For many, the metaverse represents an idyllic future. Users can delve into a fully immersive virtual world, where geographic and physical barriers are removed. They can develop a perfectly crafted online identity, in the form of an avatar, which can move through various virtual environments to work, play games, shop, and socialize. Yet, while many are excited by the development of the metaverse, some are concerned about the cybersecurity risks it poses.
Cybercrime is already a common occurrence. In fact, according to the Cybersecurity and Infrastructure Security Agency, 47% of American adults have had their personal information exposed by cybercriminals. Additionally, 600,000 Facebook accounts are hacked every day. But what happens when we expand our online presence, connecting even more devices, accounts, and identities? The threat landscape expands as well. The more deeply people live online, the more opportunities bad actors have to disrupt that life and profit from it. Whether it’s the collection and sale of data, cryptocurrency theft, or increasingly realistic impersonations of another individual, the metaverse presents many cybersecurity threats that everyday users need to be aware of. By understanding the potential dangers of the metaverse, users can take the necessary precautions to avoid them and enjoy all the metaverse has to offer.
With every new technology comes new risks. Defining these risks becomes more complex when the technology itself is still being built. What we do know about the metaverse is that it’s meant to be completely immersive, highly personalized, and boundless. But the ability to create such an environment requires the collection of vast amounts of personal data. How that data is used — and protected — could determine the success of this impending alternate reality. This is why the lack of regulations around how that data can be used tops the list of the most pressing metaverse cybersecurity threats.
While today’s technology giants are busy building metaverse platforms, and businesses are scooping up digital properties on those platforms, there is one piece of the puzzle conspicuously missing: regulations. Unlike the internet, where GDPR and CCPA protect consumers’ privacy, no such regulations exist for the metaverse. This means the platform and property owners aren’t beholden to any regulating body. They alone will control security and identity protection, and even manage financial transactions made on their properties.
This should be incredibly troubling given the amount of data users will intentionally — and inadvertently — give up in the metaverse. Companies will now have access to users’ biometrics, location, financial information, and a plethora of other data. Most importantly, no governing body will keep these businesses and individuals from monetizing that data or using it for malicious purposes. The vast amount of data combined with zero regulation opens the door for scandals like the 2018 Facebook and Cambridge Analytica incident, but on a much larger scale.
Unlike accessing the internet, entry into the metaverse will likely require a virtual reality (VR) headset. These headsets are highly complex devices with advanced software. While these headsets provide a fully immersive experience for users, they also collect tons of data — including a user’s eye movements and voice — making them juicy targets for hackers.
If hackers can access the biometric data stored on these VR headsets, it could allow them to access sensitive accounts inside and outside the metaverse. It would also allow bad actors to take over a user’s digital identity.
Through a variety of tactics, including hacking into endpoints like VR headsets or running a phishing campaign aimed at attaining a user’s seed phrase — a group of random words that gives a user access to their crypto wallet — hackers can take over avatars and gain access to a person’s entire digital existence. Hackers can then use the avatar to access a digital wallet and digital assets, making purchases and sales as the victim. Depending on how immersed users are in the metaverse, hackers may have access to a victim’s workspace, social circles, and even healthcare records.
Much like social media, chat apps, and video conferencing software, the metaverse is meant to facilitate user-to-user communication. But when people and businesses are communicating via avatars, it can be challenging to verify that a person is who they say they are. Because users can change the appearance of their avatars, their identity is always somewhat uncertain.
This problem is exacerbated with deepfakes, instances in which an individual’s face and voice are digitally altered to look and sound like someone else. Deepfake videos and conference calls are becoming increasingly common. Plus, the technology is so advanced that it can be extremely difficult to discern whether or not the person is real.
This presents a number of challenges in the metaverse. Hackers can infiltrate businesses in the metaverse space to gather sensitive company information — or provide false information on an impending deal. In 2020, one criminal used AI voice cloning to impersonate a company director and convinced a Hong Kong bank manager to initiate wire transfers in the amount of $35 million. Criminals can also impersonate political figures or celebrities to influence voters or start a dangerous social movement. Additionally, these bad actors can falsely portray themselves as lawyers, doctors, and other professionals whom users trust for counsel.
Though new technology poses new challenges, old tactics like phishing and social engineering scams will likely still be used by hackers in the metaverse. Many businesses use airdrops to engage with investors and customers. Users connect their digital wallets to the business, sign a smart contract, and claim their reward — often cryptocurrency or an NFT. With airdrop phishing attacks, hackers use the same tactic to lure users into clicking on a malicious link or signing a smart contract that gives the hacker claim to all the user’s digital assets.
A co-founder of the NFT collection Moonbirds recently fell victim to a phishing scam in which more than $1.1 million worth of his personal NFTs were stolen. This came on the heels of an airdrop scam where a Twitter account posing as Moonbirds lured users to a fake airdrop page asking them to enter their crypto wallet login information.
It’s not difficult to see how harm done in the metaverse cascades into the “real world.” For starters, transactions in the metaverse use cryptocurrency, but cryptocurrency is initially purchased with fiat money. So any losses of cryptocurrency translate into a real-life financial hit. According to new data from the blockchain analytics firm Chainalysis, bad actors around the world swindled people out of $14 billion in cryptocurrency in 2021. And, because avatars are the virtual representation of people living in the real world, a deepfake video or identity theft could tarnish reputations or ruin real personal and business relationships.
From a purely cybersecurity standpoint, if a bad actor uncovers passwords used in the metaverse, that might lead to account compromises outside of the metaverse. This would be especially dangerous if someone had used the same password for a metaverse game as they did for their email or online banking account.
Finally, the use of VR headsets presents a new, very real danger in the physical world. If someone hacks into a person’s headset, they may be able to alter what the person sees virtually. Depending on the victim’s surroundings — and the hacker’s knowledge of them — the attacker could endanger the victim by causing them to walk to the edge of a staircase and fall down or walk into a dangerous situation. This scenario is especially troubling when thinking of all the young people who spend time gaming with VR headsets.
While the threats posed by the metaverse may seem overwhelming, the tactics needed to stay safe in the metaverse are actually quite simple. And they’re often the same tactics used to stay safe outside of the metaverse. Best of all, they don’t require much time, effort, or money to implement. But they will go a long way towards keeping a user’s identity, personal information, and wallet safe.
Start with the basics. Use unique, private passwords, and enable two-factor authentication. It’s important to use unique and difficult-to-guess passwords for all accounts and, equally important, to never share your passwords with anyone. According to the Cybersecurity and Infrastructure Security Agency, 31% of millennials share passwords. But password sharing opens users to significantly more risk, especially if the person a user is sharing with isn’t using cybersecurity best practices. Nevertheless, in case a bad actor does discover a password, two-factor authentication adds a layer of protection that should stop hackers from getting any further.
Knowing that impersonation becomes easy when interacting via avatars, users should be very careful about how much personal information they share with others — and with whom they share that information. The goal of a deepfake or 3D engineering scam is to convince a user that they’re speaking with someone familiar, so users should be vigilant for any red flags that a person might be an imposter. For those who shop online frequently, it’s essential to check bank statements regularly to make sure there aren’t any unfamiliar metaverse purchases.
No one likes to read through lengthy contracts laden with legal jargon. But when you’re dealing with difficult-to-trace cryptocurrency and a slew of new technology, taking the time to read the contract pays dividends. With a plethora of ways for scammers to take advantage of your digital assets, from fake airdrops to NFT scams to crypto theft, it’s essential to know what you’re getting — and giving up — in a transaction.
There is never a situation in which a user would need to share or enter their seed phrase into an online form — full stop. While it might seem obvious to never share your seed phrase with another user, too many people fall victim to seed phrase phishing, such as entering their seed phrase into a contest or airdrop form after trying to connect their crypto wallet and receiving an error message. If an error message pops up requesting a seed phrase, that’s a sure sign of a scam.
Because security protocols will vary across platforms and properties, it’s also a good idea for users to familiarize themselves with the privacy policies and security protocols being used by each platform or property visited. That may help users know which precautions to take and how to steer clear of some of the more dangerous corners of the metaverse.
The metaverse will undoubtedly prove to be an incredible space to work, socialize, and play. And, though cybersecurity should remain a high priority, most often common sense will keep you safe. Just remember the fundamentals like using unique passwords, not sharing passwords, enabling two-factor authentication, and staying away from stranger danger. From there, you can focus on the fun stuff — exploring.
If you have any questions about cybersecurity best practices, contact the team at SolCyber!