
Crypto Cybersecurity: Expert Strategies for Safeguarding Digital Assets in Web3 Environments

Explore expert insights on crypto cybersecurity best practices, including strategies for safeguarding digital assets and corporate entities within Web3 environments. Gain valuable tips from our panel of industry leaders on navigating the complexities of protecting your digital assets.

Genfinity recently engaged prominent and highly knowledgeable members of the Web3 community for a cybersecurity podcast, gathering their perspectives on current and future crypto cybersecurity priorities within Web3.

As we navigate the complexities of crypto cybersecurity, our panelists offer valuable insights into securing digital assets and corporate entities within Web3 ecosystems. From the implementation of multisig wallets to decentralized recovery mechanisms, they explore various approaches to safeguarding assets against potential threats. Additionally, our discussion extends to the role of emerging technologies like artificial intelligence (AI) and zero-knowledge proofs (ZKPs) in enhancing security measures and user interactions within cryptocurrency wallets.

Looking ahead, our panelists envision a future where security solutions are seamlessly integrated into hardware, offering enhanced usability and protection for users of all levels of technical proficiency.

Our cybersecurity panel

We spoke with Denis Angell, who works on Hooks with XRPL Labs’ C++ team, integrating smart contracts written in C with the XRP Ledger. He also has experience with Ethereum and has built his own game using Swift. Pluto, CTO of HashPack, was also on our podcast. He helps build the HashPack wallet and works with dApp developers to improve security in the Hedera ecosystem. Michael Garber of Swirlds Labs was also on our call. A veteran of the crypto space since 2013, Michael works as a developer advocate for Swirlds Labs and is part of the DeRec Alliance team. He discussed the Alliance’s work on this episode.

Additionally, we were excited to have Richard Carback, the main developer behind the mixnet privacy messaging platform at xx network, join us. Ethan Johnson, an advisor to the Interlock platform, also took part in the discussion; he is a cybersecurity consultant with experience in both crypto and traditional finance. Rick Deacon, CEO and Co-Founder of Interlock, also weighed in. Finally, we caught up with Sonny, the CMO at Brillion, who previously worked at Consensus.

As you can see, our panel discussion featured multiple esteemed experts from the forefront of Web3 innovation. Continue reading to discover valuable insights on optimal safety protocols and the exciting future of cybersecurity in Web3!

Crypto cybersecurity — best practices

Knowing that there are many common user mistakes in handling crypto within Web3, we asked the panel how users and companies alike can better safeguard their assets. Essentially, we wanted to know some of their personal crypto cybersecurity best practices. 

Blind Transactions

Denis Angell of XRPL Labs kicked off our discussion. He emphasized the importance of transparency in crypto transactions and advised against blind transactions, in which the user signs a transaction or message without being shown what the underlying smart contract call will actually do. Blind signing is common on Ethereum, and he recommended using wallets that clearly show what actions a smart contract will perform.

To safeguard his own funds, he keeps them in cold storage and only interacts with dApps through trusted wallets, using exchanges only rarely, to move money in and out.

Image source: https://www.ledger.com/academy/cryptos-greatest-weakness-blind-signing-explained
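As an added example (not code from the article or from any of the panelists’ projects), the following Python decodes the calldata of the most common ERC-20/ERC-721 calls into the plain statement a transparent wallet should show before asking for a signature, and flags the patterns behind most wallet-draining approvals. The four selectors are the standard ones (first four bytes of keccak256 of the function signature); the drainer address, the trusted-spender list and the sample calldata are constructed for the demo.

```python
"""Show a signer what an EVM contract call actually does before they approve it.

Added example, not the article's or any wallet vendor's code: it decodes the
ABI calldata of four common token functions and raises the warnings a
transparent wallet would surface (unlimited approvals, approvals to unknown
spenders, unknown selectors). The selectors are the standard ERC-20/ERC-721
ones; the addresses and calldata used in the demo are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

UINT256_MAX = 2**256 - 1

# selector -> (function name, ((param name, ABI type), ...))
SELECTORS = {
    bytes.fromhex("095ea7b3"): ("approve", (("spender", "address"), ("amount", "uint256"))),
    bytes.fromhex("a9059cbb"): ("transfer", (("to", "address"), ("amount", "uint256"))),
    bytes.fromhex("23b872dd"): ("transferFrom",
                                (("from", "address"), ("to", "address"), ("amount", "uint256"))),
    bytes.fromhex("a22cb465"): ("setApprovalForAll", (("operator", "address"), ("approved", "bool"))),
}


@dataclass
class Decoded:
    function: str
    args: dict
    warnings: list


def decode_word(abi_type: str, word: bytes):
    """Decode one 32-byte ABI word, rejecting malformed padding."""
    if len(word) != 32:
        raise ValueError("ABI words are 32 bytes")
    if abi_type == "address":
        if any(word[:12]):
            raise ValueError("address word has non-zero left padding")
        return "0x" + word[12:].hex()
    if abi_type == "uint256":
        return int.from_bytes(word, "big")
    if abi_type == "bool":
        value = int.from_bytes(word, "big")
        if value not in (0, 1):
            raise ValueError("bool word must be 0 or 1")
        return bool(value)
    raise ValueError(f"unsupported ABI type {abi_type}")


def decode_calldata(calldata: bytes, trusted_spenders=frozenset()) -> Decoded:
    """Return the readable call and its risk warnings; raise on malformed input."""
    if len(calldata) < 4:
        raise ValueError("calldata shorter than a function selector")
    selector, body = calldata[:4], calldata[4:]
    if selector not in SELECTORS:
        # This is the blind-signing case: the wallet cannot say what will happen.
        return Decoded("unknown:0x" + selector.hex(), {},
                       ["selector not recognised; the effect of this call cannot be shown"])
    name, params = SELECTORS[selector]
    if len(body) != 32 * len(params):
        raise ValueError(f"{name} expects {32 * len(params)} argument bytes, got {len(body)}")
    args = {pname: decode_word(ptype, body[32 * i:32 * (i + 1)])
            for i, (pname, ptype) in enumerate(params)}
    warnings = []
    grantee = None
    if name == "approve" and args["amount"] > 0:          # amount 0 is a revocation
        grantee = args["spender"]
        if args["amount"] == UINT256_MAX:
            warnings.append("unlimited approval: the spender can move your entire balance at any time")
    elif name == "setApprovalForAll" and args["approved"]:
        grantee = args["operator"]
        warnings.append("operator approval over every token you hold in this collection")
    trusted = {a.lower() for a in trusted_spenders}
    if grantee is not None and grantee not in trusted:
        warnings.append(f"grants spending rights to {grantee}, which is not a trusted spender")
    return Decoded(name, args, warnings)


def abi_address(addr: str) -> bytes:
    return bytes(12) + bytes.fromhex(addr[2:])


def abi_uint(n: int) -> bytes:
    return n.to_bytes(32, "big")


# Constructed demo input: a drainer site asks the user to "confirm" an unlimited approve().
DRAINER = "0x" + "d" * 40
SAMPLE_UNLIMITED_APPROVE = bytes.fromhex("095ea7b3") + abi_address(DRAINER) + abi_uint(UINT256_MAX)

if __name__ == "__main__":
    result = decode_calldata(SAMPLE_UNLIMITED_APPROVE, trusted_spenders={"0x" + "1" * 40})
    print(result.function, result.args)
    for w in result.warnings:
        print("WARNING:", w)
```

A wallet that refuses to render a call as "safe" when the selector is unknown, and that insists on showing spender and amount for the calls it does know, removes the ambiguity that blind-signing scams rely on; the same decoder can be extended with further selectors and a per-chain registry of known contracts.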

Dusting scams

Notably, he also warned about “dusting” scams where small crypto deposits are used to trick users into clicking possibly malicious links. Angell recommended that you reach out directly to legitimate sources for support and avoid social media interactions for such purposes. Additionally, he mentioned social recovery as a potential future solution and expressed interest in how developers secure company treasuries within the crypto space.

Phishing

Pluto from HashPack stated that the most common crypto scams involve phishing through fake accounts on social platforms like Discord and Twitter, where individuals impersonate “support agents” or legitimate platforms like Hedera or HashPack. Victims are tricked into giving away their wallet keys, and their funds are stolen. This is an ongoing battle as scammers adapt their methods.

The DeRec Alliance

Michael with Swirlds Labs emphasized separating crypto storage based on risk. Currently, hardware wallets with metal backups provide the best security for most holdings. For riskier activities, a separate hot wallet can be used. 

His mantra is that the future of crypto security lies in distributed custody, a concept championed by the DeRec Alliance. This method involves splitting your secret key into shares and distributing them among trusted helpers. Even if you lose your device, these helpers can assist you in regaining access to your assets. The DeRec Alliance, with participation from major crypto and tech companies, aims to develop open-source standards for this decentralized recovery process, ensuring a more secure and collaborative future for crypto storage.

Crypto cybersecurity — ideal custody methods

Genfinity inquired into our panel’s perspectives on the optimal method for safeguarding digital assets. Some individuals advocate for multisig wallets as the most secure option, and we were curious if a multisig wallet truly offers the highest level of security for asset custody. 

Decentralized recovery

Michael Garber argued that while multi-signature wallets offer some security benefits, they can become inaccessible if you lose your keys. Decentralized recovery, championed by the DeRec Alliance, proposes a superior solution: by splitting your key into shares distributed among trusted helpers, DeRec allows you to regain access even if your device is lost. Garber sees DeRec as the future of crypto asset security and highlighted its flexibility, with the helpers’ verification of a recovery request ranging from in-person checks to biometric authentication and more.

Image source: https://derecalliance.org/

User education + UI

Brillion’s CMO, Sonny, said that Web3 has to take user education seriously. He argued for a flexible, nuanced approach to crypto wallet security: features like multi-signature wallets, social recovery, transaction limits, and biometric signing offer a range of security options, but the ideal combination depends on how the user interacts with crypto. Striking a balance between security and user-friendly interfaces is crucial to avoid overwhelming users. Ultimately, the blockchain ecosystem has a responsibility to educate and guide users through these evolving technologies.

Physical key shares + hardware wallets

Richard Carback expanded on the discussion by suggesting an additional technique involving physical key shares, without revealing specific implementation details. He emphasized the concept of distributing key shares among multiple trustees to enhance security, with only a subset of trustees required to reconstruct the key.

Carback acknowledged the trade-off between accessibility and recoverability in securing crypto assets, suggesting a balanced approach involving a dedicated device for important transactions, preferably a phone without a phone number, with software installed through secure methods such as Android APKs. He also endorsed the use of hardware wallets for larger crypto holdings. He stressed the importance of backing up hardware wallets through sharing schemes and noted the improvement in available tools for crypto security.
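The idea that runs through the DeRec discussion and Carback’s physical key shares above, splitting a key into shares so that a subset of helpers can reconstruct it, is usually realised with a threshold secret-sharing scheme. As an added example (not the DeRec Alliance’s protocol or xx network’s code, neither of which is specified on this page), the following Python implements textbook Shamir secret sharing over GF(2^8), applied byte by byte: a 32-byte secret is split 3-of-5, any three shares recover it, and two shares together do not. The secret is a constructed placeholder.

```python
"""Threshold recovery of a wallet secret: any t of n helpers can rebuild it.

Added example, not the DeRec Alliance's protocol or xx network's code: this is
textbook Shamir secret sharing over GF(2^8), applied byte by byte, one standard
way to realise "split the key into shares held by trusted helpers, a subset of
whom can reconstruct it". The secret in the demo is a constructed placeholder.
"""
from __future__ import annotations

import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """a^-1 == a^254, because the non-zero elements form a group of order 255."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def split(secret: bytes, threshold: int, shares: int) -> list[tuple[int, bytes]]:
    """Issue `shares` points (x, y_bytes); any `threshold` of them recover `secret`."""
    if not 2 <= threshold <= shares <= 255:
        raise ValueError("need 2 <= threshold <= shares <= 255")
    # One random polynomial of degree threshold-1 per secret byte; the constant
    # term is the byte itself. Coefficients must come from a CSPRNG.
    polys = [[b] + [secrets.randbelow(256) for _ in range(threshold - 1)] for b in secret]
    issued = []
    for x in range(1, shares + 1):            # x = 0 would be the secret; never issued
        y = bytearray()
        for coeffs in polys:
            acc = 0
            for c in reversed(coeffs):        # Horner's rule
                acc = gf_mul(acc, x) ^ c
            y.append(acc)
        issued.append((x, bytes(y)))
    return issued


def combine(parts: list[tuple[int, bytes]]) -> bytes:
    """Lagrange interpolation at x = 0 for every byte position."""
    xs = [x for x, _ in parts]
    if len(set(xs)) != len(xs) or any(not 1 <= x <= 255 for x in xs):
        raise ValueError("share indices must be distinct and in 1..255")
    if len({len(y) for _, y in parts}) != 1:
        raise ValueError("shares have differing lengths")
    out = bytearray()
    for i in range(len(parts[0][1])):
        acc = 0
        for xj, yj in parts:
            num = den = 1
            for xm, _ in parts:
                if xm != xj:
                    num = gf_mul(num, xm)         # (0 - x_m) == x_m in characteristic 2
                    den = gf_mul(den, xj ^ xm)    # (x_j - x_m)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


if __name__ == "__main__":
    seed = bytes(range(32))                        # constructed placeholder, not a real seed
    helpers = split(seed, threshold=3, shares=5)   # 3-of-5: any three helpers recover
    assert combine(helpers[:3]) == seed
    assert combine([helpers[0], helpers[2], helpers[4]]) == seed
    assert combine(helpers[:2]) != seed            # two helpers cannot reconstruct
    print("3-of-5 recovery OK; two shares do not reconstruct the seed")
```

Shamir alone cannot tell an incomplete or tampered share set from a good one: calling combine() with two shares of a 3-of-5 split returns a wrong value without any error. A real recovery flow therefore stores a commitment to the secret (for example a hash) alongside the shares and checks it after reconstruction, and the helpers still need the out-of-band verification the panel discussed before they release their shares.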

ThreatSlayer

Rick Deacon introduced us to Interlock’s product, ThreatSlayer, whose primary objective is to safeguard users from malicious online activity such as phishing and wallet-draining scams. Interlock continuously refines its heuristics to detect and mitigate a range of threats, and the browser-based tool aims to shield users from many potential dangers. To bolster internet and web security overall, it gathers anonymized data from user activity, focusing on identifying harmful URLs and websites as well as instances of wallet-draining scams.

In exchange for sharing this valuable data, you are rewarded with the company’s token, $ILOCK. This data, which remains anonymous, is then utilized and distributed within the cybersecurity community to empower various security tools, including firewalls, antivirus software, and web filters, ultimately contributing to a safer online environment.

Crypto cybersecurity — Ledger wallet

We referenced the news about Ledger implementing key sharding as a recovery mechanism, which sparked controversy within the crypto community. We were curious about the panel’s opinions on Ledger’s intentions, acknowledging the challenge of ensuring security while accommodating less tech-savvy users, a grandmother for example, who may struggle to manage recovery phrases.

Essentially, we wanted to know whether there were security concerns associated with Ledger’s approach and speculate on the potential implications if government entities were to intervene, raising the possibility of asset seizures.

Balancing recoverability and security

Richard Carback said that the main issue is the divergence in priorities between Ledger, a hardware wallet provider, and its users regarding key recovery. While Ledger may prioritize support for less tech-savvy users such as the proverbial grandmother, most users purchasing Ledger wallets prioritize absolute control over their keys and do not want any possibility of key recovery.

This highlights a conflict between the desire for recoverability and the need for secure internet interactions, with hardware protection necessary for the latter. Carback suggested that key recoverability and day-to-day crypto interactions should be treated as separate issues to avoid conflating two distinct concerns.

Denis Angell also emphasized the importance of distinguishing between recovery, backup, and day-to-day protection in cryptocurrency management, echoing Carback’s sentiment. He agreed with Carback’s views on the popularity and safety of key sharding, highlighting its relevance from an application standpoint.

Regarding Ledger’s situation, Angell noted the community’s perception that the company had contradicted itself about whether recovery was possible, something many developers knew was feasible with the right code. He foresees the trend leaning towards decentralized recovery solutions for backing up and restoring cryptocurrency assets.

dApps + MFA

Sonny echoed earlier sentiments about the inevitability of vulnerabilities in security systems, emphasizing that crypto scammers constantly seek ways to breach even the most seemingly impenetrable defenses. He stressed the importance of exercising caution, noting that even seemingly innocuous actions, such as connecting a wallet to a decentralized application (dApp) you trust, can at times pose risks.

Ethan Johnson of Interlock expressed a preference for using a separate device for key recovery, to keep the primary device’s purpose clear and uncomplicated. He drew a parallel with the evolution of multi-factor authentication (MFA), noting how MFA has shifted from device-bound factors to more cloud-centric ones, potentially weakening authentication strength and raising security concerns. Johnson highlighted the importance of addressing this erosion in authentication standards to mitigate risks and prevent serious problems in the future.

Crypto cybersecurity — root of trust

We then raised the topic of the root of trust and questioned the possibility of using private keys as the root of trust instead of the traditional method of setting up wallets and writing down 24 words for recovery. We proposed the idea of incorporating the root of trust directly into hardware, which could potentially streamline the security process by leveraging this built-in foundation from the outset. We wanted to know the feasibility of this approach and its potential implications for simplifying security measures in managing private keys.

Addressing our question, Michael Garber expressed confidence that the root of trust will be incorporated directly into hardware in the future, envisioning a scenario where users won’t need to know their private keys or seed phrases. Instead, he anticipates a system where users split their key into shares and distribute them to trusted individuals. In the event of device loss, those individuals could collaborate to reconstruct the key, enabling seamless recovery of assets. He expressed enthusiasm for this development and sees it as a positive direction for improving both security and usability in managing cryptographic assets.

Garber also suggested that integrating the root of trust into hardware could benefit users, like the proverbial grandma, who may not be tech-savvy but can still access a highly secure environment without needing to understand the intricacies of cryptographic security. He indicated that this approach aligns with the goals of the DeRec Alliance, emphasizing the importance of democratizing access to robust security without requiring users to have specialized knowledge or skills.

Crypto cybersecurity — corporate entities

Having seen many larger entities fall prey to outdated crypto cybersecurity practices, we inquired about the security measures taken by entities operating within Web3, whether at the individual project or company level, with a particular focus on treasury management.

We invited Denis to elaborate on the specific measures in place to safeguard assets and accounts within XRPL Labs as well as other relevant contexts.

Denis discussed various security measures implemented by entities within the Web3 ecosystem, particularly around treasury management. He highlighted the importance of properly implementing multisig for large treasury accounts, emphasizing its effectiveness when executed correctly. He also described the adoption of sharded hardware security modules (HSMs) by custody solutions, where keys are fragmented and brought together securely only when needed to sign transactions, which he sees as the future direction for security.

From a treasury standpoint, he suggested implementing firewall hooks to block unwanted incoming and outgoing transactions, and a “high value” hook requiring additional signatures for transactions exceeding a specified amount. Additionally, Denis shared a practical approach of segregating funds into different addresses for payroll transactions to enhance privacy and security, noting the importance of maintaining financial transparency while also safeguarding sensitive information.
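To make the treasury rules above concrete, here is an added Python model (not XRPL Labs’ hook code, which is C compiled to WebAssembly and is not shown on this page) of the policy an enforcement point would apply: a weighted signer list with a quorum, the scheme XRPL signer lists use; a higher quorum for payments above a “high value” limit; and an allow/block list on destinations standing in for the firewall hook. The signer names, weights, limits and “r…” destination labels are constructed placeholders, not real accounts.

```python
"""Treasury payment policy: weighted multisig quorum, a higher bar above a
"high value" limit, and a destination firewall.

Added example, not XRPL Labs' code and not the Hooks API: it models the policy
described in the article in plain Python, using the weighted-signer/quorum
scheme XRPL signer lists support. Signer ids, weights, limits and the "r..."
destination labels are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    weights: dict                 # signer id -> signing weight
    quorum: int                   # weight required for ordinary payments
    high_value_limit: int         # payments above this need high_value_quorum
    high_value_quorum: int
    allowed_destinations: frozenset
    blocked_destinations: frozenset = frozenset()

    def __post_init__(self):
        total = sum(self.weights.values())
        if not 0 < self.quorum <= self.high_value_quorum <= total:
            raise ValueError("quorums must be positive, ordered, and reachable by the signer set")


@dataclass(frozen=True)
class Payment:
    destination: str
    amount: int
    signers: frozenset            # signer ids whose signatures were verified upstream


def evaluate(policy: Policy, tx: Payment) -> tuple[bool, str]:
    """Return (accept, reason); every rejection names the rule that fired."""
    if tx.amount <= 0:
        return False, "amount must be positive"
    # Firewall: the block list wins, and anything not explicitly allowed is rejected.
    if tx.destination in policy.blocked_destinations:
        return False, f"destination {tx.destination} is blocked"
    if tx.destination not in policy.allowed_destinations:
        return False, f"destination {tx.destination} is not on the allow list"
    # Only listed signers count; a signature from an unknown key adds no weight.
    known = tx.signers & set(policy.weights)
    weight = sum(policy.weights[s] for s in known)
    high_value = tx.amount > policy.high_value_limit
    needed = policy.high_value_quorum if high_value else policy.quorum
    if weight < needed:
        tier = "high-value" if high_value else "standard"
        return False, f"{tier} quorum {needed} not met: verified signer weight is {weight}"
    return True, f"accepted: signer weight {weight} >= {needed}"


# Constructed treasury: CFO and CEO weigh 2, ops 1, board 3; ordinary spend needs 3,
# anything over 100,000 needs 5, and payroll is paid from its own segregated account.
TREASURY = Policy(
    weights={"cfo": 2, "ceo": 2, "ops": 1, "board": 3},
    quorum=3,
    high_value_limit=100_000,
    high_value_quorum=5,
    allowed_destinations=frozenset({"rPayrollAccount", "rExchangeDesk"}),
    blocked_destinations=frozenset({"rKnownDrainer"}),
)

if __name__ == "__main__":
    cases = [
        Payment("rPayrollAccount", 50_000, frozenset({"cfo", "ops"})),
        Payment("rPayrollAccount", 250_000, frozenset({"cfo", "ops"})),
        Payment("rPayrollAccount", 250_000, frozenset({"cfo", "ceo", "ops"})),
        Payment("rUnknownAccount", 10, frozenset({"cfo", "ceo", "board"})),
        Payment("rKnownDrainer", 10, frozenset({"cfo", "ceo", "board"})),
    ]
    for tx in cases:
        print(tx.destination, tx.amount, evaluate(TREASURY, tx))
```

The ordering matters: destination checks run before any signature weight is counted, so a compromised signer cannot push funds to an unlisted address no matter how many co-signers they collect, and the high-value tier is decided by the amount alone, never by which signers happen to be present.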


Conversely, Richard Carback voiced his frustration with current hardware security modules (HSMs), highlighting a fundamental flaw in their design: if the key is lost or a vulnerability is exploited, the data stored within becomes essentially unrecoverable. He mentioned that some systems have clients also protect the data uploaded to HSMs, so that both the HSM and the client must cooperate for decryption, but noted that this setup still presents challenges. While he expressed hope for advances in HSM technology, particularly in key sharing and data protection mechanisms, he anticipated that significant improvements may still be five to ten years away.

Crypto cybersecurity — Zero Knowledge Proofs + DID

Zero-knowledge proofs (ZKPs) let one party prove that a statement is true without revealing anything beyond the fact of its truth, for example proving knowledge of a secret without disclosing the secret itself. We asked about the potential impact of ZKPs on wallet security and user interactions. Specifically, we wanted to know whether ZKPs will become a factor in enhancing security by allowing users to perform actions within their wallets with minimal disclosure of information.

Sonny of Brillion believes that zero-knowledge proofs will play a role in enhancing security within cryptocurrency wallets, particularly in use cases such as identity verification. He emphasized the importance of wallets being able to set transaction limits, add credentials, and provide notifications, and noted that these features, combined with ZKPs and Know Your Customer (KYC) procedures, contribute to overall security. Additionally, he mentioned the security benefits of Brillion’s feature for connecting bank accounts to cryptocurrency wallets, noting its reach across multiple countries and banks. In his view, ZKPs have a definite place in achieving future security goals within cryptocurrency wallets.

Denis Angell also chimed in, expressing an interest in implementing a Decentralized Identifier (DID) solution within cryptocurrency wallet hooks, inspired by similar implementations on Ethereum. He believes that solving certain problems within the community requires such a solution. 

Moreover, Angell discussed a scenario where a bank requires identity verification before transacting with a user, and proposed a system in which the bank signs the transaction or issues a signature that the wallet hook verifies when the user submits the transaction. This additional layer of verification provides the level of assurance that banks typically seek in transactions.

Crypto cybersecurity — artificial intelligence

What is the potential for enhancing security through artificial intelligence (AI) and emerging technologies? We wanted to know more about the concept of continuously regenerating private keys from a fixed set of 24 words or phrases. Specifically, we asked how Interlock is helping to enhance security and whether AI is involved in its venture.

Rick Deacon, Interlock’s CEO, clarified that while the company isn’t using AI to continuously regenerate private keys, it is using AI to detect malicious activity in real time, expanding beyond identifying bad websites to include smart contracts and communication systems within the Web3 ecosystem. Deacon has a vision of leveraging AI to build trust verification methods for smart contracts, allowing users to verify the correctness of a smart contract they want to interact with.

This approach aims to enhance trust by ensuring users are interacting with the intended smart contract, rather than solely relying on its functionality. While he acknowledged the potential for AI in the context mentioned by our question, his focus lies on using AI for real-time detection of malicious activities and developing trust verification methods for smart contracts within their roadmap for the future.

Notably, Deacon also expressed concern about the potential implications of the model being trained on data and the information it acquires, particularly in the context of applying AI to private keys or other sensitive data. He highlighted the risk of inadvertently training the model to subvert the very systems it’s meant to protect if given too much information.

While he noted that this concern may not directly apply to their current activities, he cautioned against the broader implications of AI training in sensitive areas, emphasizing the importance of careful consideration regarding the data and methods used in training AI models for security-related tasks.

Looking forward 

In conclusion, our panel’s optimism about the future of technology, particularly in key management and sharing solutions, reflects a promising trajectory for enhancing security measures in Web3 environments. Their excitement for next-generation crypto cybersecurity solutions, especially those focused on quantum security, underscores a proactive approach to addressing evolving threats and ensuring robust security strategies moving forward. 

Implementing quantum-secure backups, for example, is seen as a vital component of future security measures, signaling a commitment to staying ahead of emerging challenges and embracing innovative solutions for safeguarding digital assets. Additionally, the shared enthusiasm for emerging technologies such as AI, quantum resistance, and decentralized recovery highlights a forward-thinking perspective on enhancing security while prioritizing user adoption and simplicity in Web3 environments.

*Disclaimer: News content provided by Genfinity is intended solely for informational purposes. While we strive to deliver accurate and up-to-date information, we do not offer financial or legal advice of any kind. Readers are encouraged to conduct their own research and consult with qualified professionals before making any financial or legal decisions. Genfinity disclaims any responsibility for actions taken based on the information presented in our articles. Our commitment is to share knowledge, foster discussion, and contribute to a better understanding of the topics covered in our articles. We advise our readers to exercise caution and diligence when seeking information or making decisions based on the content we provide.
