found.
Seed phrase malaise
A common way in which users gain access to their wallets is the almighty seed phrase. This randomized combination of 12–24 words, automatically generated by the wallet, acts as a master password that unlocks the private keys used to buy and sell crypto.
We were assigned seed phrases of our own on wallets imToken and Trust (the latter offers the option to use a passcode instead and only utilize your seed phrase as a backup). Your seed phrase is sacred; if someone else knows it, they can steal all of your crypto. Screenshotting it or storing it in the cloud is a no-no. That only leaves one option: writing it down.
Some people go the extra mile to protect their seed phrase — storing it across multiple safety deposit boxes, engraving it in steel — and for good reason: if they lose it, or if it’s compromised, game over. Given the added friction of both storing and entering a seed phrase upon each transaction, and the potentially life-altering ramifications of losing it, it behooves wallets to find a safer and more secure alternative.
The problem with biometrics
Argent, MyCrypto, and MyEtherWallet all enabled us to log in via Touch ID. From a friction perspective, this is preferable to 2FA solutions texting users a one-time passcode that can be hacked through sim-swapping. But, while the passwordless convenience is nice, Touch ID and similar biometric tools aren’t as secure as you think.
Per a 2021 report from Kraken, it costs bad actors no more than $5 to spoof a fingerprint. Sure, Touch ID will soon give way to Face ID, but facial recognition can be bypassed just as easily. Silicone masks, pulling pictures from social media, and other workarounds aren’t tall tasks for fraudsters eyeing hundreds, thousands, millions of dollars worth of crypto.
Argent and MyEtherWallet provide a six-digit passcode alternative to Touch ID. This is problematic as well. What if you forget your pin code and (gulp) the seed phrase needed to reset it? Not to mention the credential-stuffing risk posed by folks who reuse pin codes across different wallets and/or websites.
No time like the present
A recent survey from NordVPN found that 32% of respondents who were aware of cryptocurrency hardly knew about the dangers of crypto-related fraud. As the popularity of crypto and decentralized apps on Web3 continue to rise, this could lead to lots of friction-averse users and compromised wallets if the existing verification methods aren’t tweaked to create an experience that is both seamless and secure.
A new wave of phishing attacks hit the Web3 landscape just last week. If fraudsters aren’t stealing users’ pin codes by impersonating wallets or deploying malware, they’re typosquatting to attract users to dummy websites and seizing their tokens via misleading smart contracts.
If there’s one silver lining, it’s that the transparent nature of Web3 allows for measuring financial impact and identifying opportunities for improvement. Nevertheless, the time to beef up Web3’s security is now, while still early in its development.