How crypto tokens became as insecure as payment cards once were

Last month, hackers stole approximately $100 million in cryptocurrency from the Harmony blockchain bridge. It looks like another wave of the last storm that started almost a year ago. In August 2021, the DeFi Poly Network was breached with $600 million stolen from user accounts. Then, in February 2022, hackers stole $320 million from users of crypto trading firm Wormhole. That was followed by another breach in March when hackers pocketed nearly $600 million in crypto from an online gaming company by exploiting a crypto payment system Ronin Network.

To less sophisticated users, it may sound like blockchain technology is vulnerable, which is not necessarily true. For example, some “core” blockchain codes like Bitcoin can still be trusted because it is based on strong cryptography and has been scrutinized by millions of users, including hackers, for years. But new technology like Harmony needs to be in beta testing for months or even years before it can be considered safe.

It’s amazing how people trust their money to untested, uncertified code. Traditional financial and payment software goes through excessive testing and compliance certifications before it goes into production, but security incidents still happen. But crypto software is not regulated, so no testing requirements or certifications exist.

The new crypto fintech era

It seems that cryptofintech is going through the same saga that the payment card industry experienced in the 2000s and 2010s. During that time, card data breaches emerged every day, exposing millions of records of cardholders’ sensitive information. In many cases, hackers sold the data on the darknet to other criminal gangs for additional “monetization”. These secondary groups specialized in creating counterfeit plastic cards using stolen cardholder information and cashing them out for online or in-store purchases.

The payment card industry cracked down on these security issues by creating the Payment Card Industry Security Standards (PCI DSS) and forcing players such as merchants, banks and payment processors to follow the rules. Another robust measure to combat payment card fraud was the implementation of new payment security technologies such as point-to-point encryption, chip&pin (smart cards) and secure online payment processors such as PayPal.

Crypto fintech does not have all these security standards and technologies yet. The coins and tokens are as naked and vulnerable as plastic payment cards with magnetic strips with account numbers embossed on them. Note: Such cards still exist, but are much more protected today. It took several years for the payment card industry to realize that an existential threat must be addressed. The latest mega-crypto breaches signal that the blockchain industry needs to recognize that and start learning from the lessons of its predecessor. And users should be careful and think twice before trusting their money to adventurous technology.

Slava Gomzin is director of payments and cyber security at Toshiba Global Commerce Solutions and an expert in blockchain technology. He is the author of Crypto Basics, Hacking Point of Sale and Bitcoin for non-mathematicians. He is also the co-founder of the Lyra blockchain.